Opinion
MDL No. 2948 Master Docket No. 20 C 4699 23 C 225 23 C 504 23 C 841 23 C 1430 23 C 2248 23 C 2260 23 C 2262 23 C 2462 23 C 2463 23 C 2464 23 C 2465 23 C 2466 23 C 2467
2024-01-25
MEMORANDUM OPINION AND ORDER
REBECCA R. PALLMEYER, United States District Judge
Plaintiffs in these cases (collectively, the "IAB Plaintiffs") are users of the social media and entertainment app TikTok ("the App") who allege that their private data has been illegally harvested through the App's "in-app browser." Defendant TikTok, Inc. ("TikTok") contends that these claims should be dismissed on the basis of a $92 million class settlement and final judgment (the "Settlement") entered in this multidistrict litigation ("MDL"), MDL No. 2948, in 2022. Whether that earlier Settlement bars these newly asserted claims is hotly contested. For now, the Judicial Panel on Multidistrict Litigation ("JPML" or "the Panel") has directed that Plaintiffs' claims be centralized in this preexisting MDL and that this court resolve the threshold question of whether Plaintiffs' claims should in fact be dismissed on the basis of the Settlement. In the event that some or all of the IAB Plaintiffs' claims survive this analysis, the JPML has directed that their cases should proceed within MDL No. 2948 for coordinated pre-trial proceedings.
Having considered the parties' thoughtful submissions, the court declines, for now, to dismiss the IAB Plaintiffs' claims on the basis of the Settlement. With respect to some of the Plaintiffs' claims, the determination is straightforward: by its terms, the Settlement only applies to (i) its class members, i.e., TikTok users who used the App prior to September 30, 2021, the date of the Settlement's preliminary approval, for (ii) claims that arose on or
before October 13, 2022, the Settlement's Effective Date. Thus, any of the IAB Plaintiffs who were class members in the prior Settlement remain free to assert claims against TikTok for post-October 13, 2022 conduct, and any who did not use the App until September 30, 2021 or later (or who validly opted out) are not subject to the Settlement at all and may bring claims for conduct arising at any time.
That leaves the question of whether the Settlement also bars prior class members' claims over conduct related to the App's in-app browser that predates the Effective Date. For reasons explained below, the court is not prepared to rule on that issue on the current record and will allow the IAB Plaintiffs' claims to proceed in full for the time being. If discovery provides additional insight into the legal and factual scope of the Settlement's release, TikTok may reassert the affirmative defenses of release and claim preclusion at a later stage in this proceeding.
BACKGROUND
I. Factual Background
The App is a social media and entertainment platform that allows users to view, create, and share short videos. See In re TikTok, Inc., Consumer Priv. Litig., 617 F. Supp. 3d 904, 913 (N.D. Ill. 2022) (hereinafter "TikTok Final Approval"), appeal dismissed, No. 22-2682, 2022 WL 19079999 (7th Cir. Oct. 12, 2022). The TikTok App is one of the world's most popular social media platforms, with an estimated 1.5 billion monthly active users across the globe as of the third quarter of 2022. (Compl. [1] in Buckley v. TikTok, No. 23 C 841, ¶ 17.) Users of the App can publish videos for others' viewing, including videos that they make themselves, and can apply filters and visual effects using the App's technology. TikTok Final Approval, 617 F. Supp. 3d at 913. The App also displays a curated feed of video content based on the users' viewing preferences, as well as advertisements. Id. Users who create accounts are given personal profile pages that display their username and posted content. (See Compl. [1] in Recht v. TikTok, Inc., No. 23 C 2248 (hereinafter "Recht Compl."), ¶ 93.)
The App's origins can be traced back to a social media app known as "Musical.ly," released in 2014 by a Chinese company of the same name. (Consol. Am. Class Action Compl. [114] (hereinafter "Consol. Compl."), ¶¶ 101, 127.) By November 2017, the Musical.ly app had 60 million monthly active users. (Id. ¶ 128.) In 2016, Chinese company Beijing Bytedance created a version of Musical.ly called "Douyin" in China, and one year later released an English-language version of this app called "TikTok" outside China. (Id. ¶ 129.) In 2018, Beijing Bytedance acquired Musical.ly and merged the two apps—as well as all existing accounts and data—into a single app under the TikTok name. (Id.) By August 2020, the App had over 100 million monthly users in the United States. (Id. ¶ 133.)
According to the IAB Plaintiffs' pleadings, foreign entities Beijing Bytedance and Cayman Islands-based holding company Bytedance Ltd. currently operate as a "single enterprise" with domestic entities TikTok, Inc. (a California corporation) and ByteDance Inc. (a Delaware corporation). (See Recht Compl. ¶¶ 8-14.)
While the App's primary function involves video creation and viewing, it also contains a custom "in-app browser" that enables users to view external websites. (Recht Compl. ¶ 91.) The App directs users to these third-party websites in several different ways. (Id. ¶ 86.) First, the App presents users with video ads in their feeds that include links to an advertised product or service's website. (Id. ¶¶ 88-90.) Second, users who have at least 1,000 followers
can add links to external websites on their personal profiles, a feature that influencers, businesses, and organizations routinely use to direct viewers to their brands and products. (Id. ¶¶ 92-94.) When users tap on these ads or links while using the App, the in-app browser opens these links internally within the TikTok App instead of transferring them to a separate web browser on the user's device such as Google Chrome or Safari. (Id. ¶¶ 91, 95.) It is unclear from the parties' pleadings and briefing exactly how long the in-app browser has been a feature of the App, though it has been present since at least August 2022 and potentially earlier. (Id. ¶ 7.)
II. Procedural History
A. MDL No. 2948
In its original incarnation, this MDL arose from a series of data-privacy actions filed in late 2019 and early 2020 against TikTok. These actions were filed amid growing concerns over TikTok's data-privacy practices, including investigation by multiple U.S. federal government actors into potential national security risks posed by its Chinese ownership. See TikTok Final Approval, 617 F. Supp. 3d. at 913-14.
The first case, Hong v. Bytedance, was filed in the Northern District of California in November 2019. Id. That case alleged claims on behalf of a nationwide class challenging TikTok's collection of large amounts of "private and personally-identifiable data," including users' biometric facial data; "draft" videos (that is, videos that the user had never posted on the TikTok App); geolocation data; and personal identifying information such as email addresses. (See Compl. [1] in In re TikTok, Inc. Privacy Litig., No. 20 C 4723, ¶¶ 22-25, 29.) The lawyers responsible for filing the Hong action had spent several years conducting extensive research into TikTok's potential data-privacy violations from 2018 onward. (Decl. of Ekwan E. Rhow. In Supp. of Mot. for Prelim. Approv. of Settlement [122-8] (hereinafter "Rhow Decl."), ¶¶ 8-10 (describing pre-centralization fact-gathering efforts, including "working closely with highly trained source code experts in analyzing multiple versions of the Musical.ly and TikTok apps to uncover ... the various types of private and personally-identifiable data taken by defendants").) Soon after the case filing, the parties engaged in settlement efforts; initially, they participated in a mediation with retired district judge Layn Phillips on April 6, 2020, but failed to reach settlement. (See Decl. of Layn R. Phillips Regarding Approv. of Settlement [122-9] ¶ 6.) Following this effort, Hong was consolidated with other related actions pending in the Northern District of California, and the parties initiated written discovery. (Rhow Decl. ¶¶ 15-16.)
Initially, the Hong complaint asserted claims on behalf of a nationwide class and California subclass under federal and California statutes and common law that were not specific to the collection of biometric data. (Compl. [1] in In re TikTok, Inc. Privacy Litig., No. 20 C 4723, ¶¶ 89-148.) After further "extensive investigation," however, the Hong plaintiffs amended their complaint on May 11, 2020 to add a claim on behalf of a new Illinois subclass under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (Rhow Decl. ¶ 11; see First Am. Compl. [35] in In re TikTok, Inc. Privacy Litig., No. 20 C 4723, ¶¶ 250-65.) Then after still more factual investigation and expert consultation, the consolidated Hong action was again amended on August 14, 2020 to add a claim under the Video Privacy Protection Act ("VPPA"), 18 U.S.C. § 2710 et seq., based on TikTok's alleged disclosure to third parties of users' video viewing histories.
(See Rhow Decl. ¶ 18; Consol. Am. Class Action Compl. [89] in In re TikTok, Inc. Privacy Litig., No. 20 C 4723, ¶¶ 288-96.)
Beginning in late April 2020, another wave of actions was filed against TikTok in federal district courts in California and Illinois. See In re TikTok, Inc., Consumer Priv. Litig., 565 F. Supp. 3d 1076, 1079 (N.D. Ill. 2021) (hereinafter "TikTok Preliminary Approval"). Unlike Hong, many of these actions exclusively asserted BIPA claims on behalf of Illinois residents based on the App's alleged collection of biometric data. (See, e.g., Am. Compl. [32] in E.R. v. TikTok, Inc., No. 20 C 2810, ¶¶ 84-111; Compl. [1] in A.S. v. TikTok, Inc., No. 20 C 4731, ¶¶ 46-66; Compl. [1] in S.A. v. TikTok, Inc., No. 20 C 4729, ¶¶ 48-57.) Others also sought relief solely for the collection of biometric data, but did so on behalf of a nationwide class under other states' privacy laws. (See, e.g., Compl. [1] in G.R. v. TikTok, No. 20 C 5212, ¶¶ 40-63.) Still others followed Hong in pursuing TikTok under a range of data-privacy theories of liability for the App's alleged collection of both biometric data and other forms of data. (See, e.g., Am. Compl. [17] in R.S. v. TikTok, Inc., No. 20 C 4728, ¶¶ 147-75, 204-10 (amending BIPA-only complaint to add general data-privacy claims under federal and California state law for, inter alia, TikTok's collection of users' device identifier data).) In total, 16 of the 19 cases filed against TikTok by August 2020 alleged Illinois statutory claims. (See Tr. of JPML Oral Arg. [87] in In re TikTok Consumer Priv. Litig., MDL No. 2948 (J.P.M.L. July 30, 2020) (hereinafter "2020 JPML Oral Arg."), at 6.) These various groups of plaintiffs quickly began disputing whether and where their actions against TikTok should be centralized.
On August 4, 2020, the JPML made the decision, centralizing all of the aforementioned actions in the Northern District of Illinois as MDL No. 2948. See In re TikTok, Inc., Consumer Priv. Litig., 481 F. Supp. 3d 1331 (J.P.M.L. 2020). At the time of this initial centralization, the JPML described the common factual issues presented in the cases against TikTok as involving "the scanning, capture, retention, and dissemination of the facial geometry and other biometric information of users of the app." Id. at 1331. The Panel assigned the newly formed MDL to Judge John Z. Lee, who was then a judge of this court and was already presiding over E.R. and several other related actions in the Northern District of Illinois. Id. at 1332. Only two days later, on August 6, 2020, federal pressure against TikTok boiled over as President Trump issued an executive order stating that the TikTok App would be banned in the United States unless ByteDance sold or spun off its domestic TikTok operations to a U.S. company within 45 days. See Exec. Ord. No. 13, 942, 85 Fed. Reg. 48,637 (Aug. 6, 2020). TikTok thus faced intense pressure to shed its existing liabilities and maximize its value in preparation for sale. See TikTok Final Approval, 617 F. Supp. 3d at 915.
Judge Lee was confirmed to the U.S. Court of Appeals for the Seventh Circuit in September 2022, and the case was reassigned to the undersigned judge.
This deadline was later extended after the parties had already negotiated their initial settlement and was ultimately abandoned after the change in presidential administrations. See TikTok Final Approval, 617 F. Supp. 3d at 915 n.4.
On August 13, 2020, nine days after the JPML's initial centralization order and seven days after President Trump's executive order, a group of plaintiffs engaged in a second mediation with TikTok that culminated in a preliminary agreement to a
settlement in principle on a class-wide basis. TikTok Preliminary Approval, 565 F. Supp. 3d at 1080. This second mediation, also facilitated by Judge Phillips, was spearheaded by lead counsel for E.R. and the other Northern District of Illinois actions and had already been scheduled for several months prior to the JPML's order. (See Decl. of Katrina Carroll in Supp. of Pls.' Unopposed Mot. for Prelim. Approv. of Class Action Settlement [122-6] (hereinafter "Carroll Decl."), ¶¶ 14-16.) The mediation involved 16 law firms representing 11 of the 19 actions that had just been consolidated in the MDL. (See Pls.' Mot. for Prelim. Approv. of Class Action Settlement ([122] (hereinafter "Prelim. Approv. Mot."), at 9.) Notably absent, however, was lead counsel for Hong and the other consolidated actions in the Northern District of California. (See Status Rep. by Interim Lead Counsel in the Consol. N.D. Cal. Actions [5] at 2-3.) At the time this initial settlement was negotiated, this court had not yet created a plaintiffs' leadership group and case management plan for the new MDL. (Id. at 4.) Thus, while the Settlement applied in theory to all of the plaintiffs in the MDL, its terms had only been negotiated by a subset of them.
This exclusion was at TikTok's request based on a purported conflict of interest, though there is nothing in the record indicating whether this objection had any basis in fact. (Status Rep. by Interim Lead Counsel in the Consol. N.D. Cal. Actions [5] at 4.) Also at TikTok's request, the terms of the settlement were not initially shared with the Northern District of California plaintiffs. This generated contentious litigation as Hong counsel sought to compel TikTok and the settling plaintiffs to disclose the information. (See Emergency Mot. to Compel Defs. and Settling Pls. to Comply with Court's Case Mgmt. Order No. 1. [11].) The court ultimately resolved this internal conflict by appointing Hong counsel to the MDL's leadership committee and requiring that all plaintiffs participate in reviewing and vetting the proposed settlement. (See Case Mgmt. Order No. 2 [24] at 2-3; Tr. of Sept. 24, 2020 Status Conf. [91] at 15:4-12.)
After the parties who had attended the mediation formally executed a Settlement Agreement on September 4, 2020 (but with the appointment process for plaintiffs' leadership counsel still pending), these settling plaintiffs immediately began conducting confirmatory discovery to vet its fairness for the class. (See Carroll Decl. ¶ 30.) Prior to mediation, the settling plaintiffs had retained a source code expert, Bob Zeidman of Zeidman Consulting, to assess the App's technical functions. (Id. ¶ 29.) The September 4, 2020 Settlement Agreement included a warranty that TikTok "ha[d] not used the App to collect biometric identifiers or biometric information as defined by the Illinois Biometric Information Privacy Act." (Settlement Agreement and Release, Ex. A. to Pls.' Mot. for Prelim. Approv. of Settlement [122-1] (hereinafter "Settlement"), § 7.1.) TikTok agreed to provide several categories of discovery to "confirm this warranty," including making the App's source code available for inspection by the plaintiffs' expert, responding to interrogatories and document requests, and participating in depositions. (Id. §§ 7.1-7.6.) In accordance with these terms, Mr. Zeidman conducted a two-week in-person review of the "relevant code for the TikTok app (both iOS and Android platforms) and also relevant server code" from September 8 to September 25, 2020. (Carroll Decl. ¶ 31.)
On September 28, 2020, this court appointed co-lead counsel and a steering committee among the MDL plaintiffs, including representatives from both the California and Illinois plaintiff groups. (See Case Mgmt. Order No. 3 [94].) The court directed the new consolidated plaintiffs' leadership group to review and evaluate the negotiated settlement as a team, warning
that it would not grant approval "unless and until [all] members ... have had a chance to fully digest and discuss [its] terms," and that if "further work needs to be done with regard to any proposed settlement [as a result], then that is what needs to take place." (Tr. of Sept. 24, 2020 Status Conf. [91] at 15:9-15.)
After this leadership group was appointed, the full group of plaintiffs in the MDL (collectively, the "Original Plaintiffs") and TikTok (collectively, the "Original Parties") continued their efforts to evaluate the Settlement, including "analyzing an array of legal, factual and strategic issues" and conducting further confirmatory discovery. TikTok Preliminary Approval, 565 F. Supp. 3d at 1080. In their submissions in support of preliminary approval, the Original Plaintiffs stated that their different teams of experts "were brought together to exchange ideas and assess one another's analyses." (Rhow Decl. ¶ 19.) The leadership group collectively analyzed the findings from Mr. Zeidman's code review and used them to generate additional written discovery and deposition questions posed to TikTok for purposes of settlement. (Carroll Decl. ¶¶ 31-32, 37-39.) Further, "Plaintiffs' source code expert"—presumably Mr. Zeidman—was given "further free rein to probe TikTok's relevant technology, source code (both in terms of scope and with questions stemming from the expert's findings), and answers to the deposition on written questions." (Rhow Decl. ¶ 20.) The precise scope, nature, and timing of these additional discovery requests is not made clear in the record.
Midway through these settlement efforts, and after Zeidman had completed his code review, the Original Plaintiffs filed a consolidated class action complaint on December 18, 2020. The consolidated complaint included allegations related to TikTok's biometric data and to a wide range of other forms of data, including personally identifiable information, geolocation data, and internet browsing history. (See Consol. Compl. ¶¶ 153, 156.) It identified a Nationwide Class of all U.S. residents who had used the App (or its Musical.ly predecessor), as well as an Illinois Subclass who had used the App or Musical.ly specifically to create videos. (Id. ¶ 322.) The complaint asserted both a BIPA claim on behalf of the Illinois Subclass (id. ¶ 402-17) and nine other counts on behalf of the Nationwide Class under federal statutes and California statutory and common law (id. ¶¶ 338-401, 418-27). The Original Plaintiffs also appointed separate counsel for the Nationwide Class and Illinois Subclass to negotiate a plan for allocating the Settlement fund between these subgroups, based on the relative estimated value of the BIPA and non-BIPA claims. (See Prelim. Approv. Mot. at 13-14.)
On February 25, 2021, the Original Plaintiffs moved the court for preliminary approval of the Settlement, submitting a final copy of the nineteen-page September 2020 Settlement Agreement—along with a two-page Addendum reflecting additional terms negotiated with TikTok during the vetting process—for the court's review. (See generally Prelim. Approv. Mot.; Settlement.) The final Settlement Agreement provided for a $92 million payout to the proposed settlement class, as well as a series of injunctive measures to address TikTok's alleged privacy violations. (Settlement §§ 4.1, 6.1-6.4.) The Settlement fund was to be allocated in a six-to-one ratio between Illinois Subclass members and non-Illinois Nationwide Class members. (Prelim. Approv. Mot. at 13-14.) In exchange for this relief, the Agreement included the following language releasing the class members' claims against TikTok:
Upon entry of the Final Order and Judgment, and regardless of whether any Class Member executes and delivers a written release, each Class Representative and each Class Member shall be deemed to waive, release and forever discharge Defendants' Released Parties from all Released Claims. No Defendants' Released Party will be subject to any liability or expense of any kind to any Plaintiffs' Releasing Party with respect to any Released Claim.
The Agreement defined "Defendants' Released Parties" as "the current Defendants in the Civil Actions"—i.e., TikTok and its parent company ByteDance—as well as their various corporate agents, units, and successors. (Settlement § 2.10.)
(Settlement § 12.1.) The Agreement in turn defined "Released Claims" as
any and all claims, complaints, actions, proceedings, or remedies of any kind, whether known or unknown (including, without limitation, claims for attorneys' fees and expenses and costs), arising from or related to the Civil Actions or the collection and use of any user data, including biometric data, whether in law or in equity, under contract, tort or any other subject area, or under any statute, rule, regulation, order, or law, whether federal, state, or local, on any grounds whatsoever, arising from the beginning of time through the Effective Date, that were, could have been, or could be asserted by the Releasing Parties. Notwithstanding the foregoing, the released claims shall not be deemed to release, remise, waive, acquit, affect, or discharge any claims that are not releasable under the law or any claims or defenses arising from enforcement of this agreement.
(Id. § 2.30.) The Agreement's "Effective Date" was defined as "the first date after either (i) the time to appeal the Final Order and Judgment has expired with no appeal having been filed or (ii) the Final Order and Judgment is affirmed on appeal by a reviewing court and no longer reviewable by any court." (Id. § 2.12.) The Addendum, meanwhile, contained several additional terms that, as stated by the Original Plaintiffs, were the product of Mr. Zeidman's code review and their follow-up discovery efforts, as well as further deliberation by the full plaintiffs' leadership group. (See Prelim. Approv. Mot. at 11; Decl. of Elizabeth Fegan in Supp. of Mot. for Prelim. Approv. of Settlement [122-7] (hereinafter "Fegan Decl."), ¶ 20.) These additions were "intended only to clarify and not modify" the terms of the September 4 Agreement and were mostly directed towards the scope of the Settlement's injunctive relief. (Addendum No. 1 to Settlement [122-1] § 1.1.)
For example, the Addendum clarified that the Settlement applied to both TikTok's domestic and overseas affiliates, and that its prohibitions on further wrongful conduct included both the App and TikTok's use of App-derived data on the server. (See Prelim. Approv. Mot. at 11; Fegan Decl. ¶ 25.)
On October 1, 2021, Judge Lee signed the order granting preliminary approval of the parties' settlement. (See Order Granting Prelim. Approv. of Class Action Settlement [162] (hereinafter "Prelim. Approv. Order.").) In its order, the court provisionally certified the Nationwide Class of all U.S. residents who had downloaded and used the App prior to September 30, 2021, as well as the Illinois Subclass of all Illinois residents who had specifically used the app to create videos prior to that date. (Id. ¶ 2.)
From November 2021 to March 2022, the Original Plaintiffs' counsel provided members of the putative class with notice and an opportunity to submit claims or opt out of the Settlement. See TikTok Final Approval, 617 F. Supp. 3d at 920. The
settlement administrator created a website that contained information about the claims and the Settlement, including copies of the consolidated complaint and the Settlement Agreement. Id. The long-form notice included the following language:
2. What is this litigation about?
The lawsuit alleges that Defendants collected and used, without sufficient notice and consent, Plaintiffs' personal data in connection with Plaintiffs' use of the App.
...
12. What am I giving up to stay in the Settlement Class?
Unless you opt out of the Settlement, you cannot sue or be part of any other lawsuit against Defendants about the issues in this case, including any existing litigation, arbitration, or proceeding. The Settlement Agreement is available at www.tiktokdataprivacysettlement.com. The Settlement Agreement provides more detail regarding the Releases and describes the Released Claims with specific descriptions in necessary, accurate legal terminology, so read it carefully.
(Class Notice, Ex. D to Prelim. Approv. Mot. [122-4] (hereinafter "Notice") at 4, 7.)
Approximately 1 million members of the Nationwide Class (roughly 1.4% of an estimated 89 million members) and 177,000 members of the Illinois Subclass (roughly 13% of an estimated 1.4 million) submitted claims. TikTok Final Approval, 617 F. Supp. 3d at 921. Some 850 individuals validly requested to opt out. See id. at 921, 933. The estimated average awards to claimants, based on the six-to-one ratio determined by the Original Plaintiffs' counsel, were $27.19 for each Nationwide Class claimant and $163.13 for each Illinois Subclass claimant. Id. at 918.
Following the notice period, the court issued an opinion granting the Original Plaintiffs' motion for class certification and granting final approval of the Settlement Agreement on July 28, 2022. See id. at 949. Then, on August 22, 2022, the court entered an order and final judgment certifying the settlement class, binding any class members who had not opted out, dismissing with prejudice all pending claims contained within the MDL, releasing all non-opt-out class members' claims as defined in the Settlement Agreement, and enjoining further related litigation by the class members against TikTok. (Order and Final J. Granting Final Approv. of Class Action Settlement [264] (hereinafter "Final Approv. Order"), ¶¶ 2, 17, 20, 21, 24.) The court's order terminated MDL No. 2948 (id. ¶ 20), but expressly retained "continuing jurisdiction over matters relating to the Settlement, including, without limitation, the administration, interpretation, effectuation and/or enforcement of the Settlement, the Settlement Agreement, and this Final Order and Judgment" (id. ¶ 27). A single objector filed an appeal from this order, but voluntarily dismissed the appeal on October 12, 2022, meaning that the Settlement's Effective Date is October 13, 2022. See In re TikTok, Inc., 2022 WL 19079999, at *1.
B. The In-App Browser Cases
Just days before the Settlement was finalized, new independent research emerged concerning a previously undiscovered privacy risk arising from the App's in-app browser. On August 10, 2022, amateur software researcher Felix Krause
Mr. Krause describes himself on his personal blog as an "active security & privacy researcher" who "work[s] on privacy research projects for the iOS platform in [his] spare time," as well as the founder of several software tools for app developers. Felix Krause, About, KrauseFX Blog, https://krausefx.com/ about (last visited Jan. 25, 2024); Felix Krause, Privacy, KrauseFX Blog, https://krausefx.com/privacy (last visited Jan. 25, 2024).
published an online blog post in which he described the ability of several popular social media apps to track user activity on external websites via their in-app browsers. See Felix Krause, iOS Privacy: Instagram and Facebook Can Track Anything You Do on Any Website in their In-App Browser, KrauseFX Blog (Aug. 10, 2022), https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser. This initial post did not mention TikTok. On August 18, 2022, however —four days before the court issued its final order approving the Settlement— Krause published a follow-up blog post specifically singling out TikTok's use of an in-app browser for potential privacy violations. Felix Krause, iOS Privacy: Announcing InAppBrowser.com — See What JavaScript Commands Get Injected Through an In-App Browser, KrauseFX Blog (Aug. 18, 2022), https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser.
Krause's report showed that the App injects JavaScript code into third-party websites accessed by users through the in-app browser. This code monitors and records the text inputs, or "keystrokes," that users enter into these websites, as well as users' taps on website elements like buttons, links, and images. Id. This capacity could, in theory, allow the App to gather users' sensitive private data, including purchase details, personally identifiable information, and credit card or bank numbers. (Recht Compl. ¶ 103.) Krause's research attracted significant public and media attention, receiving coverage in Forbes and triggering inquiries from several members of Congress. See Richard Nieva & Thomas Brewster, Lawmakers Press Apple and Google Over TikTok's Keystroke Tracking Ability, Forbes (Nov. 4, 2022, 8:00 AM EDT), https://www.forbes.com/sites/richardnieva/2022/11/04/lawmakers-letter-apple-google-tiktok-keystroke-tracking/?sh=29c51d7241a6. In response to the publicity, TikTok denied using data gathered via the in-app browser for any improper purpose, and told reporters through a spokesperson that the code was solely for "debugging, troubleshooting, and performance monitoring" purposes. Id.
This kind of code, also known as "session replay" code, is widely used by website operators and app developers to track and record how users interact with digital platforms. (See Compl. [1] in Kowalski v. TikTok, Inc., No. 23 C 2264 (hereinafter "Kowalski Compl."), ¶¶ 2-3.) While this code is often embedded in websites by the website operators themselves, see In re BPS Direct, LLC, MDL No. 3074, 2023 WL 8458245, at *2 (E.D. Pa. Dec. 5, 2023), independent web browsers like Google Chrome and Safari do not record user behavior on third-party sites in the way that TikTok's browser does (Kowalski Compl. ¶ 41).
Within a few months, Krause's report had also spawned new litigation. On November 25, 2022, a little over a month after the Settlement's Effective Date, Plaintiff in Recht v. TikTok, Inc. filed a class action in the Central District of California challenging TikTok's collection of user data through its in-app browser. (See generally Recht Compl.) The Recht complaint included counts under the federal Wiretap Act, 18 U.S.C. § 2510 et seq., and California's state equivalent, the California Invasion of Privacy Act ("CIPA"), Cal. Penal Code
The Recht action names both the U.S. companies TikTok, Inc. and ByteDance, Inc. and their foreign affiliates Bytedance, Ltd. and Beijing Bytedance as defendants. (Recht Compl. ¶¶ 8-13.) Most other IAB actions filed thus far, however, have only named the former two domestic companies.
§§ 630 et seq.—neither of which had appeared in any of the Original Plaintiffs' individual or consolidated lawsuits—as well as other counts under California statutory and common law. (Id. ¶¶ 158-238.) A wave of similar actions followed in the succeeding months, some in the Northern District of Illinois and others in districts across the country. They alleged claims similar to those in the Recht case, including under the federal Wiretap Act and its state analogs. (See, e.g., Compl. [1] in Fleming v. TikTok Inc., No. 23 C 2260; Compl. [1] in Fugok v. TikTok, Inc., No. 23 C 2467; Compl. [1] in Tado v. TikTok, Inc., No. 23 C 1430.) Each brought putative class action claims on behalf of overlapping nationwide and state-specific classes of TikTok users who had accessed external websites via the in-app browser. In total, seventeen actions alleging claims related to the in-app browser had been filed by April 2023. See In re TikTok In-App Browser Consumer Privacy Litig., 669 F.Supp.3d 1363, 1364-1365 (J.P.M.L.2023).
Confusion as to the overlap between these new "in-app browser" actions (collectively, the "IAB Cases") and the preexisting MDL No. 2948 arose almost immediately. TikTok filed "tag-along" notices for the in-app browser actions (both with this court for actions filed in this district, and with the JPML for actions filed in other districts) and sought to have them all transferred to this MDL. (See, e.g., Notice of Tag-Along Action [281]; Notice of Potential Tag-Along Action [96] in In re TikTok, Inc., Consumer Priv. Litig., MDL No. 2948 (J.P.M.L. Dec. 22, 2022).) In response to this court's inquiry, Defendant confirmed that its intention in filing these notices was to obtain an order dismissing the new actions pursuant to the Settlement's release. (See Def. TikTok Inc.'s Resp. to Minute Order [283] at 1.) Meanwhile, the JPML initially issued conditional transfer orders for several of the in-app browser cases to this MDL, but soon thereafter received a motion to instead centralize the in-app browser cases in an entirely new MDL in the Central District of California. See In re TikTok In-App Browser, 669 F.Supp.3d at 1363-1364.
After a hearing on March 30, 2023, the JPML issued an order on April 7, 2023 denying the new motion for centralization and holding that the in-app browser cases should instead be transferred to the existing MDL No. 2948. Id. The JPML noted that while MDL No. 2948's original centralization order in 2020 focused on biometric claims, the MDL "appear[ed] to have expanded" after being centralized "to include claims that the TikTok app captured certain additional types of data." Id. The JPML concluded that creating a new MDL was "not necessary for the convenience of the parties and witnesses or to further the just and efficient conduct of this litigation," and that the in-app browser actions would be most effectively handled within the existing MDL No. 2948. As to the "threshold" question of whether the in-app browser claims were barred by the Settlement, the JPML found this to be a "merits issue" related to "the interpretation and scope" of the Settlement and thus most appropriately resolved by the original transferee court. Id. at 1364-1365. The JPML ordered that, "if the [transferee] court concludes that some or all of the claims in the in-app browser actions were not released under the settlement, coordinated pretrial proceedings in those actions may proceed as part of MDL No. 2948." Id. at 1366. Following further consolidation, this MDL—previously dismissed pursuant to a global settlement—now contains thirteen new live cases pending before the court. On July 12, 2023, the court requested briefing from the parties on the issue of whether the IAB Cases are subject to the Settlement in MDL No. 2948. (Order [306].) The issue is now before the court for decision.
A few days after its initial order [293] transferring five IAB Cases filed outside the Northern District of Illinois to this MDL, the JPML filed another order [294] conditionally transferring six more cases filed in other districts. Consistent with the JPML's order, this court has since internally transferred [298] another six IAB Cases that were originally filed in the Northern District of Illinois to this MDL. Four of the IAB Cases have since been voluntarily dismissed without prejudice, leaving a total of thirteen actions currently pending before this court.
DISCUSSION
In its final order dismissing MDL No. 2948, the court expressly retained jurisdiction to interpret and enforce the Settlement Agreement and enjoined any further litigation of claims subject to its release. (Final Approv. Order at ¶¶ 24, 27.) The court now exercises this jurisdiction, and, at the direction of the JPML, addresses the threshold question of whether the IAB Plaintiffs' claims are partially or completely barred by the Settlement and the Court's injunction.
I. Justiciability
Before addressing the issues briefed by the parties, the court flags an issue they have not had an opportunity to brief. In several cases, district courts across the country are actively working through a wave of "session replay" wiretapping claims that have been filed within the past two years against website operators. See In re BPS Direct, LLC, MDL No. 3074, 705 F.Supp.3d 333, 352 n.118 (E.D. Pa. Dec. 5, 2023) (collecting cases). Several courts have dismissed such claims on standing grounds if the plaintiffs failed to specifically allege that they "shared personal or sensitive information on the website in question[.]" Id. at 353 (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 426-27, 141 S.Ct. 2190, 210 L.Ed.2d 568 (2021)); see also, e.g., Cook v. GameStop, Inc., No. 2:22-CV-1292, 689 F.Supp.3d 58, 64-66 (W.D. Pa. Aug. 28, 2023), appeal filed, No. 23-2574 (3d Cir. Aug. 29, 2023); Lightoller v. Jetblue Airways Corp., No. 23-CV-00361-H-KSC, 2023 WL 3963823, at *4 (S.D. Cal. June 12, 2023); cf. James v. Walt Disney Co., No. 23CV02500EMCEMC, 701 F.Supp.3d 942, 949-50 (N.D. Cal. Nov. 8, 2023) (finding that plaintiffs had adequately alleged that their personal information was intercepted).
It is not clear whether this is the applicable standard in determining whether the IAB Plaintiffs have standing to pursue their claims—or if so, which (if any) of them meet it. While the IAB Cases broadly allege claims that share factual similarities to these "session replay" cases—involving the use of hidden code to track online user interactions on websites—they also differ in several ways from most other suits in this body of recent litigation. In particular, they are suing a defendant who allegedly collects data through a web browser across multiple sites, rather than via embedded code on a single site. Because the court's prior order directed the parties only to address the specific question of whether the Settlement encompassed the IAB Plaintiffs' claims, rather than any other potential grounds for dismissal, neither these nor any other questions of standing have yet been litigated.
For now, the court is comfortable addressing the Settlement's scope without first resolving this unbriefed issue of standing. In its 2022 order, the court retained
continuing jurisdiction over "the administration, interpretation, effectuation and/or enforcement of the Settlement, the Settlement Agreement, and this Final Order and Judgment." (See Final Approv. Order ¶ 27.) This jurisdiction extends to any "matters relating to the Settlement," including both the IAB Plaintiffs' pending claims, the Original Plaintiffs' settled claims, and any other potential past, present, and future claims. (Id.) Further, because the caselaw on this issue is still so new and rapidly evolving, the court is not inclined to rule definitively on this issue without briefing, but will welcome further briefing on the matter, if appropriate.
II. Applicable Standard of Law
The legal standard governing this matter is disputed. Defendant argues that the Settlement bars the IAB Plaintiffs' claims under the doctrines of release and res judicata. (Def. TikTok Inc.'s Resp. to Ct.'s July 12, 2023 Order [310] (hereinafter "Def.'s Br."), at 6.) Plaintiffs do not directly identify the applicable standard, but rely on a line of cases specific to class actions which hold that a settlement of such an action bars later-filed claims only if they share an "identical factual predicate" with the settled action. (In-App Browser Pls.' Opp'n to Dismissal of In-App Browser Claims on Basis of Biometric Data Settlement [311] (hereinafter "Pls.' Br."), at 11.) The court first turns to the question of which of these frameworks applies here.
Because a class-action settlement is an agreement between the parties that must be approved by the court to take effect, it has dual status as both a private contract and a court judgment. See 2 Joseph M. McLaughlin, McLaughlin on Class Actions § 6:29 n.2 (20th ed. 2023). Release is a doctrine of state contract law. Id. The Settlement adopted in this MDL includes a choice-of-law clause specifying that it is governed by California law. (See Settlement § 16.2.) Accordingly, Defendant first argues that this court should refer to California contract law in resolving this dispute.
Applying this law here would likely yield an easy result in TikTok's favor. "In California, interpretation of a settlement release is governed by contract principles." Howard v. Am. Online Inc., 208 F.3d 741, 747 (9th Cir. 2000) (citing Gen. Motors Corp. v. Superior Ct., 12 Cal. App.4th 435, 15 Cal. Rptr. 2d 622, 625 (1993)). Thus, releases in settlements "are binding on the signatories and enforceable so long as they are clear, explicit and comprehensible in their essential details." Skrbina v. Fleming Cos., 45 Cal.App.4th 1353, 53 Cal. Rptr. 2d 481, 490 (1996). To this end, the Settlement releases "any and all claims ... whether known or unknown... arising from or related to the Civil Actions or the collection and use of any user data, including biometric data ... arising from the beginning of time through the Effective Date, that were, could have been, or could be asserted by the Releasing Parties." (Settlement § 2:30 (emphasis added).) The complaints filed by Plaintiffs in the IAB Cases assert that TikTok wrongfully collected users' data, including keystrokes and other user inputs, through its in-app browser via JavaScript code. (See, e.g., Recht Compl. ¶¶ 100-04.) At least for class members' claims arising before the Effective Date of the Settlement Agreement, the plain language of the Agreement is broad enough for the court to find those claims barred. See Jefferson v. Cal. Dep't of Youth Auth., 28 Cal. 4th 299, 306, 121 Cal.Rptr.2d 391, 48 P.3d 423, 427 (2002) (holding, in the context of an individual settlement, that "the release of 'all claims and causes of action' must be given a comprehensive scope); see also
Tropp v. W.-S. Life Ins. Co., 381 F.3d 591, 594, 596 (7th Cir. 2004) (holding, with respect to a class action settlement's "very broad" release, that "[w]here the terms of the release are clear and explicit, the court must enforce the release as written").
Plaintiffs, however, cite a line of federal circuit court and district court cases that apply a modified analysis in the specific context of class-action settlements. Under this analysis, the language of the settlement agreement may not be controlling: because "the process by which a class action settlement is approved has the effect of turning the private settlement into a ... judgment ... future litigation is always governed by the doctrine of preclusion and never by the settlement contract directly." 6 William B. Rubenstein et al., Newberg and Rubenstein on Class Actions § 18:19 (6th ed. 2023). "Res judicata, or claim preclusion, bars any claims that were litigated or could have been litigated in a previous action when three requirements are met: (1) an identity of the causes of action; (2) an identity of the parties or their privies; and (3) a final judgment on the merits." Bell v. Taylor, 827 F.3d 699, 706 (7th Cir. 2016) (citation and internal quotation marks omitted). The second two elements are not at issue here: it is clear that a substantial portion of the IAB Plaintiffs' proposed classes were also non-opt-out members of the MDL settlement class, and the court's final approval order dismissing the MDL with prejudice operated as a final judgment on the merits. (See Final Approv. Order ¶ 20.) The more challenging issue here is whether there is an identity of causes of action; to meet that test, the IAB claims and the Original Plaintiffs' claims must share the same "core of operative facts" and be based on "the same, or nearly the same, factual allegations." Brzostowski v. Laidlaw Waste Sys., 49 F.3d 337, 338-39 (7th Cir. 1995). The answer to that question cannot necessarily be resolved by reference to the settlement agreement alone.
The underlying rationale for requiring court approval of class settlements —and for looking beyond their plain text in determining the scope of their releases —is that class actions raise special due process issues not present in the individual context. Unlike individual litigants, "absent class members are not 'parties' before the court in the sense of being able to direct the litigation." Williams v. Gen. Elec. Cap. Auto Lease, Inc., 159 F.3d 266, 269 (7th Cir. 1998). This raises the concern that class counsel and class representatives may "endeavor to obtain a better settlement by sacrificing the claims of others at no cost to themselves by throwing the others' claims to the winds." TBK Partners, Ltd. v. W. Union Corp., 675 F.2d 456, 462 (2nd Cir. 1982) (citation and internal quotation marks omitted). Thus, "because of the unique situation posed by a class action—whereby attorneys for the class may be incentivized to accept inadequate settlement terms so long as they receive their fees—it is necessary for a court to scrutinize what claims the class is giving up and what the class is receiving in exchange." Kaufman v. Am. Express Travel Related Servs. Co., 877 F.3d 276, 287 (7th Cir. 2017).
Accordingly, courts have converged on a common test that parallels the factual-equivalency test in traditional res judicata for evaluating the preclusive effect of class-action settlements. Namely, "a federal court may release not only those claims alleged in the complaint, but also a claim based on the identical factual predicate as that underlying the claims in the settled class action even though the claim was not presented and might not have been presentable in the class action." Williams, 159 F.3d at 273-74 (emphasis
removed) (quoting Class Plaintiffs v. City of Seattle, 955 F.2d 1268, 1287 (9th Cir. 1992)). A version of this standard has been applied by courts in nearly every circuit, including the Seventh, and no circuit has rejected it. See 6 Rubenstein, supra, § 18:19 nn. 13-14, 19-20 (citing cases). While there is confusion in the caselaw as to whether this test relates to the enforceability of a release or to the doctrine of claim preclusion, its broad principles are clear: class releases can extend to new claims "whether or not that relief was specifically requested in the [original] complaint," but only if the new claims are based on the same core of essential facts. Class Plaintiffs, 955 F.2d at 1287-88. Most courts applying this rule agree, for instance, that a class settlement cannot release claims arising from a defendant's future conduct; actions that have not yet occurred cannot form part of the same "factual predicate." See Feller v. Transamerica Life Ins. Co., No. 2:16-cv-01378-CAS (AJWX), 2016 WL 6602561, at *6 (C.D. Cal. Nov. 8, 2016) (describing this consensus and citing cases); Kleen Prods. LLC v. Int'l Paper, 306 F.R.D. 585, 606 (N.D. Ill. 2015) (finding no identical factual predicate where events in new action took place "nearly a decade later" than the prior class settlement), aff'd, 831 F.3d 919 (7th Cir. 2016).
See Kris J. Kostolansky & Diane R. Hazel, Class Action Settlements: Res Judicata, Release, and the Identical Factual Predicate Doctrine, 55 Idaho L. Rev. 263, 275-80 (2019) (noting this confusion and arguing that the "identical factual predicate" test should apply with equal force to both doctrines). Defendant here also addresses the "identical factual predicate" test as relevant to the enforceability of release. (Def.'s Br. at 7.) Defendant argues in the alternative that res judicata also bars Plaintiffs' claims, under either a "traditional" identity-of-claims approach or a "modified" approach under which the "express terms of a settlement agreement, not merely the terms of the judgment, determine the bounds of preclusion after a settlement." Daniels v. Rivers, No. 14 C 1533, 2014 WL 6910492, at *7 (N.D. Ill. Dec. 9, 2014) (citation omitted). The res judicata cases cited by Defendant are less helpful, however, as they are not all specific to the class-action context. The court finds the law on the "identical factual predicate" test to be the applicable authority to follow here, regardless of whether it is viewed through the lens of release or res judicata.
The court agrees with Plaintiffs that the "identical factual predicate" test, and not solely California contract law, is the correct standard to apply here. The Seventh Circuit has discussed the test in just one case, Williams, and as another district court has recognized, the law here is not as well-developed as in other circuits. See Arandell Corp. v. Xcel Energy, Inc., No. 07-cv-076-wmc, 2022 WL 2314717, at *5 (W.D. Wis. June 28, 2022), appeal filed, No. 22-3279 (7th Cir. Dec. 27, 2022). Williams remains good law, however, and has been followed by multiple other district courts in evaluating the scope of class settlement releases. See, e.g., Rosenberg v. S.C. Johnson & Son, Inc., No. 20-CV-869-JPS-JPS, 2023 WL 1795192, at *10 (E.D. Wis. Feb. 7, 2023) (citing Williams); Kaufman v. Am. Express Travel Related Servs., Co ., No. 07 C 1707, 2016 WL 806546, at *9 (N.D. Ill. Mar. 2, 2016) (same), aff'd, 877 F.3d 276; Schulte v. Fifth Third Bank, No. 09 C 6655, 2012 WL 2254197, at *2 (N.D. Ill. June 15, 2012) (same).
Under this modified analysis, the intent of the parties remains relevant to the court's determination. The language of the Settlement Agreement, the consolidated complaint, and representations made during the approval process are all important indica of both the Original Parties' intent as to the release and the court's understanding of that intent at the time of entry
of the final approval order. See 6 Rubenstein, supra, § 18:19 (noting that "the doctrine of claim preclusion in class actions" must still "take account of ... settlement agreements approved as judgments"). But in addition, the court must also determine whether the facts underlying any new claims are so closely aligned with the facts in the previous action that barring the new claims will not frustrate due process. See Hesse v. Sprint Corp., 598 F.3d 581, 590 (9th Cir. 2010) ("[A] settlement agreement's bare assertion that a party will not be liable for a broad swath of potential claims does not necessarily make it so.").
This framework guides the court's analysis of whether the IAB Plaintiffs' claims are released by the Settlement. That analysis calls for consideration, first, of what time period the Settlement covers, and second, what claims fall within the scope of its release. The court addresses those issues below.
III. The Settlement's Temporal Scope
The text of the Settlement Agreement and Judge Lee's implementing orders limit the Settlement's temporal scope in two ways. First, the Settlement only includes members of the Nationwide and Illinois Subclasses, which are respectively defined as all U.S. residents and Illinois residents who "used the App ... prior to September 30, 2021," the date of the court's preliminary approval order, and who did not timely request to opt out. (Final Approv. Order ¶¶ 2, 24; see Settlement §§ 2.4, 2.6, 2.17, 2.19, 2.26.) Second, its release only covers claims arising from conduct that took place on or before October 13, 2022, the Settlement's Effective Date. (See Final Approv. Order ¶ 21; Settlement §§ 2.12; 2.30.)
The parties dispute the extent to which these two provisions, taken together, preclude the IAB Plaintiffs from pursuing their claims. Plaintiffs urge this court to allow two sets of claims to proceed regardless of its conclusion as to the Settlement's legal and factual scope. First, they argue that TikTok users who downloaded and used the App for the first time on or after September 30, 2021 fall outside the class definition entirely and are thus not subject to the Settlement, meaning that they should be allowed to pursue claims for conduct related to the in-app browser that occurred at any time in the past. (Pls.' Br. [311] at 13-14.) Second, they argue that Settlement class members who did download the App prior to September 30, 2021 should still be able to pursue claims related to conduct that occurred after the Settlement's Effective Date of October 13, 2022. (Id.) Defendant argues that Plaintiffs' cases must be dismissed in their entirety since they "arise from alleged conduct that ... predates the Effective Date of the Settlement" and Plaintiffs have not alleged that they were not part of the class or opted out. (Def.'s Br. at 4.)
Plaintiffs have the better of the argument on both issues. The plain language of the Settlement, the class notice, and the court's final approval order explicitly limit the release's applicability to (i) TikTok users who downloaded the App prior to September 30, 2021 and did not validly opt out of the Settlement, for (ii) claims that arose on or before October 13, 2022. It is inapplicable to non-class members and opt-outs, who received no consideration for the Settlement's release of claims and cannot be bound by its terms. And if TikTok sought to expand the release to "encompass [class members'] claims based on [its] future conduct" that had not yet occurred by the Effective Date, "such a release would be unenforceable," as these claims would not involve an "identical factual predicate" to the Original Plaintiffs' claims. Feller, 2016 WL 6602561, at *6; see Kleen Prods. LLC, 306 F.R.D. at
606. Thus, regardless of the Settlement's applicability to pre-Effective Date conduct, the IAB Plaintiffs "may still be able to proceed in some fashion, either individually or as a class," for claims outside its class period. Rosenberg, 2023 WL 1795192, at *11 (holding that prior class settlement did not preclude new claims by those who either opted out or whose claims arose from post-class period conduct).
Accordingly, the court holds that any TikTok user who either downloaded the App on or after September 30, 2021, or who validly opted out of the Settlement, is not subject to its release and may bring claims for data collection through the in-app browser that took place at any time in the past. Further, any user who downloaded the App before September 30, 2021 and did not opt out of the class may bring claims for data collection through the in-app browser that took place after October 13, 2022.
What effect this ruling will have on the individual IAB Plaintiffs' claims is not clear. At least some Plaintiffs appear to fall within the prior Settlement class definition and have not specifically allege that they opted out. (See, e.g., Recht Compl. at 2 (Plaintiff Recht "downloaded the TikTok app and created his TikTok account in 2019"); Compl. [1] in E.K. v. TikTok, Inc., No. 23 C 2262 ¶ 12 (Plaintiff E.K. "began using TikTok in 2020 ... [and] continued ... into 2022").) Others, however, have not clarified in their pleadings whether they were class members in the prior settlement or, if so, whether they submitted valid opt-out requests. Similarly, most do not specifically plead that they used the in-app browser after the Settlement's Effective Date.
The one exception is Plaintiff Michael Moody, who specifically asserts that he does not fall within the Settlement's class definition and thus should not be subject to its release at all. (See Pl. Michael Moody's Br. in Resp. to Court's Order of July 12, 2023 [309].) Moody asserts in his amended complaint that he "downloaded the TikTok App and created an account in May 2022." (Am. Compl. [17], Moody v. TikTok, Inc., No. 23 C 2465, ¶ 6.) He brings representative claims on behalf of a nationwide class and Illinois subclass of TikTok users who "created TikTok accounts after September 30, 2021 and who utilized the TikTok app to access external websites via the In-App Browser...." (Id. ¶¶ 39-40.) Defendant urges that Moody is nevertheless subject to the release because the Settlement's class definition extends to all individuals who "used" the App, and Moody does not specifically allege that he did not use the App at any point in time before downloading it and creating an account. (Def.'s Br. at 4 n.2.)
The court finds that Moody has adequately pleaded facts to establish, at this stage, that he was not a prior Settlement class member. While it is theoretically possible that he could have "used" the App prior to downloading it for the first time in May 2022 (possibly on another person's device), his statement that he "downloaded the TikTok App and created an account in May 2022" is more plausibly read to suggest that he did not "use" the App before this time. Although this conclusion could change following discovery, it is also irrelevant for the moment: the court's holding on the Settlement's legal and factual scope, as discussed further below, means that Moody's claims are not subject to release at this time whether or not he is a former class member. See infra Section IV.C.
Whether this lack of specificity dooms the IAB Plaintiffs' claims is a difficult question. It is one the court need not answer, however, unless the court concludes that the Settlement does in fact encompass claims related to the in-app browser. Accordingly, the court now turns to this more challenging question.
IV. The Settlement's Legal and Factual Scope
Regardless of whether some or all of the IAB Plaintiffs' claims fall outside the dates listed above, it is clear—and the parties do
not dispute—that there is significant overlap between the original MDL's settlement class and the classes proposed by the IAB Plaintiffs: all U.S. residents (or in some cases, minor residents) who used the App's in-app browser to access external websites. (See, e.g., Recht Compl. ¶ 145; Compl. [1] in E.K. v. TikTok, Inc., No. 23 C 2262, ¶ 48 (proposing a class of "[a]ll minor persons in the United States who visited external websites on TikTok's [in-app browser]").) Thus, at minimum, the question of whether the Settlement covers the subject matter of the IAB Cases bears heavily on the scope of any potential future classwide relief.
The parties vigorously dispute whether the Settlement's release encompasses the legal and factual allegations in the IAB Cases. As the IAB Plaintiffs see things, MDL No. 2948 was focused solely on claims related to the App's collection of users' biometric data, and these new cases involving the in-app browser present distinct questions of fact and law. (See Pls.' Br. at 1.) The IAB Plaintiffs thus style the thirteen cases now before this court as the "In-App Browser" cases, and refer to the cases disposed of in the earlier Settlement as the "Biometric Data cases." They point out that the Original Plaintiffs made no reference to the in-app browser in their individual or consolidated complaints, and that the IAB Cases raise claims under federal and state wiretap laws that were not presented in this earlier litigation. A determination that the Settlement bars these claims would, these new Plaintiffs contend, raise "grave due process concerns." (Id. at 1 n.1, 2.) Defendant, on the other hand, claims that this MDL from the beginning involved a "kitchen sink" of all data-privacy claims that could be asserted against TikTok. (Def.'s Br. at 2.) TikTok cites language from the consolidated complaint, the Settlement, and the court's orders to argue that the Settlement encompasses claims relating not only to biometric data but also to the improper collection of all user data through the App.
A. The Original Parties' Intent Regarding the Settlement's Release
In resolving this dispute, an initial concern is that the "factual predicate" underlying the original MDL is highly diffuse and fragmented. Some twenty-one different member cases were filed between 2019 and 2020; those cases were combined into a single omnibus complaint only after the plaintiffs had already reached a preliminary settlement and begun conducting confirmatory discovery. Many of these early member cases focused primarily or exclusively on biometric-data claims under BIPA or other statutes. (See, e.g., Am. Compl. [32] in E.R. v. TikTok, Inc., No. 20 C 2810; 2020 JPML Oral Arg. at 6 (statement by E.R. plaintiffs' counsel that 16 of 19 cases filed as of July 30, 2020 asserted Illinois statutory claims).) But others, in particular the MDL's earliest progenitor Hong, from their inception contained a wide array of allegations stretching beyond the collection of biometric data. (See, e.g., Compl. [1] in In re TikTok, Inc. Privacy Litig., No. 20 C 4723; Am. Compl. [17] in R.S. v. TikTok, Inc., No. 20 C 4728; see also 2020 JPML Oral Arg. at 9 (statement by Hong plaintiffs' counsel that "this is not just a BIPA case," but "has California and federal claims that go beyond BIPA, class members that go beyond Illinois,... relief that goes beyond simply statutory penalties, ... [and the case] goes beyond factually biometrics ... into user ID, device ID, and private user videos").)
The Original Plaintiffs' consolidated complaint, filed in December 2020, focuses to some degree on the biometric claims but retains much of its predecessors'
factual and legal breadth. Thus, although a significant portion of the complaint is devoted to the app's video-sharing and biometric data-gathering capacities (see Consol. Compl. ¶¶ 240-91), the complaint also makes a number of allegations related to different functions of the App that gather data other than biometric data from users. In particular, the consolidated complaint inherits the Hong action's catalogue of eighteen separate types of "user/device identifier" data allegedly collected by the App. (Id. ¶ 156.) Further, the complaint describes the App's alleged capacities to transmit user video viewing histories to third parties (id. ¶¶ 159-63), pinpoint users' precise locations (id. ¶¶ 164-66), create digital "fingerprints" for users' devices (id. ¶¶ 173-75), analyze private messages and draft video posts (id. ¶ 176), and access stored data on users' clipboards (id. ¶¶ 181-89). Thus, while the complaint's BIPA and VPPA claims are specifically tied to the collection of video data, its other claims extend to all of these various data collection methods. (See, e.g., id. ¶ 341) (alleging violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, for the "secret transmission of the Plaintiffs' and the Class's private and personally identifiable data and content — including User/Device Identifiers"). Similarly, the complaint seeks injunctive relief relating to both biometric and non-biometric data collection. (Id. § XIV (requesting that TikTok be enjoined "from taking physical/digital location tracking data, device ID data, personally identifiable data and any other TikTok user data and content except that for which appropriate notice and consent is provided and which Defendants can show to be reasonably necessary for the lawful operation of the TikTok app within the United States").)
The Original Parties' settlement negotiations are also relevant in determining the scope of the Settlement's release. On this score, the record suggests that the release was always intended to cover forms of data other than biometric data. During the application process for the MDL's leadership committee in September 2020, the plaintiffs who had participated in the August 2020 mediation explicitly rejected the idea that their negotiated Settlement was limited to BIPA claims (even though several of their own individual cases only pleaded such claims). (Settling Pls.' and Add'l Interim Counsel's Objections to Applications [81] at 5.) Instead, they took the position that the Settlement encompassed all claims that either were or could have been asserted on behalf of a nationwide class based on their prior vetting efforts—even those that went "beyond the four corners of the on-file complaints." (Id. at 6.) Citing the "identical factual predicate" test in support of their ability "to settle unpleaded claims," they argued that any potential issues with "the proposed scope of the release" could be addressed by the court "at preliminary and final approval." (Id. at 6 & n.8 (citing Kaufman, 2016 WL 806546, at *9).)
The conclusion about the broad scope of the Settlement is further supported by the Original Parties' negotiations over whether the release would apply to class members in T.K. v. Bytedance Tech. Co., Ltd ., a parallel class action against TikTok also filed in this district that settled before consolidation of the MDL. (See Prelim. Approv. Hearing Tr., Ex. E. to Carroll Decl. in Further Supp. of Prelim. Approv. Mot. [138-5], at 31:20-24.) The T.K. action did not allege BIPA claims at all, but rather challenged TikTok's collection of "personally identifiable information and/or viewing data" of minor users as a violation of federal and California privacy laws. See T.K. v. Bytedance Tech. Co., Ltd., No. 19 C 7915, 2022 WL 888943, at *4, 20 (N.D. Ill. Mar. 25, 2022), appeal dismissed, No. 22-1686,
2022 WL 19575674 (7th Cir. Aug. 22, 2022). In a March 2021 hearing, TikTok's counsel took the position that the release would by its terms encompass the claims in the T.K. action, but that the settling parties had negotiated a carveout in which TikTok would not seek to enforce it against T.K. class members, allowing them to recover under both settlements. See T.K., 2022 WL 888943, at *19; TikTok Final Approval, 617 F. Supp. 3d at 904. That this was considered necessary suggests, at minimum, that the Original Plaintiffs always understood themselves to be entering into an agreement with the potential to release claims beyond alleged violations of BIPA.
This history undermines the IAB Plaintiffs' arguments that either the original MDL or its Settlement were limited to claims related to the App's video functions or its collection of biometric data. The BIPA claim is fairly characterized as the Original Plaintiffs' "core claim[ ]," particularly given its outsize estimated value relative to the other claims. (Mot. for Final Approv. of Class Action Settlement [195] (hereinafter "Final Approv. Mot."), at 3; see also id. at 14 (estimating a payout of $27.19 for each Nationwide Class member and $163.13 for each Illinois Subclass member); Decl. of Jonathan Rotter in Supp. of Mot. for Prelim. Approv. of Settlement [122-10] ¶ 9 (describing a six-to-one ratio for class payouts negotiated between representatives for the Illinois Subclass and Nationwide Class).) But the overall scope of the litigation against TikTok consolidated within this MDL clearly reached beyond this one claim to encompass other theories of liability, based on a laundry list of the App's alleged data-gathering functions.
The IAB Plaintiffs also argue that because the original parties referred to the App as the "TikTok video-sharing application" in their Settlement Agreement and class definition (see Settlement § 2.1; Final Approv. Order ¶ 2), the original MDL was limited to claims involving the App's video recording and facial recognition capacities. The court disagrees: this definition only describes the App's basic nature as a platform for sharing videos, and does not limit the class to users who used its video capacities. The distinct class definitions are significant in this regard: while the Illinois Subclass was defined as all Illinois residents who specifically "used the App ... to create videos prior to September 30, 2021," the Nationwide Class contained no such limitation. (Final Approv. Order ¶ 2 (emphasis added).)
That said, however, the court recognizes that the specific method of data collection that the IAB Plaintiffs describe—the in-app browser's ability to gather data via JavaScript—is not included in this laundry list. The terms "in-app browser," "keystroke logging," and "third-party website" appear nowhere in the consolidated complaint and were not mentioned in the parties' preliminary or final approval briefing. (See generally Consol. Compl.; Prelim. Approv. Mot.; Final Approv. Mot.) Further, the injunctive relief sought in the consolidated complaint and ultimately obtained in the Settlement is limited to TikTok's collection of specific types of data enumerated in the complaint—an enumeration that did not include in-app browser data. (See
The court agrees with Plaintiffs that the terms "browsing history" and "internet browsing history" in the consolidated complaint are distinct from the kind of data at issue in the IAB Cases. (See Consol. Compl. ¶¶ 156(o), 167.) "Internet browsing history" is more commonly understood as a user's trail of web addresses visited, while keystroke logging data consists of inputs by the user into these websites. Further, the portion of the consolidated complaint in which this term appears describes data collected "when the TikTok app is not in use"; the court understands this as a reference to data collected from a device's default internet browser such as Safari. (Id. ¶ 167.)
Consol. Compl. at 116; Settlement § 6.1.) Given the breadth of factual allegations in the consolidated complaint, it seems highly likely that the Original Plaintiffs would have added the in-app browser's security risks to their list of grievances had they known about them. At bottom, it does not appear from the record that the in-app browser's ability to collect user data through JavaScript code was known or contemplated when the Original Plaintiffs filed their complaints, during their settlement negotiations and vetting efforts, or indeed at any time prior to the publication of Mr. Krause's report in August 2022, just days before the court signed the order approving the parties' Settlement.
It is uncertain whether the Original Parties meant for such unknown conduct to be covered by the release. There is some evidence that the Original Plaintiffs did not: in their motions for preliminary and final approval, they described the release as "narrowly tailored to the claims ... actually at issue (or that could have been asserted based on the alleged facts) in this MDL through the date of preliminary approval." (Prelim. Approv. Mot. at 16 (emphasis added); see Final Approv. Mot. at 16-17.). But this qualification is not reflected in the actual text of the Settlement Agreement (see Settlement § 1.2 (releasing claims "whether known or unknown"), nor in Judge Lee's approval memoranda, see TikTok Preliminary Approval, 565 F. Supp. 3d at 1082 ("[M]embers of the Settlement Class agree to release Defendants from any and all claims that were or could have been asserted in this MDL relating to the collection and use of user data"); TikTok Final Approval, 617 F. Supp. 3d at 917 (describing the release as extending to "any potential claims based on Defendants' collection or handling of App users' data"). TikTok, of course, denies that any such limitation was intended. (See Def.'s Br. at 3) ("The parties drafted the $92 million class settlement in this MDL to clean up the entire kitchen sink of allegations.").)
In sum, the court is satisfied that the Original Parties intended the Settlement's release to extend beyond biometric-data claims and reach, as well, claims related to the various forms of data collection described in the consolidated complaint. Whether they also intended this release to reach beyond these factual allegations to similar, but unknown forms of data collection is less clear.
B. Comparison of The Factual Predicates for the Original MDL and the IAB Cases
Thus, the critical issue on which this case turns is what constitutes an "identical factual predicate" between two actions— and in particular, whether a later action can share such a predicate with an earlier, now-settled class action if it is based on similar but distinct facts that existed but were not known at the time of settlement. Defendant advances an expansive view of the test that would construe the original MDL's "factual predicate" as the App's collection of all user data writ large, through both known and unknown methods. Plaintiffs, on the other hand, would have this court adopt a slice-and-dice approach that asks whether the exact data-collection mechanism at issue was described in the original litigation.
There is no settled definition of "identical factual predicate" among the circuits, though the slight majority view is to treat it as equivalent to the transactional "common nucleus of operative fact" test that animates the res judicata doctrine. Kazi v. PNC Bank, N.A., No. 18-cv-04810-JCS, 2021 WL 965372, at *15 (N.D. Cal. 2021); see 6 Rubenstein, supra, § 18:19 nn.15-16 (citing cases). As noted, most courts agree that a class settlement cannot release
claims arising from a defendant's conduct that has yet to occur. See Feller, 2016 WL 6602561, at *6; Kleen Prods. LLC, 306 F.R.D. at 606. But there is no such consensus regarding facts related to a defendant's then-existing but unknown conduct: some courts have endorsed releases of claims based on previously undiscovered information, while others have more strictly held that the scope of a class release is limited to "'any matter or fact set forth or referred to in' the complaint." The Seventh Circuit's sole decision directly addressing the identical factual predicate test, Williams v. General Electric Capital Auto Lease, Inc., does not answer the specific question here. But analogous principles from both this and other circuits' caselaw—as discussed below—can provide some guidance to this court in comparing the Original Plaintiffs' and IAB Plaintiffs' respective factual predicates.
See, e.g., In re Gen. Am. Life Ins. Co. Sales Pracs. Litig., 357 F.3d 800, 804 (8th Cir. 2004) (allowing release of claims based on facts that "had not, at th[e] time [of settlement], been discovered by the plaintiff"); Ross v. Metro. Life Ins. Co., 411 F. Supp. 2d 571, 576-77 & n.2 (W.D. Pa. 2006) (refusing to "impute knowledge of [a potential] claim to the Class for purposes of the Release" in light of "evidence of [the defendant's] concealment" of the underlying factual predicate, but nevertheless holding that these claims could be validly released since "the fact that a claim wasn't known at the time of the Release does not necessarily make the Release inapplicable," as long as class members received adequate notice).
In re Corrugated Container Antitrust Litig., 643 F.2d 195, 221 (5th Cir. 1981) (quoting Patterson v. Stovall, 528 F.2d 108, 110 n.2 (7th Cir. 1976)).
In Williams, the Seventh Circuit held that a class settlement over the defendant's lease termination fees precluded a class member's attempt to sue over the same fees even though she had not actually terminated her lease at the time of settlement, rendering her claims unripe at that point. Because "the appraisal procedure and the computation of the early termination payments might be ministerial at any given point in time," the plaintiff could have easily assessed the value of her potential claims in determining whether to opt out of the original settlement. Williams, 159 F.3d at 274. But the basic factual predicate allowing the plaintiff to sue in the first place—the defendant's policies—did not change between the two actions.
1. Identity of Harms
One distinction drawn in the caselaw in determining whether claims share the same factual basis is whether both the earlier and later plaintiffs allege the same underlying harm. Hesse, 598 F.3d at 589 (holding that release was not enforceable to bar claims "brought to remedy a different set of injuries"); In re W. States Wholesale Nat. Gas Antitrust Litig., 725 F. App'x 560, 563 (9th Cir. 2018) (holding that claims were distinct where they "depend[e]d on proof of different facts to establish a different injury").
Here, the harms alleged by the Original Plaintiffs and the IAB Plaintiffs appear quite similar, even if they arise from different functions of the App. Both the original litigation and the IAB Cases broadly allege that TikTok wrongfully collected users' personal data without their adequate consent. While the Original Plaintiffs' consolidated complaint does not describe the precise method of data collection detailed in the IAB Cases (keystroke logging), it does describe a number of ways in which the App allegedly collects the same types of information. (Compare Consol. Compl. ¶ 9 (describing how TikTok profits from the collection of users' "unique identifying information ... names, email addresses, passcodes, social media accounts, messaging services, telephone numbers, and other private, non-public, or confidential data and information"), and id. ¶ 181 (describing the App's ability to copy
clipboard data, "which could include passwords, financial information, or other sensitive, personally identifiable information"), with Recht Compl. ¶ 103 (describing the in-app browser's alleged ability to collect a user's "name ... their address, telephone number, credit card or bank information, usernames, passwords, dates of birth, etc.").) Even if the mechanism alleged to obtain this information differs between the two actions, the underlying injury—the collection of TikTok users' personal data— seems comparable. See Reyn's Pasta Bella, LLC v. Visa USA, Inc., 442 F.3d 741, 748-49 (9th Cir. 2006) (affirming dismissal of a later antitrust action that "posit[ed] a different theory of anti-competitive conduct" from a previous settled action where the "price-fixing predicate ... and the underlying injury [were] identical").
On the other hand, it is possible that a user inputs meaningfully different forms of data through the browser that are not collected through other functions of the App. (See, e.g., Recht Compl. ¶¶ 105-16 (describing the risks posed by users visiting websites that betray "private and sensitive information about persons' physical and mental health," such as abortion and mental health providers).) The original MDL's record gives no indication of whether such data could be collected as easily through the App's other, then-known mechanisms. Thus, the court is hesitant to draw conclusions on the similarity of these modes of data collection without knowing more about the underlying facts and their legal significance.
2. Identity of Proof
A second consideration is whether the Original Plaintiffs' and IAB Plaintiffs' legal claims require distinct elements of proof. See Burgess v. Citigroup Inc., 624 F. App'x 6, 9 (2nd Cir. 2015) (holding that "distinct claims that depend 'upon proof of further facts' constitute a 'separate factual predicate'"). The IAB Plaintiffs insist that because their cases advance legal theories that the Original Plaintiffs did not—namely, claims under federal and state wiretapping laws—they fall outside the Settlement's scope. But that is not determinative if the claims could have been brought in the original action based on the alleged facts. See Class Plaintiffs, 955 F.2d at 1287-88 ("[W]here a particular type of relief potentially available to the class members is compromised in the settlement process, it is mainly irrelevant whether or not that relief was specifically requested in the complaint. The breadth of negotiations is not necessarily strictly confined by the pleadings.") (citation omitted); Williams v. Boeing Co., 517 F.3d 1120, 1134 (9th Cir. 2008) (noting that class releases are enforceable "as to subsequent claims relying upon a legal theory different from that relied upon in the class action complaint, but depending upon the same set of facts.").
Many of the IAB Plaintiffs' ancillary legal theories did appear in the Original Plaintiffs' consolidated complaint, including claims under the California Comprehensive Data Access and Fraud Act and state common-law and constitutional privacy claims. (Compare Consol. Compl. ¶¶ 344-47, 348-78, 386-92, with Recht Compl. ¶¶ 192-238 (alleging the same or substantially similar counts).) It is clear, however, that the federal and state wiretapping claims are the centerpiece of the IAB Plaintiffs' cases, as they provide for potentially substantial statutory damages. See 18 U.S.C. § 2520(c)(2) (providing for damages of the greater of $100 per day per violation or $10,000); see also, e.g., Cal. Penal Code § 637.2(a) (providing for damages of the greater of $5,000 per violation or three times the plaintiff's actual damages).
In other words, if the Original Plaintiffs could have asserted the same wiretapping claims that the IAB Plaintiffs now do using
the facts available to them at the time— even without knowledge of the in-app browser's data-tracking capacities—it might be reasonable to hold that their Settlement validly released such claims. Cf. Wright v. Nationstar Mortg. LLC, No. 14 C 10457, 2016 WL 4505169, at *12 (N.D. Ill. Aug. 29, 2016) (approving a settlement that released all claims related to "the use of automatic telephone dialing systems or an artificial or prerecorded voice" on the grounds that, "[a]side from the [Telephone Consumer Protection Act] (which the Plaintiffs of course did invoke), it is not at all clear what other claims a plaintiff could successfully premise on [this factual predicate]... [a]nd even if there were such a claim, it is not clear whether that claim would be more successful (or lead to a more generous remedy) than a claim under the TCPA"). On the other hand, if the wiretapping claims are uniquely predicated in some way on the in-app browser facts such that they could not have been brought in the original action, this would support the opposite finding. See, e.g., In re W. States Wholesale Nat. Gas Antitrust Litig., 725 F. App'x at 563 (refusing to recognize an identical factual predicate in light of "facts which [plaintiff] must prove in this action and which would have been unnecessary in the [settled] action"); Burgess, 624 Fed. App'x at 9.
In this case, it is not fully clear whether the Original Plaintiffs could feasibly have used the factual allegations in the original litigation as the foundation for a federal or state wiretapping claim. Wiretapping claims over the use of "session replay" technology to track user behavior on websites (such as keystrokes, chat history, and other online interactions) are a new and rapidly evolving theory of data-privacy liability, and the law even as it existed in 2020 would not have looked the same as it does today. See, e.g., Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022) (evaluating applicability of California's wiretapping statute to "session replay" software); Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121 (3d Cir. 2022) (conducting a similar analysis for Pennsylvania's statute). The Original Plaintiffs' consolidated complaint described the App's capacity to read and scan users' draft private messages as well as ones they had sent (a factual allegation inherited from the Hong complaint), but did not specifically allege that the TikTok App logged keystroke data. (Consol. Compl. ¶¶ 156(b), 176.) Prior to the MDL's formation, the Hong plaintiffs notified their transferor court in April 2020 that they were considering amending their complaint to add a federal Wiretap Act claim, but this claim did not ultimately appear in either their amended complaint or in the consolidated MDL complaint. (See Joint Case Mgmt. Statement [30] in In re TikTok, Inc. Privacy Litig., No. 20 C 4723, at 9.) So while at least one of the Original Plaintiffs considered adding a wiretapping theory of liability to their case at one point in time, it is difficult to draw inferences one way or the other from this road not taken.
In the end, the court is unable to conclude summarily that the Original Plaintiffs could have asserted the same legal claims as the IAB Plaintiffs based on the facts known at the time of their Settlement. Precisely how this novel theory of liability interacts with the underlying facts of the in-app browser's data collection has not yet been litigated and presents a multitude of questions that the court is not equipped to answer at this time. Perhaps the in-app browser provides a unique "hook" for wiretapping liability that was not present in the original MDL; perhaps not. Either way, the court cannot confidently rule one way or the other without
knowing more about the merits of the IAB Plaintiffs' claims.
3. Adequacy and Notice Concerns
In determining whether it would be fair to preclude the IAB Plaintiffs' claims on the basis of the Original Plaintiffs' Settlement, the court also finds it worthwhile to consider the underlying due process rationales for the "identical factual predicate" test. As one scholar has explained, the test "aims to balance two competing interests": namely, "ensuring that claims similar to those at the heart of the class suit are not relitigated" while also "safeguard[ing] the class from the possibility that its representatives might compromise claims that are tangential to their own but central to those of the class." 6 Rubenstein, supra, § 18:19 nn. 10-11 (citing cases). Further, to protect the due process rights of absent class members, the rule seeks to ensure that those absent class members do not inadvertently sacrifice future claims of which they lacked notice. See TBK Partners, 675 F.2d at 461 (enforcing release "where the relationship between the suits is at the time of the class action foreseeably obvious to notified class members"); In re Gen. Am. Life Ins. Co. Sales Pracs. Litig., 357 F.3d 800, 804 (8th Cir. 2004) ("[I]n class actions more than the usual requirements of res judicata, as applied in the traditional lawsuit between or among individuals, must be met. Among other things, a class member cannot be bound unless she has received due process... [t]he most important element of [which] is adequate notice."); cf. Schulte, 2012 WL 2254197, at *3 (finding that the plaintiff "knew, or should have known" that she would be giving up her right to sue over the same facts after receiving notice). These bases for the test, then, track the same adequacy-of-representation and notice requirements embodied in Rule 23 itself. See FED. R. CIV. P. 23(e)(1)-(2) (requiring courts to consider these factors when approving class settlements).
With respect to this concern, the IAB Plaintiffs contend that the class notice distributed in February 2022 did not adequately apprise absent class members of the claims they were releasing. They point out that it referred to the App as a "video-sharing application" and did not reference third-party websites, keystroke logging, or the in-app browser. (Pls.' Br. at 8-9.) The court notes, however, that if the notice failed to do this, it also failed to specify any of the myriad other data-collection forms in the complaint, or include the terms "biometric," "BIPA," or "facial recognition." Indeed, the notice's only reference to the scope of the litigation is quite expansive: "The lawsuit alleges that Defendants collected and used, without sufficient notice and consent, Plaintiffs' personal data in connection with Plaintiffs' use of the App." (Notice at 4 (emphasis added).) That broad language would not reasonably be understood to convey that the MDL or its proposed settlement is limited to BIPA or biometric data. To the contrary, the most natural reading of the notice is as an explanation that users accepting the proposed resolution would be giving up the right to pursue data-privacy claims against TikTok more generally. See In re Gen. Am. Life Ins. Co., 357 F.3d at 804 (holding that "no due-process violation occurred" in barring former's class member's new claim where language of prior notice was "clearly broad enough to encompass" practices that were "not specifically at issue in the class action").
Nor is the court aware of any clear structural conflict between the IAB Plaintiffs' claims and those of the prior class representatives that would justify exempting the IAB Plaintiffs from the release on due process grounds. The IAB Plaintiffs place particular weight on Hesse v. Sprint
Corp , a case where the Ninth Circuit refused to apply a prior class-action release of claims over Sprint's billing practices to a new class of Washington State Sprint customers who had been included in the prior settlement. But Hesse is distinguishable. The Ninth Circuit's decision in that case hinged on structural adequacy-of-representation concerns: the prior class representative— a resident of a different state—did not share the new class's state-law claims, meaning that his "injury was not typical of [theirs] ... and, as a result, he failed to vigorously prosecute their claims or avoid the conflict between their legal interests." Hesse, 598 F.3d at 592. Here, the IAB Plaintiffs' wiretapping claims are not so clearly different in kind from the Original Plaintiffs' claims: they are simply a new theory of data-privacy liability based on slightly different, but highly similar, facts. Had the Original Plaintiffs known of the in-app browser's potential security risks and the resultant potential legal exposure to TikTok under the wiretapping laws, they may well have added it to their grab bag of allegations against TikTok. Indeed, co-lead counsel and a steering committee member for the original MDL filed— though later withdrew—an IAB action against TikTok in December 2022.
The IAB Plaintiffs cite this as evidence that the original parties to the Settlement did not intend for it to reach the claims now asserted in the IAB Cases. (Pls.' Br. at 5-6.) But the attorneys in question—Katrina Carroll and Jonathan Jagher—later withdrew their claim without prejudice, stating that they and their client had "decided not to pursue these claims" after "an opportunity to further investigate the allegations upon which the claims in this action are based, including early discovery sought and obtained from defendant TikTok Inc." (Pl.'s Notice of Voluntary Dismissal [19] in Rahn v. TikTok Inc., No. 22 C 7256.) These circumstances do not necessarily bear on the threshold question of the Settlement's scope, but Ms. Carroll and Mr. Jager's brief participation in the IAB litigation also does not confirm that the original MDL co-lead counsel would endorse the IAB Plaintiffs' position here.
4. Scope of Prior Investigation
One obvious question this raises— though not one explicitly articulated in other circuits' caselaw on the "identical factual predicate" test—is whether the Original Plaintiffs either knew of the purported security risks posed by the TikTok in-app browser or could have discovered them through due diligence. A "yes" answer to either would mitigate the due process concerns that the IAB Plaintiffs identify. See Kleen Prods. LLC, 306 F.R.D. at 606 ("[A] general release is valid as to all claims of which a signing party has actual knowledge or that he could have discovered upon reasonable inquiry.") (emphasis added) (citation and internal quotation marks removed); Fair v. Int'l Flavors & Fragrances, Inc., 905 F.2d 1114, 1116 (7th Cir. 1990) (stating the same principle in the context of a non-class settlement); cf. Doe v. Allied-Signal, Inc., 985 F.2d 908, 914 (7th Cir. 1993) (noting, in the context of individual claim preclusion, that "[i]f the plaintiff is unaware of facts when filing a complaint, res judicata will not bar subsequent litigation ... [unless] if, by exercising due diligence, he or she could have discovered the relevant information before filing the initial suit").
To this end, Defendant calls the court's attention to the confirmatory discovery that the Original Plaintiffs conducted in late 2020 to vet the Settlement Agreement before seeking the court's approval. In particular, TikTok highlights the two-week onsite evaluation of the App's source code undertaken by "world-renowned computer science expert" Bob Zeidman as evidence that the Original Plaintiffs had a fair chance to discover the in-app browser's purported security issues but failed to do
so. (Prelim. Approv. Mot. at 18; see Carroll Decl. ¶¶ 29-31.) The Original Plaintiffs filed their consolidated complaint after Mr. Zeidman had completed his code review, and specifically used his research to inform the final suite of claims they chose to press against TikTok. (Carroll Decl. ¶¶ 32, 37-39.) The JPML also referenced this prior discovery in one of its transfer orders as a reason why this court might be better suited than the Panel itself to resolving the question of the Settlement's scope. (Transfer Order [293] at 3.) The IAB Plaintiffs, meanwhile, argue that the scope of the Original Plaintiffs' confirmatory discovery goes to matters outside the pleadings, and that they should be entitled to further discovery on this issue if TikTok intends to rely on it as a basis for arguing that their claims are precluded. (Pls.' Br. at 14-15.)
Unfortunately, the record sheds little light on the scope of Mr. Zeidman's code review or the Original Plaintiffs' follow-up discovery. As an initial matter, it is not clear from the record whether the in-app browser was even a part of the App at the time of his review in September 2020, much less whether, at that point in time, it already contained the code enabling it to track user activity that Mr. Krause would later discover in August 2022. At a minimum, if this code was in fact in the App at the time of Mr. Zeidman's effort, it seems likely that he would at least have had the opportunity to discover it: the Settlement Agreement did not specifically limit the portion of the App's source code that he was allowed to review, and the Original Plaintiffs stated in seeking approval of the settlement that Zeidman had been given "free rein to probe TikTok's relevant technology." (Fegan Decl. ¶¶ 18-19.) Assuming it did exist when Mr. Zeidman performed his work, the record's silence on his findings is frustrating; it would be significant if, for example, his report made glancing reference to the in-app browser's keystroke-logging capabilities but did not regard them as meaningfully distinct from the subject matter of the settlement.
There is, however, at least some circumstantial evidence that Mr. Zeidman's review was specifically focused on the BIPA claim and the App's facial-recognition capacities. Mr. Zeidman was retained by Katrina Carroll and Jonathan Jagher, two members of the Original Plaintiffs' leadership committee whose own cases were filed in Illinois and exclusively asserted BIPA claims. (See Carroll Decl. ¶¶ 29-31; Am. Compl. [32] in E.R. v. TikTok, Inc., No. 20 C 2810.) He conducted his two-week code review of the App in September 2020, before the court had appointed a formal plaintiffs' leadership structure for the MDL and before counsel for Hong and the California plaintiffs' group—whose earlier factual research had stretched beyond BIPA and biometric data—were admitted into the settlement negotiation process. TikTok also only agreed to provide discovery that would "confirm [its] warranty" that "it ha[d] not used the App to collect biometric identifiers or biometric information as defined by the Illinois Biometric Information Privacy Act." (Settlement § 7.1 (emphasis added).) Further, the follow-up interrogatories that the Original Plaintiffs were permitted to serve were limited to requests for "an explanation of the function and purpose of up to 20 specific terms in the source code that the third-party expert believes in good faith to be potentially related to the collection of biometric data from users." (Id. § 7.3 (emphasis added).) And TikTok agreed to provide witnesses for deposition under Federal Rule of Civil Procedure 30(b)(6) only as necessary to "verify the warranty that [it] ha[d] not collected biometric identifiers or biometric information from users of the App." (Id. § 7.6.) The Addendum that the Original Plaintiffs added to the initial Settlement
after their vetting period, which they stated was based in key part on the findings from Mr. Zeidman's review, "clarif[ied]" the scope of the Settlement's injunctive relief (for example, to apply to data stored on TikTok's servers as well as the App itself) but made no mention of the in-app browser. (Addendum No. 1 to Settlement [122-1] § 1.1.) Ultimately, however, the precise scope of Mr. Zeidman's work remains a black box. Plaintiffs' counsel in the original MDL did not share any report that Mr. Zeidman prepared or disclose his findings, perhaps because the Settlement stipulated that any confirmatory discovery would be "subject to the terms of a mutually-agreeable confidentiality agreement." (Settlement § 7.1.)
The scope of Mr. Zeidman's analysis is one matter of uncertainty here. There are others. The court notes the speed at which the original MDL was settled and the at-least-facially unorthodox manner in which this settlement was reached. It is not unusual for a case of such significance to be vigorously litigated for years; yet here the Original Plaintiffs reached a settlement in principle only nine days after the JPML issued its consolidation order. The mediation that produced this Settlement was spearheaded by a group of counsel from Illinois whose cases focused primarily on BIPA liability, while the California counsel whose cases raised the broadest array of factual and legal allegations, and who had conducted the most extensive research into the App pre-centralization, did not participate in negotiating its initial terms. The court recognizes that representatives from both of these plaintiff groups were ultimately folded into the negotiation process through the MDL leadership appointment process, but this took place only after the principal Settlement's terms had been reached, and substantial recovery was available to the class and to counsel. The court is not certain, then, that absent class members could reasonably have relied upon the Original Plaintiffs to have turned over every stone imaginable in their post-settlement fact-gathering efforts. Nor is it clear that the potential scope of TikTok's data-privacy violations over the course of the Settlement's class period is such a "settled question[ ] at the core of [the prior] class action" that due process considerations shield TikTok from "relitigati[ng]" it. TBK Partners, 675 F.2d at 460; cf. Class Plaintiffs, 955 F.2d at 1293 (holding that release should apply where prior action had been "aggressively litigated ... for more than three years," including "[m]ultiple motions to dismiss or for summary judgment," "comprehensive" discovery, and "trial ... [that] had already begun and had proceeded for nearly three months"). It is at least worthy of comment that the Original Plaintiffs' investigation evidently failed to uncover a supposedly critical security risk in the App's browser that was subsequently identified by an amateur security researcher and blogger. But there are enough unresolved factual questions about what the Original Plaintiffs could have—and could not have—discovered that this court is not prepared to second-guess their efforts at this stage without knowing more.
This does not cast doubt on Judge Lee's prior determination that the Settlement was a "fair, reasonable and adequate" deal. TikTok Final Approval, 617 F. Supp. 3d at 933 (citing FED. R. CIV. P. 23(e)(2)). As the court noted in its preliminary approval order, the Settlement's quick timeframe resulted in key part from "urgent and extraordinary political pressure upon Defendants to shed TikTok's existing liabilities," and the resulting agreement "ensure[d] meaningful, immediate monetary and injunctive relief for 89 million individuals" compared to what the Original Plaintiffs might have later achieved at trial.
TikTok Preliminary Approval, 565 F. Supp. 3d at 1088. As explained earlier, it is clear from the record that the Settlement's release reaches beyond BIPA and biometric data to cover, at minimum, claims arising from the other types of data collection that the Original Plaintiffs did know about at the time of settlement—and TikTok presumably negotiated the Settlement with the value of this release in mind. See Williams, 159 F.3d at 275 ("No one can say for sure what the settlement would have looked like if [the defendant] had thought that it was really resolving only... [some] claims and leaving open a large number of substantive claims, but it is safe to say it probably would have been different."). While the release of all of these claims is admittedly quite expansive, "on balance," Judge Lee "d[id] not believe [its] breadth ... justifie[d] rejecting the settlement" when he gave his final approval last year, and this court will not revisit that determination. Kaufman, 877 F.3d at 286 (upholding district court's approval of a release that foreclosed "any and all" claims "that relate to any and all Gift Cards issued by American Express" during a nine-year period).
Nevertheless, the breadth of this release is noteworthy, as its terms are broader in scope than others that have previously been approved in this circuit: in particular, it lacks language present in other settlements limiting its scope to the four corners of the Original Plaintiffs' complaint. Cf. Schulte, 2012 WL 2254197, at *1 (describing a release of "any and all ... claims ... related to in any way to the conduct, omission, duties or matters alleged in the Complaints, including claims related ... in any way ... to the assessment of one or more Overdraft Fees") (emphasis added); see also 2 McLaughlin, supra, § 6:29 n.21 (citing similar language in cases from other circuits). And this release was given as consideration for a $92 million settlement that allocated funds between BIPA and non-BIPA claimants at a ratio of six to one. Taken to its logical extreme, it could insulate TikTok from a broad range of unknown data-privacy liability concerns beyond BIPA that it was never forced to litigate at all, and that the Original Plaintiffs might never have reasonably been able to discover. Given the particular facts of this case, the court is unwilling for now to endorse such an expansive reading.
C. Conclusion
In sum, based on the existing record, the court is not prepared to conclude that applying the Settlement's release to in-app browser claims would be consistent with due process. The in-app browser claims closely resemble the claims in the original MDL on their face, but they are not identical in either their underlying harms or their required elements of proof. Further, while the Original Plaintiffs' conduct does not raise any clear structural adequacy-of-representation or notice concerns, the scope of their prior investigation into the App is murky at best. It is not clear that the Original Plaintiffs could reasonably have discovered the in-app browser's security risks and used them to assert additional claims on absent class members' behalf.
In so ruling, the court notes that the unusual and as-yet-undisclosed manner and method of the Original Plaintiffs' post-settlement investigation leaves open the possibility that further information might alter this conclusion—for example, evidence that they recognized both the in-app browser's risks and the potential to use them as the basis for a wiretapping theory of liability, but deliberately chose not to pursue this opportunity. Such evidence would be worth further attention, if not a different result. At this point, although the question is close, the court will err on the
side of allowing the IAB Plaintiffs their day in court—at least unless further discovery unearths facts that require the opposite conclusion. See Denver Homeless Out Loud v. Denver, 32 F.4th 1259, 1289 (10th Cir. 2022) (Rossman, J., dissenting) ("Inevitably, courts must struggle with the uncertain consequences of ambiguous settlement agreements and judgments. The conflicting pressures are apparent, but impenetrable obscurity is likely to be resolved against preclusion.") (quoting 18A Charles Alan Wright & Arthur R. Miller, Federal Practice and Procedure § 4443 (3d ed. 2022)).
The court will thus allow the IAB Plaintiffs to proceed with class claims against TikTok on behalf of former Settlement class members that arise from conduct related to the in-app browser predating the Settlement's Effective Date, without prejudice to TikTok's reasserting affirmative defenses of release and claim preclusion at a later stage in this proceeding. If TikTok intends to rely upon additional factual information, Plaintiffs may seek discovery to test the merits and credibility of TikTok's position.
V. Redesignation of MDL No. 2948
As a final housekeeping matter, the court addresses a small procedural concern. The JPML specifically declined to create a new MDL to house the IAB Cases, dictating instead that that "if the [transferee] court concludes that some or all of the claims in the in-app browser actions were not released under the settlement, coordinated pretrial proceedings in those actions may proceed as part of MDL No. 2948." In re TikTok In-App Browser, 669 F.Supp.3d at 1366 (emphasis added). But this court already issued an order on August 22, 2022 "dismiss[ing] ... the above-captioned action," as well as "all member cases related to and/or consolidated with this action...." (Final Approv. Order ¶ 20.) Further, the court retains jurisdiction to address matters related to MDL No. 2948's settlement distribution and administration. While the court understands this process to be either fully or largely complete based on the Original Parties' most recent status report (see Joint Status Rep. [280]), it is possible that future administrative issues could arise that are distinct from the forthcoming litigation in the IAB Cases, but that will still fall under the same case heading and docket.
To avoid future confusion arising out of an MDL with two distinct generations of cases but the same case number, the court will designate this case as "MDL No. 2948-A" for matters relating to the IAB Cases, and retain the original "MDL No. 2948" designation for all other matters pertaining to the legacy MDL.
CONCLUSION
The IAB Plaintiffs' claims are not subject to dismissal on the basis of the Settlement in MDL No. 2948 at this time, and may proceed for coordinated pretrial proceedings before this court in accordance with the JPML's order. The court will schedule a status conference to discuss the next procedural steps, including appointment of counsel and development of a revised case management order.