1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 DAVID ANGEL SIFUENTES, 7 Case No. 25-cv-09666-JCS Plaintiff, 8 Related Case. No. 22-cv-3102 JCS v. 9 REPORT AND RECOMMENDATION GOOGLE, LLC RE DISMISSAL 10 Defendant. 11
12 13 I. INTRODUCTION 14 Plaintiff David Sifuentes, pro se, applied to proceed in forma pauperis and the Court 15 granted his application. See Docket No. 11. The Court now reviews the sufficiency of Plaintiff’s 16 complaint to determine whether it satisfies 28 U.S.C. § 1915(e)(2)(B). For the reasons set forth 17 below, the Court finds that Plaintiff does not allege facts establishing federal jurisdiction or state 18 any viable claim. Because Plaintiff has declined consent to magistrate jurisdiction under 28 19 U.S.C. § 636(c), this case shall be reassigned to a district judge with a recommendation that the 20 complaint be dismissed with leave to amend. 21 II. BACKGROUND 22 In the related case, 22-cv-3102 JCS (“the 3102 Case”), Plaintiff sued Google, Inc.,1 23 initially asserting claims based on alleged unauthorized charges on his bill for Google Fi cell 24 phone service. After the deadline to amend as-of-right had passed, the Court granted Plaintiff’s 25 request for leave to amend to add a claim for violation of 47 C.F.R. § 64.2401 (“Truth-in-Billing 26 Rules”). In his amended complaint, however, Plaintiff purported to add not only the Truth-in- 27 1 Billing Rules claim but also a series of claims based on an alleged data breach (“Data Breach 2 Claims”). Plaintiff filed the amended complaint on January 9, 2023. The factual allegations in the 3 amended complaint were as follows: 4 Concerning the data breach. Sifuentes first learned of the breach around December 2022. See Exhibit A. Google has been breached 5 numerous times since around 2009, and has never notified any Google users of the breach. Sifuentes has been a Google user since around 6 2010, and has used google and trusted the platform and email communication concerning his personal and private information. 7 Google has not let Sifuentes or the public know about the data breach therefore still covering it up. Sifuentes personal information has been 8 exposed for years. 9 First Amended Complaint, 3102 Case, dkt. no. 45 (“3102 FAC”) at 3. 10 On June 26, 2023, the Court struck the Data Breach Claims under Rule 12(f) of the Federal 11 Rules of Civil Procedure on the basis that those claims exceeded the scope of the Court’s 12 permission to amend the complaint. Dkt. no. 70 at 11-12. The Court made clear that in doing so, 13 it did not address the merits of those claims and therefore found it appropriate to address Google’s 14 challenge to them under Rule 12(f) rather than Rule 12(b)(6). Id. at 12 n. 8. The Court dismissed 15 Plaintiff’s remaining claims under Rule 12(b)(6). Id. at 17. Plaintiff appealed the dismissal of his 16 claims to the Ninth Circuit and the Ninth Circuit affirmed this Court’s rulings. See 3012 Case, 17 dkt. no. 80 (USCA Memorandum). The mandate issued on October 8, 2025. 18 In the instant action, initiated on November 10, 2025, Plaintiff states that he is “re- 19 assert[ing] the state-law claims dismissed without prejudice in Sifuentes v. Google, Inc., No. 22- 20 CV-03102-JCS (N.D. Cal. June 26 2023)[.]” Compl. at 1. He asserts the following state law 21 claims: 1) Negligence (California and Michigan Common Law); 2) Invasion of Privacy (Intrusion 22 and Public Disclosure); 3) Conversion and Breach of Bailment; 4) Failure to Implement 23 Reasonable Security Measures under Cal. Civ. Code§§ 1798.81.5 and 1798.82 and Michigan's 24 Identity Theft Protection Act, MCL 445.72; 5) Negligent and Intentional Infliction of Emotional 25 Distress; 6) Violation of Michigan Constitution Art. 10 § 2; 7) California Consumer Privacy Act 26 and Unfair Competition Law; and 8) Michigan Consumer Protection Act (MCL 445.901 et seq.). 27 Id. at 4-5. According to Plaintiff, “[t]he claims are timely” because “[t]he Ninth Circuit issued its 1 unadjudicated state counts and tolling any limitations period during the appeal.” Id. at 2. He also 2 asserts two new claims – one under the Fair Credit Reporting Act (“FCRA”), 15 U.S.C.§ 1681 et 3 seq., and the other under the Title II of the Telecommunications Act, 47 U.S.C. § 222, protecting 4 Customer Proprietary Network Information (“CPNI”). 5 Plaintiff alleges the following facts in the Complaint: 6 11. Plaintiff entrusted Google with private communications, contacts, billing data, and identifying information. 7
8 12. In October 2024, Google Fi Wireless sent Plaintiff a "Notice of Recent SIM Card Issue," admitting a manufacturing problem that 9 could expose service and data.
10 13. On July 30 2025, Google Fi sent a mandatory "Customer Proprietary Network Information (CPNI) Reminder" affirming its 11 legal duty to protect confidential network information.
12 14. Independent sources later confirmed Plaintiff's credentials appeared in the "Mother of All Breaches," a dataset of 183 million 13 accounts that included Google users.
14 15. Google had prior notice of deficient security practices through the Google Plus Class Action Settlement, Case No. 5:18-cv-06164-EJD 15 (N.D. Cal. 2020).
16 16. As a result of these breaches and concealment, Plaintiff has suffered emotional distress, identity-theft risk, and loss of privacy. 17 18 Id. at 2-3. He also alleges “equitable tolling” on the ground that he “first learned of Google’s 19 continuing breaches in 2025 when the CPNI notice and SIM card letter revealed ongoing data 20 exposure.” Id. at 5. 21 Plaintiff asserts that there is both diversity jurisdiction and federal question jurisdiction 22 over this action. Id. at 2. In support of diversity jurisdiction, he alleges that he is a citizen of 23 Michigan while Google, Inc. is a Delaware corporation based in California; he also alleges that 24 “the amount in controversy exceeds $75,000.” Id. He seeks $300,000 in actual damages and 25 $26,000,000 in punitive damages. Id. at 5. 26 III. ANALYSIS 27 A. Legal Standards Under 28 U.S.C. § 1915 1 to proceed in forma pauperis, courts must engage in screening and dismiss any claims which: 2 (1) are frivolous or malicious; (2) fail to state a claim on which relief may be granted; or (3) seek 3 monetary relief from a defendant who is immune from such relief. 28 U.S.C. § 1915(e)(2)(B); see 4 Marks v. Solcum, 98 F.3d 494, 495 (9th Cir. 1996). In addition, the Court must dismiss a 5 complaint where no basis for federal jurisdiction is apparent from the allegations. Cato v. United 6 States, 70 F.3d 1103, 1106 (9th Cir. 1995). 7 To state a claim for relief, a plaintiff must make “a short and plain statement of the claim 8 showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). Further, a claim may be 9 dismissed for “failure to state a claim upon which relief can be granted.” Fed. R. Civ. P.
Free access — add to your briefcase to read the full text and ask questions with AI
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 DAVID ANGEL SIFUENTES, 7 Case No. 25-cv-09666-JCS Plaintiff, 8 Related Case. No. 22-cv-3102 JCS v. 9 REPORT AND RECOMMENDATION GOOGLE, LLC RE DISMISSAL 10 Defendant. 11
12 13 I. INTRODUCTION 14 Plaintiff David Sifuentes, pro se, applied to proceed in forma pauperis and the Court 15 granted his application. See Docket No. 11. The Court now reviews the sufficiency of Plaintiff’s 16 complaint to determine whether it satisfies 28 U.S.C. § 1915(e)(2)(B). For the reasons set forth 17 below, the Court finds that Plaintiff does not allege facts establishing federal jurisdiction or state 18 any viable claim. Because Plaintiff has declined consent to magistrate jurisdiction under 28 19 U.S.C. § 636(c), this case shall be reassigned to a district judge with a recommendation that the 20 complaint be dismissed with leave to amend. 21 II. BACKGROUND 22 In the related case, 22-cv-3102 JCS (“the 3102 Case”), Plaintiff sued Google, Inc.,1 23 initially asserting claims based on alleged unauthorized charges on his bill for Google Fi cell 24 phone service. After the deadline to amend as-of-right had passed, the Court granted Plaintiff’s 25 request for leave to amend to add a claim for violation of 47 C.F.R. § 64.2401 (“Truth-in-Billing 26 Rules”). In his amended complaint, however, Plaintiff purported to add not only the Truth-in- 27 1 Billing Rules claim but also a series of claims based on an alleged data breach (“Data Breach 2 Claims”). Plaintiff filed the amended complaint on January 9, 2023. The factual allegations in the 3 amended complaint were as follows: 4 Concerning the data breach. Sifuentes first learned of the breach around December 2022. See Exhibit A. Google has been breached 5 numerous times since around 2009, and has never notified any Google users of the breach. Sifuentes has been a Google user since around 6 2010, and has used google and trusted the platform and email communication concerning his personal and private information. 7 Google has not let Sifuentes or the public know about the data breach therefore still covering it up. Sifuentes personal information has been 8 exposed for years. 9 First Amended Complaint, 3102 Case, dkt. no. 45 (“3102 FAC”) at 3. 10 On June 26, 2023, the Court struck the Data Breach Claims under Rule 12(f) of the Federal 11 Rules of Civil Procedure on the basis that those claims exceeded the scope of the Court’s 12 permission to amend the complaint. Dkt. no. 70 at 11-12. The Court made clear that in doing so, 13 it did not address the merits of those claims and therefore found it appropriate to address Google’s 14 challenge to them under Rule 12(f) rather than Rule 12(b)(6). Id. at 12 n. 8. The Court dismissed 15 Plaintiff’s remaining claims under Rule 12(b)(6). Id. at 17. Plaintiff appealed the dismissal of his 16 claims to the Ninth Circuit and the Ninth Circuit affirmed this Court’s rulings. See 3012 Case, 17 dkt. no. 80 (USCA Memorandum). The mandate issued on October 8, 2025. 18 In the instant action, initiated on November 10, 2025, Plaintiff states that he is “re- 19 assert[ing] the state-law claims dismissed without prejudice in Sifuentes v. Google, Inc., No. 22- 20 CV-03102-JCS (N.D. Cal. June 26 2023)[.]” Compl. at 1. He asserts the following state law 21 claims: 1) Negligence (California and Michigan Common Law); 2) Invasion of Privacy (Intrusion 22 and Public Disclosure); 3) Conversion and Breach of Bailment; 4) Failure to Implement 23 Reasonable Security Measures under Cal. Civ. Code§§ 1798.81.5 and 1798.82 and Michigan's 24 Identity Theft Protection Act, MCL 445.72; 5) Negligent and Intentional Infliction of Emotional 25 Distress; 6) Violation of Michigan Constitution Art. 10 § 2; 7) California Consumer Privacy Act 26 and Unfair Competition Law; and 8) Michigan Consumer Protection Act (MCL 445.901 et seq.). 27 Id. at 4-5. According to Plaintiff, “[t]he claims are timely” because “[t]he Ninth Circuit issued its 1 unadjudicated state counts and tolling any limitations period during the appeal.” Id. at 2. He also 2 asserts two new claims – one under the Fair Credit Reporting Act (“FCRA”), 15 U.S.C.§ 1681 et 3 seq., and the other under the Title II of the Telecommunications Act, 47 U.S.C. § 222, protecting 4 Customer Proprietary Network Information (“CPNI”). 5 Plaintiff alleges the following facts in the Complaint: 6 11. Plaintiff entrusted Google with private communications, contacts, billing data, and identifying information. 7
8 12. In October 2024, Google Fi Wireless sent Plaintiff a "Notice of Recent SIM Card Issue," admitting a manufacturing problem that 9 could expose service and data.
10 13. On July 30 2025, Google Fi sent a mandatory "Customer Proprietary Network Information (CPNI) Reminder" affirming its 11 legal duty to protect confidential network information.
12 14. Independent sources later confirmed Plaintiff's credentials appeared in the "Mother of All Breaches," a dataset of 183 million 13 accounts that included Google users.
14 15. Google had prior notice of deficient security practices through the Google Plus Class Action Settlement, Case No. 5:18-cv-06164-EJD 15 (N.D. Cal. 2020).
16 16. As a result of these breaches and concealment, Plaintiff has suffered emotional distress, identity-theft risk, and loss of privacy. 17 18 Id. at 2-3. He also alleges “equitable tolling” on the ground that he “first learned of Google’s 19 continuing breaches in 2025 when the CPNI notice and SIM card letter revealed ongoing data 20 exposure.” Id. at 5. 21 Plaintiff asserts that there is both diversity jurisdiction and federal question jurisdiction 22 over this action. Id. at 2. In support of diversity jurisdiction, he alleges that he is a citizen of 23 Michigan while Google, Inc. is a Delaware corporation based in California; he also alleges that 24 “the amount in controversy exceeds $75,000.” Id. He seeks $300,000 in actual damages and 25 $26,000,000 in punitive damages. Id. at 5. 26 III. ANALYSIS 27 A. Legal Standards Under 28 U.S.C. § 1915 1 to proceed in forma pauperis, courts must engage in screening and dismiss any claims which: 2 (1) are frivolous or malicious; (2) fail to state a claim on which relief may be granted; or (3) seek 3 monetary relief from a defendant who is immune from such relief. 28 U.S.C. § 1915(e)(2)(B); see 4 Marks v. Solcum, 98 F.3d 494, 495 (9th Cir. 1996). In addition, the Court must dismiss a 5 complaint where no basis for federal jurisdiction is apparent from the allegations. Cato v. United 6 States, 70 F.3d 1103, 1106 (9th Cir. 1995). 7 To state a claim for relief, a plaintiff must make “a short and plain statement of the claim 8 showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). Further, a claim may be 9 dismissed for “failure to state a claim upon which relief can be granted.” Fed. R. Civ. P. 12(b)(6); 10 see also Diaz v. Int’l Longshore and Warehouse Union, Local 13, 474 F.3d 1202, 1205 (9th Cir. 11 2007). In determining whether a plaintiff fails to state a claim, the court takes “all allegations of 12 material fact in the complaint as true and construe[s] them in the light most favorable to the non- 13 moving party.” Cedars-Sinai Med. Ctr. v. Nat’l League of Postmasters of U.S., 497 F.3d 972, 975 14 (9th Cir. 2007). However, “the tenet that a court must accept a complaint’s allegations as true is 15 inapplicable to legal conclusions [and] mere conclusory statements,” Ashcroft v. Iqbal, 556 U.S. 16 662, 678 (2009) (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007)), and courts “do not 17 necessarily assume the truth of legal conclusions merely because they are cast in the form of 18 factual allegations.” Coto Settlement v. Eisenberg, 593 F.3d 1031, 1034 (9th Cir. 2010) (internal 19 quotation marks omitted). The complaint need not contain “detailed factual allegations,” but must 20 allege facts sufficient to “state a claim to relief that is plausible on its face.” Id. at 678 (citing 21 Twombly, 550 U.S. at 570). 22 Where the complaint has been filed by a pro se plaintiff, courts must “construe the 23 pleadings liberally . . . to afford the petitioner the benefit of any doubt.” Hebbe v. Pliler, 627 F.3d 24 338, 342 (9th Cir. 2010). “A pro se litigant must be given leave to amend his or her complaint 25 unless it is absolutely clear that the deficiencies in the complaint could not be cured by 26 amendment.” Noll v. Carlson, 809 F.2d 1446, 1448 (9th Cir. 1987), superseded on other grounds 27 by statute, as recognized in Lopez v. Smith, 203 F.3d 1122 (9th Cir. 2000) (en banc). Further, 1 provide the litigant with notice of the deficiencies in his complaint in order to ensure that the 2 litigant uses the opportunity to amend effectively.” Id. (quoting Ferdik v. Bonzelet, 963 F.2d 3 1258, 1261 (9th Cir. 1992)). 4 B. Subject Matter Jurisdiction 5 The two most common forms of federal subject matter jurisdiction are federal 6 question jurisdiction under 28 U.S.C. § 1331 and diversity jurisdiction under 28 U.S.C. § 1332. 7 Diversity jurisdiction exists where all plaintiffs are citizens of different states from all defendants 8 and at least $75,000 is in controversy. Plaintiff has invoked both types of federal jurisdiction in 9 this case. The Court finds that Plaintiff has not alleged facts establishing diversity jurisdiction and 10 furthermore, that he has not stated any viable federal claim. It therefore concludes that the 11 complaint, as currently pled, does not establish any basis for federal jurisdiction. 12 With respect to diversity jurisdiction, Plaintiff has adequately alleged diversity of 13 citizenship by alleging that he is a citizen of Michigan and Google, Inc. is a Delaware corporation 14 based in California. See Compl. at p. 2. He has not, however, alleged any facts to show that the 15 amount-in-controversy requirement is met. To justify dismissal for failure to adequately allege the 16 $75,000 amount in controversy, “[i]t must appear to a legal certainty that the claim is really for 17 less than the jurisdictional amount.” Budget Rent–A–Car, Inc. v. Higashiguchi, 109 F.3d 1471, 18 1473 (9th Cir. 1997) (quoting St. Paul Mercury Indem. Co. v. Red Cab Co., 303 U.S. 283, 289 19 (1938)). That standard is met here. 20 As discussed above, Plaintiff’s complaint includes conclusory allegations that “the amount 21 in controversy exceeds $75,000,” that he suffered actual damages in the amount of $300,000 and 22 that he has suffered emotional distress. Yet he has not identified any specific data breach and he 23 has not alleged specific facts showing that any personal information disclosed was either the type 24 of information that would support an invasion of privacy claim or that he has suffered actual harm 25 from the disclosures. Further, he has alleged only a risk of identity theft, which may or may not 26 establish injury. As discussed below, the allegations relating to risk of identity theft here are not 27 sufficient to establish a cognizable injury and thus they also do not to meet the amount-in- 1 immediate risk of identity theft or any specific facts in connection with his alleged emotional 2 distress. See Sion v. SunRun, Inc., No. 16-CV-05834-JST, 2017 WL 952953, at *3 (N.D. Cal. 3 Mar. 13, 2017) (finding that “a bald assertion of emotional distress” did not suffice to show actual 4 damages where plaintiff alleged that the defendant had obtained her credit information as the 5 result of an unauthorized inquiry of Plaintiff's “consumer report.”). Therefore, the Court finds that 6 there is no diversity jurisdiction over this case. 7 The Court further concludes that Plaintiff has not demonstrated the existence of a federal 8 question because neither his FCRA claim nor his claim under 47 U.S.C. § 222 states a viable 9 claim. 10 C. Sufficiency of Claims 11 1. Federal Claims 12 a. FCRA Claim 13 “Congress enacted the [FCRA], 15 U.S.C. §§ 1681–1681x, in 1970 ‘to ensure fair and 14 accurate credit reporting, promote efficiency in the banking system, and protect consumer 15 privacy.’ ” Gorman v. Wolpoff & Abramson, LLP, 584 F.3d 1147, 1153–54 (9th Cir. 2009) 16 (quoting Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47(2007)). The FCRA achieves these objectives 17 by imposing obligations on consumer reporting agencies (“CRAs”). Id. “In addition, to ensure 18 that credit reports are accurate, the FCRA imposes some duties on the sources that provide credit 19 information to CRAs, called ‘furnishers’ in the statute.” Plaintiff here alleges that Google is a 20 “furnisher” under the FCRA. Compl. ¶ 17. 21 In Gorman, the Ninth Circuit summarized the obligations of furnishers under the FCRA as 22 follows: 23 Section 1681s–2 sets forth “[r]esponsibilities of furnishers of information to consumer reporting agencies,” delineating two 24 categories of responsibilities. Subsection (a) details the duty “to provide accurate information,” and includes the following duty: 25 (3) Duty to provide notice of dispute 26 If the completeness or accuracy of any information furnished by 27 any person to any consumer reporting agency is disputed to such information is disputed by the consumer. 1 § 1681s–2(a)(3). 2 Section 1681s–2(b) imposes a second category of duties on furnishers 3 of information. These obligations are triggered “upon notice of dispute”—that is, when a person who furnished information to a CRA 4 receives notice from the CRA that the consumer disputes the information. See § 1681i(a)(2) (requiring CRAs promptly to provide 5 such notification containing all relevant information about the consumer's dispute). Subsection 1681s–2(b) provides that, after 6 receiving a notice of dispute, the furnisher shall:
7 (A) conduct an investigation with respect to the disputed information; 8 (B) review all relevant information provided by the [CRA] 9 pursuant to section 1681i(a)(2) ...;
10 (C) report the results of the investigation to the [CRA];
11 (D) if the investigation finds that the information is incomplete or inaccurate, report those results to all other [CRAs] to which the 12 person furnished the information ...; and
13 (E) if an item of information disputed by a consumer is found to be inaccurate or incomplete or cannot be verified after any 14 reinvestigation under paragraph (1) ... (i) modify ... (ii) delete[or] (iii) permanently block the reporting of that item of 15 information [to the CRAs].
16 § 1681s–2(b)(1). These duties arise only after the furnisher receives notice of dispute from a CRA; notice of a dispute received directly 17 from the consumer does not trigger furnishers' duties under subsection (b). 18 19 Id. at 1154 (citing Nelson v. Chase Manhattan Mortgage Corp., 282 F.3d 1057, 1059–60 (9th 20 Cir.2002). The court went on to explain that “[t]he FCRA expressly creates a private right of 21 action for willful or negligent noncompliance with its requirements.” Id. (citing §§ 1681n & o; 22 and Nelson, 282 F.3d at 1059). “However, § 1681s–2 limits this private right of action to claims 23 arising under subsection (b), the duties triggered upon notice of a dispute from a CRA.” Id. 24 (citing 15 U.S.C. § 1681s–2(c) (“Except[for circumstances not relevant here], sections 1681n and 25 1681o of this title do not apply to any violation of ... subsection (a) of this section, including any 26 regulations issued thereunder.”)). “Duties imposed on furnishers under subsection (a) are 27 enforceable only by federal or state agencies.” Id. (citing 15 U.S.C. § 1681s–2(d)). 1 Google willfully and/or negligently violated these duties by: 2 a. Failing to maintain reasonable security protocols; 3 b. Failing to notify Plaintiff and consumer reporting agencies of data compromise; 4 c. Failing to offer credit-monitoring remedies; and 5 d. Concealing the scope and duration of breaches. 6 Compl. ¶ 19. Plaintiff alleges that these obligations arise under 15 U.S.C. § 1681s-2 and FTC 7 Safeguards Rule (16 C.F.R. Part 314), but § 1681s-2 does not establish any such obligations on the 8 part of furnishers and 16 C.F.R. Part 314 applies only to “the handling of customer information by 9 . . . financial institutions over which the Federal Trade Commission . . . has jurisdiction.” 16 10 C.F.R. § 314.1 (emphasis added). Under that part, “[a]n entity is a ‘financial institution’ if its 11 business is engaging in an activity that is financial in nature or incidental to such financial 12 activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 13 1843(k), which incorporates activities enumerated by the Federal Reserve Board in 12 CFR 14 225.28 and 225.86.” Id. As there are no allegations that suggest that Google falls within the 15 definition of a “financial institution,” any obligations set forth in 12 CFR part 314 are inapplicable 16 here. The Court further notes that even assuming that Google is a “furnisher” of information under 17 the FCRA and Plaintiff alleged that it violated duties set forth in §1681s-2(b) – the only duties as 18 to which civil liability on the part of a furnisher may arise – the prerequisite for bringing a private 19 cause of action under that section, namely, receipt of notice of dispute from a CRA, has not been 20 alleged. 21 Finally, the Court finds that Plaintiff has not demonstrated that he has Article III standing 22 to assert an FCRA claim against Google based on the vague facts alleged in the Complaint about 23 the data breach (or breaches) at issue in this case. “An injury sufficient to satisfy Article III must 24 be ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’ ” Susan 25 B. Anthony List v. Driehaus, 573 U.S. 149, 158 (2014) (quoting Lujan v. Defs. of Wildlife, 504 26 U.S. 555, 560 (1992)). “An allegation of future injury may suffice if the threatened injury is 27 ‘certainly impending,’ or there is a ‘substantial risk that the harm will occur.’ ” Id. (quoting 1 breaches, the leading case in the Ninth Circuit on this issue is Krottner v. Starbucks Corporation, 2 628 F.3d 1139 (9th Cir. 2010). 3 In Krottner, the court held that “[i]f a plaintiff faces a credible threat of harm . . . and that 4 harm is both real and immediate, not conjectural or hypothetical, . . . , the plaintiff has met the 5 injury-in-fact requirement for standing under Article III.” 628 F.3d 1139, 1143 (9th Cir. 2010) 6 (internal quotations and citations omitted). In that case, the court found that this standard was met 7 where the plaintiffs, who were Starbucks employees, “alleged a credible threat of real and 8 immediate harm stemming from the theft of a laptop containing their unencrypted personal 9 data[,]” including names, addresses, and social security numbers. Id. at 1140, 1143. 10 Subsequently, the Ninth Circuit made clear that it found Article III standing in Krottner 11 because of the “sensitivity of the personal information, combined with its theft.” In re 12 Zappos.com, Inc., 888 F.3d 1020, 1027 (9th Cir. 2018). It made clear that the focus of the inquiry 13 is whether the information disclosed as a result of the breach is “the type of information . . .[that] 14 can be used to commit identity theft[.]” Id. Thus, courts in the Ninth Circuit have reached 15 different conclusions concerning Article III standing depending on the type of personal 16 information that is alleged to have been disclosed as a result of the data breach. See, e.g., 17 Krottner, 628 F.3d at 1143 (finding Article III standing where stolen laptop contained names, 18 addresses and social security numbers of employees); In re Adobe Sys., Inc. Priv. Litig., 66 F. 19 Supp. 3d 1197, 1214 (N.D. Cal. 2014) (finding Article III standing where “hackers deliberately 20 targeted Adobe’s servers and spent several weeks collecting names, usernames, passwords, emails 21 addresses, phone numbers, mailing addresses, credit card numbers and expiration dates.”); c.f. 22 Greenstein v. Noblr Reciprocal Exch., 585 F. Supp. 3d 1220, 1227 (N.D. Cal. 2022) ( finding no 23 Article III standing where the data breach was alleged to have exposed the names, addresses, and 24 driver's license numbers of the Class Members); Antman v. Uber Techs., Inc. (Antman II), No. 15- 25 CV-01175-LB, 2018 WL 2151231, at *10 (N.D. Cal. May 10, 2018) (finding no Article III 26 standing where the data breach was alleged to have exposed names, drivers license numbers and 27 bank accounts and routing information). 1 information disclosed as a result of the breach or breaches that are the subject of his claim, he has 2 not demonstrated that it is highly sensitive or that its theft gives rise to a credible threat of harm 3 sufficient to confer Article III standing to assert his FCRA claim. Therefore, his FCRA claim fails 4 for this additional reason. 5 b. Telecommunications Act Claim 6 Under the Telecommunications Act, “[e]very telecommunications carrier has a duty to 7 protect the confidentiality of proprietary information of, and relating to, other telecommunication 8 carriers, equipment manufacturers, and customers, including telecommunication carriers reselling 9 telecommunications services provided by a telecommunications carrier.” 47 U.S.C.A. § 222(a). 10 Section 222 further provides that “[e]xcept as required by law or with the approval of the 11 customer, a telecommunications carrier that receives or obtains customer proprietary network 12 information by virtue of its provision of a telecommunications service shall only use, disclose, or 13 permit access to individually identifiable customer proprietary network information in its 14 provision of (A) the telecommunications service from which such information is derived, or (B) 15 services necessary to, or used in, the provision of such telecommunications service, including the 16 publishing of directories.” 47 U.S.C. § 222(c)(1). 17 The statute defines “Customer proprietary network information” as: 18 (A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a 19 telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the 20 carrier by the customer solely by virtue of the carrier-customer relationship; and 21
22 (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer 23 of a carrier;
24 except that such term does not include subscriber list information. 25 47 U.S.C.A. § 222(h)(1); see also People of State of Cal. v. FCC, 39 F.3d 919, 930 (9th Cir. 26 1994) (“CPNI is information about a telephone customer’s use of the telephone network, such as 27 the number of lines ordered, service location, type and class of services purchased, usage levels, 1 Plaintiff alleges that Google is a “telecommunications carrier” within the meaning of the 2 Telecommunications Act but he does not assert any authority in support of that assertion. On July 3 22, 2024, the FCC issued a rule deeming broadband internet service providers to offer a 4 “telecommunications service” under Title II of the Telecommunications Act, see 89 Fed. Reg. 5 45404-45556 (Safeguarding and Securing the Open Internet; Restoring Internet Freedom), but the 6 Sixth Circuit set aside that rule in In re MCP No. 185, 124 F.4th 993, 1007 (6th Cir. 2025), finding 7 that broadband internet service providers and mobile broadband service providers are not 8 telecommunications carriers and therefore are not subject to FCC regulation of 9 telecommunications carriers under Title II. Therefore, Plaintiff has not established that Google is 10 subject to the requirements of 47 U.S.C. § 222. 11 Even assuming that Google were a telecommunications carrier within the meaning of the 12 Telecommunications Act, Plaintiff has not alleged any facts about what specific personal 13 information was disclosed or even identified a particular data breach that led to the disclosure. 14 Thus, it is impossible to determine whether the information falls within the definition of CPNI set 15 forth above. Likewise, he has not alleged any concrete injury for the reasons discussed above and 16 therefore, he has not alleged facts establishing that he has Article III standing to assert a claim 17 under 47 U.S.C. § 222. 18 For these reasons, Plaintiff fails to state a claim under 47 U.S.C. § 222. 19 2. State Law Claims 20 Plaintiff asserts in his complaint numerous claims under California and Michigan law that 21 he says are the Data Breach Claims that he attempted to assert in the 3102 Case. In his Complaint, 22 however, each of these claims is alleged in an entirely conclusory manner, without identifying the 23 specific data breach (or breaches) that is the basis for the claim, when Plaintiff first learned of the 24 breach, what type of personal information was disclosed, and what actual damage he suffered as a 25 result of the breach. As a consequence, Plaintiff has not plausibly alleged any state law claim in 26 the Complaint or that any of those claims are timely. Nor do the allegations relating to the alleged 27 data breach(es) in the 3102 FAC, which were similarly vague and conclusory as to the facts ] Plaintiff asserts in this case. Indeed, the only factual allegations in the 3102 FAC that might be 2 || relevant here are the allegations in that case referencing Google data breaches starting in 2009, 3 || which suggest that the state law claims asserted in this case are untimely. See 3102 Case, dkt. no. 4 || 45 at p. 3. 5 || IV. CONCLUSION 6 For the reasons discussed above, it is recommended that the Court dismiss Plaintiff’ s 7 || Complaint with leave to amend for lack of subject matter jurisdiction and failure to state any claim 8 || under federal or state law. To the extent that Plaintiffis unable to cure the defects in his federal 9 || claims, it is further recommended that the Court decline to exercise supplemental jurisdiction over 10 || Plaintiff's state law claims under 28 U.S.C. § 1367(c)(3), which gives the district court discretion 11 to decline to exercise supplemental jurisdiction over state law claims where it has “dismissed all 12 || claims over which it has original jurisdiction.” Any objection to this Report must be filed within 13 || two weeks of the date on which Plaintiff receives a copy of this Report. 14 15 || Dated: April 10, 2026
J PH C. SPERO 2 18 nited States Magistrate Judge 19 20 21 22 23 24 25 26 27 28