In Brown v. Google LLC, No. 4:20-CV-3664-YGR, 2023 WL 5029899, (N.D. Cal. Aug. 7, 2023), United States District Court Judge Yvonne Gonzalez Rogers details what constitutes standing to defeat a motion for summary judgment on breach of contract and various privacy violation claims:
“To have Article III standing to sue in federal court, plaintiffs must demonstrate, among other things, that they have suffered a concrete harm.” TransUnion LLC v. Ramirez, ––– U.S. ––––, 141 S.Ct. 2190, 2200, 210 L.Ed.2d 568 (2021). To determine what harms are sufficiently concrete for purposes of Article III, the Supreme Court has explained that “history and tradition offer a meaningful guide.” Id. at 2204 (cleaned up). Certain harms “readily qualify as concrete injuries under Art. III. The most obvious are traditional tangible harms, such as physical harms and monetary harms.” Id. Intangible harms, such as disclosure of private information or intrusion upon seclusion, have also been traditionally recognized. Id.; see also Eichenberger v. ESPN, 876 F.3d 979, 983 (9th Cir. 2017) (noting that “[v]iolations of the right to privacy have long been actionable at common law”).“As the party invoking federal jurisdiction, the plaintiffs bear the burden of demonstrating that they have standing.” Id. 2207. That burden changes as litigation develops. “In response to a summary judgment motion,” plaintiffs must demonstrate standing for each claim that they press and for each form of relief that they seek (for example, injunctive relief and damages).” Id. at 2208. That said, “the threshold question of whether plaintiff has standing (and the court has jurisdiction) is distinct from the merits of [their] claim.” Maya v. Centex Corp., 658 F.3d 1060, 1068 (9th Cir. 2011).For each of the seven counts,5 plaintiffs assert standing for two types of harm: breach of contract and invasion of privacy. They also seek two types of remedy: unjust enrichment and injunctive relief. The Court analyzes each.a. Standing as it Relates to the Nature of Harmi. Breach of Contract*4 Plaintiffs allege that they suffered harm under a breach of contract theory for Counts Six—breach of contract—and Seven—violation of California’s UCL. (4AC ¶ 272.) Plaintiffs proffer evidence that Google promised plaintiffs it would not collect their data while they were in private browsing mode and that it did so anyway. Google argues this is not enough—plaintiffs must show an additional concrete harm. According to Google, even assuming plaintiffs’ position, users will not have suffered a concrete harm. The Court disagrees.The “longstanding common law rule in most states,” including California, is that “the failure to perform a duty required by contract is a legal wrong, independently of actual damage sustained by the party to whom performance is due.” In re Google Referrer Header Privacy Litig., 465 F. Supp. 3d 999, 1010 (N.D. Cal. 2020) (citing Kenyon v. W. Union Tel. Co., 100 Cal. 454, 458, 35 P. 75 (1893) and 22 Am. Jur. 2d Damages § 17). In a suit for a violation of a private right—including “contract rights”—“courts historically presumed that the plaintiff suffered a de facto injury merely from having [their] personal, legal rights invaded.” Spokeo, Inc. v. Robins, 578 U.S. 330, 344, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016) (Thomas, J. concurring). That is why “a breach of contract claim accrues at the moment of breach and the injury, for standing purposes, is the breach itself.” In re Google Referrer, 465 F. Supp. 3d at 1011 (citing Alston v. Flagstar Bank, FSB, 609 Fed. App’x 2, 3 (D.C. Cir. 2015)).Nothing in TransUnion requires otherwise. As the Supreme Court held, the answer to what constitutes a concrete harm is rooted in historical practice. TransUnion, 141 S.Ct. at 2204. Plaintiffs can point to a “close historical or common-law analogue” to bring suit in federal court. Id. The instant action does not “merely seek[ ] to ensure a defendant’s compliance with regulatory law” or to remedy a “bare procedural violation.” Id. at 2206 (citing Spokeo, 578 U.S. at 345, 136 S.Ct. 1540 (Thomas, J. concurring)). Rather, plaintiffs allege a substantive breach of a private contract. Cf. Spokeo, 578 U.S. at 341, 136 S.Ct. 1540. That is sufficient for standing. As the Ninth Circuit recognized in finding standing for the same causes of action, “in an era where millions of Americans conduct their affairs increasingly through electronic devices, the assertion that federal courts are powerless to provide a remedy when an internet company surreptitiously collects private data is untenable.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 599 (9th Cir. 2020) (citing In re Google Inc. Cookie Placement Consumer Privacy Litig., 934 F.3d 316, 325 (3rd Cir. 2019) (cleaned up)).It is true, as Google notes, that some courts in this district have found that a breach of contract alone does not confer Article III standing. In re Google Referrer, 465 F.Supp.3d at 1011 (collecting cases). Those cases are inapplicable because in each of them plaintiffs sought only nominal damages. See, e.g. Svenson v. Google Inc., No. 13-cv-4080, 2016 WL 8943301 (N.D. Cal. Dec. 21, 2016). Here, plaintiffs are requesting actual damages and injunctive relief.The Court finds that plaintiffs have standing to bring their breach of contract and UCL claims. Google’s summary judgment motion on this point is Denied.ii. Invasion of PrivacyWith respect to the balance of the 4AC,6 plaintiffs root standing in a harm to privacy. Google responds that plaintiffs’ harm is not concrete enough to confer standing because it does not associate private browsing data with users’ profiles.*5 The Supreme Court has noted that certain torts, like the disclosure of private information and intrusion upon seclusion claims brought here, result in “intangible” but concrete harms. TransUnion, 141 S.Ct. at 2204. Where, as here, plaintiffs allege privacy harms in the context of both statutory and common law violations, courts are “guided in determining concreteness by both history and the judgment of Congress, or the legislature that enacted the statute.” Campbell v. Facebook, Inc., 951 F.3d 1106, 1116 (9th Cir. 2020) (cleaned up). Where a statute codifies procedural rights, the Supreme Court has held that their violation “would not invariably injure a concrete interest.” Eichenberger, 876 F.3d at 982 (citing Spokeo, 136 S.Ct. at 1549). In contrast, the violation of a statute that protects a “substantive right to privacy” does result in a concrete harm. Id. “Tellingly, privacy torts do not always require additional consequences to be actionable.” Eichenberger, 876 F.3d at 983 (citing Restatement (Second) of Torts § 652B cmt. b. (Am. Law Inst. 1977)). The intrusion into privacy itself is what makes a defendant liable. Id.The Ninth Circuit has found that each of the statutory claims brought here codify substantive rights to privacy. See In re Facebook Tracking, 956 F.3d at 598 (so holding for violations of the Wiretap Act, CIPA, CDAFA); Campbell, 951 F.3d at 1117–18 (so holding for UCL claims that were based on Wiretap Act and CIPA violations). Because plaintiffs’ claims also “arise under the core provisions of those statutes,” this Court finds that plaintiffs have Article III standing. See Campbell, 951 F.3d at 1118; see also Phillips v. United States Customs and Border Prot., 74 F.4th 986, –––– (9th Cir. 2023) (noting that Campbell is “consistent with many other cases in which we held that the plaintiffs had standing to challenge the retention of illegally obtained records because the retention amounted to an invasion of their privacy interests”).7Google’s argument that privacy harms are never concrete where only anonymized data is collected does not persuade given the evidence presented here. See Campbell, 951 F.3d at 1112. In Campbell, Facebook also argued that the plaintiffs lacked standing because the data at issue was “anonymized and aggregated.” Facebook’s Supplemental Br. Re: Spokeo, Inc. v. Robins, No. 17-16873, 2019 WL 2396054, at *1 (9th Cir. 2019). The Ninth Circuit disagreed. The court held that the only reason Facebook could access and use that data was because the users did not consent to the “collection and storage of information from private messages” from those users. Id. In short, because plaintiffs alleged that the defendant had collected their data “without consent,” Facebook had violated the “concrete privacy interests” that statutes like the Wiretap Act and CIPA protect, “regardless of how the collected data was later used.” Id. So too here. Plaintiffs have set forth specific facts demonstrating that the reason Google has access to their anonymous, aggregated data is through the collection and storage of information from users’ private browsing history without consent.8 That is enough, under Campbell, to confer standing given the sensitivity of the evidence at issue.9 That Google has a different view on the evidence does not mean that plaintiffs’ lack standing.*6 Google’s other cited authorities do not compel a different result.10 Rather, those cases confirm that the standing analysis is contextual. See, e.g., Facebook Tracking, 956 F.3d at 589–99 (finding standing not just because Facebook correlated data collected with users’ profiles but also because Facebook had promised not to collect users’ data after they logged out but did so anyway); I.C. v. Zynga, Inc., 600 F.Supp.3d 1034, 1049 (N.D. Cal. 2022) (finding a lack of standing where data at issue was not as sensitive as shown here, such as basic contact information, including one’s email address, phone number, or Facebook or Zynga username, is private information).What is more, plaintiffs set forth evidence that Google does store their data with unique identifiers. (PAF 25.)11 For example, plaintiffs have evidence that Google stores users’ regular and private browsing data in the same logs; it uses those mixed logs to send users personalized ads; and, even if the individual data points gathered are anonymous by themselves, when aggregated, Google can use them to “uniquely identify a user with a high probability of success.” (Dkt. No. 907-7, Ex. 77 ¶ 105.) This supports plaintiffs’ showing that they suffered concrete harm.For those reasons, the Court finds that plaintiffs have standing for counts One through Five. Google’s motion for summary judgment on this point is Denied.
Judge Gonzalez Rogers goes on to hold that triable issues of fact exist on the cause of action of violation of California Invasion of Privacy Act (CIPA):
Google seeks judgment on plaintiffs’ Section 632 claim on the grounds that the communications at issue are not confidential, namely the GET requests sent by users to third-party websites.31 Plaintiffs respond that users expect, when using Incognito mode, that those communications will remain private as to Google.Section 632 provides liability against “[e]very person who, intentionally and without the consent of all parties to a confidential communication, by means of any electronic amplifying or recording device, eavesdrops upon or records the confidential communication.” Cal. Penal Code. § 632. CIPA defines a “confidential communication” as:any communication carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto, but excludes a communication made … in any [ ] circumstance in which the parties to the communication may reasonably expect that the communication may be overheard or recorded.Id. at § 632(c). “The standard of confidentiality is an objective one defined in terms of reasonableness.” Faulkner v. ADT Sec. Servs., Inc., 706 F.3d 1017, 1019 (9th Cir. 2013) (cleaned up).When users open Incognito mode, they are met with a Splash Screen. (Incognito Splash Screen.) That page tells users that they can now “browse privately, and other people who use this device won’t see your activity.” (Id.) It warns users, however, that their activity “might still be visible to:” websites they visit, their employer or school, or their internet service provider. (Id.) Notably absent from that list is Google itself.The Court agrees with plaintiffs that a user could reasonably understand the Incognito Splash Screen to disclose that, while users’ communications might be accessible (at least in part) to the delineated third parties, they would not be accessible to Google. Indeed, one of the named plaintiffs testified that was his understanding. (PAF 14.)Google’s contrary arguments fail. Google first makes two arguments regarding the meaning conveyed by the Splash Screen. Google says that the Incognito Screen makes clear that privacy in Incognito has limits by telling users that their activity will be visible to entities online, including websites, employers, and ISPs. It also argues that, because plaintiffs knew they could be “overheard” by someone else, they had no expectation of privacy against anyone else, including Google. These arguments merely highlight that a material dispute exists over Google’s disclosures here. Certainly, they do not persuade as a matter of law. Given the statute defines “confidential communications” as requiring knowledge of the “parties thereto,” and plaintiffs have proffered evidence that they did not know that Google was intercepting their communications, there is a reasonable argument that plaintiffs had an expectation of privacy against Google even if they knew others could be listening in. See Cal. Penal Code § 632(b) (stating that “parties thereto” mean entities “known by all parties” to be listening in). The Court, again, is guided by the way that Google itself chose to represent its private browsing mode: Google told users that they could “go Incognito” and “browse privately.” By browsing privately, plaintiffs could be said to have asserted their expectation of privacy. Google is welcome to make the counterargument at trial.*17 Second, invoking Campbell32, Google argues that, because websites record users’ private browsing activity, users have no expectation of privacy. All electronic communications are recorded; Google argues that means electronic communications are presumptively unprotected by CIPA.With respect to this argument, the Court begins with the statute. Nothing in Section 632 ties confidentiality to the mode in which a conversation is recorded. Rather, the inquiry is whether “any party to the communication desires it to be confined to the parties thereto.” Cal. Pen. Code § 630(c). These is a fact-intensive inquiry. For that reason, CIPA “has been read to require the assent of all parties to a communication before another may listen.” Ribas v. Clark, 38 Cal.3d 355, 361, 212 Cal.Rptr. 143, 696 P.2d 637 (Cal. 1985); see also Flanagan v. Flanagan, 27 Cal.4th 766, 775, 117 Cal.Rptr.2d 574, 41 P.3d 575 (2002) (citing to Ribas in support).33 As stated above, Google has not shown, as a matter of law, that all parties consented to it recording the communications here and therefore summary judgment is not appropriate.Google’s narrower argument, that California courts have developed a presumption that users do not have an expectation of privacy over internet communications, fails on examination. In Flanagan, the California Supreme Court resolved a split among its courts of appeal on the standard for confidentiality. It held that confidentiality, under Section 632, requires “nothing more than the existence of a reasonable expectation by one of the parties that no one is listening in or overhearing the conversation.” 27 Cal. 4th 766, 773, 117 Cal.Rptr.2d 574, 41 P.3d 575 (Cal. 2002). This was because there is a “critical distinction between eavesdropping upon or recording a conversation and later disseminating its content.” Id. at 775, 117 Cal.Rptr.2d 574, 41 P.3d 575. By focusing on “simultaneous dissemination, not secondhand repetition” the California Supreme Court held that Section 632 would better fulfill CIPA’s legislative purpose of protecting privacy interests. Id. In short, Section 632 protects against “intentional, nonconsensual recording” of communications “regardless of the content of the conversation” involved or how parties choose to disseminate it thereafter. Id. at 776, 117 Cal.Rptr.2d 574, 41 P.3d 575.True, the California Supreme Court has not yet opined on the contours of Section 632 confidentiality in the context of internet communications. See Smith v. LoanMe, Inc., 11 Cal.5th 183, 193, 276 Cal.Rptr.3d 746, 483 P.3d 869 (Cal. 2021) (noting that Flanagan remains the California Supreme Court’s most extensive discussion of the CIPA provisions at issue). Nonetheless, Flanagan and its progeny recognized that CIPA was intended to cover newer forms of communication. See Flanagan, 27 Cal.4th at 774, 117 Cal.Rptr.2d 574, 41 P.3d 575 (holding that, because Section 632 defines confidential communications as “includ[ing]” certain communications, and “includes” is “ordinarily a term of enlargement rather than limitation,” Section 632 should be interpreted inclusively); Smith, 11 Cal.5th at 191, 276 Cal.Rptr.3d 746, 483 P.3d 869 (noting that the California Legislature has updated CIPA to cover emerging technologies that raise new privacy issues). That said, numerous courts in this district have noted that “California appeals courts have generally found that Internet-based communications are not ‘confidential’ within the meaning of Section 632, because such communications can easily be shared by, for instance, the recipient(s) of the communications.” Campbell, 77 F.Supp.3d at 839.34*18 Notwithstanding those findings, California courts have never recognized a legal “presumption” that internet communications are not confidential under Section 632.35 Those cases refer to People v. Nakai, 183 Cal.App.4th 499, 107 Cal.Rptr.3d 402 (2010), which says nothing about a presumption.36 Instead, the Nakai court evaluated the specific circumstances of that case before it. There, the court determined that a criminal defendant did not have a reasonable expectation of privacy over his sexually explicit chats, shared over a Yahoo! Chatroom, with a minor. It did so because: Yahoo!’s Privacy Policy indicated that chat dialogues could be shared to investigate or prevent illegal activity; Yahoo! warned users that chats could be archived; defendant was communicating online with a person he did not know in real life (and who turned out not to be a minor at all); and defendant had expressed during the chats a fear that someone would overhear, suggesting he knew that the communications could be intercepted. 183 Cal.App.4th at 501, 512, 107 Cal.Rptr.3d 402.37Ultimately, Flanagan controls and instructs that the question under CIPA is whether, at the time of the conversation, the aggrieved party had a reasonable expectation that it would be “confined to the parties thereto.” Cal. Pen. Code § 632(c). On this question, the Court finds a triable issue exists. Given Google’s portrayal of Incognito mode and its failure to explicitly notify users it would be among the third parties recording their communications with other websites, plaintiffs could have had a reasonable expectation of privacy over their private browsing. That these communications occurred over the internet does not automatically mean that plaintiffs gave up that expectation of privacy they had when they went Incognito. Times change, as do modes of communication. What may have been a reasonable expectation in 2006 when Nakai was decided is not necessarily so in 2023.For those reasons, Google’s summary judgment motion as to plaintiffs’ CIPA claim is Denied.