Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Official citation and/or docket number and footnotes (if any) for this case available with purchase.

Learn more about what you receive with purchase of this case.

In Re Iphone Application Litig.


September 20, 2011


The opinion of the court was delivered by: Lucy H. Koh United States District Judge

United States District Court For the Northern District of California


A putative nationwide class of plaintiffs bring suit against Apple, Inc., Admob, Inc., Flurry, Inc., Mobclix, Pinch Media, Inc.,, Inc., Mellenial Media, AdMarval, Inc., 18 and Quattro Wireless Inc. (aside from Apple, collectively "Mobile Industry Defendants") for 19 alleged violations of federal and state law. Plaintiffs are United States' residents who use mobile 20 devices manufacture by Apple that operate Apple's "iOS" proprietary operating systems, or what 21

Plaintiffs refer to as iDevices (e.g., iPhone, iPad, and iPod Touch). Plaintiffs claim that Defendants 22 violated their privacy rights by unlawfully allowing third party applications ("apps") that run on the 23 iDevices to collect and make use of, for commercial purposes, personal information without user 24 consent or knowledge. Apple and the Mobile Industry Defendants have each filed motions to 25 dismiss on various grounds, including lack of Article III standing, consent to privacy agreements, 26 failure to join necessary and indispensable parties (i.e., the apps), and additional claim-specific 27 reasons. The Court held a hearing on these motions on September 8, 2011. For the reasons 28 explained below, the Court GRANTS Defendants' motions to dismiss on the ground that Plaintiffs have failed to allege sufficient facts establishing Article III standing. Plaintiffs are given leave to 2 amend to cure the deficiencies identified below. 3


Plaintiffs in these consolidated actions ("In Re iPhone Application Litigation") allege that Defendants have committed, and are continuing to commit, privacy violations by illegally 6 collecting, using, and distributing iPhone, iPad, and App Store users' personal information. See 7 generally First Consolidated Class Action Complaint ("Consolidated Complaint") [dkt. #71]. The 8 first two of these consolidated actions were filed on December 23, 2010. See Lalo v. Apple, Inc., 9 et al., 10-cv-05878-LHK (the "Lalo Action") and Freeman v. Apple, Inc., et al., 10-cv05881-LHK

These other actions, filed throughout the country, involve substantially similar allegations against Apple and other Defendants. On August 25, 2011, the Judicial Panel on Multidistrict Litigation California before the undersigned. See August 25, 2011 Transfer Order in MDL No. 2250 [dkt. Unless otherwise noted, the following allegations are taken from the Consolidated Complaint and are presumed to be true for purposes of ruling upon Defendants' motions to dismiss.

To date, nearly 200 million iDevices have been sold worldwide. Consol. Compl. ¶ 27. Since 19 launching its mobile device business, Apple has sought to "completely control the user 20 experience." Id. at ¶ 26. The iDevices enable users to download apps only via Apple's "App 21

Store" application and website. Id. at ¶ 34. There is no dispute that signing up for the App Store is 22 free. Apple represents to users of the App Store that it "takes precautions -- including 23 administrative, technical, and physical measures -- to safeguard your personal information against 24 25

(the "Freeman Action"). Other actions in this District and throughout the country have followed.*fn1

("MDL Panel") issued a Transfer Order, centralizing these actions in the Northern District of theft, loss, and misuse, as well as against unauthorized access, disclosure, alteration, and 2 destruction." Id. at ¶ 36.

There are several hundred thousand apps available from the App Store created by third party developers. Id. at ¶ 39. Some are free of charge, while others are sold for a fee. Apple 5 exercises tight control over the types of apps it allows into the App Store, and whether an app is 6 allowed to be sold in the App Store is completely within Apple's discretion. Id. at ¶ 41. Even after 7 the user downloads an approved app from the App Store, Apple maintains control by requiring that 8 the "end-user-license-agreement," or EULA, have a clause giving Apple the third-party beneficiary 9 right to enforce the EULA against the end-user. Id. at ¶ 43. 10

Apple's privacy practices and design of the iOS system "permit apps that subject consumers to privacy exploits and security vulnerabilities." Id. at ¶ 56. For example, Apple's design of the 13 iDevices allow apps, without consent of the users, to access, use, and track the following 14 information: address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique 16 device identifier (UDID). Id. at ¶ 58. Moreover, nothing in Apple's "click-through agreement" for 17 the App Store would put a reasonable consumer on notice that the iDevice and apps allow users to 18 be tracked and have their personal information accessed.

consumer data by using code to access personal information on the iDevices without the user's 21 permission or knowledge. Id. at ¶ 63. The Mobile Industry Defendants are thus able to learn 22

Apple removed several apps from the App Store over concerns regarding privacy violations in 24 which the apps would collect and track personal data without authorization. Id. at ¶ 65. Despite 25 criticism, Apple has taken no steps to fix the continuing privacy violations. As a result, the Mobile 26

Industry Defendants continue to have the ability to access and track personal information of 27 consumers. Id. at ¶ 67. Although this personal information is not necessary to the functioning of 28

Plaintiffs allege that, despite Apple's public statements about protecting user privacy, Plaintiffs further allege that the Mobile Industry Defendants "exploit" this access to "highly personal details." Prior to Apple's January 2010 purchase of Defendant Quattro Wireless,the apps, the Mobile Industry Defendants are able to use the personal information for advertising 2 and analytics purposes. Id. at ¶ 69. iDevices to be personal and private information. Id. at ¶ 74. Plaintiffs allege that the Mobile Industry Defendants (but not Apple) "exceeded the scope of any authorization" that could have 6 been granted by Plaintiffs at the time of downloading and using apps. Id. at ¶ 78. Moreover, the Mobile Industry Defendants "use the merger of personal information to effectively or actually de-8 anonymize consumers." Id. at ¶ 81. Accordingly, the Mobile Industry Defendants For strategic or other purposes, Plaintiffs have not named any app developers as Defendants in the Consolidated Complaint. Plaintiffs have represented to the Court that Plaintiffs worked out Plaintiffs consider the information found, and allegedly accessed and tracked, on the "misappropriated" Plaintiffs' personal information. Id. at ¶ 84. 10

tolling agreements with some of the app developers sued in the original Complaint, and may bring 13 the app developers back into the action if necessary.

Violation of Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030; (3) Computer Crime ("CLRA"), Cal. Civ. Code § 1750 against Apple only; (6) Unfair Competition under Cal. Bus. & Enrichment.

The Consolidated Complaint contains eight claims: (1) Negligence against Apple only; (2)

Law, Cal. Penal Code § 502; (4) Trespass on Chattel; (5) Consumer Legal Remedies Act Prof. Code § 17200; (7) Breach of Covenant of Good Faith and Fair Dealing; and (8) Unjust 19

22 essentially make five arguments. First, all Defendants argue that Plaintiffs lack Article III standing 23 because Plaintiffs do not allege an injury in fact or a causal connection between Defendants (as 24 opposed to the app developers) and Plaintiffs' purported injury. Second, Apple alleges that its 25 privacy agreements with customers, including Plaintiffs, bar Plaintiffs' claims. Third, the Mobile 26

Industry Defendants allege that Plaintiffs' allegations against them are insufficient under Rule 8 as 27 vague, conclusory and undifferentiated. Fourth, all Defendants argue that joinder of the app 28 developers is necessary for a complete resolution of this action, but is not feasible in light of the


Apple and the Mobile Industry Defendants have each filed motions to dismiss. Defendants number (potentially tens of thousands) of app developers involved. Finally, Defendants argue that 2 each of Plaintiffs' eight claims for relief is deficient for some claim-specific reason.

for the allegedly unauthorized collection or tracking of their personal information or that Apple has 6 a duty to prevent third party app developers from collecting or using Plaintiffs' personal 7 information. An Article III federal court must ask whether a plaintiff has suffered sufficient injury 8 to satisfy the "case or controversy" requirement of Article III of the U.S. Constitution. To satisfy 9

A.Article III Standing

Defendants first argue that Plintiffs' allegations do not establish an actual injury or harm

Article III, a plaintiff "must show that (1) it has suffered an 'injury in fact' that is (a) concrete and 10 particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Friends of the Earth, Inc. v. A suit brought by a plaintiff without Article III standing is not a "case or controversy," and 15 an Article III federal court therefore lacks subject matter jurisdiction over the suit. Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 101 (1998). In that event, the suit should be 17 dismissed under Rule 12(b)(1). See Steel Co., 523 U.S. at 109-110. The injury required by Article 18

III may exist by virtue of "statutes creating legal rights, the invasion of which creates standing." U.S. 490, 500 (1975)). In such cases, the "standing question . . . is whether the constitutional or 21 statutory provision on which the claim rests properly can be understood as granting persons in the 22 plaintiff's position a right to judicial relief." Id. (quoting Warth, 422 U.S. at 500)).

Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167, 180-81 (2000). 14 See Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (quoting Warth v. Seldin, 422

1.Injury in Fact

At least one named plaintiff must have suffered injury an injury in fact. See Lierboe v. State Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022 (9th Cir. 2003) ("[I]f none of the named 26 plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the 27 defendants, none may seek relief on behalf of himself or any other member of the class."). Apple 28 and the Mobile Industry Defendants argue that Named Plaintiffs have failed to allege concrete, particularized injuries in fact to themselves, as opposed to "consumers" in general, and that the 2 tracking or disclosure of personal information does not establish an "economic loss" sufficient to 3 find an injury in fact. Plaintiffs respond that the Consolidated Complaint alleges at least three 4 types of injury in fact: (1) misappropriation or misuse of personal information; (2) diminution in 5 value of the personal information, which is an "asset of economic value" due to its scarcity; and (3) 6

"lost opportunity costs" in having installed the apps, and diminution in value of the iDevices 7 because they are "less secure" and "less valuable" in light of the privacy concerns. 9 purposes of the standing analysis under Article III, Plaintiffs' current allegations are clearly 10 insufficient. First, Defendants are correct. Despite a lengthy Consolidated Complaint, Plaintiffs do Consolidated Complaint. See Birdsong v. Apple, Inc., 590 F.3d 955, 960-61 (9th Cir. 2009) ("The 13 plaintiffs have not shown the requisite injury to themselves and therefore lack standing" under 14

Article III.) In Birdsong, the Ninth Circuit considered allegations that use of an Apple iPod, which 15 has the capability to produce sound as loud as 120 decibels, created a risk of hearing loss. 16

The plaintiffs do not claim that they suffered or imminently will suffer hearing loss from their iPod use. The plaintiffs do not even claim that they used their iPods in a way that

exposed them to the alleged risk of hearing loss. At most, the plaintiffs plead a potential risk of hearing loss not to themselves, but to other unidentified iPod users who might

The Court does not take lightly Plaintiffs' allegations of privacy violations. However, for not allege injury in fact to themselves. This failure alone is sufficient reason to dismiss the However, the Ninth Circuit ruled: 17 choose to use their iPods in an unsafe manner. The risk of injury the plaintiffs allege is not concrete and particularized as to themselves.

The same reasoning applies to Plaintiffs' allegations here. In the Consolidated Complaint, Plaintiffs do not identify what iDevices they used, do not identify which Defendant (if any) 23 accessed or tracked their personal information, do not identify which apps they downloaded that 24 access/track their personal information, and do not identify what harm (if any) resulted from the 25 access or tracking of their personal information. The allegations are especially slim with respect to 26

Defendant Apple. The Consolidated Complaint only alleges that the Mobile Industry Defendants (without differentiation) tracked and accessed personal information for commercial and marketing purposes. See, e.g., Consol. Compl. at ¶¶ 77-78, 83-84 (alleging misappropriation of personal 2 information and unauthorized access to personal information by Mobile Industry Defendants, but 3 not Apple).

a concrete harm from the alleged collection and tracking of their personal information sufficient to 6 create injury in fact. Although not binding, a recent case from the Central District of California is 7 instructive. See Genevive La Court v. Specific Media, Case No. SACV-10-1256-JW, 2011 U.S. Plaintiffs' current allegations suffer from another deficiency. Plaintiffs have not identified

Dist. LEXIS 50543 (C.D. Cal. Apr. 28, 2011). In Specific Media, plaintiffs accused an online third 9 party ad network, Specific Media, of installing "cookies" on their computers to circumvent user 10 privacy controls and to track internet use without user knowledge or consent. The court, however, "particularized example" of economic injury or harm to their computers, but instead offered only 14 abstract concepts, such as "opportunity costs," "value-for-value exchanges," "consumer choice," 15 and "diminished performance." Id. at *7-13. Other cases have held the same. See In re 16

Doubleclick, Inc., Privacy Litig., 154 F.Supp.2d 497');">154 F. Supp. 2d 497, 525 (S.D.N.Y. 2001) ("cookies" case, 17 holding that unauthorized collection of personal information by a third-party is not "economic 18 loss"); see also In re JetBlue Airways Corp., Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (airline's disclosure of passenger data to third party in violation of airline's privacy policy 20 had no compensable value). The same is true here: Plaintiffs have not yet articulated a "coherent 21 and factually supported theory" of injury. Plaintiffs have stated general allegations about the Mobile Industry Defendants, the market for apps, and similar abstract concepts (e.g., lost 23 opportunity costs, value-for-value exchanges), but Plaintiffs have not identified an actual injury to 24 themselves sufficient for Article III standing.

Plaintiffs cite two cases that are supposedly to the contrary. However, both cases are distinguishable. In Doe 1 v. AOL LLC, the court was "persuaded that Plaintiffs' allegations are 27 sufficient to demonstrate standing for purposes of seeking injunctive relief. The Complaint alleges 28 that AOL engages in a practice and policy of storing search queries containing confidential held that plaintiffs lacked Article III standing because: (1) they had not alleged that any named plaintiff was actually harmed by defendant's alleged conduct; and (2) they had not alleged any information, and that it has taken no steps to ensure that such information is not disclosed again in 2 the future." See Doe 1 v. AOL LLC, 719 F. Supp. 2d 1102, 1109 (N.D. Cal. 2010) (finding Article 3

AOL continued to publicly disclose Plaintiffs' highly sensitive personal information). The 5 information publicly disclosed included credit card numbers, social security numbers, financial 6 account numbers, and information regarding AOL members' personal issues, including sexuality, 7 mental illness, alcoholism, incest, rape, and domestic violence. Id. at 1111. Plaintiffs' current 8 allegations here come nowhere close to the specific allegations of public disclosure on the Internet 9 of highly sensitive personal information in AOL. Nor do Plaintiffs identify any active role on the 10 part of Defendants in disclosing to the public such highly sensitive personal information.

In the Facebook Privacy Litigation, the court held that plaintiffs had standing under the Wiretap Act. See id. at *13-14 ("the Court finds that Plaintiffs allege a violation of their statutory rights 15 under the Wiretap Act, 18 U.S.C. §§ 2510, et seq. The Wiretap Act provides that any person 16 whose electronic communication is 'intercepted, disclosed, or intentionally used' in violation of the 17

§ 2520(a). Thus, the Court finds that Plaintiffs have alleged facts sufficient to establish that they 19 have suffered the injury required for standing under Article III."). In the instant action, however, 20

Wiretap Act does not require a separate showing of injury, but merely provides that any person 22 whose electronic communication is "intercepted, disclosed, or intentionally used" in violation of 23 the Act may in a civil action recover from the entity which engaged in that violation. See U.S.C. § 2520(a). Plaintiffs, in the instant case, do not allege a violation of an analogous statute 25 which does not require a showing of injury.

In sum, as in Specific Media, "[i]t is not obvious that Plaintiffs cannot articulate some7 actual or imminent injury in fact. It is just that at this point they haven't offered a coherent and III standing requirements for the purposes of injunctive relief are met when Plaintiffs' alleged that 4 Plaintiffs also cite In re Facebook Privacy Litig., Case No. 10-02839-JW, 2011 U.S. Dist. LEXIS 60604 (N.D. Cal. May 12, 2011),as a case supporting their argument for standing. Not so. 13 Act may in a civil action recover from the entity which engaged in that violation. 18 U.S.C. 18 Plaintiffs have not made a claim under the Wiretap Act. Moreover, statutory standing under the factually supported theory of what that injury might be." See Specific Media, 2011 U.S. Dist. LEXIS 50543 at *15. 3

Defendants making it impossible to decipher, based on the current allegations, any causal chain.

2. Causation: Fairly Traceable to Defendants' Actions

Plaintiffs have also failed to allege any injury fairly traceable to Apple or to the Mobile Industry Defendants. In fact, Plaintiffs fail to differentiate among the eight Mobile Industry First, as noted above, there is no allegation that Apple misappropriated data, so there is no nexus 8 between the alleged harm and Apple's conduct. Plaintiffs' only allegation is that Apple "designed" 9 a platform in which Mobile Industry Defendants and absent app developers could possibly engage 10 in harmful acts (Consol. Comp., ¶¶ 58, 61, 67), or that Apple's platform caused "users' iDevices to

be able to maintain, synchronize, and retain detailed, unencrypted location history files." Id. at ¶¶ 125, 140. These "conjectural" or speculative allegations about the risk of harm do not suffice for 13 purposes of Article III Standing. See Birdsong, 590 F.3d at 961 (rejecting argument for standing 14 because "the conjectural and hypothetical nature of the alleged injury as the plaintiffs merely assert 15 that some iPods have the 'capability' of producing unsafe levels of sound and that consumers 16

'may' listen to their iPods at unsafe levels combined with an 'ability' to listen for long periods of 17 time."); compare Hepting v. AT&T Corp., 439 F. Supp. 2d 974 1001 (N.D. Cal. 2006) (finding that 18 plaintiffs had standing where the allegations were that AT&T actively partnered to intercept and 19 monitor customer phone lines). 20 amend. Plaintiffs are on notice, however, that any amended complaint must provide specific 22 allegations with respect to the causal connection between the exact harm alleged (whatever it is) 23 and each Defendants' conduct or role in that harm. 24

lengthy analysis of Defendants' other arguments is unnecessary at this time. Nonetheless, the 27

Court notes additional deficiencies in the allegations in the event that Plaintiffs choose to file an 28 amended complaint.

The Court, thus, grants Defendants' motion to dismiss for lack of standing with leave to

B.Defendants' Alternative Arguments

In light of the Plaintiffs' failure to allege facts sufficient to support Article III standing, a incorporation by reference doctrine on a motion to dismiss. See, e.g., Rubio v. Capital One Bank, 613 F.3d 1195, 1199 (9th Cir. 2010) (reviewing disclosure agreements in a TILA action); In re Apple argues that all Plaintiffs' injuries are alleged to arise from the Plaintiffs' use of third-

7 party apps on their iDevices. Since Apple's "click-through" agreements with Plaintiffs govern any 8 potential liability for third-party apps that Plaintiffs use on their iOS Devices, Apple argues that the 9 express terms and conditions of those agreements bar claims for the alleged injuries. For example, 10

information through the operation of apps are barred by "App Store Terms of Service." See Decl.

of James F. McCabe ("McCabe Decl."), Exh. F, "License of Mac App Store and App Store 13

1.Privacy Agreements

The Court may consider agreements between the Plaintiffs and Apple under the Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008). 6

Plaintiffs' claims against Apple for Mobile Industry Defendants' receipt and use of device Products", at p.12) ("The Application Provider of each Third-Party Product is solely responsible 14 for that Third-Party Product."). In addition, Apple argues that Plaintiffs' claims against Apple for 15 the design of iOS are barred by the iOS Software License Agreements ("User SLAs"). See 16


Plaintiffs respond that the App Store "Terms of Service" agreement amounts to an unlawful "contract of adhesion." A court may deem a contract provision unconscionable, and therefore 21 unenforceable, only if it is both procedurally and substantively unconscionable. See Armendariz v. 22

Foundation Health Psychcare Services, Inc., 24 Cal. 4th 83, 114 (Cal. 2000). "The procedural 23 element of unconscionability focuses on two factors: oppression and surprise. 'Oppression' arises 24 from an inequality of bargaining power which results in no real negotiation and "an absence of 25 meaningful choice. 'Surprise' involves the extent to which the supposedly agreed-upon terms of 26 the bargain are hidden in a prolix printed form drafted by the party seeking to enforce the disputed 27 terms. The substantive element of unconscionability focuses on the actual terms of the agreement 28

McCabe Decl., Exh. A, B, C, D, and F) (e.g., Exh. F, "Disclaimer of Warranties; Liability ISK"). and evaluates whether they create 'overly harsh' or 'one-sided' results as to 'shock the 2 conscience.'" See Aron v. U-Haul Co. of California, 143 Cal. App. 4th 796, 808 (2006). 3

4 of unconscionability. Procedurally, "[t]he availability of alternative sources from which to obtain 5 the desired service defeats any claim of oppression, because the consumer has a meaningful 6 choice." See, e.g., Freeman v. Wal-Mart Stores, Inc., 111 Cal. App. 4th 660, 670 (2003). 7

"Moreover, when the challenged term is in a contract concerning a nonessential recreational 8 activity, the consumer always has the option of simply forgoing the activity." Belton v. Comcast 9

Here, Plaintiffs have difficulties both with respect to the procedural and substantive element

Cable Holdings, LLC, 151 Cal. App. 4th 1224, 1245 (Cal. App. 1st Dist. 2007). Plaintiffs have 10 alternatives to the iDevices. In addition, apps such as "Angry Birds" or "Plants versus Zombies" 11

At this point, however, the Court is not prepared to rule that Apple's privacy agreements establish an absolute bar to Plaintiffs' claims. In any amended complaint, Plaintiffs must explain 14 why Apple should be held responsible for privacy violations despite Apple's apparent privacy 15 agreements with customers, including Plaintiffs. 16

18 for one of two reasons: (1) lack of a cognizable legal theory, or (2) insufficient facts under a 19 cognizable legal theory. See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007); see also 20

Rule 12(b)(6) is appropriate only where the complaint lacks a cognizable legal theory or sufficient 22 facts to support a cognizable legal theory."). A motion to dismiss should be granted if the 23 complaint does not proffer enough facts to state a claim for relief that is plausible on its face. See 24

The Mobile Industry Defendants persuasively argue that, by lumping all eight of them

26 together, Plaintiffs have not stated sufficient facts to state a claim for relief that is plausible against 27 one Defendant. Mobile Industry Defendants are correct. Plaintiffs' failure to allege what role each are nonessential recreational activities. 12

2.Rule 8 Pleading: Conclusory Allegations as to Mobile Industry Defendants

A complaint may be dismissed for failure to state a claim upon which relief can be granted Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008) ("Dismissal under

Twombly, 550 U.S. at 558-59. 25

Defendant played in the alleged harm makes it exceedingly difficult, if not impossible, for individual Defendants to respond to Plaintiffs' allegations. In any amended complaint, Plaintiffs 2 must identify what action each Defendant took that caused Plaintiffs' harm, without resort to 3 generalized allegations against Defendants as a whole. 4


6 join a party under Rule 19." Fed. R. Civ. P. 19(a) provides, inter alia, that a person "must be 7 joined as a party" if "in that person's absence, the court cannot accord complete relief among 8 existing parties." If that required person cannot be joined, then "the court must determine 9 whether, in equity and good conscience, the action should proceed among the existing parties or 10 should be dismissed." Fed. R. Civ. P. 19(b). The Rule 19 inquiry is "fact specific," and the party

3.Necessary and Indispensable Parties

Fed. R. Civ. P. 12(b)(7) authorizes this Court to dismiss an action if a plaintiff has failed "to seeking dismissal has the burden of persuasion. See Makah Indian Tribe v. Verity, 910 F.2d 555, 558 (9th Cir. 1990). "In determining whether a party is 'necessary' under Rule 19(a), a court must 13 consider whether 'complete relief' can be accorded among the existing parties, and whether the 14 absent party has a 'legally protected interest' in the subject of the suit." See Shermoen v. U.S., 982 F.2d 1312, 1317 (9th Cir. 1992) (citation omitted). A party is also "necessary" if disposing of the 16 action in the person's absence may "(i) as a practical matter impair or impede the person's ability 17 to protect the interest; or (ii) leave an existing party subject to a substantial risk of incurring double, 18 multiple, or otherwise inconsistent obligations because of the interest." Fed. R. Civ. P. 19(a)(1). 19

Apple contends that the app developers (some of which were formerly in this action as Defendants) are necessary and indispensable parties because they have "legally protected interests" 21 and because "complete relief" cannot be accorded among the existing parties. Without specific 22 allegations of harm and causation, it is not clear whether the app developers are necessary parties 23 to this litigation. However, under Ninth Circuit authority, the app developers do not appear to be 24 necessary parties because they have not claimed a legally protected interest even though they are 25 aware of this action. See United States v. Bowen, 172 F.3d 682, 689 (9th Cir. 1999) (holding that 26 joinder of absent party was unnecessary where the absent party was aware of the action but did not 27

"claim a legally protected interest" in the action). Moreover, as Plaintiffs note, the allegations of 28 privacy violations in the Consolidated Complaint are not related to accessing information that is "necessary to the functioning" of the apps. Instead, Plaintiffs allege that the apps and Mobile 2

Industry Defendants are accessing personal information only for their own commercial purposes. 3 On this record, the Court will not dismiss for failure to join necessary and indispensable parties. 4

pointed out deficiencies with each of Plaintiffs' eight claims. 7

9 breach of such legal duty; [and] (c) the breach as the proximate or legal cause of the resulting 10 injury." Evan F. v. Hughson United Methodist Church, 8 Cal. App. 4th 828, 834 (1992) (italics in 11

Plaintiffs have not yet adequately pled or identified a legal duty on the part of Apple to protect 13 users' personal information from third-party app developers. Tort law may not be used to supplant 14 private contractual agreements, and the failure to perform a contractual duty is not a tort, unless 15 that failure involves an independent legal duty. See Applied Equip. Corp. v. Litton Saudi Arabia 16

Ltd., 7 Cal. 4th 503, 514-15 (1994). Moreover, as exhaustively analyzed above, Plaintiffs have 17 failed to allege an "appreciable, nonspeculative, present injury" which is "an essential element of a 18 tort cause of action." See Aas v. Super. Ct., 24 Cal. 4th 627, 646 (2000). Any amended complaint 19 must remedy these deficiencies. 20

22 dealing. See, e.g., Kransco v. American Empire Surplus Lines Ins. Co., 23 Cal.4th 390, 400 (2000). 23

This implied covenant requires that neither party do anything that will deprive the other of the 24 benefits of the contract. Id. "The implied covenant protects only the parties' right to receive the 25 benefit of their agreement." Foley v. Interactive Data Corp, 47 Cal.3d 654, 699, 254 Cal. Rptr. 26

211, 765 P.2d 373.n.39 (1988). Plaintiffs cannot use the implied covenant of good faith and fair 27 dealing to deny to another party specific contract benefits for which such party bargained. See 28

4.Claim-Specific Issues

Aside from the deficiencies with respect to standing and pleading, Defendants have also a.Negligence (pled against Apple Only) The elements of negligence under California law are: "(a) a legal duty to use due care; (b) a that Plaintiffs have failed to stat original). Defendants rightly argue e a claim of negligence. First, 12 b.Breach of Covenant of Good Faith and Fair Dealing Under California law, every contract contains an implied covenant of good faith and fair, LLC v. Google, Inc., No. C06-2057 JF (RS), 2006 WL 3246596, at *3 (N.D. Cal

July 13, 2006) (finding no violation of implied covenant where parties' website agreement 2 disclaimed referral warranties). Although Plaintiffs refer to Apple's "click-through agreement" for 3 the App Store and Apple's privacy agreements, Plaintiffs do not actually identify the contract upon 4 which they are relying for their breach of covenant of good faith and fair dealing claim. In 5 addition, Plaintiffs do not identify the "contract's purposes." Without identification of the 6 contract's purposes, the Court cannot determine whether Plaintiffs were deprived of the benefits of 7 the contract at issue. Accordingly, any amended complaint must remedy these deficiencies. 8


10 competition and unfair or deceptive acts or practices." Cal. Civ. Code § 1770. An action may be



c.California Consumer Legal Remedies Act, Cal. Civ. Code § 1770

The California Consumer Legal Remedies Act ("CLRA") prohibits "unfair methods of brought under the CLRA pursuant to § 1780(a), which provides that "[any] consumer who suffers ny damage as a result of the use or employment by any person of a method, act, or practice 13 declared to be unlawful by Section 1770 may bring an action against such person." Cal. Civ. Code 14 § 1780(a) (emphasis added). The statute proscribes a variety of conduct, including "[r]epresenting 15 that goods or services have . . . characteristics, . . . benefits, or quantities which they do not have" 16

(Cal. Civ. Code § 1770(a)(5)), or "[r]epresenting that goods or services are of a particular standard, 17 quality, or grade, or that goods are of a particular style or model, if they are of another." Cal. Civ. 18 Code § 1770(a)(7). The CLRA allows for restitution, injunctive relief, compensatory damage and 19 punitive damages. Cal. Civ. Code, § 1780(a)(1)-(5), (d). A consumer that has suffered "any 20 damage" as a result of a defendant's violation of the CLRA may present a claim for a violation of 21 its provisions. Cal. Civ. Code § 1780(a). 22

Apple alleges that Plaintiffs have failed to state a claim under the CLRA because the CLRA 25 provides civil remedies for specific conduct in the sale of "goods" or "services." Cal. Civ. Code 26 § 1770. However, all of Plaintiffs' allegations against Apple appear to be about software, i.e., the 27 iOS operating system on iDevices. Software is neither a "good" nor a "service" within the 28 meaning of the CLRA. See Ferrington v. McAfee, Case No. 10-CV-01455-LHK, 2010 U.S. Dist.

As explained above, at this point, Plaintiffs have not alleged "any damage" as a result of Defendants' alleged actions. Therefore, Plaintiffs' CLRA claim necessarily fails. Moreover, LEXIS 106600, at *52-58. Thus, to the extent Plaintiffs' allegations are based solely on software, 2

Plaintiffs do not have a claim under the CLRA. Plaintiffs must remedy these deficiencies in any 3 amended complaint. 4

d.Computer Fraud and Abuse Act, 28 U.S.C. § 1030

The Computer Fraud and Abuse Act ("CFAA") is a federal statute that creates liability for "knowingly and with intent to defraud, access[ing] a protected computer without authorization, or 7 exceed[ing] authorized access." 18 U.S.C. § 1030(a)(4). The CFAA specifically prohibits 8

"knowingly caus[ing] the transmission of a program, information, code, or command, and as a 9 result of such conduct, intentionally caus[ing] damage without authorization, to a protected 10 computer." Id. at § 1030(a)(5)(A)(i). A person who "intentionally accesses a computer without 11 authorization," accesses a computer without any

permission at all, while a person who "exceeds

12 authorized access," has permission to access the computer, but accesses information on the 13 computer that the person is not entitled to access. See LVRC Holdings LLC v. Brekka, 581 F.3d 14 In order to bring a civil action under the CFAA, a plaintiff must also demonstrate that the 16 defendant's action caused over $5,000 in "economic damages" over a one-year period. Id. at 17

§ 1030(a)(5)(B)(I). A plaintiff may aggregate individual damages over the putative class to meet 18 the damages threshold if the violation can be described as "one act." See In re Toys R Us, Inc. 19

Privacy Litigation, 2001 WL 34517252, *11 (N.D. Cal. 2001). The term "damage" means "any 20 impairment to the integrity or availability of data, a program, a system, or information." Id. at § 21

1030(e)(8). Thus, "economic damages" arise only when an individual or firm's money or property 22 are impaired in value; money or property is lost; or money must be spent to restore or maintain 23 some aspect of a business affected by the alleged violation. See Creative Computing v. 24 LLC, 386 F.3d 930, 935 (9th Cir. 2004) ("the statutory restriction, 'limited to 25 economic damages,' precludes damages for death, personal injury, mental distress, and the like."). 26 1127, 1133 (9th Cir. 2009) (quoting and interpreting 18 U.S.C. §§ 1030(a)(2) and (4)).

Plaintiffs' current allegations under their CFAA claim are insufficient for three reasons.

First, Plaintiffs have failed to allege that Apple acted "knowingly, with intent to defraud." 28

Plaintiffs merely allege that Apple has taken "no meaningful steps" to enforce its own privacy policy against third party app developers that are able to exploit Apple's design of the iOS system. 2

Consol. Comp. ¶¶ 66, 71, 73. However, negligent software design cannot serve as a basis for a 3

CFAA claim. See 18 U.S.C. § 1030(g) ("No cause of action may be brought under this subsection 4 for the negligent design or manufacture of computer hardware, computer software, or firmware."). 5

Second, Plaintiffs have failed to sufficiently allege that Defendants accessed a protected

6 computer "without authorization" or "exceeded authorized access" to Plaintiffs' iDevices. See 7

§ 1030(a)(4). Where the software that allegedly harmed the phone was voluntarily downloaded by 8 the user, other courts in this District and elsewhere have reasoned that users would have serious 9 difficulty pleading a CFAA violation. See In re Apple & ATTM Antitrust Litig., 2010 U.S. Dist. LEXIS 98270, at *26 (N.D. Cal. July 8, 2010) ("Voluntary installation runs counter to the notion that the alleged act was a trespass and to CFAA's requirement that the alleged act was 'without authorization' as well as the CPC's requirement that the act was 'without permission.'"); see also 13

Specific Media, 2011 U.S. Dist. LEXIS 50543, at *18 (on factual allegations similar to those here, 14 noting that "it is unclear whether Specific Media can be said to have 'intentionally caus[ed] 15 damage' to Plaintiffs' computers."). 16

Third, Plaintiffs have failed to sufficiently allege economic damages to one or more persons

17 during any one-year period aggregating at least $5,000 in value. The Court recognizes that 18 damages and losses under § 1030(e)(8)(A) may be aggregated across victims and over time for a 19 single act. See In re Doubleclick Privacy Litig., 154 F.Supp.2d 497, 523 (S.D.N.Y. 2001). Here, 20 however, there are no allegations as to the amount of economic harm suffered by Plaintiffs, and, at 21 this point at least, insufficient allegations of any economic harm to any Plaintiff. See Specific 22

Media, 2011 U.S. Dist. LEXIS 50543, at *17 (in analysis of CFAA claim, stating "Defendant 23 correctly observes that based on the above discussion regarding standing, Plaintiffs at the very least 24 have failed to plausibly allege that they and the putative class - even in the aggregate - have 25 suffered $5,000 in economic damages in a one year period as a result of Specific Media's 26 actions."); see also Bose v. Interclick, Inc., No. 10 Civ. 9183 (DAB), 2011 U.S. Dist. LEXIS 93663, at *12-14 (S.D.N.Y. Aug. 17, 2011) (finding that internet advertising company's collection 28 of personal information through use of "browser cookies" and "flash cookies" without permission did not establish the economic injury required by the CFAA). Moreover, even had economic 2 damages been alleged, Plaintiffs have not identified the "single act" of harm by Defendants that 3 would allow the Court to aggregate damages across victims and over time. 4


Plaintiffs must cure these deficiencies in any amended complaint, or risk dismissal of their

CFAA claim with prejudice. 6

e.Computer Crime Law, Cal. Penal Code § 502

California's legislature enacted Cal. Penal Code Section 502 ("Section 502), the Comprehensive Computer Data Access and Fraud Act, in order to "expand the degree of protection 9 afforded to individuals, businesses, and governmental agencies from tampering, interference, 10 damage, and unauthorized access to lawfully created computer data and computer systems." Cal. 11

12 the statute, the Northern District of California has twice considered the meaning of "without 13 permission" under Section 502 and determined that individuals may only be subjected to liability 14 for acting "without permission" under Section 502 if they "access[ ] or us[e] a computer, computer 15 network, or website in a manner that overcomes technical or code-based barriers." See Facebook, 16

July 20, 2010) (providing extensive analysis of Section 502); see also In re Facebook Privacy Litig., 2011 U.S. Dist. LEXIS 60604, at *26 ("It is thus impossible, on Plaintiffs' own allegations, 19 for Defendant to be liable under the subsections of Section 502 which require a defendant to act 20

'without permission,' as there were clearly no technical barriers blocking Defendant from 21 accessing its own website."). In Power Ventures, the court expressly refused to construe "without 22 permission" to include access to a website or computer network that merely violates a term of use, 23 reasoning that "interpreting the statutory phrase 'without permission' in a manner that imposes 24 liability for a violation of a term of use or receipt of a cease and desist letter would create a 25 constitutionally untenable situation in which criminal penalties could be meted out on the basis of 26 violating vague or ambiguous terms of use." See Power Ventures, Inc., 2010 U.S. Dist. LEXIS 27 93517, at *33; see also LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1130 (9th Cir. 2009)Penal Code § 502(a). While the term "without permission" is not defined within the language of Inc. v. Power Ventures, Inc., No. C 08-05870-JW, 2010 U.S. Dist. LEXIS 93517, at *35 (N.D. Cal. 17 ("access to a computer may be 'authorized,' within the statutory meaning of the term, even if that 2 access violates an agreed upon term of using that computer"). 3

Plaintiffs broadly allege that Mobile Industry Defendants, but not Apple, gained access to

4 consumers' data by paying app developers to include surreptitious tracking codes in the program 5 code for apps. Consol. Compl. ¶¶ 63-64. Plaintiffs attempt to distinguish their case from Power 6

Ventures and Facebook Privacy Litigation by arguing that, through the use of specific, 7 surreptitious computer code, Defendants gained access "without ever having Plaintiffs' permission 8 at all." However, Plaintiffs have still failed to allege how Defendants can be liable for accessing 9

Plaintiffs' computers "without permission." On Plaintiffs' own allegations, the iOS and third party 10 apps-which contain the alleged "surreptitious code"-were all installed or updated voluntarily by Penal Code § 502 that does not appear to require access "without permission" for liability. Section 15

502(c)(8) imposes liability upon any party who "[k]nowingly introduces any computer contaminant 16 into any computer, computer system, or computer network." Cal. Penal Code § 502(c)(8). 17

Plaintiffs argue that Section 502(c)(8) itself does not include an express requirement that the 18 introduction of a computer contaminant be done "without permission." However, Section 19

502(c)(10) defines "computer contaminant" as "any set of computer instructions that are designed 20 to modify, damage, destroy, record, or transmit information within a computer, computer system, 21 or computer network without the intent or permission of the owner of the information. They 22 include, but are not limited to, a group of computer instructions commonly called viruses or 23 worms, that are self-replicating or self-propagating and are designed to contaminate other computer 24 programs or computer data, consume computer resources, modify, destroy, record, or transmit data, 25 or in some other fashion usurp the normal operation of the computer, computer system, or 26 computer network." See Cal. Penal Code § 502(b)(10) (emphasis added). Thus, the very definition 27 of a "computer contaminant" limits liability to conduct that occurs "without the intent or 28 permission of the owner of the information." Moreover, the section on "computer contaminants"


The Court is not persuaded by Plaintiffs' further attempt to distinguish their case from

Power Ventures and Facebook Privacy Litigation by citing to the single subsection under Cal. appears to be aimed at "viruses or worms," and other malware that usurps the normal operation of 2 the computer or computer system. Although Plaintiffs' are given leave to amend to clarify their 3 allegations in an amended complaint, it is not clear to the Court how Section 502(c)(8) applies to 4 the case at hand. 5


7 possession of personal property has proximately caused injury." Intel Corp. v. Hamidi, 30 Cal. 4th 8

f.Trespass to Chattels Under California law, trespass to chattels "lies where an intentional interference with the 1342, 1350-51 (2003). In cases of interference with possession of personal property not amounting 9 to conversion, "the owner has a cause of action for trespass or case, and may recover only the 10 actual damages suffered by reason of the impairment of the property or

1351. "[W]hile a harmless use or touching of personal property may be a technical trespass (see

United States District Court

For the Northern District of California

Rest. 2d Torts, § 217), an interference (not amounting to dispossession) is not actionable, under 13 modern California and broader American law, without a showing of harm." Id. Even where 14 injunctive relief is sought, "the plaintiff must ordinarily show that the defendant's wrongful acts 15 threaten to cause irreparable injuries, ones that cannot be adequately compensated in damages." 16

In Intel Corp. v. Hamidi, the California Supreme Court held that, where there was "no

18 actual or threatened damage to [plaintiff's] computer hardware or software and no interference with 19 its ordinary and intended operation," the defendant's trespass was not actionable. Hamidi, 30 Cal. 20

4th at 1353. Even assuming Plaintiffs' current allegations establish a trespass, Plaintiffs have not 21 connected that trespass to an identifiable harm or injury. As Hamidi demonstrates, trespass without 22 harm, "by reason of the impairment of the property or the loss of use," is not actionable. Hamidi, 23

30 Cal. 4th at 1351. Accordingly, Plaintiffs are given leave to amend their claim for trespass to 24 chattels to identify actionably harm or injury.

27 money or property as a result of the unfair competition." See Rubio v. Capital One Bank, 613 F.3d 28 Id. at 1352 (citing 5 Witkin, Cal. Procedure (4th ed. 1997) Pleading, § 782, p. 239.). 17 g.Unfair Competition Law ("UCL"), Cal. Bus. & Prof. Code §17200 To assert a UCL claim, a private plaintiff needs to have "suffered injury in fact and ... lost 1195, 1203 (9th Cir. 2010). Numerous courts have held that a plaintiff's "personal information"

does not constitute money or property under the UCL. For example, the court in Facebook Privacy 2 Litigation rejected the argument that personal information itself "constitutes currency" and is "a 3 form of property," and thus rejected a UCL claim. See In re Facebook Privacy Litig., 2011 U.S. 4 2008) (finding no "authority to support the contention that unauthorized release of personal 6 information constitutes a loss of property.")); see also Thompson v. Home Depot, Inc., No. 7 As explained above in the section on Article III standing, Plaintiffs have not adequately 9 alleged any injury, let alone an injury of "lost money or property." Moreover, as the court in the 10

Dist. LEXIS 60604, at *23, n.10 (citing Ruiz v. Gap, Inc., 540 F. Supp. 2d 1121, 1127 (N.D. Cal. 5 07cv1058 IEG, 2007 WL 2746603, at *3 (S.D. Cal. Sept. 18, 2007). 8 Facebook Privacy Litigation recently explained: a plaintiff who is a consumer of certain services (i.e., who "paid fees" for those services) may state a claim under certain California consumer protection statutes when a company, in violation of its own policies, discloses personal information about its consumers to the public. See AOL, 719 F. Supp. 2d at 1111-13. Here, by contrast, Plaintiffs do not allege that they paid fees for Defendant's services. Instead, they allege that they used Defendant's services "free of charge." See In re Facebook Privacy Litig., 2011 U.S. Dist. LEXIS 60604, *22-23. Here, as in the 15 Facebook Privacy Litigation, there is no dispute that Plaintiffs did not pay for services for the App 16

Store, but instead used it "free of charge." Of course, Plaintiffs may have paid for the apps they 17 downloaded -- although Plaintiffs have not identified which apps they downloaded -- but Plaintiffs 18 have not brought suit against the app developers. In any event, although Plaintiffs' current 19 allegations do not suffice to establish a claim under the UCL, Plaintiffs are given leave to amend. 20 21 22 under California law." See Ferrington, 2010 U.S. Dist. LEXIS 106600, at *51(citing Durell v. 23 Sharp Healthcare, 183 Cal. App. 4th 1350, 1370, 108 Cal. Rptr. 3d 682 (Cal. Ct. App. 2010)). 24 However, some courts have held that unjust enrichment is equivalent to restitution, see Dinosaur 25 Dev., Inc. v. White, 216 Cal. App. 3d 1310, 265 Cal. Rptr. 525 (1989), and have allowed litigants to 26 seek unjust enrichment as a remedy. See Durell, 183 Cal. App. 4th at 1370. "[R]estitution may be 27 awarded in lieu of breach of contract damages when the parties had an express contract, but it was 28

h.Unjust Enrichment

As this Court has previously determined, "there is no cause of action for unjust enrichment procured by fraud or is unenforceable or ineffective for some reason." See McBride v. Boughton, 2

123 Cal. App. 4th 379, 388 (2004). 3

Plaintiffs concede that unjust enrichment is merely an equitable remedy, and instead request

4 leave to amend their demand for relief. In any amended complaint, Plaintiffs may clarify their 5 demand for relief to include unjust enrichment or restitution. 6



For the reasons explained above, Defendants' motions to dismiss for lack of Article III

8 standing are GRANTED WITH LEAVE TO AMEND. Any amended complaint must remedy the 9 deficiencies identified above, and must be filed and served within 60 days of this Order. 10


For the Northern District of California United States District Court

Buy This Entire Record For $7.95

Official citation and/or docket number and footnotes (if any) for this case available with purchase.

Learn more about what you receive with purchase of this case.