1 2 UNITED STATES DISTRICT COURT 3 NORTHERN DISTRICT OF CALIFORNIA 4 5 Case No. 22-cv-03580-WHO
6 ORDER ON MOTION TO DISMISS 7 IN RE META HEALTHCARE PIXEL AND STRIKE 8 LITIGATION Re: Dkt. Nos. 387, 388 9
11 In my September 7, 2023 Order, I denied defendant Meta Platform, Inc.’s motion to 12 dismiss certain claims, but granted it with leave to amend plaintiffs’ claims for invasion of 13 privacy/intrusion on seclusion, California’s Comprehensive Computer Data Access and Fraud Act 14 (“CDAFA”), negligence per se, trespass, larceny, Unfair Competition Law (“UCL”), and 15 California’s Consumers Legal Remedies Act (“CLRA”). Doe v. Meta Platforms, Inc., No. 22-CV- 16 03580-WHO, 2023 WL 5837443, at *17 (N.D. Cal. Sept. 7, 2023). In their First Amended 17 Consolidated Class Action Complaint (“FAC,” Dkt. No. 334-3) plaintiffs did not reallege their 18 negligence per se, larceny, or UCL claims and amended and realleged their privacy/intrusion of 19 seclusion, CDAFA, trespass and CLRA claims. Meta moves again to dismiss. Plaintiffs 20 voluntarily withdraw their CLRA claim, but contest dismissal of the other claims. Meta’s motion 21 is DENIED. 1 22 LEGAL STANDARD 23 I. CONSTITUTIONAL PRIVACY AND INTRUSION ON SECLUSION 24 In the September 2023 Order, I rejected most of Meta’s challenges to plaintiffs’ privacy 25 claims but recognized:
27 1 The factual and procedural background have been outlined in my prior Orders and will not be Given the nature of this case – where plaintiffs allege that both 1 unprotected and constitutionally protected information was captured by Meta's Pixel – plaintiffs are required to amend to describe the types 2 or categories of sensitive health information that they provided through their devices to their healthcare providers. That basic 3 amendment (which can be general enough to protect plaintiffs’ specific privacy interests) will allow these privacy claims to go 4 forward. 5 September 2023 Order, 2023 WL 5837443 at *8. 6 In the FAC, plaintiffs identify the specific types of information they provided to their 7 healthcare providers that they believe Meta collected without their consent. FAC ¶¶ 24-38. For 8 the most part, plaintiffs identify the health conditions for which they sought treatment or services, 9 as well as examples of their queries, appointment requests, or other information and services about 10 which they communicated with their providers. 11 Meta takes another pass at arguing that these disclosures are insufficient to plausibly plead 12 their privacy-based claims. Mot. at 1, 4. But the allegations suffice at this juncture because they 13 identify generally the types of sensitive information plaintiffs shared with their healthcare 14 providers that was plausibly collected by Meta. 15 Meta also attacks on these claims because the plaintiffs transmitted some or all of their 16 healthcare information to their providers’ websites through “publicly accessible” URLs, meaning 17 URLs that were accessible without a user logging in. It contends that its retrieval of plaintiffs’ 18 information from those unprotected or public pages cannot support an invasion of privacy claim. 19 Smith v. Facebook, Inc., 745 F. App'x 8, 9 (9th Cir. 2018) (“The data show only that Plaintiffs 20 searched and viewed publicly available health information that cannot, in and of itself, reveal 21 details of an individual’s health status or medical history. Moreover, many other kinds of 22 information are equally sensitive. We conclude that the practice complained of falls within the 23 scope of Plaintiffs’ consent to Facebook’s Terms and Policies. . . . Information available on 24 publicly accessible websites stands in stark contrast to the personally identifiable patient records 25 and medical histories protected by these statutes—information that unequivocally provides a 26 window into an individual’s personal medical history. . . . Put simply, the connection between a 27 person’s browsing history and his or her own state of health is too tenuous to support Plaintiffs’ 1 In the Preliminary Injunction Order, I distinguished the Smith district court decision:
2 Meta does not challenge plaintiffs’ assertion that patient status is protected information under HIPAA, but instead relies on Smith v. 3 Facebook, 262 F. Supp. 3d 943 (N.D. Cal. 2017). But Smith does not forestall my conclusion that patient status is protected health 4 information. It dealt with the question of whether Facebook users had consented to Facebook collecting information about them via their 5 browsing through certain health-related websites (such as http://www.cancer.net) that had an embedded Facebook “Like” 6 button. Smith, 262 F. Supp. 3d at 948. Smith concluded that there was no protected health information because the information transmitted 7 to Facebook when a user visited the http://www.cancer.net page was the same kind of information transmitted to Facebook any time a user 8 visited any page on the internet that contained a Facebook button. Id. at 954. In other words, the URLs did not “relate[ ] specifically to 9 Plaintiffs’ health.” Id. at 954. Smith further explained:
10 The URLs at issue in this case point to pages containing information about treatment options for melanoma, 11 information about a specific doctor, search results related to the phrase “intestine transplant,” a wife's blog post about her 12 husband's cancer diagnosis, and other publicly available medical information. These pages contain general health 13 information that is accessible to the public at large. The same pages are available *793 to every computer, tablet, 14 smartphone, or automated crawler that sends GET requests to these URLs. Nothing about the URLs, or the content of the 15 pages located at those URLs, relates “to the past, present, or future physical or mental health or condition of an individual.” 16 45 C.F.R. § 160.103 (emphasis added). As such, the stricter authorization requirements of HIPAA (as well as Cal. Civ. 17 Code § 1798.91) do not apply.
18 Id. at 954–55 (underline in original).
19 This case is different than Smith. Unlike the “general health information that is accessible to the public at large,” the URLs and 20 other information transmitted through the Pixel establish that a user is about to log in to a healthcare provider's website. Smith Decl. ¶¶ 21 31–37. Unlike in Smith, then, the Pixel captures information that connects a particular user to a particular healthcare provider—i.e., 22 patient status—which falls within the ambit of information protected under HIPAA. Smith involved users browsing through websites 23 providing healthcare information to the public at large, not users navigating to patient portals on healthcare providers’ websites. The 24 act of navigating to a patient portal on a healthcare provider’s website is not the general internet browsing contemplated in Smith. As a 25 result, Smith does not bear on the question of whether the information at issue here constitutes patient health information. 26 In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 792–93 (N.D. Cal. 2022). Meta contends 27 that based on the additional allegations of the FAC, this case falls within the Smith line and the 1 privacy claims should be dismissed. 2 Plaintiffs counter that because they and their healthcare providers have a “privileged” 3 relationship and because their searches were not random web searches but submission of 4 information by patients to their healthcare providers, they can state invasion of privacy claims 5 even if the submissions were made through the publicly available pages of their providers’ 6 websites.
Free access — add to your briefcase to read the full text and ask questions with AI
1 2 UNITED STATES DISTRICT COURT 3 NORTHERN DISTRICT OF CALIFORNIA 4 5 Case No. 22-cv-03580-WHO
6 ORDER ON MOTION TO DISMISS 7 IN RE META HEALTHCARE PIXEL AND STRIKE 8 LITIGATION Re: Dkt. Nos. 387, 388 9
11 In my September 7, 2023 Order, I denied defendant Meta Platform, Inc.’s motion to 12 dismiss certain claims, but granted it with leave to amend plaintiffs’ claims for invasion of 13 privacy/intrusion on seclusion, California’s Comprehensive Computer Data Access and Fraud Act 14 (“CDAFA”), negligence per se, trespass, larceny, Unfair Competition Law (“UCL”), and 15 California’s Consumers Legal Remedies Act (“CLRA”). Doe v. Meta Platforms, Inc., No. 22-CV- 16 03580-WHO, 2023 WL 5837443, at *17 (N.D. Cal. Sept. 7, 2023). In their First Amended 17 Consolidated Class Action Complaint (“FAC,” Dkt. No. 334-3) plaintiffs did not reallege their 18 negligence per se, larceny, or UCL claims and amended and realleged their privacy/intrusion of 19 seclusion, CDAFA, trespass and CLRA claims. Meta moves again to dismiss. Plaintiffs 20 voluntarily withdraw their CLRA claim, but contest dismissal of the other claims. Meta’s motion 21 is DENIED. 1 22 LEGAL STANDARD 23 I. CONSTITUTIONAL PRIVACY AND INTRUSION ON SECLUSION 24 In the September 2023 Order, I rejected most of Meta’s challenges to plaintiffs’ privacy 25 claims but recognized:
27 1 The factual and procedural background have been outlined in my prior Orders and will not be Given the nature of this case – where plaintiffs allege that both 1 unprotected and constitutionally protected information was captured by Meta's Pixel – plaintiffs are required to amend to describe the types 2 or categories of sensitive health information that they provided through their devices to their healthcare providers. That basic 3 amendment (which can be general enough to protect plaintiffs’ specific privacy interests) will allow these privacy claims to go 4 forward. 5 September 2023 Order, 2023 WL 5837443 at *8. 6 In the FAC, plaintiffs identify the specific types of information they provided to their 7 healthcare providers that they believe Meta collected without their consent. FAC ¶¶ 24-38. For 8 the most part, plaintiffs identify the health conditions for which they sought treatment or services, 9 as well as examples of their queries, appointment requests, or other information and services about 10 which they communicated with their providers. 11 Meta takes another pass at arguing that these disclosures are insufficient to plausibly plead 12 their privacy-based claims. Mot. at 1, 4. But the allegations suffice at this juncture because they 13 identify generally the types of sensitive information plaintiffs shared with their healthcare 14 providers that was plausibly collected by Meta. 15 Meta also attacks on these claims because the plaintiffs transmitted some or all of their 16 healthcare information to their providers’ websites through “publicly accessible” URLs, meaning 17 URLs that were accessible without a user logging in. It contends that its retrieval of plaintiffs’ 18 information from those unprotected or public pages cannot support an invasion of privacy claim. 19 Smith v. Facebook, Inc., 745 F. App'x 8, 9 (9th Cir. 2018) (“The data show only that Plaintiffs 20 searched and viewed publicly available health information that cannot, in and of itself, reveal 21 details of an individual’s health status or medical history. Moreover, many other kinds of 22 information are equally sensitive. We conclude that the practice complained of falls within the 23 scope of Plaintiffs’ consent to Facebook’s Terms and Policies. . . . Information available on 24 publicly accessible websites stands in stark contrast to the personally identifiable patient records 25 and medical histories protected by these statutes—information that unequivocally provides a 26 window into an individual’s personal medical history. . . . Put simply, the connection between a 27 person’s browsing history and his or her own state of health is too tenuous to support Plaintiffs’ 1 In the Preliminary Injunction Order, I distinguished the Smith district court decision:
2 Meta does not challenge plaintiffs’ assertion that patient status is protected information under HIPAA, but instead relies on Smith v. 3 Facebook, 262 F. Supp. 3d 943 (N.D. Cal. 2017). But Smith does not forestall my conclusion that patient status is protected health 4 information. It dealt with the question of whether Facebook users had consented to Facebook collecting information about them via their 5 browsing through certain health-related websites (such as http://www.cancer.net) that had an embedded Facebook “Like” 6 button. Smith, 262 F. Supp. 3d at 948. Smith concluded that there was no protected health information because the information transmitted 7 to Facebook when a user visited the http://www.cancer.net page was the same kind of information transmitted to Facebook any time a user 8 visited any page on the internet that contained a Facebook button. Id. at 954. In other words, the URLs did not “relate[ ] specifically to 9 Plaintiffs’ health.” Id. at 954. Smith further explained:
10 The URLs at issue in this case point to pages containing information about treatment options for melanoma, 11 information about a specific doctor, search results related to the phrase “intestine transplant,” a wife's blog post about her 12 husband's cancer diagnosis, and other publicly available medical information. These pages contain general health 13 information that is accessible to the public at large. The same pages are available *793 to every computer, tablet, 14 smartphone, or automated crawler that sends GET requests to these URLs. Nothing about the URLs, or the content of the 15 pages located at those URLs, relates “to the past, present, or future physical or mental health or condition of an individual.” 16 45 C.F.R. § 160.103 (emphasis added). As such, the stricter authorization requirements of HIPAA (as well as Cal. Civ. 17 Code § 1798.91) do not apply.
18 Id. at 954–55 (underline in original).
19 This case is different than Smith. Unlike the “general health information that is accessible to the public at large,” the URLs and 20 other information transmitted through the Pixel establish that a user is about to log in to a healthcare provider's website. Smith Decl. ¶¶ 21 31–37. Unlike in Smith, then, the Pixel captures information that connects a particular user to a particular healthcare provider—i.e., 22 patient status—which falls within the ambit of information protected under HIPAA. Smith involved users browsing through websites 23 providing healthcare information to the public at large, not users navigating to patient portals on healthcare providers’ websites. The 24 act of navigating to a patient portal on a healthcare provider’s website is not the general internet browsing contemplated in Smith. As a 25 result, Smith does not bear on the question of whether the information at issue here constitutes patient health information. 26 In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 792–93 (N.D. Cal. 2022). Meta contends 27 that based on the additional allegations of the FAC, this case falls within the Smith line and the 1 privacy claims should be dismissed. 2 Plaintiffs counter that because they and their healthcare providers have a “privileged” 3 relationship and because their searches were not random web searches but submission of 4 information by patients to their healthcare providers, they can state invasion of privacy claims 5 even if the submissions were made through the publicly available pages of their providers’ 6 websites. Plaintiffs identify published cases that are more recent than Smith that have accepted 7 privacy tort claims where information was transmitted to Meta from “public” sites, including In 8 re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020). There, “[p]laintiffs 9 alleged that Facebook continued to collect their data after they had logged off the social media 10 platform, in order to receive and compile their personally identifiable browsing history. As alleged 11 in the complaint, this tracking occurred “no matter how sensitive” or personal users’ browsing 12 histories were. . . . According to Plaintiffs, by correlating users’ browsing history with users’ 13 personal Facebook profiles—profiles that could include a user’s employment history and political 14 and religious affiliations—Facebook gained a cradle-to-grave profile without users’ consent.”). 15 Id. at 598-99; see also Cousin v. Sharp Healthcare, No. 22-CV-2040-MMA-DDL, 2023 WL 16 8007350, at *3 (S.D. Cal. Nov. 17, 2023 (“the Court finds that their interactions on Defendant's 17 website, while ‘unauthenticated’ or publicly facing, plausibly involve PHI,” sufficient to please 18 invasion of privacy claims). 19 Plaintiffs’ privacy claims are not foreclosed at this juncture in whole or part simply 20 because their communications with their healthcare providers may have been through publicly 21 available webpages. That fact is not irrelevant to the question of whether plaintiffs will ultimately 22 be able to prove an invasion of privacy when considering the totality of the circumstances,2 but at 23 this juncture and given that plaintiffs were communicating with their healthcare providers about 24 their healthcare needs, plaintiffs have alleged enough for this claim to proceed to discovery. 25 26 2 See, e.g., Hill v. Nat’l Collegiate Athletic Assn., 7 Cal. 4th 1, 26 (1994) (to determine whether an 27 intrusion is actionably offensive courts consider: “the degree of the intrusion, the context, conduct II. CDAFA 1 A. Damage or Loss 2 I dismissed this claim in the September 2023 Order so that plaintiffs could plead facts 3 regarding “impairment of their computing devices” required under CDAFA. I rejected plaintiffs’ 4 prior theories of damage or loss based on the “diminished value of information” and their alleged 5 “‘inability’ to use their computer devices to communicate with their healthcare providers in the 6 future.” Doe v. Meta Platforms, Inc., 2023 WL 5837443 at *9. I recognized that what plaintiffs 7 might be able to plead on amendment regarding impairment would also inform whether plaintiff 8 could satisfy a separate CDAFA element – to plausibly allege facts establishing the Pixel as “a 9 contaminant that ‘usurps’ the normal operation of plaintiffs’ devices.” Id. at *10. 10 Plaintiffs now plead the following injuries: (i) Meta occupied storage space on their 11 devices without authorization; (ii) Meta’s acts caused their devices to work slower; (iii) Meta’s 12 acts used computer resources of the device; and (4) Meta unjustly profited from the data taken. AC 13 ¶ 536. Meta argues that the amended claim must nonetheless be dismissed because all plaintiffs 14 have not alleged sufficient damage or loss as a result of Meta’s actions. But “CDAFA does not 15 define ‘damage’ or ‘loss’ and does not contain a specific monetary threshold for loss related to 16 violations of the statute.” Cottle v. Plaid Inc., 536 F. Supp. 3d 461, 487 (N.D. Cal. 2021); see also 17 Facebook, Inc. v. Power Ventures, Inc., No. C 08-05780 JW, 2010 WL 3291750, at *4 (N.D. Cal. 18 July 20, 2010) (“Although Defendants contend that any steps that Facebook took to block Power’s 19 access to the Facebook website were de minimus . . . Section 502 sets no threshold level of 20 damage or loss that must be reached to impart standing to bring suit. Under the plain language of 21 the statute, any amount of damage or loss may be sufficient.”). Plaintiffs’ revised allegations 22 identifying the measureable impact on their devices is sufficient at this juncture. 23 B. Merits 24 Moving beyond damage or loss, Meta argues that plaintiffs have failed to allege facts 25 sufficient to plausibly state violations of (c)(1) and (c)(8) of CDAFA. 26 Under (c)(1), the parties dispute whether mere “use” of data suffices or whether plaintiffs 27 1 must, instead, plead that Meta altered, damaged, deleted or destroyed plaintiffs’ data or devices.3 2 Meta relies on two Central District cases that have required allegations that a defendant altered, 3 damaged, deleted, or destroyed data and rejected the sufficiency of allegations of “mere use” of 4 data. Ticketmaster L.L.C. v. Prestige Ent. W., Inc., 315 F. Supp. 3d 1147, 1175 n.5 (C.D. Cal. 5 2018) (“The Court will not read the phrase “or otherwise uses” in section 502(c)(1) as prohibiting 6 anything other than use that is similar to alteration, damage, deletion, or destruction.”); see also 7 McGowan v. Weinstein, 505 F. Supp. 3d 1000, 1020 (C.D. Cal. 2020) (following Ticketmaster). 8 Plaintiffs rely on Northern District cases that have entered judgment in favor of Meta on data 9 scraping cases based on mere use. See, e.g., Meta Platforms, Inc. v. Soc. Data Trading Ltd., No. 10 21-CV-09807-AGT, 2022 WL 18806267, at *4 (N.D. Cal. Nov. 15, 2022), report and 11 recommendation adopted, No. 21-CV-09807-CRB, 2022 WL 18806265 (N.D. Cal. Dec. 8, 2022) 12 (default judgment entered in Meta’s favor based on allegations defendant exceeded consent and 13 engaged in mere use of Meta’s data, by data scrapping); Meta Platforms, Inc. v. Ates, No. 22-CV- 14 03918-TSH, 2023 WL 4035611, at *6 (N.D. Cal. May 1, 2023), report and recommendation 15 adopted, No. 4:22-CV-3918-YGR, 2023 WL 4995717 (N.D. Cal. June 27, 2023) (“California 16 Penal Code section 502 prohibits the unauthorized access and use of any data from a computer, 17 computer system, or computer network”). 18 In addition, plaintiffs argue that Meta has altered plaintiffs’ devices, in violation of (c)(1) 19 by (i) “usurp[ing] the[ir] normal operation” (FAC ¶ 528); (ii) “surreptitiously plac[ing] the _fbp 20 cookie” on them (¶ 530); and (iii) “caus[ing]” the computers to “redirect Plaintiffs’ . . . data to 21 Meta.” Id. ¶ 530. Meta responds that this conduct is “no different” than obtaining and copying 22 data that its Central District court cases have rejected. Reply at 14. I conclude that plaintiffs’ 23 allegations regarding the operation and impacts of the _fbp cookie are sufficient at this juncture. 24 If Meta is right that, after discovery, all plaintiffs can point to is the mere copying of data and no 25 alteration to plaintiffs’ data or devices, then Meta may re-raise its “‘mere use’ is not sufficient” 26 3 Cal. Penal Code § 501(c)(1) penalizes someone who “accesses and without permission alters, 27 damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer 1 argument. 2 Under (c)(8), Meta argues that plaintiffs’ allegations about the Pixel do not suffice to 3 qualify it as a prohibited contaminant under (c)(8).4 However, plaintiffs allege that the Pixel 4 records and transmits information to Meta. They say that Meta designed the Pixel to log and track 5 website visitors’ actions (FAC ¶¶ 53-57), that Meta disguises the Pixel as a first-party cookie to 6 allow it to be placed on website visitors’ devices and avoid detection (id. ¶¶ 74-75, 79), and that 7 the Pixel usurps the normal operation of website visitors’ devices. Id. ¶¶ 524, 528. These are 8 sufficient to allege that the Pixel, as Meta puts it, transmits information without permission in 9 violation of (c)(8). Whether that was Meta’s intent or whether Meta’s intent was not to secure 10 sensitive tracking information without consent should be tested on an evidentiary basis. 11 The motion to dismiss the CDAFA claims is DENIED. 12 III. TRESPASS TO CHATTELS 13 I dismissed the trespass to chattels claim because plaintiffs failed to allege the required 14 impact to the functionality of their devices from Meta’s conduct, noting:
15 there are no allegations that any functionality inherent in their computing devices has been impacted by Meta's conduct. Nor are 16 there allegations that plaintiffs purchased any specific computing device with the purpose in whole or part of using that device to 17 communicate with their healthcare providers. That these plaintiffs may have valued using their personal devices to communicate with 18 their healthcare providers does not sufficiently impair the value of those devices to allow the plaintiffs to state a trespass to chattels 19 claim. 20 September 2023 Order, 2023 WL 5837443 at *14. 21 In the FAC, plaintiffs allege the impairment as: (i) placement of the _fbp cookie/tracking 22 tool, as the tool takes up a “measurable” amount of available storage that would otherwise be 23 24 4 Cal. Penal Code § 502(c)(8) prohibits “Knowingly introduces any computer contaminant into any computer, computer system, or computer network.” Cal. Penal Code § 502(b)(12) defined “Computer contaminant” as “any set of computer instructions that are designed to modify, 25 damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, 26 but are not limited to, a group of computer instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to contaminate other computer programs 27 or computer data, consume computer resources, modify, destroy, record, or transmit data, or in 1 available to the devices, FAC ¶ 496; (ii) Meta source code that “used a measurable amount of 2 resources” that slow the speed of user devices, id. ¶ 499; and (iii) the lost time caused by Meta’s 3 slowing communications exchanged with their healthcare providers, causing “measurable” 4 increases in web-page loading time. Id. ¶ 502; see also id. ¶¶ 497-502. As a result, plaintiffs seek 5 nominal damages as well as damages for the loss of storage space and loss of time caused by 6 Meta’s slowing of communications between plaintiffs and their healthcare providers. Id. ¶ 504. 7 Meta argues that the de minimis nature of the resource usage and slowed communications 8 cannot support the trespass claim. In Intel Corp. v. Hamidi, 30 Cal. 4th 1342 (2003), the 9 California Supreme Court addressed a trespass to chattels claim based on a former Intel employee 10 sending thousands of emails repeatedly to current Intel employees through Intel’s email system. 11 The Court confirmed that there must be some damage that results from the trespass, explaining 12 that “‘[t]respass remains as an occasional remedy for minor interferences, resulting in some 13 damage, but not sufficiently serious or sufficiently important to amount to the greater tort’ of 14 conversion.” Id. at 1351. Noting that some impact must be shown, the Court held that trespass to 15 chattels “does not encompass, and should not be extended to encompass, an electronic 16 communication that neither damages the recipient computer system nor impairs its functioning.” 17 Id. at 1347. 18 Hamidi did not specify how major the minor interference must be or how big the impact, 19 other than saying that there must be some “appreciable effect on the operation of its computer 20 system from” the defendant’s conduct or a risk that the defendant’s “actions will be replicated by 21 others if found not to constitute a trespass.” Id. at 1356. The Hamidi court also recognized, with 22 respect to a claim of loss of use, that “an actionable deprivation of use ‘must be for a time so 23 substantial that it is possible to estimate the loss caused thereby. A mere momentary or theoretical 24 deprivation of use is not sufficient unless there is a dispossession.’” It concluded that merely that 25 defendant’s email “messages temporarily used some portion of the Intel computers’ processors or 26 storage is [ ] not enough; Intel must, but does not, demonstrate some measurable loss from the use 27 1 of its computer system.” Id. at 1342.5 2 Meta argues that plaintiffs cannot plausibly make that showing here because none has 3 alleged that the small use of their storage and other resources impacted their ability to 4 communicate with their healthcare providers and because the miniscule delays in communications 5 time cannot suffice. But plaintiffs have alleged a measurable impact on their devices that is not, as 6 in Hamidi, temporary. The _fbp cookies remain on users’ devices and continue to use storage and 7 resources, if only a small amount. That is a significant distinction from Hamidi. 8 Meta also asserts that the alleged slowing of communications amounts, at most, to seconds 9 of delay (Reply at 10) and that is an insufficient to establish a “significant” “loss of use” as 10 required by Hamidi. The parties dispute whether these admittedly small impacts suffice under 11 Hamidi. Meta says no, relying on In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. 12 Cal. 2012). There, addressing and relying on Hamidi, the district court rejected plaintiffs trespass 13 claim based on the placement of geolocation data on devices, because plaintiffs could not show a 14 “significant reduction in service constituting an interference with the intended functioning of the 15 system.” Id. at 1069; see also Yunker v. Pandora Media, Inc., No. 11-CV-03113 JSW, 2013 WL 16 1282980, at *16 (N.D. Cal. Mar. 26, 2013) (following In re IPhone Application Litigation). 17 But as discussed above, the “significant” impact language was used in Hamidi only in 18 connection with a deprivation of use. See supra n. 3. Following Hamidi, it is questionable 19 whether the “slowing of communications” for a matter of seconds is significant enough for 20 actionable “loss of use.” Unlike in Hamidi, however, plaintiffs allege Meta’s placement of the 21 _fbp cookie on their devices is not a temporary trespass (as the cookie stays until it is discovered 22 or removed) and creates a measureable impact on the functioning of the systems’ memory 23 sufficient to satisfy damage for the trespass. 24 5 Hamidi referred to “substantial” in quoting the Restatement in connection to measuring the 25 necessary length of deprivation of use. See Hamidi, 30 Cal. 4th at 1357 (“intermeddling is actionable only if ‘the chattel is impaired as to its condition, quality, or value, or [¶] ... the 26 possessor is deprived of the use of the chattel for a substantial time.” (Rest.2d Torts, § 218, pars. (b), (c).) In particular, an actionable deprivation of use “must be for a time so substantial that it is 27 possible to estimate the loss caused thereby. A mere momentary or theoretical deprivation of use is 1 Plaintiffs spend much of their opposition arguing that I should not focus on damage or loss 2 of use because courts are increasingly adopting a “digital trespass” theory that considers access in 3 excess of consent, as opposed to harm. Oppo. at 11-13. The main decisions plaintiffs rely on pre- 4 date the California Supreme Court’s Hamidi decision in 2003 and were rejected by Hamidi to the 5 extent they did not require a showing of harm from the trespass. See, e.g., eBay, Inc. v. Bidder's 6 Edge, Inc., 100 F. Supp. 2d 1058, 1060 (N.D. Cal. 2000) and Oyster Software, Inc. v. Forms 7 Processing, Inc., No. C-00-0724 JCS, 2001 WL 1736382, at *1 (N.D. Cal. Dec. 6, 2001). The 8 other cases plaintiffs rely on for their digital trespass/exceeding scope of consent theory all alleged 9 measurable damage to plaintiffs from the trespass and do not answer the question of how 10 measurable or significant a “minor” impact must be to support a trespass to chattels claim. See, 11 e.g., In re Apple Inc. Device Performance Litig., 347 F. Supp. 3d 434, 455 (N.D. Cal. 2018), on 12 reconsideration in part, 386 F. Supp. 3d 1155 (N.D. Cal. 2019 (allegations that updates “impaired 13 the functioning of their iPhones by substantially slowing their processing speed (by as much as 14 50%)”); Parziale v. HP, Inc., 445 F. Supp. 3d 435, 450 (N.D. Cal. 2020 (claim stated where 15 defendant’s conduct prevented class printers “from operating, by impairing the condition of these 16 printers, by reducing the value of these printers, and by depriving Plaintiff and Class members of 17 the use of these printers and of their non-HP ink cartridges”); San Miguel v. HP Inc., 317 F. Supp. 18 3d 1075, 1088 (N.D. Cal. 2018) (same harm as in Parziale); Twitch Interactive, Inc. v. Does 1 19 Through 100, No. 19-CV-03418-WHO, 2019 WL 3718582, at *1 (N.D. Cal. Aug. 7, 2019 20 (unauthorized video streamers injured plaintiff, who then had to suspend service, modify its 21 systems, and expend resources in order to block unauthorized streamers). 22 No party cites caselaw that explains how significant the impact from non-temporary 23 trespass – like the placement of the _fbp cookies at issue here – must be, other than recognizing 24 that claims of “loss of use” must be significant following Hamidi. Plaintiffs have alleged 25 measurable harm from the loss of available storage space on their devices. Compl. ¶ 495. An 26 allegedly unconsented, surreptitious, non-temporary placement of software on devices that reduces 27 storage has a measurable impact. 1 cookie on plaintiffs’ devices, resulting in a measurable decrease in the storage plaintiffs’ have on 2 || their phone proceed. This is a close call involving thorny and evolving issues of state law. 3 Discovery and expert testimony may establish that the placement of, operation of, or impact of the 4 || _fbp cookie cannot rise to a sufficient level of harm under Hamidi, but the impacts are better 5 || explored after discovery. 6 Meta’s motion to dismiss is DENIED. 7 || IV. MOTION TO STRIKE 8 Meta separately moves to strike Paragraph 357 of the FAC, where plaintiffs exclude from 9 || their class “health information that was obtained by Meta from Hey Favor, Inc.” Meta wants, in 10 || connection with its pending motion to sever the claims asserted against in it the Doe v. Hey Favor 11 case, Case No. 23-cv-0059-WHO, to have those claims wrapped into this case. The claims against 12 || Meta in the Hey Favor action will stay in the Hey Favor action and proceed along with the claims 13 against the other defendants in that case. See Case No. 23-cv-0059, Dkt. No. 117. 14 The motion to strike is DENIED. As I reminded counsel during the hearing on this 3 15 || motion, the shape this consolidated class action will ultimately have — with respect to any class or 16 || classes certified or otherwise — will be determined by me at the appropriate time. Plaintiffs have 3 17 defined the scope of the class in the pending FAC to their liking, but I will be the ultimate arbiter 18 of what makes sense from a case management and litigation perspective.° 19 CONCLUSION 20 Meta’s motion to dismiss is DENIED, except for the CLRA claim that plaintiffs 21 voluntarily abandon. 22 IT IS SO ORDERED. 23 Dated: January 29, 2024 * \f 24 ® William H. Orrick 25 United States District Judge 26 07 6 Meta should not, however, take this statement as a reason to attempt to circumscribe or refuse discovery. Defendants have not challenged the scope of the FAC — in terms of covered entities or 2g || technologies involved — and therefore this Order places no express or implied limit on discovery other than those required by Civil Rule of Civil Procedure 26(b).