From Casetext: Smarter Legal Research

In re iPhone Application Litigation

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION
Sep 20, 2011
Case No.: 11-MD-02250-LHK (N.D. Cal. Sep. 20, 2011)

Summary

holding that “[p]laintiffs have not identified a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact,” where the plaintiffs merely stated general allegations about the defendants such as lost opportunity costs and value-for-value exchanges

Summary of this case from Tyler v. Michaels Stores, Inc.

Opinion

Case No.: 11-MD-02250-LHK.

September 20, 2011


ORDER GRANTING DEFENDANTS' MOTIONS TO DISMISS FOR LACK OF ARTICLE III STANDING WITH LEAVE TO AMEND


A putative nationwide class of plaintiffs bring suit against Apple, Inc., Admob, Inc., Flurry, Inc., Mobclix, Pinch Media, Inc., Trafficmarketplace.com, Inc., Mellenial Media, AdMarval, Inc., and Quattro Wireless Inc. (aside from Apple, collectively "Mobile Industry Defendants") for alleged violations of federal and state law. Plaintiffs are United States' residents who use mobile devices manufacture by Apple that operate Apple's "iOS" proprietary operating systems, or what Plaintiffs refer to as iDevices (e.g., iPhone, iPad, and iPod Touch). Plaintiffs claim that Defendants violated their privacy rights by unlawfully allowing third party applications ("apps") that run on the iDevices to collect and make use of, for commercial purposes, personal information without user consent or knowledge. Apple and the Mobile Industry Defendants have each filed motions to dismiss on various grounds, including lack of Article III standing, consent to privacy agreements, failure to join necessary and indispensible parties (i.e., the apps), and additional claim-specific reasons. The Court held a hearing on these motions on September 8, 2011. For the reasons explained below, the Court GRANTS Defendants' motions to dismiss on the ground that Plaintiffs have failed to allege sufficient facts establishing Article III standing. Plaintiffs are given leave to amend to cure the deficiencies identified below.

I. BACKGROUND

Plaintiffs in these consolidated actions ("In Re iPhone Application Litigation") allege that Defendants have committed, and are continuing to commit, privacy violations by illegally collecting, using, and distributing iPhone, iPad, and App Store users' personal information. See generally First Consolidated Class Action Complaint ("Consolidated Complaint") [dkt. #71]. The first two of these consolidated actions were filed on December 23, 2010. See Lalo v. Apple, Inc., et al., 10-cv-05878-LHK (the "Lalo Action") and Freeman v. Apple, Inc., et al., 10-cv05881-LHK (the "Freeman Action"). Other actions in this District and throughout the country have followed. These other actions, filed throughout the country, involve substantially similar allegations against Apple and other Defendants. On August 25, 2011, the Judicial Panel on Multidistrict Litigation ("MDL Panel") issued a Transfer Order, centralizing these actions in the Northern District of California before the undersigned. See August 25, 2011 Transfer Order in MDL No. 2250 [dkt. #1].

The other, currently consolidated actions are: Chiu v. Apple, Inc., 11-cv-00407-LHK (filed on January 27, 2011) and Rodimer v. Apple, Inc., et al., 11-cv-00700-LHK (filed on February 15, 2011). Three other actions have recently been related to the In Re iPhone Application Litigation: Gupta v. Apple, Inc., 11-cv-02110-LHK (filed on April 28, 2011); Velez-Colon v. Apple, Inc., 11-cv-02270-LHK (filed on May 9, 2011); and Normand v. Apple, Inc., 11-cv-02317-LHK (filed on May 10, 2011).

Unless otherwise noted, the following allegations are taken from the Consolidated Complaint and are presumed to be true for purposes of ruling upon Defendants' motions to dismiss. To date, nearly 200 million iDevices have been sold worldwide. Consol. Compl. ¶ 27. Since launching its mobile device business, Apple has sought to "completely control the user experience." Id. at ¶ 26. The iDevices enable users to download apps only via Apple's "App Store" application and website. Id. at ¶ 34. There is no dispute that signing up for the App Store is free. Apple represents to users of the App Store that it "takes precautions — including administrative, technical, and physical measures — to safeguard your personal information against theft, loss, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction." Id. at ¶ 36.

There are several hundred thousand apps available from the App Store created by third party developers. Id. at ¶ 39. Some are free of charge, while others are sold for a fee. Apple exercises tight control over the types of apps it allows into the App Store, and whether an app is allowed to be sold in the App Store is completely within Apple's discretion. Id. at ¶ 41. Even after the user downloads an approved app from the App Store, Apple maintains control by requiring that the "end-user-license-agreement," or EULA, have a clause giving Apple the third-party beneficiary right to enforce the EULA against the end-user. Id. at ¶ 43.

Plaintiffs allege that, despite Apple's public statements about protecting user privacy, Apple's privacy practices and design of the iOS system "permit apps that subject consumers to privacy exploits and security vulnerabilities." Id. at ¶ 56. For example, Apple's design of the iDevices allow apps, without consent of the users, to access, use, and track the following information: address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique device identifier (UDID). Id. at ¶ 58. Moreover, nothing in Apple's "click-through agreement" for the App Store would put a reasonable consumer on notice that the iDevice and apps allow users to be tracked and have their personal information accessed.

Plaintiffs further allege that the Mobile Industry Defendants "exploit" this access to consumer data by using code to access personal information on the iDevices without the user's permission or knowledge. Id. at ¶ 63. The Mobile Industry Defendants are thus able to learn "highly personal details." Prior to Apple's January 2010 purchase of Defendant Quattro Wireless, Apple removed several apps from the App Store over concerns regarding privacy violations in which the apps would collect and track personal data without authorization. Id. at ¶ 65. Despite criticism, Apple has taken no steps to fix the continuing privacy violations. As a result, the Mobile Industry Defendants continue to have the ability to access and track personal information of consumers. Id. at ¶ 67. Although this personal information is not necessary to the functioning of the apps, the Mobile Industry Defendants are able to use the personal information for advertising and analytics purposes. Id. at ¶ 69.

Plaintiffs consider the information found, and allegedly accessed and tracked, on the iDevices to be personal and private information. Id. at ¶ 74. Plaintiffs allege that the Mobile Industry Defendants (but not Apple) "exceeded the scope of any authorization" that could have been granted by Plaintiffs at the time of downloading and using apps. Id. at ¶ 78. Moreover, the Mobile Industry Defendants "use the merger of personal information to effectively or actually deanonymize consumers." Id. at ¶ 81. Accordingly, the Mobile Industry Defendants "misappropriated" Plaintiffs' personal information. Id. at ¶ 84.

For strategic or other purposes, Plaintiffs have not named any app developers as Defendants in the Consolidated Complaint. Plaintiffs have represented to the Court that Plaintiffs worked out tolling agreements with some of the app developers sued in the original Complaint, and may bring the app developers back into the action if necessary.

The Consolidated Complaint contains eight claims: (1) Negligence against Apple only; (2) Violation of Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030; (3) Computer Crime Law, Cal. Penal Code § 502; (4) Trespass on Chattel; (5) Consumer Legal Remedies Act ("CLRA"), Cal. Civ. Code § 1750 against Apple only; (6) Unfair Competition under Cal. Bus. Prof. Code § 17200; (7) Breach of Covenant of Good Faith and Fair Dealing; and (8) Unjust Enrichment.

II. ANALYSIS

Apple and the Mobile Industry Defendants have each filed motions to dismiss. Defendants essentially make five arguments. First, all Defendants argue that Plaintiffs lack Article III standing because Plaintiffs do not allege an injury in fact or a causal connection between Defendants (as opposed to the app developers) and Plaintiffs' purported injury. Second, Apple alleges that its privacy agreements with customers, including Plaintiffs, bar Plaintiffs' claims. Third, the Mobile Industry Defendants allege that Plaintiffs' allegations against them are insufficient under Rule 8 as vague, conclusory and undifferentiated. Fourth, all Defendants argue that joinder of the app developers is necessary for a complete resolution of this action, but is not feasible in light of the number (potentially tens of thousands) of app developers involved. Finally, Defendants argue that each of Plaintiffs' eight claims for relief is deficient for some claim-specific reason.

A. Article III Standing

Defendants first argue that Plaintiffs' allegations do not establish an actual injury or harm for the allegedly unauthorized collection or tracking of their personal information or that Apple has a duty to prevent third party app developers from collecting or using Plaintiffs' personal information. An Article III federal court must ask whether a plaintiff has suffered sufficient injury to satisfy the "case or controversy" requirement of Article III of the U.S. Constitution. To satisfy Article III, a plaintiff "must show that (1) it has suffered an `injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Friends of the Earth, Inc. v. Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167, 180-81 (2000).

A suit brought by a plaintiff without Article III standing is not a "case or controversy," and an Article III federal court therefore lacks subject matter jurisdiction over the suit. Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 101 (1998). In that event, the suit should be dismissed under Rule 12(b)(1). See Steel Co., 523 U.S. at 109-110. The injury required by Article III may exist by virtue of "statutes creating legal rights, the invasion of which creates standing." See Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (quoting Warth v. Seldin, 422 U.S. 490, 500 (1975)). In such cases, the "standing question . . . is whether the constitutional or statutory provision on which the claim rests properly can be understood as granting persons in the plaintiff's position a right to judicial relief." Id. (quoting Warth, 422 U.S. at 500)).

1. Injury in Fact

At least one named plaintiff must have suffered injury an injury in fact. See Lierboe v. State Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022 (9th Cir. 2003) ("[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class."). Apple and the Mobile Industry Defendants argue that Named Plaintiffs have failed to allege concrete, particularized injuries in fact to themselves, as opposed to "consumers" in general, and that the tracking or disclosure of personal information does not establish an "economic loss" sufficient to find an injury in fact. Plaintiffs respond that the Consolidated Complaint alleges at least three types of injury in fact: (1) misappropriation or misuse of personal information; (2) diminution in value of the personal information, which is an "asset of economic value" due to its scarcity; and (3) "lost opportunity costs" in having installed the apps, and diminution in value of the iDevices because they are "less secure" and "less valuable" in light of the privacy concerns.

The Court does not take lightly Plaintiffs' allegations of privacy violations. However, for purposes of the standing analysis under Article III, Plaintiffs' current allegations are clearly insufficient. First, Defendants are correct. Despite a lengthy Consolidated Complaint, Plaintiffs do not allege injury in fact to themselves. This failure alone is sufficient reason to dismiss the Consolidated Complaint. See Birdsong v. Apple, Inc., 590 F.3d 955, 960-61 (9th Cir. 2009) ("The plaintiffs have not shown the requisite injury to themselves and therefore lack standing" under Article III.) In Birdsong, the Ninth Circuit considered allegations that use of an Apple iPod, which has the capability to produce sound as loud as 120 decibels, created a risk of hearing loss. However, the Ninth Circuit ruled:

The plaintiffs do not claim that they suffered or imminently will suffer hearing loss from their iPod use. The plaintiffs do not even claim that they used their iPods in a way that exposed them to the alleged risk of hearing loss. At most, the plaintiffs plead a potential risk of hearing loss not to themselves, but to other unidentified iPod users who might choose to use their iPods in an unsafe manner. The risk of injury the plaintiffs allege is not concrete and particularized as to themselves.
Id.

The same reasoning applies to Plaintiffs' allegations here. In the Consolidated Complaint, Plaintiffs do not identify what iDevices they used, do not identify which Defendant (if any) accessed or tracked their personal information, do not identify which apps they downloaded that access/track their personal information, and do not identify what harm (if any) resulted from the access or tracking of their personal information. The allegations are especially slim with respect to Defendant Apple. The Consolidated Complaint only alleges that the Mobile Industry Defendants (without differentiation) tracked and accessed personal information for commercial and marketing purposes. See, e.g., Consol. Compl. at ¶¶ 77-78, 83-84 (alleging misappropriation of personal information and unauthorized access to personal information by Mobile Industry Defendants, but not Apple).

Plaintiffs' current allegations suffer from another deficiency. Plaintiffs have not identified a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact. Although not binding, a recent case from the Central District of California is instructive. See Genevive La Court v. Specific Media, Case No. SACV-10-1256-JW, 2011 U.S. Dist. LEXIS 50543 (C.D. Cal. Apr. 28, 2011). In Specific Media, plaintiffs accused an online third party ad network, Specific Media, of installing "cookies" on their computers to circumvent user privacy controls and to track internet use without user knowledge or consent. The court, however, held that plaintiffs lacked Article III standing because: (1) they had not alleged that any named plaintiff was actually harmed by defendant's alleged conduct; and (2) they had not alleged any "particularized example" of economic injury or harm to their computers, but instead offered only abstract concepts, such as "opportunity costs," "value-for-value exchanges," "consumer choice," and "diminished performance." Id. at *7-13. Other cases have held the same. See In re Doubleclick, Inc., Privacy Litig., 154 F. Supp. 2d 497, 525 (S.D.N.Y. 2001) ("cookies" case, holding that unauthorized collection of personal information by a third-party is not "economic loss"); see also In re JetBlue Airways Corp., Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (airline's disclosure of passenger data to third party in violation of airline's privacy policy had no compensable value). The same is true here: Plaintiffs have not yet articulated a "coherent and factually supported theory" of injury. Plaintiffs have stated general allegations about the Mobile Industry Defendants, the market for apps, and similar abstract concepts (e.g., lost opportunity costs, value-for-value exchanges), but Plaintiffs have not identified an actual injury to themselves sufficient for Article III standing.

Plaintiffs cite two cases that are supposedly to the contrary. However, both cases are distinguishable. In Doe 1 v. AOL LLC, the court was "persuaded that Plaintiffs' allegations are sufficient to demonstrate standing for purposes of seeking injunctive relief. The Complaint alleges that AOL engages in a practice and policy of storing search queries containing confidential information, and that it has taken no steps to ensure that such information is not disclosed again in the future." See Doe 1 v. AOL LLC, 719 F. Supp. 2d 1102, 1109 (N.D. Cal. 2010) (finding Article III standing requirements for the purposes of injunctive relief are met when Plaintiffs' alleged that AOL continued to publicly disclose Plaintiffs' highly sensitive personal information). The information publicly disclosed included credit card numbers, social security numbers, financial account numbers, and information regarding AOL members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, and domestic violence. Id. at 1111. Plaintiffs' current allegations here come nowhere close to the specific allegations of public disclosure on the Internet of highly sensitive personal information in AOL. Nor do Plaintiffs identify any active role on the part of Defendants in disclosing to the public such highly sensitive personal information.

Plaintiffs also cite In re Facebook Privacy Litig., Case No. 10-02839-JW, 2011 U.S. Dist. LEXIS 60604 (N.D. Cal. May 12, 2011), as a case supporting their argument for standing. Not so. In the Facebook Privacy Litigation, the court held that plaintiffs had standing under the Wiretap Act. See id. at *13-14 ("the Court finds that Plaintiffs allege a violation of their statutory rights under the Wiretap Act, 18 U.S.C. §§ 2510, et seq. The Wiretap Act provides that any person whose electronic communication is `intercepted, disclosed, or intentionally used' in violation of the Act may in a civil action recover from the entity which engaged in that violation. 18 U.S.C. § 2520(a). Thus, the Court finds that Plaintiffs have alleged facts sufficient to establish that they have suffered the injury required for standing under Article III."). In the instant action, however, Plaintiffs have not made a claim under the Wiretap Act. Moreover, statutory standing under the Wiretap Act does not require a separate showing of injury, but merely provides that any person whose electronic communication is "intercepted, disclosed, or intentionally used" in violation of the Act may in a civil action recover from the entity which engaged in that violation. See 18 U.S.C. § 2520(a). Plaintiffs, in the instant case, do not allege a violation of an analogous statute which does not require a showing of injury.

In sum, as in Specific Media, "[i]t is not obvious that Plaintiffs cannot articulate some actual or imminent injury in fact. It is just that at this point they haven't offered a coherent and factually supported theory of what that injury might be." See Specific Media, 2011 U.S. Dist. LEXIS 50543 at *15.

2. Causation: Fairly Traceable to Defendants' Actions

Plaintiffs have also failed to allege any injury fairly traceable to Apple or to the Mobile Industry Defendants. In fact, Plaintiffs fail to differentiate among the eight Mobile Industry Defendants making it impossible to decipher, based on the current allegations, any causal chain. First, as noted above, there is no allegation that Apple misappropriated data, so there is no nexus between the alleged harm and Apple's conduct. Plaintiffs' only allegation is that Apple "designed" a platform in which Mobile Industry Defendants and absent app developers could possibly engage in harmful acts (Consol. Comp., ¶¶ 58, 61, 67), or that Apple's platform caused "users' iDevices to be able to maintain, synchronize, and retain detailed, unencrypted location history files." Id. at ¶¶ 125, 140. These "conjectural" or speculative allegations about the risk of harm do not suffice for purposes of Article III Standing. See Birdsong, 590 F.3d at 961 (rejecting argument for standing because "the conjectural and hypothetical nature of the alleged injury as the plaintiffs merely assert that some iPods have the `capability' of producing unsafe levels of sound and that consumers `may' listen to their iPods at unsafe levels combined with an `ability' to listen for long periods of time."); compare Hepting v. AT T Corp., 439 F. Supp. 2d 974 1001 (N.D. Cal. 2006) (finding that plaintiffs had standing where the allegations were that AT T actively partnered to intercept and monitor customer phone lines).

The Court, thus, grants Defendants' motion to dismiss for lack of standing with leave to amend. Plaintiffs are on notice, however, that any amended complaint must provide specific allegations with respect to the causal connection between the exact harm alleged (whatever it is) and each Defendants' conduct or role in that harm.

B. Defendants' Alternative Arguments

In light of the Plaintiffs' failure to allege facts sufficient to support Article III standing, a lengthy analysis of Defendants' other arguments is unnecessary at this time. Nonetheless, the Court notes additional deficiencies in the allegations in the event that Plaintiffs choose to file an amended complaint.

1. Privacy Agreements

The Court may consider agreements between the Plaintiffs and Apple under the incorporation by reference doctrine on a motion to dismiss. See, e.g., Rubio v. Capital One Bank, 613 F.3d 1195, 1199 (9th Cir. 2010) (reviewing disclosure agreements in a TILA action); In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008).

Apple argues that all Plaintiffs' injuries are alleged to arise from the Plaintiffs' use of thirdparty apps on their iDevices. Since Apple's "click-through" agreements with Plaintiffs govern any potential liability for third-party apps that Plaintiffs use on their iOS Devices, Apple argues that the express terms and conditions of those agreements bar claims for the alleged injuries. For example, Plaintiffs' claims against Apple for Mobile Industry Defendants' receipt and use of device information through the operation of apps are barred by "App Store Terms of Service." See Decl. of James F. McCabe ("McCabe Decl."), Exh. F, "License of Mac App Store and App Store Products", at p. 12) ("The Application Provider of each Third-Party Product is solely responsible for that Third-Party Product."). In addition, Apple argues that Plaintiffs' claims against Apple for the design of iOS are barred by the iOS Software License Agreements ("User SLAs"). See McCabe Decl., Exh. A, B, C, D, and F) (e.g., Exh. F, "Disclaimer of Warranties; Liability Limitations", at p. 11, "YOUR SUBMISSION OF SUCH INFORMATION IS AT YOUR SOLE RISK").

Plaintiffs respond that the App Store "Terms of Service" agreement amounts to an unlawful "contract of adhesion." A court may deem a contract provision unconscionable, and therefore unenforceable, only if it is both procedurally and substantively unconscionable. See Armendariz v. Foundation Health Psychcare Services, Inc., 24 Cal. 4th 83, 114 (Cal. 2000). "The procedural element of unconscionability focuses on two factors: oppression and surprise. `Oppression' arises from an inequality of bargaining power which results in no real negotiation and "an absence of meaningful choice. `Surprise' involves the extent to which the supposedly agreed-upon terms of the bargain are hidden in a prolix printed form drafted by the party seeking to enforce the disputed terms. The substantive element of unconscionability focuses on the actual terms of the agreement and evaluates whether they create `overly harsh' or `one-sided' results as to `shock the conscience.'" See Aron v. U-Haul Co. of California, 143 Cal. App. 4th 796, 808 (2006).

Here, Plaintiffs have difficulties both with respect to the procedural and substantive element of unconscionability. Procedurally, "[t]he availability of alternative sources from which to obtain the desired service defeats any claim of oppression, because the consumer has a meaningful choice." See, e.g., Freeman v. Wal-Mart Stores, Inc., 111 Cal. App. 4th 660, 670 (2003). "Moreover, when the challenged term is in a contract concerning a nonessential recreational activity, the consumer always has the option of simply forgoing the activity." Belton v. Comcast Cable Holdings, LLC, 151 Cal. App. 4th 1224, 1245 (Cal. App. 1st Dist. 2007). Plaintiffs have alternatives to the iDevices. In addition, apps such as "Angry Birds" or "Plants versus Zombies" are nonessential recreational activities.

At this point, however, the Court is not prepared to rule that Apple's privacy agreements establish an absolute bar to Plaintiffs' claims. In any amended complaint, Plaintiffs must explain why Apple should be held responsible for privacy violations despite Apple's apparent privacy agreements with customers, including Plaintiffs.

2. Rule 8 Pleading: Conclusory Allegations as to Mobile Industry Defendants

A complaint may be dismissed for failure to state a claim upon which relief can be granted for one of two reasons: (1) lack of a cognizable legal theory, or (2) insufficient facts under a cognizable legal theory. See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007); see also Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008) ("Dismissal under Rule 12(b)(6) is appropriate only where the complaint lacks a cognizable legal theory or sufficient facts to support a cognizable legal theory."). A motion to dismiss should be granted if the complaint does not proffer enough facts to state a claim for relief that is plausible on its face. See Twombly, 550 U.S. at 558-59.

The Mobile Industry Defendants persuasively argue that, by lumping all eight of them together, Plaintiffs have not stated sufficient facts to state a claim for relief that is plausible against one Defendant. Mobile Industry Defendants are correct. Plaintiffs' failure to allege what role each Defendant played in the alleged harm makes it exceedingly difficult, if not impossible, for individual Defendants to respond to Plaintiffs' allegations. In any amended complaint, Plaintiffs must identify what action each Defendant took that caused Plaintiffs' harm, without resort to generalized allegations against Defendants as a whole.

3. Necessary and Indispensable Parties

Fed.R.Civ.P. 12(b)(7) authorizes this Court to dismiss an action if a plaintiff has failed "to join a party under Rule 19." Fed.R.Civ.P. 19(a) provides, inter alia, that a person "must be joined as a party" if "in that person's absence, the court cannot accord complete relief among existing parties." If that required person cannot be joined, then "the court must determine whether, in equity and good conscience, the action should proceed among the existing parties or should be dismissed." Fed.R.Civ.P. 19(b). The Rule 19 inquiry is "fact specific," and the party seeking dismissal has the burden of persuasion. See Makah Indian Tribe v. Verity, 910 F.2d 555, 558 (9th Cir. 1990). "In determining whether a party is `necessary' under Rule 19(a), a court must consider whether `complete relief' can be accorded among the existing parties, and whether the absent party has a `legally protected interest' in the subject of the suit." See Shermoen v. U.S., 982 F.2d 1312, 1317 (9th Cir. 1992) (citation omitted). A party is also "necessary" if disposing of the action in the person's absence may "(i) as a practical matter impair or impede the person's ability to protect the interest; or (ii) leave an existing party subject to a substantial risk of incurring double, multiple, or otherwise inconsistent obligations because of the interest." Fed.R.Civ.P. 19(a)(1).

Apple contends that the app developers (some of which were formerly in this action as Defendants) are necessary and indispensable parties because they have "legally protected interests" and because "complete relief" cannot be accorded among the existing parties. Without specific allegations of harm and causation, it is not clear whether the app developers are necessary parties to this litigation. However, under Ninth Circuit authority, the app developers do not appear to be necessary parties because they have not claimed a legally protected interest even though they are aware of this action. See United States v. Bowen, 172 F.3d 682, 689 (9th Cir. 1999) (holding that joinder of absent party was unnecessary where the absent party was aware of the action but did not "claim a legally protected interest" in the action). Moreover, as Plaintiffs note, the allegations of privacy violations in the Consolidated Complaint are not related to accessing information that is "necessary to the functioning" of the apps. Instead, Plaintiffs allege that the apps and Mobile Industry Defendants are accessing personal information only for their own commercial purposes. On this record, the Court will not dismiss for failure to join necessary and indispensable parties.

4. Claim-Specific Issues

Aside from the deficiencies with respect to standing and pleading, Defendants have also pointed out deficiencies with each of Plaintiffs' eight claims.

a. Negligence (pled against Apple Only)

The elements of negligence under California law are: "(a) a legal duty to use due care; (b) a breach of such legal duty; [and] (c) the breach as the proximate or legal cause of the resulting injury." Evan F. v. Hughson United Methodist Church, 8 Cal. App. 4th 828, 834 (1992) (italics in original). Defendants rightly argue that Plaintiffs have failed to state a claim of negligence. First, Plaintiffs have not yet adequately pled or identified a legal duty on the part of Apple to protect users' personal information from third-party app developers. Tort law may not be used to supplant private contractual agreements, and the failure to perform a contractual duty is not a tort, unless that failure involves an independent legal duty. See Applied Equip. Corp. v. Litton Saudi Arabia Ltd., 7 Cal. 4th 503, 514-15 (1994). Moreover, as exhaustively analyzed above, Plaintiffs have failed to allege an "appreciable, nonspeculative, present injury" which is "an essential element of a tort cause of action." See Aas v. Super. Ct., 24 Cal. 4th 627, 646 (2000). Any amended complaint must remedy these deficiencies.

b. Breach of Covenant of Good Faith and Fair Dealing

Under California law, every contract contains an implied covenant of good faith and fair dealing. See, e.g., Kransco v. American Empire Surplus Lines Ins. Co., 23 Cal.4th 390, 400 (2000). This implied covenant requires that neither party do anything that will deprive the other of the benefits of the contract. Id. "The implied covenant protects only the parties' right to receive the benefit of their agreement." Foley v. Interactive Data Corp, 47 Cal.3d 654, 699, 254 Cal. Rptr. 211, 765 P.2d 373. n. 39 (1988). Plaintiffs cannot use the implied covenant of good faith and fair dealing to deny to another party specific contract benefits for which such party bargained. See Kinderstart.com, LLC v. Google, Inc., No. C06-2057 JF (RS), 2006 WL 3246596, at *3 (N.D. Cal July 13, 2006) (finding no violation of implied covenant where parties' website agreement disclaimed referral warranties). Although Plaintiffs refer to Apple's "click-through agreement" for the App Store and Apple's privacy agreements, Plaintiffs do not actually identify the contract upon which they are relying for their breach of covenant of good faith and fair dealing claim. In addition, Plaintiffs do not identify the "contract's purposes." Without identification of the contract's purposes, the Court cannot determine whether Plaintiffs were deprived of the benefits of the contract at issue. Accordingly, any amended complaint must remedy these deficiencies.

c. California Consumer Legal Remedies Act, Cal. Civ. Code § 1770

The California Consumer Legal Remedies Act ("CLRA") prohibits "unfair methods of competition and unfair or deceptive acts or practices." Cal. Civ. Code § 1770. An action may be brought under the CLRA pursuant to § 1780(a), which provides that "[any] consumer who suffers any damage as a result of the use or employment by any person of a method, act, or practice declared to be unlawful by Section 1770 may bring an action against such person." Cal. Civ. Code § 1780(a) (emphasis added). The statute proscribes a variety of conduct, including "[r]epresenting that goods or services have . . . characteristics, . . . benefits, or quantities which they do not have" (Cal. Civ. Code § 1770(a)(5)), or "[r]epresenting that goods or services are of a particular standard, quality, or grade, or that goods are of a particular style or model, if they are of another." Cal. Civ. Code § 1770(a)(7). The CLRA allows for restitution, injunctive relief, compensatory damage and punitive damages. Cal. Civ. Code, § 1780(a)(1)-(5), (d). A consumer that has suffered "any damage" as a result of a defendant's violation of the CLRA may present a claim for a violation of its provisions. Cal. Civ. Code § 1780(a).

As explained above, at this point, Plaintiffs have not alleged "any damage" as a result of Defendants' alleged actions. Therefore, Plaintiffs' CLRA claim necessarily fails. Moreover, Apple alleges that Plaintiffs have failed to state a claim under the CLRA because the CLRA provides civil remedies for specific conduct in the sale of "goods" or "services." Cal. Civ. Code § 1770. However, all of Plaintiffs' allegations against Apple appear to be about software, i.e., the iOS operating system on iDevices. Software is neither a "good" nor a "service" within the meaning of the CLRA. See Ferrington v. McAfee, Case No. 10-CV-01455-LHK, 2010 U.S. Dist. LEXIS 106600, at *52-58. Thus, to the extent Plaintiffs' allegations are based solely on software, Plaintiffs do not have a claim under the CLRA. Plaintiffs must remedy these deficiencies in any amended complaint.

d. Computer Fraud and Abuse Act, 28 U.S.C. § 1030

The Computer Fraud and Abuse Act ("CFAA") is a federal statute that creates liability for "knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access." 18 U.S.C. § 1030(a)(4). The CFAA specifically prohibits "knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer." Id. at § 1030(a)(5)(A)(i). A person who "intentionally accesses a computer without authorization," accesses a computer without any permission at all, while a person who "exceeds authorized access," has permission to access the computer, but accesses information on the computer that the person is not entitled to access. See LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009) (quoting and interpreting 18 U.S.C. §§ 1030(a)(2) and (4)).

In order to bring a civil action under the CFAA, a plaintiff must also demonstrate that the defendant's action caused over $5,000 in "economic damages" over a one-year period. Id. at § 1030(a)(5)(B)(I). A plaintiff may aggregate individual damages over the putative class to meet the damages threshold if the violation can be described as "one act." See In re Toys R Us, Inc. Privacy Litigation, 2001 WL 34517252, *11 (N.D. Cal. 2001). The term "damage" means "any impairment to the integrity or availability of data, a program, a system, or information." Id. at § 1030(e)(8). Thus, "economic damages" arise only when an individual or firm's money or property are impaired in value; money or property is lost; or money must be spent to restore or maintain some aspect of a business affected by the alleged violation. See Creative Computing v. Getloaded.com LLC, 386 F.3d 930, 935 (9th Cir. 2004) ("the statutory restriction, `limited to economic damages,' precludes damages for death, personal injury, mental distress, and the like.").

Plaintiffs' current allegations under their CFAA claim are insufficient for three reasons. First, Plaintiffs have failed to allege that Apple acted "knowingly, with intent to defraud." Plaintiffs merely allege that Apple has taken "no meaningful steps" to enforce its own privacy policy against third party app developers that are able to exploit Apple's design of the iOS system. Consol. Comp. ¶¶ 66, 71, 73. However, negligent software design cannot serve as a basis for a CFAA claim. See 18 U.S.C. § 1030(g) ("No cause of action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.").

Second, Plaintiffs have failed to sufficiently allege that Defendants accessed a protected computer "without authorization" or "exceeded authorized access" to Plaintiffs' iDevices. See § 1030(a)(4). Where the software that allegedly harmed the phone was voluntarily downloaded by the user, other courts in this District and elsewhere have reasoned that users would have serious difficulty pleading a CFAA violation. See In re Apple ATTM Antitrust Litig., 2010 U.S. Dist. LEXIS 98270, at *26 (N.D. Cal. July 8, 2010) ("Voluntary installation runs counter to the notion that the alleged act was a trespass and to CFAA's requirement that the alleged act was `without authorization' as well as the CPC's requirement that the act was `without permission.'"); see also Specific Media, 2011 U.S. Dist. LEXIS 50543, at *18 (on factual allegations similar to those here, noting that "it is unclear whether Specific Media can be said to have `intentionally caus[ed] damage' to Plaintiffs' computers.").

Third, Plaintiffs have failed to sufficiently allege economic damages to one or more persons during any one-year period aggregating at least $5,000 in value. The Court recognizes that damages and losses under § 1030(e)(8)(A) may be aggregated across victims and over time for a single act. See In re Doubleclick Privacy Litig., 154 F.Supp.2d 497, 523 (S.D.N.Y. 2001). Here, however, there are no allegations as to the amount of economic harm suffered by Plaintiffs, and, at this point at least, insufficient allegations of any economic harm to any Plaintiff. See Specific Media, 2011 U.S. Dist. LEXIS 50543, at *17 (in analysis of CFAA claim, stating "Defendant correctly observes that based on the above discussion regarding standing, Plaintiffs at the very least have failed to plausibly allege that they and the putative class — even in the aggregate — have suffered $5,000 in economic damages in a one year period as a result of Specific Media's actions."); see also Bose v. Interclick, Inc., No. 10 Civ. 9183 (DAB), 2011 U.S. Dist. LEXIS 93663, at *12-14 (S.D.N.Y. Aug. 17, 2011) (finding that internet advertising company's collection of personal information through use of "browser cookies" and "flash cookies" without permission did not establish the economic injury required by the CFAA). Moreover, even had economic damages been alleged, Plaintiffs have not identified the "single act" of harm by Defendants that would allow the Court to aggregate damages across victims and over time.

Plaintiffs must cure these deficiencies in any amended complaint, or risk dismissal of their CFAA claim with prejudice.

e. Computer Crime Law, Cal. Penal Code § 502

California's legislature enacted Cal. Penal Code Section 502 ("Section 502), the Comprehensive Computer Data Access and Fraud Act, in order to "expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems." Cal. Penal Code § 502(a). While the term "without permission" is not defined within the language of the statute, the Northern District of California has twice considered the meaning of "without permission" under Section 502 and determined that individuals may only be subjected to liability for acting "without permission" under Section 502 if they "access [] or us[e] a computer, computer network, or website in a manner that overcomes technical or code-based barriers." See Facebook, Inc. v. Power Ventures, Inc., No. C 08-05870-JW, 2010 U.S. Dist. LEXIS 93517, at *35 (N.D. Cal. July 20, 2010) (providing extensive analysis of Section 502); see also In re Facebook Privacy Litig., 2011 U.S. Dist. LEXIS 60604, at *26 ("It is thus impossible, on Plaintiffs' own allegations, for Defendant to be liable under the subsections of Section 502 which require a defendant to act `without permission,' as there were clearly no technical barriers blocking Defendant from accessing its own website."). In Power Ventures, the court expressly refused to construe "without permission" to include access to a website or computer network that merely violates a term of use, reasoning that "interpreting the statutory phrase `without permission' in a manner that imposes liability for a violation of a term of use or receipt of a cease and desist letter would create a constitutionally untenable situation in which criminal penalties could be meted out on the basis of violating vague or ambiguous terms of use." See Power Ventures, Inc., 2010 U.S. Dist. LEXIS 93517, at *33; see also LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir. 2009) ("access to a computer may be `authorized,' within the statutory meaning of the term, even if that access violates an agreed upon term of using that computer").

Plaintiffs broadly allege that Mobile Industry Defendants, but not Apple, gained access to consumers' data by paying app developers to include surreptitious tracking codes in the program code for apps. Consol. Compl. ¶¶ 63-64. Plaintiffs attempt to distinguish their case from Power Ventures and Facebook Privacy Litigation by arguing that, through the use of specific, surreptitious computer code, Defendants gained access "without ever having Plaintiffs' permission at all." However, Plaintiffs have still failed to allege how Defendants can be liable for accessing Plaintiffs' computers "without permission." On Plaintiffs' own allegations, the iOS and third party apps — which contain the alleged "surreptitious code" — were all installed or updated voluntarily by Plaintiffs.

The Court is not persuaded by Plaintiffs' further attempt to distinguish their case from Power Ventures and Facebook Privacy Litigation by citing to the single subsection under Cal. Penal Code § 502 that does not appear to require access "without permission" for liability. Section 502(c)(8) imposes liability upon any party who "[k]nowingly introduces any computer contaminant into any computer, computer system, or computer network." Cal. Penal Code § 502(c)(8). Plaintiffs argue that Section 502(c)(8) itself does not include an express requirement that the introduction of a computer contaminant be done "without permission." However, Section 502(c)(10) defines "computer contaminant" as "any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network." See Cal. Penal Code § 502(b)(10) (emphasis added). Thus, the very definition of a "computer contaminant" limits liability to conduct that occurs "without the intent or permission of the owner of the information." Moreover, the section on "computer contaminants" appears to be aimed at "viruses or worms," and other malware that usurps the normal operation of the computer or computer system. Although Plaintiffs' are given leave to amend to clarify their allegations in an amended complaint, it is not clear to the Court how Section 502(c)(8) applies to the case at hand.

f. Trespass to Chattels

Under California law, trespass to chattels "lies where an intentional interference with the possession of personal property has proximately caused injury." Intel Corp. v. Hamidi, 30 Cal. 4th 1342, 1350-51 (2003). In cases of interference with possession of personal property not amounting to conversion, "the owner has a cause of action for trespass or case, and may recover only the actual damages suffered by reason of the impairment of the property or the loss of its use." Id. at 1351. "[W]hile a harmless use or touching of personal property may be a technical trespass (see Rest. 2d Torts, § 217), an interference (not amounting to dispossession) is not actionable, under modern California and broader American law, without a showing of harm." Id. Even where injunctive relief is sought, "the plaintiff must ordinarily show that the defendant's wrongful acts threaten to cause irreparable injuries, ones that cannot be adequately compensated in damages." Id. at 1352 (citing 5 Witkin, Cal. Procedure (4th ed. 1997) Pleading, § 782, p. 239.).

In Intel Corp. v. Hamidi, the California Supreme Court held that, where there was "no actual or threatened damage to [plaintiff's] computer hardware or software and no interference with its ordinary and intended operation," the defendant's trespass was not actionable. Hamidi, 30 Cal. 4th at 1353. Even assuming Plaintiffs' current allegations establish a trespass, Plaintiffs have not connected that trespass to an identifiable harm or injury. As Hamidi demonstrates, trespass without harm, "by reason of the impairment of the property or the loss of use," is not actionable. Hamidi, 30 Cal. 4th at 1351. Accordingly, Plaintiffs are given leave to amend their claim for trespass to chattels to identify actionably harm or injury.

g. Unfair Competition Law ("UCL"), Cal. Bus. Prof. Code § 17200

To assert a UCL claim, a private plaintiff needs to have "suffered injury in fact and . . . lost money or property as a result of the unfair competition." See Rubio v. Capital One Bank, 613 F.3d 1195, 1203 (9th Cir. 2010). Numerous courts have held that a plaintiff's "personal information" does not constitute money or property under the UCL. For example, the court in Facebook Privacy Litigation rejected the argument that personal information itself "constitutes currency" and is "a form of property," and thus rejected a UCL claim. See In re Facebook Privacy Litig., 2011 U.S. Dist. LEXIS 60604, at *23, n. 10 (citing Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121, 1127 (N.D. Cal. 2008) (finding no "authority to support the contention that unauthorized release of personal information constitutes a loss of property.")); see also Thompson v. Home Depot, Inc., No. 07cv1058 IEG, 2007 WL 2746603, at *3 (S.D. Cal. Sept. 18, 2007).

As explained above in the section on Article III standing, Plaintiffs have not adequately alleged any injury, let alone an injury of "lost money or property." Moreover, as the court in the Facebook Privacy Litigation recently explained:

a plaintiff who is a consumer of certain services (i.e., who "paid fees" for those services) may state a claim under certain California consumer protection statutes when a company, in violation of its own policies, discloses personal information about its consumers to the public . See AOL, 719 F. Supp. 2d at 1111-13. Here, by contrast, Plaintiffs do not allege that they paid fees for Defendant's services. Instead, they allege that they used Defendant's services "free of charge."
See In re Facebook Privacy Litig., 2011 U.S. Dist. LEXIS 60604, *22-23. Here, as in the Facebook Privacy Litigation, there is no dispute that Plaintiffs did not pay for services for the App Store, but instead used it "free of charge." Of course, Plaintiffs may have paid for the apps they downloaded — although Plaintiffs have not identified which apps they downloaded — but Plaintiffs have not brought suit against the app developers. In any event, although Plaintiffs' current allegations do not suffice to establish a claim under the UCL, Plaintiffs are given leave to amend.

h. Unjust Enrichment

As this Court has previously determined, "there is no cause of action for unjust enrichment under California law." See Ferrington, 2010 U.S. Dist. LEXIS 106600, at *51 (citing Durell v. Sharp Healthcare, 183 Cal. App. 4th 1350, 1370, 108 Cal. Rptr. 3d 682 (Cal. Ct. App. 2010)). However, some courts have held that unjust enrichment is equivalent to restitution, see Dinosaur Dev., Inc. v. White, 216 Cal. App. 3d 1310, 265 Cal. Rptr. 525 (1989), and have allowed litigants to seek unjust enrichment as a remedy. See Durell, 183 Cal. App. 4th at 1370. "[R]estitution may be awarded in lieu of breach of contract damages when the parties had an express contract, but it was procured by fraud or is unenforceable or ineffective for some reason." See McBride v. Boughton, 123 Cal. App. 4th 379, 388 (2004).

Plaintiffs concede that unjust enrichment is merely an equitable remedy, and instead request leave to amend their demand for relief. In any amended complaint, Plaintiffs may clarify their demand for relief to include unjust enrichment or restitution.

III. CONCLUSION

For the reasons explained above, Defendants' motions to dismiss for lack of Article III standing are GRANTED WITH LEAVE TO AMEND. Any amended complaint must remedy the deficiencies identified above, and must be filed and served within 60 days of this Order.

IT IS SO ORDERED.


Summaries of

In re iPhone Application Litigation

UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION
Sep 20, 2011
Case No.: 11-MD-02250-LHK (N.D. Cal. Sep. 20, 2011)

holding that “[p]laintiffs have not identified a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact,” where the plaintiffs merely stated general allegations about the defendants such as lost opportunity costs and value-for-value exchanges

Summary of this case from Tyler v. Michaels Stores, Inc.

finding to survive a motion to dismiss, complaint must "identify what action each Defendant took that caused Plaintiffs' harm, without resort to generalized allegations against Defendants as a whole" so that defendants can respond to allegations

Summary of this case from Sekerke v. City of National City

finding that "[p]laintiffs' failure to allege what role each Defendant played in the alleged harm makes it exceedingly difficult, if not impossible, for individual Defendants to respond to Plaintiffs' allegations"

Summary of this case from Blazheiev v. Ubisoft Toronto Inc.

finding that plaintiffs asserting privacy violations against mobile device makers lacked standing where they failed to identify what devices they used, what applications they downloaded, or whether any defendants actually accessed plaintiffs' personal information

Summary of this case from Cousineau v. Microsoft Corp.
Case details for

In re iPhone Application Litigation

Case Details

Full title:IN RE IPHONE APPLICATION LITIG.

Court:UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION

Date published: Sep 20, 2011

Citations

Case No.: 11-MD-02250-LHK (N.D. Cal. Sep. 20, 2011)

Citing Cases

Reynolds v. EzriCare LLC

(Dkt. No. 42 at 13 (quoting In re iPhone Application Litig., No. 11-MD-02250-LHK, 2011 WL 4403963, at…

Williams v. Facebook, Inc.

This is sufficient for the class claims. SeeIn re iPhone Application Litig. , No. 11-MD-02250-LHK, 2011 WL…