Summary
finding that a failure to halt the automatic deletion process of relevant records was not intentional where the movant had not shown intent to be "the most likely explanation" when negligence was equally probable
Summary of this case from Estate of Bosco v. Cnty. of SonomaOpinion
Case No. 20-cv-07182-JCS
2022-05-27
Ann Marie Mortimer, Jason Jonathan Kim, Jeff R. R. Nelson, Hunton Andrews Kurth LLP, Los Angeles, CA, Allison Schultz, Ari Holtzblatt, Robin C. Burrell, Wilmer Cutler Pickering Hale and Dorr LLP, Washington, DC, Andres R. O'Laughlin, Pro Hac Vice, Wilmer Cutler Pickering Hale and Dorr LLP, Boston, MA, Brandon L. Boxler, Pro Hac Vice, Klein Thomas & Lee LLC, Richmond, VA, Cindy Y. Pan, Pro Hac Vice, Wilmer Cutler Pickering Hale and Dorr LLP, New York, NY, Joseph Michael Levy, Sonal N. Mehta, Thomas G. Sprankling, Wilmer Cutler Pickering Hale and Dorr LLP, Palo Alto, CA, for Plaintiff. Rudolph A. Telscher, Kara Renee Fussner, Husch Blackwell LLP, St. Louis, MO, David Eric Anderson, Pro Hac Vice, Chicago, IL, Ryan B. Hauer, Husch Blackwell LLP, Chicago, IL, David Matthew Stauss, Dustin L. Taylor, Pro Hac Vice, Husch Blackwell LLP, Denver, CO, Jeffrey Michael Rosenfeld, Karl Stephen Kronenberger, Kronenberger Rosenfeld, LLP, San Francisco, CA, Stephen P. Bosco, Pro Hac Vice, HuschBlackwell LLP, Washington, DC, for Defendant BrandTotal Ltd. Rudolph A. Telscher, Kara Renee Fussner, Husch Blackwell LLP, St. Louis, MO, David Matthew Stauss, Dustin L. Taylor, Pro Hac Vice, Husch Blackwell LLP, Denver, CO, Jeffrey Michael Rosenfeld, Karl Stephen Kronenberger, Kronenberger Rosenfeld, LLP, San Francisco, CA, Ryan B. Hauer, Husch Blackwell LLP, Chicago, IL, Stephen P. Bosco, Pro Hac Vice, HuschBlackwell LLP, Washington, DC, for Defendant Unimania, Inc.
Ann Marie Mortimer, Jason Jonathan Kim, Jeff R. R. Nelson, Hunton Andrews Kurth LLP, Los Angeles, CA, Allison Schultz, Ari Holtzblatt, Robin C. Burrell, Wilmer Cutler Pickering Hale and Dorr LLP, Washington, DC, Andres R. O'Laughlin, Pro Hac Vice, Wilmer Cutler Pickering Hale and Dorr LLP, Boston, MA, Brandon L. Boxler, Pro Hac Vice, Klein Thomas & Lee LLC, Richmond, VA, Cindy Y. Pan, Pro Hac Vice, Wilmer Cutler Pickering Hale and Dorr LLP, New York, NY, Joseph Michael Levy, Sonal N. Mehta, Thomas G. Sprankling, Wilmer Cutler Pickering Hale and Dorr LLP, Palo Alto, CA, for Plaintiff.
Rudolph A. Telscher, Kara Renee Fussner, Husch Blackwell LLP, St. Louis, MO, David Eric Anderson, Pro Hac Vice, Chicago, IL, Ryan B. Hauer, Husch Blackwell LLP, Chicago, IL, David Matthew Stauss, Dustin L. Taylor, Pro Hac Vice, Husch Blackwell LLP, Denver, CO, Jeffrey Michael Rosenfeld, Karl Stephen Kronenberger, Kronenberger Rosenfeld, LLP, San Francisco, CA, Stephen P. Bosco, Pro Hac Vice, HuschBlackwell LLP, Washington, DC, for Defendant BrandTotal Ltd.
Rudolph A. Telscher, Kara Renee Fussner, Husch Blackwell LLP, St. Louis, MO, David Matthew Stauss, Dustin L. Taylor, Pro Hac Vice, Husch Blackwell LLP, Denver, CO, Jeffrey Michael Rosenfeld, Karl Stephen Kronenberger, Kronenberger Rosenfeld, LLP, San Francisco, CA, Ryan B. Hauer, Husch Blackwell LLP, Chicago, IL, Stephen P. Bosco, Pro Hac Vice, HuschBlackwell LLP, Washington, DC, for Defendant Unimania, Inc.
ORDER REGARDING MOTION FOR SANCTIONS AND MOTIONS FOR SUMMARY JUDGMENT
Re: Dkt. Nos. 246, 268, 272
Redacted Public Version
JOSEPH C. SPERO, Chief Magistrate Judge
I. INTRODUCTION
Plaintiff Meta Platforms, Inc. ("Meta") and Defendants BrandTotal Ltd. and Unimania, Inc. (collectively, "BrandTotal") each move for summary judgment. Meta also moves for sanctions based on purported spoliation of evidence and perjured testimony. The Court held a hearing on May 16, 2022. Each of those motions is GRANTED in part and DENIED in part, as discussed below. This order does not resolve the parties’ motions to exclude expert testimony (dkts. 248, 251), which will be addressed in a separate order.
The parties have consented to the jurisdiction of a magistrate judge for all purposes pursuant to 28 U.S.C. § 636(c).
This order is provisionally filed under seal. Any party that believes compelling reasons warrant sealing any portion of this order may bring a motion no later than June 3, 2022 to retain narrowly tailored redactions under seal.
II. OVERVIEW AND PROCEDURAL HISTORY
Meta is a technology company that, among other things, operates two ubiquitous social networks: Facebook and Instagram. Much of its revenue is derived from selling the right to advertise on those services. Meta provides its advertising clients with information about how their ads are served to users.
BrandTotal provides advertising consulting services to corporate clients regarding how those clients’ and their competitors’ digital advertisements are presented to social media users. One of its primary methods of collecting that information is incentivizing individual users, whom it refers to as "panelists," to share data about the advertisements they are served while browsing social networks. The primary product at issue in this case, a browser extension called UpVoice, awards users points that can be redeemed for gift cards in exchange for using a browser extension that automatically sends data to BrandTotal while a user browses websites like Facebook. Other BrandTotal products, many of which are now defunct, provided less tangible incentives to users, allowing them to do things like keep track of the advertisements they had seen or view other users’ Instagram stories anonymously, again in exchange for collecting advertising data for BrandTotal. Two of those products, addressed below in the context of Meta's motion for sanctions, also logged users’ Instagram access credentials to a server that BrandTotal used primarily for debugging its software for period of around four months.
The current version of UpVoice introduced in 2021 ("UpVoice 2021") (as well as a Spanish-language near-equivalent product called Calix that BrandTotal recently developed in partnership with a third-party ) merely logs information that Facebook transmits to the user about advertisements in the course of the user's regular interaction with the website, as well as demographic information that the user specifically enters into UpVoice (rather than UpVoice collecting it from Facebook). Earlier versions of UpVoice and BrandTotal's other products automatically caused users’ browsers to query Facebook's servers for information, and collected demographic information about users from Facebook in addition to information about advertisements. BrandTotal also gathers data more proactively: its servers collect data directly from webpages that are publicly available for most advertisements on Facebook, it hires contractors to gather data using a program called the "Restricted Panel Extension" for advertisements that are not available to the public and instead require a user to be logged in (for example, age-restricted ads for alcohol), and it has at least at times used Facebook accounts that it purchased or created (which BrandTotal refers to internally as "Muppets") to access information on Facebook.
See Schultz MSJ Decl. Ex. 23 (Martens Supp'l Report) ¶¶ 23–26; id. Ex. 25 (Regev Feb. 2022 Dep.) at 86:21–89:15.
See Schultz MSJ Decl. Ex. 25 (Regev Feb. 2022 Dep.) at 131:8–144:11.
After successfully petitioning Google to remove the then-existing version of UpVoice from its online store, Meta—known at the time as Facebook, Inc.—filed claims against BrandTotal in California state court on October 1, 2020. Meta quickly dismissed that case without prejudice and filed the present case here on October 14, 2020. BrandTotal filed counterclaims and moved for a temporary restraining order ("TRO"). The Court denied that motion for failure to show that the relief BrandTotal sought was in the public interest. Order re TRO (dkt. 63).
Facebook, Inc. v. BrandTotal Ltd. , 499 F. Supp. 3d 720, 725 (N.D. Cal. 2020). Citations herein to the Court's previous orders refer to page numbers of the versions filed in the Court's ECF docket.
On February 19, 2021, the Court granted Meta's motion to dismiss all of BrandTotal's counterclaims, largely with leave to amend. 1st MTD Order (dkt. 108).
Facebook, Inc. v. BrandTotal Ltd. , No. 20-cv-07182-JCS, 2021 WL 662168 (N.D. Cal. Feb. 19, 2021).
BrandTotal reasserted all of its counterclaims in an amended pleading. On June 3, 2021, the Court dismissed BrandTotal's declaratory judgment counterclaims, BrandTotal's counterclaim for intentional interference with contract to the extent it was based on contracts with investors, BrandTotal's interference with prospective advantage counterclaim to the extent it was based on potential customers and investors, and BrandTotal's counterclaims under the "unfair" and "fraudulent" prongs of the UCL. 2d MTD Order (dkts. 152, 158). The Court denied Meta's motion to dismiss BrandTotal's interference with contract and prospective advantage counterclaims and to the extent they were based on existing customers, panelists, and Google, and its counterclaim under the "unlawful" prong of the UCL. Id.
Facebook, Inc. v. BrandTotal Ltd. , No. 20-cv-07182-JCS, 2021 WL 2354751 (N.D. Cal. June 9, 2021). This order was initially filed under seal in an abundance of caution, and unsealed after Meta declined to seek sealing and BrandTotal failed to sufficiently justify its proposed redactions. See dkt. 157.
BrandTotal moved for a preliminary injunction, but the parties agreed at the hearing to resolve that motion with a commitment by Meta not to interfere with UpVoice 2021 while this case is pending without providing notice to BrandTotal in advance, and a commitment by BrandTotal to notify Meta of any changes to the UpVoice 2021 code. Dkt. 150.
On August 31, 2021, the Court denied BrandTotal's motion for leave to add a defamation counterclaim after the deadline to amend pleadings had expired, and dismissed with prejudice BrandTotal's reasserted counterclaim under the UCL's "unfair" prong for failure to allege Meta's market power in a relevant product market. 3d MTD Order (dkt. 178).
Facebook, Inc. v. BrandTotal Ltd. , No. 20-cv-07182-JCS, 2021 WL 3885981 (N.D. Cal. Aug. 31, 2021).
BrandTotal's operative third amended counterclaims assert the following theories: (1) intentional interference with BrandTotal's contracts with its corporate customers, its panelists, and Google, 3d Am. Counterclaims (dkt. 183) ¶¶ 94–130; (2) intentional interference with prospective economic advantage regarding the same relationships, id. ¶¶ 131–39; and (3) violation of the UCL's "unlawful" prong by virtue of the intentional interference theories, id. ¶¶ 140–46.
Since BrandTotal did not challenge the sufficiency of Meta's allegations through a motion to dismiss and Meta never sought preliminary injunctive relief, Meta's claims against BrandTotal have not been directly at issue in any previous motion. Meta asserts the following claims in its operative first amended complaint: (1) breach of contract, citing the Facebook and Instagram terms of use, 1st Am. Compl. ("FAC," dkt. 148) ¶¶ 83–89; (2) unjust enrichment, id. ¶¶ 90–96; (3) violation of the Computer Fraud and Abuse Act ("CFAA," 18 U.S.C. § 1030 ), id. ¶¶ 97–102; (4) violation of California's Comprehensive Computer Data Access and Fraud Act ("CDAFA," Cal. Penal Code § 502 ), id. ¶¶ 103–11; (5) intentional interference with Meta's contracts with its users, id. ¶¶ 112–18; and (6) violation of the "unlawful," "unfair," and "fraudulent" prongs of the UCL, id. ¶¶ 119–26.
III. META'S MOTION FOR SANCTIONS
A. Background
Meta's sanctions motion primarily concerns two related issues: (1) data from a debugging log called Rapid7 that BrandTotal allowed to be deleted on a regular schedule, including after this action commenced and purportedly after learning that it was relevant; and (2) deposition testimony by BrandTotal's Rule 30(b)(6) witness and then-Vice President of Research and Development Oren Dor stating, inaccurately, that BrandTotal's Anonymous Story Viewer product did not transmit access credentials to BrandTotal's servers.
At all relevant times, BrandTotal has used Rapid7 as a logger tool to track the operation of its various software products. The Rapid7 log received information about processes executed by BrandTotal's software and stored that information for a period of thirty days, with each entry automatically deleted thirty days after it was created. See O'Laughlin Decl. (dkt. 246-2) Ex. 5 (Regev Nov. 2021 Dep.) at 194:20–22. According to BrandTotal, the Rapid7 log was used only for troubleshooting and debugging, not for BrandTotal's business of preparing marketing insights for its customers. Regev Sanctions Decl. (dkt. 288-1) ¶¶ 5–6.
As of October of 2020, at least some BrandTotal developers knew that "access tokens and cookies" from users of certain BrandTotal products (Story Savebox and Anonymous Story Viewer, or "ASV") had been sent to the Rapid7 log, but until BrandTotal Vice President Yair Regev's November 18, 2021 deposition, BrandTotal took no steps to preserve those logs and prevents their automatic deletion. O'Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 196:11–197:21. Meta's data security team also knew as of October 2020 that ASV collected and exfiltrated users session ID tokens and sessions IDs, which would be sufficient for a third party to make requests to Instagram servers as if that third party were the user, Karve Oct. 2020 Decl. (dkt. 42) ¶¶ 22–23, but it is not clear from the record that Meta knew at that time where or how BrandTotal stored that data after collecting it. According to Regev, Meta would have been able to determine from BrandTotal's source code what information was sent to Rapid7. Regev Sanctions Decl. ¶ 6. After Meta filed a declaration in October of 2020 address the collection of user access credentials, BrandTotal modified ASV and Story Savebox to cease doing so, but did not take steps to preserve the Rapid7 logs or prevent their automatic deletion.
During deposition in January of 2021 related to BrandTotal's efforts to obtain a preliminary injunction, Dor testified on behalf of BrandTotal that ASV had never transmitted users’ session tokens or session IDs (which could be used to access Instagram as if one were that user) to BrandTotal's servers. O'Laughlin Decl. Ex. 1 (Dor Jan. 2021 Dep.) at 128:17–130:3. Dor's successor, Regev, conceded that Dor's testimony on that subject was inaccurate and did not reflect what BrandTotal knew at the time of Dor's deposition. O'Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 184:13–186:2. After leaving the company in 2021, Dor testified in a March 2022 deposition that he did not recall whether BrandTotal used Rapid7 or any other logging service, and that although he oversaw developers, his own role was not sufficiently technical for him to have "connected to these logs" during his time at BrandTotal. Schultz Sanctions Decl. (dkt. 293-1) Ex. 27 (Dor March 2022 Dep.) at 74:6–75:5. BrandTotal altered the software to remove the collection of access credentials around four months after it started collecting that data, and ASV was removed from the Google's browser extension store in October of 2020, but BrandTotal's Rapid7 log may have continued to receive that information from users who downloaded ASV while it was available from Google and who did not update their software after the code was altered. Regev Sanctions Decl. ¶ 12; O'Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 186:6–21. Neither ASV nor Story Savebox is currently available for download. O'Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 186:3–5.
Meta's attorneys first learned at some point after September 17, 2021 that data from Facebook and Instagram was stored in the Rapid7 logs, BrandTotal thereafter produced excerpts of the Rapid7 data, and Meta confirmed from Regev during his November 18, 2021 testimony that the Rapid7 logs had at one point contained users’ access tokens but older logs had been lost due to the thirty-day retention and automatic deletion process. See O'Laughlin Decl. Ex. 13 (email from Meta's counsel to BrandTotal's counsel). In response to a specific request by Meta's counsel, BrandTotal produced all Rapid7 data that remained available at that time (running from October 2021), and continued to do so on a weekly basis beyond the close of expert discovery. Taylor Sanctions Decl. (dkt. 288-2) ¶¶ 19–20.
Meta does not dispute BrandTotal's contention that none of BrandTotal's source code produced in this litigation—either for BrandTotal's consumer products or for its own server-side operations—draws data from the Rapid7 log, as opposed to sending data to it. See Regev Sanctions Decl. ¶ 10. Meta has not identified evidence indicating that any other BrandTotal product collected the sort of access credentials at issue, or that newly installed versions of ASV or Story Savebox did so at any time beyond the approximately four-month period ending in October of 2020. See id. ¶¶ 11–12.
Meta seeks an order imposing the following adverse presumption against BrandTotal:
1. The Court will treat the following facts as established for purposes of adjudicating Meta's summary judgment motion, and that the fact-finder at trial will be instructed that it may presume:
a. Defendants were obligated to preserve the data logged on the Rapid7 server between October 2020 and October 2021, but intentionally failed to do so because the data was unfavorable to Defendants.
b. The deleted data would have shown that between October 2020 and October 2021 (i) Defendants continuously misappropriated access credentials from Meta users and exfiltrated them to BrandTotal-controlled servers; (ii) Defendants did not anonymize or encrypt this sensitive data; (c) [sic] Defendants used these access credentials to pose as legitimate Meta users and scrape password-protected data from Meta's computers, in violation of Meta's Terms of Service; and (iv) Defendants attempted to conceal the collection and use of these access credentials because they knew their conduct was unlawful.
c. The deleted data would have shown that between October 2020 and October 2021, Defendants continuously used accounts they created or purchased in order to gain access to Facebook and Instagram, pose as legitimate Meta users, and scrape data from Meta's computers in violation of Meta's Terms of Service.
Proposed Order re Sanctions (dkt. 246-28). Meta also seeks to preclude BrandTotal "from relying on Mr. Oren Dor's January 13, 2021 testimony," and to recover its "fees and costs, including expert costs, incurred in connection with bringing this motion." Id.
BrandTotal argues that it "did not intentionally (or even affirmatively) delete anything," but "[r]ather, the data within the logger tool merely expired after 30-days as part of BrandTotal's ordinary course of business." Opp'n to Sanctions (dkt. 288) at 2. It also argues that Meta was not prejudiced because other evidence shows the conduct at issue, id. at 13–15, that the relief Meta seeks is excessive, id. at 15–18, and that it should be permitted to use Dor's testimony, id. at 18–21. Based on its contention that sanctions are not appropriate, BrandTotal also argues that it should not be required to pay Meta's attorneys’ fees. Id. at 21–22.
B. Legal Standard for Discovery Sanctions
"Federal courts have the authority to sanction litigants for discovery abuses both under the Federal Rules of Civil Procedure and pursuant to the court's inherent power to prevent abuse of the judicial process." Network Appliance, Inc. v. Bluearc Corp. , No. C 03-5665 MHP, 2005 WL 1513099, at *2 (N.D. Cal. June 27, 2005) (citing Chambers v. NASCO, Inc. , 501 U.S. 32, 45–46, 111 S.Ct. 2123, 115 L.Ed.2d 27 (1991) ; In re Yagman , 796 F.2d 1165, 1187 (9th Cir. 1986) ). Rule 16(f) of the Federal Rules of Civil Procedure allows a court to order sanctions where a party or its attorney fails to obey a pretrial order. Rule 37(b)(2)(A) specifically addresses sanctions that may be imposed on a party that has failed to comply with a discovery order, including striking pleadings in whole or in part, dismissal, entry of default judgment, contempt of court, and an order "directing that the matters embraced in the order or other designated facts be taken as established for purposes of the action, as the prevailing party claims." See Fed. R. Civ. P. 37(b)(2)(A)(i).
Rule 37(e) provides that "[i]f electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery," a court that finds prejudice to another party as a result may "order measures no greater than necessary to cure the prejudice," and a court that finds "that the party acted with the intent to deprive another party of the information's use in the litigation may" presume that the information was unfavorable, instruct the jury that it may or must so presume, or enter judgment against the culpable party. Fed. R. Civ. P. 37(e).
A district court also has inherent authority to impose sanctions for spoliation of evidence. Leon v. IDX Sys. Corp. , 464 F.3d 951, 958 (9th Cir. 2006) ; Glover v. BIC Corp. , 6 F.3d 1318, 1329 (9th Cir. 1993). The majority of courts use a three-part test to determine whether spoliation occurred, consisting of the following elements: " ‘(1) that the party having control over the evidence had an obligation to preserve it at the time it was destroyed; (2) that the records were destroyed with a "culpable state of mind;" and (3) that the evidence was "relevant" to the party's claim or defense such that a reasonable trier of fact could find that it would support that claim or defense.’ " Apple Inc. v. Samsung Elecs. Co. , 881 F. Supp. 2d 1132, 1138 (N.D. Cal. 2012) (quoting Zubulake v. UBS Warburg LLC , 220 F.R.D. 212, 215 (S.D.N.Y. 2003) ) (footnotes omitted). "[T]he ‘culpable state of mind’ factor is satisfied by a showing that the evidence was destroyed knowingly, even if without intent to breach a duty to preserve it, or negligently." Residential Funding Corp. v. DeGeorge Fin. Corp. , 306 F.3d 99, 108 (2d Cir. 2002) (cleaned up; emphasis omitted); see Miranda v. Wyatt , 677 F. App'x 432, 432–33 (9th Cir. 2017) (citing Residential Funding with approval and noting the parties’ agreement that it "provides an appropriate test for determining when an adverse inference instruction can be given"); Katzman v. L.A. Cty. Metro. Transp. Auth. , No. 13-cv-00438-LHK, 2015 WL 13861765, at *9–10 (N.D. Cal. Mar. 26, 2015) (applying the Residential Funding test).
If spoliation is found, courts often consider three factors to determine whether and what type of sanctions to issue: "(1) the degree of fault of the party who altered or destroyed the evidence; (2) the degree of prejudice suffered by the opposing party; and (3) whether there is a lesser sanction that will avoid substantial unfairness to the opposing party." Nursing Home Pension Fund v. Oracle Corp. , 254 F.R.D. 559, 563 (N.D. Cal. 2008) (quoting Schmid v. Milwaukee Elec. Tool Corp. , 13 F.3d 76, 79 (3d Cir. 1994) ). Among other sanctions, trial courts have "the broad discretionary power to permit a jury to draw an adverse inference from the destruction or spoliation against the party or witness responsible for that behavior" so long as the party responsible had "simple notice of ‘potential relevance to the litigation,’ " with no requirement to prove bad faith. Glover , 6 F.3d at 1329 (quoting Akiona v. United States , 938 F.2d 158, 161 (9th Cir. 1991) ).
C. BrandTotal's Conduct Warrants a Permissive (as Opposed to Mandatory) Adverse Inference Instruction
The relief that Meta seeks here is internally inconsistent: while Meta asks the Court to treat certain facts as established for the purpose of Meta's summary judgment motion, it seeks an instruction at trial only that the jury may presume such facts to be true. See Proposed Sanctions Order (dkt. 246-28). Such an approach is in tension with the usual rules for summary judgment, where courts view the facts and draw all possible inferences in the light most favorable to the nonmoving party, in order to determine whether the nonmoving party could prevail at trial. Meta's approach here could potentially have the Court grant summary judgment in Meta's favor on a record where BrandTotal might prevail if the case went to trial. Meta cites no authority for imposing sanctions in that manner and does not offer a reason to do so. The Court evaluates the motion without regard to the phase of the case as if it requests, in the first instance, a mandatory presumption that the facts Meta has set forth are true, or, as an alternative lesser sanction, an instruction that the finder of fact may presume those facts to be true.
The Court has little trouble concluding that the Rapid7 database—which provided a detailed running log of the operation of BrandTotal's software, recording at least to some degree the actual data BrandTotal collected from Facebook and Instagram—included information relevant to the case, that BrandTotal knew it included that information, and that BrandTotal should have taken steps to preserve it once litigation was contemplated, i.e., no later than when Meta filed its first complaint against BrandTotal in state court. There is no dispute that BrandTotal failed to do so until roughly a year after the case began. See, e.g. , O'Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 196:15–18. The Court is also satisfied that the loss of a real-time log of at least some of BrandTotal's data collection prejudices Meta's ability to understand and prove the scope and nature of that conduct. As one example, there currently does not appear to be any way to assess how many users’ access credentials were logged by BrandTotal or when BrandTotal stopped receiving that information from users of outdated versions of its products. Similarly, the Rapid7 logs would have provided greater insight than is now available as to how extensively BrandTotal used "fake" accounts that it purchased or created to gather data from Facebook and Instagram from October 2020 to October 2021. There is also no dispute that the deleted Rapid7 logs cannot be replaced or recovered through additional discovery. Meta has therefore established the basic elements of spoliation for the purpose of Rule 37(e).
When it comes to the specific relief Meta seeks, however, Meta has not met Rule 37(e)(2) ’s requirement to show that BrandTotal "acted with the intent to deprive another party of the information's use in the litigation," as would be necessary for an adverse inference presumption or instruction under that rule. Fed. R. Civ. P. 37(e)(2). BrandTotal's position that it merely negligently failed to take steps to counteract the automatic deletion process of its Rapid7 subscription is plausible. While BrandTotal certainly should have recognized its obligation to preserve those records, it is not hard to imagine that BrandTotal's employees might have overlooked their transient diagnostic log as a source of relevant and discoverable information while they, presumably, took steps to preserve more obvious sources of relevant information like email accounts and the databases they used to prepare analysis for BrandTotal's corporate clients. Negligence—even gross negligence—in failing to retain relevant evidence is not sufficient to support an adverse inference under Rule 37(e)(2). Porter v. City & Cty. of San Francisco , No. 16-cv-03771-CW (DMR), 2018 WL 4215602, at *4 (N.D. Cal. Sept. 5, 2018). While it is possible that BrandTotal intentionally failed to preserve the Rapid7 logs that documented its collection of user access credentials, and BrandTotal having affirmatively acted to alter its programs to cease collecting those credentials lends at least some support to that theory, Meta has not shown that to be the most likely explanation for the ongoing automatic deletion of those logs.
The type of information at issue distinguishes this case from WeRide Corp. v. Kun Huang , where the court found bad faith for the purpose of terminating sanctions under Rule 37(b) based on a party having "left in place the autodelete setting on its email server, began using DingTalk's ephemeral messaging feature, and maintained a policy of deleting the email accounts and wiping the computers of former employees." WeRide , No. 5:18-cv-07233-EJD, 2020 WL 1967209, at *10 (N.D. Cal. Apr. 24, 2020) ; see also John v. County of Lake , No. 18-cv-06935-WHA (SK), 2020 WL 3630391, at *4, *6–7 (N.D. Cal. July 3, 2020) (finding the requisite intent for Rule 37(e)(2) where "the District Court explicitly warned Defendants to put in place policies to preserve evidence and to stop any policy of destruction, but Defendants did not do so," instead actively deleting emails and text messages).
In Porter , the City and County of San Francisco did not dispute that it had an obligation to preserve the recording of a call to law enforcement. Id. at *3. The court found that the city failed to take reasonable steps to do so, that the recording could not be restored or replaced after it was deleted pursuant to a two-year retention policy, and that the plaintiff was prejudiced by losing evidence potentially relevant to a witness's credibility or other issues in the case. Id. at *3–4. Turning to the intent requirement of Rule 37(e)(2), however, the court found that the city's mere failure to recognize its obligation to preserve the call and deviate from its regular deletion schedule was not sufficient to show that intentionally prevented the plaintiff from obtaining that evidence. Id. at *4 ("While CCSF certainly should have done more, and should have acted earlier to preserve a piece of evidence as central as a recording of the dispatch call, there is no evidence that CCSF decided to erase the Okupnik call when it was under pressure to produce it."). The court instead determined that the jury should be instructed as to what occurred, and allowed to draw its own conclusions:
Since the Okupnik call cannot be restored or retrieved, and constitutes relevant and material evidence, the court finds that an appropriate sanction is to inform the jury that the call was spoliated. To that end, the court orders that the jury may hear a short factual statement at trial regarding the spoliation of this evidence. The statement should inform the jury that CCSF had a duty to preserve a copy of the Okupnik call, and that despite this duty, the recording of the call was erased and is no longer available. As a result, CCSF's actions have prevented the jury from hearing what Okupnik communicated to SFSD in that call, how he communicated it, and what SFSD said in response to Okupnik.
Id. The court also awarded the plaintiff his attorneys’ fees for bringing the sanctions motion, but not for "time spent in the meet and confer process, because such work was necessary regardless of whether a sanctions motion ensued." Id. at *5.
In another case from this district, the defendant improperly failed to preserve video footage of the plaintiff's slip-and-fall injury at the defendant's gas station, prejudicing the plaintiff's ability to prove his case. Phan v. Costco Wholesale Corp. , No. 19-cv-05713-YGR, 2020 WL 5074349, at *2–3 (N.D. Cal. Aug. 24, 2020). In the absence of any evidence of malicious intent, however, the court declined to infer that the loss of the video was anything more than "sloppiness," and thus found that Rule 37(e)(2) was not satisfied. Id. at *3. Rather than an instruction as to any particular adverse inference or barring the defendant from pursuing a particular theory, the court determined that California's CACI 204 model instruction was appropriate, allowing the jury to determine whether the destruction of evidence was intentional and whether to infer that the video was unfavorable to the defense, without specifically laying out what facts the jury might infer. Id. at *4.
Here, as in Porter and Phan , Rule 37(e)(2) is not satisfied because Meta has not offered sufficient evidence of any intent by BrandTotal to deprive Meta of the lost Rapid7 logs. Meta is therefore not entitled to a mandatory adverse inference presumption or instruction under that rule.
BrandTotal's negligence could potentially support an adverse inference instruction under the Court's inherent authority even if not under Rule 37(e). See, e.g., Posner v. Hillstone Rest. Grp., Inc. , No. 219CV00507TLNKJN, 2022 WL 705602, at *5–7 (E.D. Cal. Mar. 9, 2022) (issuing a "flexible" instruction leaving to the jury the question of what inference to draw, based on a broader standard of culpability that intent and without discussing Rule 37(e) ). The particular instruction Meta seeks, however, is too far removed from the evidence that is in the record. To the extent Meta asks the Court to accept as proven that the deleted Rapid7 logs would have revealed a year-long practice of exfiltrating users’ access credentials and using that information to pose as those users and scrape data, it identifies no evidence besides the absence of the logs to support those allegations. While Meta is correct that the mere absence of corroborating evidence does not necessarily negate an adverse inference, it offers no meaningful response to BrandTotal's argument that, had BrandTotal been systematically misusing the access tokens collected in its Rapid7 logs, its source code would include calls for data from that repository. Instead, Meta relies solely on the facts that: (1) BrandTotal engineers had access to manually review the Rapid7 logs; and (2) BrandTotal sometimes had to replace the access tokens that it created using fake accounts because Meta sometimes blocked them. In the Court's view, whatever inferences might be drawn from those facts is best left to the jury—or, in the context of any claims tried to the Court, for resolution after trial.
Under the circumstances, the Court finds that instructions similar to those used in Porter, Phan , and Posner are appropriate. If the case proceeds to trial, the jury will be instructed that BrandTotal had a duty to preserve its Rapid7 logs from October of 2020 through October of 2021 but failed to do so. The jury will also receive the CACI 204 instruction, modified as follows:
You may consider whether one party intentionally concealed or destroyed evidence, or intentionally allowed evidence to be lost. If you decide that a party did so, you may decide that the evidence would have been unfavorable to that party.
The emphasis here indicates an addition to the model instruction to address the facts of this case. The instruction as presented to the jury will include the same text without emphasis.
D. Dor's Testimony
On December 23, 2021, the parties agreed that BrandTotal would not rely on any testimony from Dor postdating that stipulation. Stipulation (dkt. 215) ¶ 10; see also Order on Stipulation (dkt. 216). Meta now argues that as a result of Dor's purported perjury regarding the sort of data BrandTotal collected, BrandTotal also should not be permitted to rely on his previous deposition testimony.
In its reply, Meta argues for the first time that even if Dor's statements were not knowingly false, BrandTotal violated its discovery obligations by failing to correct Dor's false statements, and that later representations by BrandTotal regarding the nature of its data collection were also false. Sanctions Reply at 11–12. BrandTotal had no opportunity to respond to these arguments, and no reason is apparent why Meta could not have raised them in its motion if it intended to pursue them. The Court therefore declines to consider them.
While Meta is correct that courts may impose sanctions for a party's perjured testimony, it cites no case imposing a comparable sanction to what it seeks here. See Sanctions Mot. (dkt. 246) at 20 (citing Valley Eng'rs Inc. v. Elec. Eng'g Co. , 158 F.3d 1051, 1058 (9th Cir. 1998) (imposing case-dispositive sanctions in an extreme case); Excel Innovations, Inc. v. Indivos Corp. , No. C-03-3125 MMC (JCS), 2006 WL 8439364, at *13 (N.D. Cal. Nov. 21, 2006) (same); Bowoto v. Chevron Texaco Corp. , No. C 99-02506 SI, 2008 WL 552456, at *3 (N.D. Cal. Feb. 27, 2008) (denying a motion for sanctions that asked the court to infer perjury, and deferring that issue to the jury, but imposing lesser sanctions for failure to preserve evidence)). Meta has not argued that the case-dispositive sanctions imposed in Valley Engineers and Excel Innovations are warranted here. Nor has it offered any explanation for why the particular remedy it seeks is appropriate.
BrandTotal has not materially relied on any testimony by Dor in its summary judgment briefing, so this portion of the sanctions motion does not affect the outcome of the parties’ motions for summary judgment. See Defs.’ Opp'n to MSJ (dkt. 299) at 3 (citing Dor's testimony to show a 2018 change to BrandTotal's security practices, which is not relevant to the outcome of the motion and is supported by other evidence); Defs.’ MSJ Reply (dkt. 311) at 17 (addressing portions of Dor's testimony offered by Meta, for facts also confirmed by Meta's expert witness). It is not clear if or how BrandTotal would seek to use Dor's past testimony at trial.
While it is possible that Dor lied in his deposition, it is not clear that he was not simply mistaken or uninformed about the nature of the Rapid7 log and the two BrandTotal products at issue, which were not central to the case at that time. Taking into account that "credibility of witnesses is almost categorically a trial issue," Alameda Books, Inc. v. City of Los Angeles , 631 F.3d 1031, 1042–43 (9th Cir. 2011), that Meta would likely be able to impeach any testimony from Dor with his testimony that BrandTotal has now acknowledged to be false and with any circumstantial evidence that it believes indicates he would have known the truth, and that it is difficult to assess any potential prejudice to Meta of allowing Dor's testimony at trial without knowing what testimony BrandTotal might seek to use, the Court declines at this time to prevent BrandTotal from offering it. This order is without prejudice to any argument that Meta might raise with respect to the fairness of any particular testimony BrandTotal seeks to use at trial.
E. Attorneys’ Fees
While Meta has not shown that it is entitled to an adverse inference sanction under Rule 37(e)(2), it has shown spoliation of relevant evidence at least through BrandTotal's negligence, and that an instruction informing the jury of BrandTotal's obligation to preserve that evidence and failure to do so is appropriate. An award of attorneys’ fees for bringing a sanctions motion is an appropriate remedy for spoliation under Rule 37(e)(1) as "measures no greater than necessary to cure the prejudice," even where a party fails to show bad faith under Rule 37(e)(2). Aramark Mgmt., LLC v. Borgquist , No. 8:18-cv-01888-JLS-KESx, 2021 WL 864067, at *22 (C.D. Cal. Jan. 27, 2021), recommendation adopted , 2021 WL 863746 (C.D. Cal. Mar. 8, 2021). BrandTotal does not dispute that proposition, arguing only that Meta should be denied fees because its motion should be denied on its merits. Opp'n to Sanctions at 21–22.
The Court finds that an award of attorneys’ fees is appropriate to cure the prejudice to Meta that resulted from BrandTotal's spoliation of evidence. Based on Meta's overreach in seeking a more extreme remedy under Rule 37(e)(2), however, the Court concludes that not all of the fees expended in bringing this motion were reasonably incurred. BrandTotal is therefore ORDERED to reimburse seventy-five percent of the fees and costs Meta incurred in bringing its motion for sanctions. See Fox v. Vice , 563 U.S. 826, 838, 131 S.Ct. 2205, 180 L.Ed.2d 45 (2011) ("The essential goal in shifting fees is to do rough justice, not to achieve auditing perfection.").
The parties shall meet and confer by videoconference and file no later than June 10, 2022 either: (1) a stipulation as to the amount of such fees and costs; or (2) a joint letter brief no longer than five pages laying out their respective positions on the value of fees and costs to be awarded.
IV. MOTIONS FOR SUMMARY JUDGMENT
BrandTotal seeks summary adjudication or judgment in its favor on the following issues: (1) that section 3.2.3 of the Facebook terms of service is unenforceable as contrary to public policy; (2) that section 3.2.3 is unconscionable; (3) that Meta cannot prevail on its CFAA and CDAFA claims; and (4) that Meta cannot prevail on its UCL claim. Defs.’ MSJ (dkt. 268). BrandTotal asserts in its reply that it is also entitled to summary judgment on Meta's tortious interference claim with respect to UpVoice 2021 for reasons other than the purported unenforceability of Meta's terms of service, Defs.’ MSJ Reply at 13, but the Court declines to address that argument raised for the first time in the reply.
Meta seeks summary judgment on its own claims for breach of contract and violation of the CFAA and CDAFA, and partial summary judgment on its UCL claim. Pl.’s MSJ (dkt. 272) at 10–22. It also seeks summary judgment on BrandTotal's counterclaims for interference and under the UCL. Id. at 23–35.
A. Legal Standard
Summary judgment on a claim or defense is appropriate "if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(a). In order to prevail, a party moving for summary judgment must show the absence of a genuine issue of material fact with respect to an essential element of the non-moving party's claim, or to a defense on which the non-moving party will bear the burden of persuasion at trial. Celotex Corp. v. Catrett , 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986).
Once the movant has made this showing, the burden then shifts to the party opposing summary judgment to designate " ‘specific facts showing there is a genuine issue for trial.’ " Id. (citation omitted); see also Fed. R. Civ. P. 56(c)(1) ("A party asserting that a fact ... is genuinely disputed must support the assertion by ... citing to particular parts of materials in the record ...."). "[T]he inquiry involved in a ruling on a motion for summary judgment ... implicates the substantive evidentiary standard of proof that would apply at the trial on the merits." Anderson v. Liberty Lobby Inc. , 477 U.S. 242, 252, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). The non-moving party has the burden of identifying, with reasonable particularity, the evidence that precludes summary judgment. Keenan v. Allan , 91 F.3d 1275, 1279 (9th Cir. 1996). Thus, it is not the task of the court " ‘to scour the record in search of a genuine issue of triable fact.’ " Id. (citation omitted); see Carmen v. S.F. Unified Sch. Dist. , 237 F.3d 1026, 1031 (9th Cir. 2001) ; Fed. R. Civ. P. 56(c)(3).
A party need not present evidence to support or oppose a motion for summary judgment in a form that would be admissible at trial, but the contents of the parties’ evidence must be amenable to presentation in an admissible form. See Fraser v. Goodale , 342 F.3d 1032, 1036–37 (9th Cir. 2003). Neither conclusory, speculative testimony in affidavits nor arguments in moving papers are sufficient to raise genuine issues of fact and defeat summary judgment. Thornhill Publ'g Co., Inc. v. GTE Corp. , 594 F.2d 730, 738 (9th Cir. 1979). On summary judgment, the court draws all reasonable factual inferences in favor of the non-movant, Scott v. Harris , 550 U.S. 372, 378, 127 S.Ct. 1769, 167 L.Ed.2d 686 (2007), but where a rational trier of fact could not find for the non-moving party based on the record as a whole, there is no "genuine issue for trial" and summary judgment is appropriate. Matsushita Elec. Indus. Co. v. Zenith Radio , 475 U.S. 574, 587, 106 S.Ct. 1348, 89 L.Ed.2d 538 (1986).
B. Breach of Contract
Under California law, the "cause of action for damages for breach of contract is comprised of the following elements: (1) the contract, (2) plaintiff's performance or excuse for nonperformance, (3) defendant's breach, and (4) the resulting damages to plaintiff." Armstrong Petroleum Corp. v. Tri-Valley Oil & Gas Co. , 116 Cal. App. 4th 1375, 1391 n.6, 11 Cal.Rptr.3d 412 (2004).
The contractual provision most central to this case is section 3.2.3 of Meta's terms of use for Facebook, which reads as follows:
You may not access or collect data from our Products using automated means (without our prior permission) or attempt to access data you do not have permission to access.
Schultz MSJ Decl. (dkt. 272-6) Ex. 5 § 3.2.3. Section 4.2. states that the terms of use generally terminate as an agreement when Meta disables a user's account, but specifically provides that section 3, as well as subsections 4.2 through 4.5, remain in effect. Id. § 4.2. Instagram's terms of use include a similar clause, but since the relevant portion of the Facebook terms of use govern all of Meta's products, the Instagram terms are largely redundant in this case.
In 2017, when BrandTotal created some of the accounts at issue, the relevant provision read: "You will not collect users’ content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission." Dor TRO Decl. Ex. I at 2, § 3.2. BrandTotal suggests that was a narrower restriction but does not explain why that is so. See Defs.’ MSJ at 10; Defs.’ MSJ Reply at 9–10. To the extent BrandTotal's argument rests on the list of particular methods of automated collection included in the older version but omitted from the newer version, the Court finds that the use of "such as" to introduce the parenthetical plainly indicates that it is intended as an incomplete list of examples and not to limit the scope of the restriction.
1. BrandTotal's Motion Regarding Breach of Contract
BrandTotal seeks summary judgment on Meta's contract claim based on two defenses: that section 3.2.3 violates public policy, and that it is unconscionable.
a. Section 3.2.3 and Public Policy
BrandTotal contends that the prohibition of unauthorized automated access violates public policies related to consumer data ownership, Defs.’ MSJ at 15–18, market competition, id. at 18–22, and the free flow of information and speech, id. at 22–27.
"Under general principles of California contract law, a contract is unlawful, and therefore unenforceable, if it is ‘[c]ontrary to an express provision of law’ or ‘[c]ontrary to the policy of express law, though not expressly prohibited.’ " Sheppard, Mullin, Richter & Hampton, LLP v. J-M Mfg. Co. , 6 Cal. 5th 59, 73, 237 Cal.Rptr.3d 424, 425 P.3d 1 (2018) (quoting Cal. Civ. Code § 1667 ) (alterations in original). According to the California Supreme Court, however, that doctrine is not limited to public policies embodied in express law. Instead, that court has "also held that a contract or transaction may be found contrary to public policy even if the Legislature has not yet spoken to the issue." Id. In a 1953 case that the more recent Sheppard, Mullin decision cited with approval, the court stated that " ‘public policy’ is inherently not subject to precise definition," encompassing "principle of law which holds that no citizen can lawfully do that which has a tendency to be injurious to the public or against the public good" such that "anything which tends to undermine that sense of security for individual rights, whether of personal liberty or private property, which any citizen ought to feel, is against public policy." Safeway Stores, Inc. v. Retail Clerks Int'l Ass'n , 41 Cal. 2d 567, 575, 261 P.2d 721 (1953) (citation and internal quotation marks omitted). " ‘Whether a contract is illegal or contrary to public policy is a question of law to be determined from the circumstances of each particular case.’ " Dunkin v. Boskey , 82 Cal. App. 4th 171, 183, 98 Cal.Rptr.2d 44 (2000) (quoting Jackson v. Rogers & Wells 210 Cal.App.3d 336, 349–350, 258 Cal.Rptr. 454 (1989) ).
Meta cites Sheppard, Mullin for the proposition that contracts may only be invalidated as contrary to public policy where they implicate express law, Pl.’s Opp'n to MSJ (dkt. 303) at 4, which is the opposite of what that case says.
The principle that a court may decline to enforce a contract based on public interest beyond express law is in tension with an even older line of U.S. Supreme Court precedent holding that because "the term ‘public policy’ is vague, there must be found definite indications in the law of the sovereignty to justify the invalidation of a contract as contrary to that policy," as "ascertained by reference to the laws and legal precedents and not from general considerations of supposed public interests." Muschany v. United States , 324 U.S. 49, 65–66, 65 S.Ct. 442, 89 L.Ed. 744 (1945). Muschany involved contracts between private parties and the United States, which were invoked by those parties as defendants in a federal eminent domain suit as evidence of the fair value of their property, and which the United States argued were unenforceable as contrary to federal policy. Id. at 51–54, 65 S.Ct. 442. On its own, it could perhaps be read narrowly as a matter of federal common law, with no application to the California contract claim at issue here, as perhaps could many more recent cases restating its rule in the context of labor arbitration and collective bargaining agreements. See, e.g., E. Associated Coal Corp. v. United Mine Workers of Am., Dist. 17 , 531 U.S. 57, 62, 121 S.Ct. 462, 148 L.Ed.2d 354 (2000) ("The Court has made clear that any such public policy must be explicit, well defined, and dominant. It must be ascertained by reference to the laws and legal precedents and not from general considerations of supposed public interests." (cleaned up)). Some of the cases on which Muschany relied, however, involved the Supreme Court examining state law.
In Vidal v. Girard's Executors , 43 U.S. (2 How.) 127, 11 L.Ed. 205 (1844), the Court declined to invalidate a charitable bequest that prohibited the school for orphans it established from employing religious ministers. Despite accepting the proposition that "that the Christian religion is a part of the common law of Pennsylvania," the Court determined that the bequest did not impugn or bar the teaching of Christianity, and declined to inquire further as to "general considerations of the supposed public interests and policy of Pennsylvania upon this subject, beyond what its constitution and laws and judicial decisions make known to us," because "[t]he question, what is the public policy of a state, and what is contrary to it, if inquired into beyond these limits, will be found to be one of great vagueness and uncertainty, and to involve discussion which scarcely come within the range of judicial duty and functions." Id. at 197–98.
Vidal predated the Fourteenth Amendment, which through its guarantee of due process incorporates the First Amendment's Establishment Clause against the states, and would of course prohibit a state's common law from incorporating a particular religion. See Everson v. Bd. of Ed. , 330 U.S. 1, 13–16, 67 S.Ct. 504, 91 L.Ed. 711 (1947). Other terms of the bequest at issue in Vidal remained the subject of litigation for more than a century, including a racial restriction that was ultimately held unconstitutional. See generally, e.g., Pennsylvania v. Brown , 392 F.2d 120 (3d Cir. 1968).
In another case on which Muschany relied, Twin City Pipe Line Co. v. Harding Glass Co. , 283 U.S. 353, 51 S.Ct. 476, 75 L.Ed. 1112 (1931), the Court considered whether any public policy of Arkansas invalidated a settlement agreement among various Arkansas corporate entities, taking a cautious approach deferential to established law:
The meaning of the phrase ‘public policy’ is vague and variable; courts have not defined it, and there is no fixed rule
by which to determine what contracts are repugnant to it. The principle that contracts in contravention of public policy are not enforceable should be applied with caution and only in cases plainly within the reasons on which that doctrine rests. It is only because of the dominant public interest that one who, like respondent, has had the benefit of performance by the other party will be permitted to avoid his own promise....
In determining whether the contract here in question contravenes the public policy of Arkansas, the Constitution, laws, and judicial decisions of that state, and as well the applicable principles of the common law, are to be considered. Primarily it is for the lawmakers to determine the public policy of the state.
Id. at 356–57, 51 S.Ct. 476.
The parties here have not addressed this tension between federal and California caselaw or how best to resolve it in this case, and BrandTotal has generally tethered its public policy arguments to specific sources of law. This Court therefore does not reach questions of whether the U.S. Supreme Court's requirement that "public policy" in this context must be rooted in positive law is best viewed as a matter of due process (such that California authority to the contrary might be wrongly decided) or a prudential limit of the federal courts (such that the authority to invalidate a contract might be broader if this case were in state court), or whether the California Supreme Court's recognition of broader authority in Safeway and Sheppard, Mullin is itself the sort of state law precedent that the U.S. Supreme Court might accept as sufficiently establishing a public policy—here, a policy that courts should intervene as necessary to prevent harm to the general public good—that could be weighed against a party's interest in enforcing a contract. Even under the California courts’ approach, "questions of public policy are primarily for the legislative department to determine," Sheppard, Mullin , 6 Cal. 5th at 73, 237 Cal.Rptr.3d 424, 425 P.3d 1 (cleaned up), and "[t]he power of the courts to declare a contract void for being in contravention of sound public policy ... should be exercised only in cases free from doubt," Dunkin , 82 Cal. App. 4th at 184, 98 Cal.Rptr.2d 44 (cleaned up). Meta has at least some interest in policing the manner in which users access data on its social networks—an interest that is at least to some degree shared by its users. No background principle of public policy independent of any codified law unquestionably compels the conclusion that section 3.2.3 is unenforceable.
Having determined that a basic sense of what is in the public interest is not sufficient here to invalidate section 3.2.3, the Court proceeds to consider the particular constitutional and statutory policies BrandTotal has advanced.
i. California Consumer Privacy Laws
BrandTotal cites the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA") as espousing a principle of user control of data sufficient to invalidate section 3.2.3. Defs.’ MSJ at 15–16.
The Court has repeatedly "rejected BrandTotal's scattershot citations to the CCPA that failed to tie that law's actual requirements to the conduct at issue in this case," noting that the "fact that information about advertising interactions falls within the statute's definition of ‘personal information’ does not, in itself, say anything about whether Facebook must provide BrandTotal access to such information." 3d MTD Order at 12. BrandTotal's present motion does not go significantly further when it comes to the CCPA, citing only the same definition that the Court has previously found insufficient, as well as a comment in legislative history from one of its authors, then-Assemblymember (and now Superior Court Judge) Edwin Chau, that "Californians should have a right to choose how their personal information is collected and used." Defs.’ MSJ at 16 (emphasis omitted). That statement could mean many things, and in any event, is only the opinion of a single legislator. If the CCPA, as duly enacted, in fact established a policy requiring Facebook to allow the sort of access at issue here, the Court would expect BrandTotal to be able to cite some part of the legislation itself, as opposed to merely a sponsor's aspirational comment in support of its passage.
BrandTotal is more specific in addressing the CPRA (a law enacted by California voters through a 2020 ballot initiative that amends portions of the CCPA), citing its statements of purpose "that ‘the ability of individuals to control the use, including the sale, of their personal information’ is ‘fundamental to’ their right of privacy under the California Constitution," "that ‘[c]onsumers should be able to control the use of their personal information’ and ‘should have meaningful options over how it is collected, used, and disclosed,’ " and "that ‘[c]onsumers should benefit from businesses’ use of their personal information.’ " Defs.’ MSJ at 15–16 (quoting CPRA §§ 2(A), 3(A)(2), 3(A)(7) ) (alterations in original).
The parties’ briefs do not cite any source to access the text of the CPRA, which was enacted through a ballot initiative submitted in 2019 and accepted by California voters in 2020. The Court takes judicial notice of the text submitted by the sponsor of the initiative on November 4, 2019, available on the California Attorney General's website at https://oag.ca.gov/initiatives/search?combine=19-0021.
This argument has at least two weaknesses. First, with narrow exceptions, the CPRA does not become operative until January 1, 2023. CPRA § 31(a). While the CPRA sets forth state policies to enhance users’ control over their personal information, it also incorporates a policy of allowing businesses time to adapt their operations to the new law. Relying on the CPRA to invalidate Meta's terms of use before most of the substantive provisions of that law take effect would undermine the latter policy and potentially conflict with the stated intent of the voters. Second, the CPRA recognizes a number of policy interests besides data control and portability, including that "[b]usinesses should take reasonable precautions to protect consumers’ personal information from a security breach," CPRA § 3(B)(6), and that while "[t]he law should enable pro-consumer new products and services and promote efficiency of implementation for business," that interest is contingent on ensuring "that the amendments do not compromise or weaken consumer privacy," id. § 3(C)(5). Presumably informed at least in part by balancing those interests, the CPRA creates substantive law establishing a variety of specific rights, obligations, and procedures—most of which relate to consumers’ rights to understand and limit the manner in which businesses use their personal information, not to expanding the means by which users can interact with social media platforms. BrandTotal has not cited any substantive, codified provision of the CPRA that prevents Meta from enforcing section 3.2.3, and the Court hesitates to infer that the voters intended that effect when they did not enact any law governing the conduct at issue. See Dunkin , 82 Cal. App. 4th at 183–84, 98 Cal.Rptr.2d 44 (requiring caution before finding a contract contrary to public policy).
The potential for automated access and collection of data from a social networking platform to weaken consumer privacy is fairly obvious: many users choose to share information with only certain people, and might reasonably expect that the platform would prevent other users from automatically recording that data and selling it to data aggregators or other third parties for commercial use. While BrandTotal's programs did not, at least for the most part, collect third-party personal information directly implicating such concerns, that privacy interest nevertheless reflects a valid public policy interest acknowledged in the CPRA and weighing against invalidating contractual prohibitions on unauthorized automated data collection.
One provision of the CCPA (materially unchanged by the CPRA) that BrandTotal has not addressed requires businesses to disclose (among other information) "[t]he specific pieces of personal information it has collected about that consumer ... upon receipt of a verifiable consumer request from the consumer." Cal. Civ. Code § 1798.110(a)(5), (b). If Meta collects information about what advertisements it has shown to particular users, that provision might require Meta to disclose that information to users who request it. But it is of little use to BrandTotal here because it creates a specific process for requesting and providing the data, rather than suggesting that users have a right to collect that data themselves, notwithstanding Meta's terms of use, by any means they see fit.
At least with respect to UpVoice 2021, which has removed many of the more questionable methods of data collection employed by some of BrandTotal's earlier products, there is certainly an argument that allowing users to record and sell data regarding the advertisements that Facebook shows them would further a public policy of establishing user ownership of personal data and empowering users to share in the financial benefits that flow from that data. See, e.g. , CPRA §§ 2(A), 3(A)(7). But the application of that policy to a social media platform's ability to restrict automated access, as Meta has with section 3.2.3, is by no means straightforward. Mindful that "questions of public policy are primarily for the legislative department to determine," Sheppard, Mullin , 6 Cal. 5th at 73, 237 Cal.Rptr.3d 424, 425 P.3d 1, the Court declines to hold section 3.2.3 is unenforceable on this basis.
ii. Market Competition
Next, BrandTotal contends that section 3.2.3 is unenforceable because it subverts the policy of market competition underlying section 1 of the Sherman Act and section 16600 of the California Business and Professions Code. Defs.’ MSJ at 18.
Despite arguing throughout this case that Meta monopolizes the market for social media advertising, and by extension social media advertising analytics, BrandTotal has at no point asserted a claim under the Sherman Act. The closest it has come is attempting to state a claim under the "unfair" prong of the UCL, which requires showing a violation of either the letter or the spirit of the antitrust laws. See, e.g. , 2d MTD Order at 24–25; 3d MTD Order at 9–10. The Court ultimately dismissed that claim with prejudice because, despite repeated attempts, BrandTotal failed to provide plausible allegations of a product market, market power, or any basis for an exception to the usual rule that the antitrust laws permit market participants to refuse to deal with their competitors. See 1st MTD Order at 16–17; 2d MTD Order at 24–28; 3d MTD Order at 10–18.
Section 1 of the Sherman Act prohibits any "contract, combination in the form of trust or otherwise, or conspiracy, in restraint of trade or commerce." 15 U.S.C. § 1. The Supreme Court has long held that the Sherman Act is not as broad as its literal language might suggest, and "that Congress intended to outlaw only unreasonable restraints." Texaco v. Dagher , 547 U.S. 1, 5, 126 S.Ct. 1276, 164 L.Ed.2d 1 (2006) (quoting State Oil Co. v. Khan , 522 U.S. 3, 10, 118 S.Ct. 275, 139 L.Ed.2d 199 (1997), and adding emphasis). Courts "generally evaluate whether a practice unreasonably restrains trade in violation of Section 1 under the "rule of reason," Brantley v. NBC Universal, Inc. , 675 F.3d 1192, 1197 (9th Cir. 2012), which "requires a fact-intensive market-level analysis of the claims." Choker v. Pet Emergency Clinic, P.S. ex rel. Bd. of Directors , No. 2:20-CV-00417-SAB, 2021 WL 934037, at *4 (E.D. Wash. Mar. 11, 2021) (citing Harris v. Safeway, Inc. , 651 F.3d 1118, 1133 (9th Cir. 2011) ). One element of any rule of reason claim is defining a product market that "must encompass the product at issue as well as all economic substitutes for the product." Hicks v. PGA Tour, Inc. , 897 F.3d 1109, 1120–21 (9th Cir. 2018).
BrandTotal has offered no meaningful economic analysis of the market it asserts for social media advertising analytics, and leaves key questions unanswered. Are there competitors besides Meta and BrandTotal? What is each party's market share? Could other methods of advertising analysis serve as substitutes for the type of data collection and processing BrandTotal performs? Cf. Wilcox Report ¶¶ 31, 33, 34, 40 (BrandTotal's expert witness discussing survey-based methods of collecting advertising intelligence). What qualifies as "social media," as opposed to other forms of internet advertising that customers might seek to analyze?
The report of BrandTotal's expert witness Dr. Wilcox—which BrandTotal does not cite in its arguments regarding section 3.2.3—touches on some related issues, noting the difficulty of collecting automated data from "walled garden" websites that restrict access, Wilcox Report ¶¶ 44–49, and Meta's domination of the social media advertising market (but not any market for advertising analytics), e.g., id. ¶ 59, but does not provide the sort of market analysis that would be necessary to find Meta's conduct unreasonable for the purpose of the Sherman Act. Wilcox's ultimate conclusions, that "the information BrandTotal collects from social media channels ... is properly considered public information" and that BrandTotal's "are the same type of services that have been offered in the advertising industry for decades," id. ¶ 126, do not speak to whether section 3.2.3 of Meta's terms of use unreasonably restrains competition. As a media and marketing professor rather than an economist, Dr. Wilcox would likely not be qualified to offer opinions on a relevant market for an antitrust claim.
Instead, BrandTotal relies on mere assertions in its motion that section 3.2.3 "not only completely extinguishes all competition for analysis of Facebook advertising, but also has a malign ripple effect on competition in the advertising analytics market more broadly," Defs.’ MSJ at 20, which it contends in its reply that Meta has not contested, Defs.’ MSJ Reply at 4. But in the context of summary judgment, as the party advancing an affirmative defense of contract unenforceability, BrandTotal has the burden to support its assertions with evidence , which it has not done. BrandTotal's motion cites evidence that it competes with Facebook, and that its customers have sought BrandTotal's services to better understand their own advertising campaigns despite Facebook offering them similar analysis, Defs.’ MSJ at 19–21, but cites no evidence beyond that regarding the nature of the market at issue or whether the sort of data collection barred by section 3.2.3 is necessary to competing in that market. The Court having previously "assume[d] for the sake of argument that BrandTotal's alleged markets" for "Third Party Commercial Advertising Information" on "personal social networking services in the United States" or on Facebook and Instagram were "sufficiently plausible to survive the limited scrutiny of Rule 12(b)(6)," 3d MTD Order at 14–16—an issue the Court did not need to resolve because BrandTotal's UCL claim had other defects—does not relieve BrandTotal of the obligation to support any market definition and effects to competition that it might seek to rely on here with evidence. Nor is it the Court's role "to scour the record in search of" any evidence that might support BrandTotal's position despite not being cited in its briefs. Keenan , 91 F.3d at 1279.
Even if BrandTotal had provided evidence to support the basic elements of a rule of reason claim, it would still face a hurdle in overcoming the general rule that the antitrust laws impose no requirement to deal with a competitor. BrandTotal asserts for the first time in its reply that the "essential facilities" doctrine applies, but again cites no evidence to support its contention that automated collection of data from Facebook is an essential facility. Defs.’ MSJ Reply at 5–6.
While BrandTotal is correct that it need not show a violation of the letter of the Sherman Act to render section 3.2.3 unenforceable, but instead could prevail by showing a violation of policies underlying that law, see Sheppard, Mullin , 6 Cal. 5th at 73, 237 Cal.Rptr.3d 424, 425 P.3d 1, that analysis is similar to the BrandTotal's putative UCL claim that the Court repeatedly addressed and dismissed on the pleadings, where a plaintiff must show "conduct that threatens an incipient violation of an antitrust law, or violates the policy or spirit of one of those laws because its effects are comparable to or the same as a violation of the law, or otherwise significantly threatens or harms competition." Cel-Tech Commc'ns, Inc. v. L.A. Cellular Tel. Co. , 20 Cal. 4th 163, 187, 83 Cal.Rptr.2d 548, 973 P.2d 527 (1999). A party seeking to establish a violation of the "spirit" of the antitrust laws for the purpose of such a claim, without showing an actual violation, must identify and prove some " ‘unusual’ aspect of the alleged conduct that would make that conduct something that violates the ‘policy and spirit’ of the antitrust laws without violating the actual laws themselves," comparable to the Cel-Tech defendant's " ‘privileged status as one of two holders of a lucrative government-licensed duopoly.’ " Synopsys, Inc. v. ATopTech, Inc. , No. C 13-2965 MMC, 2015 WL 4719048, at *10 (N.D. Cal. Aug. 7, 2015) (quoting Cel-Tech , 20 Cal. 4th at 190, 83 Cal.Rptr.2d 548, 973 P.2d 527 ). The Court finds the same analysis appropriate in considering whether the policy underlying the Sherman Act is sufficient to render section 3.2.3 unenforceable without showing a violation of that law. Cf. Epic Games, Inc. v. Apple Inc. , 559 F.Supp.3d 898, 1060–62 (N.D. Cal. 2021) (declining to hold contracts unenforceable for violating policy favoring competitive markets even where the court determined that portions of the contracts violated the "unfair" prong of the UCL).
Here, as the Court has previously held on a motion to dismiss BrandTotal's UCL unfairness claim, BrandTotal's "theory of what makes Facebook's conduct unfair is relatively straightforward: Facebook is extremely large and powerful," and uses that clout to advance its own competitive interests and prevent BrandTotal from effectively competing. 2d MTD Order at 25–26. Once again, BrandTotal has not identified any unusual circumstances of this case that would threaten competition while evading antitrust enforcement under the actual terms of the antitrust laws, nor has it shown a violation of the antitrust laws. Absent such a showing, the Court declines to hold that the policies underlying those laws require invalidating Meta's terms of use.
Section 16600 is a somewhat different law from the Sherman Act. That statute provides that, subject to exceptions, "every contract by which anyone is restrained from engaging in a lawful profession, trade, or business of any kind is to that extent void." Cal. Bus. & Prof. Code § 16600. It is often invoked in cases involving non-compete agreements that purport to prevent an employee from later working for their employer's competitors, or anti-poaching agreements where two businesses agree not to hire each other's employees (or to pay a penalty if they do). See VL Sys., Inc. v. Unisen, Inc. , 152 Cal. App. 4th 708, 713, 61 Cal.Rptr.3d 818 (2007). This case does not implicate that sort of direct agreement not to compete or not to hire.
BrandTotal has not invoked the Cartwright Act, Cal. Bus. & Prof. Code §§ 16700 –70, California's closer analogue to section 1 of the Sherman Act.
Section 16600 and its "substantively identical" predecessor statute have also, albeit less commonly, been applied in cases considering agreements to secure monopolies or fix prices—the sort of context addressed by section 1 of the Sherman Act—but when invoked in that manner, it is subject to the rule of reason. See Ixchel Pharma, LLC v. Biogen, Inc. , 9 Cal. 5th 1130, 1154–56, 266 Cal.Rptr.3d 665, 470 P.3d 571 (2020). The same issues discussed above in the context of the Sherman Act therefore also apply to section 16600 : BrandTotal has not shown, through evidence, harm to competition under the rule of reason.
In hiQ Labs, Inc. v. LinkedIn Corporation , 31 F.4th 1180 (9th Cir. 2022), the Ninth Circuit recently reaffirmed its decision (which had been vacated for reconsideration in light of an intervening Supreme Court decision addressing the CFAA) affirming a preliminary injunction preventing LinkedIn from taking action to block a data analysis company and potential LinkedIn competitor, hiQ, from accessing information that LinkedIn made available to the general public. The Ninth Circuit relied in part on public policy concerns "that giving companies like LinkedIn free rein to decide, on any basis, who can collect and use data—data that the companies do not own, that they otherwise make publicly available to viewers, and that the companies themselves collect and use—risks the possible creation of information monopolies that would disserve the public interest." Id. at 1202. But in addition to the distinction that not all of the data at issue in this case is publicly accessible without a Facebook or Instagram account, hiQ involved a live claim by hiQ under "unfair" prong of the UCL, id. at 1194 n.10, an antitrust theory that BrandTotal attempted to pursue but failed to support here. The procedural context also differs: granting a preliminary injunction is a matter of discretion, see id. at 1188, and this Court is aware of no authority requiring the same degree of deference to policy that has been specifically declared by the legislature (or existing caselaw) in the public interest portion of that inquiry as is necessary in considering whether to hold a contract unenforceable. The Court therefore does not construe hiQ as suggesting that a contract can be invalidated for its purportedly anticompetitive effects without a showing of harm to competition through the established framework of competition claims, i.e., either the rule of reason or special circumstances recognized as warranting heightened scrutiny.
Taking into account the caution that is always appropriate in considering whether a contract should be declared unenforceable as contrary to public policy, the Court holds that BrandTotal has not met its burden to set aside section 3.2.3 based on harm to competition.
iii. Free Speech and Flow of Information
BrandTotal contends that section 3.2.3. impermissibly burdens interests in free speech and the flow of information, rooted in the First Amendment to the U.S. Constitution and Article I, Section 7 of the California Constitution. Defs.’ MSJ at 22–27. That section of the California Constitution relates to due process and equal protection. BrandTotal does not specifically discuss its terms, instead only citing it in passing at the start of its argument regarding free speech. Id. at 22. The Court understands that citation as intended to assert that California law incorporates the free speech protections of the federal Constitution. For reasons that are not clear, BrandTotal has not cited the California Constitution's own free speech protection at Article I, Section 2, which "is at least as broad as and in some ways broader than the comparable provisions of the federal Constitution's First Amendment." Kasky v. Nike, Inc. , 27 Cal. 4th 939, 958–59, 119 Cal.Rptr.2d 296, 45 P.3d 243 (2002) (cleaned up).
BrandTotal cites Kasky solely for its summary of the U.S. Supreme Court's Board of Pharmacy decision discussed below. See Defs.’ MSJ at 22 (quoting Kasky , 27 Cal. 4th at 951, 119 Cal.Rptr.2d 296, 45 P.3d 243 ). The issue before the California Supreme Court in Kasky was whether statements by Nike about the working conditions in its factories were commercial speech subject to diminished First Amendment protection if determined to be false or misleading, and thus properly within the scope of the state's consumer protection laws, which the court answered in the affirmative. That holding is of no use to BrandTotal here.
The Supreme Court has recognized that the First Amendment protects commercial advertising, in part due to the need for public "information as to who is producing and selling what product, for what reason, and at what price" to allow for informed participation in and regulation of the economy. Va. State Bd. of Pharmacy v. Va. Citizens Consumer Council, Inc. , 425 U.S. 748, 765, 96 S.Ct. 1817, 48 L.Ed.2d 346 (1976). The conduct at issue here, however, is a few steps removed from the state restrictions on advertising in the Board of Pharmacy case. This case does not concern direct state action, although BrandTotal is correct that judicial enforcement of a private contract restricting speech can implicate the First Amendment at least to some degree. But BrandTotal does not argue that section 3.2.3 prevents anyone from advertising their services. Nor does section 3.2.3 directly prevent anyone from sharing information about advertisements—the provision is not implicated by a Facebook user discussing the advertisements they have seen, for example, or even by advertising consultants manually browsing Facebook's public ad library to prepare reports for clients. Instead, section 3.2.3 prohibits a particular method of interacting with Meta's services: "access[ing] or collect[ing] data from [Meta's] products using automated means," one application of which is BrandTotal's automated collection of advertising data. BrandTotal cites no authority finding a contract unenforceable based on the reasoning of Board of Pharmacy in a context so far removed from that case, and instead similar to the facts here. Nor is it otherwise clear that the effect of this access restriction so burdens users’ ability to speak to what they have seen on Facebook that policies underlying the First Amendment require declaring it unenforceable.
See, e.g., Nat'l Abortion Fed'n v. Ctr. for Med. Progress , No. 15-cv-03522-WHO, 2016 WL 454082, at *18–21 (N.D. Cal. Feb. 5, 2016) (issuing an injunction to enforce a confidentiality agreement based on the conclusion that the defendants knowingly waived their first amendment rights by entering the agreement, and that any public interest in disclosure of the information at issue was insufficient to compel a different result), aff'd , 685 F. App'x 623 (9th Cir. 2017).
The second line of cases on which BrandTotal relies for its free speech arguments stems from Lear, Inc. v. Adkins , 395 U.S. 653, 89 S.Ct. 1902, 23 L.Ed.2d 610 (1969), where the Supreme Court held that an inventor could not rely on estoppel against a licensee or the contractual force of a license agreement to recover royalties if his patent were held invalid. See Defs.’ MSJ at 22–23. Circuit courts have divided as to whether or when Lear applies outside the context of patent law. Compare Idaho Potato Comm'n v. M & M Produce Farm & Sales , 335 F.3d 130, 135–39 (2d Cir. 2003) (applying Lear to hold that a defendant who had agreed, as part of a since-lapsed license agreement, never to challenge the validity of certain certification marks registered with the USPTO was not estopped from doing so because enforcing the agreement undermined free market principles related to the purpose of certification marks), with Saturday Evening Post Co. v. Rumbleseat Press, Inc. , 816 F.2d 1191, 1200 (7th Cir. 1987) (declining to apply Lear to copyright because the "economic power conferred is much smaller" than that conferred by a patent, and noting that the Sherman Act is a more appropriate framework for any such contract with a meaningful effect on competition), and Beer Nuts, Inc. v. King Nut Co. , 477 F.2d 326, 328–29 (6th Cir. 1973) (balancing the interests addressed in Lear to hold that it does not apply in the trademark context, and that a licensee was estopped from contesting the validity of a mark). Regardless, unlike a license agreement, section 3.2.3 does not govern the publication or use of information once obtained; it prohibits some forms of access to Meta's servers. Lear and its progeny do not show that Meta's terms of use are unenforceable.
Saturday Evening Post was recognized as abrogated with respect to an unrelated holding regarding harmless error review in Glickenhaus & Co. v. Household Int'l, Inc. , 787 F.3d 408, 426 n.12 (7th Cir. 2015).
In its reply, BrandTotal abandons any effort to link this argument to precedent, dismissing Meta's "focus[ ] on distinguishing cases that BrandTotal cited for a general proposition ... that there is a judicially recognized public interest in the free flow of information online" as immaterial when that "general proposition ... is not legitimately in dispute." Defs.’ MSJ Reply at 8. BrandTotal instead reiterates the "real-world information throttling effect of Meta's enforcement," citing Meta's efforts to block research at New York University regarding advertising on Facebook, as well as the FTC's criticism of those efforts and stated position that "efforts to shield targeted advertising practices from scrutiny run counter to" protection of user privacy. Id. (citing Fussner MSJ Decl. (dkt. 268-1) Ex. R (FTC Letter)). But BrandTotal has not identified authority that would void Meta's terms of use as to the NYU researchers any more than with respect to itself, and the FTC's statement of concern is not the sort of legislatively or judicially declared public policy that courts have held sufficient to invalidate a contract. BrandTotal's general interest in free flow of information is defined too vaguely to support setting aside a contract regarding means of access without a showing that the courts or legislature have determined that interest outweighs the competing interest in enforceability of contracts under comparable circumstances. Cf. Beer Nuts , 477 F.2d at 329 (finding the public interest in avoiding depletion of marks that could be used in commerce "is not so great that it should take precedence over the rule of the law of contracts that a person should be held to his undertakings").
The Court therefore concludes that BrandTotal has not shown Meta's terms of use to be unenforceable as contrary to public policy.
b. Unconscionability
BrandTotal argues that the terms of use are unconscionable, specifically addressing: (1) the provision in section 4 extending certain restrictions (including section 3) beyond the termination of an account; and (2) a limitation of Meta's liability to no more than the greater of $100 or the amount the user has paid Meta in the previous year. Defs.’ MSJ at 32–33. Although BrandTotal focuses on those provisions as substantially unfair, it argues that the appropriate remedy is to deem section 3.2.3 unenforceable. Id. at 33.
Meta contends that BrandTotal waived its unconscionability defense by failing to include it in its October 2021 response to an interrogatory requesting "the full basis for [BrandTotal's] contention" that "it did not breach any contacts with [Meta]" or that the terms of use "were not[ ] valid contracts between [Meta] and [BrandTotal]." See Schultz MSJ Decl. Ex. 36 at 9 (Interrogatory No. 20 ). BrandTotal argues that it provided sufficient notice of its unconscionability defense by pleading it in its answer and including it in a later response to a different interrogatory, where BrandTotal stated that Meta's enforcement of its terms of use was not a legitimate business purpose for interfering with BrandTotal's contracts because, among other reasons, the terms of use "are overly broad, unconscionable, and contrary to public policy." See Burrell Opp'n Decl. (dkt. 303-1) Ex. 29 at 6 (November 2021 response to Interrogatory No. 25 ). While BrandTotal's should have included unconscionability in its response to Meta's contention interrogatory for defenses to breach of contract, or should have supplemented that response to do so, the Court assumes for the sake of argument that the subsequent interrogatory response asserting that the terms of use are unconscionable provided sufficient notice of BrandTotal's position to avoid waiver. In any event, BrandTotal has not shown that the relevant provisions of the terms of use should be set aside as unconscionable.
"In order to render a contract unenforceable under the doctrine of unconscionability, there must be both a procedural and substantive element of unconscionability." Ferguson v. Countrywide Credit Indus., Inc. , 298 F.3d 778, 783 (9th Cir. 2002) (citing Armendariz v. Found. Health Psychcare Servs., Inc. , 24 Cal. 4th 83, 6 P.3d 669, 690, 99 Cal.Rptr.2d 745 (2000) ). "[T]he former focus[es] on ‘oppression’ or ‘surprise’ due to unequal bargaining power, the latter on ‘overly harsh’ or ‘one-sided’ results." Armendariz , 24 Cal. 4th at 114, 99 Cal.Rptr.2d 745, 6 P.3d 669 (citation omitted). While both of those aspects must be present to find the contract unconscionable, "they need not be present in the same degree[:] ... the more substantively oppressive the contract term, the less evidence of procedural unconscionability is required to come to the conclusion that the term is unenforceable, and vice versa." Id. "Unconscionability is ultimately a question of law for the court." Marin Storage & Trucking, Inc. v. Benco Contracting & Eng'g, Inc. , 89 Cal. App. 4th 1042, 1055, 107 Cal.Rptr.2d 645 (2001). Neither party has suggested here that the question of whether Facebook's terms are unconscionable is inappropriate for resolution on summary judgment.
"Procedural unconscionability ‘concerns the manner in which the contract was negotiated and the circumstances of the parties at that time.’ " Ferguson , 298 F.3d at 783 (quoting Kinney v. United HealthCare Servs., Inc. , 70 Cal. App. 4th 1322, 1329, 83 Cal.Rptr.2d 348 (1999) ). That analysis "begins with an inquiry into whether the contract is one of adhesion." Armendariz , 24 Cal. 4th at 113, 99 Cal.Rptr.2d 745, 6 P.3d 669. "California courts have consistently held that where a party in a position of unequal bargaining power is presented with an offending clause without the opportunity for meaningful negotiation, oppression and, therefore, procedural unconscionability, are present." Ferguson , 298 F.3d at 784. That test is met with respect to Meta's terms of use, at least for nearly all users. There is no dispute that BrandTotal was offered Meta's terms on a take-it-or-leave-it basis, with no power to negotiate. Under California law, that is enough to meet the procedural element of unconscionability. See Baltazar v. Forever 21, Inc. , 62 Cal. 4th 1237, 1244, 200 Cal.Rptr.3d 7, 367 P.3d 6 (2016) ("Ordinary contracts of adhesion, although they are indispensable facts of modern life that are generally enforced, contain a degree of procedural unconscionability even without any notable surprises, and bear within them the clear danger of oppression and overreaching." (cleaned up)).
The Court need not consider here whether a sufficiently powerful counterparty, such as another Fortune 500 company or a government entity, might have enough bargaining power to effectively negotiate the terms under which it accessed Meta's products.
Meta's argument that "courts routinely conclude that sign-up flows like Meta's are sufficient to bind users to terms of service" misses the mark. See Pl.’s Opp'n to MSJ (dkt. 303) at 21. The cases Meta cites considered whether the users had consented to the terms, held that they had, and either did not reach questions of unconscionability or found at least some degree of procedural unconscionability. See Britt v. ContextLogic, Inc. , No. 3:20-cv-04333-WHA, 2021 WL 1338553 (N.D. Cal. Apr. 9, 2021) (finding mutuals assent and declining to reach questions of unconscionability as properly delegated to an arbitrator); Nevarez v. Forty Niners Football Co. , LLC, No. 16-cv-07013, 2017 WL 3492110, at *12 (N.D. Cal. Aug. 15, 2017) (finding "a low degree of procedural unconscionability" sufficient to consider whether the contract was highly substantively unconscionable); Loewen v. Lyft, Inc. , 129 F. Supp. 3d 945, 956 (N.D. Cal. 2015) (same); Swift v. Zynga Game Network, Inc. , 805 F. Supp. 2d 904, 915 (N.D. Cal. 2011) (noting that the plaintiff failed to address the standard for unconscionability or present any argument as to why the terms of service at issue were procedurally unconscionable). Because Meta's terms of use are a contract of adhesion, at least as applied to BrandTotal, they are sufficiently procedurally unconscionable to proceed to BrandTotal's arguments regarding substantive unconscionability.
Fagerstrom v. Amazon.com, Inc. , 141 F. Supp. 3d 1051, 1068 (S.D. Cal. 2015), aff'd sub nom. Wiseley v. Amazon.com, Inc. , 709 F. App'x 862 (9th Cir. 2017), applied Washington rather than California law, which differs in its treatment of this doctrine.
Since the test uses a sliding scale where the degree of each form unconscionability is relevant, however, there is reason to evaluate other aspects of procedural unconscionability before turning to the substantive terms of the agreement. BrandTotal notes that Meta's sign-up process includes only text in a small font informing users that "[b]y clicking Sign Up, you agree to our Terms, Data Policy and Cookies Policy," with "Terms" as a small hyperlink, but does not specifically present users with the terms or include a separate box to check to indicate that the user agrees to those terms. Defs.’ MSJ at 31 (citing Martens Opening Report ¶¶ 63–66).
Any inconspicuousness of the terms of use might be relevant to whether it is procedurally unconscionable as to individuals creating accounts for personal use. See In re Facebook Biometric Info. Priv. Litig. , 185 F. Supp. 3d 1155, 1166 (N.D. Cal. 2016) (raising concerns about Facebook's process of obtaining consent to its terms of use, but finding them enforceable). As to BrandTotal, however, it is less clear why that should matter. BrandTotal is a business built around collecting data from social networks and other websites. It would reasonably have been expected to seek out and understand those terms before agreeing to them. See Burrell Opp'n Dec. Ex. 30 (Leibovich Nov. 2021 Dep.) at 20:23–22:5 (confirming the BrandTotal's CEO knew before this lawsuit that all Facebook users must agree to the terms of service before creating an account). BrandTotal in fact sought a legal opinion regarding section 3.2.3, albeit belatedly in 2019, years after it had first created accounts. See Burrell Opp'n Decl. Ex. 4. Although as noted above Meta's terms were at least to some degree procedurally unconscionable because BrandTotal had no meaningful opportunity to negotiate them, the manner in which Meta presented them during the sign-up process adds little to the analysis with respect to a sophisticated user like BrandTotal. The Court therefore concludes that the terms of use, as applied to BrandTotal, are only procedurally unconscionable in that they represent a contract of adhesion. Accordingly, " ‘the agreement will be enforceable unless the degree of substantive unconscionability is high.’ " Loewen , 129 F. Supp. 3d at 956 (quoting Serpa v. Cal. Sur. Investigations, Inc. , 215 Cal. App. 4th 695, 704, 155 Cal.Rptr.3d 506 (2013) ).
BrandTotal has not pursued a defense based on the advice it received at that time, that advertisements on Facebook did not fall within the scope of Meta's "products" for the purpose of section 3.2.3. See Burrell Opp'n Decl. Ex. 4.
BrandTotal also argues that the sign-up page contradicts section 4 by stating that users " ‘can opt out any time’ from the ‘Terms, Data Policy and Cookies’ referenced in the prior sentence." Defs.’ MSJ at 32. In context, that language clearly applies to receiving text messages, not to the terms of use. Martens Opening Report ¶ 64 (screenshot of the sign-up page, including the text: "You may receive SMS Notifications from us and can opt out any time.").
BrandTotal's motion for summary judgment does not argue that section 3.2.3, standing alone, meets that standard. Instead, BrandTotal focuses on section 4.2's provision that section 3 (and certain subsections of section 4) remain in place following termination of the remainder of the agreement when a user deletes their account of Meta disables it, and section 4.3's limitation of Meta's liability to exclude certain forms of damages and limit monetary damages against Meta to "not exceed the greater of $100 or the amount [the user] has paid [Meta] in the past twelve months." Schultz MSJ Decl. Ex. 5, §§ 4.2–3; see Defs.’ MSJ at 32–33. In its reply, BrandTotal contends that section 3.2.3 is itself substantively unconscionable for the reasons stated in its arguments regarding public policy, Defs.’ MSJ Reply at 15–16, but for the same reasons discussed above in the Court's analysis of those arguments, BrandTotal has not shown that any public policy implication of section 3.2.3 meets the high standard of substantive unconscionability applicable where the only meaningful procedural defect is a contract of adhesion.
Turning to the related provisions BrandTotal has invoked, the Court is not persuaded that the survival of section 3.2.3 beyond the termination of an account is substantively unconscionable. That is not to say that any open-ended commitments in exchange for the temporary provision of a service would be enforceable. The provision at issue here, though, relates specifically to the manner in which a user continues to access Meta's services after their account is terminated. If a user were to walk away from Meta's products entirely, the continuing force of section 3.2.3 would have no effect on them. Notwithstanding the importance of social media platforms as "what for many are the principal sources for knowing current events, checking ads for employment, speaking and listening in the modern public square, and otherwise exploring the vast realms of human thought and knowledge," Packingham v. North Carolina , ––– U.S. ––––, 137 S. Ct. 1730, 1737, 198 L.Ed.2d 273 (2017), it is not manifestly unreasonable for a user to agree, in return for the free services that Meta provides, not to subvert the rules regarding automated access that Meta has put in place for its platforms, even after termination of an account. BrandTotal has not shown the high degree of oppression necessary to prevail on this argument in light of the relatively minor degree of procedural unconscionability at issue.
It is not entirely clear whether Meta is taking the position that even non-automated access by BrandTotal to public (i.e., non-password-protected) portions of Facebook is a violation of section 3.2.3.’s prohibition against "attempt[ing] to access data you do not have permission to access" because Meta has revoked BrandTotal's access to its products. In light of the concerns raised by the Supreme Court in Packingham and the Ninth Circuit in hiQ , enforcing the terms of use in that manner would raise greater concerns. The Court declines to resolve that issue on the briefing the parties have provided, which did not focus on it.
As for the limitation of liability, that provision is only connected to section 3.2.3 in that, by its terms, Meta could potentially recover far greater damages from BrandTotal for violating section 3.2.3 than BrandTotal could recover from Meta on any potential claim of its own. The limitation of liability is certainly "one-sided," see Armendariz , 24 Cal. 4th at 114, 99 Cal.Rptr.2d 745, 6 P.3d 669, but it is only tangentially related to section 3.2.3. California law grants "a trial court some discretion as to whether to sever or restrict [an] unconscionable provision or whether to refuse to enforce the entire agreement," but "contemplate the latter course only when an agreement is ‘permeated’ by unconscionability." Id. at 122, 6 P.3d 669, 690, 99 Cal.Rptr.2d 745 (examining Cal. Civ. Code § 1670.5(a) ). Here, if the limitation of liability is unconscionable, the appropriate course would be to decline to enforce that provision, not any other provision (like section 3.2.3) that confers rights or obligations on either party from which liability might arise. BrandTotal's motion only seeks to declare section 3.2.3 unenforceable, and has not focused on whether section 4.3 is itself enforceable. Regardless, because this order disposes of BrandTotal's remaining counterclaims against Meta, the validity of section 4.3 is not relevant to the outcome of the case.
To the extent BrandTotal is asserting that Meta's terms are unconscionable as applied to BrandTotal's "panelist" users as a defense to Meta's interference with contract claim, the particular terms that it has argued create substantively unconscionability have no relevance to the panelists in this case. The panelists are current rather than former Facebook users, so section 4's extension of certain prohibitions past termination of an account does not affect them, and they are not bringing any claims against Meta, so the limitation of damages against Meta also does not affect them. Even if those provisions were not enforceable against panelists—in fact, even if section 3.2.3 were unenforceable—that would not affect the analysis of whether BrandTotal interfered with Meta's contracts with "panelist" users by inducing those users to share their access credentials with BrandTotal, which is the only basis Meta has asserted for interference with contract. See FAC ¶¶ 112–18 (Meta's tortious interference claim). Neither party has moved for summary judgment on Meta's interference claim beyond this issue, so the Court does not address that claim beyond holding that BrandTotal is not entitled to summary judgment that Meta's terms of use are unconscionable with respect to panelists in any material way.
Because BrandTotal has not shown sufficient substantive unconscionability of section 3.2.3 to render it unenforceable in conjunction with the relatively minor procedural unconscionability of a contract of adhesion, BrandTotal's motion for summary judgment on this issue is DENIED.
2. Meta's Motion Regarding Breach of Contract
Meta seeks summary judgment in its favor on its breach of contract claim. Pl.’s MSJ at 10–16. Again, this claim has four elements: "(1) the contract, (2) plaintiff's performance or excuse for nonperformance, (3) defendant's breach, and (4) the resulting damages to plaintiff." Armstrong Petroleum Corp. v. Tri-Valley Oil & Gas Co. , 116 Cal. App. 4th 1375, 1391 n.6, 11 Cal.Rptr.3d 412 (2004).
a. The Contract
There is no dispute that BrandTotal created a number of accounts on Meta's platforms, and that all users who create accounts indicate that they agree to Meta's terms of use. See, e.g. , Schultz MSJ Decl. Ex. 35 at 3 (responses to Request Nos. 21 and 22, admitting knowledge that all Facebook and Instagram users must agree to the applicable terms of use). BrandTotal contests two aspects of the element requiring the existence of a contract: whether the terms of use were enforceable, and whether their effect terminated when Meta disabled BrandTotal's corporate accounts. As discussed above in the context of BrandTotal's motion, BrandTotal has not met its burden to show that the terms of use are unenforceable due to either public policy or unconscionability, and the Court holds as a matter of law that they are not.
As for termination, the terms of use specifically provide that section 3—including section 3.2.3's prohibition of unauthorized automated access and data collection—survives after a user deletes their account or Meta terminates an account. Schultz MSJ Decl. Ex. 5 § 4.2. As discussed above, BrandTotal has not shown that term to be unconscionable. Nor does it conflict with section 3's preface that the commitments stated therein are required in exchange for Meta providing services. See id. § 3, Defs.’ Opp'n to MSJ at 20–21. As BrandTotal has admitted, Meta did provide services. Schultz MSJ Decl. Ex. 35 at 2 (response to Request No. 19 ). That Meta requires an ongoing commitment not to take certain action in return for services that might not last as long as that commitment is a coherent structure for an agreement, and section 4.2 is sufficiently clear as to its survival clause to dispel any reasonable confusion. BrandTotal therefore remains bound by section 3, including section 3.2.3.
Even if the relevant provisions of the terms of use did not survive the termination of an account, some of the "Muppet" accounts that BrandTotal employees created for data collection and debugging remained active as of 2022. Schultz MSJ Decl. Ex. 14 (Vardi Dep.) at 142:5–146:8. BrandTotal's assertion that it "disputes ... that any of those accounts belong to BrandTotal" is not supported by evidence. See Defs.’ Opp'n to MSJ at 21. BrandTotal thus remains bound by the terms of use.
b. Meta's Performance
BrandTotal specifically admitted performance by Meta prior to September 30, 2020. Schultz MSJ Decl. Ex. 35 at 2 (response to Request No. 19 ). There is evidence that certain accounts created by BrandTotal remained active as of February of 2022, suggesting that Meta has continued to perform under the terms of use at least as to accounts not terminated. See id. Ex. 14 (Vardi Dep.) at 142:5–146:8. In its response to a contention interrogatory that included a request to describe "whether you contend ... that Facebook and/or Instagram did not perform their obligations," BrandTotal did not include any such assertion. Id. Ex. 36 at 9 (Interrogatory No. 20 ). Nor has BrandTotal argued in its briefing that any nonperformance is a defense to these claims. Meta is entitled to summary judgment as to its own performance under the terms of use.
c. Breach by BrandTotal
The parties do not dispute that at least some conduct by BrandTotal breached the terms of use as written. Meta offers evidence that BrandTotal accessed and collected data from Facebook and Instagram using automated means through its various consumer products installed by users and through back-end processes from its own servers. See, e.g. , Martens Opening Report ¶¶ 28–50 (summary of opinions).
In disputing the element of breach, BrandTotal argues only that UpVoice 2021 does not breach Meta's terms of use, because it collects data only from panelists’ computers. Defs.’ Opp'n to MSJ at 22. In an October 2021 response to an interrogatory seeking all of BrandTotal's contentions that it did not breach the terms of use or that the terms are not enforceable, BrandTotal asserted only that the terms of use are unenforceable as against public policy and that the parties’ contractual relationship ended when Meta terminated BrandTotal's accounts in October of 2020. Schultz MSJ Decl. Ex. 36 at 9–11 (response to Interrogatory No. 20 ). Moreover, in a supplemental response to a request for admission that BrandTotal "collect[s] information and data from password-protected locations on the Facebook and Instagram platforms," BrandTotal admitted that "the versions of UpVoice released after February 26, 2021, collect only the creative ID of an advertisement, the advertiser name, and the advertiser page name from password-protect locations of Facebook." Id. Ex. 21 at 2 (supplemental response to Request No. 1 ).
BrandTotal has therefore waived any argument that UpVoice 2021—or any other conduct alleged in Facebook's amended complaint—did not violate the terms of use as written. Meta is entitled to summary judgment on the issue of breach.
There is perhaps some tension between this holding and the Court's holding below that UpVoice 2021 does not access Meta's servers for the purpose of the CFAA. Any such tension results at least in part from BrandTotal's waiver of arguments with respect to breach of contract. The Court does not reach the question of whether BrandTotal could have prevailed on the question of whether UpVoice 2021 breaches section 3.2.3 had it preserved that argument.
d. Damages
Finally, BrandTotal disputes the element of damage. Defs.’ Opp'n to MSJ at 13–20. The only compensatory damages Meta has asserted are based on the cost of its investigation in response to BrandTotal's breach, but it also argues that it should be permitted to proceed based on a theory of unjust enrichment or the possibility of nominal damages.
Although damages are often recited as an element of a breach of contract claim, a recent California appellate decision reaffirmed older authority holding that nominal damages are available for breach of contract and can support entry of judgment in favor of a plaintiff who suffered "no appreciable harm":
We agree the trial court should have awarded nominal damages in light of the jury's unchallenged finding of breach. [California Civil Code] Section 3360 provides: "When a breach of duty has caused no appreciable detriment to the party affected, he may yet recover nominal damages." California courts have applied section 3360 to conclude that "[a] plaintiff is entitled to recover nominal damages for the breach of a contract, despite inability to show that actual
damage was inflicted upon him." ( Sweet v. Johnson (1959) 169 Cal.App.2d 630, 632, 337 P.2d 499 ( Sweet ).) Nominal damages may be properly awarded for the violation of a contractual right because "failure to perform a contractual duty is, in itself, a legal wrong that is fully distinct from the actual damages." ( Ibid. )
Elation Sys., Inc. v. Fenn Bridge LLC , 71 Cal. App. 5th 958, 965–66, 286 Cal.Rptr.3d 762 (2021). The court specifically rejected the reasoning of two Ninth Circuit cases on which BrandTotal relies to assert that actual damages are a necessary element of the claim, in part because they did not "consider[ ] the availability of nominal damages in the absence of actual damage." Id. at 967 ("Accordingly, we follow California law as provided in section 3360 and Sweet ... and do not find Aguilera or Ruiz persuasive on the point."); see Defs.’ Opp'n to MSJ at 14–17 (citing, e.g., Aguilera v. Pirelli Armstrong Tire Corp. , 223 F.3d 1010, 1015 (9th Cir. 2000) ; Ruiz v. Gap, Inc. , 622 F. Supp. 2d 908 (N.D. Cal. 2009), aff'd , 380 F. App'x 689 (9th Cir. 2010) ).
Ninth Circuit interpretations of state law are "only binding in the absence of any subsequent indication from the California courts that our interpretation was incorrect." and "[i]n the absence of a pronouncement by the highest court of a state, the federal courts must follow the decision of the intermediate appellate courts of the state unless there is convincing evidence that the highest court of the state would decide differently." Owen ex rel. Owen v. United States , 713 F.2d 1461, 1464 (9th Cir. 1983) (cleaned up). The Court is aware of no convincing evidence that the California Supreme Court would decide this issue differently from the Elations Systems court's conclusion that even a plaintiff who has not suffered actual damages may prevail on a claim for breach of contract.
Meta seeks summary judgment only as to liability, and not as to any particular amount of damages. See Pl.’s Prop'd Order (dkt. 272-9). Nor has BrandTotal moved for summary judgment—as opposed to arguing in its opposition to Meta's motion—that any particular portion of Meta's damages are not compensable. See generally Defs.’ MSJ. The Court therefore need not decide at this juncture whether Meta is entitled to all of the damages it has asserted, and declines to do so when no party specifically sought summary judgment as to such issues. Since at least nominal damages are available and sufficient to support the claim, Meta is entitled to judgment in its favor on its claim for breach of contract, with the amount of any actual damages to be proven at trial. Meta's motion for summary judgment on this claim is GRANTED.
C. Meta's CFAA and CDAFA Claims
Both parties seek summary judgment on at least some aspects of Meta's claims under the CFAA and the CDAFA. The CFAA "subjects to criminal liability anyone who ‘intentionally accesses a computer without authorization or exceeds authorized access,’ and thereby obtains computer information. 18 U.S.C. § 1030(a)(2). It defines the term ‘exceeds authorized access’ to mean ‘to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.’ § 1030(e)(6)." Van Buren v. United States , ––– U.S. ––––, 141 S. Ct. 1648, 1652, 210 L.Ed.2d 26 (2021). It also allows for a civil action for damages and injunctive relief by "[a]ny person who suffers damage or loss by reason of a violation of this section," provided that at least one of several conditions are met. 18 U.S.C. § 1030(g). The condition on which Meta hangs its claim here is a requirement to show a loss of at least $5,000 during a one-year period. Pl.’s MSJ at 18; see 18 U.S.C. § 1030(a)(5)(B)(i).
"[T]he CFAA was enacted ‘primarily to address the growing problem of computer hacking,’ such that the en banc Ninth Circuit has favored an interpretation of the statute that ‘maintains the CFAA's focus on hacking rather than turning it into a sweeping Internet-policing mandate.’ " Brodsky v. Apple Inc. , 445 F. Supp. 3d 110, 129 (N.D. Cal. 2020) (quoting United States v. Nosal ("Nosal I "), 676 F.3d 854, 858 (2012) (en banc)). Moreover, since the CFAA "is primarily a criminal statute," and is interpreted consistently in the criminal and civil contexts, the rule of lenity applies and "requires courts to limit [its] reach ... to the clear import of [its] text and construe any ambiguity against" enforcement. LVRC Holdings LLC v. Brekka , 581 F.3d 1127, 1134–35 (9th Cir. 2009).
California's CDAFA, also sometimes cited as the California Computer Crime Law or simply Penal Code section 502, is a state law counterpart to the CFAA. Courts have held that CDAFA claims generally "rise or fall with ... CFAA claims because the necessary elements of Section 502 do not differ materially from the necessary elements of the CFAA, except in terms of damages." Brodsky , 445 F. Supp. 3d at 129 (cleaned up). One difference between the two statutes is that the CDAFA "does not impose a minimum of $5,000 in damages." Id. The parties here appear to agree that, with the exception of the minimum damages requirement under the CFAA, these claims are coextensive for the purpose of the present motions.
1. BrandTotal's Motion Regarding the CFAA and CDAFA
BrandTotal seeks summary judgment on these claims only "with respect to UpVoice 2021 and ongoing server-side collection." Defs.’ MSJ at 33 (heading capitalization altered). It contends that UpVoice 2021 only accesses panelists’ computers, not Meta's computers. BrandTotal also assert that under its current practices of collecting data directly from Facebook servers, it only accesses publicly available websites, which are outside the scope of the statutes.
Beginning with the question of whether UpVoice 2021 "accesses" Meta's computers within the meaning of the CFAA, the Court agrees with BrandTotal that it does not. Meta's expert David Martens only identifies that program as using "reactive" data collection, logging and sending to BrandTotal data that users receive from Facebook through their normal use of the website. See Martens Opening Report § 8.3.1. Meta cites evidence from BrandTotal witnesses that UpVoice 2021 " ‘listen[s] to network data being transmitted over the wire’ from Meta's computers, [Burrell Opp'n Decl.] Ex. 35 (Sherwood Rebuttal Rep.) ¶ 90, and ‘pars[es] different elements’ from ‘Facebook's social feed,’ [id. ] Ex. 36 (Dor March 10, 2021 Dep. Tr.) at 44:14-45:11. According to Meta, those functions constitute " ‘communicat[ing] with" Meta's servers, which one decision has suggested establishes "access" for the purpose of the CFAA. Pl.’s Opp'n to MSJ at 26 (quoting United States v. Nosal , 930 F. Supp. 2d 1051, 1063 (N.D. Cal. 2013) (in turn quoting Black's Law Dictionary)) (alteration in Meta's brief). But the evidence that Meta cites only describes UpVoice accessing and processing the data that Meta has sent to the individual users—incidentally, information that Meta has never argued users are not free to share as they see fit—not proactively "accessing" or "communicating with" Meta's servers. Meta cites no case extending the CFAA to comparable conduct, and the statute is at most ambiguous as to whether it could encompass BrandTotal analyzing data on users’ computers that the users are authorized to access from Facebook. Under the rule of lenity, the Court is required to construe such ambiguity narrowly, and holds that the statute does not encompass UpVoice 2021's data collection, at least where it is installed by individuals who are not subject to any sort of direction by BrandTotal. BrandTotal's motion for summary judgment is GRANTED as to that issue.
Turning to the question of BrandTotal's access to Meta's servers using its own computers, BrandTotal agrees that Meta revoked its access in October of 2020. The parties dispute whether BrandTotal continues to access password-protected portions of Facebook, or limits its access to portions of Facebook that are available to the public without a password.
Before reaching that dispute as to what, exactly, BrandTotal is doing, the Court begins with the question of whether the CFAA governs access to non-password-protected pages on Facebook and Instagram. The Ninth Circuit considered that question in hiQ , holding both before and after remand by the Supreme Court "that the concept of ‘without authorization’ does not apply to public websites." hiQ , 31 F.4th at 1199 (applying the "gates up" or "gates down" framework that the Supreme Court set forth in Van Buren , 141 S. Ct. at 1658–59 ). The parties’ regular briefing on the present motions occurred after the Supreme Court vacated the Ninth Circuit's first hiQ decision for reconsideration in light of Van Buren and before the Ninth Circuit reaffirmed that decision on remand. Meta's argument that the CFAA applies where a specific party's access to an otherwise public website has been revoked, see Pl.’s Opp'n to MSJ at 28–29, was therefore potentially viable at the time Meta filed its briefs, but has since been foreclosed by circuit precedent.
Formally, the Ninth Circuit held only that the plaintiff in hiQ raised "serious questions" that the CFAA did not preempt its tortious interference claim, which was sufficient to affirm the district court's preliminary injunction. 31 F.4th at 1201. The panel's statement that "Van Buren ... reinforces our conclusion that the concept of ‘without authorization’ does not apply to public websites," id. at 1199, however, is a clear expression of its view of the law that this Court is not inclined to disregard, and Meta has not argued that the Court should treat it as anything but binding.
In a supplemental brief that Meta filed after the Ninth Circuit issued its new hiQ decision, Meta contends that the advertisement pages at issue are not actually public, but instead that "the general default for [those pages] is password protection" because while "Meta allows non-authenticated users to access certain ad URLs a very limited number of times, it then redirects them to a log-in page and prevents further access." Pl.’s Supp'l Br. (dkt. 327) at 3 (citing Schultz MSJ Decl. Ex. 1 (Martens Opening Report) ¶¶ 209–21; id. Ex. 20 (Sherwood Report) ¶ 142 (asserting that most advertisement pages can be accessed without a password but acknowledging that Meta "restricts even this otherwise publicly available information by imposing technical limitations such as ‘lockout mechanisms.’ "). In the Court's view, these restrictions differ in degree rather than in kind from the technological restrictions that LinkedIn employed in hiQ to attempt to block automated and otherwise suspicious access, which the Ninth Circuit apparently considered insufficient to bring LinkedIn's otherwise public pages within the scope of the CFAA. See hiQ , 31 F.4th at 1186 ("For example, LinkedIn's Quicksand system detects non-human activity indicative of scraping; its Sentinel system throttles (slows or limits) or even blocks activity from suspicious IP addresses; and its Org Block system generates a list of known ‘bad’ IP addresses serving as large-scale scrapers."). As the panel held in that case, the statute's concept of access without authorization is predicated on the general public lacking authorization to access the material at issue at all:
[T]he wording of the statute, forbidding "access[ ] ... without authorization," 18 U.S.C. § 1030(a)(2), suggests a baseline in which access is not generally available and so permission is ordinarily required. "Authorization" is an affirmative notion, indicating that access is restricted to those specially recognized or admitted.... Where the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of "authorization."
Id. at 1195–96.
Following hiQ , the Court holds that where a website is made available to the public without any authentication requirement in at least the first instance, "the concept of ‘without authorization’ does not apply," see id. at 1199, even if the owner employs technological measures to block specific users, suspicious activity, or—as here—repeated access beyond a particular threshold. To hold otherwise could bring conduct ranging far beyond the CFAA's purpose of preventing "hacking" within its scope of potential criminal liability, such as a user accessing a newspaper's website from a smartphone after receiving notice on their computer that they had reached their monthly limit of free articles. The precedential decision in hiQ and the rule of lenity foreclose such an interpretation of the statute. Accordingly, BrandTotal is entitled to summary adjudication that such access does not violate the CFAA (or the nearly-coextensive CDAFA), and its motion is GRANTED as to that issue.
The record suggests BrandTotal's Calix product uses the same relevant process as UpVoice 2021 to gather data, but BrandTotal has not sought summary judgment with respect to that product, and the Court declines to address the issue sua sponte.
Whether BrandTotal's current practices are limited to accessing those public pages is a different question. For one thing, there is no dispute that BrandTotal currently uses its "Restricted Panel Extension" program to gather from particular restricted advertisement URLs that BrandTotal directs contractors to navigate to with the extension installed. Burrell Opp'n Decl. Ex. 39 (Regev Feb. 2022 Dep.) at 134:3–14. BrandTotal has not sought summary adjudication that such conduct, which uses a different program than UpVoice 2021, does not violate the CFAA, although as discussed separately below, the Court holds that Meta is not entitled to summary judgment on that issue.
Meta asserts that BrandTotal has also engaged directly with password-protected pages since Meta revoked its access in October of 2020. BrandTotal concedes that it only "modified its server-side collection software in ‘late October, beginning of November 2021 ,’ " i.e., more than a year after Meta revoked its access, "to stop using access credentials of purchased users to collect information on restricted pages." Defs.’ MSJ Reply at 18 (citing Taylor Reply Decl. (dkt. 311-1) Ex. KK (Regev Feb. 2022 Dep.) at 143:14–18) (emphasis added). Meta's expert witness identified "tens of thousands" of instances starting in October of 2021 where BrandTotal's Rapid7 logs reflected that BrandTotal used account names or access credentials from Facebook and Instagram accounts that BrandTotal created or purchased in its code, Martens Sanctions Decl. (dkt. 246-1) ¶¶ 33–35, and specific instances where access tokens from Facebook accounts were "used by BrandTotal's Direct Collection software" in November and December of 2021, Martens Opening Report ¶¶ 363–69. BrandTotal's Vice President Regev testified that BrandTotal still at least sometimes uses access codes when testing or debugging software like the Restricted Panel Extension, Burrell Opp'n Decl. Ex. 39 (Regev Feb. 2022 Dep.) at 157:12–159:19, and that some access tokens that appear in the Rapid7 logs are related to leftover code in BrandTotal's software that still calls up that information despite not using it for "instantiating a scraping service," id. at 159:20–160:16. It is not entirely clear from Regev's testimony whether any of that debugging software or leftover code actually connects to password-protected pages on Facebook. Such a connection, even if not used to collect data, could violate the CFAA.
Given that the record is less than clear as to how BrandTotal currently uses access tokens, the Court declines to resolve the question of whether BrandTotal's "ongoing server-side data collection" violates the CFAA, see Defs.’ MSJ at 34–35, which may turn more on semantic questions of what that term encompasses than on whether any of BrandTotal's ongoing operations (such as testing software) violate the statute, and even by its terms would seem to raise disputed issues of fact as to whether a jury should credit Martens's opinion (which BrandTotal has not moved to exclude) "that BrandTotal was using Access Tokens associated with specific individuals as part of its Direct Collection activities," Martens Opening Report ¶ 369. BrandTotal's motion for summary judgment as to that issue is therefore DENIED, except for the more limited holding above that access to non-password-protected pages does not implicate the CFAA or the CDAFA.
2. Meta's Motion Regarding the CFAA and CDAFA
Meta seeks judgment in its favor on its CFAA and CDAFA claims. Pl.’s MSJ at 16–22. To the extent it seeks judgment that BrandTotal's collection of data from panelists using UpVoice 2021, or its direct access to non-password-protected portions of Meta's platforms violates those statutes, id. at 20–21, 118 S.Ct. 275, its motion is DENIED for the reasons discussed above.
BrandTotal does not dispute that Meta revoked its authorization to access Meta's platforms as of October 1, 2020. See Burrell Opp'n Decl. Ex. 28 at 12–14 (response to Interrogatory No. 21 ). Meta does not argue that BrandTotal lacked authorization before that date. The relevant period for this claim is therefore from October 1, 2020 to the present, and Meta is entitled to summary adjudication that any direct access by BrandTotal to password-protected Meta servers during that period was not authorized.
a. Losses of at Least $5,000
BrandTotal contends that Meta is not entitled to summary judgment that it has incurred the required loss of at least $5,000 in a one-year period as a result of BrandTotal's purportedly unauthorized access. Defs.’ Opp'n to MSJ at 22 (citing 18 U.S.C. § 1030(c)(4)(A)(i)(1) ). Meta relies entirely on its own internal investigation costs to establish those damages, asserting that it "incurred $98,784 in losses identifying, analyzing, and responding to BrandTotal's conduct" after October 1, 2020. Pl.’s MSJ at 18 (citing Prowse Report (dkt. 272-5) ¶ 38).
Meta also argues that BrandTotal waived any defense based on lack of damages by failing to raise it in response to a contention interrogatory. Pl.’s MSJ Reply (dkt. 314) at 11. The interrogatory at issue reads as follows:
INTERROGATORY NO. 21 : Separately for each of Your Products, to the extent you contend that You did not violate the CFAA or CDAFA, describe in detail the full basis for Your contention
(including by identifying all facts, Documents and witnesses that relate to Your contention). Your response should include the full basis for Your contention, if any, that You did not "knowingly," "with intent to defraud," or "intentionally" "access" a protected Facebook or Instagram computer "without authorization or exceeding authorization" or did not "obtain information" from a protected Facebook or Instagram computer as those terms are used for purposes of establishing liability under the CFAA, or did not "knowingly" "access" and "without permission" "alter, damage, delete, destroy, or otherwise use" or "take, copy, or make use of" any "data, computer, computer system, or computer network" or "computer services" as those terms are used for purposes of establishing liability under the CDAFA.
Burrell Opp'n Decl. Ex. 28 at 12. Meta did not ask for any potential defense; it asked for the basis for BrandTotal's contention that it did not violate the statute. BrandTotal's defense that Meta did not incur at least $5,000 in losses is not contingent on BrandTotal having complied with the statute. In other words, even if BrandTotal violated the CFAA, Meta could not bring a civil claim against it unless it had sufficient losses (or satisfied one of the other potential criteria of 18 U.S.C. § 1030(c)(4)(A)(i), which it has not asserted). BrandTotal was not required to answer a question Meta did not ask in this interrogatory, and thus did not waive this defense by failing to disclose it in that response.
Turning to the merits of this element of the claim, the parties dispute whether investigative costs are cognizable. The statute defines "loss" as:
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]
As BrandTotal notes, some district courts have held that this definition "makes clear Congress's intent to restrict civil actions under subsection (I) to the traditional computer ‘hacker’ scenario—where the hacker deletes information, infects computers, or crashes networks." AtPac, Inc. v. Aptitude Solutions, Inc. , 730 F.Supp.2d 1174, 1185 (E.D. Cal. 2010) ; see also Welenco, Inc. v. Corbell , 126 F. Supp. 3d 1154, 1169 (E.D. Cal. 2015) (quoting and following AtPac ); In re iPhone Application Litig. , 844 F. Supp. 2d 1040, 1067 (N.D. Cal. 2012) (same). The Supreme Court recently construed the "loss" provision somewhat similarly, noting that it "relates to costs caused by harm to computer data, programs, systems, or information services" and "focus[es] on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data," and that such an understanding of the civil provisions of the CFAA informed the Court's analysis of the criminal case before it. Van Buren , 141 S. Ct. at 1659–60. The Ninth Circuit took that analysis one step further, interpreting Van Buren as having "concluded that this civil remedies provision requires a showing of" such technological harm. hiQ , 31 F.4th at 1195 n.12.
That line of cases could be construed as abrogating a slew of previous district court decisions holding that investigative costs are recoverable under the CFAA and count towards the requisite loss, potentially including attorneys’ fees to the extent they are incurred for investigative purposes or similarly in "responding" to a violation. See, e.g., Distinct Media Ltd. v. Shutov , No. 15-cv-03312-NC, 2017 WL 1234400, at *6 (N.D. Cal. Mar. 10, 2017) (awarding on default judgment "attorneys’ fees associated with its investigative efforts, including court-approved discovery to identify" the defendant); United States v. Nosal , No. CR-08-0237 EMC, 2014 WL 121519, at *4–5 (N.D. Cal. Jan. 13, 2014) (noting that "judges in this district have routinely held that such investigation costs are included within the definition of § 1030(e)(11)," while acknowledging decision from other districts construing the statute more narrowly); NCMIC Fin. Corp. v. Artino , 638 F. Supp. 2d 1042, 1065–66 (S.D. Iowa 2009) ("Although attorneys’ fees in prosecuting a CFAA action do not count toward the $5000 statutory threshold, attorneys’ fees incurred responding to the actual CFAA violation to place the plaintiff in their ex ante position are permissible as costs incurred as part of the response to a CFAA violation, including the investigation of an offense." (cleaned up)). Interpreting Van Buren and hiQ in that manner would also call into question the Ninth Circuit's earlier decision in Facebook v. Power Ventures, Inc. , where the court held "that Facebook suffered a loss within the meaning of the CFAA" because it was "undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, analyzing, investigating, and responding to Power's actions." 844 F.3d 1058, 1066 (9th Cir. 2016).
The Court declines to construe Van Buren and hiQ as foreclosing a loss based on Facebook's investigative costs. Van Buren drew a contrast between loss related to a technological breach and harm caused by later misuse of wrongfully obtained data, which is further removed from the sort of access violation at issue here. 141 S. Ct. at 1659–60. There is no indication that the Van Buren Court would place investigative costs as falling outside the scope of "the cost of responding to an offense" that the statute specifically incorporates. 18 U.S.C. § 1030(e)(11). In hiQ , the Ninth Circuit addressed this issue in a footnote and gave Van Buren a broad reading of "requir[ing] a showing of ‘technological harms—such as the corruption of files,’ " but does not appear to have relied on that principle in concluding that the plaintiff showed serious issues that LinkedIn would not be able to use the CFAA as a defense to tortious interference. See hiQ , 31 F.4th at 1195 n.12 (emphasis added). The opinion in hiQ did not address Power Ventures ’ holding that investigative costs were sufficient to meet the loss threshold, and the Court declines to construe its dicta regarding the nature of "loss" as overruling that earlier precedent.
That said, Meta faces a hurdle in showing sufficient loss in that, as discussed above with respect to UpVoice 2021 and BrandTotal's access to non-password-protected websites, much of the conduct Meta was investigating did not actually violate the CFAA. It is not clear from Dr. Prowse's report what costs Meta incurred in response to true violations, and Meta has not argued or offered authority for the proposition that it can count costs to investigate potential violations that do not turn out to be violations towards the $5,000 threshold. Meta's motion for summary judgment on its CFAA claim is therefore DENIED.
BrandTotal did not move for summary judgment on the issue of the $5,000 loss threshold. Even it had, it likely would not be entitled to it, because a jury might reasonably infer that at least $5,000 of the nearly $100,000 that Dr. Prowse identified in post–October 2020 investigation costs was attributable to unauthorized access by BrandTotal. The Court also does not reach BrandTotal's argument—which it similarly raised only in opposition to Meta's motion, not in its own motion—that Meta's losses were unrecoverable litigation expenses, but notes that despite Meta's attorneys’ involvement in supervising the investigation both before and after Meta filed its complaint, Dr. Prowse's description of the investigative work on which he based his cost analysis tends to suggest that at least some of that work for the sort of response to BrandTotal's access to understand the nature of the violation that courts have held fall within the statutory definition of "loss."
While BrandTotal moves to exclude Dr. Prowse's opinions regarding BrandTotal's purported unjust enrichment, it did not move to exclude his opinions regarding Meta's losses.
Because the CDAFA does not include the $5,000 loss threshold see Brodsky , 445 F. Supp. 3d at 129, and because identifying issues that are not genuinely in dispute with respect to the CFAA claim could streamline the issues to be addressed at trial, the Court proceeds to the remaining elements of Meta's CFAA and CDAFA claims.
b. Unauthorized Access to Meta's Computers
Aside from the forms of access already addressed above in the context of BrandTotal's motion, Meta asserts that BrandTotal continued to access password-protected Meta websites in a number of ways after Meta revoked access: (1) through previously-installed copies of its various consumer products, including the legacy version of UpVoice and versions of the ASV and Story Savebox programs that collected access tokens, which continued requesting data from Facebook and Instagram and sending data that data to BrandTotal after Google removed those products from its online store, as well as the Phoenix and Social One applications for Android smartphones, which Google never removed from its store and which continued to collect data from Meta's platforms in a similar manner to the pre-litigation version of UpVoice until February 2021; (2) through the "Muppet" accounts that BrandTotal created or purchased to access restricted pages; and (3) through the Restricted Panel Extension, which a BrandTotal contractor uses to collect data from password-protected advertisement pages at BrandTotal's direction. See Defs.’ MSJ at 17–18; Defs.’ MSJ Reply at 14–15.
i. Legacy Products and Surviving Android Applications
BrandTotal does not respond to Meta's arguments regarding legacy applications that remained installed after October of 2020, and Meta does not return to that issue in its reply. Meta's expert witness Martens states in his report that many of BrandTotal's legacy applications—both those like the old version of UpVoice that were removed from Google's store but remained installed on some users’ computers, and the two applications (Phoenix and Social One) that remained available for download—continued actively requesting data from Facebook's servers while users were logged into Facebook until February 23, 2021, when BrandTotal altered code that those programs dynamically downloaded to execute their data collection, effectively remotely shutting down that active collection. Martens Opening Report ¶¶ 518–21, 565. BrandTotal's two Android applications that targeted Instagram, ASV and Story Savebox, continued to use active data collection of password-protected areas of Instagram even in versions released after Meta revoked BrandTotal's authorization, despite the ability of developers to force users to upgrade Android applications, which BrandTotal never employed to cease collection through those applications. Id. ¶¶ 386–403. BrandTotal has not moved to exclude those opinions and does not address them in its opposition brief, and it is not the Court's role to search the record for potentially conflicting evidence that could create a dispute of fact. Keenan , 91 F.3d at 1279. Moreover, BrandTotal's Vice President Regev testified that ASV and Story Savebox continued to collect data from Instagram through at least February of this year. Schultz MSJ Decl. Ex. 25 (Regev Feb. 2022 Dep.) at 40:18–22.
This method of hijacking a user's logged-in session with Facebook or Instagram to manipulate Meta's servers to divulge further information is materially indistinguishable from the conduct in Power Ventures , where even after Facebook explicitly revoked its authorization, the defendant continued sending emails to users inviting them to share advertisements for Power Ventures’ services with the users’ Facebook friends. 844 F.3d at 1063, 1067. If the user clicked a link agreeing to do so, Power Ventures automatically "create[d] an event, photo, or status on the user's Facebook profile." Id. at 1063. While the Ninth Circuit concluded that Power Ventures had permission from the users to access their profiles, and that it initially reasonably believed that permission was sufficient to authorize it to access Facebook's servers, the court held that after Facebook explicitly revoked Power Ventures’ authorization and attempted to block its IP addresses, its continued use of that email campaign and manipulation of users’ accounts (even with the users’ permission) constituted unauthorized access to Facebook's servers. Id. at 1067–68. Here, as in that case, it is of no consequence whether BrandTotal had permission from its panelists to use their accounts for data collection. Once Meta revoked BrandTotal's authorization to access its platforms, BrandTotal's continued use of its various programs to actively collect data while panelists were logged into Facebook—which it had the power to stop, but did not before February of 2021 —violated the CFAA. Meta's motion is GRANTED as to summary adjudication of that issue with respect to its CFAA claim, and as to summary judgment on it CDAFA claim with respect to that conduct.
If BrandTotal lacked any way to stop these previously installed programs from accessing Meta's servers, its ongoing use of the data they collected might not violate the CFAA, which focuses on unauthorized access rather than misappropriation of information. But since BrandTotal has not contested Martens's opinions that it could have remotely deactivated all of these programs’ ongoing proactive access to Meta's platforms, its decision to allow them to keep accessing those servers amounts to a violation, and the Court need not decide whether the outcome would differ if BrandTotal had no control over the ongoing access.
ii. Direct Collection by BrandTotal
BrandTotal's direct collection of data also, in at least some instances, violated the CFAA and CDAFA. While the testimony in the record regarding the extent to which BrandTotal used "fake" user credentials to access restricted pages is muddled, BrandTotal concedes in its reply brief in support of its own motion for summary judgment that it only "modified its server-side collection software in ‘late October, beginning of November 2021’ to stop using access credentials of purchased users to collect information on restricted pages." Defs.’ MSJ Reply at 18 (citing Taylor Reply Decl. Ex. KK (Regev Feb. 2022 Dep.) at 143:14–18 (describing when BrandTotal began using the Restricted Panel Extension)); Burrell Opp'n Decl. Ex. 39 (Regev Feb. 2022 Dep.) at 109:10–22 (stating that the only way BrandTotal could access restricted pages before it began using the Restricted Panel Extension was by using "the fake users or some other technique"). Meta's expert witness Martens states that BrandTotal at times used [redacted] to gather information from restricted advertisement pages that could only be accessed by a logged-in account, although Meta does not specifically cite that portion of his report in its briefing. Martens Opening Report ¶¶ 635–37. [redacted] Id.
Meta is entitled to summary adjudication that direct access by BrandTotal to password-protected areas of Meta's platforms violated the CFAA and the CDAFA. Neither the frequency or duration of such access, nor the degree to which it continued beyond the October or November 2021 rollout of the Restricted Panel Extension, is entirely clear, however, and to the extent those questions are relevant to damages or any other aspect of these claims, they remain to be resolved at trial.
iii. Restricted Panel Extension
BrandTotal began using the Restricted Panel Extension ("RPE") in October or November of 2021. Schultz MSJ Decl. Ex. 25 (Regev Feb. 2022 Dep.) at 143:14–18. BrandTotal collects data by directing an individual it has contracted with through a third party to install the RPE and visit specific restricted pages while logged into Facebook using that individual's own account. Id. at 134:3–140:19. Meta's briefs do not identify any relevant technological difference between the RPE and UpVoice 2021, instead focusing on the fact that the RPE is an "internal tool" used by someone working at BrandTotal's direction. Pl.’s MSJ Reply (dkt. 314) at 14. There is no indication that Facebook has denied authorized access to the individual who uses the RPE, in their individual capacity. The question, then, is whether someone who lacks authorized access to a computer violates the CFAA by soliciting someone who has access to obtain particular data from the computer.
The Supreme Court addressed in Van Buren the converse situation of whether the individual accessing the computer under such an arrangement violates the CFAA, and held that they do not, because their access is authorized. There, a police officer who was authorized to access information in a law enforcement database used that database to look up the owner of a license plate at the request of an acquaintance (who happened to be a confidential informant for the FBI) in exchange for a promise of payment. 141 S. Ct. at 1653. The Court reversed the officer's criminal conviction under the CFAA because he "did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose." Id. at 1662.
Here, the question is analogous to whether the acquaintance who offered to pay the officer for that information, and was not himself authorized to access it, would have violated the CFAA if the offer had been genuine (rather than part of a sting operation). Few courts have addressed that fact pattern, but the limited authority available suggests that hiring an authorized intermediary to obtain data from a computer the principal is not authorized to access does not violate the statute. In the Ninth Circuit's en banc Nosal decision, a former employee of an executive search company, David Nosal asked his former colleagues who still worked there to extract confidential information from the company's database in order to help him start a competing a business. Nosal I , 676 F.3d at 856. Nosal was criminally charged with "with violations of [the CFAA], for aiding and abetting the [current] employees in ‘exceed[ing their] authorized access’ with intent to defraud." Id. at 856 (final alteration in original). Presaging the Supreme Court's Van Burden decision, the Ninth Circuit affirmed dismissal, holding that company rules prohibiting misuse of the information were not "restrictions on access " within the meaning of the CFAA, and the charges therefore failed because the current employees were authorized to access the database. See id. at 863–64. While the en banc court did not address whether Nosal could have been charged under the CFAA on the grounds that his own conduct directing the extraction of information violated the statute—since he, of course, was no longer authorized to access the database—rather than for aiding and abetting his former colleagues’ violation, nothing in its decision suggests that the prosecution could have taken that more straightforward approach.
On remand to the district court, the prosecution asserted additional facts regarding other individuals: an authorized user, J.F., "logged on to the computer using her credentials, then handed over the computer terminal to M.J. [an unauthorized user], who ran his own searches through the ... database and then downloaded files therefrom." United States v. Nosal ("Nosal II "), 930 F. Supp. 2d 1051, 1063 (N.D. Cal. 2013). Judge Chen held that was sufficient to allege that M.J. accessed the computer without authorization, as it was equivalent to using J.F.’s credentials to access what M.J. was not himself authorized to access. Id. He declined to reach the question of whether the statute "should be read so broadly as to encompass the situation where an unauthorized person looks over the shoulder of the authorized user to view password protected information or files," holding only that a violation occurred where the unauthorized person actually interacted with the computer. Id.
In a 2015 case from this district, the plaintiff LED manufacturing companies alleged that the defendants directed one of the plaintiffs’ employees to procure confidential information from corporate computers before he left the plaintiffs’ employment to work for the defendants. Koninklijke Philips N.V. v. Elec-Tech Int'l Co. , No. 14-cv-02737-BLF, 2015 WL 1289984, at *2 (N.D. Cal. Mar. 20, 2015). In granting a motion to dismiss, Judge Freeman noted that the plaintiffs did not provide sufficient allegations to establish an agency relationship, but held that "even a well-pled agency allegation would leave the Plaintiffs no closer to stating a claim under the CFAA," because the defendants did not themselves access the plaintiffs computer and holding them for directing the misuse of data by an authorized user would run afoul of the Ninth Circuit's conclusion in Nosal "that the CFAA was designed to target hacking, not misappropriation." Id. at *4. Judge Freeman noted that the facts alleged did not amount to an unauthorized user directly interacting with the computer as in Nosal II , but instead merely misuse of information taken from the computer by an authorized user. Id. at *5. That such misappropriation occurred at the defendants’ direction did not mean the defendants "accessed" a computer within the meaning of the statute. See also Dresser-Rand Co. v. Jones , 957 F. Supp. 2d 610, 615 (E.D. Pa. 2013) (reaching the same conclusion in a similar case).
Following the decision in Koninklijke , the Ninth Circuit confronted yet another permutation of Nosal. In that iteration of the case, the relevant facts were that after Nosal and his accomplices had left the company, the accomplices continued to access its network using the access credentials of Nosal's former executive assistant, who continued to work there at Nosal's request. United States v. Nosal ("Nosal III "), 844 F.3d 1024, 1029 (9th Cir. 2016). The Ninth Circuit affirmed Nosal's conviction for conspiracy to violate the CFAA, holding that his former employer had unambiguously revoked his and his accomplices’ access and his former assistant had no power to reinstate that access. Id. at 1029–30. Meta highlight's the court's conclusion that "once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party." Id. at 1028. But that case involved unauthorized parties using an authorized user's credentials to interact with the computer—more comparable to BrandTotal's older products that affirmatively requested data from Meta's servers after an authorized user had logged in—not merely soliciting an authorized user to collect and provide information, or even "look[ing] over the shoulder of the authorized user," cf. Nosal II , 930 F. Supp. 2d at 1063, as BrandTotal essentially does with the RPE.
An unauthorized person hiring an authorized agent to extract information from a computer system may violate any number of other laws, particularly if the information at issue is protected as trade secrets or intellectual property. But extending the CFAA to encompass such conduct risks "transform[ing] the CFAA from an anti-hacking statute into an expansive misappropriation statute." See Nosal I , 676 F.3d at 857. Meta cites no case applying the statute to similar facts, and the Court declines to extend it to do so. While this interpretation of the CFAA (and by extension, the CDAFA) might limit its usefulness for services like Meta that generally make authorized access available for the asking, that outcome would be consistent with the Ninth Circuit's view that the CFAA is focused on hacking and not applicable to public websites. Accordingly, Meta's motion for summary judgment is DENIED as to the question of whether BrandTotal's use of the RPE violates the CFAA or the CDAFA.
* * *
Meta's motions for summary judgment is GRANTED as to the question of whether active collection of data from password-protected portions of Meta's services by BrandTotal's legacy programs, and by BrandTotal directly, violated the CFAA and the CDAFA. Meta's motion is otherwise DENIED as to these claims. Meta will be entitled to judgment in its favor on the CDAFA claim based on its legacy programs and direct access to password-protected material, with relief to be determined at trial. Meta's CFAA claim remains contingent on showing at trial at least $5,000 in loss caused by BrandTotal's violations.
D. Meta's UCL Claim (Both Parties’ Motions)
Both parties seek summary judgment on Meta's claim under the UCL, which broadly prohibits unlawful, unfair, and fraudulent business acts. Korea Supply Co. v. Lockheed Martin Corp. , 29 Cal. 4th 1134, 1143, 131 Cal.Rptr.2d 29, 63 P.3d 937 (2003). "Unlawful acts are anything that can properly be called a business practice and that at the same time is forbidden by law ... be it civil, criminal, federal, state, or municipal, statutory, regulatory, or court-made, where court-made law is, for example a violation of a prior court order." Sybersound Records, Inc. v. UAV Corp. , 517 F.3d 1137, 1151 (9th Cir. 2008) (ellipsis in original) (citations and internal quotation marks omitted). "Unfair acts among competitors means ‘conduct that threatens an incipient violation of an antitrust law, or violates the spirit or policy of those laws because its effects are comparable to or the same as a violation of the law, or otherwise significantly threatens or harms competition.’ " Id. at 1152 (quoting Cel-Tech , 20 Cal. 4th at 187, 83 Cal.Rptr.2d 548, 973 P.2d 527 ). "Finally, fraudulent acts are ones where members of the public are likely to be deceived." Id. Meta's amended complaint invokes all three prongs of that statute, asserting that BrandTotal's conduct is "unfair," "fraudulent," and "unlawful." FAC ¶¶ 119–26.
1. BrandTotal's Motion: UpVoice 2021
BrandTotal has only sought summary judgment on this claim with respect to UpVoice 2021. Defs.’ MSJ at 35.
Beginning with the "unlawful" prong, as discussed above, Meta is entitled to summary judgment that BrandTotal's use of UpVoice 2021 is a breach of Meta's terms of use. But "breach of contract may form the basis for UCL claims only if ‘it also constitutes conduct that is ‘unlawful, or unfair, or fraudulent.’ " Conder v. Home Sav. of Am. , 680 F. Supp. 2d 1168, 1176 (C.D. Cal. 2010) (quoting Puentes v. Wells Fargo Home Mtg., Inc. , 160 Cal. App. 4th 638, 645, 72 Cal.Rptr.3d 903 (2008) ) (emphasis omitted). As also discussed above, the Court holds that UpVoice 2021 does not violate the CFAA or CDAFA, which are Meta's only stated grounds for asserting a violation of the "unlawful" prong of the UCL. Pl.’s Opp'n to MSJ at 33.
As stated in Meta's complaint, the two grounds for its claim under the "fraudulent" prong of the UCL are that BrandTotal "falsely represented to Facebook and Instagram's users that Facebook was a ‘participating site’ that sanctioned Defendants’ conduct," and that BrandTotal "deceived Facebook into providing them with access to its computer network by using the login credentials of other users." FAC ¶ 123. With respect to purported deception of users, BrandTotal offers undisputed evidence that it removed the statement on which Meta bases its claim from its website before launching UpVoice 2021. Leibovich TRO Decl. (dkt. 27-3) ¶ 29. Regardless, "courts have recognized that UCL fraud plaintiffs must allege their own reliance—not the reliance of third parties—to have standing," such that competitors may not bring claims based on the reliance of third party customers, much less based on a mere possibility of such reliance. See O'Connor v. Uber Techs., Inc. , 58 F. Supp. 3d 989, 1002 (N.D. Cal. 2014) (citing ZL Techs. v. Gartner, Inc. , No. CV 09-02393 JF (RS), 2009 WL 3706821, at *11 (N.D. Cal. Nov. 4, 2009) ; Morgan v. AT & T Wireless Servs., Inc. , 177 Cal. App. 4th 1235, 1255, 99 Cal.Rptr.3d 768 (2009) ); see also In re Tobacco II Cases , 46 Cal. 4th 298, 326, 93 Cal.Rptr.3d 559, 207 P.3d 20 (2009). As for the purported misrepresentation directed to Meta, there is no dispute that UpVoice 2021 does not send any sort of communication to Meta's servers, but instead merely records data that users receive from Facebook in the course of their normal usage of the site. Meta thus has not identified any representation to it by UpVoice 2021 on which it could have relied.
Finally, as discussed at length in the Court's previous orders in this case, a competitor bringing a claim under the "unfair" prong must show " ‘conduct that threatens an incipient violation of an antitrust law, or violates the policy or spirit of one of those laws because its effects are comparable to or the same as a violation of the law, or otherwise significantly threatens or harms competition.’ " E.g. , 2d MTD Order at 25 (quoting Cel-Tech , 20 Cal. 4th at 187, 83 Cal.Rptr.2d 548, 973 P.2d 527 ). Meta has made no attempt to meet that standard here and has identified no evidence from which such an effect on competition could be found.
BrandTotal's motion for summary judgment is therefore GRANTED as to a finding that its use of UpVoice 2021 does not violate the UCL. Since that is the only conduct it addressed in its motion, however, this holding does not reach any other past or present conduct by BrandTotal aside from its distribution of that product and its collection of data from users who have installed it. 2. Meta's Motion
Meta seeks partial summary judgment on its UCL claim to the extent BrandTotal violated the CFAA and the CDAFA. Pl.’s MSJ at 22–23. BrandTotal argues in response only that its conduct does not violate those statutes. Defs.’ Opp'n to MSJ at 26. Meta's motion is therefore granted in part and denied in part to the same extent as its CFAA and CDAFA claims discussed above. In other words, Meta's motion for summary judgment on its UCL claim is granted with respect to conduct that the Court has found violates the CFAA and CDAFA, and denied with respect to conduct that the Court found did not violate those statutes.
Except with respect to UpVoice 2021, neither party sought summary judgment on Meta's UCL claim to the extent it was based on the "unfair" or "fraudulent" prong. If Meta intends to pursue this claim under those theories as to any conduct by BrandTotal besides the use of UpVoice 2021, it may do so at trial.
E. BrandTotal's Counterclaims (Meta's Motion)
Meta seeks summary judgment in its favor on BrandTotal's remaining counterclaims for intentional interference with contract (with respect to existing customers, panelists, and Google), intentional interference with prospective economic advantage (with respect to the same entities), and violation of the "unlawful" prong of the UCL by virtue of the same tortious interference. Pl.’s MSJ at 22–35. Since the elements of the two tortious interference theories largely overlap, and BrandTotal's surviving UCL counterclaim is predicated entirely on tortious interference, the Court addresses these counterclaims together.
1. Legal Standard
" ‘The elements which a plaintiff must plead to state the cause of action for intentional interference with contractual relations are (1) a valid contract between plaintiff and a third party; (2) defendant's knowledge of this contract; (3) defendant's intentional acts designed to induce a breach or disruption of the contractual relationship; (4) actual breach or disruption of the contractual relationship; and (5) resulting damage.’ " hiQ , 31 F.4th at 1191 (quoting Pac. Gas & Elec. Co. v. Bear Stearns & Co. ("PG&E "), 50 Cal. 3d 1118, 1126, 270 Cal.Rptr. 1, 791 P.2d 587 (1990) ). While the typical case involves actual breach, the element of "disruption" of a contract can also be satisfied "where the plaintiff's performance has been prevented or rendered more expensive or burdensome." Id. at 1191 n.9 (citation and internal quotation marks omitted); see also PG&E , 50 Cal. 3d at 1129, 270 Cal.Rptr. 1, 791 P.2d 587 ("[W]hile the tort of inducing breach of contract requires proof of a breach, the cause of action for interference with contractual relations is distinct and requires only proof of interference."). A claim for interference with an at-will contract requires showing wrongfulness beyond mere interference, based on its resemblance to a claim for interference with prospective relations—in particular, the lack of any "legal basis in either case to expect the continuity of the relationship or to make decisions in reliance on the relationship." Ixchel , 9 Cal. 5th at 1147.
A claim for intentional interference with prospective economic relations is similar to intentional interference with contract. "A plaintiff asserting this tort must show that the defendant knowingly interfered with an ‘economic relationship between the plaintiff and some third party, [which carries] the probability of future economic benefit to the plaintiff.’ " Id. at 1141 (quoting Korea Supply , 29 Cal. 4th 1134, 1153, 131 Cal.Rptr.2d 29, 63 P.3d 937 (2003) ) (alteration in original). "Although this need not be a contractual relationship, an existing relationship is required." Roth v. Rhodes , 25 Cal. App. 4th 530, 546, 30 Cal.Rptr.2d 706 (1994) (citing Buckaloo v. Johnson , 14 Cal. 3d 815, 829, 122 Cal.Rptr. 745, 537 P.2d 865 (1975), abrogated on other grounds by Della Penna v. Toyota Motor Sales, U.S.A., Inc. , 11 Cal. 4th 376, 45 Cal.Rptr.2d 436, 902 P.2d 740 (1995) ). As with a claim based on an at-will contract, the plaintiff "must plead as an element of the claim that the defendant's conduct was ‘wrongful by some legal measure other than the fact of interference itself.’ " Ixchel , 9 Cal. 5th at 1142 (quoting Della Penna , 11 Cal. 4th at 393, 45 Cal.Rptr.2d 436, 902 P.2d 740 ). "In this regard, ‘an act is independently wrongful if it is unlawful, that is, if it is proscribed by some constitutional, statutory, regulatory, common law, or other determinable legal standard.’ " Reeves v. Hanlon , 33 Cal. 4th 1140, 1152, 17 Cal.Rptr.3d 289, 95 P.3d 513 (2004) (quoting Korea Supply , 29 Cal. 4th at 1158, 131 Cal.Rptr.2d 29, 63 P.3d 937 ).
2. Relevant Facts
The act of interference on which BrandTotal bases these claims is Meta's outreach to Google regarding concerns about BrandTotal's products, which led to the removal of UpVoice from Google's online store. See Defs.’ Opp'n to MSJ at 26–27. Specifically, after Meta had investigated BrandTotal's products over a period of years, Meta employee Jeremy Brewer wrote to Google employee Benjamin Ackerman on September 21, 2020, that Meta believed UpVoice, among other Google Chrome extensions, was "improperly scraping user PII (e.g., gender, relationship status, ad interests, etc.) without proper disclosure." Schultz MSJ Decl. Ex. 34. Another Meta employee who had been involved with the investigation of BrandTotal, Sanchit Karve, followed up that day to note that similar extensions from a company called "oinkandstuff" had been removed by Google, and again a few days later to ask if Ackerman had "had a chance to look into our request." Id. Ackerman responded on September 29, 2020: "... I will get the three that are live looked at. Just looking through their privacy policy it does look like they are collecting a bunch of information for advertising purposes, which is a no no." Id.
Karve states that he had begun investigating BrandTotal browser extensions in March of 2020 and had reached the following conclusions by the time Meta first reached out to Google:
As of September 21, 2020, I understood from our investigation that BrandTotal's claim that it anonymized user data was misleading because it used a hash function on user IDs that did not fully or securely anonymize the information collected. Even with a properly hashed user ID, for example, it is possible to correlate information from different entries bearing the same hashed user ID to discovery the identity of the user. Additionally, because Facebook user IDs have defined lengths and ranges of valid values, they can be reverse engineered relatively easily even when hashed. I also understood from our investigation that BrandTotal's method of data collection was not targeted, meaning that in order to collect one piece of information, its extensions also collected additional, related information. The collection of that additional information was not disclosed to users. And finally, I was also aware that multiple individuals in a household could be using an extension installed on a shared household computer, some of whom might have been unaware of the extension's operation and data collection.
Karve Decl. (dkt. 272-1) ¶ 7. Karve also states that Brewer's "email accurately described Meta's understanding of the operation of BrandTotal's extensions and the substance of its disclosures to users, as based upon our investigations at the time." Id. ¶ 6. According to Karve, "[i]t is routine for Meta to report applications and extensions that violate Facebook and Instagram terms to Google." Id. ¶ 9.
Google—specifically Benjamin Ackerman—had opened an investigation into oinkandstuff in March of 2020. Ackerman Decl. (dkt. 272-3) Attach. 1 at -3. Ackerman had also received a report on September 17, 2020 of certain Chrome extensions believed to be developed by BrandTotal's affiliate Unimania improperly manipulating their reviews on Google's store. Ackerman Decl. ¶¶ 8–9. On September 29, 2020, the same day he responded to Karve, Ackerman added a note to the oinkandstuff investigation stating that he "got a report from some contacts at Facebook that the following extensions [including UpVoice] are also from oinkandstuff and are collecting unnecessary data." Id. Attach. 1 at -11. Based on a "quick look through their privacy policy" he determined that it "looks like they are selling that data for advertisers." Id. According to Ackerman, Google ultimately removed UpVoice and the other extensions Meta reported based on Google's determination, after its own investigation, that they "obfuscated their code base, did not provide users with the proper express opt-in for data collection, and lacked privacy policies that were sufficiently clear regarding the data collected," as well as their functional similarity to the oinkandstuff extensions reported several months earlier that had already been removed. Ackerman Decl. ¶ 13.
Citations in this order where page numbers begin with hyphens refer to Bates numbers used within exhibits, with leading letters and zeros omitted.
3. Meta Acted with a Legitimate Business Purpose
Meta asserts that it was justified in any interference with BrandTotal's contracts. "Under California law, a legitimate business purpose can indeed justify interference with contract"—or economic relations—"but not just any such purpose suffices." See hiQ , 31 F.4th at 1192. " ‘Whether an intentional interference by a third party is justifiable depends upon a balancing of the importance, social and private, of the objective advanced by the interference against the importance of the interest interfered with, considering all circumstances including the nature of the actor's conduct and the relationship between the parties.’ " Id. at 1193 (quoting Herron v. State Farm Mut. Ins. Co. , 56 Cal. 2d 202, 206, 14 Cal.Rptr. 294, 363 P.2d 310 (1961) ). Courts must determine whether the defendant's interest outweighs societal interests in stability of contracts (the defendant's mere pursuit of economic advantage generally does not), "whether the means of interference involve no more than recognized trade practices," "whether the conduct is within the realm of fair competition," and—most importantly—"whether the business interest is pretextual or asserted in good faith." Id. (citations and internal quotation marks omitted). A defendant's enforcement of its own contract is not an absolute defense to interference—even then, the "determinative question" is whether the party acted in good faith. Richardson v. La Rancherita , 98 Cal. App. 3d 73, 81, 159 Cal.Rptr. 285 (1979) ; see also Webber v. Inland Empire Invs. , 74 Cal. App. 4th 884, 902, 88 Cal.Rptr.2d 594 (1999).
The Court previously denied Meta's motion to dismiss this counterclaim based on the legitimate purpose defense, holding that BrandTotal had "raise[d] at least a specter of bad faith sufficient to render ... plausible" its allegation that Meta's statements to Google " ‘were known by [Meta] to be false, and its actions were malicious.’ " 2d MTD Order at 14–15 (quoting 1st Am. Counterclaim ¶ 149). The Court reached that conclusion in the highly deferential context of whether the affirmative defense Meta asserted was " ‘obvious from the face of’ " BrandTotal's counterclaims. Id. (quoting Rivera v. Peri & Sons Farms, Inc. , 735 F.3d 892, 902 (9th Cir. 2013) ). While BrandTotal is also entitled to a favorable standard here as the party opposing summary judgment, it is no longer entitled to have its allegations that Meta knew its statement was false merely taken as true, and must present sufficient evidence from which a reasonable jury could find in its favor.
Contemporary documentation from Meta's investigation indicates that Meta believed BrandTotal was acting deceptively and abusing Meta's platform. A March 31, 2020 internal report on the success of one of Meta's monitoring programs highlighted BrandTotal's products including UpVoice (as well as one other entity redacted in the record), asserting that "in most cases users are unaware this data is being accessed" and concluding that BrandTotal's "spider web of services across different platforms to deceptively collect user metadata and ad targeting makes [sic] highlights the need to take more severe enforcement / legal action." Schultz MSJ Decl. Ex. 41 at -1166, -1169. The report notes that BrandTotal collects various categories of user data, and that "while user ID and device ID is hashed before sending to remote server, this is misleading" because "User ID hashing is considered ‘pseudo anonymized’ since you can still correlate information from multiple entries bearing the same hashed user ID and discovery the user identity." Id. at -1169. Another document from Meta's investigation similarly asserts that, despite UpVoice employing techniques that would seem to anonymize user IDs, "the user id is still easily recoverable." Id. Ex. 40 at -28702. The latter document includes an "Enforcement Plan," prepared at a time when the enforcement date was "TBD," that included "[c]ontact[ing] Google CWS [i.e., Chrome Web Store] team to take down following chrome extensions," including UpVoice. Id. at -28716.
Regardless of whether Meta's contemporary views of BrandTotal's purportedly deceptive collection of user data were accurate, BrandTotal's assertion here that "nothing in the contemporaneous documents obtained since the motion to dismiss hearing suggest Meta ‘believed’ BrandTotal was collecting user PII ‘without proper disclosure,’ " Defs.’ Opp'n to MSJ at 30, is not accurate, because Meta apparently believed that many users were unaware of BrandTotal's data collection, and that it was "deceptive," as early as April of 2020. Schultz MSJ Decl. Ex. 41 at -1166, -1169. Google's ultimate conclusion after its own investigation that UpVoice "did not provide users with the proper express opt-in for data collection, and lacked privacy policies that were sufficiently clear regarding the data collected" lends credence to the conclusion that Meta's stated objections were genuine. See Ackerman Decl. ¶ 13.
There is certainly also evidence that Meta was concerned about BrandTotal's "scraping" of ads on Facebook and Instagram. See, e.g. , Taylor Opp'n Decl. (dkt. 299-1) Ex. T at -14657 (April 2019 note reading: "Ads and targeted scraping is a priority for BU this half so to the extent they do that at scale, I think it merits enforcement."). There is also evidence that Meta knew some of its advertising customers were using or interested in BrandTotal's analytics services. See, e.g., id. Ex. V (September 24, 2020 request to Karve from Meta's "marketing insights team" for information about UpVoice because "several advertiser partners [were] asking our sales team for their POV on it's [sic] capabilities," to which Karve responded, "We're enforcing on them this week"); id. Ex. U (September 22, 2020 email among Facebook employees expressing interest in better understanding BrandTotal and potentially exploring a partnership).
But as discussed above in the context Meta's breach of contract claim, BrandTotal's scraping violates Meta's terms of use, and BrandTotal has not met its burden to show that those terms are unenforceable. Generally, "if a defendant's ‘conduct was lawful and undertaken to enforce its rights,’ it cannot be held liable for intentional interference with a contract even if it knew that such conduct might interrupt a third party's contract." SIC Metals, Inc. v. Hyundai Steel Co. , 442 F. Supp. 3d 1251, 1256 (C.D. Cal. 2020) (quoting Webber v. Inland Empire Invs. , 74 Cal. App. 4th 884, 905, 88 Cal.Rptr.2d 594 (1999) ), aff'd , 838 F. Appx 315 (9th Cir. 2021). BrandTotal notes that SIC Metals acknowledged an exception for fraud, see id. at 1257 (quoting Quelimane Co. v. Stewart Title Guar. Co. , 19 Cal. 4th 26, 56, 77 Cal.Rptr.2d 709, 960 P.2d 513 (1998) ). As discussed above, however, there is both declaration testimony and corroborating evidence that Meta's email to Google accurately reflected its beliefs at the time about BrandTotal engaging in deceptive data collection. Discovery has now closed, and BrandTotal identifies no evidence that Meta instead believed that BrandTotal provided proper disclosures, or that its message was otherwise knowingly or recklessly false.
At the time of the events at issue, BrandTotal was routinely violating Meta's terms of service at least by engaging in automated data collection without permission. Google determined that UpVoice also violated the terms of its store by failing to "provide users with the proper express opt-in for data collection" and "privacy policies that were sufficiently clear regarding the data collected." See Ackerman Decl. ¶ 13. "[C]onsidering all circumstances including the nature of the actor's conduct and the relationship between the parties," no reasonable jury could find on this record that Meta reporting its genuinely held concerns about UpVoice's data collection to Google in order to allow Google to enforce its rules was illegitimate, even if—as appears to be the case—the report was motivated in part by Meta's desire to enforce its own separate contract terms regarding automated access. Meta's motion for summary judgment is therefore GRANTED as to BrandTotal's counterclaims for tortious interference, as well as the remaining UCL counterclaim predicated on such interference.
The Court does not reach the parties’ other arguments regarding these counterclaims, including whether BrandTotal's contracts are enforceable, whether Meta knew of the contracts, whether Meta's interference proximately caused harm, and whether any conduct was independently wrongful as needed to support a claim for interference with prospective relations or an at-will contract.
V. ADMINISTRATIVE MOTIONS TO FILE UNDER SEAL
The parties have filed a number of administrative motions to file documents under seal, or to consider whether an opponent's confidential material should be sealed, in connection with the present substantive motions and their motions to exclude expert testimony. See dkts. 245, 249, 250, 267, 270, 271, 280, 281, 287, 292, 294, 297, 298, 300, 302, 312, 313, 315, 326. All of the motions at issue are "more than tangentially related to the merits of the case," and thus require "compelling reasons" to seal. See generally Ctr. for Auto. Safety v. Chrysler Grp., LLC , 809 F.3d 1092 (2016).
For the most part, the parties have limited their requests to sensitive information about their respective operations that could cause competitive harm if disclosed. There is one exception: BrandTotal's designation of any discussion of its past practices of purchasing or creating "fake" accounts to access Meta's platforms. See, e.g. , Defs.’ MSJ Reply at 18. BrandTotal asserts that it does not use that technique anymore, so disclosing that it once did so does not reveal meaningful information about its current operations that competitors or bad actors could exploit. Nor is the disclosure of that concept likely to affect whether competitors might emulate it (and thereby gain some advantage), since the idea of using a "fake" account to access social networking platforms is obvious and widely used. See Defs.’ Opp'n to MSJ at 5 ("The use of ‘fake’ accounts is common within the social media industry ...."). The parties’ motions to seal are DENIED as to passages that BrandTotal considered confidential only based on discussion of that past practice.
Otherwise, the parties’ administrative motions to seal are GRANTED as to all proposed redactions supported by their own or their opponent's declarations, and DENIED as to material identified for consideration of sealing solely based on an opponent's designation that the opponent did not seek to seal in a responsive declaration. BrandTotal shall file a statement no later than June 10, 2022 identifying each of its confidentiality designations (for its own filings and Meta's filings) that is subject to the Court's ruling above regarding fake accounts. If the Court finds BrandTotal's list insufficient, it will order further disclosure. The parties shall file revised public versions conforming to this order—i.e., disclosing in the public record any opponent's material not substantiated with an opponent's declaration, any material included on BrandTotal's June 10, 2022 list, and any further information the Court might order disclosed—no later than June 24, 2022.
VI. CONCLUSION
For the reasons discussed above, Meta's motion for sanctions and each party's motion for summary judgment is GRANTED in part and DENIED in part.
On the motion for sanctions, the Court finds that BrandTotal at least negligently failed to preserve relevant evidence. The Court will instruct the jury that BrandTotal failed to preserve the Rapid7 logs despite a duty to do so, and that the jury may draw an adverse inference if it finds that failure was intentional. BrandTotal is ORDERED to reimburse seventy-five percent of Meta's fees and costs for bringing its sanctions motion.
Meta's motion for summary judgment is GRANTED as to the following claims and issues: (1) Meta is entitled to judgment on its claim for breach of contract; (2) Meta is entitled to judgment on its CDAFA claim based on BrandTotal's active data collection through legacy user products beginning in October of 2020, and based on BrandTotal's direct access to password-protected pages on Meta's platforms using fake or purchased user accounts; (3) Meta is entitled to judgment on its UCL claim based on the same conduct; (3) the same conduct violated the CFAA, and would entitle Meta to judgment on that claim if it can show resulting losses of at least $5,000; and (4) Meta is entitled to judgment on all of BrandTotal's remaining counterclaims.
BrandTotal's motion for summary judgment is GRANTED as to the following issues: (1) BrandTotal's use of UpVoice 2021 does not violate the CFAA, the CDAFA or the UCL; and (2) BrandTotal's direct collection of data from non-password-protected pages on Meta's platforms does not violate the CFAA or the CDAFA, even where Meta has imposed technological barriers attempting to block repeated or suspicious access. The parties’ motions for summary judgment are otherwise DENIED.
The Court also GRANTS in large part the parties’ various administrative motions to file under seal. In an abundance of caution, the Court has provisionally filed this order under seal. Any party that believes any portion of this order cannot be publicly disclosed may bring a motion identifying compelling reasons to maintain under seal narrowly tailored redactions no later than June 3, 2022. If no such motion is filed by that date, the Court will file this order unredacted in the public record.