1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 SYDNEY JI, et al., Case No. 21-cv-05143-HSG
8 Plaintiffs, ORDER GRANTING MOTIONS TO DISMISS WITH LEAVE TO AMEND 9 v. Re: Dkt. Nos. 47, 52, and 53 10 NAVER CORPORATION, et al., 11 Defendants.
12 13 Pending before the Court are Defendants’ motions to dismiss. See Dkt. Nos. 47 (“Naver 14 Mot.”), 52 (“Foreign LINE Mot.”), and 53 (“LINE E-A Mot.”). The motions are fully briefed. See 15 Dkt. Nos. 67 (“Naver Opp.”), 68 (“LINE Opp.”), 71 (“Naver Reply”), and 79 (“LINE Reply”).1 16 The Court held a hearing on May 12, 2022. See Dkt. No. 96. For the reasons detailed below, the 17 Court GRANTS the motions to dismiss WITH LEAVE TO AMEND. 18 I. BACKGROUND 19 Plaintiffs Sydney Ji, June Abe, Lee Shubert, Kira Tomlinson, Ranela Sunga, and Stefanie 20 Bonner (“Plaintiffs”) bring this putative class action against Defendants Naver Corporation 21 (“Naver”), Naver Cloud Corporation (“Naver Cloud”), Naver Cloud America Inc. f/k/a/ Naver 22 Business Platform America Inc. (“Naver Cloud America”), Snow Corporation (“Snow Corp.”), 23 1 The Naver Defendants and LINE E-A each submitted Requests for Judicial Notice (Dkt. Nos. 51 24 and 54, respectively). Plaintiffs did not file an opposition, so the Court grants the Requests, but only to the extent of simply recognizing the existence of the documents. None of the materials 25 submitted as part of the Requests for Judicial Notice are the basis for the ruling on the motions to dismiss. Plaintiffs also filed objections under Local Rule 7-3(d)(1) to the declarations submitted 26 with the Naver Reply (Dkt. No. 74) and the LINE Reply (Dkt. No. 75). The objections are sustained because submitting this new information with the reply brief is improper when it could 27 have been submitted earlier. Plaintiffs also filed a supplemental submission regarding SenseTime 1 Snow Inc., Z Holdings Corporation (“Z Holdings”), LINE Corporation (“Line Corp.”), LINE Plus 2 Corporation (“LINE Plus”), and LINE Euro-Americas Corporation (“LINE E-A”). See Dkt. No. 1 3 (“Complaint”) ¶¶ 5-19. 4 According to the Complaint, Defendants used two apps—LINE Messenger and B612—to 5 “surreptitiously collect vast troves of private and/or personally identifiable user data without user 6 consent—including unique biometric information and private message content.” Id. ¶¶ 1-3. LINE 7 Messenger is a messenger app which Plaintiffs allege “collects users’ biometric information such 8 as face geometry scans” through an embedded SenseTime software development kit (“SDK”). Id. 9 ¶ 2. Plaintiffs further allege that even though LINE “claims to provide ‘end-to-end’ encryption for 10 user chats,” “material portions of user messages . . . are intercepted and taken in unencrypted 11 form.” Id. According to Plaintiffs, the app’s users “have not consented to these activities.” Id. 12 B612 is an app that allows users to take and edit photos and videos. Id. ¶ 43. The app also 13 contains augmented reality (“AR”) features that “allow users to utilize filters to alter their image, 14 including, for example, making their skin appear smoother or changing their image into an 15 animated display like a stuffed animal.” Id. ¶ 44. Plaintiffs allege that B612 collects users’ 16 biometric information through the SenseTime SDK and then “transmits [] face geometry scans 17 from user devices to at least one of Defendants’ servers.” Id. ¶ 3. Plaintiffs further allege that the 18 app transmits user data “to non-secure servers in China and Hong Kong where, on information and 19 belief, it is available to the Chinese Communist Party for retention in a database used for 20 intelligence gathering and other purposes.” Id. According to Plaintiffs, the app’s users “have not 21 consented to these activities.” Id. 22 Plaintiffs bring ten causes of action, on behalf of themselves and a putative class, against 23 the Defendants: (1) “Negligence—All Plaintiffs”; (2) “Intrusion Upon Seclusion—Plaintiffs Ji, 24 Abe, Tomlinson, Sunga, and Bonner”; (3) “Violation of the Right to Privacy – California 25 Constitution—Plaintiffs Ji, Abe, Tomlinson, Sunga, and Bonner”; (4) “Violation of the California 26 Unfair Competition Law, Bus. & Prof. Code §§ 17200, et seq.—Plaintiffs Ji, Abe, Tomlinson, 27 Sunga, and Bonner”; (5) “Violation of the California False Advertising Law, Bus. & Prof. Code 1 California Invasion of Privacy Act, California Penal Code §§ 630, et seq.—Plaintiffs Ji, Abe, 2 Tomlinson, Sunga, and Bonner”; (7) “Violation of the Electronic Communications Privacy Act, 3 18 U.S.C. §§ 2510, et seq.—All Plaintiffs; (8) “Violation of the Computer Fraud and Abuse Act, 4 18 U.S.C. § 1030—All Plaintiffs”; (9) “Violation of the Illinois Biometric Information Privacy 5 Act, 740 ILCS 14/1, et seq.—Plaintiff Shubert”; and (10) “Restitution / Unjust Enrichment—All 6 Plaintiffs.” See generally id. 7 The Defendants have filed three motions to dismiss, on behalf of the following sub-groups: 8 1) the “Naver Defendants,” comprised of Naver, Naver Cloud, Naver Cloud America, Snow 9 Corp., and Snow Inc.; 2) the “Foreign LINE Defendants,” comprised of Z Holdings, Line Corp., 10 and Line Plus; and 3) LINE Euro-Americas. The Foreign LINE Defendants and LINE Euro- 11 Americas will be collectively referred to as the “LINE Defendants.” 12 II. LEGAL STANDARD 13 Federal Rule of Civil Procedure 8(a) requires that a complaint contain “a short and plain 14 statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). A 15 defendant may move to dismiss a complaint for failing to state a claim upon which relief can be 16 granted under Rule 12(b)(6). “Dismissal under Rule 12(b)(6) is appropriate only where the 17 complaint lacks a cognizable legal theory or sufficient facts to support a cognizable legal theory.” 18 Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008). 19 To survive a Rule 12(b)(6) motion to dismiss, a plaintiff must plead “enough facts to state 20 a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 21 (2007). A claim is facially plausible when a plaintiff pleads “factual content that allows the court 22 to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft 23 v. Iqbal, 556 U.S. 662, 678 (2009). In reviewing the plausibility of a complaint, courts “accept 24 factual allegations in the complaint as true and construe the pleadings in the light most favorable 25 to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th 26 Cir. 2008). Courts do not “accept as true allegations that are merely conclusory, unwarranted 27 deductions of fact, or unreasonable inferences.” In re Gilead Scis. Secs. Litig., 536 F.3d 1049, 1 2001)). 2 III. DISCUSSION 3 A. Personal Jurisdiction 4 Naver, Naver Cloud, and the Foreign LINE Defendants move to dismiss the Complaint 5 against them based on lack of personal jurisdiction. See Naver Mot. at 11; Foreign LINE Mot. at 6 3. “When a defendant moves to dismiss for lack of personal jurisdiction, the plaintiff bears the 7 burden of demonstrating that the court has jurisdiction over the defendant.” Pebble Beach Co. v. 8 Caddy, 453 F.3d 1151, 1154 (9th Cir. 2006). “The general rule is that personal jurisdiction over a 9 defendant is proper if it is permitted by a [state’s] long-arm statute and if the exercise of that 10 jurisdiction does not violate federal due process.” Id. In California, the long-arm statute extends 11 jurisdiction to the limits of due process, so the resolution of the Court’s jurisdiction turns on the 12 federal due process analysis. See id. at 1155. “For due process to be satisfied, a defendant, if not 13 present in the forum, must have sufficient ‘minimum contacts’ with the forum state such that the 14 assertion of jurisdiction ‘does not offend traditional notions of fair play and substantial justice.’” 15 Id. (quoting Int’l Shoe Co. v. Washington, 326 U.S. 310, 315 (1945)). 16 There are two potential bases for jurisdiction: general and specific. See Bristol-Myers 17 Squibb Co. v. Superior Court, 137 S. Ct. 1773, 1779-80 (2017). Here, the Plaintiffs claim the 18 Court has specific jurisdiction over Naver, Naver Cloud, and the Foreign LINE Defendants.2 The 19 Ninth Circuit uses the following three-prong test to analyze whether specific jurisdiction exists: (1) the non-resident defendant must purposefully direct [its] activities or 20 consummate some transaction with the forum or resident thereof; or perform some 21 act by which [it] purposefully avails itself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws; (2) the claim 22 must be one which arises out of or relates to the defendant’s forum-related activities; and (3) the exercise of jurisdiction must comport with fair play and 23 substantial justice, i.e. it must be reasonable. 24 Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 802 (9th Cir. 2004). Plaintiffs bear the 25 burden on the first two prongs. Id. If they succeed in satisfying both, then the burden shifts to the 26 defendants to “present a compelling case” that the exercise of jurisdiction would not be 27 1 reasonable. Id. (quotation omitted). “If any of the three requirements is not satisfied, jurisdiction 2 in the forum would deprive the defendant of due process of law.” Omeluk v. Langsten Slip & 3 Batbyggeri A/S, 52 F.3d 267, 270 (9th Cir. 1995). 4 To assess “purposeful direction” under the first prong, courts apply the “effects test” to 5 determine whether the defendant “(1) committed an intentional act, (2) expressly aimed at the 6 forum state, (3) causing harm that the defendant knows is likely to be suffered in the forum state.” 7 Yahoo! Inc. v. La Ligue Contre Le Racisme Et L’Antisemitisme, 433 F. 3d 1199, 1206 (9th Cir. 8 2006) (quotation omitted). 9 “The parties may submit, and the court may consider, declarations and other evidence 10 outside the pleadings in determining whether it has personal jurisdiction.” Stack v. Progressive 11 Select Ins. Co., No. 20-cv-00338-LB, 2020 WL 5517300, at *4 (N.D. Cal. Sept. 14, 2020) (citing 12 Doe v. Unocal Corp., 248 F.3d 915, 922 (9th Cir. 2001)). “Although the court ‘may not assume 13 the truth of allegations in a pleading which are contradicted by affidavit,’ the court resolves factual 14 disputes in the plaintiff’s favor.” Toy v. Honeywell Int’l Inc., No. 19-CV-00325-HSG, 2019 WL 15 1904215, at *3 (N.D. Cal. Apr. 29, 2019) (quoting CollegeSource, Inc. v. AcademyOne, Inc., 653 16 F.3d 1066, 1073 (9th Cir. 2011)). 17 i. Naver and Naver Cloud 18 Naver and Naver Cloud argue that Plaintiffs’ claims against them should be dismissed 19 because the two “South Korean companies do not have sufficient contacts with California to 20 establish personal jurisdiction.” Naver Mot. at 11. Plaintiffs claim that “Naver owns and 21 operates, and at all relevant times owned and operated, the B612 app.” Naver Opp. at 3 (quoting 22 Compl. ¶ 23).3 Naver also has employees in the United States and, according to Plaintiffs, 23 Naver’s Chief Business Officer for North America is located in Palo Alto, California. Naver Opp. 24 3 Naver’s Chief Privacy Officer, Jinkyu Lee, submitted a declaration acknowledging that 25 “NAVER is the parent corporation to SNOW Corporation, the maker of the B612 app,” but asserting that it was “not involved in the development, operation, or marketing of the B612 app, 26 and has never provided customer service to users of that app.” Dkt. 48 (“Lee Decl.”) at ¶ 9. Plaintiffs argue that this declaration does not refute the possibility of Naver’s current involvement 27 with the B612 app. While the Court finds this semantic argument less than compelling, “as the 1 at 6. 2 Naver Cloud is a wholly owned subsidiary of Naver. Compl. ¶ 12. Plaintiffs claim in their 3 opposition that Naver Cloud “supports the Naver IT infrastructure involved in the collection and 4 transmission of LINE Messenger and B612 user data” and that it provides “ISP services for, and 5 uses its own devices to host, certain domains . . . that are directly involved in the unlawful 6 collection and transmission of LINE Messenger and B612 user data.” Naver Opp. at 3. Plaintiffs 7 also now assert that Naver Cloud “acquired, installed, operated, and managed LINE Corp.’s 8 server, data storage, and data management with respect to user data” including “user data from the 9 United States and California.” Naver Opp. at 4. Naver Cloud America (a U.S company based in 10 San Jose, California) is a wholly owned subsidiary of Naver Cloud. Compl. ¶ 37. Plaintiffs also 11 argue that “the contacts of Naver’s subsidiaries with California can be imputed to Naver because 12 they are its agents” but it does not identify where in its Complaint it pleads facts to support this 13 argument. Naver Opp. at 7. 14 The first prong of the specific jurisdiction test requires a party to either purposefully direct 15 its activities toward California or to purposefully avail itself of the privilege of conducting 16 activities in California. See Schwarzenegger, 374 F.3d at 802. Applying the Yahoo! “effects” test, 17 the Court finds that Plaintiffs have not pled sufficient facts to establish that Naver purposefully 18 directed its activities toward California or purposefully availed itself of the privilege of conducting 19 activities in California. See Yahoo, 433 F. 3d at 1206. Plaintiffs similarly fail to plead sufficient 20 facts to meet this requirement regarding Naver Cloud. At bottom, Plaintiffs have failed to allege 21 facts that show that Naver or Naver Cloud engaged in intentional acts “expressly aimed” at the 22 forum state. Pebble Beach Co., 453 F.3d at 1156. As Plaintiffs have not met the first prong of the 23 specific jurisdiction test as to Naver or Naver Cloud, the Court finds that the Complaint does not 24 establish personal jurisdiction over these two defendants. See id. at 1155 (holding that, as 25 “Plaintiff’s arguments fail under the first prong . . . we need not address whether the claim arose 26 out of or resulted from [Defendant’s] forum-related activities or whether an exercise of 27 jurisdiction is reasonable . . .”). The Complaint is DISMISSED WITH LEAVE TO AMEND as ii. Foreign LINE Defendants 1 The Foreign LINE Defendants argue that Plaintiffs’ claims against them should be 2 dismissed because the Court lacks personal jurisdiction over them. Foreign LINE Mot. at 4. 3 Plaintiffs claim that the Court has specific personal jurisdiction over the Foreign LINE Defendants 4 because each of the Foreign LINE Defendants “have committed intentional acts, as part of a global 5 enterprise of affiliated companies working together to make the LINE Messenger and B612 apps 6 available to consumers, unlawfully collecting use data through those apps, and generating 7 advertising revenue from the apps and the stolen user data.” Foreign LINE Opp. at 18. 8 Z Holdings is a subsidiary of a joint venture between Naver and third-party SoftBank 9 located in Tokyo. Compl. ¶ 16. For specific jurisdiction purposes, Plaintiffs contend that Z 10 Holdings’s “intentional act” is that it is “charged with operation of LINE Messenger, along with 11 its subsidiaries, including LINE Corp., LINE Plus, and LINE E-A.” LINE Opp. at 19-20. They 12 claim that Z Holdings’s operation of LINE Messenger is established by a report of the Special 13 Committee for Global Data Governance, which allegedly “confirm[s] that Z Holdings governs the 14 handling of user data by LINE Messenger and its other portfolio businesses.” Id. at 20. LINE 15 Corporation (“LINE Corp.”) is a wholly owned subsidiary of Z Holdings located in Tokyo. 16 Compl. ¶ 17. Plaintiffs contend that LINE Corp.’s “intentional act” is that it is the “the registrant 17 of key domains . . . that intercept and obtain user data sent from one LINE Messenger user to 18 another.” Id. at 20. Defendant LINE Plus Corporation (“LINE Plus”) is a wholly owned 19 subsidiary of LINE Corp. located in South Korea. Compl. ¶ 18. Plaintiffs contend that LINE 20 Plus’s “intentional act” is that it “provide[d] marketing and sales services for the LINE platform 21 outside of Japan.” Id. at 21. Finally, LINE Euro-Americas Corp. (“LINE E-A”), which does not 22 contest personal jurisdiction, is a Delaware corporation located in Palo Alto and Los Angeles and 23 it is a wholly owned subsidiary of LINE Plus. Compl. ¶ 19. 24 In summary, Plaintiffs contend that the Foreign LINE Defendants expressly aimed their 25 intentional acts at California in three ways. They first contend that the foreign LINE Defendants 26 collectively “promote the expansion of LINE Messenger’s user base in California” through LINE 27 Friends Inc., a non-party U.S. subsidiary of LINE Corp., that sells LINE Messenger merchandise 1 online and at a brick-and-mortar store in Los Angeles. Id. at 22. Second, Plaintiffs argue that 2 LINE E-A—a wholly owned subsidiary of LINE Plus headquartered in California—also 3 previously “promoted LINE Messenger in North and South America” and currently “supports 4 business-to-business activities and partnerships for LINE Plus and LINE Corp.” Id. (quotations 5 omitted). Third, Plaintiffs contend that LINE Plus was established “to more effectively pursue 6 global expansion [of LINE Messenger] outside of Japan” and “provide marketing and sales service 7 for the LINE platform outside of Japan.” Id. (quotations omitted). LINE Plus has had seven 8 employees in the United States, with at least two in California at some point. Id. Fourth, 9 Plaintiffs argue that “hardware used to intercept and obtain LINE Messenger user data is located 10 in California” because Naver Cloud and Naver Cloud America provide ISP services for “one of 11 the offending domains that Defendants have used to unlawfully intercept and obtain LINE 12 Messenger user data.” Id. at 23. 13 Plaintiffs fail to meet the requirements of the specific jurisdiction test as to the Foreign 14 LINE Defendants. See Schwarzenegger, 374 F.3d at 802. Applying the Yahoo! “effects” test, the 15 Court finds that Plaintiffs have not plead sufficient facts to establish that the Foreign LINE 16 Defendants purposefully directed their activities toward California or purposefully availed 17 themselves of the privilege of conducting activities in California. To begin with, LINE Messenger 18 itself has weak ties to California. Plaintiffs do not meaningfully dispute that (1) LINE Messenger 19 is a global communications app that has no particular focus on California; and (2) over 99.2% of 20 daily active LINE Messenger users are located outside of the United States. See Dkt. 52-5 (“Irie 21 Decl.”) at ¶ 3, 8-9. Plaintiffs also do not allege that any of the foreign LINE Defendants advertise 22 directly to California or target California consumers with third-party advertisements. As a result, 23 to the extent any of the foreign LINE Defendants operate LINE Messenger, that is not an 24 intentional act “expressly aimed” at California. See Voodoo SAS v. SayGames LLC, No. 19-cv- 25 07480-BLF, 2020 WL 3791657, at *4-6, 8 (N.D. Cal. July 7, 2020) (finding no personal 26 jurisdiction over the maker of an app in part because it was downloaded from outside the United 27 States 80% of the time). 1 like LINE-EA and LINE Friends are also unpersuasive. Plaintiffs’ allegations about LINE E-A 2 and LINE Plus fail to show that either of those entities has expressly aimed any action at 3 California. Claims that LINE E-A previously promoted LINE Messenger in two entire 4 continents—North and South America—do not equate to LINE E-A specifically targeting 5 California. And likewise, allegations that LINE Plus provides marketing and sales services for 6 LINE Messenger “outside of Japan” do not mean that LINE Plus directed any marketing or sales 7 services at California. Moreover, Plaintiffs do not allege any alter-ego or agency relationship 8 between those entities (LINE Opp. at 23) and the “unilateral activity of another party or a third 9 person is not an appropriate consideration when determining whether a defendant has sufficient 10 contacts with a forum State.” Walden v. Fiore, 571 U.S. 277, 284 (2014) (quotation omitted). 11 Finally, to the extent Plaintiffs justify jurisdiction based on the foreign entities’ ties to LINE 12 Friends Inc.—a non-party U.S. subsidiary of LINE Corp. that sells LINE Messenger merchandise 13 online and at a brick-and-mortar store in Los Angeles—none of the claims here “arise out of or 14 relate to” those activities, as required by the second prong of the specific jurisdiction test. 15 Schwarzenegger, 374 F.3d at 802. 16 As to LINE Plus, Plaintiffs additionally argue that it was established in 2013 to pursue 17 global expansion of the app and “provide marketing and sales services for the LINE platform 18 outside of Japan.” LINE Opp. at 22. Plaintiffs also argue that LINE Plus had at least two 19 employees in California as of April 2021. These asserted bases for jurisdiction are also 20 unpersuasive. First, promoting LINE Messenger “outside of Japan” generally is not the same as 21 promoting it in California specifically. And second, the presence of one or two employees in 22 California, without more, is not enough to establish specific jurisdiction here because there is no 23 indication that Plaintiffs’ claims “arise out of or relate to” the alleged presence of these employees. 24 Schwarzenegger, 374 F.3d at 802. All claims against the Foreign LINE Defendants are 25 DISMISSED WITH LEAVE TO AMEND. 26 iii. Jurisdictional Discovery 27 In the alternative, Plaintiffs ask the Court to order jurisdictional discovery. Jurisdictional 1 jurisdiction are controverted or where a more satisfactory showing of the facts is necessary.” Laub 2 v. U.S. Dep't of Interior, 342 F.3d 1080, 1093 (9th Cir. 2003). But “where a plaintiff's claim of 3 personal jurisdiction appears to be both attenuated and based on bare allegations in the face of 4 specific denials made by the defendants, the Court need not permit even limited discovery....” 5 Pebble Beach Co., 453 F.3d at 1160 (quotation omitted). Here, the Court finds that Plaintiffs’ 6 claim of personal jurisdiction is both attenuated and based on bare allegations. The Court thus 7 finds that Plaintiffs fail to make the threshold showing that jurisdictional discovery is warranted. 8 Accordingly, the Court DENIES Plaintiffs’ request for jurisdictional discovery, without prejudice 9 to renewal if Plaintiffs can adequately address the numerous pleading shortcomings identified in 10 this order, including the improper group pleading discussed below. 11 B. Group Pleading 12 One of the recurring problems with Plaintiffs’ complaint is that their claims repeatedly 13 raise allegations against undifferentiated groups of defendants, without specifying what entity or 14 entities supposedly took what particular actions. The Naver Defendants argue that “[p]leading ten 15 causes of action, without specifying which defendants they pertain to, or why each defendant’s 16 actions constitutes a legal violation, is plainly insufficient.” Naver Mot. at 16. The Court agrees 17 that Plaintiffs fail to plead the claims with enough specificity for Defendants to determine which 18 claims apply to which Defendants. This group pleading is not sufficient to put Defendants on 19 notice of the claims against them. The Complaint is DISMISSED WITH LEAVE TO AMEND 20 as to the Naver Defendants. 21 Raising a similar argument premised on the traceability requirement for Article III 22 standing, the LINE Defendants allege that Plaintiffs make no “specific allegations” as to the LINE 23 Defendants’ role in the purported injuries and argue that any causal relationship to any injury 24 Plaintiffs could have suffered could only exist between Plaintiffs and the various third parties 25 alleged to have collected data from the apps. LINE E-A Mot. at 3-4; Foreign LINE Defendants 26 Mot. at 24. As the Court found that it does not have personal jurisdiction over the Foreign LINE 27 Defendants, the Court only analyzes traceability as to LINE E-A. LINE E-A argues that the 1 A Mot. at 4. Plaintiffs argue that this argument amounts to “one tortfeasor blaming another, which 2 is insufficient.” LINE Opp. at 32. But Plaintiffs allege that the LINE Defendants (as a group, not 3 LINE E-A specifically) intercepted users’ private messages. Compl. at ¶¶ 77-88, 221, 235. This 4 is not sufficient to fulfill the Spokeo traceability requirement as it is not clear what role Plaintiffs 5 allege LINE E-A played in any of the claimed transgressions. Spokeo v. Robins, 578 U.S. 330, 6 338 (2016). The Complaint is DISMISSED WITH LEAVE TO AMEND as to the LINE E-A. 7 In any amended complaint, Plaintiffs must specify with particularity which entity took 8 which alleged actions, and may not evade this requirement by making allegations against groups 9 of “defendants” generically. 10 Even though the Complaint has been dismissed against all Defendants over which the 11 Court has jurisdiction, in the interest of streamlining any further pleading litigation, the Court 12 addresses certain key arguments below regarding Article III standing and failure to state a claim. 13 The Court does not address all of the arguments made by Defendants.4 14 C. Article III Standing 15 “As the party invoking federal jurisdiction, the plaintiffs bear the burden of demonstrating 16 that they have standing.” TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2207 (2021). To 17 establish standing, a “[p]laintiff must have (1) suffered an injury in fact, (2) that is fairly traceable 18 to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable 19 judicial decision.” Spokeo, 578 U.S. at 338. Further, “in a suit for damages, the mere risk of 20 future harm, standing alone, cannot qualify as a concrete harm.” See TransUnion, 141 S. Ct. at 21 2210-11. Defendants first argue that “Plaintiffs’ claims fail because they do not plausibly allege a 22 cognizable injury.” Naver Mot. at 5; see also Foreign LINE Defendants Mot. at 24; LINE EA 23 Mot. at 3. 24 “[U]nder Article III, an injury in law is not an injury in fact. Only those plaintiffs who 25 have been concretely harmed by a defendant's statutory violation may sue that private defendant 26
27 4 The Court does not address the LINE Defendants’ forum non conveniens argument (as it applies 1 over that violation in federal court.” TransUnion, 141 S. Ct. at 2205 (emphasis in original). 2 TransUnion also requires that “the asserted harm [have] a close relationship to a harm traditionally 3 recognized as providing a basis for a lawsuit in American courts—such as physical harm, 4 monetary harm, or various intangible harms. . .” Id. at 2200 (internal quotations omitted). This 5 test, however, “does not require an exact duplicate in American history and tradition.” Id. at 2204. 6 Plaintiffs’ Complaint identifies four theories of harm—invasion of privacy; harm to their 7 mobile devices as well as data usage and electricity costs; risk of identity theft and surveillance; 8 and diminution of value. 9 i. Invasion of Privacy 10 Plaintiffs make three main types of invasion of privacy claims: 1) Defendants took 11 Plaintiffs’ “User/Device Identifiers,” 2) Defendants took Plaintiffs’ “Biometric Identifiers” 12 (ostensibly through facial scans of user-submitted photos and videos), and 3) the LINE Defendants 13 intercepted Plaintiffs’ videos, URLs, and keywords. See Compl. ¶¶ 65, 77-88, 99, 135. Plaintiffs 14 argue that they have met the TransUnion “close analogue test” because they have identified 15 “disclosure of private information and intrusion upon seclusion” as the historical analogues. See 16 Naver Opp. at 11.5 17 a. User/Device Identifiers 18 Defendants argue that the “User/Device Identifiers” Plaintiffs mention in the Complaint 19 “are not the kind of sensitive information that can confer standing for a privacy claim” because 20 “Courts reject the idea that collection of this sort of information gives rise to privacy injury.” 21 Naver Mot. at 6. Plaintiffs argue that unlike “general location and contact information” which 22 may not be protectable, “Plaintiffs allege Defendants collected and disclosed highly sensitive 23 information, including Plaintiffs’ face geometry scans, video viewing histories, user and device 24 identifiers, and contents of their non-public messages.” Naver Opp. at 18, n.15. Defendants’ 25 argument in that section of the motion was limited to the proposition that the collection of “user 26 and device identifiers” cannot give rise to a privacy injury. As to those identifiers, the Court 27 1 agrees that Plaintiffs have not alleged enough facts to show that the “user and device identifiers” 2 are the type of information that could give rise to a privacy injury. See, e.g., In re Facebook, Inc. 3 Internet Tracking Litig., 956 F.3d 589, 604 (9th Cir. 2020), cert. denied sub nom. Facebook, Inc. 4 v. Davis, 141 S. Ct. 1684 (2021) (quotations omitted) (explaining that users do “not maintain a 5 reasonable expectation of privacy” in the “the to/from addresses of their messages or the IP 6 addresses of the websites they visit”; Heeger v. Facebook, Inc., 509 F. Supp. 3d 1182, 1189 (N.D. 7 Cal. 2020) (holding that “there is no legally protected privacy interest in IP addresses”); cf. In re 8 Zynga Priv. Litig., 750 F.3d 1098, 1107-08 (finding that “information about a user's 9 communication, not the communication itself” does not qualify as protected “content” under 10 ECPA). The Court addresses below other categories of information alleged. 11 b. Biometric Identifiers 12 Defendants next argue that “having one’s face scanned by a photo editing app is not a 13 privacy injury that would be traditionally recognized by American courts.” Naver Mot. at 6 14 (quotations omitted). For a claim based on the disclosure of private information and intrusion 15 upon seclusion, 1) there must be a reasonable expectation of privacy, and 2) the publicity or 16 intrusion must be “highly offensive.” See Facebook., 956 F.3d at 601. 17 Defendants argue that “an individual has no privacy interest in their own face.” Naver 18 Mot. at 6. The Ninth Circuit, however, has held that “that an invasion of an individual’s biometric 19 privacy rights has a close relationship to a harm that has traditionally been regarded as providing a 20 basis for a lawsuit in English or American courts.” Patel v. Facebook, Inc., 932 F.3d 1264, 1273 21 (9th Cir. 2019) (internal quotations omitted). In Patel, the Ninth Circuit found that the plaintiffs 22 had alleged a “concrete and particularized harm, sufficient to confer Article III standing” when 23 they claimed the defendant had violated the Illinois Biometric Information Privacy Act (BIPA) 24 “by collecting, using, and storing biometric identifiers (a “scan” of “face geometry”) from their 25 photos without obtaining a written release and without establishing a compliant retention 26 schedule.” Id. at 1268, 1275 (citations omitted). Defendants argue that “Plaintiffs’ unprecedented 27 claim that their privacy was violated when they willingly scanned their own faces with an app they 1 The Court, however, finds Defendants’ argument irreconcilable with Patel, which held that 2 plaintiffs suffered a concrete injury when the defendant there collected and stored a scan of their 3 “face geometry” from pictures posted on its website.6 Plaintiffs have alleged enough facts to 4 support Article III standing as to their invasion of privacy claims based on collection and storage 5 of biometric information. 6 ii. Harm to Mobile Devices 7 Defendants argue that Plaintiffs’ claim of “unspecified depletion of mobile resources is 8 insufficient to support standing.” Naver Mot. at 7 (citations omitted). Plaintiffs respond that 9 “battery depletion . . . is economic harm that confers Article III standing.” Naver Opp. at 13. 10 Defendants have the better argument. In analyzing this issue, district courts within this circuit have 11 distinguished between conduct that draws upon the user's cell phone battery frequently or systemically—and which is therefore more 12 likely to reduce battery life—and infrequent or episodic cell phone use that is likely to result only in a de minimis effect on the battery. 13 The former is enough to allege injury under the UCL: the latter is not. 14 Holt v. Facebook, Inc., 240 F. Supp. 3d 1021, 1035 (N.D. Cal. 2017). Plaintiffs do not allege facts 15 sufficient to show that their cell phone batteries were drained “frequently or systematically.” 16 Plaintiffs likewise make no allegations that support that Defendants’ alleged actions had anything 17 other than a de minimis effect on their data and electricity costs. Even if Plaintiffs’ UCL (claim 4) 18 and CIPA (claim 6) claims had not been dismissed based on improper group pleading, as pled they 19 would be subject to dismissal for lack of standing, and any amended complaint should address this 20 problem. 21 iii. Risk of Identity Theft and Surveillance 22 TransUnion held that in a suit for damages “pre-existing risk” of future harm cannot 23 6 Defendants argue that Patel is irreconcilable with TransUnion and that the Court should 24 therefore disregard Patel. See, e.g., Dkt. 97 (“Hearing Transcript”) at 9:15-17. The Court rejects Defendants’ argument because it fails to meet the Ninth Circuit’s controlling standard, which 25 requires TransUnion to “have undercut the theory or reasoning underlying [Patel] in such a way that the cases are clearly irreconcilable.” Miller v. Gammie, 335 F.3d 889, 900 (9th Cir. 2003) (en 26 banc). This is a high bar to clear and Defendants fail to do so. See Apache Stronghold v. United States, 38 F.4th 742, 763 (9th Cir. 2022) (quotations and citations omitted) (explaining that the 27 “clearly irreconcilable” condition “is a high standard” and concluding that “[i]f, as a panel, we can 1 “constitute a basis for the person’s injury and for damages” TransUnion, 141 S. Ct. at 2211 2 (2021). Plaintiffs claim that their information has been “transmitted to domains that are accessible 3 to the Chinese government, exposing [them] to a heightened, imminent risk of misuse, fraud, 4 identity theft, Chinese government surveillance and financial harm.” Compl. ¶ 179. Plaintiffs do 5 not allege, however, that the information actually has been taken by the Chinese government or 6 other entities. Defendants argue that these allegations of possible future injury and risk of harm 7 fail as a matter of law. Naver Mot. 7-8. The Court finds that Plaintiffs’ allegations amount to no 8 more than a conjectural and hypothetical risk of access or misuse, which is not sufficient under 9 TransUnion. See Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (finding 10 standing to sue where a laptop with sensitive employee data was stolen thereby creating an 11 increased risk of identity theft but explaining that had the allegations been “more conjectural or 12 hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk 13 that it would be stolen at some point in the future—we would find the threat far less credible”). 14 Even if Plaintiffs’ negligence claim (claim 1) had not been dismissed based on improper group 15 pleading, as pled it would be subject to dismissal for lack of standing, and any amended complaint 16 should address this problem. 17 iv. Diminution of Value 18 Plaintiffs claim a “diminution of the value of their private and personally-identifiable 19 information” as part of the basis for their FAL claim (claim 5). Compl. ¶ 224. Defendants argue 20 that Plaintiffs “do not allege they actually wanted or attempted to sell, or in fact sold, their 21 information on any sort of market as required to plead this kind of injury.” Naver Mot. at 8. 22 Plaintiffs respond that “deprivation of a property interest in one’s personal information” is 23 “sufficient economic injury.” Naver Opp. at 13. Courts in this District have held that to proceed 24 on an economic injury theory, data privacy plaintiffs must allege the existence of a market for 25 their data and the impairment of the ability to participate in that market. See, e.g., Bass v. 26 Facebook, Inc., 394 F. Supp. 3d 1024, 1040 (N.D. Cal. 2019) (“It is not enough to merely say the 27 information was taken and therefore it has lost value . . . . That the information has external value, 1 money or property.”). Even if Plaintiffs’ FAL claim (claim 5) had not been dismissed based on 2 improper group pleading, as pled it would be subject to dismissal for lack of standing, and any 3 amended complaint should address this problem. 4 v. CFAA 5 Defendants argue that Plaintiffs’ CFAA claim “must also be dismissed for lack of 6 standing, because Plaintiffs do not allege any damage or loss to support their claim, as required by 7 the statute.” Naver Mot. at 8. The statute provides that “Any person who suffers damage or loss 8 by reason of a violation of this section may maintain a civil action against the violator to obtain 9 compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). It is 10 not clear to the Court whether Plaintiffs disagree with Defendants’ position because the Court was 11 unable to follow their purported cross-reference.7 Even if Plaintiffs’ CFAA claim (claim 8) had 12 not been dismissed based on improper group pleading, as pled it would be subject to dismissal for 13 lack of standing, and any amended complaint should address this problem. 14 vi. Traceability 15 In addition to pleading an injury-in-fact, Plaintiffs must show that the injury “is fairly 16 traceable to the challenged conduct of the defendant.” Spokeo, 578 U.S. at 338. The Naver 17 Defendants argue that, in the context of the CIPA and ECPA claims, Plaintiffs have failed to 18 allege that Defendants 1) “engaged in any ‘conduct’ that could have brought about harm,” and that 19 2) Plaintiffs’ allegations are insufficient to show a “causal connection” between any alleged 20 conduct and injury or that any alleged injury is fairly traceable to the alleged conduct of the Naver 21 Defendants. Naver Mot. at 10-11. In light of its earlier finding that it lacks jurisdiction over 22 Naver and Naver Cloud, the Court will only analyze the traceability of the claims as to Naver 23 Cloud America, Snow Corp, and Snow Inc. Plaintiffs allege that Naver Cloud America 1) 24 supported the operation of the apps, 2) support the “Information Technology infrastructure for the 25
26 7 At several points in the briefing, the parties cross-referenced and incorporated by reference arguments made in other briefs in the case. This is improper and at times made it exceedingly 27 difficult to identify which arguments the parties were making or refuting. The parties are directed 1 Naver Defendants,” and 3) serve as the Internet Service Provider (ISP) for “and use their own 2 devices to host domains that are directly involved in the mishandling of U.S. user data.” Compl. ¶ 3 25, Naver Opp. at 14. Plaintiffs allege that Snow Corp. and Snow Inc. directly operate the B12 4 app, which “unlawfully collects users’ face geometry scans.” Compl. ¶¶ 3, 26, 27; see also Naver 5 Opp. at 14. 6 Plaintiffs miss the point. The root of the Naver Defendants’ argument is that the CIPA and 7 ECPA claims are based on messaging interception tied to the LINE Messenger app. Plaintiffs’ 8 allegations regarding the Naver Defendants’ control or support of the B612 app are irrelevant in 9 this context. In the CIPA and ECPA claims, Plaintiffs do not identify conduct on the part of Snow 10 Corp. or Snow Inc. that is fairly traceable to any injuries Plaintiffs may have suffered under CIPA 11 and ECPA. Even if Plaintiffs’ CIPA (claim 6) and ECPA (claim 7) claims had not been dismissed 12 based on improper group pleading, as pled against Snow Corp. and Snow Inc. they would be 13 subject to dismissal for lack of standing, and any amended complaint should address this problem. 14 As to Naver Cloud America, in the context of the CIPA and ECPA claims, Plaintiffs only 15 allege that it is one of the ISPs for a particular domain. Compl. ¶ 230. Plaintiffs allege that 16 “Defendants use devices linked to [this domain] to intercept videos contained in . . . chat 17 messages.”8 Id. This allegation of passive conduct is not sufficient for this Court to determine 18 that Plaintiffs’ alleged injuries are “fairly traceable to the challenged conduct of the defendant.” 19 Spokeo, 578 U.S. at 338. Even if Plaintiffs’ CIPA (claim 6) and ECPA (claim 7) claims had not 20 been dismissed based on improper group pleading, as pled against Naver Cloud America they 21 would be subject to dismissal for lack of standing, and any amended complaint should address this 22 problem. 23 D. Failure to State a Claim 24 i. Intrusion Upon Seclusion / California Constitutional Privacy Claim 25 When both intrusion upon seclusion and invasion of privacy claims are present, courts 26 8 For purposes of ruling on this issue, the Court assumes that Plaintiffs made a typo in writing out 27 the domain names and that “obs-us.line-apps.com” (the domain to which Defendants allegedly 1 conduct a combined inquiry that considers (1) the nature of any intrusion upon reasonable 2 expectations of privacy, and (2) the offensiveness or seriousness of the intrusion. Facebook., 956 3 F.3d at 601. 4 a. Facial Biometric Information 5 The Naver Defendants argue that Plaintiffs’ intrusion upon seclusion and California 6 Constitutional Privacy claims (claims 2 and 3) should be dismissed because “Plaintiffs had no 7 reasonable expectation of privacy in their facial image when using a selfie app to modify their 8 image.” Naver Mot. at 18. LINE E-A argues that claims 2 and 3 should be dismissed because 9 Plaintiffs “do not allege a reasonable expectation of privacy in a legally protected privacy 10 interest.” LINE E-A Mot. at 8. Plaintiffs have alleged that both the LINE and Naver defendants 11 have taken users’ “face geometry” information. Compl. ¶¶ 65. As explained above, in Patel the 12 Ninth Circuit recognized a cognizable privacy interest in one’s facial biometric information, even 13 in photos that have been uploaded to a photo-sharing site. See Patel, 932 F.3d at 1267, 1275. 14 Analogizing from Patel, this Court finds that Plaintiffs have plausibly alleged a cognizable 15 privacy interest in their facial biometric information. 16 b. User Information, Videos, URLs, and Keywords 17 LINE E-A also claims that the data allegedly collected by the LINE Defendants is not the 18 type of “sensitive and confidential information necessary to state a claim for invasion of privacy.” 19 LINE E-A Mot. at 8-9 (quotations omitted). Plaintiffs argue that the claims at issue here are 20 similar to the claims Plaintiffs made in In re Facebook, Inc. Internet Tracking Litig., where the 21 Ninth Circuit determined that the Plaintiffs had a reasonable expectation of privacy in URLs that 22 “could emanate from search terms inputted into a third-party search engine” and which “could 23 divulge a user's personal interests, queries, and habits on third-party websites operating outside of 24 [the defendant]'s platform.” 956 F.3d at 603; see also LINE Opp. at 38. Putting aside the 25 allegations about face geometry scans addressed above, the Court finds that the claims made here 26 are more analogous to those in In re Zynga Privacy Litigation, 750 F.3d 1098 (9th Cir. 2014). As 27 the Facebook court explained, in Zynga, the tracked URLs “revealed only that a . . . user had 1 websites after they had logged into their . . . user accounts” causing the linked material to appear 2 within the defendant’s interface. 956 F.3d at 605 (emphasis in original). Here, Plaintiffs allege 3 that LINE Messenger “tracks videos watched, created, liked, and/or commented on by users” . . . 4 “when a LINE Messenger user is operating within the LINE messenger timeline feature . . .” 5 Compl. ¶ 100. These allegations are not sufficient to state a claim for intrusion upon seclusion or 6 invasion of privacy. Cf. Zynga, 750 F.3d at 1108–09 (“[T]he referer header information at issue 7 here includes only basic identification and address information, not a search term or similar 8 communication made by the user, and therefore does not constitute the contents of a 9 communication.”). 10 ii. CIPA/ECPA 11 To establish a claim under CIPA, Plaintiffs must show that Defendants “maliciously and 12 without the consent of all parties to the communication, intercept[ed], receive[d], or assist[ed] in 13 intercepting or receiving a communication transmitted between” cellular devices. Cal. Penal Code 14 § 632.5(a). Plaintiffs have not alleged maliciousness, failing to state a claim under the section. 15 Plaintiffs then claim that their citation to Section 632.5(a) was a “mere scrivener’s error” 16 and that they intended to cite Section 632.7(a), which does not require maliciousness. LINE E-A 17 Opp. at 47-48, n.22. Section 632.7(a) requires Plaintiffs to allege that Defendants “without the 18 consent of all parties to a communication, intercept[ed] or receive[d] and intentionally record[ed], 19 or assist[ed] in the interception or reception and intentional recordation of, a communication 20 transmitted between two” devices. Cal. Penal Code § 632.7(a). As Defendants point out, Section 21 632.7(a) may not require maliciousness but it does require that Defendants recorded (or assisted in 22 recording) the communications. Even if Plaintiffs’ CIPA (claim 6) had not been dismissed based 23 on improper group pleading, as pled it would be subject to dismissal for failure state a claim (as it 24 did not allege recording), and any amended complaint should address this problem. 25 Under the ECPA sections cited by Plaintiffs, they must show: (1) the intentional 26 interception of wire, oral, or electronic communications; or (2) the intentional disclosure of the 27 contents of any intercepted wire, oral, or electronic communication. 18 U.S.C. § 2511(1)(a), (c). 1 communication app transmitting communications from the originating device to the recipient 2 device. See LINE E-A Mot. at 17. The Court finds that a determination of whether the 3 Defendants actions are covered under the “ordinary course of business exception” to the Wire 4 Tapping Act requires factual determinations that are not appropriate at this stage. 5 iii. CFAA 6 Plaintiffs allege that Defendants violated Section 1030(a)(2)(C) which allows punishment 7 of a Defendant who “intentionally accesses a computer without authorization or exceeds 8 authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 9 1030.9 Defendants claim that “data collection and device hacking are distinct” and that “only the 10 latter is at issue in a CFAA claim.” LINE Reply at 28. The Court agrees. See hiQ Labs, Inc. v. 11 LinkedIn Corp., 31 F.4th 1180, 1196 (9th Cir. 2022) (“The CFAA was enacted to prevent 12 intentional intrusion onto someone else's computer—specifically, computer hacking.”); cf. United 13 States v. Nosal, 676 F.3d 854, 857 (9th Cir. 2012) (declining to accept an interpretation that “would 14 transform the CFAA from an anti-hacking statute into an expansive misappropriation statute”). 15 Even if Plaintiffs’ CFAA (claim 8) had not been dismissed based on improper group pleading, as 16 pled it would be subject to dismissal for failure state a claim, and any amended complaint should 17 address this problem.10 18 // 19 // 20 // 21 // 22 // 23 9 In the LINE E-A Opposition, Plaintiffs claim that Defendants violated Sections 1030(a)(5)(A) 24 and 1030(a)(5)(C). LINE E-A Opp. at 48. The Court does not evaluate whether Plaintiffs’ claims are sufficient under these sections because they are not the basis for the cause of action that 25 Plaintiffs actually pled in the Complaint. 10 The Court need not address Plaintiffs’ BIPA claim, but notes that at least some courts 26 interpreting Illinois law have held that the alleged conduct needs to have taken place in Illinois. See Neals v. PAR Tech. Corp., 419 F. Supp. 3d 1088, 1091 (N.D. Ill. 2019); cf. Avery v. State 27 Farm Mutual Automobile Insurance Co., 216 Ill.2d 100, 186-187 (2005). Plaintiffs should 1 IV. CONCLUSION 2 Accordingly, the Court GRANTS the motions to dismiss WITH LEAVE TO AMEND. 3 || Plaintiffs shall file any amended complaint no later than 28 days from the date of this order. 4 IT IS SO ORDERED. 5 Dated: September 30, 2022 ® HAYWOOD S. GILLIAM, JR. 7 United States District Judge 8 9 10 11 12
© 15 16
= 17
Z 18 19 20 21 22 23 24 25 26 27 28