UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
IN RE VTECH DATA BREACH LITIGATION No. 15 CV 10889, No. 15 CV 10891, No. 15 CV 11620, and No. 15 CV 11885
Judge Manish S. Shah
MEMORANDUM OPINION AND ORDER
Defendant VTech Electronics North America, LLC manufactures and markets digital learning toys for children. Plaintiffs purchased some of those toys, which came with access to certain online services. Use of the online services required plaintiffs to provide VTech with personally identifiable information about them and their children. VTech’s inadequate data-protection measures allowed a hacker to access and download plaintiffs’ personal information. As a result, VTech suspended its online services. Plaintiffs seek to represent a class of consumers and bring suit under theories of breach of contract, breach of the implied warranty of merchantability, violation of the Illinois Consumer Fraud and Deception Act, and unjust enrichment. VTech moves to dismiss the second consolidated amended complaint. For the following reasons, the motion is granted. I. Legal Standards A complaint must contain factual allegations that plausibly suggest a right to relief. Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). I must accept as true all of the
facts alleged in the complaint and draw reasonable inferences from those facts in plaintiffs’ favor, but I am not required to accept as true the complaint’s legal conclusions. Id. at 678–79. In considering a motion to dismiss under Rule 12(b)(6), I review the complaint, exhibits attached to the complaint, and, if they are central to the claims, documents referenced by the complaint. Otis v. Demarasse, —F.3d—, 2018 WL 1571916, at *5 n.33 (7th Cir. Apr. 2, 2018). II. Facts
VTech makes and distributes digital learning toys for young children, including tablets, smartwatches, and other handheld learning systems. [94] ¶ 2.1 Plaintiffs are eight adults who purchased VTech toys for their children. [94] ¶¶ 74– 131. Some VTech toys have access to the Learning Lodge, which is an online application store where toy-users can purchase and download software for their toys. [94] ¶¶ 3, 34. Learning Lodge is also where users install updates to the
operating system software and previously installed applications. [94] ¶ 35. Some VTech toys also support Kid Connect, an online communications platform that allows children to use their Kid Connect-enabled toys to communicate with their parents’ cell phones. [94] ¶¶ 3, 40. Toys that are able to access these online services—Learning Lodge and Kid Connect—are priced at a premium over toys that
1 Bracketed numbers refer to docket numbers on the district court docket. The facts are largely taken from the operative complaint, [94]. are not able to access the online services. [94] ¶¶ 30, 32, 41. Each plaintiff purchased toys that were able to access online services—either Learning Lodge, Kid Connect, or both. [94] ¶¶ 74–131.
If a customer buys an online services-enabled toy, access to the online services is not automatic. Users have to register for an online account with VTech, which requires providing personally identifiable information like name, home address, email address, password, and credit or debit card information. [94] ¶ 42. After an adult registers for an online account, children create profiles with their names, passwords, birthdates, genders, and photographs. [94] ¶ 43. In addition to account creation, users must also affirmatively agree to VTech’s terms and
conditions (there are separate terms for Learning Lodge and Kid Connect) before using the online services. [94] ¶ 48. The online services terms incorporate VTech’s Privacy Policy. [94] ¶ 48.2 In the Privacy Policy, VTech promised to keep their customers’ personally identifiable information secure, including by transmitting data in an encrypted format and storing the data where it would not be accessible by the internet. [94] ¶¶ 48–49.
But in 2015, a hacker penetrated VTech’s systems, obtaining the data of millions of VTech’s customers. [94] ¶ 51. The hacker acquired parents’ names, email addresses, and account password information as well as children’s names, genders, birthdates, and photos. [94] ¶ 52. The hacker also obtained the messages that children and their parents exchanged in Kid Connect and on Kid Connect’s family
2 Plaintiffs attached copies of the online services terms, [94-2]; [94-3], and Privacy Policy, [94-4], to the complaint. bulletin board feature. [94] ¶ 52. The hacker’s breach was made possible by VTech’s inadequate data-protection measures. [94] ¶ 56. He was able to gain access to the VTech database through its website. [94] ¶ 57. It also turned out that VTech did not
use encryption to transmit its customers’ data. [94] ¶ 58. As VTech itself stated, the databases were “not as secure as [they] should have been.” [94] ¶ 55. VTech found out about the cybersecurity breach from a news organization. [94] ¶ 62. Four days later, VTech issued a press release informing the public of the breach. [94] ¶ 63. VTech also suspended access to the online services. [94] ¶ 6. Plaintiffs brought several suits against VTech, which have been consolidated into this action. [43]. I dismissed the first consolidated amended complaint for the
failure to state a claim. [87]. VTech now moves to dismiss the second consolidated amended complaint, arguing that plaintiffs have failed to state a claim for the second time. III. Analysis A. Breach of Contract (Counts I-II) Plaintiffs allege that they entered into contracts with VTech when they purchased their toys. And, as part of that exchange, VTech promised plaintiffs two
things—(1) that plaintiffs would have access to the online services “without meaningful interruptions” and (2) that VTech would use “effective and industry- standard security measures” to protect plaintiffs’ data. [94] ¶¶ 150, 163. Plaintiffs have not been clear about what contracts are the source of the promises they allege, but their claims appear to involve three groups of contracts: (1) purchase contracts, created at the time each plaintiff bought her VTech toy; (2) the Terms and Conditions of Learning Lodge and Kid Connect, agreed to when plaintiffs registered for the online services; and (3) VTech’s Privacy Policy, incorporated by reference into the online services terms and deemed accepted by use of the online services.
Plaintiffs appear to rest their breach of contract claims on the purchase contracts. See [94] ¶¶ 149–50, 162–63. Plaintiffs have not labeled the purchase contracts as express or implied, but the allegations show that they must be implied. Illinois recognizes contracts that are implied in fact, meaning contracts in which there is no express written or oral contract, but the facts and circumstances show that the promisor meant to be bound by a promise. Marcatante v. City of Chicago, Ill., 657 F.3d 433, 440 (7th Cir. 2011).
Or more simply, the promisor did not expressly promise anything, but the promise was implied. An implied-in-fact contract is “a true contract, containing all necessary elements of a binding agreement; it differs from other contracts only in that it has not been committed to writing or stated orally in express terms, but rather is inferred from the conduct of the parties in the milieu in which they dealt.” Id. (citation omitted). The complaint makes no allegations that the terms of the
purchase contracts were written, nor does it allege that VTech and plaintiffs made an oral contract. Rather, plaintiffs describe VTech’s actions—offering products for sale (with particular statements on the packaging)—and plaintiffs’ actions— “purchasing and using the VTech Products and the Online Services,” [94] ¶¶ 149, 162—and infer that a contract arose from those actions. That would be an implied contract, not an express one.3 VTech’s lead argument for dismissing both the online services and data-
security theories of breach is that plaintiffs did not plead “facts sufficient to demonstrate that the initial purchase transaction included both the hardware device and the Online Services.” [101] at 18 (emphasis omitted). This argument is based on my opinion on the first motion to dismiss. On the first go-round, I dismissed plaintiffs’ breach of contract claims because the claims hinged on the initial purchase transaction including both the toy and the online services, and I found that the complaint did not allege sufficient facts to show that the initial
purchase encompassed a contract for online services. [87] at 18–22. Plaintiffs are right that they have fixed that issue, particularly by including photos of the toys’ packaging in the new complaint. See [94] ¶¶ 25–28, 32. The photos show that the toys’ packaging included references to Learning Lodge and Kid Connect that suggested access to the online services was part of the deal upon purchase, not just an addition available later. But there are other problems with the complaint.
1. Access to Online Services Plaintiffs allege that as part of the purchase contracts, VTech promised to provide “access to and use of the Online Services without meaningful interruptions,”
3 Although VTech did not raise the issue in this round of briefing, whether plaintiffs have even adequately pleaded the existence of a valid implied-in-fact contract between themselves and VTech (the manufacturer, not the retailer) at the time of purchase is not clear. “[I]n order to prove an implied contract, [plaintiffs] must prove the same elements as an express contract.” Nissan N. Am., Inc. v. Jim M’Lady Oldsmobile, Inc., 486 F.3d 989, 996 (7th Cir. 2007). But I will assume such a contract does exist, since VTech did not argue otherwise. [94] ¶¶ 150, 163, and that it broke this promise by suspending access to the online services. [94] ¶¶ 155, 168. But this alleged promise is not governed by the terms of the implied purchase contracts, it is governed by the express online services terms.
“As in physics, two solid bodies cannot occupy the same space at the same time, so in law and common sense, there cannot be an express and implied contract for the same thing, existing at the same time.” Gadsby v. Health Ins. Admin., Inc., 168 Ill.App.3d 460, 470 (1988) (citation omitted). Where an express contract exists on the same subject-matter as an implied contract, the implied contract cannot exist. Marcatante, 657 F.3d at 440. The online services terms cover the same subject- matter as the alleged implied contracts—the provision of online services.4 So the
online services terms are the contracts that control, not any implied contract formed at the time of purchase. And plaintiffs have not alleged a breach of the express online services terms. Even if plaintiffs had alleged a breach of the online services terms, both the Learning Lodge terms and Kid Connect terms contain provisions that allow VTech to terminate the services at any time and without providing prior notice. [94-2]
§ 7.3; [94-3] § 2.7. Plaintiffs argue that these provisions are procedurally and substantively unconscionable, mostly because the online services terms added those provisions after plaintiffs had already bought their toys. As they put it, “[t]o hold these terms are enforceable would simply enable VTech to continue making promises to customers at the time of purchase, get them to pay for that promise,
4 Plaintiffs do not argue that the online services terms are not valid and enforceable contracts. and then retract those promises once the consumer gets home and opens the product they purchased, while keeping the premium the customers paid for itself.” [104] at 23 (citations omitted) (emphasis in original). Plaintiffs’ characterization of
the contract—an initial purchase contract later supplemented or amended by the online services terms—is incorrect. The express online services terms negate the existence of any implied purchase contract terms about the provision of online services. See Maness v. Santa Fe Park Enterprises, Inc., 298 Ill.App.3d 1014, 1023 (1998) (“[E]xpress contracts negate the existence of any implied in fact contract.”). So VTech did not contractually promise to provide online services and then take back the promise after plaintiffs had already purchased their toys—rather, the
parties mutually vacated their implied agreement by entering into an express one. There is no indication that plaintiffs did not have a full and fair opportunity to review the online terms before they agreed to them.5 So the provisions that allowed VTech to terminate the online services at any time are not unconscionable, and VTech was within its rights to suspend plaintiffs’ access to the online services. Plaintiffs also argue that VTech’s interpretation of the online services terms
as allowing VTech “unilateral, unfettered discretion to decide whether to provide the Online Services at all” would render the contracts illusory and unenforceable. [104] at 21. But instead of asking for a finding that the contracts are unenforceable, plaintiffs interpret the provisions at issue to mean “that VTech cannot be held liable
5 Plaintiffs were required to enter into the online services agreement to use the online features of the toys, but there is no suggestion or plausible inference that Plaintiffs were prohibited from returning the toys if they did not want to accept the online services agreement. for occasional outages (e.g., for software updates) or for discontinuing the Online Services many years after purchase.” [104] at 21. Plaintiffs’ interpretation of the terms of service is not consistent with its language, but even if I adopted plaintiffs’
interpretation, there is no allegation that VTech breached the contract: the suspension of Learning Lodge and Kid Connect very well may qualify as an “occasional outage.” VTech also argues that the limitations of liability contained in the online services terms preclude plaintiffs’ claims. Although I need not reach this argument, it remains true that the limitation of liability provisions in the online services terms disclaim liability for damages relating to the use of Learning Lodge and Kid
Connect. See [87] at 21–22. 2. Data-Protection Measures Plaintiffs claim that at the time of purchase, VTech promised plaintiffs “the implementation of effective and industry-standard security measures for the PII submitted through the Online Services,” [94] ¶¶ 150, 163, and that VTech broke that promise. Once again, this breach is based on an implied purchase contract. See [94] ¶¶ 149–50, 162–63. And, once again, express contracts exist on the same
subject-matter—the Privacy Policy and the online services terms. [94-2] § 6.1; [94- 3] § 11; [94-4]. So plaintiffs’ breach of contract based on the implied contract cannot exist. Plaintiffs have not alleged a breach of the express Privacy Policy or online services terms.6
6 In my opinion on the prior motion to dismiss, I interpreted plaintiffs’ claims as alleging that VTech breached the express contracts (the Learning Lodge terms and the Privacy VTech’s motion to dismiss Counts I and II is granted. B. Breach of Implied Warranty of Merchantability (Counts III-IV) Plaintiffs allege that VTech breached the implied warranty of the merchantability of its toys. To succeed on such a claim in Illinois, plaintiffs must
allege “(1) a sale of goods (2) by a merchant of those goods, and (3) [that] the goods were not of merchantable quality.” Brandt v. Boston Sci. Corp., 204 Ill.2d 640, 645 (2003). VTech argues that plaintiffs’ claims involve services, not goods. Everyone agrees that the toys alone are goods and the online services alone are not. So the question is whether the toys and online services were completely separate or mixed
and, if mixed, whether the mix of the two is more of a good or a service. Plaintiffs have sufficiently alleged that the purchase of the toys came with access to online services. This is apparent from the packaging, which emphasizes the access to online services. See [94] ¶¶ 25–28, 32. Because plaintiffs’ claim involves a mix of goods and services, it may proceed under the UCC only if the transaction was “predominantly for goods and incidentally for services.” Brandt, 204 Ill.2d at 645. As plaintiffs convincingly point out, one could apparently purchase the toy without
the online services, but one could not purchase the online services without the toy. [94] ¶ 38; [104] at 25–26. Indeed, the online services would be useless without the toy. This establishes that the sale predominately involved goods.
Policy), [87] at 15, and, in the operative complaint, plaintiffs do allege that VTech “expressly promised” to keep data secure in the Privacy Policy, [94] ¶¶ 48–49. But plaintiffs’ theory is that VTech breached a contract made at the time of purchase. The breach of contract claim is based on an implied purchase contract, not a breach of the Privacy Policy. [94] ¶¶ 149–50, 162–63; [104] at 8, 15. VTech also argues that plaintiffs have not established that anything is wrong with the toys themselves. Illinois law provides several requirements for a good to be merchantable, three of which plaintiffs rely on—the goods must “pass without
objection in the trade under the contract description,” be “fit for the ordinary purposes for which such goods are used,” and “conform to the promises or affirmations of fact made on the container or label if any.” 810 ILCS 5/2-314(2). Plaintiffs did not adequately plead a breach of any of the three. As to whether the toys “pass without objection in the trade under the contract description,” plaintiffs have not alleged what the contract description is or why the toys would be objectionable in the trade. Nor does the complaint contain any allegations of what
the “ordinary purposes” of the toys were or how the toys were not fit for those ordinary purposes. The complaint’s descriptions of the products—like the tablets that “provide an array of uses including interaction learning and video gaming” and the smartwatches that have “cameras, educational software and motion sensors”, [94] ¶ 37—actually seem to accurately describe what plaintiffs got. If the ordinary purposes of the toys were somehow more than that, plaintiffs needed to plead that.
Nor does the complaint suggest that the toys did not meet the promises made on their packaging. The photos of the packaging show that VTech represented that the tablet would have access to Learning Lodge, be capable of communication via Kid Connect, include a one-year subscription to Kid Connect, and come with two free downloadable apps from the Learning Lodge store. But the complaint does not adequately allege that those promises were not kept. VTech suspended access to Learning Lodge and Kid Connect, but the complaint does not allege that those services were never restored.7 Plaintiffs do not claim that any of them could never get their two free apps from Learning Lodge or subscription to Kid Connect, or that
their toys could never access the online services. Instead, plaintiffs claim that VTech broke a promise by interrupting their access to the online services, but that reads in an extra promise onto the packaging—that the online services would be provided without any interruption. The packaging does not say that. Finally, plaintiffs have not sufficiently alleged privity, which is required for an implied warranty claim. See Mekertichian v. Mercedes-Benz U.S.A., L.L.C., 347 Ill.App.3d 828, 832 (2004) (“[T]he UCC article II implied warranties give a buyer of
goods a potential cause of action only against his immediate seller.” (citation omitted)). Plaintiffs argue that the “direct relationship” exception to the privity requirement applies, because VTech directly marketed its toys to them and plaintiffs relied on the advertisements.8 Illinois has recognized an exception to the privity requirement “where there is a direct relationship between the manufacturer
7 In fact, the complaint acknowledges that access to Learning Lodge was restored on January 23, 2016. [94] ¶ 6 n.1. The prior complaint alleged that access to Kid Connect remained suspended, [44] ¶ 6, but that allegation has been omitted from this complaint. 8 The complaint also invokes (in a conclusory manner) the third-party beneficiary exception to privity, [94] ¶¶ 177, 192, which defendant argues was not sufficiently pleaded. [101] at 28. Plaintiffs did not respond to defendant’s argument about the third-party beneficiary exception and only responded to the “direct relationship” exception argument. [104] at 26– 28. Plaintiffs forfeited any argument that they have adequately pleaded a plausible claim under the third-party beneficiary doctrine. See Firestone Fin. Corp. v. Meyer, 796 F.3d 822, 825 (7th Cir. 2015) (“[A] party generally forfeits an argument or issue not raised in response to a motion to dismiss.”). The allegation that the plaintiffs are intended third- party beneficiaries is a conclusory one that I do not accept as true, and there are no other allegations that suggest some agreement between the retailers and VTech existed to benefit the plaintiffs. and the seller.” Frank’s Maint. & Eng’g, Inc. v. C. A. Roberts Co., 86 Ill.App.3d 980, 992 (1980). Plaintiffs point to recent federal cases that have interpreted the “direct relationship” exception as applying to circumstances in which manufacturers
advertise directly to consumers. See Elward v. Electrolux Home Prod., Inc., 214 F.Supp.3d 701, 705 (N.D. Ill. 2016); In re Rust-Oleum Restore Mktg., Sales Practices & Prod. Liab. Litig., 155 F.Supp.3d 772, 807 (N.D. Ill. 2016). I am not persuaded that the Illinois Supreme Court would conclude that advertising alone creates a direct relationship between a manufacturer and a customer (and no such binding authority has been cited), especially where, as here, there is no allegation that a plaintiff viewed a particular representation in an ad and relied on the
representation in making the purchase.9 In any event, as VTech asserts, the pleaded marketing is not sufficient because the advertisements did not contain an express warranty of data security. That is to say, in In re Rust-Oleum, plaintiffs’ merchantability claims arose from their reliance on the representations in the advertisements and marketing that supported application of the direct relationship exception. 155 F.Supp.3d at 807.
But here, plaintiffs could not have reasonably relied on the “kid safe” representations as a promise of cybersecurity, because those representations were not related to the kind of cybersecurity at issue in the complaint. And though
9 See Zaro v. Maserati N. Am., Inc., No. 07 C 3565, 2007 WL 4335431, at *4 (N.D. Ill. Dec. 6, 2007); Finch v. Ford Motor Co., 327 F.Supp.2d 942, 946 (N.D. Ill. 2004). The “direct relationship” exception laid out in Frank’s can be interpreted to be much narrower, only applying to situations where the customer’s identity is known. Schwebe v. AGC Flat Glass N. Am., Inc., No. 12 C 9873, 2013 WL 2151551, at *4 (N.D. Ill. May 16, 2013). plaintiffs alleged that they relied on VTech’s representations about the safety of their products, [94] ¶¶ 217, 249, plaintiffs did not allege that they relied on marketing representations that the toys would come with access to the online
services. The direct marketing did not put the parties in privity for the implied warranty of merchantability.10 VTech’s motion to dismiss Counts III and IV is granted. Because plaintiffs have already had an opportunity to amend their complaint and further amendment of the claims in Counts I through IV would be futile, the claims are dismissed with prejudice. C. Violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (Counts V-VI) As its name implies, the ICFA prohibits, among other things, “[u]nfair or deceptive acts or practices . . . in the conduct of any trade or commerce.” 815 ILCS 505/2.11 The elements of a claim under the statute are: “(1) a deceptive act or
10 Neither party addressed a third potential privity exception raised in the complaint—the express warranty exception. [94] ¶¶ 178, 193 (“By extending express written warranties to end-users, VTech brought itself into privity of contract with Plaintiffs.”). The complaint invokes the exception in the form of a legal conclusion, which I do not accept as true, and plaintiffs did not argue for its application in response to VTech’s argument that plaintiffs did not establish privity. The exception applies when a manufacturer “expressly warranted its goods to the ultimate consumers and this was the basis for the bargain and relied upon by plaintiffs.” Kmak v. Sorin Grp. Deutschland GmbH, No. 17 CV 4759, 2017 WL 8199974, at *5 (N.D. Ill. Dec. 12, 2017) (citation omitted). Even if plaintiffs had not pleaded the exception in a conclusory manner and made the argument, the same principle that prevents application of the direct-relationship exception to privity prevents the express-warranty exception—plaintiffs have not sufficiently pleaded that they reasonably relied on an express warranty of cybersecurity when entering into a bargain with VTech. 11 The complaint also brings claims under other state consumer protection laws “[t]o the extent the Court rules that the choice of law provision discussed herein does not extend to allegations concerning state consumer protection laws.” [94] ¶ 205. VTech takes issue with this, arguing that these “mystery statutes” fail for lack of notice. Both parties have proceeded under Illinois law on this claim and neither have made an argument that non- practice by the defendant; (2) the defendant intended that the plaintiff rely on the deception; (3) the deceptive act occurred in a course of conduct involving trade or commerce; and (4) actual damage to the plaintiff; (5) proximately caused by the
deceptive act.” Philadelphia Indem. Ins. Co. v. Chicago Title Ins. Co., 771 F.3d 391, 402 (7th Cir. 2014) (citing De Bouse v. Bayer AG, 235 Ill.2d 544, 550 (2009)). Although these elements refer to deceptive conduct, they also apply to unfair conduct. Id. VTech argues that plaintiffs have only alleged deceptive conduct in the complaint, but plaintiffs argue that they have alleged both deceptive and unfair conduct. Allegations of deceptive and unfair conduct are subject to different
pleading standards. Federal Rule of Civil Procedure 9(b) requires a heightened pleading standard for allegations of fraud, and deceptive acts often sound in fraud. See Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 737 (7th Cir. 2014); Pirelli Armstrong Tire Corp. Retiree Med. Benefits Tr. v. Walgreen Co., 631 F.3d 436, 446–47 (7th Cir. 2011). If Rule 9(b) applies, the “who, what, when, where, and how” of the fraud must be alleged with particularity. U.S. ex rel. Lusby v. Rolls-Royce
Corp., 570 F.3d 849, 853 (7th Cir. 2009). On the other hand, a claim alleging unfair practices is governed by the more relaxed pleading standards of Rule 8. Pirelli, 631 F.3d at 446. Plaintiffs allege only deceptive conduct. The ICFA claims are primarily based on VTech’s alleged misrepresentations that its toys were safe and secure, and the
Illinois law applies, so there is no reason to determine the fate of the “mystery statutes” at this point. corresponding failure to disclose that the toys were not safe—a course of conduct that is deceptive. Plaintiffs do not allege any separate conduct that is unfair. The complaint’s attempt to explain how VTech’s actions were also unfair just contains
more allegations about VTech’s promotion of its products as “safe” despite not implementing basic data protections. See [94] ¶¶ 226, 258. “Simply adding language of ‘unfairness’ instead of ‘misrepresentation’ does not alter the fact that [plaintiffs’] allegations are entirely grounded in fraud under the ICFA.” Camasta, 761 F.3d at 737. Plaintiffs also argue that they have alleged unfair conduct by pleading that VTech disregarded its ethical duty (and statutory duty, under the Children’s Online Privacy Protection Act) to protect its customers’ information and by pleading that
VTech harmed its customers in a way that the customers could not avoid and without any countervailing benefit to the customers. But this misses the issue. It is not that the alleged conduct is not unfair; it is that the alleged unfair conduct completely overlaps with the deceptive conduct. For example, plaintiffs allege that VTech’s violation of COPPA constituted “unlawful, unfair, and deceptive acts.” [94] ¶¶ 229, 261. Illinois law allows plaintiffs to predicate ICFA unfairness claims on
violations of other statutes (even if the violated statutes do not allow for private enforcement), Gainer Bank, N.A. v. Jenkins, 284 Ill.App.3d 500, 503 (1996), but plaintiffs cannot rely on the same conduct to establish separate unfair and deceptive theories under the ICFA. See Camasta, 761 F.3d at 737; Halperin v. Int’l Web Servs., LLC, 123 F.Supp.3d 999, 1007 (N.D. Ill. 2015). Even if a violation of COPPA did constitute separate conduct from the alleged misrepresentations and omissions, plaintiffs have not sufficiently pleaded that VTech violated COPPA. The allegation that “VTech’s retention and collection policies did not comply with COPPA,” [94] ¶¶ 229, 261, is a legal conclusion. Plaintiffs have not alleged any
unfair conduct separate from the deceptive conduct, and so Rule 9(b)’s heightened pleading requirement applies. To meet the standard for a claim of misrepresentation, the complaint must state “the identity of the person making the misrepresentation, the time, place and content of the misrepresentation, and the method by which the misrepresentation was communicated to the plaintiff[s].” U.S. ex rel. Grenadyor v. Ukrainian Vill. Pharmacy, Inc., 772 F.3d 1102, 1106 (7th Cir. 2014). But plaintiffs instead allege
their claims generally. Although plaintiffs’ focus on “on-box misrepresentations” in their briefing, [104] ¶ 30, it is not clear what specific misrepresentations plaintiffs rely on. The complaint suggests that the misrepresentations may come from three places—the Privacy Policy, the toys’ packaging, and VTech’s advertisements and marketing—but it does not connect the alleged misrepresentations to the plaintiffs. Not only does the complaint not allege when plaintiffs saw the Privacy Policy,
packaging, or advertisements, it does not allege that plaintiffs ever saw them. See De Bouse, 235 Ill.2d at 555 (“[W]e have repeatedly emphasized that in a consumer fraud action, the plaintiff must actually be deceived by a statement or omission. If there has been no communication with the plaintiff, there have been no statements and no omissions.”). See also In re Sears, Roebuck & Co. Tools Mktg. & Sales Practices Litig., No. 05 C 2623, 2009 WL 937256, at *6 (N.D. Ill. Apr. 6, 2009) (dismissing consumer fraud claim where plaintiffs did not allege that they saw the alleged misrepresentations or when they saw the misrepresentations). Instead, the complaint generally alleges that “[b]ecause of VTech’s express and implied
representations, [plaintiffs] reasonably believed that [their] PII and [their children’s] PII would be secure,” [94] ¶¶ 75, 81, 88, 96, 103, 109, 117, 125, without alleging what specific representations each plaintiff saw and when and where they saw them. That does not meet Rule 9(b)’s pleading requirements. This lack of particularity is also fatal to plaintiffs’ omissions theory of fraud.12 Plaintiffs allege that VTech failed to disclose a number of its data-protection practices, including its practices of storing passwords as simple “unsalted hashes,”
storing account-recovery secret questions as plain text, failing to use encryption when it transmitted data, failing to encrypt stored data, and others. [94] ¶¶ 219, 251. But plaintiffs did not plead where these facts should have been disclosed, which is insufficient to meet the bar set by Rule 9(b). See Carroll v. Fort James Corp., 470 F.3d 1171, 1174 (5th Cir. 2006) (Misrepresentation by omission “typically requires the claimant to plead the type of facts omitted, the place in which the
omissions should have appeared, and the way in which the omitted facts made the representations misleading.” (citation omitted)); Rowe v. Bankers Life & Cas. Co., No. 09-CV-00491, 2010 WL 3699928, at *6 (N.D. Ill. Sept. 13, 2010); Fujisawa
12 VTech’s response to plaintiffs’ omissions theory is that I already found the omissions to not be actionable when ruling on the prior motion to dismiss. In dismissing the claim in the earlier complaint, I said that it was “too much of a stretch to infer . . . that VTech’s inadequate data security constitutes a material omission at the point of purchase.” [87] at 26. But I am now addressing an amended complaint with new allegations. Pharm. Co. v. Kapoor, 814 F.Supp. 720, 727 (N.D. Ill. 1993). Even if I assume that plaintiffs imply that the data security details were omitted from the Privacy Policy (or the toys’ boxes or advertisements), plaintiffs still did not plead if or when they
saw it and so the omissions alone would still be insufficient to adequately plead fraud.13 To the extent plaintiffs’ consumers fraud claims are based on VTech’s representations that its toys are “kid safe,” they fail for another reason—plaintiffs have not adequately pleaded falsity. VTech argues that plaintiffs misconstrue the phrases “kid safe” and “kid friendly” to refer to data security, when in fact they refer to parental controls that allow parents to restrict their children’s access to
inappropriate content on the internet. VTech points to the complaint itself as evidence that its interpretation is the correct one: “VTech states that ‘The InnoTab® MAX Web Browser gives your child a safe environment to explore the Internet by limiting the sites he or she is allowed to visit. … For your convenience, VTech has selected several websites, videos and games with kid-safe content.” [94] ¶ 11 (emphasis in original). “[T]wo of the biggest drawbacks of children playing with adult tablets are: a.) the potential for unsupervised web access and b.) content that isn’t really meant for young children.” [94] ¶ 20. “Explore VTech-selected sites or manage your child’s access to websites with parental controls.” [94] ¶ 27.
13 A consumer fraud claim based on representations made in the Privacy Policy would be impermissible if it is just a claim for a breach of contract reframed as fraud. See Greenberger v. GEICO Gen. Ins. Co., 631 F.3d 392, 399–400 (7th Cir. 2011) (“[A] ‘deceptive act or practice’ involves more than the mere fact that a defendant promised something and then failed to do it. That type of ‘misrepresentation’ occurs every time a defendant breaches a contract.” (citation omitted)). [101] at 22. Plaintiffs argue that VTech’s interpretation of the phrases is too narrow. For example, the complaint includes a photo of a toy’s package that says, “Kid-Safe Wi-Fi Connection,” [94] ¶ 27, and plaintiffs argue that parents could
reasonably interpret that phrase to mean VTech would provide basic data protection. Plaintiffs have not sufficiently alleged deception with respect to the “kid safe” misrepresentations, because they have not alleged that the products were not “kid safe.” I am mindful that, as plaintiffs note, reasonable inferences are to be drawn in plaintiffs’ favor when resolving this motion. But plaintiffs’ interpretation of the “kid safe” representations is not a reasonable one. Most of the “kid safe” references
clearly speak to child-appropriate content. The phrase “Kid-Safe Wi-Fi Connection” is not deceptive either. There are no allegations that the children’s Wi-Fi connections were not safe or secure. Plaintiffs allege issues with VTech’s data- storage and encryption practices, but that is separate from the safety of the children’s Wi-Fi connections. The hacker breached VTech’s databases, not the children’s Wi-Fi connections. Plaintiffs have not pleaded allegations to show that
VTech’s toys were not “kid safe.”14
14 VTech makes two other arguments for dismissal. The first is that plaintiffs did not adequately plead actual damages because they must plead the specific price of other toys in the market to show that they paid a premium for their VTech toys. That is not correct. Plaintiffs have pleaded that if they knew of the security flaws, they would not have purchased the toys or would have paid less for them, e.g., [94] ¶¶ 79, 86, 94, and that is sufficient. See McDonnell v. Nature’s Way Prod., LLC, No. 16 C 5011, 2017 WL 1149336, at *3 (N.D. Ill. Mar. 28, 2017) (collecting cites). VTech also argues that the ICFA claims are duplicative of plaintiffs’ breach of contract claims. But I have dismissed the breach of contract claims, so they are no longer duplicative. VTech’s motion to dismiss Counts V and VI is granted. The claims are dismissed without prejudice. D. Unjust Enrichment Plaintiffs base their unjust enrichment claim on a familiar argument—that
VTech represented that its products were “safe” for children, but the toys were not safe because VTech did not implement basic cybersecurity measures. VTech argues that plaintiffs have not identified the law on which they are basing the unjust enrichment claim, instead improperly asserting it on behalf of a nationwide class. Because each state handles unjust enrichment claims differently, they argue, plaintiffs’ generic pleading is inappropriate and grounds for dismissal. Plaintiffs’
only response is to say that “any argument that a national unjust enrichment class cannot be certified is premature and not a basis for dismissing a claim at this stage of the litigation.” [104] at 36. For this proposition, plaintiffs cite to my opinion in Rysewyk v. Sears Holdings Corp., No. 15 CV 4519, 2015 WL 9259886 (N.D. Ill. Dec. 18, 2015). In that case, I did find that a motion to strike class allegations was premature, id. at *7–8, but this is not a motion to strike class allegations. VTech is not arguing against certification of the class in this motion, but rather appears to be
pointing out that plaintiffs’ failure to identify what law they are proceeding under does not provide them with adequate notice as required by Federal Rule of Civil Procedure 8. I agree that because VTech failed to identify the states’ laws on which they base their unjust enrichment claim, they failed to state a cause of action. See Avenarius v. Eaton Corp., 898 F.Supp.2d 729, 740 (D. Del. 2012) (“Generic pleading and generic responsive briefing is inappropriate given that states analyze unjust enrichment claims differently.”). See also In re Opana ER Antritrust Litig., 162 F.Supp.3d 704, 726 (N.D. Ill. 2016); In re Flonase Antitrust Litig., 610 F.Supp.2d 409, 419 (E.D. Pa. 2009); In re Wellbutrin XL Antitrust Litig., 260 F.R.D. 143, 167
(E.D. Pa. 2009). VTech also argues that the unjust enrichment claim is duplicative of the breach of contract claims and, since plaintiffs did not plead it in the alternative, it must be dismissed. Plaintiffs counter that their unjust enrichment claim not only was pleaded in the alternative to the breach of contract and warranty claims, but that the claim is also based on principles of tort law—specifically, fraud. In Illinois, “if an unjust enrichment claim rests on the same improper conduct alleged in
another claim, then the unjust enrichment claim will be tied to this related claim— and, of course, unjust enrichment will stand or fall with the related claim.” Cleary v. Philip Morris Inc., 656 F.3d 511, 517 (7th Cir. 2011). Whether it is contract or tort law, plaintiffs’ unjust enrichment claims are tied to either its breach of contract, implied warranty, or ICFA claims. And since those claims have fallen, so must the unjust enrichment claim.
VTech’s motion to dismiss the unjust enrichment claim is granted. The claim is dismissed without prejudice. IV. Conclusion VTech’s motion to dismiss, [100], is granted. The consumer fraud claims (Counts V and VI) and the unjust enrichment claim are dismissed without prejudice. The other claims are dismissed with prejudice. ENTER: | ° Manish 8. Shah United States District Judge Date: April 18, 2018