1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 ERICA FRASCO, et al., Case No. 21-cv-00757-JD
8 Plaintiffs, ORDER RE SUMMARY JUDGMENT v. 9
10 FLO HEALTH, INC., et al., Defendants. 11
12 13 In this putative class action, named plaintiffs Erica Frasco, Sarah Wellman, Justine 14 Pietrzyk, Jennifer Chen, Tesha Gamino, Leah Ridgway, Autumn Meigs, and Madeline Kiss sued 15 Flo Health, Inc. (Flo) and Google LLC (Google), among others, over Flo’s use of Google’s 16 analytics services in connection with the Flo Period & Ovulation Tracker app for women (Flo 17 App). See Dkt. No. 64 (first amended complaint). Plaintiffs alleged a panoply of federal- and 18 state-law privacy claims and claims of unfair competition under California law, against Google. 19 See id. at 77-87. After the close of fact discovery, Google moved for summary judgment. See 20 Dkt. Nos. 338-39. Plaintiffs timely opposed. See Dkt. Nos. 348-49, 51. The parties’ familiarity 21 with the record is assumed, and summary judgment is granted in part. 22 DISCUSSION 23 I. STANDING 24 The parties’ briefs indicate a misunderstanding about a prior order with respect to 25 Article III standing to sue. The Court dismissed the claims against defendant AppsFlyers on the 26 ground that plaintiffs had “not adequately alleged a concrete and particularized injury caused by 27 AppsFlyer” because “AppsFlyer [was] not said to have used the data collected from the Flo App 1 ask for summary judgment on all plaintiffs’ claims on the grounds that there is no evidence it 2 “receive[d] any sensitive health information from Flo” or “use[d] the data it received from the Flo 3 App for research, development, marketing, or advertising purposes.” Dkt. No. 339-3 at 15-16. 4 Google goes too far. Plaintiffs’ claims are premised on the allegation that Google violated 5 their privacy rights by obtaining and storing, without plaintiffs’ knowledge or consent, sensitive 6 personal information from the Flo App via the Google software developer kit (SDK). See Dkt. 7 No. 64 at 77-87. Violations of the right to privacy, which “encompass[es] the individual’s control 8 of information concerning his or her person,” “have long been actionable at common law.” In re 9 Facebook, Inc. Internet Tracking Litigation (Facebook Tracking), 956 F.3d 589, 598 (9th Cir. 10 2020) (alteration in original) (quoting Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 11 2017), and Patel v. Facebook, 932 F.3d 1264, 1272 (9th Cir. 2019)). The statutory and common- 12 law causes of action that plaintiffs allege protect “substantive right[s] to privacy, the violation of 13 which gives rise to a concrete injury sufficient to confer standing.” Id.; see also Campbell v. 14 Facebook, Inc., 951 F.3d 1106, 1117-19 (9th Cir. 2020). Consequently, plaintiffs need not adduce 15 evidence that the private information was “used” or further disclosed by Google. See Campbell, 16 951 F.3d at 1118; Eichenberger, 876 F.3d at 983; In re Facebook Tracking, 956 F.3d at 598-99. 17 There are genuine disputes of material fact bearing on whether plaintiffs have suffered an 18 injury in fact from Google having collected their private health information. For example, the 19 parties hotly disagree whether the information Google obtained via the SDK contains private 20 health information. See, e.g., Dkt. Nos. 338-14 at 125:2-8; 351-15; 351-16; 351-17. Similar 21 disputes of fact abound with respect to whether plaintiffs’ alleged injury is traceable to Google. 22 The record indicates that Google provided the SDK for free to obtain data from third-party apps, 23 among other reasons, see, e.g., Dkt. Nos. 338-4 at 2; 348-10 at 2; 351-31 at 2-5; 351-5 at 2, and 24 that the disclosure of the Flo App data was made possible by Google’s SDK, see, e.g., Dkt. Nos. 25 351-5 at 2-8; 351-31 at 2-5; 348-10 at 2-3. The parties dispute whether Google actively solicited 26 Flo’s business to obtain sensitive health data and adhered to its own privacy policies in connection 27 with the Flo App. See Dkt. Nos. 351-42; 338-1 ¶ 6; 351-45 at ECF 2; 338-30 at 11:2-25, 12:1-20; 1 Google says that plaintiffs could not have suffered a privacy injury because any 2 information it collected “was not tied to Plaintiffs’ GAIA IDs or any identifying information.” 3 Dkt. No. 339-3 at 17. But it is not at all clear that the collection of information about a woman’s 4 menstruation cycles and fertility goals without consent is permissible just because Google says it 5 didn’t connect the information to a particular person. Google certainly did not cite any case law to 6 that effect, and Ninth Circuit precedent suggests otherwise. See Campbell, 951 F.3d at 1119, 1119 7 n.9 (stating that Facebook’s argument that plaintiffs “suffered no concrete harm from the ‘use of 8 anonymized and aggregated data’” was “beside the point” because Facebook “identifies and 9 collects the contents of users’ individual private messages” and “Plaintiffs’ position [was that] this 10 was done without consent” (emphasis in original)). In addition, plaintiffs have adduced evidence 11 to establish a material dispute of fact with respect to whether the information collected was or 12 could be tied to identifying information, see Dkt. Nos. 351-22 at ECF 2; 351-12 at 18-20; 351-24 13 at ECF 4; 351-20 at ECF 13.1 14 II. CONSENT 15 For present purposes, Google hangs its hat for the defense of consent solely on plaintiffs’ 16 acceptance of Flo’s privacy policies. See Dkt. No. 339-3 at 12-13, 18-19. Consent may be a 17 defense when it is “actual,” and it “is only effective if the person alleging harm consented ‘to the 18 particular conduct, or to substantially the same conduct’ and if the alleged tortfeasor did not 19 exceed the scope of that consent.” Calhoun v. Google, LLC, --- F.4th ---, No. 22-16993, 2024 WL 20 3869446, at *5 (9th Cir. Aug. 20, 2024) (quotations omitted). 21 As these principles indicate, consent is typically a fact-bound inquiry, and the record 22 before the Court demonstrates a number of factual disputes that preclude summary judgment on 23 this score. As discussed herein, there are disputes of fact about the scope of the information that 24 Google obtained from the Flo App, and the uses of that data, if any. The parties also highlight 25
26 1 Google says that the record demonstrates that Google “could not find[] any data associated with Plaintiffs.” Dkt. No. 360 at 10. While that is a creative interpretation of Google’s own evidence, 27 see Dkt. No. 338-16 at ECF 7 (“Based on Google’s investigation to date, there is no Flo App Data 1 different portions of various privacy policies over the years to disagree about the scope of 2 plaintiffs’ consent to sharing data with Google. See, e.g., Dkt. Nos. 339-3 at 9-10; 351-3 at 13-14, 3 22-23. Consequently, the Court cannot assess whether a “reasonable user reading [the Flo App’s 4 privacy policies] would [have thought] that he or she was consenting” to Google’s collection 5 practices until a jury resolves those factual disputes. See Calhoun, --- F.4th at ---, 2024 WL 6 6869446, at *6. 7 III. STATUTORY STANDING FOR UCL AND CDAFA 8 Counts Nine, Ten, and Fourteen of the operative complaint allege that Google violated the 9 California Unfair Competition Law (UCL), Cal. Bus. & Prof. Code § 17200 et seq.; aided and 10 abetted Flo’s violation of the UCL; and violated the California Comprehensive Computer Data 11 Access and Fraud Act (CDAFA), Cal. Penal Code § 502. See Dkt. No. 64 at 77-80, 85-87.
Free access — add to your briefcase to read the full text and ask questions with AI
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 ERICA FRASCO, et al., Case No. 21-cv-00757-JD
8 Plaintiffs, ORDER RE SUMMARY JUDGMENT v. 9
10 FLO HEALTH, INC., et al., Defendants. 11
12 13 In this putative class action, named plaintiffs Erica Frasco, Sarah Wellman, Justine 14 Pietrzyk, Jennifer Chen, Tesha Gamino, Leah Ridgway, Autumn Meigs, and Madeline Kiss sued 15 Flo Health, Inc. (Flo) and Google LLC (Google), among others, over Flo’s use of Google’s 16 analytics services in connection with the Flo Period & Ovulation Tracker app for women (Flo 17 App). See Dkt. No. 64 (first amended complaint). Plaintiffs alleged a panoply of federal- and 18 state-law privacy claims and claims of unfair competition under California law, against Google. 19 See id. at 77-87. After the close of fact discovery, Google moved for summary judgment. See 20 Dkt. Nos. 338-39. Plaintiffs timely opposed. See Dkt. Nos. 348-49, 51. The parties’ familiarity 21 with the record is assumed, and summary judgment is granted in part. 22 DISCUSSION 23 I. STANDING 24 The parties’ briefs indicate a misunderstanding about a prior order with respect to 25 Article III standing to sue. The Court dismissed the claims against defendant AppsFlyers on the 26 ground that plaintiffs had “not adequately alleged a concrete and particularized injury caused by 27 AppsFlyer” because “AppsFlyer [was] not said to have used the data collected from the Flo App 1 ask for summary judgment on all plaintiffs’ claims on the grounds that there is no evidence it 2 “receive[d] any sensitive health information from Flo” or “use[d] the data it received from the Flo 3 App for research, development, marketing, or advertising purposes.” Dkt. No. 339-3 at 15-16. 4 Google goes too far. Plaintiffs’ claims are premised on the allegation that Google violated 5 their privacy rights by obtaining and storing, without plaintiffs’ knowledge or consent, sensitive 6 personal information from the Flo App via the Google software developer kit (SDK). See Dkt. 7 No. 64 at 77-87. Violations of the right to privacy, which “encompass[es] the individual’s control 8 of information concerning his or her person,” “have long been actionable at common law.” In re 9 Facebook, Inc. Internet Tracking Litigation (Facebook Tracking), 956 F.3d 589, 598 (9th Cir. 10 2020) (alteration in original) (quoting Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 11 2017), and Patel v. Facebook, 932 F.3d 1264, 1272 (9th Cir. 2019)). The statutory and common- 12 law causes of action that plaintiffs allege protect “substantive right[s] to privacy, the violation of 13 which gives rise to a concrete injury sufficient to confer standing.” Id.; see also Campbell v. 14 Facebook, Inc., 951 F.3d 1106, 1117-19 (9th Cir. 2020). Consequently, plaintiffs need not adduce 15 evidence that the private information was “used” or further disclosed by Google. See Campbell, 16 951 F.3d at 1118; Eichenberger, 876 F.3d at 983; In re Facebook Tracking, 956 F.3d at 598-99. 17 There are genuine disputes of material fact bearing on whether plaintiffs have suffered an 18 injury in fact from Google having collected their private health information. For example, the 19 parties hotly disagree whether the information Google obtained via the SDK contains private 20 health information. See, e.g., Dkt. Nos. 338-14 at 125:2-8; 351-15; 351-16; 351-17. Similar 21 disputes of fact abound with respect to whether plaintiffs’ alleged injury is traceable to Google. 22 The record indicates that Google provided the SDK for free to obtain data from third-party apps, 23 among other reasons, see, e.g., Dkt. Nos. 338-4 at 2; 348-10 at 2; 351-31 at 2-5; 351-5 at 2, and 24 that the disclosure of the Flo App data was made possible by Google’s SDK, see, e.g., Dkt. Nos. 25 351-5 at 2-8; 351-31 at 2-5; 348-10 at 2-3. The parties dispute whether Google actively solicited 26 Flo’s business to obtain sensitive health data and adhered to its own privacy policies in connection 27 with the Flo App. See Dkt. Nos. 351-42; 338-1 ¶ 6; 351-45 at ECF 2; 338-30 at 11:2-25, 12:1-20; 1 Google says that plaintiffs could not have suffered a privacy injury because any 2 information it collected “was not tied to Plaintiffs’ GAIA IDs or any identifying information.” 3 Dkt. No. 339-3 at 17. But it is not at all clear that the collection of information about a woman’s 4 menstruation cycles and fertility goals without consent is permissible just because Google says it 5 didn’t connect the information to a particular person. Google certainly did not cite any case law to 6 that effect, and Ninth Circuit precedent suggests otherwise. See Campbell, 951 F.3d at 1119, 1119 7 n.9 (stating that Facebook’s argument that plaintiffs “suffered no concrete harm from the ‘use of 8 anonymized and aggregated data’” was “beside the point” because Facebook “identifies and 9 collects the contents of users’ individual private messages” and “Plaintiffs’ position [was that] this 10 was done without consent” (emphasis in original)). In addition, plaintiffs have adduced evidence 11 to establish a material dispute of fact with respect to whether the information collected was or 12 could be tied to identifying information, see Dkt. Nos. 351-22 at ECF 2; 351-12 at 18-20; 351-24 13 at ECF 4; 351-20 at ECF 13.1 14 II. CONSENT 15 For present purposes, Google hangs its hat for the defense of consent solely on plaintiffs’ 16 acceptance of Flo’s privacy policies. See Dkt. No. 339-3 at 12-13, 18-19. Consent may be a 17 defense when it is “actual,” and it “is only effective if the person alleging harm consented ‘to the 18 particular conduct, or to substantially the same conduct’ and if the alleged tortfeasor did not 19 exceed the scope of that consent.” Calhoun v. Google, LLC, --- F.4th ---, No. 22-16993, 2024 WL 20 3869446, at *5 (9th Cir. Aug. 20, 2024) (quotations omitted). 21 As these principles indicate, consent is typically a fact-bound inquiry, and the record 22 before the Court demonstrates a number of factual disputes that preclude summary judgment on 23 this score. As discussed herein, there are disputes of fact about the scope of the information that 24 Google obtained from the Flo App, and the uses of that data, if any. The parties also highlight 25
26 1 Google says that the record demonstrates that Google “could not find[] any data associated with Plaintiffs.” Dkt. No. 360 at 10. While that is a creative interpretation of Google’s own evidence, 27 see Dkt. No. 338-16 at ECF 7 (“Based on Google’s investigation to date, there is no Flo App Data 1 different portions of various privacy policies over the years to disagree about the scope of 2 plaintiffs’ consent to sharing data with Google. See, e.g., Dkt. Nos. 339-3 at 9-10; 351-3 at 13-14, 3 22-23. Consequently, the Court cannot assess whether a “reasonable user reading [the Flo App’s 4 privacy policies] would [have thought] that he or she was consenting” to Google’s collection 5 practices until a jury resolves those factual disputes. See Calhoun, --- F.4th at ---, 2024 WL 6 6869446, at *6. 7 III. STATUTORY STANDING FOR UCL AND CDAFA 8 Counts Nine, Ten, and Fourteen of the operative complaint allege that Google violated the 9 California Unfair Competition Law (UCL), Cal. Bus. & Prof. Code § 17200 et seq.; aided and 10 abetted Flo’s violation of the UCL; and violated the California Comprehensive Computer Data 11 Access and Fraud Act (CDAFA), Cal. Penal Code § 502. See Dkt. No. 64 at 77-80, 85-87. 12 Google says that plaintiffs lack statutory standing under the UCL and CDAFA and so these claims 13 should be dismissed. See Dkt. No. 339-3 at 20-21. 14 Summary judgment is granted in Google’s favor on the UCL and UCL-based aiding-and- 15 abetting claims because plaintiffs abandoned the defense of their UCL claims. See Dkt. No. 351-3 16 at 17-18, 17 n.18. It is denied as to the CDAFA claim because Google did not carry its burden for 17 summary judgement. 18 CDAFA is the California state law analog of the federal Computer Fraud and Abuse Act 19 (CFAA), 18 U.S.C. § 1030 et seq. Like the CFAA, CDAFA provides a private cause of action 20 against any person who “[k]knowingly accesses and without permission uses or causes to be used 21 computer services” or “accesses or causes to be accessed any computer, computer system, or 22 computer network.” Cal. Pen. Code §§ 502(c)(3), (7) & (e)(1). To sue under CDAFA, a plaintiff 23 must have suffered “damage or loss by reason of a [CDAFA] violation.” Cal. Pen. Code 24 § 502(e)(1). Google’s main contention on summary judgment is that an “intangible invasion of 25 privacy” without a loss of income or other “actual” injury is not “damage or loss” as contemplated 26 by CDAFA. See Dkt. No. 339-3 at 21 (citing Williams v. Facebook, Inc., 384 F. Supp. 3d 1043, 27 1050 (N.D. Cal. 2018)). 1 The point is not well taken. The plain language of CDAFA is not as definitive as Google 2 urges. See Cal. Pen. Code § 502(a) (“The Legislature further finds and declares that protection of 3 . . . lawfully created computers, computer systems, and computer data is vital to the protection of 4 the privacy of individuals”). In addition, even giving Google’s interpretation the benefit of the 5 doubt, plaintiffs have adduced evidence from which a reasonable jury could conclude that the 6 information obtained by Google “carried financial value” that amounts to damage or loss suffered 7 by plaintiffs. See Dkt. Nos. 359-75 at ECF 10-11, 14-19; 359-31 at ECF 3; 359-5 at ECF 2; 359- 8 61 at ECF 2-3. Summary judgment is denied on the CDAFA claim. 9 IV. AIDING AND ABETTING 10 Summary judgment is granted in favor of Google on the claim that it aided and abetted 11 Flo’s intrusion upon plaintiffs’ seclusion. Under California law, aiding and abetting “necessarily 12 requires a defendant to reach a conscious decision to participate in tortious activity for the purpose 13 of assisting another in performing a wrongful act.” Howard v. Superior Court, 2 Cal. App. 4th 14 745, 749 (1992). California courts have concluded that ordinary business transactions may 15 “satisfy the substantial assistance element of an aiding and abetting claim if the [commercial 16 vendor] actually knew those transactions were assisting the customer in committing a specific 17 tort.” Casey v. U.S. Bank Nat’l Ass’n, 127 Cal. App. 4th 1138, 1145 (2005). Consequently, 18 Google might be liable for aiding and abetting by providing the SDK to Flo only if there were 19 evidence that Google had actual knowledge of Flo’s deceptive disclosure practices with respect to 20 plaintiffs’ private health information. 21 The record presented to the Court is devoid of such facts. Plaintiffs did not identify “with 22 reasonable particularity” a non-speculative basis in the record from which a jury could conclude 23 that Google had the requisite knowledge. Metro. Life Ins. Co. v. Oyedele, No. 21-cv-04607, 2014 24 WL 6985079, at *3 (N.D. Cal. Dec. 10, 2014) (citing Keenan v. Allan, 91 F.3d 1275, 1279 (9th 25 Cir. 1996)). Plaintiffs’ suggestion that Google could have used data obtained by Flo, see Dkt. No. 26 351-3 at 7-8, does not fill in the gap. So too for whether Google used the data for its machine- 27 learning programs and products. See Dkt. Nos. 351-31 at ECF 3-4; 351-34 at ECF 66; 351-61 at 1 Flo in committing a tort. Plaintiffs point to business meetings and pitches between Flo and 2 Google, see, e.g., Dkt. Nos. 351-45 at 35:2-25; 351-46; 351-42, but these entirely generic events 3 also do not provide non-speculative evidence that Google knew of Flo’s tortious conduct. The 4 same goes for evidence indicating that Google helped Flo advertise to women who were pregnant 5 or trying to get pregnant. That was the whole point of Flo’s fertility app and does not in itself 6 indicate an aiding-and-abetting scheme. See Dkt. Nos. 351-47 at ECF 3; 351-48 at ECF 3 (email 7 about “launch[ing] a campaign or an ad group to work [the] particular group” of “get pregnant” 8 from a Flo employee in “Lead User Acquisition”). 9 Plaintiffs’ reliance on emails after the putative class period is equally misplaced. It may be 10 that Flo and Google employees exchanged emails about Google Ad campaigns targeting Flo users 11 who were “TTC” (trying to conceive, according to plaintiffs), see Dkt. No. 351-50 at ECF 2, but 12 that is not a basis from which a reasonable jury could find aiding-and-abetting knowledge. The 13 cases on which plaintiffs rely concerned the plausibility of inferring knowledge from allegations in 14 the operative complaint. See Sihler v. Fulfillment Lab, Inc., No. 20-cv-01528, 2021 WL 1293839, 15 at *7 (S.D. Cal. Apr. 7, 2021) (concluding that it was “plausible” that the entity assisting with 16 advertising would have “knowledge of the content of the advertisements and the nature of the 17 campaign”); Opperman v. Path, Inc., 84 F. Supp. 3d 962, 986 (N.D. Cal. 2015). At summary 18 judgment, the relevant question is not the plausibility of knowledge but the existence of evidence 19 tending to show it. 20 V. CIPA AND WIRETAP ACT CLAIMS 21 Summary judgment is denied on plaintiffs’ claims under the Federal Wiretap Act, 22 18 U.S.C. § 2511,2 and the California Invasion of Privacy Act (CIPA), Cal. Pen. Code § 630 et 23 seq. Google says that: (1) the alleged interception was not purposeful; (2) Google was acting only 24 as a “vendor”; and (3) any asserted recording was performed by Flo, not Google. See Dkt. No. 25 339-3 at 23-25. 26 27 1 Disputes of fact about these issues preclude summary judgment. Google concedes that the 2 analysis for a violation of CIPA tracks the analysis under the federal Wiretap Act, which the Court 3 will accept as true for present purposes. See Dkt. No. 339-3 at 24. For the Wiretap Act, “the 4 || operative question under § 2511 is whether the defendant acted consciously and deliberately with 5 || the goal of intercepting wire communications.” United States v. Christensen, 828 F.3d 763, 775 6 (9th Cir. 2015). The factual disputes that barred summary judgment with respect to the alleged 7 transmission of data via Google’s SDK, and its subsequent use vel non, apply here to the same 8 || end. 9 CONCLUSION 10 Summary judgment is granted in favor of Google on plaintiffs’ UCL and aiding-and- 11 abetting claims. It is denied in all other respects. 12 IT IS SO ORDERED. 13 Dated: September 23, 2024 14 15 JAMBB DONATO = 16 Unitgg States District Judge
18 19 20 21 22 23 24 25 26 27 28