1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 STEPHEN GERBER, et al., Case No. 4:23-cv-00186-KAW
8 Plaintiffs, ORDER GRANTING IN PART AND DENYING IN PART MOTION TO 9 v. DISMISS CONSOLIDATED AMENDED CLASS ACTION COMPLAINT 10 TWITTER, INC., et al., Re: Dkt. No. 40 11 Defendants.
12 13 On June 6, 2023, Defendant X Corp., as successor in interest to Twitter, Inc. (collectively 14 “Twitter”), filed a motion to dismiss Plaintiffs’ consolidated class action complaint. 15 On February 15, 2023, the Court held a hearing, and, after considering the legal arguments 16 made, GRANTS IN PART AND DENIES IN PART Defendant’s motion to dismiss. 17 I. BACKGROUND 18 Twitter is a social media platform where users can post and engage with short-form 19 commentary, called “Tweets,” which may include text, images, or video. (Consolidated Class 20 Action Compl., “CCAC,” Dkt. No. 36 ¶¶ 2, 28-30.) Each user must create a username and display 21 name, which are displayed publicly and associate the user with their activity on the Twitter 22 platform. (CCAC ¶ 32.) Twitter invites users to operate on its platform by using pseudonymous 23 user and display names, thereby allowing users to share and access information and engage freely 24 and anonymously. (CCAC ¶¶ 41-44.) While Twitter does not charge its users, it realizes billions 25 of dollars in annual revenues from the highly valuable data generated by its users. (CCAC ¶ 31.) 26 In order to sign up for an account on the Twitter platform, a prospective user is required to: 27 (1) enter into a User Agreement, and (2) provide certain personal information, including name, 1 Agreement, includes the Terms of Service (“TOS”), the Privacy Policy, the Twitter Rules and 2 Policies, and all incorporated policies. (See CCAC ¶¶ 33-35.) As a result, prior to accessing the 3 Twitter platform and using Twitter’s services, Plaintiffs entered into the User Agreement with 4 Twitter, including the Privacy Policy, and provided Twitter with their PII, as requested by Twitter 5 and subject to Twitter’s representations set forth in the Privacy Policy. (CCAC ¶¶ 97, 118-34.) 6 The Privacy Policy states in detail how user data, including PII, will be used and who will have 7 access to that data. (CCAC ¶¶ 37-39, 122-26.) 8 From around June 2021 through January 2022, a defect in Twitter’s application 9 programming interface (“API”) allowed threat actors to access and obtain PII associated with an 10 estimated 200 million Twitter users. (CCAC ¶¶ 6, 19, 23, 26, 39, 46, 60.) It is unclear from 11 publicly available information whether the person(s) that took advantage of the API vulnerability 12 were external threat actors or had internal access at Twitter. (CCAC ¶¶ 46, 75(b), 75(g), 80, 83, 13 93, 97.) The information extracted through the API defect consists of information associated with 14 users’ Twitter account (username, display name, and account creation data), together with the 15 users’ PII (email address and phone number). (CCAC ¶ 46.) This data was offered for sale, on 16 more than one occasion, and/or leaked on the dark web between August 2022 and January 2023. 17 Id. 18 Plaintiffs contend that the Data Breach does not represent an isolated incident, but, rather, 19 was the foreseeable result of the reckless way that Twitter has chosen to operate its business. As 20 early as 2010, Twitter came under scrutiny from the Federal Trade Commission (“FTC”) for its 21 data privacy failures, resulting in the entry of a 2011 consent order (the “FTC Order”), which 22 Twitter has continued to violate (despite being subject to it for over a decade), including with 23 respect to the Data Breach. (CCAC ¶¶ 7, 83-90.) Recently, Twitter’s former Head of Security, 24 Peiter Zatko, filed a whistleblower complaint and testified before Congress regarding the 25 dangerous and pervasive lack of both internal and external data security at Twitter. (CCAC ¶¶ 73- 26 77.) Zatko provided comprehensive reports to the Twitter Board of Directors and executives 27 regarding his data security concerns, but Twitter allegedly failed and refused to implement even 1 giving rise to the Data Breach occurred. (CCAC ¶¶ 46, 73.) 2 Plaintiffs allege that had they known that Twitter failed to implement reasonable and 3 adequate data security measures, they would not have created Twitter accounts or would not have 4 provided their PII that was disclosed in the Data Breach to Twitter. (CCAC ¶¶ 19, 23, 26.) 5 Plaintiff Weitzman alleges that she has spent time monitoring her various accounts to detect and 6 prevent any misuses of her PII, which she would not have had to expend if not for the Data 7 Breach. (CACC ¶ 26.) Plaintiffs further contend that the Data Breach has also caused specific and 8 unique harm to Twitter’s impacted users that accepted its invitation to operate on its platform 9 anonymously through the use of pseudonyms, such as Plaintiffs Gerber and Cohen, as the data 10 available as a result enables any person with access to it to readily ascertain the identity of the 11 person associated with a pseudonymous Twitter account and their related activity on the platform. 12 (CCAC ¶¶ 49, 65, 104.) 13 On April 20, 2023, Plaintiffs filed the consolidated class action complaint alleging eight 14 causes of action for breach of contract, negligence, negligence per se, gross negligence, unjust 15 enrichment, violation of California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200), 16 violation of the California Consumers Legal Remedies Act (Cal. Civil Code § 1750), and 17 declaratory judgment. On June 6, 2023, Defendant filed a motion to dismiss. (Def.’s Mot., Dkt. 18 No. 40.) On July 20, 2023, Plaintiffs filed an opposition. (Pls.’ Opp’n, Dkt. No. 45.) On 19 September 8, 2023, Defendant filed a reply. (Def.’s Reply, Dkt. No. 55.) 20 II. LEGAL STANDARD 21 A. Motion to Dismiss 22 Under Federal Rule of Civil Procedure 12(b)(6), a party may file a motion to dismiss based 23 on the failure to state a claim upon which relief may be granted. A motion to dismiss under Rule 24 12(b)(6) tests the legal sufficiency of the claims asserted in the complaint. Navarro v. Block, 250 25 F.3d 729, 732 (9th Cir. 2001). 26 In considering such a motion, a court must “accept as true all of the factual allegations 27 contained in the complaint,” Erickson v. Pardus, 551 U.S. 89, 94 (2007) (per curiam) (citation 1 there is an absence of “sufficient factual matter to state a facially plausible claim to relief.” 2 Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010) (citing 3 Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009); Navarro, 250 F.3d at 732) (internal quotation 4 marks omitted). 5 A claim is plausible on its face when a plaintiff “pleads factual content that allows the 6 court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” 7 Iqbal, 556 U.S. at 678 (citation omitted). In other words, the facts alleged must demonstrate “more 8 than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not 9 do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). “Threadbare recitals of the elements of 10 a cause of action” and “conclusory statements” are inadequate. Iqbal, 556 U.S. at 678; see also 11 Epstein v. Wash.
Free access — add to your briefcase to read the full text and ask questions with AI
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 STEPHEN GERBER, et al., Case No. 4:23-cv-00186-KAW
8 Plaintiffs, ORDER GRANTING IN PART AND DENYING IN PART MOTION TO 9 v. DISMISS CONSOLIDATED AMENDED CLASS ACTION COMPLAINT 10 TWITTER, INC., et al., Re: Dkt. No. 40 11 Defendants.
12 13 On June 6, 2023, Defendant X Corp., as successor in interest to Twitter, Inc. (collectively 14 “Twitter”), filed a motion to dismiss Plaintiffs’ consolidated class action complaint. 15 On February 15, 2023, the Court held a hearing, and, after considering the legal arguments 16 made, GRANTS IN PART AND DENIES IN PART Defendant’s motion to dismiss. 17 I. BACKGROUND 18 Twitter is a social media platform where users can post and engage with short-form 19 commentary, called “Tweets,” which may include text, images, or video. (Consolidated Class 20 Action Compl., “CCAC,” Dkt. No. 36 ¶¶ 2, 28-30.) Each user must create a username and display 21 name, which are displayed publicly and associate the user with their activity on the Twitter 22 platform. (CCAC ¶ 32.) Twitter invites users to operate on its platform by using pseudonymous 23 user and display names, thereby allowing users to share and access information and engage freely 24 and anonymously. (CCAC ¶¶ 41-44.) While Twitter does not charge its users, it realizes billions 25 of dollars in annual revenues from the highly valuable data generated by its users. (CCAC ¶ 31.) 26 In order to sign up for an account on the Twitter platform, a prospective user is required to: 27 (1) enter into a User Agreement, and (2) provide certain personal information, including name, 1 Agreement, includes the Terms of Service (“TOS”), the Privacy Policy, the Twitter Rules and 2 Policies, and all incorporated policies. (See CCAC ¶¶ 33-35.) As a result, prior to accessing the 3 Twitter platform and using Twitter’s services, Plaintiffs entered into the User Agreement with 4 Twitter, including the Privacy Policy, and provided Twitter with their PII, as requested by Twitter 5 and subject to Twitter’s representations set forth in the Privacy Policy. (CCAC ¶¶ 97, 118-34.) 6 The Privacy Policy states in detail how user data, including PII, will be used and who will have 7 access to that data. (CCAC ¶¶ 37-39, 122-26.) 8 From around June 2021 through January 2022, a defect in Twitter’s application 9 programming interface (“API”) allowed threat actors to access and obtain PII associated with an 10 estimated 200 million Twitter users. (CCAC ¶¶ 6, 19, 23, 26, 39, 46, 60.) It is unclear from 11 publicly available information whether the person(s) that took advantage of the API vulnerability 12 were external threat actors or had internal access at Twitter. (CCAC ¶¶ 46, 75(b), 75(g), 80, 83, 13 93, 97.) The information extracted through the API defect consists of information associated with 14 users’ Twitter account (username, display name, and account creation data), together with the 15 users’ PII (email address and phone number). (CCAC ¶ 46.) This data was offered for sale, on 16 more than one occasion, and/or leaked on the dark web between August 2022 and January 2023. 17 Id. 18 Plaintiffs contend that the Data Breach does not represent an isolated incident, but, rather, 19 was the foreseeable result of the reckless way that Twitter has chosen to operate its business. As 20 early as 2010, Twitter came under scrutiny from the Federal Trade Commission (“FTC”) for its 21 data privacy failures, resulting in the entry of a 2011 consent order (the “FTC Order”), which 22 Twitter has continued to violate (despite being subject to it for over a decade), including with 23 respect to the Data Breach. (CCAC ¶¶ 7, 83-90.) Recently, Twitter’s former Head of Security, 24 Peiter Zatko, filed a whistleblower complaint and testified before Congress regarding the 25 dangerous and pervasive lack of both internal and external data security at Twitter. (CCAC ¶¶ 73- 26 77.) Zatko provided comprehensive reports to the Twitter Board of Directors and executives 27 regarding his data security concerns, but Twitter allegedly failed and refused to implement even 1 giving rise to the Data Breach occurred. (CCAC ¶¶ 46, 73.) 2 Plaintiffs allege that had they known that Twitter failed to implement reasonable and 3 adequate data security measures, they would not have created Twitter accounts or would not have 4 provided their PII that was disclosed in the Data Breach to Twitter. (CCAC ¶¶ 19, 23, 26.) 5 Plaintiff Weitzman alleges that she has spent time monitoring her various accounts to detect and 6 prevent any misuses of her PII, which she would not have had to expend if not for the Data 7 Breach. (CACC ¶ 26.) Plaintiffs further contend that the Data Breach has also caused specific and 8 unique harm to Twitter’s impacted users that accepted its invitation to operate on its platform 9 anonymously through the use of pseudonyms, such as Plaintiffs Gerber and Cohen, as the data 10 available as a result enables any person with access to it to readily ascertain the identity of the 11 person associated with a pseudonymous Twitter account and their related activity on the platform. 12 (CCAC ¶¶ 49, 65, 104.) 13 On April 20, 2023, Plaintiffs filed the consolidated class action complaint alleging eight 14 causes of action for breach of contract, negligence, negligence per se, gross negligence, unjust 15 enrichment, violation of California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200), 16 violation of the California Consumers Legal Remedies Act (Cal. Civil Code § 1750), and 17 declaratory judgment. On June 6, 2023, Defendant filed a motion to dismiss. (Def.’s Mot., Dkt. 18 No. 40.) On July 20, 2023, Plaintiffs filed an opposition. (Pls.’ Opp’n, Dkt. No. 45.) On 19 September 8, 2023, Defendant filed a reply. (Def.’s Reply, Dkt. No. 55.) 20 II. LEGAL STANDARD 21 A. Motion to Dismiss 22 Under Federal Rule of Civil Procedure 12(b)(6), a party may file a motion to dismiss based 23 on the failure to state a claim upon which relief may be granted. A motion to dismiss under Rule 24 12(b)(6) tests the legal sufficiency of the claims asserted in the complaint. Navarro v. Block, 250 25 F.3d 729, 732 (9th Cir. 2001). 26 In considering such a motion, a court must “accept as true all of the factual allegations 27 contained in the complaint,” Erickson v. Pardus, 551 U.S. 89, 94 (2007) (per curiam) (citation 1 there is an absence of “sufficient factual matter to state a facially plausible claim to relief.” 2 Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010) (citing 3 Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009); Navarro, 250 F.3d at 732) (internal quotation 4 marks omitted). 5 A claim is plausible on its face when a plaintiff “pleads factual content that allows the 6 court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” 7 Iqbal, 556 U.S. at 678 (citation omitted). In other words, the facts alleged must demonstrate “more 8 than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not 9 do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). “Threadbare recitals of the elements of 10 a cause of action” and “conclusory statements” are inadequate. Iqbal, 556 U.S. at 678; see also 11 Epstein v. Wash. Energy Co., 83 F.3d 1136, 1140 (9th Cir. 1996) (“[C]onclusory allegations of 12 law and unwarranted inferences are insufficient to defeat a motion to dismiss for failure to state a 13 claim.”). “The plausibility standard is not akin to a probability requirement, but it asks for more 14 than a sheer possibility that a defendant has acted unlawfully . . . When a complaint pleads facts 15 that are merely consistent with a defendant's liability, it stops short of the line between possibility 16 and plausibility of entitlement to relief.” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 17 557) (internal citations omitted). 18 Generally, if the court grants a motion to dismiss, it should grant leave to amend even if no 19 request to amend is made “unless it determines that the pleading could not possibly be cured by 20 the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (citations 21 omitted). 22 B. Request for Judicial Notice 23 As a general rule, a district court may not consider any material beyond the pleadings in 24 ruling on a motion to dismiss for failure to state a claim. Lee v. City of Los Angeles, 250 F.3d 668, 25 688 (9th Cir. 2001). A district court may take notice of facts not subject to reasonable dispute that 26 are “capable of accurate and ready determination by resort to sources whose accuracy cannot 27 reasonably be questioned.” Fed. R. Evid. 201(b); United States v. Bernal–Obeso, 989 F.2d 331, 1 F.3d at 689 (citing Mack v. S. Bay Beer Distrib., 798 F.2d 1279, 1282 (9th Cir. 1986)), and may 2 also consider “documents whose contents are alleged in a complaint and whose authenticity no 3 party questions, but which are not physically attached to the pleading” without converting a 4 motion to dismiss under Rule 12(b)(6) into a motion for summary judgment. Branch v. Tunnell, 5 14 F.3d 449, 454 (9th Cir. 1994), overruled on other grounds by Galbraith v. Cnty. of Santa Clara, 6 307 F.3d 1119 (9th Cir. 2002). The court need not accept as true allegations that contradict facts 7 which may be judicially noticed. See Mullis v. United States Bankruptcy Ct., 828 F.2d 1385, 1388 8 (9th Cir. 1987). 9 III. DISCUSSION 10 A. Request for Judicial Notice 11 As a preliminary matter, Defendant asks that the Court take judicial notice of 14 12 documents in support of its motion to dismiss. (Def.’s Req. for Judicial Notice, “RJN,” Dkt. No. 13 41.) The documents are purportedly true and correct copies of: 1) Twitter’s Privacy Policy 14 effective June 18, 2020, available at https://twitter.com/en/privacy/previous/version_16; 2) 15 Twitter’s Privacy Policy effective August 19, 2021, available at 16 https://twitter.com/en/privacy/previous/version_17; 3) Twitter’s Privacy Policy effective June 10, 17 2022, available at https://twitter.com/en/privacy/previous/version-18; 4) Twitter’s Terms of 18 Service effective June 18, 2020, available at https://twitter.com/en/tos/previous/version_15; 5) 19 Twitter’s Terms of Service effective as of August 19, 2021, available at 20 https://twitter.com/en/tos/previous/version_16; 6) Twitter’s Terms of Service effective June 10, 21 2022, available at https://twitter.com/en/tos/previous/version-17; 7) a blog post published on the 22 Twitter Privacy Center on August 5, 2022, titled “An incident impacting some accounts and 23 private information on Twitter,” available at https://privacy.twitter.com/en/blog/2022/an-issue- 24 affecting-some-anonymous-accounts; 8) a blog post published on the Twitter Privacy Center on 25 January 11, 2023, titled “Update about an alleged incident regarding Twitter user data being sold 26 online,” available at https://privacy.twitter.com/en/blog/2023/update-about-an-alleged-incident- 27 regarding-twitter-user-data-being-sold-online; 9) an article published on the Bleeping Computer 1 online,” available at https://www.bleepingcomputer.com/news/security/200-million-twitter-users- 2 email-addresses-allegedly-leaked-online/; 10) an article published on the KnowBe4 website on 3 March 7, 2013, titled “28 Percent of Data Breaches Lead to Fraud,” available at 4 https://blog.knowbe4.com/bid/252486/28-percent-of-data-breaches-lead-to-fraud; 11) a report 5 published by the United States Government Accountability Office on June 4, 2007, titled “Data 6 Breaches Are Frequent, But Evidence of Resulting Identity Theft is Limited; However, the Full 7 Extent is Unknown” (GAO–07-737), available at https://www.gao.gov/assets/gao-07-737.pdf; 12) 8 Twitter Help Center page titled “About your email and phone number discoverability privacy 9 settings,” available at https://help.twitter.com/en/safety-and-security/email-and-phone- 10 discoverability-settings; 13) Twitter Help Center page titled “How to Upload and Manage Your 11 Contacts,” available at https://help.twitter.com/en/using-twitter/upload-your-contacts-to-search- 12 for-friends; 14) Twitter Help Center page titled “About Twitter’s Account Suggestions,” available 13 at https://help.twitter.com/en/using-twitter/account-suggestions. (RJN at 1-3; Decl. of Stephen A. 14 Broome, Dkt. No. 40-1, Exs. 1-14.)1 15 Plaintiffs oppose Defendant’s request to judicial notice as to Exhibit Nos. 9, 11, 12, 13, 16 and 14 on the grounds that Defendant is seeking to establish the truth of the documents’ contents 17 to dispute the well-pleaded facts in the complaint. (Pl.’s RJN Opp’n, Dkt. No. 44 at 1.) Defendant 18 argues that these exhibits are all incorporated into the complaint by reference. (Def.’s RJN at 7-8.) 19 The “incorporation by reference” doctrine “permits [a court] to take into account 20 documents whose contents are alleged in a complaint and whose authenticity no party questions, 21 but which are not physically attached to the plaintiff’s pleading.” Knievel v. ESPN, 393 F.3d 1068, 22 1076 (9th Cir. 2005). Thus, “[e]ven if a document is not attached to a complaint, it may be 23 incorporated by reference into a complaint if the plaintiff refers extensively to the document or the 24 document forms the basis of the plaintiff’s claim.” United States v. Richie, 342 F.3d 903, 908 (9th 25 Cir. 2003). The court, however, “is not required to incorporate documents by reference.” Davis v. 26 HSBC Bank Nev., N.A., 691 F.3d 1152, 1159 (9th Cir. 2012). The disputed exhibits are not 27 1 needed to resolve the pending motion, so the Court declines to incorporate them by reference. The 2 Court also declines to incorporate Exhibit 10 by reference, because it is also unnecessary. 3 As to the remaining Exhibit Nos. 1-8, the Court will take judicial notice of those exhibits 4 pursuant to the incorporation by reference doctrine. 5 Accordingly, Defendant’s request for judicial notice is GRANTED IN PART AND 6 DENIED IN PART. 7 B. Motion to Dismiss 8 i. Terms of Service 9 As an initial matter, Defendant argues that the first five causes of action for breach of 10 contract, negligence, negligence per se, gross negligence, and unjust enrichment are barred by the 11 Terms of Service (“TOS”) disclaimer and the limitation of liability clauses. (Def.’s Mot. at 6.) 12 Section 6 of the TOS provides that California law governs both the terms and any claim 13 that may arise between the consumer and Twitter. (RJN, Ex. 6 at 9-10.) “With respect to claims 14 for breach of contract, limitation of liability clauses are enforceable unless they are 15 unconscionable, that is, the improper result of unequal bargaining power or contrary to public 16 policy.” Food Safety Net Servs. v. Eco Safe Sys. USA, Inc., 209 Cal. App. 4th 1118, 1126 (2012). 17 Specifically, Section 5 of the TOS contained disclaimers and limitations of liability. First, users 18 were advised that the services were being made available “AS-IS”:
19 Your access to and use of the Services or any Content are at your own risk. . . . [T]he Services are provided to you on an “AS IS” . . . basis. 20 The Twitter Entities make no warranty or representation and disclaim all responsibility and liability for: (i) the . . security or reliability of 21 the Services or any Content; (ii) any harm to your computer system, loss of data, or other harm that results from your access to or use of 22 the Services or any content; . . . and (iv) whether the Services will meet your requirements or be available on an uninterrupted, secure, 23 or error-free basis. 24 (RJN, Ex. 6 at 8) (emphasis added). Next, the limitation of liability clause was as follows:
25 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE TWITTER ENTITIES SHALL NOT BE LIABLE FOR 26 ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR 27 REVENUES, WHETHER INCURRED DIRECTLY OR TO OR USE OF OR INABILITY TO ACCESS OR USE THE 1 SERVICES; (ii) ANY CONDUCT OR CONTENT OF ANY THIRD PARTY ON THE SERVICES, INCLUDING WITHOUT 2 LIMITATION, ANY DEFAMATORY, OFFENSIVE OR ILLEGAL CONDUCT OF OTHER USERS OR THIRD PARTIES; (iii) ANY 3 CONTENT OBTAINED FROM THE SERVICES; OR (iv) UNAUTHORIZED ACCESS, USE OR ALTERATION OF YOUR 4 TRANSMISSIONS OR CONTENT… THE LIMITATIONS OF THIS SUBSECTION SHALL APPLY TO ANY THEORY OF 5 LIABILITY, WHETHER BASED ON WARRANTY, CONTRACT, STATUTE, TORT (INCLUDING NEGLIGENCE) 6 OR OTHERWISE…. 7 (RJN, Ex. 6 at 9) (emphasis added). 8 Courts in this district have found liability limitation provisions to be generally enforceable 9 for similar services. See, e.g., Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1038 (N.D. Cal. 10 2019) (contract claims barred by TOS). Broad provisions such as these, however, have also been 11 found to be unconscionable because they “are overly one-sided and bar any effective relief.” In re 12 Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F. Supp. 3d 1113, 1137 (N.D. Cal. 2018). 13 Moreover, as Plaintiffs do allege, Defendant is obligated by law to maintain reasonable data 14 security systems. (CCAC ¶¶ 180-183.) Despite this obligation, Twitter allegedly “took minimal 15 action despite knowing about their inadequate security measures,” which would be adequate to 16 plead that the limitations of liability are substantively unconscionable. See In re Yahoo! Inc., 313 17 F. Supp. 3d at 1138. 18 Regardless, as Defendant argues, the operative complaint contains no specific allegations 19 regarding the unconscionability of the TOS. (See Def.’s Reply at 2.) At the hearing, Plaintiffs 20 conceded that the complaint was devoid of any such allegations and requested leave to amend to 21 allege unconscionability. 22 Even in the absence of such allegations, as Defendant conceded at the hearing, the gross 23 negligence claim would not be barred by the TOS, because “California law forbids limiting 24 liability for gross negligence.” In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. 25 Supp. 3d 767, 800 (N.D. Cal. 2019). 26 Accordingly, the first, second, third, and fifth causes of action for breach of contract, 27 negligence, negligence per se, and unjust enrichment are dismissed with leave to amend, so that 1 these causes of action. 2 ii. First and Fifth Causes of Action: Contract Claims 3 Plaintiffs first and fifth causes of action are for breach of contract and unjust enrichment. 4 (CCAC ¶¶ 118-134, 157-167.) Unjust enrichment is considered to be quasi-contract claim. See 5 Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 2023 WL 5837443, at *13 (N.D. Cal. Sept. 6 7, 2023). 7 These claims have already been dismissed, see discussion, supra, Part III.B.i, so the Court 8 will briefly address them together. At the hearing, Plaintiffs indicated a willingness to allege the 9 specific promises made within the TOS and related privacy policies. While Defendant’s argument 10 that Plaintiffs should have already done so is well taken, the Court will permit Plaintiffs to amend 11 these causes of action to allege the specific promises, but Plaintiffs are advised that the Court is 12 not inclined to give them another opportunity to amend should their next attempt prove to be 13 insufficient. 14 iii. Second through Fourth Causes of Action: Negligence claims 15 Plaintiffs second through fourth causes of action are for negligence, negligence per se, and 16 gross negligence. (CCAC ¶¶ 135-156.) As discussed above, Plaintiffs have failed to allege that 17 the TOS is unconscionable, so the negligence and negligence per se causes of action are dismissed 18 with leave to amend. Since negligence per se is not an independent cause of action, Plaintiffs’ 19 amended complaint should plead both theories as the single tort of negligence. See Moore v. 20 Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 521 n.2 (2022), review denied (Dec. 14, 2022). 21 To plead negligence, including gross negligence, Plaintiffs must show that Defendant 22 “owed [Plaintiffs] a legal duty, that it breached the duty, and that the breach was a proximate or 23 legal cause of [Plaintiffs’] injuries.” Merrill v. Navegar, Inc., 26 Cal. 4th 465, 477 (2001). 24 Defendant argues that the economic loss rule bars Plaintiffs’ claims. (Def.’s Mot. at 15- 25 16.) The economic loss rule provides that “there is no recovery in tort for negligently inflicted 26 ‘purely economic losses,’ meaning financial harm unaccompanied by physical or property 27 damage.” Sheen v. Wells Fargo Bank, N.A., 12 Cal. 5th 905, 922, 505 P.3d 625, 632 (2022), reh'g 1 claim arises from the contract (in other words, the claim is not independent of the contract).” 2 Moore v. Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 535, 299 Cal. Rptr. 3d 544, 561 3 (2022), review denied (Dec. 14, 2022) (citing Sheen, 12 Cal. 5th at 923). 4 As an initial matter, it is unclear to the Court what economic losses Plaintiffs have 5 suffered, if any. Defendant cites to Moore in support of their argument that the economic loss rule 6 bars Plaintiffs’ negligence claims. (Def.’s Mot. at 16.) There, the California Court of Appeal 7 found that the economic loss rule barred the appellants’ negligence claim because their 8 complaint’s allegations “implicitly referr[ed] to their time’s financial value” rather than being 9 “accompanied by any personal injury or property damage.” Moore v. Centrelake Med. Grp., Inc., 10 83 Cal. App. 5th 515, 535-36, 299 Cal. Rptr. 3d 544, 561 (2022), review denied (Dec. 14, 2022). 11 In sum, the Moore plaintiffs failed to allege their loss of time as a personal injury, which would 12 have presumably allowed their negligence claim to survive the pleadings stage. Id. at 536. Here, 13 unlike Moore, Plaintiffs do allege non-economic injuries in spending “time monitoring [their] 14 various accounts in an effort to detect and prevent any misuses of [their] PII….” (CCAC ¶ 26.) 15 “Various California courts have referred to privacy-based causes of action as actions for 16 ‘personal injury.’” Greenley v. Avis Budget Grp. Inc., No. 19-cv-00421-GPC-AHG, 2020 WL 17 1493618, at *13 (S.D. Cal. Mar. 27, 2020) (collecting cases); Medoff v. Minka Lighting, LLC, No. 18 22-cv-08885-SVW-PVC, 2023 WL 4291973, at *8 (C.D. Cal. May 8, 2023) (quoting same 19 language from Greenley). Courts in this district have found that loss of time allegations are 20 sufficient to state a harm that is not a “pure economic loss.” Bass v. Facebook, Inc., 394 F. Supp. 21 3d 1024, 1039 (N.D. Cal. 2019). The Court agrees and finds that the economic loss rule would not 22 bar the remaining negligence claim should Plaintiffs sufficiently allege that the TOS is 23 unconscionable. See discussion, supra, Part III.B.i. 24 Accordingly, Plaintiffs adequately state a claim for gross negligence, and the motion to 25 dismiss is denied as to the fourth cause of action.2 26 2 The Court notes that the harm allegation is not explicitly cited in the claim itself, which merely 27 incorporates preceding paragraphs by reference. In an effort to clarify their allegations and comply 1 iv. Sixth Cause of Action: Unfair Competition Law, Bus. & Prof. Code § 17200 2 In order to establish standing for the UCL Claim, plaintiffs must show that they personally 3 lost money or property “as a result of the unfair competition.” CAL. BUS. & PROF. CODE § 17204; 4 Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 330 (2011). Under California law: [t]here are innumerable ways in which economic injury from unfair 5 competition may be shown. A plaintiff may (1) surrender in a transaction more, or acquire in a transaction less, than he or she 6 otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she 7 has a cognizable claim; (4) be required to enter into a transaction, costing money or property, that would otherwise have been 8 unnecessary. 9 Kwikset, 51 Cal. 4th at 323. 10 Here, Plaintiffs allege two harms: (1) loss of the monetary value of the personal 11 information, and (2) failure to receive the benefit of their bargain with Twitter. (CCAC ¶¶ 185, 12 192.) If either harm is plausibly alleged, Plaintiffs would satisfy the standing requirement for 13 these two causes of action. Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1040 (N.D. Cal. 2019). 14 Plaintiffs contend that the complaint adequately alleges how and when Plaintiffs’ PII was 15 offered for sale and the monetary value and market for PII. (CCAC ¶¶ 46, 48, 50-52, 56-57, 59- 16 60, 102, 185.) Plaintiffs position that the sale of their PII on the dark web satisfies the “lost-value- 17 of-PII” theory has been rejected by courts in this district, because the existence of a nefarious 18 market does not equate to an allegation that Plaintiffs “attempted or intended to participate in this 19 market, or otherwise to derive economic value from their PII.” Doe v. Meta Platforms, Inc., No. 20 22-CV-03580-WHO, 2023 WL 5837443, at *16 (N.D. Cal. Sept. 7, 2023) (quoting Moore v. 21 Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 538 (2022), review denied (Dec. 14, 2022)). To 22 the extent that Plaintiffs rely on Brown v. Google LLC, No. 20-CV-03664-LHK, 2021 WL 23 6064009 (N.D. Cal. Dec. 22, 2021), for the proposition that the future value of their data was 24 diminished by the unauthorized sale of that data, that reliance is misplaced. (Pls.’ Opp’n at 15.) 25 Brown is factually inapposite because that case involved allegations that Plaintiffs had been 26 induced to give Google their data without payment, and that they would have demanded payment 27 had they known that Google had previously paid individuals for their browsing histories. Brown, 1 is dismissed with prejudice, because any amendment would be futile. 2 Plaintiffs, however, do have the potential to sufficiently allege economic injury based on 3 “benefit of the bargain.” (See Pls.’ Opp’n at 15.) Business and Professions Code § 22576 4 prohibits “an operator of a commercial website” that collects PII from consumers from violating 5 “its posted privacy policy.” Plaintiffs argue that they have UCL standing based on a breach of the 6 contractual privacy protections governing the sales in violation of Section 22576. (Id.; see also 7 CCAC ¶ 183.) Thus, Plaintiffs have standing so long as they have adequately alleged that 8 Defendant breached the terms of its privacy agreement. See In re Anthem, Inc. Data Breach Litig., 9 No. 15-md-2617-LHK, 2016 WL 3029783, at *13, *30 (N.D. Cal. 2016) (finding defendant’s 10 breach of privacy policies incorporated into customers’ insurance contracts deprived plaintiffs of 11 the benefit of their bargain and caused economic injury sufficient to establish UCL standing). 12 Plaintiffs are, therefore, granted leave to amend to clearly allege violations of the privacy policy, 13 which, if adequately pled, will satisfy the harm requirement for the UCL claim. 14 Thus, the sixth cause of action is dismissed with leave to amend. 15 v. Seventh Cause of Action: California Consumers Legal Remedies Act 16 The seventh cause of action is for violation of the California Consumers Legal Remedies 17 Act (“CLRA”). (CCAC ¶¶ 186-193.) Defendant argues that the CLRA claim fails because 18 Plaintiffs fail to allege that the parties engaged in a transaction for the “sale or lease of goods or 19 services to any consumer.” (Def.’s Mot. at 22 (quoting Cal. Civ. Code § 1770(a)).) At the hearing, 20 Plaintiffs conceded this cause of action. 21 Accordingly, the seventh cause of action is dismissed with prejudice. 22 vi. Eighth Cause of Action: Declaratory Judgment 23 The eighth cause of action is for declaratory judgment. (CCAC ¶¶ 194-201.) Specifically, 24 Plaintiffs allege that Twitter’s data security measures remain inadequate, and they seek a 25 declaratory judgment that Twitter owes a legal duty to secure consumers’ PII and to timely notify 26 them of a data breach, and that it continues to breach that duty by failing to employ reasonable 27 measures to secure consumers’ PII. (CCAC ¶¶ 196-197.) 1 (Def.’s Mot. at 23.) Plaintiffs’ claim for gross negligence is sufficiently pled. Furthermore, a 2 || dispute exists as to the continued risk Plaintiffs and similarly situated users face, rendering the 3 dismissal of the declaratory judgment claim premature. See Bass v. Facebook, Inc., 394 F. Supp. 4 |} 3d 1024, 1040 (N.D. Cal. 2019). 5 Accordingly, the motion to dismiss is denied as to the eighth cause of action. 6 IV. CONCLUSION 7 For the reasons set forth above, Defendant’s motion to dismiss is GRANTED IN PART 8 AND DENIED IN PART. Consistent with this order, the motion is granted with leave to amend 9 as to first, second, third, fifth, and sixth causes of action. The motion is granted with prejudice 10 || regarding the seventh cause of action for violation of the California Consumers Legal Remedies 11 Act. The motion is denied as to the fourth and eighth causes of action. 12 Plaintiffs shall file a second amended complaint within 21 days of this order. 13 IT IS SO ORDERED. 14 || Dated: March 29, 2024
A 16 United States Magistrate Judge
18 19 20 21 22 23 24 25 26 27 28