Docket Entries Since Last Update
NOTE: This court's RSS feed does not list MOTION entries, so Bloomberg Law cannot detect them and thus they will not be listed here. However, motions will be included if you update the docket.
JASEN SILVER ET AL., Plaintiffs, v. STRIPE INC., Defendant.
July 28, 2021, Filed
July 28, 2021, Decided
For Jasen Silver, on behalf of themselves and those similarly situated, Plaintiff: Todd M. Kennedy, Gutride Safier LLP, San Francisco, CA; Hayley A Reynolds, Gutride Safier LLP, San Francisco, San Francisco, CA; Marie Ann McCrary, Seth Adam Safier, Gutride Safier LLP, San Francisco, CA.
For Jill Lienhard, on behalf of themselves and those similarly situated, Patricia Tysinger, on behalf of themselves and those similarly situated, Victoria Waters, on behalf of themselves and those similarly situated, Alaina Jones, on behalf of themselves and those similarly situated, Plaintiffs: Todd M. Kennedy, LEAD ATTORNEY, PRO HAC VICE, Gutride Safier LLP, San Francisco, CA; Hayley A Reynolds, Gutride Safier LLP, San Francisco, San Francisco, CA; Marie Ann McCrary, Seth Adam Safier, Gutride Safier LLP, San Francisco, CA.
For Stripe, Inc., Defendant: Jonathan Hugh Blavin, LEAD ATTORNEY, Attorney at Law, Munger, Tolles & Olson, LLP, San Francisco, CA; Rosemarie T Ring, LEAD ATTORNEY, Munger Tolles and Olson, San Francisco, CA; Sarah Sun Lee, LEAD ATTORNEY, Munger, Tolles and Olson LLP, Los Angeles, CA; Laura Maria Lopez, Munger Tolles Olson, United Sta, Los Angeles, CA.
YVONNE GONZALEZ ROGERS, UNITED STATES DISTRICT JUDGE.
YVONNE GONZALEZ ROGERS
Order Granting in Part and Denying in Part Defendant's Motion to Dismiss Plaintiffs'
Re: Dkt. No. 48
Plaintiffs Jasen Silver, Jill Lienhard, Patricia Tysinger, Victoria Waters, and Alaina Jones bring this amended class action complaint against defendant Stripe Inc. ("Stripe") alleging violations of various privacy laws. (Dkt. No. 47.) ("First Amended Complaint" or "FAC.") Plaintiffs assert nine causes of action: (1) violation of the California Invasion of Privacy Act ("CIPA") under California Penal Code § 631 ; (2) violation of CIPA under California Penal Code § 635 ; (3) violation of the Florida Security of Communications Act ("FSCA"), Florida Statutes § 934 ; (4) violation of Washington's Wiretap Act, Revised Code of Washington § 9.73.030 ; (5) violation of the Utah Notice of Intent to Sell Nonpublic Personal Information Act, Utah Code Ann. § 13-37-201 ; (6) invasion of privacy under California's constitution; (7) intrusion upon seclusion (California); (8) violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 , et seq.; and (9) unjust enrichment.
Having once considered a motion to dismiss, now before the Court is Stripe's motion to dismiss all causes of action of the revised First Amended Complaint. (Dkt. Nos. 47 and 48.) The matter was fully briefed by the parties. (See also Dkt. Nos. 51 and 53.)
The Court has carefully considered the papers submitted, the pleadings in this action, oral argument, and for the reasons set forth below, it GRANTS IN PART AND DENIES IN PART the motion to dismiss plaintiffs' first amended complaint.1
The First Amended Complaint alleges as follows:
Stripe violated various privacy laws by secretly tracking, collecting, and storing the personal data and web activity of visitors to merchants ' website. (FAC ¶¶ 1, 206.) It then created Stripe Elements, a software code that allows merchants [*2] to integrate Stripe's payment platform into their applications. ( Id. ¶ 3.) Merchants that use Stripe Elements, in this case Instacart, as a payment platform do not usually contain any identifying information or identification to alert consumers that their transactions are being processed by Stripe. ( Id. ¶ 4.) Specifically, there is no branding on the payment screens indicating that Stripe is involved, and other than by looking into the detailed coding of the website and the platform, consumers cannot tell that Stripe is obtaining or storing sensitive information, including financial information. ( Id. ¶¶ 4-6.)
Consequently, most users think that they are communicating directly with the merchant , when they are in fact communicating directly with Stripe. ( Id.) In addition to sensitive financial information, Stripe collects, stores, and uses the following information:
• the consumer's mouse movements and clicks;
• the consumer's keystrokes;
• the consumer's IP address and internet service provider;
• the geolocation of the consumer and his or her device;
• the consumer's device brand and model, browser, and operating system;
• the number of cards that have been used at the consumer's IP address;
• the number of declined cards the consumer had used with Stripe;
• a record of when the consumer's attempted purchases were declined;
• the name of the consumer's bank or card issuer;
• whether or not the consumer had sufficient funds for the transaction;
• the time of day the consumer makes the purchase;
• other processing codes returned by the consumer's bank, such as "do not honor" codes or those relating to stolen cards; and
• whether the consumer later disputes the charge.("at-issue data") ( Id. ¶¶ 7, 36.)
Stripe takes all the collected information, correlates all payments the consumer made across its entire platform, and then—without informing the consumer—provides much of it to its other merchants . ( Id. ¶ 9.)
Next, Stripe installs cookies on consumers' computers and mobile devices, "so that Stripe can track their purchasing behavior across its vast merchant network." ( Id. ¶ 8.) For example, merchants are able to view a consumer's history of transactions processed by Stripe. ( Id.) Using this history, Stripe makes what is known as a "Risk Insights," which assigns a risk score to each consumer's transactions based on numerous factors. ( Id. ¶ 10.) At no time does Stripe inform consumers who use Stripe Elements that any of the alleged conduct is taking place. ( Id. ¶ 12.)
TWe, our partners, our advertisers, and third-party advertising networks use various technologies to collect information, including but not limited to cookies, pixels, scripts, and device identifiers. . . . Our partners, advertisers, and third-party advertising networks may use these technologies to collect information about your online activity over time and across different websites or online services.(Blavin Decl., Ex. C at 2, § II (emphases supplied.))
A. Consideration of Consent is Appropriate
Consideration of consent is appropriate on a motion to dismiss where lack of consent is an element of the claim. E.g. Garcia v. Enter Holdings, Inc., 78 F. Supp. 3d 1125 , 1136 (N.D. Cal. 2015) ("[d]efendants may properly challenge [p]laintiffs's allegations regarding lack of consent through the instant motion to dismiss); Javier v. Assurance IQ, LLC, No. 4:20-CV-02860-JSW, [2021 BL 92074], 2021 U.S. Dist. LEXIS 48777 , [2021 BL 92074], 2021 WL 940319 , at *2 (N.D. Cal. Mar. 9, 2021) (explaining that "consent generally defeats privacy claims" and granting motion to dismiss); Smith v. Facebook, Inc., 745 F.App'x, 8 , 9 (9th Cir. 2018) (affirming motion to dismiss based on consent).
A. Consideration of Consent is Appropriate
Internet users can form online contract, and therefore consent, in a variety of ways. See Colgate v. JUUL Labs, Inc., 402 F. Supp. 3d 728 , 763 (N.D. Cal. 2019) (discussing different forms of online contracts). The Ninth Circuit recognizes three main types of contracts formed on the internet: "clickwrap", "browsewrap", and "sign-in wrap" agreements. "Clickwrap" agreements require website users to click on an "I agree" box after they are presented with a list of terms and conditions. Id. "Browsewrap" agreements do not require the express consent, but instead operate by placing a hyperlink with the governing terms and conditions at the bottom of the [*4] website. Id. In "browsewrap" agreements, a user gives consent just by using the website. Id. "Sign-in-wrap" agreements are those that present a screen that states that acceptance of a separate agreement is required before a user can access an internet product or service. Id.
The Ninth Circuit requires that online contracts put a website user on actual or inquiry notice of its terms. Nguyen v. Barnes & Noble Inc., 763 F.3d 1171 , 1177 (9th Cir. 2014). In doing so, the notice must be conspicuous, that is it must put "a reasonably prudent user on inquiry notice of the contracts." Id. Whether a user has such inquiry notice "depends on the design and content of the website and the agreement's webpage." Id.
Courts have found that "[a] binding contract is created if a plaintiff is provided with an opportunity to review the terms of service in the form of a hyperlink," and it is "sufficient to require a user to affirmatively accept the terms, even if the terms are not presented on the same page as the acceptance button as long as the user has access to the terms of service." Moretti v. Hertz Corp., No. C 13-02972 JSW, [2014 BL 102175], 2014 U.S. Dist. LEXIS 50660 , [2014 BL 102175], 2014 WL 1410432 , at *2 (N.D. Cal. Apr. 11, 2014); In re Facebook Biometric Info. Priv. Litig., 185 F. Supp. 3d 1155 , 1166 (N.D. Cal. 2016) (user agreement enforceable where user had to "take some action—a click of a dual-purpose box—from which assent might be inferred").
(See FAC, ¶ 30, Fig. 2.)
C. Wiretap Claims: First, Second, Third, and Fourth Causes of Action
Thus, the Court finds that plaintiffs consented to the collection of the data at-issue. Accordingly, the Court GRANTS the motion to dismiss as to plaintiffs' wiretap claims (first, second, third, and fourth causes of action) based on plaintiffs' consent to the collection of the data.
D. Utah's Notice of Intent to Sell Nonpublic Personal Information: Fifth Cause of
Under Utah's Notice of Intent to Sell Nonpublic Personal Information Act, a commercial entity that enters into a "consumer transaction" with a consumer must give notice to the consumer before the entity discloses nonpublic information to a third-party. Utah Code Ann. § 13-37-201(1) . The statute defines a "consumer transaction" as "the use of nonpublic personal information in relation to a transaction with a person if the transaction is for primarily personal, family, or household purpose." Id. § 13-37-102(4 ).
The Court finds that the complaint, on its face, sufficiently alleges a claim under Utah's statute. Plaintiffs allege that Stripe qualifies as a business entity under the statute because Stripe conducts business in Utah. Further, the complaint sufficiently alleges that Stripe conducted "consumer transactions" with plaintiffs. For instance, the complaint alleges that Stripe collected plaintiffs' personal information while they used Instacart to shop for "personal, family and household purposes." [*7] In return, as alleged, Stripe then processed plaintiffs' payment, allowing plaintiffs to complete the transaction. The Court finds that the complaint alleges sufficient facts to state a claim under the statute.
However, class action relief is unavailable under the statute. Section 13-37-203(3) provides that "a person may not bring a class action" for violation of the statute. Utah Code Ann. § 13-37-203(3) . Thus, the Court DENIES the motion to dismiss as to Ms. Alaina Jones individually, the Utah resident named in the complaint, but GRANTS the motion as to the Utah Class.
E. Invasion of Privacy and Intrusion Upon Seclusion: Sixth and Seventh Causes of Action
To state a claim for invasion of privacy under the California Constitution, a plaintiff must plead: (1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is highly offensive. Hernandez v. Hillsides, Inc., 47 Cal 4th 272 , 287 , 97 Cal. Rptr. 3d 274 , 211 P.3d 1063 (2009).
A claim for intrusion upon seclusion under California common law involves similar elements. Plaintiffs must show that: (1) a defendant "intentionally intrude[d] into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy," and (2) that the intrusion was "highly offensive" to a reasonable person. Id. at 286 .
Because of the similarity of the tests, courts consider the claims together and ask whether: (1) there exist a reasonable expectation of privacy, and (2) the intrusion was highly offensive. See In re Facebook, Inc., Internet Tracking Litig., 956 F. 3d 589 , 605 (9th Cir. 2020). However, whether a conduct was highly offensive cannot be resolved at the pleading stage. Id. at 606 .
Thus, the relevant question here is whether plaintiffs would reasonably expect that a third party such as Stripe would disclose plaintiffs' data to other third parties.2 Plaintiffs argue that Instacart's policy does not disclose Stripe's disclosure activities. Specifically, plaintiffs claim that the policy does not disclose that Stripe would use their data to create and share risk profiles with their merchants.
Stripe relies on the following notice in Instacart's policy to argue that there is proper notice of Stripe's disclosure practice:
We may share your information when we believe that the disclosure is reasonably necessary to (a) comply with applicable laws, regulations, legal process, or requests from law enforcement or regulatory authorities, (b) prevent, detect, or otherwise handle fraud, security, or technical issues, and (c) protect the safety, rights, or property of any person, the public, or Instacart.Blavin Decl., Ex. C at 4, § IV.
The nature and volume of the collected information is also important. Plaintiffs allege that Stripe collected comprehensive information relating to plaintiffs' web browsing histories, financial information, device information, and online purchase activities. This information, according to plaintiffs, was then compiled into report, assigned a Risk Score, and then made available to all of Stripe's merchants for their personal use.
Taking plaintiffs' allegations, as required at this stage of litigation, the Court finds that plaintiffs' allegations that Stripe compiled and disseminated plaintiffs' sensitive data precludes the Court from finding that plaintiffs have no reasonable expectation of privacy. Thus, plaintiffs' allegations are sufficient to survive a motion to dismiss. Accordingly, the Court DENIES the motion as to plaintiffs' sixth and seventh causes of action.
F. UCL: Eighth Cause of Action
The UCL prohibits "any unlawful, unfair or fraudulent business act or practice." Hodsdon v. Mars, Inc., 891 F.3d 857 , 865 (9th Cir. 2018) (citing Cal. Bus. & Prof. Code § 17200 ). Here, plaintiffs assert a UCL claim under all three prongs: unlawful, unfair, and fraudulent. The Court addresses each.
The unlawful prong of the UCL prohibits "anything that can properly be called a business practice and that at the same time is forbidden by law." Cel-Tech Commc'ns., Inc. v. L.A. Cellular Telephone Co., 20 Cal.4th 163 , 180 , 83 Cal. Rptr. 2d 548 , 973 P.2d 527 (1999) (quotation marks and citations omitted). "By proscribing 'any unlawful' business practice, the UCL permits injured consumers to 'borrow' violations of other laws and treat them as unlawful competition that is independently actionable." In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 , 1225 (N.D. Cal. 2014) (quoting Cel-Tech Commc'ns., 20 Cal.4th at 180 ).
Plaintiffs allege that Stripe's conduct is unlawful under the UCL because it violates: (i) CIPA §§ 631 and 635 ; (ii) the California Online Privacy Protection Act of 2003 ("CalOPPA"), Cal. Bus. & Prof. Code § 22575 , et seq.; and (iii) and the Cal. Civ. Code § 1798 , et seq. FAC ¶ 206.
With regards to the CIPA claims, the unlawful prong fails in light of the foregoing analysis.
With the remainder of the laws cited, the complaint does an inadequate job of explaining the specific violations of those statutes. This is especially so where, as Stripe correctly notes, the CCPA has no private right of action and on its face states that consumers may not use the CCPA as a basis for a private right of action under any statute. Cal. Civ. Code § 1798.150(c) ("Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law."). Indeed, plaintiffs' opposition inappropriately attempts to explain [*9] the specific violations of CalOPPA where the complaint itself falls short. This is impermissible. See e.g., Harrison v. Robinson Rancheria Band of Pomo Indians Bus. Council, No. 13-cv-01413-JST, 2013 U.S. Dist. LEXIS 142165 , [2013 BL 267344], 2013 WL 5442987 , at *4 (N.D. Cal. Sept. 30, 2013) ("In their opposition brief, Plaintiffs offer a new theory . . . not hinted at in the complaint. 'It is axiomatic that the complaint may not be amended by briefs in opposition to a motion to dismiss.'").
Thus, plaintiffs' UCL claim under the unlawful prong fails. Accordingly, the Court GRANTS the motion to dismiss as to plaintiffs' cause of action on this ground.
The "fraudulent" prong of the UCL "requires a showing [that] members of the public are likely to be deceived." Wang v. Massey Chevrolet, 97 Cal. App. 4th 856 , 871 , 118 Cal. Rptr. 2d 770 (2002). Claims stated under the fraud prong of the UCL are subject to the particularity requirements of Federal Rule of Civil Procedure 9(b) . Under this Rule, in alleging fraud or mistake, a party must state with particularity the circumstances constituting fraud or mistake. Plaintiffs must include an account of the time, place, and specific content of the false representations at issue." In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953 , 990 (N.D. Cal. 2016) (dismissing claims under the fraud prong of the UCL where plaintiffs failed to include an account of the time of the false representations at issue) (citations and quotations omitted).
Here, under this heightened standard, plaintiffs have not stated with sufficient particularity allegations to state a cause of action under the fraudulent prong of the UCL. Further, plaintiffs do not and cannot show that Stripe had an affirmative duty to disclose its data collection practices. "[A] failure to disclose a fact one has no affirmative duty to disclose is [not] 'likely to deceive' anyone within the meaning of the UCL." Daugherty v. Am. Honda Motor Co., 144 Cal. App. 4th 824 , 838 , 51 Cal. Rptr. 3d 118 (2006); see also Berryman v. Merit Prop. Mgmt., Inc., 152 Cal. App. 4th 1544 , 1557 , 62 Cal. Rptr. 3d 177 (2007) ("Absent a duty to disclose, the failure to do so does not support a claim under the fraudulent prong of the UCL.").
Thus, plaintiffs' UCL claim under the fraudulent prong also fails. Accordingly, the Court GRANTS the motion as to plaintiffs' cause of action on this ground.
There are two standards for determining what is "unfair competition" under the UCL. The first standard, in the context of claims brought by consumers, requires allegations that the challenged conduct violates a "public policy" that is "tethered" to a specific constitutional, statutory, or regulatory provision. Gregory v. Albertson's, Inc., 104 Cal. App. 4th 845 , 853 , 128 Cal. Rptr. 2d 389 (2002). The second standard "involves balancing the harm to the consumer against the utility of the defendant's practice." Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718 , 735 (9th Cir. 2007.)
Here plaintiffs argue that Stripe's conduct is unfair under the UCL because Stripe intruded on communications that plaintiffs reasonably believed to be private and then sold those communications to any of its customers and merchants that were ever involved in a transaction with plaintiffs. Plaintiffs also argue that the nature of Stripe's conduct offends public policy. To the extent plaintiffs' claims relate to Stripe's disclosure of plaintiffs' information, and not Stripe's collection [*10] of such information, the Court finds that the complaint sufficiently alleges facts to state a claim under the unfair prong of the UCL. Plaintiffs' claims fail, however, to the extent that they rely on Stripe's collection of the information.
Accordingly, the Court DENIES the motion as to plaintiffs' cause of action under the unfair prong of the UCL.
G. Unjust Enrichment: Ninth Cause of Action
"To state a claim for unjust enrichment, Plaintiff must allege 'receipt of a benefit and unjust retention of the benefit at the expense of another.'" Lectrodryer v. SeoulBank, 77 Cal. App. 4th 723 , 726 , 91 Cal. Rptr. 2d 881 (Cal. Ct. App. 2000). In California, "there is not a standalone cause of action for 'unjust enrichment,' which is synonymous with 'restitution.'" Astiana v. Hain Celestial Grp., Inc., 783 F.3d 753 , 762 (9th Cir. 2015); see also Brodsky v. Apple Inc., No. 19-cv-00712, [2019 BL 327648], 2019 U.S. Dist. LEXIS 148808 , [2019 BL 327648], 2019 WL 4141936 , at *10 (N.D. Cal. Aug. 30, 2019) ("[C]ourts have consistently dismissed stand-alone claims for unjust enrichment."). Instead, at best, it is a species of fraud. See Moose Run, LLC v. Libric, No. 19-cv-01879-MMC, 2020 U.S. Dist. LEXIS 107077 , [2020 BL 226586], 2020 WL 3316097 , at *5 (N.D. Cal. June 18, 2020) ("A cause of action titled 'unjust enrichment,' however, can be construed as a claim that the plaintiff is entitled to restitution under the theory 'the defendant obtained a benefit from the plaintiff by fraud.'"). To proceed on a theory based on fraud, the plaintiff "choose[s] not to sue in tort, but instead to seek restitution on a quasi-contract theory (an election referred to at common law as waiving the tort and suing in assumpsit)." Id.
Here, however, plaintiffs did not "waiv[e] the tort," but, rather, chose to "sue in tort," by also proceeding with their tort and statutory claims. Under such circumstances, plaintiffs are not entitled to restitution under a quasi-contract theory. See id ; In re Apple and AT&T iPad Unlimited Data Plan Litig., 802 F. Supp. 2d 1070 , 1077 (N.D. Cal. 2011) ("plaintiffs cannot assert unjust enrichment claims that are merely duplicative of statutory or tort claims") (citing cases). This is especially so where plaintiffs have not alleged that they were "misled or that defendant breached any express or implied covenant as it relates" to the alleged conduct. Doe v. Epic Games, Inc., 435 F. Supp. 3d 1024 , 1052 (N.D. Cal. 2020). Moreover, this claim also fails in light of the Court's prior analysis as to fraud under the UCL.
Accordingly, the Court Grants the motion to dismiss as to plaintiffs' unjust enrichment claims.
Based on the foregoing, the Court Orders:
• the motion to dismiss as to plaintiffs' first, second, third, and fourth causes ofaction is Granted Without Leave to Amend ;
• the motion to dismiss as to plaintiffs' fifth cause of action is Denied as to Ms.Alaina Jones, and Granted Without Leave to Amend as to the Utah Class;
• the motion to dismiss as to plaintiffs' sixth and seventh causes of action is Denied ;
• the motion to dismiss as to plaintiffs' eighth cause of action is Denied as to theUCL's unfair prong but Granted Without Leave to Amend as to the fraud andunlawful prongs; and
• the motion to dismiss as to plaintiff's ninth cause of action is Granted Without Leave to Amend .
Stripe shall file an answer to plaintiffs' amended complaint within twenty-one (21) days from the date of this Order. The parties shall appear [*11] for a Case Management Conference on Monday, August 30, 2021 at 2:00 PM.
This Order terminates Docket Number 48.
It Is So Ordered .
Dated: July 28, 2021
/s/ Yvonne Gonzalez Rogers
Yvonne Gonzalez Rogers
United States District Judge
The parties do not dispute the legal standard for a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) . The Court applies the well-accepted principles articulated by the parties.
Having already found that plaintiffs consented to the collection of the at-issue data, the Court's remaining analysis only focuses on Stripe's disclosure of the information.