Opinion
22-cv-04792-RS
04-03-2024
MICHAEL KATZ-LACABE, et al., Plaintiffs, v. ORACLE AMERICA, INC., Defendant.
ORDER GRANTING MOTION TO DISMISS AND GRANTING SEALING MOTIONS
RICHARD SEEBORG, CHIEF UNITED STATES DISTRICT JUDGE.
I. INTRODUCTION
In this putative data privacy class action, Plaintiffs aver Defendant Oracle America, Inc.'s collection and use of internet users' personal data violates their right to privacy as enshrined in the California Constitution and various state and federal privacy statutes. Oracle now moves to dismiss two causes of action in the Second Amended Class Action Complaint (“SAC”): (1) the Electronic Communications Privacy Act (“ECPA”) (Federal Wiretap Act) claim and (2) the intrusion upon seclusion claim premised on Florida common law. Both parties have also filed administrative motions to seal portions of their sur-reply briefs. For the reasons that follow, Oracle's motion to dismiss is granted. The parties' sealing motions are also granted.
The factual background of this case is based on the well-pled allegations in the SAC, which are taken as true for the purposes of this motion. This background is presented in greater detail in orders resolving previous motions to dismiss in this action.
Plaintiffs are two named individuals-Michael Katz-Lacabe and Dr. Jennifer Golbeck- who purport to represent five separate classes of individuals. Despite taking precautions to maintain privacy and prevent third-party collection of their data, Plaintiffs each received a document from Oracle (an “OARRR”) indicating it had tracked, compiled, and analyzed their web browsing and other activity, thereby creating an “electronic profile” of them. See Dkt. 54, at 2, 6. Plaintiffs aver Oracle tracks their internet activity across numerous websites with various technological tools, their location through partnership with the company PlaceIQ, and their financial data, and then makes that information available to third parties without Plaintiffs' consent.
In the order resolving Oracle's previous motion to dismiss (the “10/3 Order”), Plaintiffs' causes of action for (1) intrusion upon seclusion claim under Florida common law and (2) violation of the ECPA were dismissed with leave to amend. The intrusion upon seclusion claim was dismissed on the grounds Plaintiffs failed to show any particular “electronic space” where Plaintiff Golbeck had a reasonable expectation of privacy and into which Oracle intruded. The ECPA claim was dismissed because Plaintiffs failed to show Oracle had the requisite tortious motivation to invoke the crime-tort “exception to the exception” in the statute. On November 17, 2023, Plaintiffs filed the SAC, which purports to amend the deficiencies identified in the 10/3 Order for each cause of action. Oracle again moves to dismiss both. The parties have also filed administrative motions to seal portions of their respective sur-reply briefs, which were filed to address a dispute that arose after Oracle filed its reply brief.
III. MOTION TO DISMISS
A. Legal Standard
A complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). While “detailed factual allegations” are not required, a complaint must have sufficient factual allegations to state a claim that is “plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citing Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 570 (2007)). A claim is facially plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. (citing Twombly, 550 U.S. at 556). This standard asks for “more than a sheer possibility that a defendant has acted unlawfully.” Id. The determination is a context-specific task requiring the court “to draw on its judicial experience and common sense.” Id. at 679.
A Rule 12(b)(6) motion to dismiss tests the sufficiency of the claims alleged in the complaint. Dismissal under Rule 12(b)(6) may be based on either the “lack of a cognizable legal theory” or on “the absence of sufficient facts alleged under a cognizable legal theory.” See Conservation Force v. Salazar, 646 F.3d 1240, 1242 (9th Cir. 2011) (internal quotation marks and citation omitted). When evaluating such a motion, the court must accept all allegations of material fact in the complaint as true and construe them in the light most favorable to the non-moving party. In re Quality Sys., Inc. Sec. Litig., 865 F.3d 1130, 1140 (9th Cir. 2017). It must also “draw all reasonable inferences in favor of the nonmoving party.” Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987).
B. DISCUSSION
1. ECPA Claim (Federal Wiretap Act)
a. New factual averments in the SAC
Plaintiffs, once again, invoke the “exception to the exception” in 18 U.S.C. § 2511(2)(d) in opposing dismissal of their ECPA cause of action. Under the statute, interception of a communication may be lawful “where one of the parties to the communication has given prior consent to such interception.” 18 U.S.C. § 2511(2)(d). This exception, however, ceases to apply where any “communication is intercepted for the purpose of committing any criminal or tortious act.” Id. Plaintiffs' ECPA claim has now been dismissed twice on the grounds the third-party websites that deployed Oracle's tools consented to the interceptions at issue and Plaintiffs have not pled sufficient facts to invoke the crime-tort exception to this rule. Plaintiffs contend the SAC now sufficiently pleads the crime-tort exception. Specifically, Plaintiffs make six new “sets” of allegations revolving around: (1) statements made by Oracle's former CEO, (2) a statement by an Oracle senior executive, (3) Oracle's internal statements about alcohol-related profiling, (4) a former Oracle employee's statement about user privacy tools, (5) Oracle's criticism of Google's privacy-invasive practices, and (6) Oracle's collection of data enabling political profiling and targeting. See Dkt. 90, at 8. These averments were added to the SAC to demonstrate Oracle had tortious intent underlying its data collection practices. They do not do so.
To start, none of the statements Plaintiffs attribute to Larry Ellison (Oracle's former CEO), a senior executive, or Oracle in the past help plead tortious intent. Plaintiffs first point to statements Ellison made in 2001 about the need for a “national ID system” and about the nature of privacy. Id. at 9. These decades-old statements do not show Oracle acted with tortious intent for purposes of the ECPA claim. Accepting that “Oracle's goal [was] tracking and compiling the online and offline activity” of internet users, id., this goal does not demonstrate tortious motivation. Plaintiffs further claim Oracle knew its data collection was “invasive and illegal” because an Oracle executive wrote a blog post in 2021 that it was “ridiculous” for Google to claim it was a party to communications it intercepted online. Id. at 9-11. This executive's opinion as to whether a data-collecting entity like Oracle or Google is a party to communications demonstrates neither that the executive thought the legality of the data collection depended on whether Oracle was a party nor that Oracle acted with a tortious purpose. Finally, Plaintiffs do not explain how Oracle's alleged “alcohol-based targeting” demonstrates tortious intent. See id. at 11. Plaintiffs point to no evidence that the sale of alcohol-related segments is unlawful and do not show Oracle had tortious intent in collecting or selling such data.
The SAC refers to a single anonymous source quoted in a 2019 news article as expressing reservations about alcohol-based targeting.
Plaintiffs newly aver that a former Oracle employee, posting anonymously on an internet message board, referred to an Oracle privacy tool as “purposefully never updated and knowingly inaccurate.” Id. at 11-12. Plaintiffs offer this statement as evidence Oracle employees were aware “the company's privacy practices were problematic” but that Oracle prevented users from taking privacy-protective actions. Id. at 12. Even construing this allegation in the light most favorable to Plaintiffs (assuming that the anonymous poster was in fact a former Oracle employee and that Oracle built a privacy tool it knew was imperfect), it fails to show tortious intent. At most, it supports the unremarkable proposition that an Oracle employee thought the company could be investing more resources into protecting users' privacy. Plaintiffs also point to Oracle's 2019 criticism of Google in a document submitted “in the context of proposals of changes to Australian privacy laws” to show Oracle “must know its own conduct tortiously intrudes on people's privacy.” Id. at 12, 13 (emphasis in original). The First Amended Complaint made a similar reference to Google's conduct. As before, an allegation that another company's data collection practices were insufficiently privacy-protective in the context of another nation's privacy laws does not tend to show Oracle had tortious intent in this case.
Plaintiffs refer to the tool as a “data opt-out tool.” Dkt. 90, at 11.
Oracle requests that the entire comment thread in which this anonymous post occurs (Exhibit B), as well as two other documents to which Plaintiffs cite in the SAC (Exhibits A & C) be incorporated by reference into the SAC. See Dkts. 88-1, 92-1. Plaintiffs object to incorporation of Exhibit B on the grounds Oracle's request amounts to an improper attempt to generate a factual dispute at the motion to dismiss stage. The doctrine of incorporation by reference is meant to prevent plaintiffs “from selecting only portions of documents that support their claims.” Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1002 (9th Cir. 2018). Plaintiffs have not objected to incorporation by reference of Exhibits A or C. Incorporation by reference of all three documents is appropriate under Khoja, and Oracle's request for incorporation by reference of all three documents is granted. That said, the message board post to which Plaintiffs point does not tend to show tortious intent even when considered in isolation.
Finally, Plaintiffs aver Oracle misrepresented how it uses the data it collects to the public (and to the Court) and that these misrepresentations evince tortious intent. Specifically, they claim Oracle offered “sensitive interest segments,” including segments based on political orientation, for sale as late as May 2021 and still creates political profiles of internet users while maintaining they did neither to the public. Id. at 14. Oracle argues that even if Plaintiffs' allegations that it has misrepresented, or is currently misrepresenting, the extent to which it gathers political data and sells it in its public-facing communications are taken as true, such misrepresentation(s) would not demonstrate tortious intent given Plaintiffs' recognition Oracle collected data pursuant to its profit incentive.
Plaintiffs' claims relating to alleged misrepresentations are, once again, insufficient to invoke the crime-tort exception. Plaintiffs fail plausibly to allege Oracle's underlying motivation in collecting and selling data about internet users was anything other than to generate revenue. See, e.g., In re DoubleClick Inc. Priv. Litig., 154 F.Supp.2d 497, 519 (S.D.N.Y. 2001); In re Google Inc. Gmail Litig., No. 13-md-2430, 2014 WL 1102660, at *18 n.13 (N.D. Cal. Mar. 18, 2014). Plaintiffs acknowledge the “language of Oracle's disclosures has evolved over the last four years.” Dkt. 99, at 4. Though Plaintiffs aver Oracle sought to hide its data collection and sales efforts because it knew they were “privacy-invasive and harmful,” Dkt. 90, at 16, they do not plausibly allege Oracle thought any such efforts were tortious or point to any authority for the proposition such collection or sales was unlawful. Indeed, the central facts Plaintiffs allege in support of a misrepresentation theory establish only that Oracle had a privacy policy in August 2022 that was at odds with its data collection practices as late as May 2021. See SAC ¶¶ 128, 130. All told, accepting all of Plaintiffs' material factual allegations as true and construing them in the light most favorable to them, Plaintiffs' arguments that Oracle misrepresented its privacy practices to consumers do not show it collected or sold data with tortious intent.
b. Consent
The federal Wiretap Act is a one-party consent statute. See 18 U.S.C. § 2511(2)(d). As was true at earlier motions to dismiss in this case, Oracle's customers chose to deploy Oracle's tools on their websites, and it necessarily follows that “one of the parties to the communication”-the websites themselves-gave “prior consent to such interception.” Id. Plaintiffs now argue that because Oracle attempted to mislead the public as to its “privacy-invasive conduct,” it has “failed to demonstrate the websites consented to Oracle's interceptions.” Dkt. 90, at 16-18. They attempt to distinguish this case from Rodriguez v. Google, LLC, No. 20-cv-4688, 2021 WL 2026726 (N.D. Cal. May 21, 2021), which refused to adopt a “consent-upon-consent” framework dependent on a user's privacy expectations, by claiming third-party websites “do not understand or consent to the scope of Oracle's further uses of the communications it intercepted.” Dkt. 90, at 17.
Oracle's basis for invoking the one-party consent exception to the federal Wiretap Act is as clear in this motion as it has been previously. Indeed, in its opposition to Oracle's previous motion to dismiss, Plaintiffs did not contest the exception's applicability. Third-party websites agreed to deploy Oracle's data collection tool, and Plaintiffs offer no plausible reason to conclude their consent was conditioned on Oracle limiting the types of data it collected or how it then used that data. Plaintiffs' argument is similar to the theory rejected in Rodriguez that websites do not actually consent to Oracle's data interception where interception may theoretically conflict with “individual privacy expectations.” Rodriguez, 2021 WL 2026726, at *5. To the contrary, the Oracle-generated technical guide repeatedly cited in the SAC explains to Oracle's customers how Oracle's data collection tool works and how, for instance, customers can “organize the online user attributes” they ingest. See Dkt. 92, at 14. Oracle's customers seem to have had clear instruction regarding what data Oracle's tools would collect and even how they could modify the operation of those tools. Plaintiffs' new arguments fail to make a plausible showing the third-party websites did not consent to Oracle's data interceptions.
See Oracle Data Cloud Core Tag Implementation, Oracle, https://perma.cc/8XVU-8Z2F. Though it appears neither party sought incorporation by reference of this document, sua sponte incorporation by reference is appropriate given that it is repeatedly cited in the SAC. See, e.g., In re Tesla, Inc. Sec. Litig., 477 F.Supp.3d 903, 934 n.12 (N.D. Cal. 2020).
c. Arguments raised in sur-reply
In their sur-reply, Plaintiffs accuse Oracle of withholding discovery and misrepresenting whether it creates sensitive interest segments based on customer data regarding, for example, users' political orientations. Plaintiffs argue Oracle produced additional discovery after filing its reply brief, that this additional production demonstrates Oracle created sensitive interest segments during the course of this litigation despite disavowing doing so, that this conduct “harms class members,” and that Oracle's prior nondisclosure of this conduct shows tortious intent. Id. at 1, 46. Plaintiffs argue they should be granted leave to amend the SAC to include this new material should their ECPA cause of action be dismissed. The question, at this stage, is whether the late disclosure of this data warrants granting leave to amend yet again. For the following reasons, it does not.
First, the timing of Oracle's disclosure would not help Plaintiffs show the underlying interceptions were made with the tortious intent necessary for the crime-tort exception to apply. Oracle represents it generated the discovery material in response to Plaintiffs' discovery requests, “does not generate or use such records in the ordinary course of business,” and “expend[ed] considerable resources to create” it. Dkt. 101, at 1 (emphasis omitted). Plaintiffs do not make a plausible showing that the timing of Oracle's production demonstrates tortious intent.
Second, Plaintiffs claim the substance of Oracle's discovery production shows Oracle has misrepresented its data collection policies to the public and to the Court and does, in fact, create and sell sensitive interest segments. This allegation mirrors similar claims Plaintiffs make throughout the SAC and their opposition to Oracle's motion to dismiss. Plaintiffs have repeatedly alleged, for example, that Oracle's data collection is “invasive,” see, e.g., Dkt. 99, at 1, but this claim is insufficient plausibly to allege Oracle had tortious motivation in collecting data. The fact data collection or sales might at some later point be deemed tortious does not justify application of the crime-tort exception. See In re DoubleClick Inc. Privacy Litig., 154 F.Supp.2d at 518-19 (noting “a culpable mind does not accompany every tortious act”). Plaintiffs' new allegations, in short, do not warrant granting leave to amend given they mirror allegations Plaintiffs have made before.
2. Intrusion Upon Seclusion Claim (Florida Common Law)
To state a claim for intrusion upon seclusion under Florida law, a plaintiff must show an intrusion onto a private place that would be highly offensive to a reasonable person. Hammer v. Sorensen, 824 Fed.Appx. 689, 695 (11th Cir. 2020). Intrusions can be either physical or electronic. Spilfogel v. Fox Broad. Co., 433 Fed.Appx. 724, 726 (11th Cir. 2011). The requirement that a plaintiff must “show an intrusion into a private place and not merely a private activity” goes beyond the Restatement (Second) of Torts, which has no such “private place” requirement. Id. (citing Allstate Ins. Co. v. Ginsberg, 863 So.2d 156, 161 n.3, 162 (Fla. 2003)). Courts have declined to extend Florida's protections against the invasion of privacy tort (of which intrusion upon seclusion is a subtype) to instances in which a party accesses digital files. See Celestine v. Capital One, No. 17-20237-Civ, 2017 WL 2838185, at *3 (S.D. Fla. June 30, 2017) (accessing a credit report does not constitute intrusion into a “place”); Bradley v. City of St. Cloud, No. 6:12-cv-1348-Orl-37TBS, 2013 WL 3270403, at *5 (M.D. Fla. June 26, 2013) (similar, for medical records).
Plaintiffs aver Oracle intruded into two private places-Plaintiff Golbeck's home and her password-protected devices-in a manner that would be highly offensive to a reasonable person. Plaintiffs' renewed attempts to argue Oracle's collection of browsing data constitute an invasion into a private place do not merit a different conclusion than that reached on Oracle's previous motion to dismiss. Targeting a household for advertising purposes is entirely different than surveilling a home, just as collecting many pieces of information about an individual does not transform what previously was not an intrusion into a physical place into such an intrusion. Plaintiffs try to characterize online browsing as “activity taking place within the confines” of the home, but, as Oracle notes, this browsing activity is “shared with website operators and her internet service provider,” Dkt. 88, at 4.
Similarly, the fact Golbeck may have kept her devices password-protected does not change the fact that her “communications with websites” constituted open conduct on the web rather than activity in a private place. Dkt. 90, at 21 (citing SAC ¶ 181). As before, Golbeck cites no authority for the proposition that collection of browsing data constitutes an intrusion into a private quarter. “Golbeck's conduct on the web . . . is neither password protected nor private.” Dkt. 92, at 3 n.3. Since Golbeck has not plausibly alleged Oracle intruded into a “private place,” her intrusion upon seclusion claim under Florida law must be dismissed.
IV. SEALING MOTIONS
The parties have filed administrative motions to seal parts of their sur-reply briefs. There is a strong presumption in favor of allowing public access when deciding whether materials should be sealed. See Apple Inc. v. Psystar Corp., 658 F.3d 1150, 1162 (9th Cir. 2011). A request to seal must be narrowly tailored. Civ. L.R. 79-5(c)(3). To overcome the presumption in favor of public access to a judicial record, there generally must be “compelling reasons supported by specific factual findings.” Kamakana v. City & Cty. of Honolulu, 447 F.3d 1172, 1178 (9th Cir. 2006) (“The mere fact that the production of records may lead to a litigant's embarrassment, incrimination, or exposure to further litigation will not, without more, compel the court to seal its records.”). Where a litigant presents compelling reasons to seal material, the court must then balance the interests of the public and the party seeking sealing. Ctr. for Auto Safety v. Chrysler Grp., LLC, 809 F.3d 1092, 1096-97 (9th Cir. 2016). This balancing test involves such factors as the public's interest in understanding the functioning of the judicial process and the volume of material sought to be sealed. See Zakinov v. Ripple Labs, Inc., No. 18-cv-6753, 2023 WL 5280193, at *1 (N.D. Cal. Aug. 15, 2023).
Here, Plaintiffs and Oracle seek to redact limited portions of their sur-reply briefs. It appears-as Plaintiffs represent-that the material to be sealed is at least as sensitive as information that has previously been permitted to be submitted under seal. Thus, the parties will be permitted to file the portions of each sur-reply brief they designate as sensitive under seal.
V. CONCLUSION
Plaintiffs' intrusion upon seclusion claim under Florida law is dismissed without leave to amend. Likewise, Plaintiffs' ECPA claim is dismissed without leave to amend. Dismissal of both claims without leave to amend is appropriate because amendment would be futile. The parties' administrative motions to seal are granted. Per the case schedule to which the parties previously stipulated, Defendant must file an answer to the SAC within 30 days of the date of this order.
IT IS SO ORDERED.