Flores-Mendez v. Zoosk, Inc.

• Court: District Court, N.D. California
• Decided: February 7, 2022
• Docket: 3:20-cv-04929
• Status: Unknown

Opinion

1 2 3 4 5 6 UNITED STATES DISTRICT COURT 7 NORTHERN DISTRICT OF CALIFORNIA 8

10 JUAN FLORES-MENDEZ, an individual and AMBER COLLINS, an individual, and 11 on behalf of classes of similarly situated No. C 20-04929 WHA individuals, 12

Plaintiffs,

13 ORDER RE MOTION TO AMEND v. 14 ZOOSK, INC., a Delaware corporation, 15 Defendant. 16

17 INTRODUCTION 18 In this putative class action by data-breach victims, plaintiffs move for leave to file a 19 third amended complaint. For the reasons that follow, and to the extent stated, the motion is 20 GRANTED. 21 STATEMENT 22 A prior order detailed the facts (Dkt. No. 93). In brief, plaintiffs Juan Flores-Mendez and 23 Amber Collins used defendant Zoosk, Inc.’s online dating platform. Zoosk offered a free 24 service. It also offered a premium subscription service for a fee. As alleged, all customers 25 provided their personal information to Zoosk upon joining. Zoosk’s website posted its privacy 26 policy, which allegedly contained the company’s data-security-related representations. 27 Plaintiffs allege injury from a massive data breach in May 2020, which allegedly occurred 1 because Zoosk failed adequately to protect plaintiffs’ personal information (Proposed Third 2 Amd. Compl. ¶¶ 49–52). 3 An order dated January 30, 2021, granted in part and denied in part Zoosk’s motion to 4 dismiss, noting that plaintiffs’ first amended complaint had not alleged a right by either Collins 5 or Flores-Mendez to sue under California Business & Professions Code Section 17200 (Dkt. 6 No. 61). Plaintiffs subsequently filed a motion for leave to amend, which attached a second 7 amended complaint. It alleged that before the announcement of the data breach, plaintiff 8 Flores-Mendez and other subscription customers had paid for a premium subscription service 9 (putatively, the subscription class). By contrast, Collins and others did not pay for Zoosk 10 services (Sec. Amd. Compl. ¶¶ 3, 13, 27). Zoosk opposed the motion to amend and cross- 11 moved to dismiss the Section 17200 claim (Dkt. Nos. 79, 80). An order filed on October 5, 12 2021, granted plaintiffs’ motion for leave to amend and granted Zoosk’s motion to dismiss, all 13 as to the Section 17200 claim. The same order invited plaintiffs again to move for leave to 14 amend their complaint with respect to their Section 17200 claim, while “plead[ing] their best 15 case” (Dkt. No. 93). 16 Plaintiffs now file a proposed third amended complaint concurrently with a motion for 17 leave to amend (Dkt. No. 95). The proposed third amended complaint has revised the Section 18 17200 claim, which now applies only to Flores-Mendez and members of a putative 19 subscription class. It also now details Zoosk’s then-current privacy policy. It has also added 20 allegations about the personal information provided by Flores-Mendez to Zoosk. Flores- 21 Mendez now alleges he would have stopped using Zoosk, stopped providing his personal 22 information, and stopped paying for Zoosk’s services had Zoosk properly notified him that its 23 security was inadequate and that it was not complying with its privacy policy. This order 24 follows full briefing and a hearing held telephonically. At the hearing, Zoosk was offered an 25 opportunity to file a supplemental brief in response to an issue raised for the first time on reply. 26 Zoosk did so timely (Dkt. No. 123; Proposed Third Amd. Comp. ¶¶ 100–10, 35–45, 46–47). 27 1 ANALYSIS 2 FRCP 15(a)(2) permits a party to amend its pleadings with the court’s leave. The rule is 3 a lenient standard dictating that leave to amend shall be freely given when justice requires it. 4 See DCD Programs, Ltd. v. Leighton, 833 F.2d 183, 185–186 (9th Cir. 1987). In so 5 determining, a district court considers: (1) bad faith; (2) undue delay; (3) prejudice to the 6 opposing party; (4) futility of amendment; and (5) whether the plaintiff has previously 7 amended the complaint. See Johnson v. Buckley, 356 F.3d 1067, 1077 (9th Cir. 2004). 8 Prejudice “carries the greatest weight” in this analysis. Eminence Cap., LLC v. Aspeon, Inc., 9 316 F.3d 1048, 1052 (9th Cir. 2003). For purposes of assessing futility on this motion, the 10 legal standard is the same as it would be on a motion to dismiss under FRCP 12(b)(6). See 11 Miller v. Rykoff-Sexton, Inc., 845 F.2d 209, 214 (9th Cir. 1988). 12 This order finds (1) no sign of bad faith; (2) minimal undue delay; and (3) no significant 13 prejudice to Zoosk. As for (5), plaintiffs have had prior — but not yet excessive — 14 opportunities to amend. 15 This order focuses on (4), futility. As described below, the proposed amendment to the 16 Section 17200 claim has cured the failure to allege economic injury required for statutory 17 standing, rendering the motion not futile. Here follow the relevant new or revised paragraphs 18 alleged in the third amended complaint, as this order understands them (Proposed Third Amd. 19 Comp. ¶¶ 35, 42, 45, 46 (emphasis added)). (Plaintiffs failed to note any specific paragraph, 20 instead arguing that the “Proposed Third Amended Complaint at ¶¶xx” “remedied” the 21 “deficiencies” (Br. 7).) 22 35. When Plaintiff Flores-Mendez signed up for his account with Zoosk in or about 2015 or 2016, Zoosk’s then-current Privacy Policy 23 explained, in relevant part “how information about [consumers] or associated with [consumers]’ (‘Personal Information’) is collected, 24 used and disclosed by Zoosk,” including when Plaintiff Flores- Mendez and other users “use[d Zoosk’s] services through [Zoosk’s] 25 websites linked to th[e Privacy] Policy, as well as [Zoosk’s] products and applications (including Zoosk’s mobile applications, 26 downloadable products and applications and pages operated by Zoosk on social networking sites and other platforms) (collectively, 27 the ‘Services.’”[)] 42. Zoosk bound all parties, including Plaintiffs and Class Members 1 alike, to the Privacy Policy, stating that “By registering, using or subscribing to the Services, you confirm that you have read and 2 consent to” the portions of the Privacy Policy described, supra ¶¶ 36–41. . . . 3 * * * 4 45. Because Zoosk’s then-current Privacy Policy presumed that any 5 consumer who used Zoosk’s Services read the Privacy Policy, and also compelled consent of those consumers through use of the 6 Services, Zoosk was bound by those promises to Plaintiffs and Class Members. 7 46. With these binding terms in place, Plaintiff Flores-Mendez 8 continued to pay for Zoosk’s Services, and also continued to provide his PII . . . . 9 10 Flores-Mendez advances several theories of economic standing. First, he argues for 11 standing via a “benefit-of-the-bargain” theory of economic damages under Section 17200. 12 This putative class allegedly lost money because Zoosk’s misrepresentations in the privacy 13 policy caused the subscription subclass to pay at all or to pay more than they would have 14 otherwise for Zoosk’s premium subscription. Second, he argues that the paying subscribers 15 lost money because the privacy policy constituted a contract to which Zoosk bound all 16 consumers. Thus, Zoosk’s failure to abide by its policy constituted a breach of contract for the 17 subscription subclass. The latter breach-of-contract point plaintiffs raised for the first time on 18 reply, but Zoosk has since addressed it in a supplemental filing (Dkt. No. 123). 19 Here are the rulings. 20 1. STANDING. 21 The proposed third amended complaint this time adequately alleges reliance. For a 22 Section 17200 claim theorizing that plaintiffs read and considered alleged misrepresentations, 23 the claim generally must plead “actual reliance.” In re Tobacco II Cases, 46 Cal.4th 298, 324– 24 26 (2009) (excepting cases with massive advertising campaigns). Both sides appear to agree 25 on this point (Rep. Br. 3; Opp. 4). Plaintiffs’ proposed third amended complaint has now 26 successfully pleaded when and how plaintiffs encountered Zoosk’s allegedly misleading 27 statements or omissions in the privacy policy (cf. Dkt. No. 93 at 6–7; Opp. Br. 4–5). Zoosk 1 consent[ed] to” the relevant privacy policies on the website and, simultaneously, that Flores- 2 Mendez has not read them (Third Amd. Compl. ¶ 42). This is “nonsensical” (Opp. Br. 4). 3 To state reliance, a complaint must allege the unfair conduct “was an immediate cause” 4 of the economic loss. In re Tobacco, 46 Cal.4th at 328. That is, it must plead that the data- 5 privacy assurances mattered to Flores-Mendez (and putative subscription class members) when 6 he (they) decided to purchase a subscription. Even, as here, when Flores-Mendez does not 7 hook his Section 17200 claim on fraud, the logic applies. In re Tobacco addressed standing, 8 and its reasoning did not depend upon the substantive theory of liability (there, fraud). Rather, 9 In re Tobacco simply explained reliance on misrepresentations as one way in which plaintiffs 10 may allege that economic loss came “as a result of the unfair competition.” Cal. Bus. & Prof. 11 Code § 17204; see also In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 12 3727318, at *20 (N.D. Cal. Aug. 30, 2017) (Judge Lucy H. Koh). 13 True, other decisions have found that clicking through and certifying that one had read 14 certain representations did not adequately allege that one had relied thereon. See In re iPhone 15 Application Litig., 6 F. Supp. 3d 1004, 1025 (N.D. Cal. 2013) (Judge Lucy H. Koh) (having to 16 “scroll through” and click “agree” to a privacy policy didn’t indicate that the consumers 17 “underst[ood]” the policy). In another decision, In re Yahoo! Inc. Customer Data Sec. Breach 18 Litig., the same court likewise found that allegations of consumers scrolling and clicking to 19 assent did not establish that they “actually read” the misrepresentations, absent further 20 allegations. 2017 WL 3727318, at *28. Notwithstanding these decisions, this order holds that 21 our facts warrant a different outcome. 22 Zoosk’s own terms prove that that plaintiffs consented to the privacy policy. Read and 23 consented to means understood. And, Flores-Mendez has alleged that he would have cancelled 24 his subscription had Zoosk disclosed its true data-security practices (Proposed Third Amd. 25 Compl. ¶ 47). See Kwikset Corp. v. Superior Ct., 51 Cal. 4th 310, 330 (2011) (alleging the 26 plaintiff “would not have bought the product but for” the unfair business practice). Our 27 allegedly misleading statements, which relate to data security, feature centrally in the privacy 1 would find them important enough to affect their decision to purchase. Note that it does not 2 matter that all customers were presumed to agree to the policy upon sign up, but that Flores- 3 Mendez subsequently decided to purchase the subscription. Critically, at the time of purchase, 4 it’s alleged that Zoosk had already presumed that Flores-Mendez knew of and consented to the 5 privacy policy. Thus, Flores-Mendez has sufficiently alleged a loss of money or property as a 6 result of the alleged Section 17200 violation. 7 Zoosk argues against following the logic of McCoy v. Alphabet, Inc., 2021 WL 405816 8 (N.D. Cal. Feb. 2, 2021) (Judge Susan Van Keulen). That decision found standing adequate 9 when the complaint alleged simply that defendant “claims to obtain [consumers’] ‘consent’” to 10 various allegedly misleading statements “during the Android setup process.” Complaint, 20- 11 cv-05427, ECF No. 1 ¶¶ 33 (emphasis added), see also ¶¶ 128, 133, 134, 154. The McCoy 12 complaint therefore alleged solely that the company had presumed that plaintiffs consented to 13 the policies. Having found knowledge of the statements adequately alleged and crediting as 14 true the allegation that the plaintiff would not have purchased the product had he known the 15 truth, McCoy found benefit-of-the-bargain standing. Zoosk contends that McCoy does not 16 apply because Flores-Mendez here “falsely confirmed that he had read the statement in 17 question,” and that McCoy does not provide that “standing can be founded on a loss resulting 18 from a purportedly misleading statement that the plaintiff in fact never even actually saw” 19 (Opp. Br. 5, emphasis added; see also Supp. Br. n. 4). Zoosk apparently concludes that Flores- 20 Mendez is lying by alleging that he “read” the statements simply because Flores-Mendez fails 21 affirmatively to allege that he personally read them. This does not follow. Many explanations, 22 including litigation strategy, could have prompted the decision not to plead that Flores-Mendez 23 personally read the statement (id. 4). 24 In all, the proposed third amended complaint adequately alleges that Flores-Mendez 25 “actually bargained” for a Zoosk dating service with reasonable security practices. McGee v. 26 S-L Snacks Nat’l, 982 F.3d 700, 706 (9th Cir. 2020) (emphasis in the original). He provided 27 his money and his PII, in consideration of which he expected to receive the adequate data 1 security practices that Zoosk’s representations described. (For the same reasons, the proposed 2 amended complaint likewise also adequately alleges an overpayment theory. See ibid.) 3 This order does not hold that the who-what-where-when-how of the Rule 9(b) pleading 4 standard is required for a benefit-of-the-bargain theory of standing. Cf. Kearns v. Ford Motor 5 Co., 567 F.3d 1120, 1125 (9th Cir. 2009) (applying Rule 9(b) to fraud-based allegations of 6 Section 17200 liability). Nonetheless, the proposed third amended complaint satisfies Rule 7 9(b): it names the statements; how they allegedly misled; how Flores-Mendez and subscription 8 users encountered them; and how the statements would have mattered to Flores-Mendez at 9 purchase. 10 Analogy to substantive Section 17200 fraud also supports Flores-Mendez’s argument for 11 standing. The alleged misrepresentations here concerned data security for a dating website. 12 Dating sites implicate data about users’ romantic lives and sexual preferences, which are 13 particularly reputationally sensitive, as our prior order held (Dkt. No. 61 at 6). The 14 misrepresentations also implicated a risk of run-of-the-mill identity theft (see ibid.). Zoosk’s 15 customers’ privacy featured “central[ly]” in the service’s function, so as to lend persuasive 16 support for the proposition that a reasonable consumer would rely upon statements assuring 17 them of data security. Hodson v. Mars, Inc., 891 F.3d 857, 864 (9th Cir. 2018) (when alleged 18 omissions concern a product’s “central function” and meet several other factors, the omissions 19 may warrant a presumption of reliance). 20 Since this order has found standing adequately alleged, it does not reach the dispute over 21 whether a complaint alleging a breach-of-contract theory of standing also requires proof of 22 reliance on an alleged misrepresentation in that contract. See Cappello v. Walmart Inc., 394 F. 23 Supp. 3d 1015, 1020 (N.D. Cal. Aug. 26, 2019) (Judge Richard Seeborg). 24 2. SECTION 17200 LIABILITY. 25 Section 17200 prohibits acts or practices that are (1) unlawful, (2) unfair, or (3) 26 fraudulent. Each of the foregoing prongs permits a separate theory of relief. See Davis v. 27 HSBC Bank Nevada, N.A., 691 F.3d 1152, 1168 (9th Cir. 2012). “[A] breach of contract may 1 unlawful, or unfair, or fraudulent.” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 2 1152 (9th Cir. 2008) (cleaned up). Plaintiffs here have pleaded unfairness and unlawfulness 3 (Proposed Third Amd. Compl. ¶¶ 35–47, 100–02). Plaintiffs now argue that the third amended 4 complaint incorporates their allegation of a violation of Section 5 of the Federal Trade 5 Commission (FTC) Act. Plaintiffs do not contend in the instant motion that a violation of the 6 California Consumer Privacy Act (CCPA) supports an “unlawful” theory of Section 17200 7 liability (but do argue that it supports “unfairness” under the tethering test (Rep. Br. 6)). See 8 Kaar v. Wells Fargo Bank, N.A., 2016 WL 3068396, at *2 (N.D. Cal. June 1, 2016). 9 As stated above, a presumption of reliance has been pleaded adequately for standing and 10 therefore also for liability (regardless of whether required). Also as stated, the pleading has 11 satisfied the heightened requirements of Rule 9(b), if indeed a heightened standard must be 12 met. As next discussed, the proposed third amended complaint adequately alleges a theory of 13 liability under the unfairness prong but fails to do so under the unlawfulness prong. 14 A. UNFAIR. 15 Pending further instruction from the California Supreme Court, our court of appeals has 16 approved the use of either a balancing test or a tethering test when it comes to defining unfair 17 conduct against consumers. See Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 735–36 18 (9th Cir. 2007). The balancing test assesses the harm to the consumer against the utility of a 19 defendant’s allegedly unfair practice. See South Bay Chevrolet v. General Motors Acceptance 20 Corp., 72 Cal. App. 4th 861, 886 (1999). “In general, the unfairness prong has been used to 21 enjoin deceptive or sharp practices. . . .” Id. at 887 (cleaned up). The tethering prong states 22 that conduct is unfair under Section 17200 when it offends an established public policy that is 23 “tethered to specific constitutional, statutory, or regulatory provisions.” Bardin v. Daimler 24 Chrysler Corp., 136 Cal. App. 4th 1255, 1261 (2006). 25 This order finds that the proposed third amended complaint adequately alleges a violation 26 of Section 17200 as to Flores-Mendez using the balancing test because it details misleading 27 statements coupled with Zoosk’s failure to disclose its “inadequate” data-security practices. It 1 despite Flores-Mendez’s expectations to the contrary (Proposed Third Amd. Compl. ¶¶ 104– 2 106; Opp. Br. 13–14). As for harm, Flores-Mendez “allege[s] . . . loss of time, risk of 3 embarrassment, and enlarged risk of identity theft,” which harms are adequately pleaded to 4 justify taking discovery (Dkt. No. 61 at 5). The proposed third amended complaint also 5 adequately alleges financial loss based on Flores-Mendez’s benefit of the bargain (id. at 7). 6 Zoosk argues that Flores-Mendez has not adequately pled a duty to disclose anything about its 7 practices and has not specifically named “the costs Zoosk would have had to incur in order to 8 avoid” the “harm[s]” to subscription users. We have already found misrepresentations 9 adequately alleged. True, Flores-Mendez does not explain what benefits Zoosk might have 10 gained from failing to provide adequate security practices. But, Zoosk fails itself to offer some 11 legitimate interest to weigh against the alleged harm to paying subscribers (see Opp. Br. 14). 12 This order joins numerous other data-breach decisions that have found the balancing test “not 13 suitable for resolution on a motion to dismiss.” See Grace v. Apple Inc., 2017 WL 3232464, at 14 *15 (N.D. Cal. July 28, 2017) (Judge Lucy H. Koh) (collecting cases). A fulsome record will 15 assist the finder of fact at summary judgment (see id. at 7). 16 Breach of contract does not, however, support Flores-Mendez’s argument for unfairness. 17 On this point, he asks that this order follow Cappello v. Walmart Inc., 394 F. Supp. 3d at 1020 18 (Rep. Br. 2); see also Amended Complaint, ECF No. 41 ¶ 60, Cappello v. Walmart Inc., No. 19 18-06678-RS (N.D. Cal. Apr. 25, 2019) (emphasis added) (“Walmart violated the UCL’s 20 unlawful prong by violating its Privacy Policy knowingly and willfully or, in the alternative, 21 negligently and materially in violation of Cal[ifornia] Bus[iness] & Prof[essions] Code 22 [Section] 22576.”); see also ECF No. 41 ¶¶ 21, 22. Unlike the Cappello plaintiffs, our 23 proposed third amended complaint has not sufficiently alleged a contractual relationship 24 between Flores-Mendez and Zoosk. The proposed third amended complaint simply pleads that 25 Zoosk’s privacy policy presumed Zoosk subscribers read the policy and that the policy 26 “confirm[ed]” their affirmation, which “bound” Zoosk (Proposed Third Amd. Comp. ¶ 42; see 27 also ¶¶ 45, 46). The notice requirement of FRCP 8 does not require magic words. But, 1 that Zoosk could have divined the breach-of-contract liability theory. This order therefore does 2 not reach whether, or not, a breach of contract alone can support a claim for liability under 3 Section 17200 (see Supp. Br. 2). 4 This order need not reach the tethering test for unfairness, except to say that substantial 5 questions remain whether statutory violations have been properly alleged as part of plaintiffs’ 6 Section 17200 claim or whether they can furnish the substance of the tethering approach to the 7 unfairness prong. See 15 U.S.C.A. § 45; Cel-Tech Commc'ns, Inc. v. Los Angeles Cellular 8 Tel. Co., 20 Cal. 4th 163, 185 (1999) (Proposed Third Amd. Compl. ¶ 100 (incorporating ¶¶ 1– 9 84); ¶¶ 101–10 (Section 17200 claim); see also id. ¶¶ 96–97 (pleading other statutory 10 violations within a negligence claim)). 11 B. UNLAWFUL. 12 This order finds that the proposed third amended complaint has not adequately alleged a 13 violation of Section 17200 under the unlawfulness prong. The failure to disclose inadequate 14 security practices does not, alone, constitute a violation of a statute or common-law regime, 15 since something more must give rise to a duty to disclose in the first place to make the claim 16 “actionable.” Cel-Tech Commc’ns, Inc., 20 Cal. 4th at 180. Likewise, for the reasons stated 17 above, a breach of contract has not been adequately alleged and no statutory violation related 18 to breach of contract has, either. As for other alleged statutory violations, the second amended 19 complaint had alleged under the header, “Violation of California’s Unfair Competition Law:” 20 90. Defendant engaged in business acts and practices deemed “unlawful” under the UCL, because . . . Defendant violated the 21 FTC Act and failed to protect Plaintiffs’ and Class Members’ PII 22 (Dkt. No. 84-1 ¶ 90). The proposed third amended complaint deletes the above paragraph 90 23 from its Section 17200 claim — Count 2 — and instead states as to unlawfulness (color in the 24 original, emphasis added): 25 91.102. Defendant engaged in business acts and practices 26 deemed “unlawful” under the UCL, because, as alleged above, Defendant unlawfully failed to disclose the inadequate 27 nature of the security of its computer systems and networks 1 Flores-Mendez now argues for the first time on reply that the proposed third amended 2 complaint “alleged violations of Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 3 45. TAC, ¶¶ 50, 51” (Rep. Br. 4). As to what the relevant paragraphs “above” mean, the 4 relevant paragraphs are 50 and 51 of the body of the proposed third amended complaint, which 5 provide (emphasis added): 6 39.50. . . . Defendant also had a legal duty to take reasonable steps to protect customers’ PII under applicable federal and 7 state statutes, including Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45, which is further 8 defined by federal and state guidelines and industry norms.

9 40.51. Defendant breached its duties by failing to implement reasonable safeguards to ensure Plaintiffs’ and Class 10 members’ PII was adequately protected. As a direct and proximate result of this breach of duty, the Data Breach 11 occurred, and Plaintiffs and Class members were harmed. Plaintiffs and Class members did not consent to having their 12 PII disclosed to any third-party, much less a malicious hacker who would sell it on the dark web. 13 A specific reference to the FTC Act repeats in Count 1 (negligence), but not in Count 2 of the 14 proposed third amended complaint. 15 Do these allegations about the FTC Act Section 5 suffice to “give the defendant 16 fair notice of what the claim is and the grounds upon which it rests”? Bell Atl Corp. v. 17 Twombly, 550 U.S. 544, 555 (2007) (cleaned up). 18 No. The proposed third amended complaint’s Count 2, at paragraph 100, states, “89.100. 19 Plaintiff Flores-Mendezs re-alleges and incorporates by reference herein all of the allegations 20 contained in paragraphs 1 through [[8472]] above.” Thus, Zoosk correctly notes that Count 2 21 does incorporate the paragraphs describing the FTC Act in paragraphs 50 and 51 but does not 22 incorporate the paragraphs in Count 1 that discuss the FTC Act and other statutes (id. ¶¶ 91– 23 97). As a result, the only explicit reference to Section 5 incorporated into Count 2 appears in 24 paragraph 50 (paragraph 51 appears to continue discussion of the FTC Act but does not 25 mention it by name). 26 Does the language of the “unlawful” allegation in Count 2 match the language describing 27 the FTC Act violation? Also no. The former alleges that Zoosk “unlawfully failed to disclose 1 the inadequate nature of the security,” whereas the FTC Act allegation provides that Zoosk 2 “fail[ed] to implement reasonable safeguards” on data security (id. ¶¶ 102, 51, emphasis 3 added). In other words, one concerns disclosures while the other concerns required 4 safeguards. 5 The proposed complaint might have put Zoosk on adequate notice that it was predicating 6 an unlawful-prong Section 17200 claim on the FTC Act Section 5 if an FTC Act violation had 7 been the only statutory violation elsewhere alleged in the body of the complaint. But the 8 proposed third amended complaint also discusses the CCPA (id. ¶¶ 10, 13, 19). (Another 9 paragraph under the negligence banner alleges a violation of California Civil Code Section 10 1798.81.5 but is not incorporated by reference into Count 2 (id. ¶ 95).) 11 Furthermore, the proposed third amended complaint does not allege a stand-alone 12 violation of the FTC Act (and could not, for the FTC Act provides no private right of action). 13 In contrast, Patel v. 7-Eleven, Incorporated found a California Franchise Relations Act 14 (CFRA) claim had adequately grounded an unlawful-prong Section 17200 claim even though it 15 was not mentioned in the Section 17200 count, because the complaint separately stated a 16 CFRA violation as a standalone count. The Section 17200 count, the decision found, was 17 “derivative of” the CFRA count. 2014 WL 12772077, at *3 (C.D. Cal. Nov. 12, 2014) (Judge 18 Philip S. Gutierrez). See also Gorlick Distribution Centers, LLC v. Car Sound Exhaust Sys., 19 Inc., 2009 WL 10676068, at *5 (W.D. Wash. Mar. 30, 2009) (Judge Richard A. Jones) (same); 20 Compl., No. 07-1076-RAJ, ECF. No. 1 (July 11, 2007). 21 Additionally, the inclusion of the FTC Act referenced in the Section 17200 count of the 22 second amended complaint, contrasted with its omission in the proposed third amended 23 complaint, implies that the latter no longer advances an FTC Act basis for its theory of 24 unlawfulness under Section 17200. The third amended complaint would have to be quite clear 25 from the “as alleged above” that the paragraph meant the FTC Act violation (id. ¶ 102). For 26 the reasons stated, it is not clear. 27 1 This order finds that plaintiffs have not adequately put Zoosk on notice of their intent to 2 show that Zoosk violated Section 5 of the FTC Act in order to prove that Zoosk violated 3 Section 17200. 4 Additional problems may prohibit relief on an “unlawful” prong. Substantial questions 5 remain whether the FTC Act Section 5 can support the “unlawful” prong of a Section 17200 6 claim, or whether it can furnish the substance of the tethering approach to the unfairness prong. 7 See 15 U.S.C.A. § 45; Cel-Tech Commc’ns, Inc., 20 Cal. 4th at 166 (pointing to the “parallel” 8 Section 17200 and FTC Act Section 5, which both broadly define “unfairness”). Since the 9 proposed third amended complaint has not adequately alleged a predicate violation of any 10 statute to support the Section 17200 count, this order does not reach the adequacy (or not) of 11 the pleadings as to the elements of any statute pleaded. Any future motion pleadings must be 12 sure to adequately allege all elements of any statutory violation and to address, in detail, all 13 issues raised herein or raised by Zoosk (whether or not an order re-raised those issues) (see 14 Dkt. No. 51 at 7–9; Supp. Br. 4–5). 15 3. RELIEF. 16 Finally, Flores-Mendez has stated claims for restitution and injunctive relief, as permitted 17 under Section 17203. Just as our prior order held, it is reasonable to infer from these amended 18 pleadings that Zoosk failed to use subscribers’ money to fund data security, as plaintiffs would 19 have expected (id. ¶¶ 46, 47; Dkt. No. 93 at 7). Alleging, as Zoosk insists Flores-Mendez 20 must, what portion of “profits” Zoosk made from the allegedly deceptive practice would be 21 impossible at this stage, and, anyway, plaintiffs have alleged an “ownership interest” in some 22 proportion of the funds given to Zoosk for the subscription. Yahoo!, 2017 WL 3727318, at *31 23 (see Opp. Br. 14–15). As for an injunction, the proposed pleading alleges that Zoosk’s touted 24 changes to its privacy policies are not enough. The complaint has pleaded that Zoosk’s 25 “investigation remains ongoing” and customers “face an imminent and ongoing risk of identity 26 theft” (Proposed Third Amd. Compl. ¶¶ 16, 18, 19). This adequately alleges that the data 27 security problems have not yet been solved. 1 CONCLUSION 2 For the foregoing reasons and to the extent stated, plaintiffs’ motion for leave to amend 3 as to the unfairness theory of Section 17200 liability is GRANTED. The motion for leave to 4 amend is DENIED WITHOUT PREJUDICE solely on the theory of an unlawfulness-prong 5 violation of Section 17200. All other amendments are DENIED WITH PREJUDICE. Any further 6 motion for leave to amend as to the unlawfulness prong of Section 17200 will be the final 7 opportunity to move for leave to amend: any opening brief is due FEBRUARY 17 and is limited 8 to ten pages. The third amended complaint or any proposed fourth amended complaint must 9 be filed by FEBRUARY 17, regardless of any motion. Any opposition is due FEBRUARY 28 and 10 is also limited to ten pages. Any reply is due MARCH 7 and is limited to five pages. Any 11 arguments raised for the first time on reply will be disregarded. If a motion is filed, the Court 12 will decide whether (or not) to set a hearing. 5 13 IT IS SO ORDERED. Dated: February 7, 2022. 3 15 | - Pee WILLIAM ALSUP 3 17 UNITED STATES DISTRICT JUDGE 18 19 20 21 22 23 24 25 26 27 28