Opinion
MDL 2948-A Master 24C2110
10-01-2024
IN RE TIKTOK, INC. IN-APP BROWSER PRIVACY LITIGATION This Document Relates to: ALL ACTIONS
MEMORANDUM OPINION AND ORDER
REBECCA R. PALLMEYER United States District Judge
Plaintiffs in this MDL are users of the social-media app TikTok (the “App”) who allege that the App wrongfully collected their personal data through its “in-app browser.” They have sued the App's U.S.-based owners and their foreign affiliates under the federal Wiretap Act, 18 U.S.C. §§ 2510 et seq., and the wiretapping, data-privacy, and consumer-protection laws of multiple states. After the Judicial Panel on Multidistrict Litigation (“JPML”) transferred their cases here for coordinated pretrial proceedings, this court rejected an initial effort by Defendants to dismiss their claims based on an earlier MDL settlement. See In re TikTok, Inc., Consumer Priv. Litig., No. 20 C 4699, 2024 WL 278987 (N.D. Ill. Jan. 25, 2024) [38]. Plaintiffs have since filed a Master Consolidated Complaint that seeks relief on behalf of one nationwide and four state-specific classes of similarly situated users.
The domestic Defendants now move to dismiss this Master Consolidated Complaint in its entirety under Federal Rule of Civil Procedure 12(b)(6). For the reasons stated below, that motion is granted as to Plaintiffs' claims under California's Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 et seq., but otherwise denied.
BACKGROUND
I. Factual Background
A. The TikTok App
The following facts are taken from the Master Consolidated Complaint. TikTok is a social media and entertainment platform that allows its users to create short videos and interact with others' videos. (Master Consol. Compl. [44] (“MCC”) ¶¶ 84-86.) It is one of the world's most popular social media applications, with some 100 million U.S. users as of August 2020. (Id. ¶ 89.) The App is operated in the United States by the California corporation TikTok, Inc., which is named in this lawsuit as one of two “domestic Defendants” along with the Delaware corporation ByteDance, Inc. (Id. ¶¶ 15-16.) These two companies are, in turn, affiliated with a complex network of offshore entities including the Cayman Islands holding company ByteDance Ltd. and the China-based entity Beijing Douyin Information Service Co. Ltd. (named as the “foreign Defendants”). (Id. ¶¶ 18-20.) TikTok's ownership structure is complex, but Plaintiffs allege that all named Defendants are alter egos subject to common control. (Id. ¶¶ 21-23.)
TikTok's business model is founded on digital advertising. (Id. ¶ 90.) While the App itself is free to download, it collects data on users' interests and preferences through their interactions with videos, and uses that data to sell targeted ads to third-party businesses. (Id. ¶ 92-97.) These ads appear as videos in the user's feed that include links to the advertiser's website or other point of sale. (Id. ¶¶ 98, 125-28.) In addition, users who have at least one thousand followers can add links to external websites on their personal profiles, a feature that influencers and businesses often use to direct viewers to their brands and products. (Id. ¶ 131.)
When a user taps on one of these links, it opens directly in the App via an “in-app browser” rather than through a separate web browser on the user's device such as Google Chrome or Safari. (Id. ¶ 122.) Such in-app browsers are not exclusive to TikTok and are a feature of many other popular apps, including Instagram and Facebook. (Id. ¶¶ 137-38 & n.156.) TikTok's in-app browser is unique among those of other peer apps, however, in that the TikTok app did not, as of August 2022, give users the opportunity to re-load the page in their device's default browser. (Ex. 1 to Decl. Anthony J. Weibell Supp. Mot. Dismiss (“Weibell Decl.”) [56-2] at 5.) It is unclear how long the in-app browser has been a feature of the App, though it has been present since at least August 2022. (Id.)
Since its 2018 debut in the United States, TikTok has generated both substantial revenue and substantial controversy. (Id. ¶ 84.) TikTok's website claims that “1 in 2 Gen Z TikTok users are likely to buy something while using TikTok and that 81% of users use TikTok to discover new products and brands.” (Id. ¶ 91.) Consumers spent more than $914 million on the App- specifically, as Plaintiffs assert, via purchases conducted through the in-app browser-in the September quarter of 2022, bringing lifetime total consumer spending to nearly $6.3 billion. (Id. ¶¶ 91, 136.) At the same time, TikTok has been the subject of growing concerns over its handling of users' personal data and its potential ties to the Chinese government. (Id. ¶ 99.) In light of these concerns, multiple federal, state, and foreign government officials have repeatedly sought to ban or limit TikTok's use in their jurisdictions. (Id. ¶¶ 101-121.)
B. Felix Krause's 2022 Report
The origins of this litigation lie in a pair of blog posts made by software engineer Felix Krause in August 2022.(See id. ¶¶ 137-41 & n.156.) Krause discovered that several popular smartphone apps, including TikTok, inject lines of JavaScript code into third-party websites that users access through the in-app browser. (MCC ¶ 138.) This code, added when the browser renders the websites on the user's device, creates new commands that can record and copy users' interactions while browsing, including their keyboard inputs (or “keystrokes”) and taps on elements such as buttons, links, and images. (Id. ¶ 139.) Krause compared this functionality to installing a “keylogger” on third-party websites. (Id. ¶ 140.) Of the seven apps Krause tested, TikTok's in-app browser was the only one that did not give users the option of re-loading the page in their device's default browser. (Weibell Decl. Ex. 1 at 5.)
The Complaint only cites to the first of these blog posts (which does not actually mention TikTok by name), but references and quotes from both extensively. (See MCC ¶¶ 13741 & n.56 (citing Felix Krause, iOS Privacy: Instagram and Facebook Can Track Anything You Do on Any Website in their In-App Browser, KrauseFX Blog (Aug. 10, 2022), https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser).) Defendants have attached the full text of the second blog post, which does discuss TikTok, as an exhibit to their motion to dismiss. (See Ex. 1 to Decl. Anthony J. Weibell Supp. Mot. Dismiss [56-2] (reproducing Felix Krause, iOS Privacy: Announcing InAppBrowser.com - See What JavaScript Commands Get Injected Through an In-App Browser, KrauseFX Blog (Aug. 18, 2022), https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser).) Because both blog posts are clearly “central to the complaint and referred to in it,” the court deems them both incorporated by reference in full. Williamson v. Curran, 714 F.3d 432, 436 (7th Cir. 2013).
Krause characterized the in-app browser's ability to monitor user behavior as an “active choice the company made” and a “non-trivial engineering task . . . [that] does not happen by mistake or randomly.” (Id. ¶ 141.) He also, however, qualified his report's findings, stressing that “[j]ust because an app injects JavaScript into external websites, doesn't mean the app is doing anything malicious” and that “[t]here is no way for us to know the full details on what kind of data [the] in-app browser collects, or how or if the data is being transferred or used.” (Weibell Decl. Ex. 1 at 3; see also id. at 6 (“Do the apps above actually steal my passwords, address and credit card numbers? No! I wanted to showcase that bad actors could get access to this data with this approach.”).) In response to the report, TikTok denied using data gathered via the in-app browser for any improper purpose and told the media through a spokesperson that the code was solely for “debugging, troubleshooting, and performance monitoring” purposes “like checking how quickly a page loads or whether it crashes.” (Weibell Decl. Ex. 1 at 4.) Krause later updated his second blog post to acknowledge this response. (Id.)
II. Procedural History
Following Krause's posts, the individual cases in this MDL were filed between November 2022 and April 2023 in judicial districts across the country. In re TikTok, 2024 WL 278987, at *7. In April 2023, the JPML ordered that these “in-app browser cases” should be transferred to the preexisting MDL No. 2948, which had been created to house an earlier, since-settled round of data-privacy litigation against TikTok. In re TikTok In-App Browser Consumer Priv. Litig., 669 F.Supp.3d 1363, 1365 (J.P.M.L. 2023). The JPML directed this court, the transferee court for MDL No. 2948, to resolve the “threshold question” of whether the in-app browser cases should be dismissed based on the settlement in MDL No. 2948, and-if not-to retain them for coordinated pretrial proceedings. Id. at 1365-66.
In January 2024, this court held that the in-app browser cases were not subject to immediate dismissal based on the MDL No. 2948 settlement. In re TikTok, 2024 WL 278987, at *1. Plaintiffs have since formed a Steering Committee [2] and merged their claims into a Master Consolidated Complaint that lists ten named Plaintiffs as parties. (MCC ¶¶ 5-14.) The Complaint seeks relief on behalf of a Nationwide Class of “[a]ll natural persons in the United States who used the TikTok app to visit external, third-party websites via the in-app browser,” as well as four state-specific subclasses for residents of California, Florida, Illinois, and Pennsylvania. (Id. ¶ 188.) The Nationwide Class brings claims under: (1) the federal Wiretap Act, 18 U.S.C. §§ 2510 et seq.; (2) the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630 et seq.; (3) the California Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code §§ 17200 et seq.; and (4) the law of unjust enrichment in California and other states.(Id. ¶¶ 196-265.) The state subclasses assert claims under (1) CIPA; (2) the UCL; (3) the Florida Security of Communications Act (“FSCA”), Fla. Stat. §§ 934 et seq.; (4) the Illinois Eavesdropping Act (“IEA”), 720 ILCS 5/141 et seq.; (5) the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”), 18 Pa. Cons. Stat. §§ 5701 et seq., and (6) unjust enrichment. (Id. ¶¶ 266-378.)
Plaintiffs assert that California law applies to all Nationwide Class members because the domestic Defendants are headquartered in California. (MCC ¶¶ 211-25.)
The domestic Defendants have now moved to dismiss all of these counts under Rule 12(b)(6) for failure to state a claim upon which relief may be granted [55].
The motion is filed by the U.S.-based companies TikTok, Inc. and ByteDance, Inc., the only defendants who have been served and have filed appearances. (See [14, 15, 17] in Recht v. TikTok, No. 23 C 2248 (N.D. Ill.).) The other defendants named in the Master Consolidated Complaint-ByteDance, Ltd. and Beijing Douyin Information Service Co. Ltd-have not been served. At oral argument on Defendants' motion to dismiss, counsel for the domestic Defendants disclaimed any relationship with the foreign Defendants and represented that “[t]he entity TikTok Inc., takes full responsibility for whatever happens with the TikTok app in the United States.” (Sept. 10, 2024 Oral Arg. Tr. [74] (“Oral Arg. Tr.”) 51:17-20.)
LEGAL STANDARD
Rule 8(a)(2) requires a complaint to include “a short and plain statement of the claim showing that the pleader is entitled to relief.” FED. R. CIV. P. 8(a)(2). “A claim satisfies Rule 8(a)(2)-and avoids dismissal under Rule 12(b)(6)-if the complaint alleges facts that show the claim is ‘plausible on its face.'” Taha v. Int'l Bhd. of Teamsters, Loc. 781, 947 F.3d 464, 469 (7th Cir. 2020) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 570 (2007)). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (quoting Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009)). The court must accept the complaint's factual allegations as true, but is “not bound to accept as true a legal conclusion couched as a factual allegation.” Ashcroft, 556 U.S. at 678 (citation omitted). Its review is limited to the complaint itself, “documents that are attached to the complaint, documents that are central to the complaint and are referred to in it, and information that is properly subject to judicial notice.” Williamson v. Curran, 714 F.3d 432, 436 (7th Cir. 2013). Because a plaintiff “ordinarily need not anticipate and attempt to plead around affirmative defenses,” dismissal based on such a defense is appropriate only when “the factual allegations in the complaint unambiguously establish all the elements of the defense.” Hyson USA, Inc. v. Hyson 2U, Ltd., 821 F.3d 935, 939 (7th Cir. 2016).
Defendants do not challenge this court's subject-matter jurisdiction under Rule 12(b)(1), but, as the following discussion will show, their motion raises questions as to the named Plaintiffs' standing as well. Standing is a jurisdictional issue that the court must address sua sponte even if no party has invoked it as a basis for dismissal. Cothron v. White Castle Sys., Inc., 20 F.4th 1156, 1159-60 (7th Cir. 2021). If the plaintiff's allegations supporting standing are “questioned as a factual matter,” the court may look beyond the pleadings to determine whether standing has been proven by a preponderance of the evidence. Bazile v. Fin. Sys. of Green Bay, Inc., 983 F.3d 274, 279 (7th Cir. 2020). In this case, where no such factual attack has been made, the standard of review is the same as that under Rule 12(b)(6): whether the plaintiffs' well-pleaded factual allegations, taken as true, plausibly support each element of standing. Silha v. ACT, Inc., 807 F.3d 169, 174 (7th Cir. 2015). As “[s]ubject-matter jurisdiction is the first issue in any case,” the court must address any jurisdictional questions before turning to the merits. Cothron, 926 F.3d at 902 (citation omitted).
DISCUSSION
Defendants argue for dismissal on the following grounds: (1) Plaintiffs' entire case is rendered implausible by the admissions in Felix Krause's report; (2) Plaintiffs consented to any collection of data by acknowledging TikTok's terms and conditions; (3) the Complaint does not plausibly allege that each of the named Plaintiffs suffered an individualized injury; and (4) Plaintiffs have failed to meet all of the elements of their various causes of action under federal and state law. Because the third argument raises concerns about the justiciability as well as the legal sufficiency of Plaintiffs' claims, the court will address it first before turning to Defendants' other arguments.
I. Named Plaintiffs' Personal Allegations
The threshold issue presented in Defendants' motion is whether the named Plaintiffs' personal allegations are detailed enough to justify their participation in this MDL. While the Master Consolidated Complaint goes into great depth on how the in-app browser works generally, its allegations on the named Plaintiffs' actual experiences with that browser are minimal. Plaintiff Austin Recht, for example, alleges that he downloaded the App in 2019, and that “[w]hile using [it] . . . encountered and clicked on links to external, third party websites” that opened via the in-app browser. (MCC ¶ 5.) He then asserts that “Defendants secretly used [the browser] to monitor and capture the details of [his] website activities and purchases, including his personal information, contact information, and credit card information . . . without his knowledge or consent.” (Id.) Each of the other named Plaintiffs pleads some variation of this same boilerplate language: they downloaded TikTok at some point in the past, used its in-app browser to visit third-party websites, and unknowingly had their personal data collected. (Id. ¶¶ 6-14.) Left unstated is when exactly these “activities and purchases” took place, what websites the named Plaintiffs visited, what products they purchased, or what specific information they provided in doing so.
Defendants present this as a failure-to-state-a-claim problem, but it is also a standing issue. Article III's limit on subject-matter jurisdiction to “cases” and “controversies” means that plaintiffs “must maintain their personal interest in the dispute at all stages of litigation.” TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021). “At the pleading stage, standing requires allegations of a concrete and particularized injury in fact that is traceable to the defendant's conduct and redressable by judicial relief.” Cothron, 20 F.4th at 1160 (citing Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992)). Any named plaintiff seeking to represent a class must personally satisfy these requirements. Spokeo, Inc. v. Robins, 578 U.S. 330, 338 n.6 (2016). Here, all of the named Plaintiffs' claims rest on the central assumption that their personal data was actually collected by the in-app browser. If their pleadings cannot plausibly support this reasonable inference, they not only cannot state a claim under any law-they lack any justiciable controversy for this court to resolve.
The parties do not address the related question of whether the type of data collection that Plaintiffs are describing, even if taken as true, is sufficiently “concrete” to confer standing. The Supreme Court has emphasized that “bare procedural” violations cannot create standing in data-privacy cases. Spokeo, 578 U.S. at 342. Rather, the plaintiff generally must show that the claimed injury bears a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion, 594 U.S. at 424. Many (though not all) courts in cases involving similar internet-tracking software have dismissed claims under TransUnion where the plaintiffs failed to allege that the data collected was sufficiently sensitive or private in nature. See Cook v. GameStop, Inc., 689 F.Supp.3d 58, 67-68 (W.D. Pa. 2023); In re BPS Direct, LLC, 705 F.Supp.3d 333, 352-53 & nn.118-20 (E.D. Pa. 2023) (collecting cases). But see James v. Walt Disney Co., 701 F.Supp.3d 942, 950 (N.D. Cal. 2023) (rejecting the premise that “Plaintiffs must show that any interception of information was highly offensive in order to have standing,” and concluding that “intercepting information about, e.g., pages viewed, search terms entered, or purchase behavior” is sufficient). This court need not weigh in on the debate, as Plaintiffs' pleadings, at least technically, do appear to meet the stricter standard outlined in these cases. The parties do not seem to dispute, and the court agrees, that TikTok's surreptitious interception of users' personally identifying information or financial data (like a credit card number or banking details) would be cognizable under Article III. See Smidga v. Spirit Airlines, Inc., No. 2:22-CV-1578-MJH, 2024 WL 1485853, at *5 (W.D. Pa. Apr. 5, 2024) (noting, in dicta, that while “courts have rejected standing where plaintiffs have only inputted basic personal information, Cook and others suggest that the input and recording of credit card data may be sufficient to allege a concrete harm”). The remaining question is whether these relatively terse allegations are simply “formulaic recitation[s] of the elements” needed to clear TransUnion's bar. Ashcroft, 556 U.S. at 678; see Silha, 807 F.3d at 174.
Indeed, a district court in the Northern District of California dismissed a parallel litigation against Meta-inspired by Krause's same blog post on in-app browsers-on equivalent grounds after finding the named plaintiffs' personal allegations insufficiently detailed. (See Aug. 17, 2023 Mot. Hrg. Tr. [91] in In re Meta Browser Tracking Litig., No. 3:22-cv-05267 (N.D. Cal.), at 19:2020:25.) The complaint in Meta Browser made similarly cookie-cutter statements about the plaintiffs' experiences with the Facebook app's browser, alleging only that their “sensitive, confidential and private” data was intercepted on third-party websites, without offering any details about the content of this data or the identity of these websites. (Consol. Class Action Compl. [36] in In re Meta Browser, ¶¶ 13-54.) In ruling from the bench on the defendants' motion to dismiss, the district court found that without more on “what websites they visited, [or] where that information would have . . . been taken,” the plaintiffs had failed to provide enough “particularized information” to plausibly suggest that they had been harmed. (Mot. Hrg. Tr. 12:11-13:18.)
This court shares concerns over Plaintiffs' failure to plead more specifics about their interactions with the in-app browser, but will not dismiss the Complaint on that basis. “At the pleading stage, ‘general factual allegations of injury resulting from the defendant's conduct may suffice'” to establish standing, and the court must “draw[] all reasonable inferences in the plaintiff's favor.” Bazile, 983 F.3d at 278 (quoting Lujan, 504 U.S. at 561). Similarly, Rule 8's “short and plain statement” requirement requires only “sufficient detail to put the defendants on notice of the claims.” Sloan v. Anker Innovations Ltd., No. 22 C 7174, 2024 WL 935426, at *3 (N.D. Ill. Jan. 9, 2024) (citation omitted). While “unsupported conclusory statements” are not enough, Taha, 947 F.3d at 469, the Complaint's background context about the in-app browser helps shore up Plaintiffs' individual pleadings here and is sufficient to both affirm their standing and put Defendants on notice.
The Complaint alleges that one of the in-app browser's central functions is to facilitate targeted advertising on the App. (MCC ¶¶ 1, 123.) TikTok users generally begin in-app browsing sessions by either (1) tapping on links in video ads that route to the advertiser's website, or (2) tapping on links in the profiles of popular TikTok accounts, which commonly provide these links in order to promote their brands and products. (Id. ¶ 125-32.) Thus, while Defendants argue that “not every website visit involves the use of one's personal, contact, credit card [and] banking” data (Mem. Supp. Mot. Dismiss [56] at 10), this ignores the context that Plaintiffs provide about how the in-app browser works and what it is designed to do. Their general allegations, taken as true, suggest that the in-app browser is a more specifically transactional platform than a generalpurpose browser like Chrome or Safari. Any given TikTok user who accesses an external website through the App is relatively more likely to be doing so in order to buy something. (See id. ¶¶ 91, 136 (quoting TikTok's own assertion that “1 in 2 Gen Z TikTok users are likely to buy something while using TikTok,” as well as statistics that consumers spent more than $914 million via the App in the September quarter of 2022).) And this makes it easier to believe the named Plaintiffs' assertions that they each entered their personal identifying information (such as their name and billing address) and financial data (such as their credit card numbers and banking details) while using the in-app browser.
The same point could perhaps have been made in the Meta Browser case, and the different outcome here is partly a matter of simple disagreement. The California district court acknowledged-but ultimately did not heed-the “chicken and the egg” problem that frequently arises in data-privacy cases, in which plaintiffs often lack knowledge of when or how their data is being used by the defendant's platform and can find out only through discovery. (Mot. Hrg. Tr. in In re Meta Browser, at 19:1-20:5.) Given this informational asymmetry, this court is not inclined to require Plaintiffs to provide detailed facts about the time and circumstances of their injury at the pleading stage. See TransUnion, 594 U.S. at 431 (“A plaintiff must demonstrate standing ‘with the manner and degree of evidence required at the successive stages of the litigation.'” (quoting Lujan, 504 U.S. at 561)); Kurowski v. Rush Sys. for Health (“Kurowski III”), No. 22 C 5380, 2023 WL 8544084, at *3 (N.D. Ill.Dec. 11, 2023) (“[T]he Court also notes that [plaintiff] lacks the direct access to what occurs in the background on [defendant's] web properties . . . that she would need to provide further details supporting her claim of improper disclosures of personal . . . information.”). But beyond this, Meta Browser involved a challenge to a different company's app that routes its users to third-party websites under a distinct set of circumstances. While a Facebook user, like a TikTok user, can access that app's browser by tapping on an ad, they can also do so via other means, such as a link in another user's message or in their newsfeed. (See Consol. Class Action Compl. in In re Meta Browser, ¶ 86 & fig.4 (outlining methods of accessing Facebook's in-app browser).) And while Meta Browser stemmed from the same research by Krause that prompted this litigation, Krause specifically singled out TikTok's in-app browser as unique among other peer apps', noting that it was the only one surveyed that did not, as of August 2022, give users the option of switching to their device's default browser. (See Weibell Decl. Ex. 4 [56-5] at 5.) The two cases are not identical, and the California district court's nonbinding bench ruling need not control the outcome here.
Beyond Meta Browser, Defendants cite several other cases that dismissed data-privacy claims arising from software that tracked users' online behavior after finding the named plaintiffs' personal allegations too vague to state a claim. The sticking point in all of these cases, however, was that the plaintiffs had not provided enough detail about the content of the compromised data to support an inference that defendants' actions violated any law. Both Kurowski v. Rush System for Health (“Kurowski II”), 683 F.Supp.3d 836 (N.D. Ill. 2023), and Hartley v. University of Chicago Medical Center, No. 22 C 5891, 2023 WL 7386060 (N.D. Ill. Nov. 8, 2023), were HIPAA cases involving “pixel” code that collected patients' browsing data during visits to hospital websites. And both courts found the plaintiffs' “allegations . . . far too vague to allow an inference to be drawn that [defendants were] actually disclosing” data within HIPAA's statutory definition of individually-identifiable health information. Kurowski II, 683 F.Supp.3d at 843; see Hartley, 2023 WL 7386060, at *2. No such problem exists here: Plaintiffs' allegations are not founded on violations of HIPAA, but on the allegedly unlawful interception of their personal and financial data during online transactions.
Kurowski and Hartley are also distinguishable in that both cases involved claims against the operator of a specific website, implicating the Wiretap Act's “party exception” for communications intercepted by their own recipient. See 18 U.S.C. § 2511(2)(d). The courts' scrutiny of the named plaintiffs' personal allegations was driven by a need to assess whether the defendants had potentially violated HIPAA, allowing the plaintiffs to invoke the statute's “exception to th[is] exception” for criminal or tortious acts. Kurowski II, 683 F.Supp.3d at 842; Hartley, 2023 WL 7386060, at *2. That issue is not presented here: as discussed further below, Defendants cannot claim the party exception since they were not the intended recipients of any communication. See infra Section IV.A.2.
Cook v. GameStop, meanwhile, was one of a number of recent cases challenging online retailers' use of “session replay” code to track and record visitors' interactions with their website, such as mouse movements, clicks, and keystrokes. 689 F.Supp.3d 58, 61 (W.D. Pa. 2023); see In re BPS Direct, LLC, 705 F.Supp.3d 333, 352 n.118 (E.D. Pa. 2023) (collecting session replay cases). As this court previously noted, the legal theories and underlying technology in these “session replay” cases are similar to, though distinct from, those at issue in this lawsuit. In re TikTok, 2024 WL 278987, at *9. Namely, most “session replay” cases involve privacy claims against a website operator who tracks user behavior on a single website (or discrete collection of sites), while this case involves a browser operator who tracks user behavior across all third-party websites. Id. The Cook court dismissed the plaintiff's case for lack of standing and for failure to state a claim, finding that she lacked any cognizable privacy interest in her anonymized browsing behavior while on the website and that she had not plausibly alleged that any of her personal or sensitive information was actually intercepted. Id. at 65-66, 69 (“[P]laintiff did not enter any personally identifying information at any point during her interaction. Not her name. Not her address. Not her credit card information. Nothing that could connect her browsing activity to her.”); see also Straubmuller v. JetBlue Airways Corp., No. DKC 23-384, 2023 WL 5671615, at *4 (D. Md. Sept. 1, 2023) (“Because the Complaint says nothing about the kinds of interactions Plaintiff had with Defendant's website, much less the specific kinds of captured personal information implicating a substantive privacy interest, Plaintiff has not alleged that his personal information was intercepted and recorded by Defendant.”). Plaintiffs here, in contrast, have alleged that the in-app browser collected their sensitive personal and financial data, such as “credit card information,” “banking information,” and one Plaintiff's “social security number.” (See MCC ¶¶ 5-14.) Other courts assessing “session replay” claims have found similar allegations sufficient to survive a motion to dismiss. See, e.g., India Price v. Carnival Corp., No. 23-CV-236-GPC-MSB, 2024 WL 221437, at *2-3 & n.3 (S.D. Cal. Jan. 19, 2024) (finding allegations that defendant's website intercepts a user's “passport number, driver's license number, date of birth, home address, phone number, email address and/or payment information” adequate to support standing and to state a claim under the federal Wiretap Act).
Finally, In re Google Assistant Privacy Litigation involved data-privacy and consumer-protection claims arising from Google's voice-activated virtual assistant software and its purported ability to monitor users' private conversations. 457 F.Supp.3d 797, 810 (N.D. Cal. 2020). The district court found the Complaint's bare allegations “that Plaintiffs' conversations were ‘confidential'” and that they “‘interacted with' their device ‘repeatedly'” insufficient to state a claim without more details about “the participants in the conversations, the locations of the conversations, or examples of content from the conversations.” Id. at 816. The pleadings here skirt close to that line: Plaintiffs' allegations that Defendants collected their unspecified data at some indeterminate time while they were using the App are not much more detailed than those the Google Assistant court found wanting. Again, however, context matters. The Google Assistant case involved a technology that could allegedly pick up all conversations, whether private or not; the court's dismissal was founded on the idea that the plaintiffs could only claim protection over conversations “subject to a reasonable expectation of privacy,” and had not sufficiently alleged that any such conversations were in fact collected. Id. at 816-17. Here, while the TikTok in-app browser could in theory be used to browse the internet for non-transactional purposes, Plaintiffs have provided sufficient background to plausibly suggest that this is unlikely. And they have alleged that the browser enables unlawful interception of their personal and financial data.
Plaintiffs will always have the burden to maintain their standing, TransUnion, 594 U.S. at 431, and this conclusion could change as more information comes to light in discovery. If it ultimately emerges that one or more of the named Plaintiffs was never actually injured by the in-app browser-such as if they never actually entered their name, credit-card number, or other private information to buy any products-their claims will be promptly dismissed. In the meantime, as the court will be granting Defendants' motion in part with leave to amend (as discussed further below), “it would behoove Plaintiffs to include . . . more specific allegations” about their personal experiences with the in-app browser should they choose to file a new complaint. James v. Walt Disney Co., 701 F.Supp.3d 942, 952 (N.D. Cal. 2023).
II. The Krause Report
Defendants next argue that the Complaint must be dismissed because Felix Krause's report, on which it rests, effectively admits that their claims lack any basis in fact. Recall that Krause repeatedly discounted the significance of his findings on the in-app browser's capabilities in the same blog post he used to publish them, stressing that he had no way of verifying “the full details on what kind of data [the] in-app browser collects, or how or if [it] is being transferred or used.” (Weibell Decl. Ex. 1 at 3.) Krause drew a distinction between the App's “subscrib[ing] to” user interaction data and what actually “happens with the data”, suggesting that “subscribes to” at most connotes the capacity to monitor and harvest data. (Id. at 4.) These qualifications, Defendants contend, leave Plaintiffs' claims implausible on their face-particularly in light of TikTok's alternative explanation, provided in response to Krause's report, that “the Javascript code in question is used only for debugging, troubleshooting, and performance monitoring” purposes (id. at 4). See McCauley v. City of Chicago, 671 F.3d 611, 616 (7th Cir. 2011) (“If the allegations give rise to an obvious alternative explanation, then the complaint may stop short of the line between possibility and plausibility of entitlement to relief.”) (cleaned up).
While the Krause Report is clearly central to the Complaint and properly within the scope of this court's review under the incorporation-by-reference doctrine, it does not “undermine [Plaintiffs'] case” in any way that would justify dismissal. Fin. Fiduciaries, LLC v. Gannett Co., 46 F.4th 654, 663 (7th Cir. 2022). As an initial matter, the mere fact that Plaintiffs' claims may have been inspired by Krause's findings does not mean that Plaintiffs are bound by his purported admissions. Plaintiffs have not stated that they intend to offer Krause as an expert, and his nonparty statements may not be admissible at trial. But even accepting Defendants' premise for the limited purpose of evaluating the Complaint's plausibility, the Krause Report does not definitively absolve TikTok of liability. None of Krause's disclaimers alter his central finding: that TikTok's in-app browser “subscribes to all keyboard inputs (including passwords, credit card information, etc.) and every tap on the screen,” a function that he describes as “the equivalent of installing a keylogger on third party websites.”(Weibell Decl. Ex. 1 at 4.) Krause only stated that he had no way of verifying, one way or the other, whether TikTok retains or uses this data- a question that Plaintiffs now seek to answer through discovery. (Id. at 3.) TikTok's alternative rationale-that the code is meant for debugging purposes only and does not collect users' personal information-is not so clearly preferable to Plaintiffs' version of events that they should be precluded from testing the merits of the company's position. See Swanson v. Citibank, N.A., 614 F.3d 400, 404 (7th Cir. 2010) (“[I]t is not necessary to stack up inferences side by side and allow the case to go forward only if the plaintiff's inferences seem more compelling than the opposing inferences.”).
Defendants also cite several statements that Krause made to the media after releasing his report, in which he further qualified his findings and described TikTok's response concerning the in-app browser code as “very reasonable.” (Mem. Supp. Mot. Dismiss at 6; see MCC ¶ 141 n.158 (citing Richard Nieva, TikTok's In-App Browser Includes Code That Can Monitor Your Keystrokes, Researcher Says, Forbes (Aug. 18, 2022), https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browserresearch/?sh= 5849e78b7c55).) Unlike the Krause Report itself, the Complaint makes no mention of these statements (beyond one footnote citation to a Forbes article that does not actually reproduce Krause's quote), and they are neither clearly incorporated by reference nor subject to judicial notice. See In re Shopko Sec. Litig., No. 01-C-1034, 2002 WL 32003318, at *1 (E.D. Wis. Nov. 5, 2002) (rejecting defendants' attempt to incorporate press materials not attached to plaintiffs' complaint). More importantly, they add nothing beyond what Krause initially said in his blog posts that would affect the plausibility of Plaintiffs' claims.
III. Consent
Next, Defendants argue that Plaintiffs consented to any collection of data by the in-app browser under TikTok's Terms of Service and Privacy Policy. Consent is a potential defense to all of Plaintiffs' claims under both federal and state law.However, consent is also “an affirmative defense on which [Defendants] bear[] the burden of proof.” Craftwood II, Inc. v. Generac Power Sys., Inc., 63 F.4th 1121, 1126 (7th Cir. 2023). The parties concur that the defense is available if Defendants show that a “reasonable user viewing [TikTok's] disclosures would . . . have concluded that they unambiguously disclosed the data collection at issue.” Calhoun v. Google, LLC, 113 F.4th 1141, 1147-48 (9th Cir. 2024). And at the motion-to-dismiss stage, Defendants must do so using only the Complaint's allegations and any documents attached, incorporated by reference, or properly subject to judicial notice. Hyson USA, Inc., 821 F.3d at 939; Williamson, 714 F.3d at 436.
See 18 U.S.C. § 2511(2)(d) (precluding liability for private-party interceptions “where one of the parties to the communication has given prior consent” and the interception is not made for criminal or tortious purposes); Cal. Penal Code § 631(a) (prohibiting wiretapping “without the consent of all parties to the communication”); id. § 632(a) (prohibiting eavesdropping “without the consent of all parties to . . . [the] communication”); Fla. Stat. § 934.03(2)(d) (precluding liability for interceptions “when all of the parties to the communication have given prior consent”); 720 ILCS 5/14-2(a)(3) (precluding liability for interceptions by nonparties made “with the consent of all parties to the private electronic communication”); 18 Pa. Cons. Stat. § 5704(4) (precluding liability “where all parties to the communication have given prior consent”); Sweet v. Google Inc., 2018 WL 1184777, at *10 (N.D. Cal. Mar. 7, 2018) (dismissing UCL claim, among others, based on consent established by defendants' terms and conditions); Hicks v. PGA Tour, Inc., 897 F.3d 1109, 1120 (9th Cir. 2018) (dismissing unjust enrichment claims, among others, based on consent established by defendant's registration form).
Plaintiffs acknowledge the existence of the Privacy Policy in their Complaint, but they do not cite it or reproduce its language; they only assert that it does not effectively disclose the in- app browser's collection of data. (MCC ¶ 180 (“Nowhere in Defendants' Terms of Service or the privacy policies is it disclosed that Defendants compel their users to use an in-app browser that . . . [records] every keystroke, every tap on any button, link, image or other component on any website, and details about the elements the users clicked.”).) In response, Defendants have submitted several screenshots from the Internet Archive's “Wayback Machine” as exhibits to their motion to dismiss, purporting to show versions of TikTok's U.S. Privacy Policy dating from June 2021 to March 2024. (Weibell Decl. Exs. 2-4 [56-3 to 56-5].) They have also submitted screenshots of Apple's and Google's respective app store listings for the TikTok App as of late 2020, which contain links to the Privacy Policy, as well as screenshots of the App's “log in / sign up” dialogs, which prompt users to acknowledge that they have read the Privacy Policy before creating a TikTok account. (Weibell Decl. Exs. 5-8 [56-3 to 56-9].) Defendants contend that the Privacy Policy's language unambiguously discloses any collection of data by the in-app browser.
Before addressing whether this is so, the court considers whether these newly provided documents are properly within the scope of its review. Plaintiff argues otherwise, as they are neither attached to the Complaint, “central to . . . and referred to in it,” or properly subject to judicial notice. Williamson, 714 F.3d at 436. But the question of whether Plaintiffs consented to the in-app browser's data collection under the Privacy Policy is “central” to the Complaint; lack of consent is a prima facie element of many of their claims. See Silver v. Stripe Inc., No. 4:20-CV-08196-YGR, 2021 WL 3191752, at *2 (N.D. Cal. July 28, 2021) (“Consideration of consent is appropriate on a motion to dismiss where lack of consent is an element of the claim.”). And Plaintiffs have “referred” to the Privacy Policy by making affirmative representations about what it does not contain. It was thus fair game for Defendants to submit the Policy's full text with their Rule 12(b)(6) motion. See Fin. Fiduciaries, 46 F.4th at 663 (“Th[e] incorporation-by-reference doctrine prevents a plaintiff from avoiding dismissal by omitting facts or documents that undermine his case.”); In re VTech Data Breach Litig., No. 15 CV 10889, 2017 WL 2880102, at *2 (N.D. Ill. July 5, 2017) (finding that defendants' privacy policy was incorporated by reference where plaintiff's complaint repeatedly referred to its terms).
Although the consent defense is, thus, fairly before the court at this stage, the court concludes, for now, that Defendants' submissions are too limited to allow a definitive ruling on the merits of that defense. As an initial matter, the authenticity of the submissions is disputed: Plaintiffs argue that Defendants must verify them through the testimony of “someone with personal knowledge of reliability of the archive service from which the screenshots are retrieved.” Specht v. Google Inc., 747 F.3d 929, 933 (7th Cir. 2014).More importantly, even if Defendants' Internet Archive screenshots do provide a continuous and accurate record of TikTok's operative Privacy Policy from June 2021 to March 2024, that record is insufficient to establish that all of the named Plaintiffs consented to its terms. First, many of them allege that they began using the App before 2021. (See, e.g., MCC ¶ 5 (Plaintiff Recht “downloaded the TikTok app and created his first TikTok account in 2019”); id ¶ 9 (Plaintiff Stowers did so in 2020); id. ¶ 10 (Plaintiff Bravo did so in 2019).) The parties have yet to address the critical question of when the in-app browser first became a part of the App, see In re TikTok, 2024 WL 278987, at *20, but assuming that it was added prior to 2021, the court would need to see the version of the Privacy Policy then in effect before determining whether these Plaintiffs had consented to its collection of data. See Patterson v. Respondus, Inc., 593 F.Supp.3d 783, 805-06 (N.D. Ill. 2022). Any retroactive disclosure in a later-issued version would be insufficient to establish effective prior consent. See Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107, at *2 (9th Cir. May 31, 2022) (holding that retroactive disclosure of data collection on website did not bar CIPA § 631(a) claim).
There is conflicting authority on this point. Compare Specht, 747 F.3d at 943 (affirming exclusion of Internet Archive screenshots without authenticating testimony), with Arteaga v. United States, 711 F.3d 828, 834 (7th Cir. 2013) (considering archived version of webpage in affirming dismissal under Rule 12(b)(6) without discussing authentication), and Hepp v. Ultra Green Energy Servs., LLC, No. 13 C 4692, 2016 WL 1073070, at *2 n.1 (N.D. Ill. Mar. 18, 2016) (citing cases that “take[] judicial notice of the contents of web pages available through the Wayback Machine as facts that can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned”).
Second, even for the named Plaintiffs whose claims postdate June 2021, Defendants have not connected the dots enough to prove that these Plaintiffs acknowledged the Privacy Policy. Defendants do not provide dates when their screenshots of TikTok's “log in / sign up” dialogs were created; assuming they coincide with the June 2024 motion to dismiss, it is unclear whether the same prompt to acknowledge the Privacy Policy was present in the App before that date. (See Weibell Decl. Exs. 7-8.) Nor has it been established that a user even needs to create a TikTok account using these dialogs before viewing content on the App and its browser, or that the named Plaintiffs in fact did so. See Wilson v. Redbox Automated Retail, LLC, 448 F.Supp.3d 873, 882-83 (N.D. Ill. 2020) (online agreements must provide “clear and conspicuous notice” of terms and conditions to bind users).
The court will thus be better prepared to rule on “whether a reasonable user reading [the Privacy Policy] would think that he or she was consenting to the [App's] data collection” at summary judgment, with the benefit of a record establishing which version of the Policy (if any) each named Plaintiff acknowledged. Calhoun, 113 F.4th at 1148. Until then, Defendants' motion to dismiss the Complaint based on consent is denied.
IV. Causes of Action
Defendants' remaining arguments for dismissal attack the various elements of Plaintiffs' federal- and state-law claims. The court addresses each in turn, starting with the federal Wiretap Act claim, then turning to the state-law wiretapping and eavesdropping claims, and finishing with the state-law unfair competition and unjust enrichment claims.
A. Federal Wiretap Act
The federal Wiretap Act, as amended by the Electronic Communications Privacy Act of 1986, imposes civil liability on anyone who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral or electronic communication.” 18 U.S.C. §§ 2511(1)(a), 2520(a). It does the same for any person who intentionally “discloses” or “uses” an unlawfully intercepted communication Id. § 2511(1)(c), (d). The term “intercept” is defined as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Id. § 2510(4). “Contents,” in turn, is defined as “any information concerning the substance, purport, or meaning of [a] communication.” Id. § 2510(8). Thus, to plead a prima facie Wiretap Act claim, Plaintiffs must show that Defendants “(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication (5) using a device.” In re Pharmatrak, Inc., 329 F.3d 9, 18 (1st Cir. 2003).
The Act contains several statutory exceptions from liability. The exceptions shield any interception by a person who “is a party to the communication,” or where “one of the parties . . . has given prior consent,” as long as the interception is not for criminal or tortious purposes. Id. § 2511(2)(d). The Act also carves out interceptions by any “device” that is “being used by a provider of wire or electronic communication service in the ordinary course of its business.” Id. § 2510(5)(a)(ii). Defendants here argue that Plaintiffs fail to plead a Wiretap Act violation because (1) there was no “interception” of any communications, (2) Defendants would in any event be “parties” to such communications, and (3) any collection of data would be within their “ordinary course of business.”
1. Interception of Communications
First, Defendants argue that Plaintiffs have not plausibly alleged that any of their “communications” were “intercepted” (or, by extension, unlawfully “used” or “disclosed”). Defendants do not seem to dispute that Plaintiffs' allegations would satisfy the statute's broad definition of “electronic communications,” see 18 U.S.C. § 2510(12) (“[A]ny transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”). Rather, they contest whether the Complaint states an actual “interception” of any such data. In support, however, they simply cite back to the sections of their brief discussing the Krause Report and the Named Plaintiffs' personal allegations, claiming that Krause's qualifications-and Plaintiffs' own threadbare individual pleadings-render it implausible that TikTok intentionally “acquire[d]” the “contents” of any of Plaintiffs' personal data via the in-app browser. 18 U.S.C. § 2510(4).
If Defendants are ultimately proven right, Plaintiffs' Wiretap Act claim may very well fail. The Krause Report compares the in-app browser's ability to record users' keystrokes to that of a “keylogger.” (Weibell Decl. Ex. 2 [56-3] at 4.) Multiple courts have rejected Wiretap Act liability for the use of “keylogger” software, on the grounds that a keylogger's local storage of collected keystroke data on a user's personal computer does not constitute an “interception” of any “electronic communication,” which requires a “transfer” through a “system that affects interstate or foreign commerce.” Rene v. G.F. Fishers, Inc., 817 F.Supp.2d 1090, 1093 (S.D. Ind. 2011) (citing United States v. Barrington, 648 F.3d 1178, 1202-03 (11th Cir. 2011)). At the same time, these holdings appear to implicitly recognize that a nonparty's use of a keylogger could state a Wiretap Act violation if such a transmission did take place. See Barrington, 648 F.3d at 1203 (“Conceivably, the keylogger software at issue here could be used to contemporaneously capture information or signals being transmitted beyond the user's computer. If so, this would bring the keylogger software within the [Act's scope] .... However, the Government points to no evidence in the record showing that the keylogger at issue here had that capacity and we have found none.”). While Krause's analogy need not be taken as a given, it does raise a critical question that Plaintiffs will ultimately need to confront-whether the TikTok App not only had the ability to record users' keystrokes and other website interactions on the in-app browser, but actually did collect and contemporaneously transmit this data to the company's servers. Rene, 817 F.Supp.2d at 1093 (citing United States v. Szymuszkiewicz, 622 F.3d 701, 705-06 (7th Cir. 2010)); cf. Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121, 132 (3d Cir. 2022) (holding, under Pennsylvania wiretapping statute, that “the place of interception is the point at which the signals were routed to [defendant's] servers”). If the App merely “subscribes to” keystrokes and other user inputs locally without ever conveying this data to the company's servers, Plaintiffs may have no basis for liability under the wiretapping laws. See Barrington, 648 F.3d at 1202.
Alternatively, it is possible that the App does collect and transmit data on users' website interactions, but only in a format that does not convey any “substance, purport, or meaning.” 18 U.S.C. § 2510(4). For example, if the App only collects data on how users are typing (such as the speed or cadence of their keystrokes) rather than what they are typing (i.e., the substance of their text inputs), it is hard to see how this could satisfy the statutory element of the “contents” of a communication-let alone TransUnion's requirements for a sufficiently concrete harm under Article III. See In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014) (holding that “‘contents' refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication”); TransUnion, 594 U.S. at 424-25. The same concerns would also seem to apply to the App's collection of non-keystroke data (such as button presses, taps, pauses, and scrolls). See Cook, 689 F.Supp.3d at 66, 70 (finding that mouse movements and clicks are neither sufficiently private for standing purposes nor “communicative” for purposes of the statute). If Plaintiffs intend to argue that all of this data falls under the Wiretap Act, they will need to more clearly demonstrate how it is sufficiently substantive to implicate the Act's protections.
Plaintiffs' counsel took the position at oral argument that “the case is actionable whether [Defendants] did or didn't” collect users' credit card information or other sensitive financial data. (Oral Arg. Tr. 39:9-40:11.) In arguing this point, counsel cited the Ninth Circuit's reasoning in the Facebook Tracking case, which recognized potential wiretapping liability for Facebook's compilation of users' internet browsing data across multiple sites into “cradle-to-grave” profiles of their likes and interests. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 598-99 (9th Cir. 2020). But the facts in Facebook Tracking are not clearly analogous: there is no contention here, as in that case, that the TikTok browser “continued to collect [users'] data after they had logged off,” and it is unclear how data like taps, pauses, or scrolls could provide the same level of invasive insight into a user's identity, even if aggregated over time. Id. And the Ninth Circuit in Facebook Tracking did not consider whether the data at issue conveyed sufficient “substance” to meet the statutory element of “contents,” as that question was not presented on appeal. Id. at 608.
The court need not definitively resolve these issues at this stage, though: Plaintiffs have affirmatively alleged that their “text written” on third-party websites-not merely their keystroke “patterns” or nonverbal interactions-was both recorded and transmitted to the company. (MCC ¶¶ 140, 142, 155, 206-07.) These allegations, taken as true, are sufficient to state an “interception” of “communications” within the meaning of the statute. While Defendants dispute whether the in-app browser in fact collected this kind of data, the Krause Report is merely equivocal on this point, and Plaintiffs deserve the chance to seek answers for themselves. See supra Section II.
2. Party Exception
Next, Defendants argue that they should be exempt from liability under the Act's “party exception.” See 18 U.S.C. § 2511(2)(d). They contend that because the in-app browser was necessary to facilitate TikTok users' interactions with external websites, Defendants were by definition a party to any communications that took place on those websites. See Sloan, 2024 WL 935426, at *4 (dismissing Wiretap Act claim under party exception where “the communication necessarily require[d] Defendants' participation, even if Plaintiffs did not intend to share their information with Defendants”).
The term “party” is not defined in the Wiretap Act, but courts have interpreted it as “one who takes part in the conversation.” Zak v. Bose Corp., No. 17-CV-02928, 2019 WL 1437909, at *3 (N.D. Ill. Mar. 31, 2019) (citing In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 143 (3d Cir. 2015)). The relevant question, then, is “who the intended recipient of the communication was.” Kurowski v. Rush Sys. for Health (“Kurowski I”), 659 F.Supp.3d 931, 938 (N.D. Ill. 2023). This inquiry is relatively simple for telephone calls, see United States v. Pasha, 332 F.2d 193, 198 (7th Cir. 1964) (“Interception connotes a situation in which by surreptitious means a third party overhears a telephone conversation between two persons."), but becomes trickier for electronic communications, which may involve multiple simultaneous exchanges of information. See Google Cookie, 806 F.3d at 140 (“Before we can assess whether the defendants were ‘parties' to the electronic transmissions at issue, we must first identify what, exactly, are the transmissions at issue.”); In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 607 (9th Cir. 2020) (noting that “the party exception must be considered in the technical context of th[e] case [at hand]”).
Plaintiffs' allegations are sufficient to support the inference that TikTok was not a “party” to their communications on the in-app browser. They frame the “communications” in question as TikTok users' keystrokes, taps, and other interactions while browsing external websites. Under this characterization, the user is the sending “party,” and the website is the receiving “party.” See In re DoubleClick Inc. Priv. Litig., 154 F.Supp.2d 497, 514 (S.D.N.Y. 2001) (finding that websites users visited were “parties” to these users' electronic communications). The user's communicative intent is directed towards the website, not the in-app browser, which is merely the “conduit or host” for their communication. S.D. v. Hytto Ltd., No. 18-CV-00688-JW, 2019 WL 8333519, at *8 (N.D. Cal. May 15, 2019). In other words, the in-app browser's status as the medium for users' communications does not elevate it to the status of a participant in those communications. An argument to the contrary would be like saying that a telecommunications provider automatically becomes a party to any conversation that takes place over their phone lines.
As Defendants' counsel pointed out at oral argument, telecommunications providers in this position (and their employees) might still be shielded from liability under the Act's “normal course of employment” and “ordinary course of business” exceptions. (Oral Arg. Tr. 23:13-26:8.) But these exceptions are governed by a distinct set of statutory provisions from the “party exception,” and are discussed separately below. See infra Section IV.A.3.
TikTok's cited cases dismissing Wiretap Act claims under the “party exception” involved technical contexts in which the defendant was inextricably involved in the “communication” in question. The Third Circuit's Google Cookie decision, for example, involved claims against internet advertising businesses who placed their content in ad spaces on websites that the plaintiffs visited. 806 F.3d at 130. The plaintiffs alleged that, in the process of injecting these ads into the websites, the defendant advertisers surreptitiously placed “tracking cookies”-blocks of data containing information about the user's web activity-into the plaintiffs' web browsers, allowing them to track the users' behavior and serve them targeted content on pages visited later. Id. at 130-31. The Third Circuit held that even though the plaintiffs had not consented to the placement of these cookies, the defendants were still the “intended recipients of the transmissions at issue,” since the process of loading websites required the plaintiffs' browsers to send requests for data directly to the defendant advertisers' servers. Id. at 142-43. In Zak v. Bose, meanwhile, the defendant provided an app for controlling its wireless headphones and speakers that included a “now playing” display of content being streamed on these devices via third-party services like Spotify. 2019 WL 1437909, at *1. While the plaintiffs alleged that the app unlawfully “intercepted” data about the media being streamed to enable the defendant to compile information on users' listening preferences, the court held that the defendant was necessarily a party to the “communication” in question since its own app was “the intended recipient of” the streaming data. Id at *4 (citing Google Cookie, 806 F.3d at 143). Similarly, in Sloan v. Anker Innovations Ltd., the defendant was deemed a party because the allegedly intercepted “communication” was sent to its own platform-namely, its security camera transmitted video recordings and data to its app, which then synced this data to cloud storage. 2024 WL 935426, at *4. In all of these cases, the plaintiff (or the plaintiff's device, as a proxy) affirmatively sent some data to the defendant's server or other platform as a necessary condition of their use of the technology at hand. Here, in contrast, there is nothing about Plaintiffs' description of the in-app browser that suggests it could not function without collecting and transmitting users' data to Defendants.
Defendants cite the Seventh Circuit's decision in Pasha for the proposition that TikTok could be deemed a party to Plaintiffs' communications even if Plaintiffs mistakenly believed they were using their device's default browser. See Pasha, 332 F.3d at 198 (holding that police officer who impersonated a recipient of a phone call was still a “party” to the call, albeit not the intended party). But that principle is irrelevant here: the question is not whether Plaintiffs intended TikTok's browser (versus another browser) to be the recipient of their communications, but whether they intended to communicate with any browser at all. Whether or not a given TikTok user believed they were on their default browser or TikTok's, they would presumably intend to direct any communications made on that browser to the hosts of the websites they visited (or to other internet users)-not to the browser itself. See Hytto, 2019 WL 8333519, at *8 (“At no point does [the complaint] allege that users communicated with [defendant] or with [defendant's] app itself.”); Vasil v. Kiip, Inc., No. 16 C 9937, 2018 WL 1156328, at *6 & n.5 (N.D. Ill. Mar. 5, 2018) (“[Defendant] was not a substitute for [the intended recipient of the communication], a la Pasha; allegedly, it surreptitiously received the plaintiffs' information in addition to [the intended recipient]”).
Nor is this a case in which the defendant is the website operator itself. Kurowski, for example, involved Wiretap Act claims against a hospital that deployed analytics source code on its web pages and patients' MyChart health portals to collect their data and transmit it to third parties for advertising purposes. 659 F.Supp.3d at 935. The district court initially dismissed these claims under the party exception, since the hospital “was the intended recipient of the communications” and thus “c[ould] not be liable under the Wiretap Act for its interception of them, if such an interception even occurred.” Id. at 938; see also DoubleClick, 154 F.Supp.2d at 519 (finding that “[defendant]-affiliated Web sites are ‘parties' to plaintiffs' intercepted communications” and . . . consent[ed] to [defendant's] interceptions”). Perhaps for this reason, most of the recent “session replay” litigation over website operators' use of hidden analytics software has been brought under the laws of jurisdictions like Pennsylvania or Florida that do not recognize a “one-party consent” defense. See, e.g., Cook, 689 F.Supp.3d at 66; In re BPS Direct, 705 F.Supp.3d at 352 n.118. This case, in contrast, is arguably a better fit for liability under the federal Wiretap Act-which does recognize such a defense-than either Kurowski or other cases involving the use of analytics software on specific websites. The defendant here is not the website operator (using the telephone analogy, the person on the other end of the phone line), but the browser operator (i.e., the phone company).
After the plaintiffs amended their pleadings several times to add more detail on how their allegedly intercepted data was protected under HIPAA, the Kurowski court later found that they had stated a viable Wiretap Act claim under the “exception to the party exception” that forbids parties' interception of communications “for the purpose of committing any tortious or criminal act” in violation of state or federal law. Kurowski III, 2023 WL 8544084, at *2.
3. “Ordinary Course of Business” Exception
Finally, Defendants seek refuge under the Wiretap Act's exception for electronic communications intercepted in a service provider's “ordinary course of business.” 18 U.S.C. § 2510(5)(a)(ii); see also id. § 2511(2)(a)(i) (related exception for any employee of a service provider who intercepts a communication “in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service”). The Seventh Circuit has not construed the term “ordinary course of business,” and district courts in other jurisdictions have split into competing camps on its meaning. The “narrow” view requires “some nexus between the need to engage in the alleged interception and the [provider's] ultimate business, that is, the ability to provide the underlying service or good.” Matera v. Google Inc., No. 15-CV-04062-LHK, 2016 WL 8200619, at *9 (N.D. Cal. Aug. 12, 2016) (citing In re Google Inc. Gmail Litig., No. 13-MD-02430-LHK, 2013 WL 5423918, at *11 (N.D. Cal. Sept. 26, 2013)). The “broad” view extends the exception to any actions taken in furtherance of a provider's “legitimate business purposes,” including targeted advertising. In re Google, Inc. Priv. Pol'y Litig., No. C-12-01382-PSG, 2013 WL 6248499, at *11 (N.D. Cal. Dec. 3, 2013). The district court in Campbell v. Facebook found both interpretations “persuasive” and noted that the ultimate inquiry must rest on “the details of [the defendant's] business . . . [rather than] a generic, one-size-fits-all approach that would apply the exception uniformly across all electronic communication service providers.” 77 F.Supp.3d 836, 843-44 (N.D. Cal. 2014).
Defendants here have not provided enough detail for the court to conclude that this defense bars Plaintiffs' complaint as a matter of law. For one thing, their only cited case endorsing the “broad” view of the exception, Google Privacy, appears to be an outlier: multiple courts have since rejected its reasoning on the grounds that allowing companies to claim “any revenue-generating practice” as part of their “ordinary course of business” would “permit electronic communication service providers to effectively exempt themselves from the Wiretap Act.” Matera, 2016 WL 8200619, at *8; see Hytto, 2019 WL 8333519, at *8-9. But even if this is the appropriate standard, Defendants have failed to show how the in-app browser's alleged collection of user data is part and parcel of their “customary and routine” advertising practices. Google Privacy, 2013 WL 6248499, at *10. Rather, Defendants are “attempting to have it both ways” by both denying the truth of Plaintiffs' “advertising-related allegations,” but also contending that these allegations- if true-would entitle them to the exception. Campbell, 77 F.Supp.3d at 844. Defendants are indeed allowed to argue these positions in the alternative, but their “unwillingness to offer any details regarding [their] targeted advertising practice prevents the court from being able to determine whether the specific practice challenged in this case should be considered ‘ordinary.'” Id.
Defendants' argument under the “narrow” version of the exception, meanwhile, is that the in-app browser collects users' data only for “debugging, troubleshooting, and performance monitoring” functions that are necessary to keep the App running smoothly. But this simply rehashes the factual dispute over the true purpose of the accused code, a dispute discussed at length above. See supra Sections II, IV.A.1. Because Plaintiffs have plausibly alleged that the browser does not collect data solely for these purposes, it would be “premature” to apply the exception on this basis now. Hytto, 2019 WL 8333519, at *9. Defendants will be “free to raise [their] ‘ordinary course of business' argument again at summary judgment.” Id. (citing Campbell, 77 F.Supp.3d at 845).
At oral argument, TikTok's counsel asserted that the in-app browser's JavaScript injections are meant to allow the company to “see if a Web page is loaded properly or if there is malicious activity going on,” such as “if it's registering a million keystrokes within a given minute more than a normal human would do . . . [o]r if there is no activity, [suggesting that] the Web page is broken or there is something wrong with the link.” (Oral Arg. Tr. 13:3-14.) While this statement is outside the four corners of the complaint and need not be considered for purposes of the motion to dismiss, it forecasts a potentially significant issue for summary judgment.
B. State-Law Wiretapping and Eavesdropping Claims
In addition to their federal Wiretap Act claim, Plaintiffs bring parallel wiretapping and eavesdropping claims under the laws of California, Florida, Illinois, and Pennsylvania. The California claims are brought on behalf of both the Nationwide Class and the California Subclass, while the remaining state-law claims are brought on behalf of the Florida, Illinois, and Pennsylvania Subclasses alone. Because these laws overlap significantly with both the federal Act and with each other, the court will address Plaintiffs' state wiretapping and eavesdropping claims in tandem.
See Cal. Penal Code § 631(a) (prohibiting nonparties from either (1) “tap[ping], or mak[ing] any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument,” or (2) “us[ing] any machine, instrument, or contrivance” in an “unauthorized manner” to “learn the contents or meaning of” a “communication”); id. § 632(a) (prohibiting anyone from intentionally “us[ing] an electronic amplifying or recording device to eavesdrop upon or record [a] confidential communication” taking place in person or “by means of a telegraph, telephone, or other device” without the consent of all parties to that communication”); Fla Stat. § 934.03(1)(a) (prohibiting “intentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept any wire, oral or electronic communication”); 720 ILCS 5/14-2(a) (prohibiting “knowingly and intentionally . . . intercept[ing], record[ing], or transcrib[ing], in a surreptitious manner, any private electronic communication to which he or she is not a party unless he or she does so with the consent of all parties to the private electronic communication,” as well as “[u]sing or disclos[ing] any information from which he or she knows or reasonably should know was obtained from a private conversation or private electronic communication . . . with[out] the consent of all of the parties”); 18 Pa. Cons. Stat. § 5703(1) (prohibiting “intentionally intercept[ing], endeavor[ing] to intercept, or procur[ing] any other person to intercept or endeavor to intercept any wire, oral or electronic communication”).
1. Interception of Communications
First, Defendants argue that Plaintiffs have not plausibly alleged that any of their communications were actually intercepted, as required by all of their state-law wiretapping and eavesdropping claims. See Cal. Penal Code §§ 631(a), 632(a); Fla. Stat. § 934.03(1)(a), (c)-(d); 720 ILCS 5/14-2(a)(3), (5); 18 Pa. Cons. Stat. § 5703. Most of their arguments on this front, like their attack on Plaintiffs' federal Wiretap Act claim, simply retread their general contentions that the Krause Report disproves any collection of data and that Plaintiffs have not pleaded enough personal details. The court rejects those arguments as applied to the CIPA, IEA, and WESCA claims for reasons already stated. See supra Sections I, II. Only Defendants' challenge to Plaintiff Steve Berrios's FSCA claim merits more specific discussion.
Plaintiff Berrios is the only named Plaintiff in the Master Consolidated Complaint who resides in Florida and asserts claims under the FSCA. (See MCC ¶ 8.)
The FSCA's language is modeled after the federal Wiretap Act and is interpreted similarly. See Minotty v. Baudo, 42 So.3d 824, 831 (Fla. Dist. Ct. App. 2010). In particular, the FSCA follows the federal Act in limiting “interceptions” to the “contents” of a communication, and in excluding “tracking” device transmissions from its definition of “electronic communications.” Fla. Stat. § 934.02(3), (7) (12)(c); see 18 U.S.C. § 2510(4), (8), (12)(c). In 2021, a Florida trial court interpreted these provisions (among others) to conclude that the FSCA “definitionally exclude[s]” session replay claims against website providers. Jacome v. Spirit Airlines Inc., No. 2021-000947-CA-01, 2021 WL 3087860, at *3 (Fla. Cir. Ct. June 17, 2021). Multiple federal district courts have since followed the Jacome court's lead. See Connor v. Whirlpool Corp., No. 21-CV-14180-WPD, 2021 WL 3076477, at *2 (S.D. Fla. July 6, 2021) (citing Jacome, 2021 WL 3087860, at *4); Goldstein v. Luxottica of Am., Inc., 2021 WL 4093295, at *2-3 (S.D. Fla. Aug. 23, 2021) (same); Goldstein v. Costco Wholesale Corp., 559 F.Supp.3d 1318, 1320-21 (S.D. Fla. 2021) (same).
Defendants contend that Plaintiffs' FSCA claim fails for multiple independent reasons under this line of caselaw. They contends that the FSCA does not apply to “commonplace analytics software [used] to improve a website browser['s] experience,” both because this kind of software does not intercept the “contents” of any communication, and because the statutory exception for “tracking” devices applies to software that “tracks a website browser's movements.” Jacome, 2021 WL 3087860, at *3-4. And indeed, if TikTok's in-app browser really does capture nothing more than a user's “movements” (such as scrolls, taps, and button presses), then their FSCA claim poses the same concerns as already noted about their federal wiretapping claim. See supra Section IV.A.1.
As before, however, the court need not definitively reach the issue. Plaintiffs have adequately alleged that their writings on third-party websites-and not just their nonverbal interactions-were collected. See Katz-Lacabe v. Oracle America, Inc., No. 22-CV-04792-RS, 2023 WL 6466195, *at 5 (N.D. Cal. Oct. 3, 2023) (distinguishing Jacome in finding that “transmissions containing ‘data entered by the users into forms' on various websites . . . [may] constitute electronic communications under the FSCA” (quoting In re Pharmatrak, 329 F.3d at 18)). The Jacome court likened “session replay” software to a “silent video” of users' interactions with websites, a type of surveillance beyond the purview of both the FSCA and the federal Act. Jacome, 2021 WL 3087860, at *4 (citing Minotty, 42 So.3d at 832). But Plaintiffs here claim that TikTok's browser collects not only users' “movements,” but also text strings of “personal information, contact information, [and] credit card information” via their keystrokes. (MCC ¶¶ 514.) And while the Jacome court listed “keystrokes, search terms, [and] information inputted by Plaintiff” among the types of data it found incapable of “convey[ing] the substance or meaning of any message,” to the extent this is meant to suggest that such data can never be substantive under the FSCA, this court simply disagrees with its read of the analogous federal caselaw. Jacome, 2021 WL 3087860, at *4 (citing In re Zynga Priv. Litig., 750 F.3d at 1106); see A.D., v. Aspen Dental Management, Inc., No. 24 C 1404, 2024 WL 4119153, at *6 (N.D. Ill. Sept. 9, 2024) (noting that Jacome is not clearly “binding precedent” in allowing FSCA claim to proceed). Plaintiff Berrios's FSCA claim may proceed for now.
The Jacome court also concluded that the FSCA's “tracking device” exception applies to software that “tracks a website browser's movements.” Jacome, 2021 WL 3087860, at *4. But the FSCA's “tracking” device exception is almost identical to the federal Wiretap Act's, and the definition of “tracking device” under federal law has traditionally been applied to devices that track a user's physical location in space, such as GPS transponders (and more recently, cell phones). See In re Ord. Authorizing Prospective & Continuous Release of Cell Site Location Recs., 31 F.Supp.3d 889, 896-99 (S.D. Tex. 2014) (citing 18 U.S.C. § 3117); Vasil, 2018 WL 1156328, at *9 (interpreting the IEA's equivalent “tracking” exception to apply to “the collection of geo-locational data”). But see Costco, 559 F.Supp.3d at 1321 (“Although the tracking in this case is virtual rather than physical, the Court finds that the plain language of the [FSCA] exempts the sort of tracking that triggered this action.”).
2. Party Exception
Both Section 631(a) of CIPA and the IEA, like the federal Wiretap Act, recognize a one-party exception in the context of electronic communications. See Facebook Tracking, 956 F.3d at 607 (citing Cal. Penal Code § 631(a)); Kurowski II, 683 F.Supp.3d at 853 (citing 720 ILCS 5/14-2(a)(3), 5/14-6). Defendants thus repeat the same argument they made against the federal wiretapping claim in seeking dismissal of Plaintiffs' claims under these statutes-that TikTok was necessarily a “party” to any “communications” that took place on the in-app browser. Because the court has already concluded that Plaintiffs' allegations about the browser's functionality are sufficient to plausibly suggest that TikTok was not a party, Defendants' parallel challenge on this front fails. See supra Section IV.A.2.
3. “Confidential” or “Private” Communications
Several of Plaintiffs' state-law eavesdropping claims include an additional element: that the content of the intercepted communication in question must be “confidential” or “private.” See Cal. Penal Code § 632(a); 720 ILCS 5/14-2(a)(3); cf. Peters v. Mundelein Consol. High Sch. Dist. No. 120, No. 21 C 0336, 2022 WL 393572, at *10 (N.D. Ill. Feb. 9, 2022) (noting that the federal Wiretap Act's “definitions of “wire and electronic communications do not require a showing that the speaker had a reasonable expectation of privacy” (citing 18 U.S.C. § 2510(1), (2))).
Plaintiffs have pleaded facts sufficient to meet this element of their CIPA and IEA claims: they allege that they had a “reasonable expectation of privacy” in the personal and financial information that they claim to have been collected by the in-app browser. (MCC ¶¶ 169-75.) While Defendants argue that Plaintiffs' data is no more than “public shopping behavior” akin to a user's movements in a brick-and-mortar store, Cook, 2023 WL 5529772, this characterization applies at most to their nonverbal taps, scrolls, and pauses-not the text of “sensitive, personal information” like their passwords, addresses, or credit card numbers, India Price, 2024 WL 221437, at *3. Again, if it ultimately emerges that Plaintiffs' intercepted data was not in fact private, Defendants may reassert this defense at summary judgment.
While Defendants also lump the FSCA in with this group, there is conflicting authority on whether it too requires a reasonable expectation of privacy in the underlying communications. Compare Jacome, 2021 WL 3087860, at *6 (concluding that it does), with Katz-Lacabe, 2023 WL 6466195, at *5 n.10 (noting that the statute's definition of “electronic communication,” like its federal analogue, “contains no reference to expectations of privacy”).
Indeed, to the extent the “confidentiality” requirement in CIPA and like statutes operates as a codified analogue to TransUnion's requirement that data-breach or data-collection harms must resemble a common-law privacy tort (like intrusion upon seclusion) to confer Article III standing, Plaintiffs have already cleared this bar for the reasons described above. See supra note 4.
4. Service Provider Exception
Finally, Defendants mount a challenge to Plaintiff Bradley Fugok's WESCA claim under that statute's “service provider” exception, which states that “[i]t shall not be unlawful . . . for . . . a provider of wire or electronic communication service . . . to intercept, disclose, or use [a] communication . . . while engaged in any activity which is a necessary incident to the rendition of his service ....” 18 Pa. Cons. Stat. § 5704(1). As courts have recognized, the WESCA's service provider exception mirrors-and should be construed similarly to-the federal Wiretap Act's “ordinary course of business” exception. See Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 113 n.6 (3d Cir. 2004). Defendant's challenge to Fugok's WESCA claim thus fails since, as stated, Plaintiffs have plausibly alleged that the collection of their data via the in-app browser was neither necessary for TikTok's targeted advertising business (under the broad version of that exception) nor for maintaining the App's functionality (under the narrow version). See supra Section IV.A.3.
C. California Unfair Competition Law Claims
In addition to their claims under federal and state wiretapping laws, Plaintiffs also bring claims under California's Unfair Competition Law on behalf of both the Nationwide Class and California Subclass. Broadly, they allege that Defendants engaged in “unlawful, unfair, [and] fraudulent” business acts and practices by collecting their data via the in-app browser without properly disclosing as much. See Cal. Bus. & Prof. Code § 17200.
The UCL requires “that a plaintiff have ‘lost money or property' to have standing to sue,” which courts have interpreted to require that a plaintiff “demonstrate some form of economic injury” that was caused by the defendant's conduct. Griffith v. TikTok, Inc., 697 F.Supp.3d 963, 976 (C.D. Cal. 2023) (quoting Kwikset Corp. v. Superior Ct., 51 Cal.4th 310, 323, 246 P.3d 877, 885 (2011)); see Cal. Bus. & Prof. Code § 17204. This makes the UCL's threshold “standing” inquiry substantially more stringent than federal standing under Article III. Id. To plausibly plead a UCL claim in the data-privacy context, Plaintiffs must allege that they suffered some sort of financial or property harm as a result of the in-app browser's interception of their data. Bass v. Facebook, Inc., 394 F.Supp.3d 1024 (N.D. Cal. 2019). Courts have split, however, on whether a defendant's misappropriation of personal information-without more-can confer UCL standing in this context. A.B. ex rel. Turner v. Google LLC, No. 23-CV-03101-PCP, 2024 WL 3052969, at *6-7 (N.D. Cal. June 18, 2024) (collecting cases).
The Master Consolidated Complaint fails to allege any particularized financial or property harm that Plaintiffs suffered from the App's collection of data. Plaintiffs do not claim, for instance, that they lost money or incurred other direct costs as a result of Defendants' conduct through the in-app browser. Cf. Weizman v. Talkspace, Inc., 705 F.Supp.3d 984, 989 (N.D. Cal. 2023) (finding economic injury element of UCL standing satisfied where plaintiff purchased services on defendant's platform and alleged that she “would not have [done so] . . . if she had known that it would enter her into an automatically renewing subscription plan without her permission”). Nor do they provide any personalized details about the financial value of the information that they allege to have been intercepted. Cf. Brown v. Google LLC, No. 20-CV-03664-LHK, 2021 WL 6064009, at *15 (N.D. Cal. Dec. 22, 2021) (finding that plaintiffs adequately alleged UCL standing by providing “detailed allegations” on how “the ‘cash value' of the data which [defendant] collected ‘c[ould] be quantified'” via the defendant's own service). Rather, Plaintiffs make general statements on the commodity value of data in the digital economy and how their own data might theoretically be monetized in the future. (MCC ¶¶ 157-68). They seek to proceed under “diminished value” and “right to exclude” theories of UCL standing, contending that Defendants have impaired their ability to profit from the use of their data and infringed upon their inherent property rights in this data. In re Meta Pixel Tax Filing Cases, No. 22-CV-07557-PCP, 2024 WL 1251350, at *24-25 (N.D. Cal. Mar. 25, 2024). But “just because [this] data is valuable in the abstract, and because [defendant] might have made money from it, does not mean that Plaintiffs have ‘lost money or property' as a result.” Hazel v. Prudential Fin., Inc., No. 22-CV-07465-CRB, 2023 WL 3933073, at *6 (N.D. Cal. June 9, 2023) (emphasis added).
Recognizing that there is conflicting authority on this point, in the absence of any clear guidance to the contrary from the California Supreme Court, this court will follow the more conservative read of the UCL's standing requirements. See Murphy v. Kochava Inc., No. 2:23-CV-00058-BLW, 2023 WL 6391061, at *9-10 (D. Idaho Oct. 2, 2023) (collecting state and federal cases “dismiss[ing] informational-privacy claims resting on bald references to the ‘economic value' of a plaintiff's information”). Plaintiffs' allegations may be sufficient for Article III injury-in-fact purposes, but they are not enough to plead a violation of the UCL under clearly established state law. See Hazel, 2023 WL 3933073, at *6 (granting motion to dismiss UCL claim on statutory standing grounds while allowing other claims to proceed in federal court); Griffith, 697 F.Supp.3d at 978 (same); Campbell, 77 F.3d at 849 (same); A.D., 2024 WL 4119143, at *8 (same). Plaintiffs' UCL claim is therefore dismissed with leave to replead facts that would satisfy the UCL's “economic injury” requirement.
D. State-Law Unjust Enrichment Claims
Finally, Defendants challenge Plaintiffs' unjust enrichment claims brought under the laws of their various states. Broadly, unjust enrichment is a doctrine that allows for “liability in restitution” against a party who receives a benefit from another party under circumstances that would make it inequitable for them to retain that benefit. Restatement (Third) of Restitution and Unjust Enrichment § 1 & cmt. a (Am. L. Inst. 2011); see Hartford Cas. Ins. Co. v. J.R. Mktg., L.L.C., 61 Cal.4th 988, 998, 353 P.3d 319, 326 (2015); Pincus v. Am. Traffic Sols., Inc., 333 So.3d 1095, 1097 (Fla. 2022); Gagnon v. Schickel, 2012 IL App (1st) 120645, ¶ 25, 983 N.E.2d 1044, 1052; Wilson Area Sch. Dist. v. Skepton, 586 Pa. 513, 520, 895 A.2d 1250, 1254 (2006). States vary in their treatment of unjust enrichment as a separate and independent cause of action, as well as in the prima facie elements needed to state such a claim. See In re 100% Grated Parmesan Cheese Mktg. & Sales Pracs. Litig., 348 F.Supp.3d 797, 816-17 (N.D. Ill. 2018) (surveying state laws), rev'd in part on other grounds sub nom. Bell v. Publix Super Markets, Inc., 982 F.3d 468 (7th Cir. 2020).
The court will not dismiss Plaintiffs' unjust enrichment claims at this juncture. Defendants argue that since their statutory claims provide an adequate remedy at law for the same accused conduct, their unjust enrichment claims are duplicative and risk allowing “double recovery.” Smith v. RecordQuest, LLC, 989 F.3d 513, 520 (7th Cir. 2021). But this presumes the success of those other claims: at this stage, Rule 8(d) permits Plaintiffs to plead in the alternative so that “if [they] cannot prove some of [their] statutory claims later in litigation, [they] might still be able to prevail on [their] claim[s] for unjust enrichment.” Kahn v. Walmart Inc., 107 F.4th 585, 606 (7th Cir. 2024); see Parmesan Cheese, 348 F.Supp.3d at 816-17 (finding that “it would be premature to dismiss [MDL plaintiffs'] “unjust enrichment claims at the pleading stage” for this same reason); In re Generac Solar Power Sys. Mktg., Sales Pracs., & Prod. Liab. Litig., No. 23-MD-3078, 2024 WL 2519778, at *8 (E.D. Wis. May 24, 2024) (same); In re Vizio, Inc., Consumer Priv. Litig., 238 F.Supp.3d 1204, 1233-34 (C.D. Cal. 2017) (same). The court will construe the Master Consolidated Complaint to plead unjust enrichment only in the alternative to any adequate remedy at law.
Whether the unjust enrichment claims could be independently maintained in this scenario may turn, in part, on the applicable state law. Compare Bruton v. Gerber Prod. Co., 703 Fed.Appx. 468, 470 (9th Cir. 2017) (observing that unjust enrichment “c[an] be sustained as a standalone cause of action” under California law), with Cleary v. Philip Morris Inc., 656 F.3d 511, 516-18 (7th Cir. 2011) (declining to “resolve definitively whether Illinois law recognizes unjust enrichment as an independent cause of action,” but noting that “if an unjust enrichment claim rests on the same improper conduct alleged in another claim, then the unjust enrichment claim will be tied to . . . [and] will stand or fall with the related claim”). For this reason, the court here limits its analysis in this section to the unjust enrichment laws of the states for which Plaintiffs have defined subclasses: California, Florida, Illinois, and Pennsylvania. (See MCC ¶¶ 319, 339, 355, 377.) While the Complaint insinuates that the Nationwide Class's unjust enrichment claims could ultimately arise under the laws of “every other state” in which any class member resided (MCC ¶ 264), that would be unsupportable under Rule 23's requirement that the named Plaintiffs bring claims “typical” of those of the class. See FED. R. CIV. P. 23(a)(3). The court need not, however, reach the issue of which of Plaintiffs' state-law unjust enrichment claims can stand independently at this time: since most of Plaintiffs' statutory claims “survive dismissal, there remain several claims on which to ground the . . . unjust enrichment claims” for purposes of the 12(b)(6) motion. Parmesan Cheese, 348 F.Supp.3d at 817.
The Complaint does not expressly state as much. Cf. Hernandez v. Ill. Inst. of Tech., 63 F.4th 661, 672 (7th Cir. 2023) (reversing dismissal of unjust enrichment claim where plaintiffs' complaint “expressly state[d] that [it] ‘is pled in the alternative to . . . the[ir] contractbased claim'”). But Plaintiffs have clarified in their opposition papers that they are doing so, and the court will hold them to this as a condition of allowing their unjust enrichment claims to proceed. (See Opp. Mot. Dismiss [68] at 25.)
Defendants also argue that TikTok's Terms of Service and Privacy Policy are an “express contract” governing the parties' relationship that displaces any action for unjust enrichment. Letizia v. Facebook Inc., 267 F.Supp.3d 1235, 1253 (N.D. Cal. 2017); see Gagnon, 2012 IL App (1st) 120645, ¶ 19, 983 N.E.2d at 1053; Wilson Area Sch. Dist., 586 Pa. at 520, 895 A.2d at 1254; Restatement (Third) of Restitution and Unjust Enrichment § 2(2). But Plaintiffs have not alleged a claim of breach of these Terms of Service and, more importantly, dispute that the Terms and Privacy Policy encompass the alleged data collection at issue here. See supra Section III. Because “there is a fundamental dispute between the parties concerning the scope of th[eir] contractual relationship and whether it definitively defines [Defendants'] obligations with respect to . . . Plaintiffs' [data],” the Terms of Service do not defeat Plaintiffs' unjust enrichment claims at this stage. In re Cap. One Consumer Data Sec. Breach Litig., 488 F.Supp.3d 374, 412 (E.D. Va. 2020); see In re Google Location Hist. Litig., 514 F.Supp.3d 1147, 1159 (N.D. Cal. 2021) (denying motion to dismiss unjust enrichment claim where plaintiffs alleged that “surreptitious collection and storage of location data . . . [was] not included in the ‘subject matter' covered by [defendant's] Terms of Service or Privacy Policy”).
Finally, Defendants contend that Plaintiffs fail to state a prima facie claim of unjust enrichment because they have not plausibly alleged TikTok “benefited” from any purported data collection through the in-app browser in a way that was “unjust.” But Defendants do not ground this objection in any particular state's law-rather, they merely retread the general plausibility and consent challenges that have already been considered and rejected above. Because Plaintiffs have plausibly alleged “an actionable wrong” in the collection of their data, and have alleged that Defendants monetized this data for their own benefit, the court finds their unjust enrichment claims legally sufficient. Google Location Hist., 514 F.Supp.3d at 1160.
CONCLUSION
Defendants' Motion to Dismiss Plaintiffs' Master Consolidated Complaint [55] is granted without prejudice as to Plaintiffs' Fourth Nationwide Claim for Relief and Third California Claim for Relief under the UCL, and is otherwise denied.