Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

In Re Iphone Application Litig.

September 20, 2011


The opinion of the court was delivered by: Lucy H. Koh United States District Judge

United States District Court For the Northern District of California


A putative nationwide class of plaintiffs bring suit against Apple, Inc., Admob, Inc., Flurry, Inc., Mobclix, Pinch Media, Inc.,, Inc., Mellenial Media, AdMarval, Inc., 18 and Quattro Wireless Inc. (aside from Apple, collectively "Mobile Industry Defendants") for 19 alleged violations of federal and state law. Plaintiffs are United States' residents who use mobile 20 devices manufacture by Apple that operate Apple's "iOS" proprietary operating systems, or what 21

Plaintiffs refer to as iDevices (e.g., iPhone, iPad, and iPod Touch). Plaintiffs claim that Defendants 22 violated their privacy rights by unlawfully allowing third party applications ("apps") that run on the 23 iDevices to collect and make use of, for commercial purposes, personal information without user 24 consent or knowledge. Apple and the Mobile Industry Defendants have each filed motions to 25 dismiss on various grounds, including lack of Article III standing, consent to privacy agreements, 26 failure to join necessary and indispensable parties (i.e., the apps), and additional claim-specific 27 reasons. The Court held a hearing on these motions on September 8, 2011. For the reasons 28 explained below, the Court GRANTS Defendants' motions to dismiss on the ground that Plaintiffs have failed to allege sufficient facts establishing Article III standing. Plaintiffs are given leave to 2 amend to cure the deficiencies identified below. 3


Plaintiffs in these consolidated actions ("In Re iPhone Application Litigation") allege that Defendants have committed, and are continuing to commit, privacy violations by illegally 6 collecting, using, and distributing iPhone, iPad, and App Store users' personal information. See 7 generally First Consolidated Class Action Complaint ("Consolidated Complaint") [dkt. #71]. The 8 first two of these consolidated actions were filed on December 23, 2010. See Lalo v. Apple, Inc., 9 et al., 10-cv-05878-LHK (the "Lalo Action") and Freeman v. Apple, Inc., et al., 10-cv05881-LHK

These other actions, filed throughout the country, involve substantially similar allegations against Apple and other Defendants. On August 25, 2011, the Judicial Panel on Multidistrict Litigation California before the undersigned. See August 25, 2011 Transfer Order in MDL No. 2250 [dkt. Unless otherwise noted, the following allegations are taken from the Consolidated Complaint and are presumed to be true for purposes of ruling upon Defendants' motions to dismiss.

To date, nearly 200 million iDevices have been sold worldwide. Consol. Compl. ¶ 27. Since 19 launching its mobile device business, Apple has sought to "completely control the user 20 experience." Id. at ¶ 26. The iDevices enable users to download apps only via Apple's "App 21

Store" application and website. Id. at ¶ 34. There is no dispute that signing up for the App Store is 22 free. Apple represents to users of the App Store that it "takes precautions -- including 23 administrative, technical, and physical measures -- to safeguard your personal information against 24 25

(the "Freeman Action"). Other actions in this District and throughout the country have followed.*fn1

("MDL Panel") issued a Transfer Order, centralizing these actions in the Northern District of theft, loss, and misuse, as well as against unauthorized access, disclosure, alteration, and 2 destruction." Id. at ¶ 36.

There are several hundred thousand apps available from the App Store created by third party developers. Id. at ¶ 39. Some are free of charge, while others are sold for a fee. Apple 5 exercises tight control over the types of apps it allows into the App Store, and whether an app is 6 allowed to be sold in the App Store is completely within Apple's discretion. Id. at ¶ 41. Even after 7 the user downloads an approved app from the App Store, Apple maintains control by requiring that 8 the "end-user-license-agreement," or EULA, have a clause giving Apple the third-party beneficiary 9 right to enforce the EULA against the end-user. Id. at ¶ 43. 10

Apple's privacy practices and design of the iOS system "permit apps that subject consumers to privacy exploits and security vulnerabilities." Id. at ¶ 56. For example, Apple's design of the 13 iDevices allow apps, without consent of the users, to access, use, and track the following 14 information: address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique 16 device identifier (UDID). Id. at ¶ 58. Moreover, nothing in Apple's "click-through agreement" for 17 the App Store would put a reasonable consumer on notice that the iDevice and apps allow users to 18 be tracked and have their personal information accessed.

consumer data by using code to access personal information on the iDevices without the user's 21 permission or knowledge. Id. at ¶ 63. The Mobile Industry Defendants are thus able to learn 22

Apple removed several apps from the App Store over concerns regarding privacy violations in 24 which the apps would collect and track personal data without authorization. Id. at ¶ 65. Despite 25 criticism, Apple has taken no steps to fix the continuing privacy violations. As a result, the Mobile 26

Industry Defendants continue to have the ability to access and track personal information of 27 consumers. Id. at ¶ 67. Although this personal information is not necessary to the functioning of 28

Plaintiffs allege that, despite Apple's public statements about protecting user privacy, Plaintiffs further allege that the Mobile Industry Defendants "exploit" this access to "highly personal details." Prior to Apple's January 2010 purchase of Defendant Quattro Wireless,the apps, the Mobile Industry Defendants are able to use the personal information for advertising 2 and analytics purposes. Id. at ¶ 69. iDevices to be personal and private information. Id. at ¶ 74. Plaintiffs allege that the Mobile Industry Defendants (but not Apple) "exceeded the scope of any authorization" that could have 6 been granted by Plaintiffs at the time of downloading and using apps. Id. at ¶ 78. Moreover, the Mobile Industry Defendants "use the merger of personal information to effectively or actually de-8 anonymize consumers." Id. at ¶ 81. Accordingly, the Mobile Industry Defendants For strategic or other purposes, Plaintiffs have not named any app developers as Defendants in the Consolidated Complaint. Plaintiffs have represented to the Court that Plaintiffs worked out Plaintiffs consider the information found, and allegedly accessed and tracked, on the "misappropriated" Plaintiffs' personal information. Id. at ¶ 84. 10

tolling agreements with some of the app developers sued in the original Complaint, and may bring 13 the app developers back into the action if necessary.

Violation of Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030; (3) Computer Crime ("CLRA"), Cal. Civ. Code § 1750 against Apple only; (6) Unfair Competition under Cal. Bus. & Enrichment.

The Consolidated Complaint contains eight claims: (1) Negligence against Apple only; (2)

Law, Cal. Penal Code § 502; (4) Trespass on Chattel; (5) Consumer Legal Remedies Act Prof. Code § 17200; (7) Breach of Covenant of Good Faith and Fair Dealing; and (8) Unjust 19

22 essentially make five arguments. First, all Defendants argue that Plaintiffs lack Article III standing 23 because Plaintiffs do not allege an injury in fact or a causal connection between Defendants (as 24 opposed to the app developers) and Plaintiffs' purported injury. Second, Apple alleges that its 25 privacy agreements with customers, including Plaintiffs, bar Plaintiffs' claims. Third, the Mobile 26

Industry Defendants allege that Plaintiffs' allegations against them are insufficient under Rule 8 as 27 vague, conclusory and undifferentiated. Fourth, all Defendants argue that joinder of the app 28 developers is necessary for a complete resolution of this action, but is not feasible in light of the


Apple and the Mobile Industry Defendants have each filed motions to dismiss. Defendants number (potentially tens of thousands) of app developers involved. Finally, Defendants argue that 2 each of Plaintiffs' eight claims for relief is deficient for some claim-specific reason.

for the allegedly unauthorized collection or tracking of their personal information or that Apple has 6 a duty to prevent third party app developers from collecting or using Plaintiffs' personal 7 information. An Article III federal court must ask whether a plaintiff has suffered sufficient injury 8 to satisfy the "case or controversy" requirement of Article III of the U.S. Constitution. To satisfy 9

A.Article III Standing

Defendants first argue that Plintiffs' allegations do not establish an actual injury or harm

Article III, a plaintiff "must show that (1) it has suffered an 'injury in fact' that is (a) concrete and 10 particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Friends of the Earth, Inc. v. A suit brought by a plaintiff without Article III standing is not a "case or controversy," and 15 an Article III federal court therefore lacks subject matter jurisdiction over the suit. Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 101 (1998). In that event, the suit should be 17 dismissed under Rule 12(b)(1). See Steel Co., 523 U.S. at 109-110. The injury required by Article 18

III may exist by virtue of "statutes creating legal rights, the invasion of which creates standing." U.S. 490, 500 (1975)). In such cases, the "standing question . . . is whether the constitutional or 21 statutory provision on which the claim rests properly can be understood as granting persons in the 22 plaintiff's position a right to judicial relief." Id. (quoting Warth, 422 U.S. at 500)).

Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167, 180-81 (2000). 14 See Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (quoting Warth v. Seldin, 422

1.Injury in Fact

At least one named plaintiff must have suffered injury an injury in fact. See Lierboe v. State Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022 (9th Cir. 2003) ("[I]f none of the named 26 plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the 27 defendants, none may seek relief on behalf of himself or any other member of the class."). Apple 28 and the Mobile Industry Defendants argue that Named Plaintiffs have failed to allege concrete, particularized injuries in fact to themselves, as opposed to "consumers" in general, and that the 2 tracking or disclosure of personal information does not establish an "economic loss" sufficient to 3 find an injury in fact. Plaintiffs respond that the Consolidated Complaint alleges at least three 4 types of injury in fact: (1) misappropriation or misuse of personal information; (2) diminution in 5 value of the personal information, which is an "asset of economic value" due to its scarcity; and (3) 6

"lost opportunity costs" in having installed the apps, and diminution in value of the iDevices 7 because they are "less secure" and "less valuable" in light of the privacy concerns. 9 purposes of the standing analysis under Article III, Plaintiffs' current allegations are clearly 10 insufficient. First, Defendants are correct. Despite a lengthy Consolidated Complaint, Plaintiffs do Consolidated Complaint. See Birdsong v. Apple, Inc., 590 F.3d 955, 960-61 (9th Cir. 2009) ("The 13 plaintiffs have not shown the requisite injury to themselves and therefore lack standing" under 14

Article III.) In Birdsong, the Ninth Circuit considered allegations that use of an Apple iPod, which 15 has the capability to produce sound as loud as 120 decibels, created a risk of hearing loss. 16

The plaintiffs do not claim that they suffered or imminently will suffer hearing loss from their iPod use. The plaintiffs do not even claim that they used their iPods in a way that

exposed them to the alleged risk of hearing loss. At most, the plaintiffs plead a potential risk of hearing loss not to themselves, but to other unidentified iPod users who might

The Court does not take lightly Plaintiffs' allegations of privacy violations. However, for not allege injury in fact to themselves. This failure alone is sufficient reason to dismiss the However, the Ninth Circuit ruled: 17 choose to use their iPods in an unsafe manner. The risk of injury the plaintiffs allege is not concrete and particularized as to themselves.

The same reasoning applies to Plaintiffs' allegations here. In the Consolidated Complaint, Plaintiffs do not identify what iDevices they used, do not identify which Defendant (if any) 23 accessed or tracked their personal information, do not identify which apps they downloaded that 24 access/track their personal information, and do not identify what harm (if any) resulted from the 25 access or tracking of their personal information. The allegations are especially slim with respect to 26

Defendant Apple. The Consolidated Complaint only alleges that the Mobile Industry Defendants (without differentiation) tracked and accessed personal information for commercial and marketing purposes. See, e.g., Consol. Compl. at ¶¶ 77-78, 83-84 (alleging misappropriation of personal 2 information and unauthorized access to personal information by Mobile Industry Defendants, but 3 not Apple).

a concrete harm from the alleged collection and tracking of their personal information sufficient to 6 create injury in fact. Although not binding, a recent case from the Central District of California is 7 instructive. See Genevive La Court v. Specific Media, Case No. SACV-10-1256-JW, 2011 U.S. Plaintiffs' current allegations suffer from another deficiency. Plaintiffs have not identified

Dist. LEXIS 50543 (C.D. Cal. Apr. 28, 2011). In Specific Media, plaintiffs accused an online third 9 party ad network, Specific Media, of installing "cookies" on their computers to circumvent user 10 privacy controls and to track internet use without user knowledge or consent. The court, however, "particularized example" of economic injury or harm to their computers, but instead offered only 14 abstract concepts, such as "opportunity costs," "value-for-value exchanges," "consumer choice," 15 and "diminished performance." Id. at *7-13. Other cases have held the same. See In re 16

Doubleclick, Inc., Privacy Litig., 154 F.Supp.2d 497');">154 F. Supp. 2d 497, 525 (S.D.N.Y. 2001) ("cookies" case, 17 holding that unauthorized collection of personal information by a third-party is not "economic 18 loss"); see also In re JetBlue Airways Corp., Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (airline's disclosure of passenger data to third party in violation of airline's privacy policy 20 had no compensable value). The same is true here: Plaintiffs have not yet articulated a "coherent 21 and factually supported theory" of injury. Plaintiffs have stated general allegations about the Mobile Industry Defendants, the market for apps, and similar abstract concepts (e.g., lost 23 opportunity costs, value-for-value exchanges), but Plaintiffs have not identified an actual injury to 24 themselves sufficient for Article III standing.

Plaintiffs cite two cases that are supposedly to the contrary. However, both cases are distinguishable. In Doe 1 v. AOL LLC, the court was "persuaded that Plaintiffs' allegations are 27 sufficient to demonstrate standing for purposes of seeking injunctive relief. The Complaint alleges 28 that AOL engages in a practice and policy of storing search queries containing confidential held that plaintiffs lacked Article III standing because: (1) they had not alleged that any named plaintiff was actually harmed by defendant's alleged conduct; and (2) they had not alleged any information, and that it has taken no steps to ensure that such information is not disclosed again in 2 the future." See Doe 1 v. AOL LLC, 719 F. Supp. 2d 1102, 1109 (N.D. Cal. 2010) (finding Article 3

AOL continued to publicly disclose Plaintiffs' highly sensitive personal information). The 5 information publicly disclosed included credit card numbers, social security numbers, financial 6 account numbers, and information regarding AOL members' personal issues, including sexuality, 7 mental illness, alcoholism, incest, rape, and domestic violence. Id. at 1111. Plaintiffs' current 8 allegations here come nowhere close to the specific allegations of public disclosure on the Internet 9 of highly sensitive personal information in AOL. Nor do Plaintiffs identify any active role on the 10 part of Defendants in disclosing to the public such highly sensitive personal information.

In the Facebook Privacy Litigation, the court held that plaintiffs had standing under the Wiretap Act. See id. at *13-14 ("the Court finds that Plaintiffs allege a violation of their statutory rights 15 under the Wiretap Act, 18 U.S.C. §§ 2510, et seq. The Wiretap Act provides that any person 16 whose electronic communication is 'intercepted, disclosed, or intentionally used' in violation of the 17

§ 2520(a). Thus, the Court finds that Plaintiffs have alleged facts sufficient to establish that they 19 have suffered the injury required for standing under Article III."). In the instant action, however, 20

Wiretap Act does not require a separate showing of injury, but merely provides that any person 22 whose electronic communication is "intercepted, disclosed, or intentionally used" in violation of 23 the Act may in a civil action recover from the entity which engaged in that violation. See U.S.C. § 2520(a). Plaintiffs, in the instant case, do not allege a violation of an analogous statute 25 which does not require a showing of injury.

In sum, as in Specific Media, "[i]t is not obvious that Plaintiffs cannot articulate some7 actual or imminent injury in fact. It is just that at this point they haven't offered a coherent and III standing requirements for the purposes of injunctive relief are met when Plaintiffs' alleged that 4 Plaintiffs also cite In re Facebook Privacy Litig., Case No. 10-02839-JW, 2011 U.S. Dist. LEXIS 60604 (N.D. Cal. May 12, 2011),as a case supporting their argument for standing. Not so. 13 Act may in a civil action recover from the entity which engaged in that violation. 18 U.S.C. 18 Plaintiffs have not made a claim under the Wiretap Act. Moreover, statutory standing under the factually supported theory of what that injury might be." See Specific Media, 2011 U.S. Dist. LEXIS 50543 at *15. 3

Defendants making it impossible to decipher, based on the current allegations, any causal chain.

2. Causation: Fairly Traceable to Defendants' Actions

Plaintiffs have also failed to allege any injury fairly traceable to Apple or to the Mobile Industry Defendants. In fact, Plaintiffs fail to differentiate among the eight Mobile Industry First, as noted above, there is no allegation that Apple misappropriated data, so there is no nexus 8 between the alleged harm and Apple's conduct. Plaintiffs' only allegation is that Apple "designed" 9 a platform in which Mobile Industry Defendants and absent app developers could ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.