Summary
distinguishing the data at issue in Carpenter from IP addresses for purposes of standing under Article III of the federal constitution, not the Fourth Amendment
Summary of this case from People v. SeymourOpinion
Case No. 18-cv-06399-JD Case No. 18-cv-06793-JD
12-24-2020
Franklin David Azar, Pro Hac Vice, Michael Davitt Murphy, Pro Hac Vice, Paul R. Wood, Pro Hac Vice, Margeaux Rachelle Azar, Pro Hac Vice, Sean Olsen McCrary, Franklin D. Azar & Associates, P.C., Aurora, CO, Ivy T. Ngo, Roche Cyrulnik Freedman LLP, Miami, FL, Barrett Jay Vahle, Pro Hac Vice, Jillian Rebecca Dent, Pro Hac Vice, Stueve Siegel Hanson LLP, Kansas City, MO, James E. Hoffmann, Levin & Hoffmann, LLP, Calabasas, CA, Katherine Marie Aizpuru, Tycko & Zavareei LLP, Washington, DC, Sabita J. Soneji, Tycko & Zavareei LLP, Oakland, CA, for Plaintiff Brendan Lundy. Ivy T. Ngo, Roche Cyrulnik Freedman LLP, Miami, FL, Michael Davitt Murphy, Pro Hac Vice, Paul R. Wood, Pro Hac Vice, Franklin D. Azar & Associates, P.C., Aurora, CO, Barrett Jay Vahle, Pro Hac Vice, Jillian Rebecca Dent, Pro Hac Vice, Stueve Siegel Hanson LLP, Kansas City, MO, Katherine Marie Aizpuru, Tycko & Zavareei LLP, Washington, DC, Sabita J. Soneji, Tycko & Zavareei LLP, Oakland, CA, for Plaintiff Myriah Watkins. Michael Davitt Murphy, Franklin D. Azar & Associates, P.C., Aurora, CO, for Plaintiffs Elizabeth Childers, Michelle Agnitti, Robin Hodge, William Jolly. Andrew Cath Rubenstein, Rosemarie Theresa Ring, Munger, Tolles & Olson LLP, San Francisco, CA, Laura Danielle Smolowe, Munger Tolles Olson LLP, Los Angeles, CA, Zoe Bedell, Munger, Tolles & Olson LLP, Washington, DC, for Defendant.
Franklin David Azar, Pro Hac Vice, Michael Davitt Murphy, Pro Hac Vice, Paul R. Wood, Pro Hac Vice, Margeaux Rachelle Azar, Pro Hac Vice, Sean Olsen McCrary, Franklin D. Azar & Associates, P.C., Aurora, CO, Ivy T. Ngo, Roche Cyrulnik Freedman LLP, Miami, FL, Barrett Jay Vahle, Pro Hac Vice, Jillian Rebecca Dent, Pro Hac Vice, Stueve Siegel Hanson LLP, Kansas City, MO, James E. Hoffmann, Levin & Hoffmann, LLP, Calabasas, CA, Katherine Marie Aizpuru, Tycko & Zavareei LLP, Washington, DC, Sabita J. Soneji, Tycko & Zavareei LLP, Oakland, CA, for Plaintiff Brendan Lundy.
Ivy T. Ngo, Roche Cyrulnik Freedman LLP, Miami, FL, Michael Davitt Murphy, Pro Hac Vice, Paul R. Wood, Pro Hac Vice, Franklin D. Azar & Associates, P.C., Aurora, CO, Barrett Jay Vahle, Pro Hac Vice, Jillian Rebecca Dent, Pro Hac Vice, Stueve Siegel Hanson LLP, Kansas City, MO, Katherine Marie Aizpuru, Tycko & Zavareei LLP, Washington, DC, Sabita J. Soneji, Tycko & Zavareei LLP, Oakland, CA, for Plaintiff Myriah Watkins.
Michael Davitt Murphy, Franklin D. Azar & Associates, P.C., Aurora, CO, for Plaintiffs Elizabeth Childers, Michelle Agnitti, Robin Hodge, William Jolly.
Andrew Cath Rubenstein, Rosemarie Theresa Ring, Munger, Tolles & Olson LLP, San Francisco, CA, Laura Danielle Smolowe, Munger Tolles Olson LLP, Los Angeles, CA, Zoe Bedell, Munger, Tolles & Olson LLP, Washington, DC, for Defendant.
ORDER RE MOTIONS TO DISMISS
Re: Dkt. No. 76
Re: Dkt. No. 82
JAMES DONATO, United States District Judge
These cases are related putative class actions by Facebook users, who challenge Facebook, Inc.’s collection of personal location data. Facebook's motion to dismiss in Heeger , Case No. 18-6399, is granted, and its motion to dismiss in Lundy , Case No. 18-6793, is granted and denied in part.
BACKGROUND
In both cases, the first amended class action complaints are the operative pleadings. See Case No. 18-6399, Dkt. No. 74 ("Heeger FAC"); Case No. 18-6793, Dkt. No. 80 ("Lundy FAC"). While the allegations in the complaints overlap to a considerable degree, Lundy presents some material variations that warrant a different outcome for the motion. Facebook is the sole named defendant in each action.
The Heeger FAC added three named plaintiffs -- Zachary Henderson, Caleb Rappaport, and Elizabeth Pomiak -- to plaintiff Brett Heeger, who filed the original complaint. Heeger FAC ¶¶ 14-17. As alleged in the FAC, Facebook "describ[es]" the "Location History" feature in its mobile app, and the "Location Services" setting on users’ cell phones, as "settings through which Facebook users can purportedly control location tracking." Id. ¶¶ 4-5. But Facebook "collects users’ location data without those users’ consent, regardless of their settings." Id. ¶ 5. Facebook then "highlights the detail and specificity of that data" to its advertisers, and "uses th[e] data to precisely target its advertiser customers’ advertisements to Facebook users." Id. The FAC alleges California state law claims on behalf of a putative class of "[a]ll Facebook users in the United States who turned off ‘Location History’ or ‘Location Services’ or both, during the applicable limitations period," for: (1) violation of the California Invasion of Privacy Act, Cal. Pen. Code § 630 et seq. ("CIPA"); (2) violation of California's constitutional right of privacy; (3) intrusion upon seclusion; and (4) unjust enrichment. Id. ¶¶ 67, 81-107.
The Lundy FAC was brought by two plaintiffs: Brendan Lundy and Myriah Watkins. Lundy FAC ¶¶ 10-19. The FAC alleges that they "never granted Facebook permission to access [their] location data through [their] Location Services or Facebook App settings," and that they specifically had their "Location History" Facebook app setting turned to "off." Id. ¶¶ 11, 16. Plaintiffs allege that "[c]ontrary to plaintiffs’ device settings selections, and contrary to Facebook's Privacy Policy in effect during the relevant time period, Facebook tracked plaintiffs’ locations using their IP addresses and enhanced location determination techniques." Id. ¶ 5. Facebook is said to have "bundled this location information with plaintiffs’ other personal information," and then "monetized these bundled packages ... for targeted advertising purposes, thus enriching itself" in the amount of "hundreds of millions of dollars from increased advertising revenue." Id.
Unlike Heeger , the Lundy plaintiffs limit their claims to the time period before April 19, 2018. See id. ¶ 99 (alleging the lawsuit is brought on behalf of persons "who were users of Facebook prior to April 19, 2018 who did not give Facebook permission to collect and use their location information"). Plaintiffs acknowledge that Facebook adopted on that date a "revised privacy policy" which disclosed "that Facebook will collect location data using IP addresses, even without user permission." Id. ¶¶ 25-26. The Lundy FAC quotes the revised policy, which expressly advised users that "[y]ou can control whether your device shares precise location information with Facebook Company Products via Location Services," but also that "[w]e may still understand your location using things like check-ins, events, and information about your internet connection." Id. ¶ 26. It agrees that this revised policy, unlike the prior version, "advises users that it will collect their location information, including location information derived from IP addresses without user consent, and bundle this location information, with ‘information about [their] interests, actions and connections,’ to deliver personalized advertising and sponsored content." Id. ¶ 27.
The complaint in Lundy also differs from Heeger in the claims alleged against Facebook. The Lundy plaintiffs make claims for: (1) violation of article I, section 1 of the California constitution ; (2) intrusion upon seclusion; (3) intentional misrepresentation and omission; (4) deceit by concealment or omission, Cal. Civ. §§ 1709 & 1710 ; (5) breach of contract; (6) breach of implied covenant of good faith and fair dealing; (7) negligent misrepresentation; and (8) unjust enrichment. Id. ¶¶ 108-96.
Facebook has moved to dismiss both amended complaints under Rules 12(b)(1) and 12(b)(6) of the Federal Rules of Civil Procedure. Heeger Dkt. No. 76; Lundy Dkt. No. 82.
When necessary for clarity, the Court will specify the case name for the ECF docket cites.
DISCUSSION
I. FACEBOOK'S MOTION TO DISMISS IN HEEGER
This is the second round of pleadings motions in Heeger. The Court granted Facebook's initial motion to dismiss, with leave to amend. Dkt. No. 70. In that order, the Court concluded that plaintiff Heeger had established Article III standing to sue on the privacy and other claims. Id. at 2-4. On substantive grounds, the CIPA claim was dismissed because the complaint did not plausibly allege the use of an "electronic tracking device" as required by California Penal Code § 637.7(a). Id. at 4. The privacy claims for intrusion upon seclusion and violation of the California constitutional right to privacy were dismissed because the complaint did not "provide enough facts to undertake the context-specific inquiry into the plausibility of the privacy expectation or the offensiveness of the intrusion." Id. at 5-6. The Court determined that the complaint "does not state the precision of the location data Facebook is alleged to have collected after users turned off ‘Location History.’ " Id. at 6. The Court underscored that "[t]his is important because a generalized location, such as one that locates a user no more precisely than within several city blocks, may not implicate much in the way of privacy concerns," whereas "[h]ighly specific location data ... that identifies a user's pinpoint comings and goings would likely present substantially greater concerns." Id.
Plaintiffs amended the complaint, but with scant improvement. The Heeger FAC now reads like a book report that simply summarizes third-party news stories about Facebook's ostensible capacity to "discern precise locations" from user data. See , e.g. , Heeger FAC ¶¶ 8, 48-50, 53 & nn.4-5, 29-31. Few facts are alleged without the caveat of "on information or belief," or without hedging on whether Facebook actually does what Heeger accuses, or simply has the ability to do it. See, e.g., id. ¶ 49 (alleging that "Facebook can also match IP addresses taken from users who have turned Location Services and Location History off with IP address information taken from users who have not limited Facebook's ability to access their location and who have given Facebook access to extremely precise location data, like Wifi access points or GPS") (first emphasis added); id. & n.29 (citing an article entitled, How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots , and alleging "upon information and belief, Facebook does this in order to obtain precise location data about all its users, without disclosing this practice.").
The degree to which plaintiffs’ cited articles and materials actually support the associated FAC allegations is not germane to the Court's analysis. The Court consequently declines to take judicial notice of Facebook's proffered Exhibits D through L. Dkt. No. 77. Facebook's unopposed request to take judicial notice of Exhibits A through C, Dkt. Nos. 77, 81, is granted.
These allegations did nothing to fill in the substantive gaps in the original complaint. They did little more than parrot internet musings about things Facebook may or may not be doing, and which plaintiffs may or may not have experienced themselves. When these fillers are stripped away, all that the Heeger FAC alleges is that Facebook collected plaintiffs’ IP addresses. See id. ¶ 41 ("At a minimum, Facebook tracks its users’ IP addresses regardless of whether they have affirmatively sought to limit Facebook's ability to track their locations by turning Location History and Location Services ‘off.’ "); ¶ 42 ("Facebook ... continues to track users’ approximate location using IP addresses"); n.24 (Facebook's statements do not "make clear that Facebook is collecting IP address information even in cases where users have chosen to limit Facebook's access to their location data"); ¶ 45 ("turning Location History ‘off’ has no impact on Facebook's collection of location information -- at a minimum IP address information"); ¶ 46 (Facebook's representations obscure the fact that "Facebook continues collecting IP address information (and in some cases other location information)"). In addition, the primary and sole factual allegation made about location data actually collected from the plaintiffs is that plaintiff Heeger "discovered 104 pages of IP addresses showing locations where he accessed his Facebook account spanning from 2014 through August 2018." Id. ¶ 14.
Consequently, the Heeger FAC plausibly alleges only that Facebook collected plaintiffs’ IP addresses and even then, only when they were using the Facebook app or were visiting Facebook's website. Id. ¶ 41. This creates an Article III standing problem for plaintiffs. As Article III of the United States Constitution states, federal courts have the "power to decide legal questions only in the presence of an actual ‘Cas[e]’ or ‘Controvers[y].’ " Wittman v. Personhuballah , ––– U.S. ––––, 136 S.Ct. 1732, 1736, 195 L.Ed.2d 37 (2016). The party invoking a federal court's jurisdiction must demonstrate standing by showing that she has "suffered an ‘injury in fact,’ that the injury is ‘fairly traceable’ to the conduct being challenged, and that the injury will likely be ‘redressed’ by a favorable decision." Id. (quoting Lujan v. Defenders of Wildlife , 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ). Standing is an ongoing inquiry, and "[t]he need to satisfy these three [ Article III standing] requirements persists throughout the life of the lawsuit." Id. (citation omitted). The Court has an independent duty to be vigilant about standing, and Facebook has renewed its Article III standing challenge by invoking Federal Rule of Civil Procedure Rule 12(b)(1) as a basis for the motion to dismiss, and by asserting "that the FAC fails adequately to allege ‘injury in fact’ for purposes of Article III standing." Dkt. No. 76 at 6 n.4.
As Facebook suggests, it is the injury in fact prong that requires the closest examination here. To establish injury in fact, a plaintiff must show that he or she suffered "an invasion of a legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not conjectural or hypothetical." Lujan , 504 U.S. at 560, 112 S.Ct. 2130 (quotations and citations omitted). Article III standing is "not dispensed in gross," Lewis v. Casey , 518 U.S. 343, 358 n.6, 116 S.Ct. 2174, 135 L.Ed.2d 606 (1996), and must be demonstrated "for each claim plaintiff[s] seek[ ] to press" and "for each form of relief" that is sought. DaimlerChrysler Corp. v. Cuno , 547 U.S. 332, 352, 126 S.Ct. 1854, 164 L.Ed.2d 589 (2006) (quotations and citations omitted). "Where standing is raised in connection with a motion to dismiss, the court is to accept as true all material allegations of the complaint, and ... construe the complaint in favor of the complaining party." In re Facebook, Inc. Internet Tracking Litigation , 956 F.3d 589, 597 (9th Cir. 2020) (quotations omitted).
Although the Court found that plaintiff Heeger had Article III standing based on the allegations in his original complaint, Dkt. No. 70, that conclusion must be reconsidered in light of the pleading amendments. The amended allegations show that plaintiffs do not have standing to bring claims for intrusion upon seclusion, violation of the California constitution, article I, section 1, or for a violation of CIPA, because they have not plausibly alleged any privacy injuries. See In re Facebook , 956 F.3d at 598. Plaintiffs do not plausibly allege anything more than the collection of IP addresses, and there is no legally protected privacy interest in IP addresses. That is because "every computer or server connected to the Internet has a unique IP address," United States v. Forrester , 512 F.3d 500, 510 n.5 (9th Cir. 2008), and "[a]n ‘IP address’ is a numerical identifier for each computer or network connected to the Internet." In re Facebook , 956 F.3d at 596 n.2. "Internet users have no expectation of privacy in ... IP addresses of the websites they visit because they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information." Forrester , 512 F.3d at 510. IP addresses "are voluntarily turned over in order to direct the third party's servers," id. , and so no reasonable expectation of privacy attaches to them.
The fact that the IP addresses at issue here are assigned to cell phones does not lead to a different conclusion. While the United States Supreme Court noted in Carpenter v. United States , ––– U.S. ––––, 138 S.Ct. 2206, 2218-20, 201 L.Ed.2d 507 (2018), that cell phones have become "almost a ‘feature of human anatomy,’ " and uniquely offer a highly effective means of "achiev[ing] near perfect surveillance," these observations were expressly limited to the context of the cell-site location information (CSLI) data that was before the Court. That is a key point of distinction because cell-site location information data and IP addresses are apples and oranges for privacy purposes. CSLI data is much more sticky and persistent, as it is generated "several times a minute whenever [a cell phone's] signal is on, even if the owner is not using one of the phone's features." Id. at 2211. Carpenter indicates that it also more exact in pinpointing a location than an IP address, but the full degree of that is difficult to gauge here because the Heeger plaintiffs provided no meaningful descriptions of how precise their IP address data was.
In addition, the number of cell sites has mushroomed in response to rising cell phone data traffic in the United States, which has led to "increasingly compact coverage areas, especially in urban areas." Id. at 2211-12. In Carpenter , the CSLI data was described as placing defendant "within a wedge-shaped sector ranging from one-eighth to four square miles," and the government highlighted it as some of its best evidence showing "he was at the site of the robberies." Id. at 2218. The total lack of any similar allegations about IP addresses in the Heeger FAC, as well as the general understanding of IP addresses the Court has from other cases, indicates IP address data is far less finely detailed.
In effect, the allegation that Facebook collected "IP addresses showing locations where [plaintiff Heeger] accessed his Facebook account," Dkt. No. 74 ¶ 14, describes a practice akin to a pen register recording the outgoing phone numbers dialed on a landline telephone. Carpenter , 138 S.Ct. at 2216. That will not do for a privacy injury. "Telephone subscribers know, after all, that the numbers are used by the telephone company ‘for a variety of legitimate business purposes,’ including routing calls," and it is doubtful that "people in general entertain any actual expectation of privacy in the numbers they dial." Id. So too for an IP address. Device "users ‘should know that [IP address] information is provided to and used by Internet service providers for the specific purposes of directing the routing information.’ " In re Facebook , 956 F.3d at 604 (quoting Forrester , 512 F.3d at 510 ). Significantly, plaintiffs acknowledge this truth about IP addresses by prefacing allegations with statements like "[e]ven if it is inevitable that Facebook learns a user's IP address because the user is connected to the internet ...." Dkt. No. 74 ¶ 47. To be sure, a voluntary sharing alone does not in itself necessarily negate a legally protected privacy interest. Carpenter made that clear. See 138 S.Ct. at 2216 (CSLI data is generated from an "individual continuously reveal[ing] his location to his wireless carrier"). But while Carpenter declined to extend the "third-party doctrine," which "stems from the notion that an individual has a reduced expectation of privacy in information knowingly shared with another," to "the collection of CSLI," it was careful to underscore that the "decision today is a narrow one" and does not "express a view on matters not before us." Id. at 2219-20.
In re Facebook also noted that while "the Fourth Amendment imposes higher standards on the government than those on private, civil litigants, ... we have nonetheless found analogies to Fourth Amendment cases applicable when deciding issues of privacy related to technology." 956 F.3d at 604 n.7. Hence it is useful to look to Fourth Amendment cases such as Carpenter and Forrester .
--------
The collection of IP addresses is a country mile from the CSLI data collected in Carpenter , and plaintiffs do not argue otherwise. There is no legally protected privacy interest in IP addresses alone, which is the only interest plaintiffs concretely allege. Consequently, they cannot be injured from the collection of IP addresses, and so lack Article III standing for the privacy claims under California common law, the California constitution, and CIPA that are premised on that ostensible injury.
This conclusion is entirely consonant with the Court's ongoing duty to police standing. Standing was established in the original complaint on the basis of Heeger's allegation that "Facebook systematically and covertly tracks, collects, and stores users’ private location information even after users have affirmatively opted not to share their location history," as well as that Facebook tracked and stored users’ "detailed location histories without their knowledge and consent." Dkt. No. 70 at 2-3 (quoting Dkt. No. 1 (Complaint) ¶¶ 9, 71). But after the Court required plaintiffs to put a finer point on the facts in an amended complaint, plaintiffs made clear that all that they were alleging was the collection of IP addresses. In effect, plaintiffs planted their flag in quicksand. The Court has not hesitated to find Article III standing in other cases alleging intangible privacy harms, see , e.g. , Patel v. Facebook Inc. , 290 F. Supp. 3d 948 (N.D. Cal. 2018), but the FAC here forestalls a similar outcome. Plaintiffs also lack Article III standing for the unjust enrichment claim because they have failed to make any allegation that "they retain a stake in the profits garnered from" the collection of their IP addresses. In re Facebook , 956 F.3d at 600. It seems doubtful they could ever plausibly allege such a claim. Article III standing for this claim is also undercut by the scarcity of facts plausibly demonstrating how Facebook's profits were unjustly earned, id. at 601, given that the only factual allegations are that Facebook collected, stored, and used plaintiffs’ IP address information, as to which they had no legally protected privacy interest.
The Heeger FAC is dismissed in its entirety for lack of Article III standing. Plaintiffs may, if they wish, attempt to cure these deficiencies by filing an amended complaint, which will likely constitute plaintiffs’ final opportunity to amend.
II. FACEBOOK'S MOTION TO DISMISS IN LUNDY
Facebook's prior motion to dismiss the Lundy complaint was mooted when plaintiffs elected to voluntarily amend. Dkt. Nos. 48, 76. Among other amendments, plaintiffs voluntarily dismissed some defendants and filed the FAC against Facebook only. Dkt. Nos. 77, 80. This is the Court's first decision with respect to the pleading allegations in Lundy.
A. Article III Standing
Facebook again says that plaintiffs have "fail[ed] to plead adequately the ‘injury in fact’ necessary to demonstrate Article III standing." Dkt. No. 82 at 6. The principles and analysis in the Heeger discussion apply here with equal force.
For the intrusion upon seclusion, California constitutional privacy, breach of contract, and breach of implied covenant of good faith and fair dealing claims, the salient question is whether plaintiffs have plausibly alleged privacy injuries, see In re Facebook , 956 F.3d at 598, and specifically, whether they alleged more than the collection of IP addresses. They have. The Lundy FAC expressly alleges for both plaintiffs that a Facebook folder entitled, "Security and Login Information," was discovered to "contain[ ] multiple entries identifying [each plaintiff's] location by IP address, latitude and longitude at specific dates and times from 2014 through the present." Dkt. No. 80 ¶¶ 12, 17. The FAC adds that "[t]hese files contained the IP addresses assigned by plaintiffs’ respective Internet Service Providers (‘ISP’) to their devices when they logged into the Facebook App, along with the precise longitude and latitude of the IP address." Id. ¶ 48. The FAC gives this example of what was collected:
Estimated location inferred from IP 32.584, -97.168 Created Dec. 16, 2017 2:32 pm
Id.
Plaintiffs allege that "[t]he ‘Login Protection Data’ and ‘Where You're Logged In’ subfiles, located under the obscurely labeled ‘Security and Login Information’ file, contain precise longitude and latitude coordinates inferred from IP addresses," as discussed above. Id. ¶ 51. They also say that "Facebook then further refined plaintiffs’ location derived from the IP addresses using enhanced location tracking methodologies." Id. "For purposes of illustration," plaintiffs allege that Facebook logged plaintiff Lundy's IP address on August 31, 2018, at 6:38 p.m., as "71.209.176.35." Id. ¶ 53. Inputting that IP address into "IP location service providers’ websites for free to determine the location based on that IP address," returned results showing Lundy might have been in Phoenix, Gilbert, or Mesa, Arizona. Id. ¶ 54. Facebook's log, however, included not just Lundy's IP address but also his geocoordinates of "34.6, latitude, -112.28 longitude," "show[ing] that Mr. Lundy was in Prescott, Arizona at that date and time. Id. ¶ 53. Given that "[t]he various IP location providers result in geocoordinate locations for the same IP address more than 100 miles away in the Phoenix, Arizona metropolitan area," plaintiffs say "[t]hese differences indicate that Facebook used an enhanced location determination technique based on data collected from other users instead of, or in addition to, simply plotting plaintiff Lundy's IP address location in order to more precisely pinpoint the location of the IP address." Id. ¶ 55.
This alleges considerably more than the collection of IP addresses. Plaintiffs have made specific, factual allegations pointing to "enhanced" geocoordinate location information. As the Court said in the first motion to dismiss order in Heeger , "[b]oth the common law and the literal understandings of privacy encompass the individual's control of information concerning his or her person." Heeger Dkt. No. 70 at 3 (quoting Patel v. Facebook, Inc. , 932 F.3d 1264, 1272-73 (9th Cir. 2019) ). Informational privacy was also "the core value furthered by the Privacy Initiative," which added a right of privacy to the California constitution. Id. (quoting Hill v. Nat'l Collegiate Athletic Ass'n , 7 Cal. 4th 1, 21, 26 Cal.Rptr.2d 834, 865 P.2d 633 (1994) ). Plaintiffs have plausibly alleged harm to these privacy interests, and so have standing to pursue their California constitutional privacy claim, intrusion upon seclusion claim, "as well as their claims for breach of contract and breach of the implied covenant of good faith and fair dealing." In re Facebook , 956 F.3d at 599.
To have standing to pursue the fraud claims, plaintiffs must demonstrate that they suffered an economic injury. See id. at 599 & n.4 ("[f]raud ... requires damages"). And for their unjust enrichment claim, plaintiffs "must allege they retain a stake in the profits garnered from" the location data collected from plaintiffs "because the circumstances are such that, as between the two parties, it is unjust for Facebook to retain it." Id. at 599-600 (quotations and alterations omitted). "Under California law, this stake in unjustly earned profits exists regardless of whether an individual planned to sell his or her data or whether the individual's data is made less valuable." Id. at 600.
Here, as in In re Facebook , plaintiffs have alleged that the location data collected from them "carry financial value." Id. They say that "[l]ocation data presents one of the most valuable forms of data that Facebook collects about its users for its advertisers," and that "[t]he location data bundled with plaintiffs’ personal information is ... worth $1.72" per individual. Dkt. No. 80 ¶ 77. They also point to a 2015 survey in which U.S. respondents, "on average, believe[d] that their physical location is worth $16.1, and their home address is worth $12.9." Id. ¶ 78. Plaintiffs add that Facebook "targeting advertisers for its mobile users has become the Company's focus for generating advertising revenue," and "[a]s of 2018, over 90% of Facebook's advertising revenue came from mobile users." Id. ¶¶ 79-81. Plaintiffs also allege that Facebook "collected users’ IP addresses, identified the users’ locations through their IP addresses, then bundled that location information with other user information and monetized it by selling it for targeted advertising purposes." Id. ¶ 3.
All of these allegations are "sufficient at the pleading stage to demonstrate that these profits were unjustly earned," and plaintiffs have consequently "sufficiently alleged a state law interest whose violation constitutes an injury sufficient to establish standing to bring their claims for ... fraud" as well as for unjust enrichment. In re Facebook , 956 F.3d at 601.
B. Intrusion Upon Seclusion and California Constitutional Privacy Claims
While plaintiffs have made out standing to sue, the substantive facts alleged for their causes of action need work. To state a claim for intrusion upon seclusion under California common law, a plaintiff must plead that "(1) a defendant ‘intentionally intruded into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy,’ and (2) the intrusion ‘occurred in a manner highly offensive to a reasonable person.’ " In re Facebook , 956 F.3d at 601 (quoting Hernandez v. Hillsides, Inc. , 47 Cal. 4th 272, 286, 97 Cal.Rptr.3d 274, 211 P.3d 1063 (2009) ). To state a claim for invasion of privacy under the California constitution, plaintiffs must show: "(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy." McDonald v. Kiloo ApS , 385 F. Supp. 3d 1022, 1032 (N.D. Cal. 2019) (quoting Hill , 7 Cal. 4th at 39-40, 26 Cal.Rptr.2d 834, 865 P.2d 633 ). For the last element, the invasion of privacy must be sufficiently serious in "nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right." Id. (quoting Hill , 7 Cal. 4th at 37, 26 Cal.Rptr.2d 834, 865 P.2d 633 ). When alleged together, the Court "asses[es] the two claims together and examine[s] the largely parallel elements of these two claims which call on the Court to consider (1) the nature of any intrusion upon reasonable expectations of privacy, and (2) the offensiveness or seriousness of the intrusion, including any justification and other relevant interests." Heeger Dkt. No. 70 at 5 (quotations and citations omitted).
"The existence of a reasonable expectation of privacy, given the circumstances of each case, is a mixed question of law and fact." In re Facebook , 956 F.3d at 601 (citing Hill , 7 Cal. 4th at 40, 26 Cal.Rptr.2d 834, 865 P.2d 633 ). What a user would reasonably expect in light of Facebook's disclosures is a relevant question, but so is "the amount of data allegedly collected." Id. at 602-03. And, "[t]he nature of the allegedly collected data is also important." Id. at 603. In In re Facebook , the circuit stated, "[t]he question is not necessarily whether plaintiffs maintained a reasonable expectation of privacy in the information in and of itself. Rather, we must examine whether the data itself is sensitive and whether the manner in which it was collected -- after users had logged out -- violates social norms." Id. at 603.
The Court cannot conclude that there is a factual question as to whether the location data Facebook allegedly collected here might be sensitive and confidential. At most, plaintiffs have alleged that Facebook "pinned" plaintiff Lundy down to a city and state. As the Court determined in Heeger , "a generalized location, such as one that locates a user no more precisely than within several city blocks, may not implicate much in the way of privacy concerns." Heeger Dkt. No. 70 at 6. The city-level tracking alleged in Lundy is substantially more general and imprecise, and plaintiffs have not provided any factual allegations to show otherwise. Plaintiffs also do not allege that Facebook tracked this city data after users had logged out. Facebook is said to have collected it only while plaintiffs were using the app. Lundy FAC ¶ 47.
Consequently, plaintiffs have not plausibly alleged a reasonable expectation of privacy in the location data collected by Facebook. The Court has doubts about the seriousness of the alleged invasion as well, but does not need to decide that now. The two privacy claims are dismissed with leave to amend.
C. Intentional Misrepresentation and Omission, Deceit by Concealment or Omission, and Negligent Misrepresentation
In their complaint, plaintiffs asserted claims for intentional misrepresentation and omission; deceit by concealment or omission, Cal. Civ. Code §§ 1709, 1710 ; and negligent misrepresentation. Both sides discuss these claims together in their motion papers. See Dkt. No. 82 at 9-13; Dkt. No. 83 at 9-12. Plaintiffs do not dispute Facebook's statement that all three claims require "(1) a misrepresentation or omission of material fact; (2) knowledge of falsity; (3) intent to defraud or to induce reliance; (4) justifiable reliance; and (5) resulting damage. Negligent misrepresentation relaxes only the intent element." Dkt. No. 82 at 9-10.
Plaintiffs have plausibly alleged a misrepresentation or omission. The complaint cites these statements in the Facebook Data Policy that was in effect during the relevant time period:
We collect information from or about the computers, phones, or other devices where you install or access our Services, depending on the permissions you've granted. ... Here are some examples of the device information we collect:
...
• Device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals.
• Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.
Dkt. No. 80 ¶ 24; Dkt. No. 80-1 at ECF p.3. A typical user would reasonably conclude from these statements that Facebook would not collect device locations or IP address without user consent. Otherwise, the phrase "depending on the permissions you've granted" would be misleading in itself. Plaintiffs have also plausibly alleged that Facebook failed to disclose that it uses "enhanced location determination techniques to more accurately pinpoint IP address locations." Dkt. No. 80 ¶ 58.
The reliance allegations are less sound. Plaintiffs say they "specifically allege[d] ... that they adjusted their devices and app settings to turn off permission to access their location data in 2013 and 2014." Dkt. No. 83 at 11 (citing Lundy FAC ¶¶ 10, 11, 15, 16, 48, 143, 151). But those allegations do not adequately establish reliance, especially in light of Facebook's assertion in reply that the Data Policy at issue became effective on September 29, 2016. Dkt. No. 85 at 7. Plaintiffs have also failed to explain how their continued use of Facebook even after discovery of this issue does not defeat any alleged reliance on their part.
The fraud claims are consequently dismissed with leave to amend.
D. Breach of Contract and Breach of Implied Covenant of Good Faith and Fair Dealing
"In order to establish a contract breach, plaintiffs must allege: (1) the existence of a contract with Facebook, (2) their performance under that contract, (3) Facebook breached that contract, and (4) they suffered damages." In re Facebook , 956 F.3d at 610.
Neither side gave the breach of contract and implied covenant of good faith and fair dealing claims much attention. Dkt. No. 82 at 15; Dkt. No. 83 at 15. The supporting allegations in the FAC are thin, and the scant argument for them by plaintiffs did not justify keeping these claims alive. Plaintiffs need to do more to establish the existence of a contract, especially in light of the fact that the strongest language in their favor appears in the Data Policy, and in In re Facebook , the circuit held that the Data Use Policy at issue in that case did "not constitute a separate contract." 956 F.3d at 611. The Court also has doubts about plaintiffs’ damages allegations.
For the implied covenant of good faith and fair dealing, as in In re Facebook , plaintiffs’ implied covenant allegations do not appear to "go beyond the breach of contract theories asserted by plaintiffs." 956 F.3d at 611. The breach of contract and breach of implied covenant of good faith and fair dealing claims are dismissed with leave to amend.
E. Unjust Enrichment
Facebook moved to dismiss plaintiffs’ unjust enrichment claim because "in California, there is not a standalone cause of action for unjust enrichment"; a quasi-contract claim is barred where, as here, "an enforceable, binding agreement exists defining the rights of the parties"; and plaintiffs "fail to plead any misrepresentation or unfair action by Facebook." Dkt. No. 82 at 15. Plaintiffs did not provide a clear response to these challenges, and said only that "[c]ontrary to Facebook's argument, plaintiffs properly plead unjust enrichment along with its breach of contract claim." Dkt. No. 83 at 15. Why this might be so is left unexplained. In effect, plaintiffs failed to oppose dismissal of the unjust enrichment claim, and it is dismissed for that reason with leave to amend.
CONCLUSION
Facebook's motion to dismiss the Heeger FAC is granted, and its motion to dismiss the Lundy FAC is denied in part and granted in part. In both cases, plaintiffs are granted leave to amend, and any amended complaints must be filed by January 21, 2021.
No new claims or defendants may be added without express leave of Court.