Among the many concerns that arise whenever unauthorized appropriation or use of consumer data occurs is the possible violation of the consumers’ privacy that the access may represent. In numerous cases, aggrieved parties have tried to assert claims for these alleged privacy violations, but by and large these attempts have not been successful. However, as Northwestern Law School Professor David A. Dana (pictured) discusses in the following guest post, there has been a series of recent decisions in California that may prove very valuable for future claimants seeking to assert privacy claims for unauthorized disclosure or use. A version of this article previously was published in the May 2015 issue of Internet Law and Business (here).
I would like to thank Professor Dana for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Professor Dana’s guest post.
A burgeoning area of litigation involves claims that Internet and digital companies like Google, Facebook, and Twitter have insufficiently protected or actively appropriated user’s personal information. Because of the enormous numbers of users and hence enormous number of potential plaintiffs in such cases, which invariably are framed as putative class actions, potential liability for defendants is enormous. However, the district courts have repeatedly dismissed such suits for lack of Article III standing and/or for failure to state a claim. This Article addresses a recent quartet of decisions that may reflect a precedential gold mine for plaintiffs bringing claims for unconsented-to disclosure or use of their personal information. Two of these decisions come from the Ninth Circuit: In re Facebook Litig., _ Fed. App’x _, No. 12-151619, May 8, 2014 (“Facebook”), which is an unpublished memorandum opinion, and Astiana v. Hain Celestial (“Astiana”), No. 12-17596, April 10, 2015, which is an opinion designated for publication. Two of the decisions come from the Northern District of California: Opperman v. Path, Inc., Case 13-cv-00453-JST, March 23, 2015 (“Opperman”), and Svenson v. Google, Inc., Case No. 13-cv-04080-BLF, April 1, 2015 (“Svenson”).
Taken together, these decisions suggest that claims alleging certain California statutory and common law violations involving use or disclosure of the personal information of customers by technology companies can survive a motion to dismiss even with very general, even arguably vague, allegations. Specifically, claims under California’s Unfair Competition Law (“UCL”) and Consumer Legal Remedies Act (“CLRA”) and claims for common law breach of contract and fraud and perhaps unjust enrichment now appear to be able to survive a motion to dismiss even when (1) there are no allegations of individual plaintiff reliance on alleged misrepresentations; (2) there are no particularized factual allegations backing up general allegations that the services or products received by plaintiffs were worth less than they would have been worth had promised protections for personal information been afforded; and/or (3) there are no particularized factual allegations backing up general allegations plaintiffs lost economic opportunities because they could not sell their personal information for as much or at all once that information was disclosed or shared with others by the technology company whose product or service was purchased. One of these cases, Opperman, also establishes that partial disclosures by a company of the risk that users’ personal information may be used or disclosed does not eliminate the risk of fraud or other claims against the company, but instead can form the basis of an active concealment claim.
This apparent shift in the case law involving California law may be a response to recent attention in the media to the problem of inadequate security for personal information; perhaps the Courts believe that these personal information suits should be allowed to at least proceed to discovery, as a way to help keep corporate giants like Google “on their toes.”
Whatever the motivations behind these recent cases, they leave a number of questions open. While these cases can be distilled for the proposition that generalized allegations will suffice for purposes of surviving a motion to dismiss, it is not completely clear where the line is between sufficient, albeit generalized, pleading and excessively generalized and hence insufficient pleading. This is especially the case with respect to the question of when plaintiffs can plead their way of out of needing to allege individual reliance under Opperman. Moreover, the Ninth Circuit may well choose to revisit the decisions in Facebook, which is only an unpublished memorandum, and Astiana, which is a very thinly reasoned, arguably incoherent opinion. District courts, at least outside the Northern District of California, may choose not to follow these decisions or seek to distinguish them. Finally, and most notably, the quartet of decisions discussed below only go the question of whether a complaint will survive a motion to dismiss; they do not suggest that these suits will be successful at the summary judgment phase of litigation. Courts could allow claims to go past the motion to dismiss phase of litigation, but then hold plaintiffs to a high standard regarding proof of their allegations.
Fraud, Misrepresentation, Deceit, And Active Concealment Claims
In Opperman, Judge Tigar of the Northern District of California issued an opinion that may invigorate efforts to hold companies accountable for their advertising regarding privacy protections for personal data. In a putative class action alleging violations of the UCL, CLRA, and other statutes, the plaintiffs argued that Apple fraudulently represented that their personal information would be protected by Apple, and that Apple concealed the fact that it knew personal information of users in fact had not been protected as promised. Ordinarily, in a state law fraud action of this sort, purchasers of a product or service would have to allege individual reliance on particular misrepresentations made by the defendant. But here Judge Tigar denied the motion to dismiss the fraud claims, even though plaintiffs alleged no individual reliance. Judge Tigar interpreted California law as allowing fraud actions to proceed without individual-reliance allegations where there was “an extensive and long-term advertising campaign” by the defendant regarding its promises to protect personal information. According to Opperman, Federal Rule of Civil Procedure 9(b) in this context does not require more particular pleading than would be required in a state court. Moreover, Judge Tigar interpreted “an extensive and long-term advertising campaign” in a way that may be quite useful to future plaintiffs. The Court also held that plaintiffs had adequately alleged that Apple had acted unlawfully in failing to disclose it exclusive knowledge that personal information was not being protected and in actively concealing those same facts.
According to Opperman, even statements made by Apple before the product launch at issue could be counted as part of the advertising campaign. In addition, statements made by third parties and the media could be considered part of the campaign, given that Apple allegedly sought out such “buzz.” Even though the statements regarding “security” and the like were varied and directed at different audiences, they could constitute a single campaign.
Opperman does not establish a bright line as to how many or what sort of alleged misrepresentations are needed in order to adequately allege that there was “an extensive and long-term advertising campaign” of fraudulent representations. Judge Tigar found that the twenty plus examples of security-related representations were sufficient, and seemed to suggest that far fewer than twenty alleged misrepresentations might be two few. It appeared to help the plaintiffs that at least a few of the alleged misrepresentations were particular enough – for example, “[a]pplications on the device are ‘sandboxed’ so they cannot access data stored by other applications” – that they were “capable of being proven false.”
For technology companies and their lawyers, Opperman creates a kind of quandary. On the one hand, a company may well want to advertise to current and potential customers it personal information/data privacy protections as a way of keeping and wooing customers from possible competitors and increasing sales. On the other hand, if the company does advertise, advertisements may ex post be deemed “an extensive and long-term advertising campaign” and used as a basis for expensive class action litigation against the company.
Breach Of Contract – Deprivation Of The Benefit of The Bargain
To state a breach of contract claim, plaintiffs must be able to plead some contract damages, which means they must be able to allege some cognizable economic injury. Likewise, to the extent that the UCL allows claims based on “unlawful” conduct and conduct in breach of contract is unlawful, plaintiffs bringing a UCL claim based on contract violations also must allege economic injury, because such injury is an explicit requirement for a UCL cause of action. A concrete injury, which usually would mean an economic injury in the personal information/data security context, is also required for Article III standing.
The big question for plaintiffs pursuing claims in the personal information/data security context is how far will the courts go in accepting a “creative” theory of economic injury when there is no very straightforward theory available to the plaintiffs. One such theory that plaintiffs lawyers have offered is a lost-benefit-of-the-bargain or overpayment theory, which contends that when the purchaser of a computer product or service that promises privacy protection buys the product or service but does not receive the promised protection, that person has overpaid for the product or service, and the economic injury consists of the difference between the purchase price that was paid and the lesser price that would have been paid had the good or service been explicitly offered as lacking in privacy protection.
One problem with his theory is that plaintiffs may be hard pressed to prove – or even credibly allege – that they paid more for a product or service because of promised protection. Indeed, in In re Linked User Privacy Litigation, 932 F.Supp.2d 1089 (2013), Judge Davila of the Northern District of California dismissed privacy-related claims against users of Linked-In’s premium service, in part because Linked-In promised the same protections to premium and non-premium users and hence it could not be presumed premium users paid for promised privacy protection.
In Svenson, however, Judge Freeman of the Northern District of California refused to dismiss a breach of contract claim in a case where there was arguably an absence of particularized factual allegations supporting the claim plaintiffs paid more than they would have had they not been promised privacy protections. The Court pointed to two allegations made by plaintiffs: that “[t]he services Plaintiff and Class Members ultimately received in exchange for Defendants’ cut of the App purchase price – payment processing, in which their information was unnecessarily divulged to an unaccountable third party – were worth quantifiably less than the services they agreed to accept, payment processing in which the data they communicated to Defendants would only be divulged under circumstances which never occurred. . . .” and “[h]ad Plaintiff known Defendants would disclose her Packets Contents, she would not have purchased the ‘SMS MMS to Email’ App from Defendants.” These allegations were deemed “sufficient to show contract damages under a benefit of the bargain theory,” even though the slightly more general allegations in a prior version of the complaint had been deemed insufficient by the same judge. One alleged fact in the amended complaint that may have been persuasive for Judge Freeman was that Google did receive a share of the payment for an “App” plaintiffs made, and was not providing processing for free. Overall, at least where the defendant did receive payment for a product or service – which would seem to be most cases – Svenson seems to allow a benefit-of-the-bargain contract claim as long as the plaintiff very explicitly alleges that they regarded privacy or security protections as part of the bargain and would not have paid what they paid had they known privacy or security would not be provided. Thus, it should be quite easy – and courts one day swamped with suits may find, too easy – for plaintiffs to allege economic injury in the form of deprived benefit of the bargain in the personal information/data security context.
Breach of Contract – Loss Of Market Opportunity
A second theory for contract damages in the personal information/data security setting is that purchasers of a service or product lost an opportunity to sell their own personal data when a company that promised to preserve the privacy or security of their personal information actually uses or discloses that information for its own purposes. A line of federal district cases, including ones from the Northern District of California, held that general allegations that the plaintiffs lost an opportunity to sell their own personal information as a result of contractual violations of privacy or data security promises were insufficient to satisfy the requirement that plaintiffs allege Article III economic injury and/or damages as part of a breach of contract claim. However, in the unpublished memorandum opinion in Facebook, the Ninth Circuit held that where “[p]laintiffs allege[d] that the information disclosed by Facebook . . . harmed” them because they “los[t] the sales value of that information,” the allegations were sufficient to show the element of damages for their breach of contract claim. In reversing the district court’s dismissal of the contract claim against Facebook, the Ninth Circuit, albeit in an opinion that lacks binding authority under Ninth Circuit rules, signaled that plaintiffs need do no more than allege what the Facebook plaintiffs alleged in order to have a breach of contract claim survive a motion to dismiss. And the Facebook plaintiffs had not alleged facts supporting their general allegation that they lost an opportunity to sell their own personal information due to Facebook’s alleged misconduct.
Judge Freeman in Svenson explained that the case law prior to the Ninth Circuit’s decision in Facebook – case law Google largely relied upon – was inapposite because the Ninth’s Circuit’s decision changed what was required for plaintiffs to allege. For Judge Freeman, the Ninth Circuit’s decision appeared to be governing even though it is a memorandum decision. Judge Freeman may have taken this position because even though the Facebook memorandum opinion is inconsistent with prior district court rulings, it is not even arguably inconsistent with any other Ninth Circuit opinions, as the Ninth Circuit had not previously addressed this issue.
As Judge Freeman explained, the Ninth Circuit in Facebook did not require an explication of precisely how personal information was diminished in value as part of a well-pled contract claim. Thus, even though the plaintiffs in Svenson alleged only that there is a “robust market” for the information at issue and as a result of Facebook’s actions, plaintiffs were deprived of their ability to sell their own personal data on the market,” those allegations were found to be sufficient.
Taken together, the Ninth Circuit’s decision in Facebook and Svenson suggest that, at least in the Northern District of California, bare allegations of loss of value in personal information will suffice. That is certainly how litigants in that District are treating the current state of the law, as evidenced by both the plaintiffs’ and defendants’ briefs in In re Google, Inc. Privacy Litigation, No. 12-CV-01382 PSG, before Judge Grewal, in which the parties seem to agree that the law has shifted with Facebook and Svenson, but disagree whether diminution in value of personal information is actually at issue in their case or whether their case only relates to alleged loss in battery life and bandwidth.
If plaintiffs in personal information/data security cases can avoid alleging contract claims and can instead allege unjust enrichment, then they might be able to avoid alleging contract damages, which outside of the Northern District of California, can be difficult (although they still need to allege economic injury for Article II purposes). However, under California law, it has generally been understood that unjust enrichment is not a stand-alone action but rather a remedy that can be sought after a stand-alone claim like breach of contract or fraud is adequately pled. Nonetheless, the Ninth Circuit’s recent decision in Astiana perhaps suggests plaintiffs in personal information/data security cases could plead unjust enrichment as a distinct clause of action under a quasi-contract theory, even though the unjust enrichment/quasi-contract theory claim would look just like a breach of contract or fraud claim. The Ninth Circuit’s analysis in Astiana is quite brief, and here is the key passage:
As the district court correctly noted, in California, there is not a standalone cause of action for “unjust enrichment,” which is synonymous with “restitution.” . . . . However, unjust enrichment and restitution are not irrelevant in California law. Rather, they describe the theory underlying a claim that a defendant has been unjustly conferred a benefit “through mistake, fraud, coercion, or request.” 55 Cal. Jur. 3d Restitution § 2. . . . When a plaintiff alleges unjust enrichment, a court may “construe the cause of action as a quasi-contract claim seeking restitution.” . . . . Astiana alleged in her First Amended Complaint that she was entitled to relief under a “quasi-contract” cause of action because Hain had “entic[ed]” plaintiffs to purchase their products through “false and misleading” labeling, and that Hain was “unjustly enriched” as a result. This straightforward statement is sufficient to state a quasi- contract cause of action.
The Ninth Circuit’s reasoning in Astiana is unpersuasive, in that it seems to sanction exactly what it explicitly states is impermissible under California law – the pleading of a stand-alone, separate cause of action for unjust enrichment. If all one must do is add the label “quasi-contract” to an unjust enrichment cause of action, then there is no real constraint on the pleading of what are in substance stand-alone unjust enrichment causes of action under California law. Nonetheless, for now, Astiana is good law and it may open up pleading opportunities for plaintiffs in personal information/data security cases.
In sum, the quartet of federal cases applying California appear to lower the pleading thresholds for plaintiffs in personal information/data security cases. Whether these cases lead to more complaints being filed and a consequential rethinking by the courts, or whether the courts will simply winnow suits by requiring proof of general allegations in the summary judgment phase of litigation, remains to be seen.