In re Google, Inc. Privacy Policy Litig.

United States District Court, N.D. California, San Jose Division

July 21, 2014


For Robert B. De Mars, individually and on behalf of all others similarly situated, Lorena Barrios, individually and on behalf of all others similarly situated, Nicholas Anderson, Pedro Marti, Matthew Villani, Scott McCullough, Plaintiffs: Diane Zilka, LEAD ATTORNEY, PRO HAC VICE, Grant and Eisenhofer, Wilmington, DE; James J Sabella, PRO HAC VICE, Grant and Eisenhofer, Wilmington, DE; Kelly A. Noto, LEAD ATTORNEY, PRO HAC VICE, Gardy & Notis LLP, Englewood Cliffs, NJ; Kyle J McGee, LEAD ATTORNEY, PRO HAC VICE, Grant and Eisenhofer P.A., Wilmington, DE; Martin Stuart Bakst, LEAD ATTORNEY, Attorney at Law, Encino, CA; Annick Marie Persinger, Lawrence Timothy Fisher, Bursor & Fisher, P.A., Walnut Creek, CA; James S. Notis, PRO HAC VICE, Gardy & Notis, LLP, Englewood Cliffs, NJ; Jennifer Sarnelli, Mark C. Gardy, Gardy & Notis, LLP, Englewood Cliffs, NJ; Orin Kurtz, Gardy and Notis, LLP, New York, NY; Sarah Nicole Westcot, Bursor and Fisher, P.A., Walnut Creek, CA; Yeremey O. Krivoshey, Bursor Fisher, P.A., Walnut Creek, CA.

For David Nisenbaum, Plaintiff: Diane Zilka, LEAD ATTORNEY, PRO HAC VICE, Grant and Eisenhofer, Wilmington, DE; Kelly A. Noto, LEAD ATTORNEY, PRO HAC VICE, Gardy & Notis LLP, Englewood Cliffs, NJ; Kyle J McGee, LEAD ATTORNEY, PRO HAC VICE, Grant and Eisenhofer P.A., Wilmington, DE; Annick Marie Persinger, Lawrence Timothy Fisher, Bursor & Fisher, P.A., Walnut Creek, CA; Orin Kurtz, Gardy and Notis, LLP, New York, NY; Yeremey O. Krivoshey, Bursor Fisher, P.A., Walnut Creek, CA; Sarah Nicole Westcot, Bursor and Fisher, P.A., Walnut Creek, CA.

For Google, Inc., Defendant: Michael Henry Page, LEAD ATTORNEY, Durie Tangri LLP, San Francisco, CA.


PAUL S. GREWAL, United States Magistrate Judge.

Over two years ago, Plaintiffs[1] filed this lawsuit against Defendant Google, Inc. for commingling user data across different Google products and disclosing such data to third parties.[2] Since then, the court has twice dismissed Plaintiffs' claims. Google now moves for a third dismissal.

Like Rocky rising from Apollo's uppercut in the 14th round, Plaintiffs' complaint has sustained much damage but just manages to stand. The court GRANTS the motion, but only IN-PART.


This is a nationwide, putative class action against Google on behalf of all persons and entities in the United States that acquired a Google account between August 19, 2004 and February 29, 2012, and continued to maintain that Google account on or after March 1, 2012, when a new Google privacy policy went into effect. Plaintiffs also bring nationwide class claims against Google on behalf of (a) all persons and entities in the United States that acquired an Android-powered device between May 1, 2010 and February 29, 2012 and switched to a non-Android device on or after March 1, 2012 (the "Android Device Switch Subclass"); and (b) all persons and entities in the United States that acquired an Android-powered device between August 19, 2004 and the present, and downloaded at least one Android application through the Android Market and/or Google Play (the "Android App Disclosure Subclass").[4]

Google is a technology and advertising company that provides free web-based products to billions of consumers around the world. Google can offer its products free of charge due to its primary business model -- advertising. In 2011, Google's revenues were $37.91 billion, approximately 95% of which ($36.53 billion) came from advertising. In 2012, Google's revenues increased to $46.04 billion, approximately 95% of which ($43.69 billion) came from advertising.[5]

In order to accomplish this, Google logs personal identifying information, browsing habits, search queries, responsiveness to ads, demographic information, declared preferences and other information about each consumer that uses its products. Google's Gmail service also scans and discloses to other Google services the contents of Gmail communications. Google uses this information, including the contents of Gmail communications, to place advertisements that are tailored to each consumer while the consumer is using any Google product or browsing third-party sites that have partnered with Google to serve targeted ads.[6]

Before March 1, 2012, information collected in one Google product was not automatically commingled with information collected during the consumer's use of other Google products. Google did not, for instance, ordinarily and automatically associate a consumer's Gmail account (and therefore his or her name and identity, his or her private contact list, or the contents of his or her communications) with the consumer's Google search queries or the consumer's use of other Google products like Android, YouTube, Picasa, Voice, Google, Maps, Docs, and Reader.[7]

Google has always maintained a general or default privacy policy purporting to permit Google to "combine the information you submit under your account with information from other services."[8] However, before the introduction of the new privacy policy on March 1, 2012, this statement was qualified, limited, and contradicted in privacy policies associated with specific Google products, including both Gmail and Android-powered devices. The privacy policies associated with Android-powered devices, for example, specified that, although the default terms would generally apply, "[c]ertain applications or features of your Android-powered phone may cause other information [that is, other than certain delimited "usage statistics"] to be sent to Google but in a fashion that cannot be identified with you personally" and that "[y]our device may send us location information (for example, Cell ID or GPS information) that is not associated with your [Google] Account." These categories of information, and certain other discrete categories of Android user information, identified by the terms of the Android-powered device policy in effect prior to March 1, 2012, could affirmatively not be "combine[d] ... with information from other services."[9]

On March 1, 2012, however, Google replaced those policies with a single, unified policy that allows Google to comingle user data across accounts and disclose it to third-parties for advertising purposes.[10] Plaintiffs, who each either acquired a Google account or purchased an Android-powered device before or on February 29, 2012, were not pleased and filed this suit.

Plaintiffs brought their original complaint on March 20, 2012 and consolidated it with related actions on June 8, 2012.[11] The complaint presented a bare-bones theory that, by switching to the less-restrictive privacy policy without user consent, Google violated both its prior policies and consumers' privacy rights.[12] However, Plaintiffs did not plead facts sufficient to show concrete economic harm or prima facie statutory or common law violations, so the court dismissed the complaint for lack of standing.[13] Because the court was without jurisdiction to consider Plaintiffs' substantive allegations, the dismissal provided Plaintiffs leave to amend their complaint.[14]

Plaintiffs' first amended complaint, filed on March 7, 2013, expanded the bounds of the alleged classes, as well as the explanations of Plaintiffs' injuries.[15] After Google again moved to dismiss, the court held that Plaintiffs have sufficiently plead standing,[16] but nonetheless granted the motion because Plaintiffs did not plead sufficient facts to support any of their claims.[17] Although Plaintiffs were granted leave to amend, the court warned "that any further dismissal [would] likely be with prejudice."[18] The most significant allegations added concern Google's plan entitled "Emerald Sea."[19] Unveiled within Google as early as May, 2010,[20] Emerald Sea's apparent objective was "to reinvent [Google] as a social-media advertising company."[21] The plan's execution involves creating cross-platform dossiers of user data that would allow third-parties to better tailor advertisements to specific consumers.[22] Plaintiffs allege that despite this objective, Google left in place the prior policies in order to avoid tipping-off consumers.[23] They cast Emerald Sea as evidence of Google's intent to deceive consumers by disregarding existing privacy policies in pursuit of ad revenue.[24]

With these new allegations in place, Plaintiffs allege effectively the same harms as before. The class as a whole complains that commingling and disseminating user data violates Google's prior privacy policies and constitutes an unreasonable invasion of consumer privacy.[25] The Android Device Switch Subclass further complains that in order to avoid such an invasive policy, the class members replaced their Android devices and incurred costs in doing so.[26] Additionally, the Android Application Disclosure Subclass claims Google's disclosures to third parties caused increased battery and bandwidth consumption as well as invasions of Plaintiffs' statutory and common law privacy rights.[27] Plaintiffs frame these complaints within six legal theories: violations of the California Consumers Legal Remedies Act ("CLRA"), Federal Wiretap Act, Stored Electronic Communications Act, California's Unfair Competition Law ("UCL"), and common law theories of breach of contract and intrusion upon seclusion.[28]

Google now moves to dismiss this case once and for all, again arguing that Plaintiffs lack standing and have failed to plead facts sufficient to substantiate their claims.


A. Article III Standing

To satisfy Article III, a plaintiff "must show that (1) it has suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision."[29] A suit brought by a plaintiff without Article III standing is not a "case or controversy," and an Article III court lacks subject matter jurisdiction over the suit.[30] In that event, the suit should be dismissed under Fed. R. Civ. Pro. 12(b)(1).[31]

The injury required by Article III may exist by virtue of "statutes creating legal rights, the invasion of which creates standing."[32] In such cases, the "standing question . . . is whether the constitutional or standing provision on which the claim rests properly can be understood as granting persons in the plaintiff's position a right to judicial relief."[33] At all times the threshold question of standing "is distinct from the merits of [a] claim" and does not require "analysis of the merits."[34] The Supreme Court also has instructed that the "standing inquiry requires careful judicial examination of a complaint's allegations to ascertain whether the particular plaintiff is entitled to an adjudication of the particular claims asserted."[35]

B. Rule 12(b)(6)

A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief."[36] If a plaintiff fails to proffer "enough facts to state a claim to relief that is plausible on its face," the complaint may be dismissed for failure to state a claim upon which relief may be granted.[37] A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged."[38] Accordingly, under Fed.R.Civ.P. 12(b)(6), which tests the legal sufficiency of the claims alleged in the complaint, "[d]ismissal can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory."[39] "A formulaic recitation of the elements of a cause of action will not do."[40]

On a motion to dismiss, the court must accept all material allegations in the complaint as true and construe them in the light most favorable to the non-moving party.[41] The court's review is limited to the face of the complaint, materials incorporated into the complaint by reference, and matters of which the court may take judicial notice.[42] However, the court need not accept as true allegations that are conclusory, unwarranted deductions of fact, or unreasonable inferences.[43]

"Dismissal with prejudice and without leave to amend is not appropriate unless it is clear . . . that the complaint could not be saved by amendment."[44]


As in prior motions, Google attacks Plaintiffs' operative complaint on two fronts. First, it argues that Plaintiffs lack standing to bring their claims at all. Second, it argues that even if they have standing, Plaintiffs have once again failed to plead their claims in more than a conclusory manner, such that they must be dismissed under Iqbal and Twombly.

A. Standing

In its earlier order, the court explained that Plaintiffs had standing to raise their claims based on: (1) the greater discharge of battery power and system resources due to unauthorized activity; (2) the costs incurred by each named plaintiff when he bought a new phone after the policy change, since his initial phone choice was substantially driven by privacy concerns; (3) the injury incurred overpaying for Android devices based on Google's misrepresentation about certain features; (4) violation of statutory rights bestowed by the Wiretap Act; (5) violations of statutory rights bestowed by the Stored Communications Act and (6) violations of statutory rights bestowed by Cal. Civ. Code § 3344.[45] In light of the claims Plaintiffs now pursue, only the first two reasons remain pertinent. Google argues that those two do not give rise to Article III standing and that all of Plaintiffs' other injury theories "fail anew for the same reasons they failed last time."[46] Google separately argues Plaintiffs' standing based on an alleged risk of future harm from data commingling and disclosure to third parties is insufficient. As explained below, while the latter argument is persuasive, the former arguments are not.

1. Alleged Heightened Risks of Future Harms Do Not Confer Standing

Google initially challenges the Application Disclosure subclass' standing to bring its claims for unfair competition and intrusion upon seclusion.[47] Google argues that the heightened security risk Plaintiffs allege as a result of their data being disclosed to app developers does not amount to Article III injury-in-fact.[48] Indeed, this court's prior order held that unauthorized disclosure in and of itself did not confer standing.[49] In response to that order, however, Plaintiffs have expanded their allegations to explain that the relevant injury is not the mere unauthorized disclosure of user data, but rather the fact that such disclosure exposes users "to a substantially increased, unexpected, and unreasonable risk of further interception or dissemination of their personal information as well as of other adverse consequences, including harassment, receipt of unwelcome communications, and identity theft."[50]

The Ninth Circuit has recognized that the improper disclosure of personal information can give rise to standing based on the threat of future harm so long as that harm is credible, real, and immediate, and not merely conjectural or hypothetical.[51] But establishing such a credible, real, and immediate harm is no small feat. For example, in Low v. LinkedIn, the court found no such harm, even where a digital service provider was alleged to have disclosed information to (un)authorized third-parties.[52] Similarly, in Yunker v. Pandora, the court found insufficient harm to confer standing where the defendant, a music service provider, shared personal information without anonymizing it.[53] Each of these courts concluded that the alleged risk of future harm posed by the defendant's conduct was too conjectural and hypothetical to fall within the scope of the Ninth Circuit's standard.[54]

The alleged threat of future harm in this case is similarly conjectural. The information disclosure is markedly distinguishable from that in Krottner: there, disclosure was a result of laptop theft containing sensitive personal information of almost 100,000 Starbucks employees.[55] Here, no criminal activity is alleged to have been involved.[56] Google's authorized third-party disclosure not only differentiates this case from Krottner, but also brings it in line with Low and Yunker.[57]

2. Plaintiff Nisenbaum's Phone Replacement Still Confers Standing

Google's second argument against standing targets the injury that Nisenbaum asserts in bringing the Device Switch Subclass' UCL and CLRA claims. Google argues that Nisenbaum has not suffered an actual harm that would confer standing because (a) based on his purchase date, he was a party to a 2009 privacy policy--not the 2008 privacy policy upon which his claim is based--that expressly allows data commingling, and (b) the court's prior holding that phone replacement conferred standing no longer applies because he now alleges that Google's failure to disclose its intention to disregard its policy, rather than fear of data commingling, was the cause of replacement.[58] The court previously found standing based on Nisenbaum's allegation that he would not have replaced his Android but for Google's change in policy.[59]

Google's arguments are not persuasive. First, the court's granting Plaintiffs' motion to strike Google's submission of the 2009 privacy policy renders the first half of Google's argument moot. Accepting Plaintiffs' allegations as true, Nisenbaum was a party to the 2008 privacy policy giving rise to his claim. Second, and of more substantive import, the court's prior ruling that the economic injury resulting from Nisenbaum's phone replacement still applies.[60] Nisenbaum still alleges that but for the policy switch he would not have otherwise bought a new phone[61] and this injury is still fairly traceable to Google's (now allegedly fraudulent) prior policies.[62] In sum, although Nisenbaum's ostensible motivation for switching phones has changed from the first to the second amended complaint, his injury remains the same and Google's privacy policy is alleged to be the source of that injury. Nisenbaum's phone replacement therefore continues to bestow standing allowing him to bring UCL and CLRA claims on behalf of the Android Device Switch Subclass.

3. Battery Depletion Confers Standing

Google's third substantive argument against standing attacks the alleged injury to Plaintiffs' battery life caused by Google Play's unauthorized transmission of their information when they download an app.[63] As in previous complaints, the App Disclosure subclass has asserted breach of contract and unfair competition, based on the injury caused by decreased battery life.[64] Google argues that the claims giving rise to that injury are "now gone," and that there is now "no nexus between the claimed violation (Google Play disclosing account information to developers) and the claimed injury (battery use)."[65] Google's reasoning is that app developers access user data from Google Play's servers, not the user's individual phones, and therefore such optional access does not implicate phone battery consumption.[66]

Google's argument here--challenging the causal nexus between its alleged conduct and the Plaintiffs' alleged injury--requires a heavily and inherently fact-bound inquiry that the court may not reach at this stage in the litigation.[67] Google also concedes that its disclosure of user data causes the phones to send at least "a few bytes of name, email address, and zip code information."[68] Moreover, the court has already ruled that allegations of resource depletion, including battery power, give rise to standing,[69] and the App Disclosure subclass has alleged resource depletion stemming from Google's breach of contract and the UCL.[70] Whatever their ultimate merits, the subclass plainly has standing to raise those claims.

B. Sufficiency of the Pleadings

With the standing question resolved, the court next turns to the legal sufficiency of the claims alleged. At the outset, it is worth noting that this court's prior order found that Google is immune from the claims alleged under the Wiretap Act because of its status as a provider of electronic communication services,[71] and Plaintiffs have not amended or altered their claim to avoid that immunity in this iteration. Similarly, the court's prior order determined that Google is not subject to liability under the Stored Communications Act based on the conduct alleged,[72] and again, Plaintiffs have not amended their claim to suggest a different result. The breach of contract claim on behalf of the entire class falls for the same reason.[73] While Plaintiffs have successfully preserved these issues for appellate review, they are once again dismissed for failure to state a claim in the current proceeding.

1. CLRA Claim on Behalf of Device Switch Subclass

Plaintiffs' first cause of action seeks recovery under Sections (a)(5), (7), (9), (14) and (16) of the CLRA on behalf of the Device Switch Subclass. It is based on the theory that Google drafted its 2008 Android Policy with the intent of deceiving potential purchasers of Android devices into buying them based on the promise that Google would not associate device-related information (such as the device's IMEI) with a user's account, that Google had a secret plan to change that policy, and that "[h]ad Google disclosed in June 2010 that it did not intend to honor the terms of the 'Android-powered device privacy policy' at that time, Plaintiff Nisenbaum would not have purchased his Android device."[74] The CLRA proscribes representations that goods or services have characteristics that they do not have, representations that goods or services are of a particular standard when they are not, advertisement of goods with the intent not to sell them in the manner advertised, representations that a transaction conveys rights that it does not, and representations that the subject of a transaction has been conveyed in accordance with terms of a previous transaction, when it has not. In order to recover, Plaintiffs also must allege facts to establish that they relied on the misrepresentations in question, and that in so relying, they suffered damage.[75] These allegations are subject to Rule 9(b)'s heightened pleading standards.[76]

Google first argues that Plaintiffs' CLRA claim should fail because software is neither a good nor a service as required for liability under Cal. Civ. Code § 1770. However, Plaintiffs' allegations are not premised on the sale of the apps, but the sale of the Android device itself.[77] Plaintiffs allege that the same hardware that was the subject of the relevant sale was also subject to the privacy policy at issue.[78] The Android-powered device is the "tangible chattel" that makes Google the proper target of a CLRA claim.[79] Additionally, under the CLRA, the stream of commerce does not vitiate liability for alleged affirmative misrepresentations made by manufacturers that do not sell directly to customers.[80] Plaintiff's CLRA claim is not based upon an omission, rather, Plaintiffs allege that through its privacy policy, Google "intentionally misrepresented the ability of Nisenbaum and other members of the Android Device Switch Subclass to prevent the association and commingling of their personal information."[81] Therefore, Plaintiffs need not allege a direct sale between Google and themselves to establish their CLRA claim.[82]

In its prior order, the court dismissed all of Plaintiffs' theories of recovery under the CLRA because Plaintiffs did not allege that Google intended to use their information in a manner other than was advertised at the time that Plaintiffs purchased devices and registered for accounts.[83] That omission has been remedied in the current version of the complaint.[84] However, the CSAC suffers from another, equally fatal omission: it never alleges that Nisenbaum or any other member of the subclass read, heard, saw or were in any way aware of Google's operative privacy policy.[85] If Nisenbaum and the other members of his subclass did not see, read, hear or consider the terms of Google's then-active privacy policy before creating their account, they could not have relied on any representation it contained in making their decisions to purchase Android phones, and without affirmatively alleging reliance on Google's misrepresentations, the CLRA claim cannot survive.

Plaintiffs try to dodge this flaw in their claim with three arguments. First, they argue that "CLRA jurisprudence is abundantly clear that the reliance element is satisfied with allegations that 'the plaintiff 'in all reasonable probability' would not have engaged in the injury-producing conduct' absent the misrepresentation or omission."[86] This argument is problematic for several reasons, but the most glaring is that every case Plaintiffs cite in its support concerns the UCL, not the CLRA.[87] Furthermore, in two of those three cases, the plaintiff had clearly alleged that he or she was exposed to the misrepresentation,[88] and the parties were simply fighting about whether the complaint spelled out that the plaintiff had relied on it in deciding to pursue the injury-inducing conduct.[89] This complaint lacks the predicate allegation (exposure), which precludes the court from considering reliance. Second, Plaintiffs argue that reliance may be presumed from a material omission.[90] That is certainly true in a case based on a theory of non-disclosure, but here, Plaintiffs' theory is that they made their purchasing decision based on affirmative, fraudulent representations.[91] Third, Plaintiffs argue that the court can and should reasonably infer that "Nisenbaum was exposed to the 2008 Android Policy or 2009 Mobile Policy terms during the registration process" for his Android account.[92] However, that exposure would not have occurred until "after [Nisenbaum purchased] his Android device,"[93] at which point, it would not be reasonable to infer that Nisenbaum relied on the policy in deciding to purchase the device.

In short, although it was properly directed at Google, the Device Switch Subclass' CLRA claim must be dismissed once again based on deficient pleadings.[94]

2. UCL Claim on Behalf of Device Switch Subclass

California's UCL provides a private cause of action for users who are harmed by unfair, unlawful, or fraudulent business practices.[95] Plaintiffs plead their UCL claim under all three prongs. To sustain a claim under the unlawful prong, Plaintiffs must allege facts that, if proven, would demonstrate that Defendant's conduct violated another, underlying law.[96] If the unlawful conduct is part of a uniform course of fraudulent conduct, it must meet Rule 9(b)'s heightened pleading standards.[97] Under the fraudulent prong, Plaintiffs must allege specific facts to show that the members of the public are likely to be deceived by the actions of the defendant.[98] The Ninth Circuit has established that this prong always is subject to Fed. Rule Civ. P. 9(b)'s heightened pleading requirements.[99] With respect to Plaintiffs' claim under the UCL's unfair prong, "[t]he standard for determining what business acts or practices are 'unfair' in user actions under the UCL is currently unsettled."[100] Generally speaking, "[a]n unfair business practice under the UCL is "one that either offends an established public policy or is immoral, unethical, oppressive, unscrupulous, or substantially injurious to users."[101] To determine whether a business practice is unfair, a court should consider "the impact of the practice or act on its victim, balanced against the reasons, justifications and motives of the alleged wrongdoer;" this prong of the UCL should be used to "enjoin deceptive or sharp practices."[102]

Plaintiffs' claim under the unlawful prong of the UCL is based entirely on their CLRA claim.[103] As the CLRA claim fails, so does the derivative UCL claim. Plaintiffs' claim under the fraudulent prong of the UCL also fails for the same reason that the CLRA claim failed: the complaint does not allege reliance.[104]

Plaintiffs' claim under the unfair prong of the UCL fails as well, but for a different reason. Their unfairness theory is best understood in a three-step syllogism: (1) Plaintiffs have a right to privacy under the California Constitution; (2) Google's conduct "resulted in a violation of" that right to privacy, therefore (3) Google's conduct ran afoul of the UCL.[105] Contrary to Google's suggestion that the harms alleged in this claim are the same as they were in the previous iterations, this framework offers a new and different theory of recovery.[106] Unfortunately for Plaintiffs, it is no more successful. A necessary piece of the theory is that Google's conduct violated Plaintiffs' right to privacy under the California Constitution, yet they have not alleged facts to support that assertion. To prove a claim under the California Constitutional right to privacy, a plaintiff must plead three elements: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy under the circumstances; and (3) conduct by the defendant that amounts to a serious, egregious invasion of the protected privacy interest.[107] Even if Plaintiffs have sufficiently alleged the first two elements, they have not met the third. Courts in this district have consistently refused to characterize the disclosure of common, basic digital information to third parties as serious or egregious violations of social norms.[108] The conduct at issue in this case is neither sufficiently different from prior cases nor sufficiently beyond the pale of social norms to justify such a characterization here.

As the theories of harm fail under all three prongs of the UCL, the Device Switch Subclass' claim under the UCL is dismissed.

3. Breach of Contract Claim on Behalf of App Disclosure Subclass

Plaintiffs' third through fifth causes of action are brought on behalf of the App Disclosure subclass. The first is the breach of contract claim, which underlies this subclass' other claims.

"Under California law, the elements of a breach of contract claim are: (1) the existence of a contract, (2) plaintiff's performance or excuse for nonperformance, (3) defendant's breach, and (4) resulting damage to plaintiff."[109] The court's prior order dismissed Plaintiffs' breach of contract claim because an express provision in the contract at issue allowed data commingling.[110] The complaint now adequately states a claim for breach of contract solely on behalf of the Android App Disclosure Subclass.[111] The complaint alleges: (1) that the subclass "entered into a contract with Google by registering for an Android Market/Google Play account, the key terms of which were provided in the relevant terms of service and privacy policies,"[112] (2) the specific terms at issue;[113] (3) that Google breached those terms by disclosing user data to third parties following every download or purchase of an app[114] and (4) resulting damages in the form of resource consumption.[115]

Google argues that the complaint fails to state a breach of contract claim for three reasons.[116] First, it argues that the claim fails because the complaint fails to identify when the class members made their App purchases via Google Play, making it impossible to determine what privacy policy governed those transactions.[117] This argument misstates the complaint and is thus unpersuasive. The complaint alleges that Google used an ever-changing array of privacy policies that varied by device, platform and service, including "the Google Wallet privacy policy, the Google Play terms of service, the Android-powered device privacy policy, and the general or default Google privacy policy," that one of these policies was in place at the time of each transaction[118] and what provisions of the policies were allegedly violated.[119] Although these allegations may not be sufficient to sustain a fraud claim subject to Rule 9(b), this is a simple breach of contract claim subject to Rule 8. Under these laxer standards, the allegations will suffice.

Google's second and third arguments also are unpersuasive. The second--that Plaintiffs are not parties to the general privacy policy on which they base their claims[120] --fails for the same reason that it did when posed against Nisenbaum's standing: Google's 2009 policy is not properly before the court. The third--that Plaintiffs fail to point to any explicit terms in the contracts they allegedly breached[121] -- is simply false. Paragraph 130 points to a term in the Android device policy that assures consumers that although Google " may share non-personal, aggregated information with certain third parties . . . such information will not identify you personally." [122] Paragraph 132 spells out that " [t]he November 16, 2011 Google Wallet Privacy Policy states that Google may share personal information outside Google only in certain defined circumstances. For
example, that policy states that Google may share personal information with third parties '[a]s necessary to process your transaction and maintain your account. As with any credit card payment, if you process a credit card transaction through the Processing Service, we need to share some information (for example, your name and credit card number) with the banks and other entities in the financial system that process credit card transactions.'" [123] However, that same provision allegedly assures consumers that when additional information, such as a telephone number, is required, " you will be notified before you complete your transaction." [124] Finally, the complaint alleges that Google's general privacy policy specifically provides that it " restrict[s] access to personal information to Google employees, contractors and agents who need to know that information in order to process it on our behalf. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations." [125]

4. Intrusion Upon Seclusion Claim on Behalf of App Disclosure Subclass

As the court previously admonished Plaintiffs, to assert an intrusion upon seclusion claim, a plaintiff must plead facts in support of two elements: " 1) intrusion into a private place, conversation or matter, and 2) in a manner highly offensive to a reasonable person. . . . To show intrusion, a plaintiff must have 'an objectively reasonable expectation of seclusion or solitude in the place, conversation or data source,' and the defendant must have 'penetrated some zone of physical or sensory privacy surrounding, or obtained unwanted access to data about, the plaintiff.'" [126] In this context, " the concept of 'seclusion' is relative. The mere fact that a person [or their information] can be seen by someone does not automatically mean that he or she can legally be forced to be subject to being seen by everyone." [127] Courts have recognized facts sufficient to support these elements in the context of repeated phone calls,[128] eavesdropping on workplace conversations,[129] and unauthorized email review.[130]

Google argues that the court should simply stick with its prior holding that commingling of user data is an inadequate allegation for an intrusion claim.[131] But to so rule would fail to recognize Plaintiffs' new theory: that the intrusion at issue is disclosure to third-party developers contrary to Google's own policies.[132]

The court nonetheless cannot find that Plaintiffs have stated a claim under their revised theory either. This district " set[s] a high bar" for the requisite " intrusion [that is] highly offensive to a reasonable person." [133] Just as In re iPhone Application Litig.'s analogous facts were informative on the issue of standing, they also teach here that Plaintiffs' allegations do not plausibly rise to the level of intrusion necessary to establish an intrusion claim.[134] Plaintiffs' intrusion claims are therefore dismissed.

5. UCL Claim on Behalf of App Disclosure Subclass

Plaintiffs' fifth cause of action is another UCL claim, this time on behalf of the App Disclosure subclass. The App Disclosure subclass seeks recovery under two of the three prongs of the UCL, one of which is easily disposed of by this court's prior order. Their theory under the unfair prong of the UCL is that members of the App Disclosure subclass were lured into believing that their personal information would be closely guarded while Google encouraged them to " make Android devices and applications indispensable to their lives; " they were therefore trapped when Google implemented policies " from which they cannot effectively opt out." [135] In its last order, the court found that the " benefit to users in receiving free, 'indispensable services' offsets much of the harm they may suffer" as a result of being subjected to the changed policies. Plaintiff presents no persuasive reason to alter that holding here. As such the unfair prong of the App Disclosure subclass' UCL claim fails.

The App Disclosure subclass' claim under the fraudulent prong of the UCL, however, carries weight. As described above, under the fraudulent prong of the UCL, Plaintiffs must plead specific facts to show that the members of the public are likely to be deceived by the actions of the defendant and that Plaintiffs both relied on and were harmed by those actions.[136] Here, they allege that Google left a privacy policy in place which led consumers to believe that access to their data would be limited to certain groups,[137] even though it knew that it planned to distribute the data outside of those groups.[138] These allegations fill ten pages with extensive detail about the plan and its concealment, such that they clear the bar of Rule 9(b). Plaintiffs also successfully plead that they relied on these policies in making the decision to use Google Play
and download Android applications.[139] Finally, Plaintiffs plead that they have suffered the loss of battery power and other system resources as a result of Google's fraudulent and surreptitious conduct. Once again, whatever the ultimate merits of this claim, the App Disclosure Subclass has stated a claim for relief that may go forward.


After running each claim (and subclaim) of each class (and subclass) through the gauntlet of constitutional and procedural hurdles, two claims remain: the App Disclosure Subclass' breach of contract claim, and the fraudulent prong of the App Disclosure Subclass' UCL claim. Plaintiffs may proceed on these two causes of action alone. Because the court warned Plaintiffs in its last order that any future dismissal would likely be with prejudice,[140] and because the thorough nature of the allegations presented persuades the court that any and all omissions were intentional, all other causes of action dismissed in this order are dismissed with prejudice and without leave to amend. It is time for this case to move forward.

