From Casetext: Smarter Legal Research

Graham v. Noom, Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA San Francisco Division
Apr 8, 2021
533 F. Supp. 3d 823 (N.D. Cal. 2021)

Summary

holding that because there were no allegations that the third party "intercepted and used the data itself," plaintiff did not plausibly plead third party software provider eavesdropped on plaintiffs' communications, but pled only that the third party was "a vendor that provides a software service"

Summary of this case from Massie v. Gen. Motors

Opinion

Case No. 20-cv-06903-LB

2021-04-08

Audra GRAHAM and Stacy Moise, individually and on behalf of all others similarly situated, Plaintiffs, v. NOOM, INC., and FullStory, Inc., Defendants.

Joel Dashiell Smith, L. Timothy Fisher, Bursor & Fisher, P.A., Walnut Creek, CA, Max Stuart Roberts, Pro Hac Vice, Bursor & Fisher, P.A., New York, NY, for Plaintiffs. Aarti G. Reddy, Kyle Christopher Wong, Michael Graham Rhodes, Cooley LLP, San Francisco, CA, Charles A. Wood, Cooley LLP, Washington, DC, for Defendant Noom, Inc. Emily Johnson Henn, Covington & Burling LLP, Palo Alto, CA, Patrick R. Carey, Simon J. Frankel, Jenna L. Zhang, Matthew Quinn Verdin, Covington & Burling LLP, San Francisco, CA, for Defendant FullStory, Inc.


Joel Dashiell Smith, L. Timothy Fisher, Bursor & Fisher, P.A., Walnut Creek, CA, Max Stuart Roberts, Pro Hac Vice, Bursor & Fisher, P.A., New York, NY, for Plaintiffs.

Aarti G. Reddy, Kyle Christopher Wong, Michael Graham Rhodes, Cooley LLP, San Francisco, CA, Charles A. Wood, Cooley LLP, Washington, DC, for Defendant Noom, Inc.

Emily Johnson Henn, Covington & Burling LLP, Palo Alto, CA, Patrick R. Carey, Simon J. Frankel, Jenna L. Zhang, Matthew Quinn Verdin, Covington & Burling LLP, San Francisco, CA, for Defendant FullStory, Inc.

ORDER GRANTING DEFENDANTS’ MOTIONS TO DISMISS

Re: ECF No. 35, 36

LAUREL BEELER, United States Magistrate Judge

INTRODUCTION

Noom is a web application that helps its users lose weight and lead healthier lifestyles. Noom uses FullStory's software (called "session replay") to record what visitors are doing on the Noom website, such as their keystrokes, mouse clicks, and page scrolling, thereby allowing a full picture of the user's website interactions. Noom contends that the software improves its website design and the user's experience. The plaintiffs — on behalf of a putative California class — claim that FullStory is illegally wiretapping their communications with Noom (and Noom is aiding and abetting that eavesdropping) in violation of their right to privacy under California's Invasion of Privacy Act (CIPA) and the California Constitution.

First Am. Compl. (FAC) – ECF No. 27 at 2 (¶ 1 & n.1 (citing NOOM, https://www.noom.com)), 5–11 (¶¶ 18–32, 38). Citations refer to material in the Electronic Case File (ECF); pinpoint citations are to the ECF-generated page numbers at the top of documents.

Id. at 2 (¶¶ 1–2), 5 (¶ 18), 11 (¶ 45), 16–21 (¶¶ 64–93); Mot. – ECF No. 36 at 8 (citing id. at 5 (¶ 18)).

Noom and FullStory moved to dismiss the claims, in part on the ground that FullStory — as Noom's vendor for analyzing its website traffic — was a party to the communication (and not an eavesdropper). FullStory also contends that the court lacks personal jurisdiction because it has no forum-related conduct. The plaintiffs do not plausibly plead that FullStory eavesdropped on their communications with Noom and instead plead only that FullStory is Noom's vendor for software services. They thus do not meet their prima facie burden to establish specific jurisdiction over FullStory, and they do not plausibly plead wiretapping in violation of California law.

Mots. – ECF Nos. 35 & 36.

STATEMENT

The next sections describe how FullStory's software works, how the plaintiffs used Noom's website (and what information FullStory's software captured), and the case's procedural history.

1. FullStory's Software

FullStory is a Delaware corporation headquartered in Atlanta, Georgia. It provides software to its clients (including Noom) to capture and analyze data so that the clients can see how visitors are using their websites. The clients put FullStory's code on their websites to capture the data, and then they can review the data, which is stored in the cloud on FullStory's servers. The software records visitor data such as keystrokes, mouse clicks, and page scrolling. Through a function called Session Replay, FullStory's clients can see a "playback" of any visitor's session. If the visitor is still on the site, the clients can see the session live.

FAC – ECF No. 27 at 3–4 (¶ 10).

Id. at 5 (¶ 18), 11 (¶ 39).

Id. at 4 (¶ 11) (FullStory is a "marketing software-as-a-service" company), 8 (¶ 29) (FullStory records information locally in the user's browser in real time, transmits the information to FullStory's servers every few seconds, and "makes the information available to its clients"), 11 (¶ 38) (Noom pays FullStory "for the keystrokes, mouse clicks[,] and other communications of visitors to its website").

Id. at 8 (¶¶ 26–30).

A video example of a session is on FullStory's website and shows a fictional user "flipping through" FullStory's Definitive Guide to Session Replay. The accompanying marketing materials say, "Notice how you can see interactions, mouse movements, clicks, interactions with overlays, and more — and everything is listed in order in a stream at the right side of the replay. This is what a session replay looks like in a FullStory app."

Id. at 5–6 (¶¶ 21–23) (emphasis omitted).

2. The Plaintiffs’ Use of Noom's Website

The plaintiffs are California citizens and residents, and Noom is a Delaware company headquartered in New York, New York. The plaintiffs browsed Noom's website (from California) to investigate Noom's "diet offerings." FullStory's Session Replay function "created a video capturing [their] keystrokes and mouse clicks on the website ... and also captured the date and time of their visits, the duration of the visits, [their] IP addresses, their locations at the time of the visits, their browser types, and the operating system on their devices."

Id. at 2–3 (¶¶ 4–6).

Id. at 11 (¶ 43).

"When users access [ ] Noom's website, they fill out a form and enter PII [personally identifiable information] and PHI [protected health information]," and FullStory's software "captures these electronic communications ... [e]ven if users do not complete the form." The captured PII and PHI includes — in addition to the information in the last paragraph — height, weight, gender, age, diet and exercise habits, some medical information, and email addresses.

Id. at 2 (¶ 1) (defining PII and PHI), 11–12 (¶¶ 44–46).

3. Procedural History

The plaintiffs’ amended complaint has three claims: (1) wiretapping, in violation of Cal. Penal Code § 631(a) ; (2) the sale of eavesdropping software, in violation of Cal. Penal Code § 635(a) ; and (3) invasion of privacy under California's Constitution. The putative class is "all California residents who visited Noom.com, and whose electronic communications were intercepted or recorded by FullStory." All parties consented to magistrate jurisdiction. The parties do not dispute that there is subject-matter jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2)(A). Noom and FullStory moved to dismiss the case. The court held a hearing on April 8, 2021.

Id. at 16–21 (¶¶ 64–93).

Id. at 15 (¶ 57).

Consents – ECF Nos. 6, 16, 24.

FAC – ECF No. 27 at 4 (¶ 13).

Mots. – ECF Nos. 35–36.

STANDARDS OF REVIEW

1. Rule 12(b)(1)

A complaint must contain a short and plain statement of the ground for the court's jurisdiction. Fed. R. Civ. P. 8(a)(1). The plaintiffs have the burden of establishing jurisdiction. Kokkonen v. Guardian Life Ins. Co. of Am. , 511 U.S. 375, 377, 114 S.Ct. 1673, 128 L.Ed.2d 391 (1994) ; Farmers Ins. Exch. v. Portage La Prairie Mut. Ins. Co. , 907 F.2d 911, 912 (9th Cir. 1990).

A defendant's Rule 12(b)(1) jurisdictional attack can be either facial or factual. White v. Lee , 227 F.3d 1214, 1242 (9th Cir. 2000). "A ‘facial’ attack asserts that a complaint's allegations are themselves insufficient to invoke jurisdiction, while a ‘factual’ attack asserts that the complaint's allegations, though adequate on their face to invoke jurisdiction, are untrue." Courthouse News Serv. v. Planet , 750 F.3d 776, 780 n.3 (9th Cir. 2014). This is a facial attack. The court thus "accept[s] all allegations of fact in the complaint as true and construe[s] them in the light most favorable to the plaintiff[ ]." Warren v. Fox Family Worldwide, Inc. , 328 F.3d 1136, 1139 (9th Cir. 2003). The defendants contend that the plaintiffs lack standing. Standing pertains to the court's subject-matter jurisdiction and thus is properly raised in a Rule 12(b)(1) motion to dismiss. Chandler v. State Farm Mut. Auto. Ins. Co. , 598 F.3d 1115, 1121–22 (9th Cir. 2010) (citation omitted).

Mot. – ECF No. 35 at 23–24; Mot. – ECF No. 36 at 15–16.

A court should dismiss a complaint without leave to amend only if the jurisdictional defect cannot be cured by amendment. Eminence Capital, LLC v. Aspeon, Inc. , 316 F.3d 1048, 1052 (9th Cir. 2003).

2. Rule 12(b)(2)

"In opposing a defendant's motion to dismiss for lack of personal jurisdiction, the plaintiff bears the burden of establishing that jurisdiction is proper." Ranza v. Nike, Inc. , 793 F.3d 1059, 1068 (9th Cir. 2015) (cleaned up and quotation omitted). The parties may submit, and the court may consider, declarations and other evidence outside the pleadings in determining whether it has personal jurisdiction. Doe v. Unocal Corp. , 248 F.3d 915, 922 (9th Cir. 2001), abrogated on other grounds as recognized in Williams v. Yamaha Motor Co. , 851 F.3d 1015, 1024 (9th Cir. 2001).

"Where, as here, the defendant's motion is based on written materials rather than an evidentiary hearing, the plaintiff need only make a prima facie showing of jurisdictional facts to withstand the motion to dismiss." Ranza , 793 F.3d at 1068 (cleaned up and quotation omitted). "Uncontroverted allegations must be taken as true, and conflicts between parties over statements contained in affidavits must be resolved in the plaintiff's favor." Id. (cleaned up and quotation omitted). But courts "may not assume the truth of allegations in a pleading which are contradicted by affidavit[.]" Mavrix Photo, Inc. v. Brand Techs., Inc. , 647 F.3d 1218, 1223 (9th Cir. 2011) (cleaned up and quotation omitted); accord Ranza , 793 F.3d at 1068 ("A plaintiff may not simply rest on the bare allegations of the complaint.") (cleaned up and quotation omitted).

3. Rule 12(b)(6)

A complaint must contain a "short and plain statement of the claim showing that the pleader is entitled to relief" to give the defendant "fair notice" of what the claims are and the grounds upon which they rest. Fed. R. Civ. P. 8(a)(2) ; Bell Atl. Corp. v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A complaint does not need detailed factual allegations, but "a plaintiff's obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do. Factual allegations must be enough to raise a claim for relief above the speculative level." Twombly , 550 U.S. at 555, 127 S.Ct. 1955 (cleaned up).

To survive a motion to dismiss, a complaint must contain sufficient factual allegations, which when accepted as true, "state a claim to relief that is plausible on its face." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Twombly , 550 U.S. at 570, 127 S.Ct. 1955 ). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. "The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully." Id. (citing Twombly , 550 U.S. at 557, 127 S.Ct. 1955 ). "Where a complaint pleads facts that are merely consistent with a defendant's liability, it stops short of the line between possibility and plausibility of ‘entitlement to relief.’ " Id. (cleaned up) (quoting Twombly , 550 U.S. at 557, 127 S.Ct. 1955 ).

A court should dismiss a complaint with leave to amend unless the "pleading could not possibly be cured by the allegation of other facts." United States v. United Healthcare Ins. Co. , 848 F.3d 1161, 1182 (9th Cir. 2016) (cleaned up).

ANALYSIS

Both defendants contend that the plaintiffs do not state statutory or constitutional claims for invasion of their privacy. There are three invasion-of-privacy claims: (1) eavesdropping in violation of CIPA, Cal. Penal Code § 631(a) ; (2) sale of eavesdropping software, in violation of CIPA, Cal. Penal Code § 635(a) ; and (3) invasion of privacy in violation of California's Constitution. In addition, Noom contends that the plaintiffs lack standing to pursue injunctive relief, and FullStory contends that it has no forum-related contacts (and there thus is no personal jurisdiction). Because the plaintiffs do not plausibly plead FullStory's wiretapping, the court dismisses the claims, holds that they did not meet their prima facie burden to establish specific personal jurisdiction over FullStory, and dismisses the claim for injunctive relief.

1. Section 631(a) Claim

Section 631(a) defines the following behavior as a crime:

Any person [1] who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection ... with any telegraph or telephone wire, line, cable, or instrument, ... or [2] who willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state, or [3] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [4] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above ....

Cal. Penal Code § 631(a). The defendants moved to dismiss the claim on three grounds: (1) there is no wrongful eavesdropping; (2) the claim rests in part on the collection of information that is not protected content; and (3) Noom's privacy policy discloses the data collection.

1.1 Eavesdropping

Under section 631(a), if a person secretly listens to another's conversation, the person is liable. Ribas v. Clark , 38 Cal. 3d 355, 359, 212 Cal.Rptr. 143, 696 P.2d 637 (1985). Only a third party can listen to a conversation secretly. Rogers v. Ulrich , 52 Cal. App. 3d 894, 899, 125 Cal.Rptr. 306 (1975). By contrast, a party to a communication can record it (and is not eavesdropping when it does). Id. at 897–99, 125 Cal.Rptr. 306 ; In re Facebook, Inc. Internet Tracking Litig. , 956 F.3d 589, 607 (9th Cir. 2020), cert. denied , No. 20-727, ––– U.S. ––––, 141 S.Ct. 1684, 209 L.Ed.2d 464 (U.S. Mar. 22, 2021).

The parties do not dispute that if Noom and Noom users were the only parties to the communications, then Noom would not be liable under section 631(a). But the plaintiffs contend that FullStory is not a party to the communications and thus is liable for recording them, and Noom is liable for aiding and abetting that eavesdropping. In another case in this district, the plaintiffs’ counsel predicated a section 631(a) claim on the same theory. Revitch v. New Moosejaw, LLC , No. 18-cv-06827-VC, 2019 WL 5485330, at *1 (N.D. Cal. Oct. 23, 2019). The Moosejaw plaintiff was a California resident and citizen who browsed defendant Moosejaw's website, where Moosejaw sells outdoor gear. Moosejaw imbedded defendant NaviStone's code in its website, enabling NaviStone — "an online marketing company and data broker that deals in U.S. consumer data" — to collect visitor data such as keystrokes, mouse clicks, and page scrolling. NaviStone captured the data, de-anonymized it, and matched it with other databases, thereby creating marketing databases of identified website visitors.

Mot. – ECF No. 35 at 17–19; Mot. – ECF No. 36 at 12–13; Opp'n – ECF No. 39 at 9–12; Opp'n – ECF No. 40 at 18–20.

Revitch v. New Moosejaw, LLC , No. 18-cv-06827-VC, Second Am. Compl. – ECF No. 43 at 2 (¶ 1), 4–17 (¶¶ 9–46).

The district court held that the allegations plausibly pleaded a section 631(a) claim that NaviStone was a third-party eavesdropper. It rejected NaviStone's contention that it received the communications directly and therefore was a party to them: "it cannot be that anyone who receives a direct signal escapes liability by becoming a party to the communication. Someone who presses up against a door to listen to a conversation is no less an eavesdropper just because the sound waves from the next room reach his ears directly." And it held Moosejaw liable as an aider and abettor of NaviStone's wrongdoing. Id. at *1–2.

The plaintiffs contend that, applying Moosejaw , FullStory is not a party, it instead is a third party that is liable for eavesdropping, and its contract with Noom does not make it any less of an eavesdropper. As a result, they contend, Noom is liable for FullStory's wrongdoing. But the allegations about FullStory are different than the acts that courts hold plausibly support a claim of surreptitious wiretapping by a third party.

Opp'n – ECF No. 39 at 9–12; Opp'n – ECF No. 40 at 19–20.

In Moosejaw , for example, NaviStone was a marketing company that partnered with e-commerce sites to intercept visitor data and create marketing databases of consumer information. In Facebook , Facebook tracked its users to third-party websites (through Facebook's code on the websites) — even when its users were not signed into Facebook, and then it sold that data to advertisers. 956 F.3d at 596, 607–08. NaviStone and Facebook were independent parties who mined information from other websites and sold it: NaviStone through its code on participating e-commerce sites and Facebook through its plug-ins on third-party sites.

By contrast, FullStory is a vendor that provides a software service that captures its clients’ data, hosts it on FullStory's servers, and allows the clients to analyze their data. Unlike NaviStone's and Facebook's aggregation of data for resale, there are no allegations here that FullStory intercepted and used the data itself. Instead, as a service provider, FullStory is an extension of Noom. It provides a tool — like the tape recorder in Rogers — that allows Noom to record and analyze its own data in aid of Noom's business. See 52 Cal. App. 3d at 897–99, 125 Cal.Rptr. 306. It is not a third-party eavesdropper.

Mot. – ECF No. 35 at 18 (making this argument); Reply – ECF No. 41 at 11 (same).

FullStory cites Javier v. Assurance IQ to support its argument. Reply – ECF No. 41 at 14 (citing No. 20-cv-02860-JSW, 2021 WL 940319, at *4 n.5 (N.D. Cal. Mar. 9, 2021) ). The two Javier defendants were an online platform for insurance quotes and its software provider, which had a product that allowed analysis of data (like the analysis here). 2021 WL 940319 at *1. The allegations did not plausibly plead a section 631(a) claim because "the complaint never alleges that [software provider] ActiveProspect itself ever[ ] recorded or received his data, only that it provided a product by which Assurance did so." Id. at *4 n.5. By contrast, here, FullStory transmitted the data to its servers.

As a result, Noom is not liable for aiding and abetting FullStory's wrongdoing because there is no wrongdoing. Cf. Moosejaw , 2019 WL 5485330 at *2. Moosejaw deserves emphasis here. In holding Moosejaw plausibly liable for aiding and abetting NaviStone's misconduct, the court recognized that Moosejaw "cannot be liable for eavesdropping on its own communications" or recording its own communications and sending them to NaviStone (because sharing a record is not eavesdropping). Id. (citing Rogers , 52 Cal. App. 3d at 898, 125 Cal.Rptr. 306 ; Ribas , 38 Cal. 3d at 360–61, 212 Cal.Rptr. 143, 696 P.2d 637 ). But it could be liable if it allowed the equivalent of permitting "an outsider to tap his telephone or listen in on the call"). Id. (quoting Ribas , 38 Cal. 3d at 363, 212 Cal.Rptr. 143, 696 P.2d 637 ). There is no equivalent of a wiretap here, which supports the conclusion that FullStory is not a third-party eavesdropper.

1.2 Protected Content

The defendants also moved to dismiss on the ground that section 631(a) prohibits only the unauthorized access of the content of communications, and the plaintiffs predicate their claim in part on information — such as IP addresses, locations, browser types, and operating systems — that is not content. The plaintiffs did not dispute that this information is not content but contend that other website interactions are content.

Mot. – ECF No. 35 at 20; Mot. – ECF No. 36 at 15 n.2; Reply – ECF No. 41 at 14–16.

Opp'n – ECF No. 39 at 12–14; Opp'n – ECF No. 40 at 21–23.

Section 631(a) prohibits the unauthorized access of the contents of any communications. Cal. Penal Code § 631(a) ; Brodsky v. Apple Inc. , 445 F. Supp. 3d 110, 127 (N.D. Cal. 2020). The "contents" of a communication under CIPA and the federal Wiretap Act are the same. Brodsky , 445 F. Supp. 3d at 127 (citation omitted). The "content" of a communication is "the intended message conveyed by the communication." In re Zynga Priv. Litig. , 750 F.3d 1098, 1106 (9th Cir. 2014). It does not include "record information regarding the characteristics of the message that is generated in the course of the communication" such as "the name, address and subscriber number or identity of a subscriber or customer." Id. (cleaned up). Similarly, the origin, length, and time of a call, or geolocation data are not content. United States v. Reed , 575 F.3d 900, 914–17 (9th Cir. 2009) ; S.D. v. Hytto Ltd. , No. 18-cv-00688-JSW, 2019 WL 8333519, at *6 (N.D. Cal. May 15, 2019).

Given the plaintiffs’ concessions, the court dismisses the claim to the extent that it is predicated on non-content information. See Hytto , 2019 WL 8333519 at *7 (dismissing federal wiretapping claim "to the extent the allegations concern the interception of date and time information"). In any amended complaint, the plaintiffs can delineate content from non-content records. 1.3 Privacy Policy

FullStory also contends that Noom's privacy policy discloses the possibility of data collection and analysis. The plaintiffs counter that they could not consent to wiretapping that happened when they accessed the website and before they could read the policy, notice was insufficient, and the policy in any event did not disclose wiretapping.

Mot. – ECF No. 35 at 21–22; Reply – ECF No. 41 at 17.

Opp'n – ECF No. 40 at 24–29.

The privacy policy discloses that Noom "may use various methods and technologies" to store or collect usage information, such as tracking technologies (that alter settings and configurations on the user's device), cookies, web beacons, and embedded scripts.

An embedded script is programming code that is designed to collect information about User's interactions with the Website, Mobile App and Services, such as the links User clicks on. The code is temporarily downloaded onto User's Device from Noom's web server and/or Mobile App or a third party service provider, is active only while User is connected to the Website and/or Mobile App, and is deactivated or deleted thereafter.

Privacy Policy, Ex. A to Zhang Decl. – ECF No. 45-1 at 6. The court considers the privacy policy under the incorporation-by-reference doctrine. Knievel v. ESPN , 393 F.3d 1068, 1076 (9th Cir. 2005) ; FAC – ECF No. 27 at 12–14 (¶¶ 48–54) (citing Noom's privacy policy).

The privacy policy is available via a link at the bottom of Noom's homepage and is in "small, non-contrasting font (i.e. light grey against a white background) ...."

Visitors to the website are given no notice and are not prompted to take any affirmative action to demonstrate assent. Visitors are not required to read or acknowledge the Privacy Policy to use the website. In any event, by the time a website user visited the Privacy Policy, the [software] on Noom's website will have already deployed.

FAC – ECF No. 27 at 12 (¶ 48).

The parties largely talk past each other in their briefs. FullStory's main argument is that to be liable, its acts must be surreptitious, and given the policy's disclosures, the plaintiffs did not plausibly plead its surreptitious acts. The plaintiffs mainly argue traditional principles of consent (although they also contend that the policy does not disclose wiretapping). FullStory counters that it never argued traditional consent (although it points out in its reply that retroactive consent can be valid).

Mot. – ECF No. 35 at 21–22.

Opp'n – ECF No. 40 at 24–29.

Reply – ECF No. 41 at 17.

The parties’ arguments about consent do not permit resolution of the issue. As to the adequacy of the privacy policy's disclosures, FullStory made a practical argument but did not cite cases to support it. (Perhaps there are none.) Given the court's holding that there is no wiretapping, the issues — consent and the policy's alleged failure to disclose wiretapping — are moot. On this round of motions, the privacy policy is not a separate ground to dismiss the claim.

* * *

The court dismisses the section 631(a) claim with leave to amend.

2. Section 635(a) Claim

Section 635(a) defines the following behavior as a crime:

Every person who manufactures, assembles, sells, offers for sale, advertises for sale, possesses, transports, imports, or furnishes to another any device which is primarily or exclusively designed or intended for eavesdropping upon the communication of another ... shall be punished....

Cal. Penal Code § 635(a).

The defendants moved to dismiss on two grounds: (1) the plaintiffs were not injured and thus do not have a private right of action under section 635(a) or Article III standing; and (2) FullStory's code is not a device designed primarily or exclusively for eavesdropping.

Mot. – ECF No. 35 at 23–25; Mot. – ECF No. 36 at 15–18.

First, the plaintiffs do not have a private right of action and lack Article III standing.

CIPA creates a private right of action for "any person who has been injured by a violation of this chapter...." Cal. Penal Code § 637.2(a). "It is not a necessary prerequisite to an action pursuant to this section that the plaintiff has suffered, or be threatened with, actual damages." Id. § 637.2(c).

The plaintiffs "do not base their standing on mere possession of a wiretapping device, but on FullStory's knowledge and active involvement in using that device to monitor [their] communications." Because there is no eavesdropping, there is no violation of CIPA. The plaintiffs thus suffered no injury, and they have no private right of action. Id. § 637.2(a).

Opp'n – ECF No. 40 at 30 (citing FAC – ECF No. 27 at 2 (¶ 1), 11 (¶¶ 35–40, 43), & 19 (¶ 80)).

That means that they lack Article III standing too. If FullStory had eavesdropped on them, then there would be concrete injury. Moosejaw , 2019 WL 5485330 at *1. But there is no plausible eavesdropping, and thus there is "(1) [no] injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo, Inc. v. Robins , 578 U.S. 330, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016) (citation omitted).

Second, at least one court assumed the truth of allegations that session-replay code is a "device ... is primarily or exclusively designed or intended for eavesdropping upon the communication of another." Cal. Penal Code § 635(a) ; Moosejaw , 2019 WL 5485330 at *3. Given the lack of a private right of action or Article III standing, the court does not address the issue further.

3. Invasion of Privacy Under California's Constitution

The plaintiffs claim that the defendants intentionally invaded their privacy rights under the California Constitution "by implementing FullStory's wiretaps on Noom's Website." Because there is no wiretap, the plaintiffs did not plausibly plead a legally protected privacy interest.

FAC – ECF No. 27 at 21 (¶¶ 88–89).

The elements of a claim for invasion of privacy under the California Constitution are "(1) the [plaintiffs] possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is ‘so serious as to constitute an egregious breach of social norms’ such that the breach is ‘highly offensive.’ " Facebook , 956 F.3d at 601 (quoting Hernandez v. Hillsides, Inc. , 47 Cal. 4th 272, 287, 97 Cal.Rptr.3d 274, 211 P.3d 1063 (2009) ); Hill v. Nat'l Collegiate Athletic Ass'n , 7 Cal. 4th 1, 35–37, 26 Cal.Rptr.2d 834, 865 P.2d 633 (1994). The first prong — "[w]hether a legally recognized privacy interest is present in a given case [—] is a question of law to be decided by the court." Hill , 7 Cal. 4th at 40, 26 Cal.Rptr.2d 834, 865 P.2d 633. The second and third prongs are "mixed questions of law and fact." Id.

The plaintiffs do not complain that providing the information to Noom violates their privacy rights. Their claim rests on their allegations that "[u]sers are never told that their electronic communications are being wiretapped by FullStory." They "allege [that] FullStory, with Noom's consent and participation, surreptitiously collected and stored highly sensitive PII and PHI in real time." They oppose the motion to dismiss the claim because "[t]his is a wiretapping case, and Plaintiffs sufficiently allege that they did not know that a third party — FullStory — was secretly recording their interactions with Noom's website without Plaintiffs’ consent." Because there was no plausible wiretapping by FullStory, the plaintiffs did not plausibly plead that they possess a legally protected privacy interest. Facebook , 956 F.3d at 601 ; Hernandez , 47 Cal. 4th at 287, 97 Cal.Rptr.3d 274, 211 P.3d 1063 ; Hill , 7 Cal. 4th at 35, 40, 26 Cal.Rptr.2d 834, 865 P.2d 633. The court grants the motion to dismiss.

Opp'n – ECF No. 40 at 32 (quoting FAC – ECF No. 27 at 12 (¶ 47) and citing id. at 14 (¶ 53)).

Opp'n – ECF No. 39 at 17 (citing FAC – ECF No. 27 at 2 (¶ 1) & 11 (¶ 45)).

Id. at 18–19 (quoting FAC – ECF No. 27 at 2 (¶¶ 4–5) & 12 (¶ 47)).

4. Standing to Seek Injunctive Relief

Noom moved to dismiss the claims for injunctive relief because the plaintiffs did not plead their intent to use Noom's platform in the future. The plaintiffs countered that Ms. Moise's intent "is reasonably inferred" and can be cured through amendment (and abandoned Ms. Graham's claim). The court dismisses Ms. Graham's claim with prejudice and Ms. Moise's claim with leave to amend.

Mot. – ECF No. 36 at 24–25.

Opp'n – ECF No. 39 at 22–23.

5. Personal Jurisdiction over FullStory

The plaintiffs have not met their prima facie burden to establish specific jurisdiction.

In diversity cases, "federal courts ordinarily follow state law in determining the bounds of their jurisdiction over persons." Picot v. Weston , 780 F.3d 1206, 1211 (9th Cir. 2015) (cleaned up). "The general rule is that personal jurisdiction is proper if permitted by a long-arm statute and if the exercise of that jurisdiction does not violate federal due process." Pebble Beach v. Caddy , 453 F.3d 1151, 1154–55 (9th Cir. 2006) (analyzing California and federal long-arm statutes). "Because California's long-arm statute allows the exercise of personal jurisdiction to the full extent permissible under the U.S. Constitution, a court's inquiry centers on whether exercising jurisdiction comports with due process." Picot , 780 F.3d at 1211 (cleaned up and quotation omitted). The due-process inquiry is whether the defendant has sufficient minimum contacts with the forum such that the assertion of jurisdiction in the forum " ‘does not offend traditional notions of fair play and substantial justice.’ " Pebble Beach , 453 F.3d at 1154–55 (quoting Int'l Shoe Co. v. Washington , 326 U.S. 310, 315, 66 S.Ct. 154, 90 L.Ed. 95 (1945) ).

There are two types of personal jurisdiction: general and specific. Bristol-Myers Squibb Co. v. Super. Ct. , ––– U.S. ––––, 137 S. Ct. 1773, 1779–80, 198 L.Ed.2d 395 (2017). The plaintiffs assert specific personal jurisdiction. "In order for a state court to exercise specific jurisdiction, the suit must arise out of or relate to the defendant's contacts with the forum. " Id. at 1780 (cleaned up). "In other words, there must be an affiliation between the forum and the underlying controversy, principally, an activity or an occurrence that takes place in the forum State and is therefore subject to the State's regulation." Id. "For this reason, specific jurisdiction is confined to adjudication of issues deriving from, or connected with, the very controversy that establishes jurisdiction." Id. The Ninth Circuit employs a three-prong test to assess whether a defendant has sufficient contacts with the forum to be subject to specific personal jurisdiction:

Opp'n – ECF No. 40 at 10.

(1) The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws;

(2) the claim must be one which arises out of or relates to the defendant's forum-related activities; and

(3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.

Picot , 780 F.3d at 1211. "The plaintiff has the burden of proving the first two prongs." Id. at 1211–12. "If he does so, the burden shifts to the defendant to set forth a compelling case that the exercise of jurisdiction would not be reasonable." Id. at 1212 (cleaned up). With respect to the first prong, courts apply a "purposeful availment" analysis in suits sounding in contract and a "purposeful direction" analysis (also known as the effects test) in suits sounding in tort. Schwarzenegger v. Fred Martin Motor Co. , 374 F.3d 797, 802 (9th Cir. 2004). The purposeful-direction test applies here.

Mot. – ECF No. 35 at 14–15; Opp'n – ECF No. 40 at 11.

Under the Calder effects test, purposeful direction exists when a defendant commits an act outside the forum that was intended to and does in fact cause injury in the forum, meaning, the defendant must (1) commit an intentional act (2) expressly aimed at the forum (3) that causes harm that the defendant knows is likely to be suffered in the forum. Calder v. Jones , 465 U.S. 783, 788–89, 104 S.Ct. 1482, 79 L.Ed.2d 804 (1984) ; Washington Shoe Co. v. A–Z Sporting Goods Inc. , 704 F.3d 668, 673 (9th Cir. 2012) (quoting Mavrix , 647 F.3d at 1228 ), abrogated on other grounds as recognized in Axiom Foods, Inc. v. Acerchem Int'l, Inc. , 874 F.3d 1064, 1069 (9th Cir. 2017). The effects test focuses on "the forum in which the defendant's acts were felt, whether or not the actions themselves occurred within the forum." Mavrix , 647 F.3d at 1228. "However, referring to the Calder test as an effects test can be misleading. For this reason, we have warned courts not to focus too narrowly on the test's third prong — the effects prong — holding that something more is needed in addition to a mere foreseeable effect." Pebble Beach , 453 F.3d at 1156 (cleaned up).

The allegations in the complaint establish only that FullStory is Noom's vendor for a software service that Noom uses to analyze its data. A vendor's selling a product to Noom — even if Noom has substantial business here and the vendor knew it — does not establish specific personal jurisdiction over the vendor. The plaintiffs do not contest this point. Instead, they predicate jurisdiction on FullStory's wiretapping. They allege that (1) "Defendants knew that a significant number of Californians would visit Noom's website, because they form a significant portion of Noom's customer base," and (2) "[b]y intercepting the transmissions of Noom website users, Defendants targeted their wrongful conduct at customers, some of whom Defendants knew, at least constructively, were residents of California," thus causing harm in California. Their basis for jurisdiction is the wiretapping of those customers: "At least three courts have held the ‘intentional act’ standard is easily satisfied where plaintiff alleges wiretapping claims." Because they did not plausibly plead wiretapping, the plaintiffs have not met their prima facie burden to establish specific personal jurisdiction.

FAC – ECF No. 27 at 3 (¶ 8), 4–5 (¶ 15).

Id. at 4–5 (¶ 15).

Opp'n – ECF No. 40 at 11 (citing Hytto , 2019 WL 8333519 at *4, and two other cases).

CONCLUSION

The court dismisses the complaint with leave to amend within 21 days (except it dismisses Ms. Graham's claim for injunctive relief with prejudice). Any amended complaint must attach a blackline comparison between the current complaint and the amended complaint.

IT IS SO ORDERED.


Summaries of

Graham v. Noom, Inc.

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA San Francisco Division
Apr 8, 2021
533 F. Supp. 3d 823 (N.D. Cal. 2021)

holding that because there were no allegations that the third party "intercepted and used the data itself," plaintiff did not plausibly plead third party software provider eavesdropped on plaintiffs' communications, but pled only that the third party was "a vendor that provides a software service"

Summary of this case from Massie v. Gen. Motors

determining a third party software company was not liable where it captured and stored its client's information

Summary of this case from Licea v. Am. Eagle Outfitters, Inc.

determining a third party software company was not liable where it captured and stored its client's information

Summary of this case from Licea v. Cinmar, LLC

recognizing case law finding that "the 'intentional act' standard is easily satisfied where plaintiff alleges wiretapping claims," but granting motion to dismiss because plaintiffs "did not plausibly plead wiretapping, the plaintiffs have not met their prima facie burden to establish specific personal jurisdiction."

Summary of this case from Doe v. Fullstory, Inc.

In Graham, a website used a software to record what visitors were doing on the website, such as their keystrokes, mouse clicks, and page scrolling, so that it could see how visitors were using its website.

Summary of this case from Rodriguez v. Ford Motor Co.

In Graham, the court reasoned that the tracking defendant provided a tool, like a tape recorder, and therefore was not an eavesdropper.

Summary of this case from Mikulsky v. Bloomingdale's, LLC

In Graham, the court reasoned that the tracking defendant provided a tool, like a tape recorder, and therefore was not an eavesdropper.

Summary of this case from Kauffman v. Papa John's Int'l

In Graham, FullStory provided a "software service that captures its clients' data, hosts it on FullStory's servers, and allows the clients to analyze their data." Id.

Summary of this case from Yockey v. Salesforce, Inc.
Case details for

Graham v. Noom, Inc.

Case Details

Full title:AUDRA GRAHAM and STACY MOISE, individually and on behalf of all others…

Court:UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA San Francisco Division

Date published: Apr 8, 2021

Citations

533 F. Supp. 3d 823 (N.D. Cal. 2021)

Citing Cases

Garcia v. Build.com

” Id. (citing Graham v. Noom, 533 F.Supp.3d 823, 832 (N.D. Cal.…

Byars v. Hot Topic, Inc.

Relying in large part on the state court authorities, federal district courts have applied the direct party…