In Re Google Inc. Cookie Placement Consumer Privacy Litigation

PRECEDENTIAL UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT _______________ No. 13-4300 _______________ IN RE: GOOGLE INC. COOKIE PLACEMENT CONSUMER PRIVACY LITIGATION William Gourley; Jose M. Bermudez; Nicholas Todd Heinrich; Lynne Krause, Appellants _______________ On Appeal from the United States District Court for the District of Delaware (No. 1-12-md-02358) District Judge: Honorable Sue L. Robinson _______________ Argued December 11, 2014 Before: FUENTES, FISHER, and KRAUSE, Circuit Judges (Opinion Filed: November 10, 2015) Jason O. Barnes, Esq. [ARGUED] Barnes & Associates 219 East Dunklin Street, Suite A Jefferson City, MO 65101 James P. Frickleton, Esq. Bartimus Frickleton Robertson & Gorny 11150 Overbrook Road, Suite 250 Leawood, KS 66211 Edward D. Robertson, Jr., Esq. Bartimus Frickleton Robertson & Gorny 715 Swifts Highway Jefferson City, MO 65109 Brian R. Strange, Esq. Strange & Carpenter 12100 Wilshire Boulevard Suite 1900 Los Angeles, CA 90025 Attorneys for Plaintiff-Appellants Colleen Bal, Esq. Michael H. Rubin, Esq. [ARGUED] Wilson, Sonsini, Goodrich & Rosati One Market Street Spear Tower, Suite 3300 San Francisco, CA 94105 2 Michael H. Rubin, Esq. Wilson, Sonsini, Goodrich & Rosati One Market Street Spear Tower, Suite 3300 San Francisco, CA 94105 Anthony J. Weibell, Esq. Wilson, Sonsini, Goodrich & Rosati 650 Page Mill Road Palo Alto, CA 94304 Attorneys for Defendant-Appellee Google Inc. Edward P. Boyle, Esq. David N. Cinotti, Esq. Venable 1270 Avenue of the Americas 24th Floor, Rockefeller Center New York, NY 10020 Travis S. Hunter, Esq. Rudolf Koch, Esq. Richards, Layton & Finger 920 North King Street One Rodney Square Wilmington, DE 19801 Attorneys for Defendant-Appellee Vibrant Media Inc. Lisa M. Coyle, Esq. Ropes & Gray 1211 Avenue of the Americas New York, NY 10036 3 Douglas H. Meal, Esq. Ropes & Gray 800 Boylston Street Prudential Tower Boston, MA 02199 Attorneys for Defendant-Appellees Media Innovation Group LLC and WPP PLC _______________ OPINION OF THE COURT _______________ FUENTES, Circuit Judge: This class action arises from allegations that the defendants, who run internet advertising businesses, placed tracking cookies on the plaintiffs’ web browsers in contravention of their browsers’ cookie blockers and defendant Google’s own public statements. At issue in this appeal is the District Court’s dismissal of each of the nine claims brought by the plaintiffs. As follows, we will affirm in part, vacate in part, and remand to the District Court for additional proceedings. I. Background A. Internet Advertising and Cookie-Based Tracking 4 In most users’ experience, webpages appear on browsers as integrated collages of text and images. As a technical matter, this content is delivered and aggregated from multiple independent servers. This includes advertising content, which is typically drawn from “third-party” servers owned by the advertisers themselves. The defendants in this case are internet advertising companies, and this suit concerns their practices in serving advertisements to the browsers of webpage visitors. The delivery of advertising content from third party servers to webpage visitors’ browsers is a highly technical process involving a series of communications between the visitor’s browser, the server of the visited website, and the server of the advertising company. In its specifics: The host website leaves part of its webpage blank where the third-party advertisements will appear. Upon receiving a “GET” request from a user seeking to display a particular webpage, the server for that webpage will subsequently respond to the browser, instructing the browser to send a “GET” request to the third-party company charged with serving the advertisements for that particular webpage. . . . The third-party server responds to the GET request by sending the advertisement to the user’s browser, which then displays it on the user’s device. The entire process occurs within milliseconds and the third-party content appears to arrive simultaneously with the first-party 5 content so that the user does not discern any separate GET requests from the third-parties.1 As the defendants deliver their advertisements directly to users from their own servers, the defendants have the capacity to vary how they populate their rented webpage space. This capacity permits targeting by which the defendants may serve different advertisements to different visitors. The general principle is that the more that an advertisement is tailored to its audience—sneakers for runners, legal pads for lawyers—the greater the advertisement’s expected value. Here, the value of customization, combined with the capacity for individuated advertisement service, impels internet advertisers to surmise whatever they can about each particular person requesting webpage content. As pled in the complaint: To inject the most targeted ads possible, and therefore charge higher rates to buyers of the ad space, these third-party companies . . . compile the [i]nternet histories of users. The third-party advertising companies use “third-party cookies” to accomplish this goal. In the process of injecting the advertisements into the first-party websites, the third-party advertising companies also place third-party cookies on user’s computing devices. Since the advertising companies place advertisements on multiple sites, these cookies allow these companies to 1 Compl. ¶ 41. 6 keep track of and monitor an individual user’s web activity over every website on which these companies inject ads.2 These third-party cookies are used by advertising companies to help create detailed profiles on individuals . . . by recording every communication request by that browser to sites that are participating in the ad network, including all search terms the user has entered. The information is sent to the companies and associated with unique cookies—that is how the tracking takes place. The cookie lets the tracker associate the web activity with a unique person using a unique browser on a device. Once the third-party cookie is placed in the browser, the next time the user goes to a website with the same [d]efendant’s advertisements, a copy of that request can be associated with the unique third-party cookie previously placed. Thus the tracker can track the behavior of the user . . . .3 B. Cookie Blocking, Circumvention, Deceit, and Discovery Individually tailored webpage advertisements are now ubiquitous. But, where cookie-based tracking is concerned, leading web browsers have designed built-in features to prevent the installation of cookies by third-party servers. The 2 Compl. ¶ 45. 3 Compl. ¶ 46. 7 complaint calls them “cookie blockers.” The cookie blockers of two browsers are at issue in this case. One is Microsoft’s Internet Explorer, which featured an “opt-in” cookie blocker that a user could elect to activate. The other is Apple’s Safari browser, which featured an “opt-out” cookie blocker that was activated by default. The complaint notes that the main Apple website page dedicated to Safari advertised its opt-out cookie blocker as a unique feature, stating that, “to better protect[] your privacy[,] Safari accepts cookies only from the websites you visit.”4 Likewise, the Safari browser labeled its default cookie setting as “Block cookies: From third parties and advertisers.”5 According to the complaint, the Safari and Internet Explorer cookie blockers were well-known to industry participants, including as to their existence, functionality, and purpose. More is alleged about Google in particular. Google’s Privacy Policy explained that “most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent.”6 Google provided further assurances about the Safari cookie blocker specifically. Google offered a proprietary cookie blocker, a so-called “opt-out cookie” that, when downloaded, would prevent the installation of tracking cookies. On the public webpage Google maintained to describe its opt-out cookie, Google assured visitors that “Safari is set by default 4 Compl. ¶ 69. 5 Compl. ¶ 71. 6 Compl. ¶ 80. 8 to block all third party cookies. If you have not changed those settings, this option essentially accomplishes the same thing as setting the opt-out cookie.”7 In February 2012, Stanford graduate student Jonathan Mayer published an online report revealing that Google and the other defendants had discovered, and were surreptitiously exploiting, loopholes in both the Safari cookie blocker and the Internet Explorer cookie blocker.8 Safari’s cookie blocker turns out to have had a few exceptions, one of which was that it permitted third-party cookies if the browser submitted a certain form to the third-party. Because advertisement delivery does not, in the ordinary course, involve such forms, the exception ought not have provided a pathway to installing advertiser tracking cookies. But according to Mayer’s report, Google used code to command users’ web browsers to automatically submit a hidden form to Google when users visited websites embedded with Google advertisements. This covert form triggered the exception to the cookie blocker, and, used widely, enabled the broad placement of cookies on Safari browsers notwithstanding that the blocker—as Google publicly acknowledged—was designed to prevent just that. The other defendants, meanwhile, accomplished similar circumventions. As a result, the defendants could—and did— place third-party cookies on browsers with activated blockers. 7 Compl. ¶ 79. 8 Compl. ¶ 75; Jonathan Mayer, Web Policy Blog, Safari Trackers (Feb. 17, 2012), http://webpolicy.org/2012/02/17/safari-trackers/. 9 Mayer’s findings were concurrently published in the Wall Street Journal9 and drew the attention of the Federal Trade Commission and a consortium of state attorneys general. The Department of Justice filed suit under the Federal Trade Commission’s authorizing statute in the Northern District of California, and the action resolved by way of a stipulated order providing for a $22.5 million civil penalty.10 Google further agreed to certain forward-looking conditions related to internet privacy, but admitted no past acts or wrongdoing.11 Google similarly reached a $17 million 9 Compl. ¶ 74; Julia Angwin & Jennifer Valentino-Devries, Google’s iPhone Tracking: Web Giant, Others Bypassed Apple Browser Settings for Guarding Privacy, Wall Street Journal (Feb. 17, 2012), http://www.wsj.com/article_email/SB1000142405297020488 0404577225380456599176. 10 Compl. ¶¶ 166-68; United States v. Google, Inc., N.D. Cal. No. 12-cv-4177, Docs. 1, 30; see also Press Release, Federal Trade Commission, Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple’s Safari Internet Browser: Privacy Settlement is the Largest FTC Penalty Ever for Violation of a Commission Order (Aug. 9, 2012), https://www.ftc.gov/news- events/press-releases/2012/08/google-will-pay-225-million- settle-ftc-charges-it-misrepresented. 11 Compl. ¶ 169; Google, N.D. Cal. No. 12-cv-4177, Docs. 30, 32. 10 settlement with 38 state attorneys general, including the California Attorney General.12 C. The Instant Suit Following Mayer’s report, a series of lawsuits were filed in federal district courts around the country. Those 12 See Settlement Agreement between Google, Inc. & the Attorneys General of the States of Alabama, Arizona, Arkansas, California, Connecticut, Florida, Illinois, Indiana, Iowa, Kansas, Kentucky, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Nebraska, Nevada, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and Wisconsin, as well as the District of Columbia, available at http://www.ncdoj.gov/News-and-Alerts/News-Releases-and- Advisories/Related-Information/Google-Safari-Settlement- Agreement.aspx; see also Claire Cain Miller, Google to Pay $17 Million to Settle Privacy Case, N.Y. Times (Nov. 18, 2013), http://www.nytimes.com/2013/11/19/technology/google-to- pay-17-million-to-settle-privacy-case.html. The settlement with the state attorneys general post-dated the District Court’s dismissal order, and thus the filing of the complaint. Because the fact of this settlement is well-documented and officially recognized by the many governmental parties to it, and because the public policy implications of imposing liability on defendant Google are highly relevant to the disposition of two of the plaintiffs’ claims, we will take judicial notice of Google’s settlement with the state attorneys general. 11 lawsuits were consolidated by the Multi-District Litigation panel and assigned to Judge Sue Robinson of the District of Delaware. This appeal is from the District Court’s dismissal of that consolidated case. The consolidated case was presented to the District Court as a putative class action, and four named plaintiffs— our appellants here—filed a consolidated class action complaint. The putative class consists of: all persons in the United States of America who used the Apple Safari or Microsoft Internet Explorer web browsers and who visited a website from which doubleclick.net (Google’s advertising serving service), PointRoll, Vibrant Media, Media Innovation Group, or WPP cookies were deployed as part of a scheme to circumvent the users’ browsers’ settings to block such cookies and which were thereby used to enable tracking of the class members[’] [i]nternet communications without consent.13 The complaint asserts three federal law claims against all defendants. Count I claims violation of the federal Wiretap Act, 18 U.S.C. § 2510 et seq. Count II claims violation of the Stored Communications Act, 18 U.S.C § 2701. And Count III claims violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. 13 Compl. ¶ 191. 12 The complaint also asserts six California state law claims against Google only. Count IV claims violation of the privacy right conferred by the California Constitution. Count V claims intrusion upon seclusion under California tort law. Count VI claims violation of the Unfair Competition Law, Cal. Bus. & Prof. Code § 17200. Count VII claims violation of the California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502. Count VIII claims violation of the California Invasion of Privacy Act, Cal. Penal Code § 630 et seq. And Count IX claims violation of the California Consumers Legal Remedies Act, Cal. Civ. Code § 1750 et seq. The defendants moved to dismiss the entire complaint for lack of Article III standing and for failure to state any claim. Without definitively resolving the standing challenge, the District Court agreed with the defendants that the allegations in the complaint did not give rise to any action, and on that basis dismissed the complaint under Rule 12(b)(6).14 On appeal, the plaintiffs challenge the dismissal of each of their nine claims, and the defendants renew their contention that the plaintiffs lack Article III standing. II. Injury in Fact Before we reach the merits, we address the defendants’ argument that the plaintiffs lack standing. “[T]he question of standing is whether the litigant is entitled to have the court 14 In re Google Inc. Cookie Placement Consumer Privacy Litig., 988 F. Supp. 2d 434 (D. Del. 2013). 13 decide the merits of the dispute or of particular issues.”15 A core requirement of standing is that the plaintiff have suffered an injury in fact. The defendants contend that the plaintiffs fail to demonstrate injury in fact because they make insufficient allegations of pecuniary harm. For purposes of injury in fact, the defendants’ emphasis on economic loss is misplaced. In assessing injury in fact, we look for an “invasion . . . which is (a) concrete and particularized; and (b) actual or imminent, not conjectural or hypothetical.”16 Though the “injury must affect the plaintiff in a personal and individual way,”17 this standard does not demand that a plaintiff suffer any particular type of harm to have standing. Consequently, and contrary to the contentions of the defendants, a plaintiff need not show actual monetary loss for purposes of injury in fact. Rather, “the actual or threatened injury required by Art. III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing.”18 Sure enough, the Supreme Court itself 15 Storino v. Borough of Point Pleasant Beach, 322 F.3d 293, 296 (3d Cir. 2003) (internal quotation marks omitted). “If [the] plaintiffs do not possess Article III standing, both the District Court and this Court lack subject matter jurisdiction to address the merits of [the] plaintiffs’ case.” Id. (internal quotation marks omitted). 16 Pichler v. UNITE, 542 F.3d 380, 390 (3d Cir. 2008) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992)). 17 Lujan, 504 U.S. at 560 n.1. 14 has permitted a plaintiff to bring suit for violations of federal privacy law absent any indication of pecuniary harm.19 The plaintiffs here base their claims on highly specific allegations that the defendants, in the course of serving advertisements to their personal web browsers, implanted tracking cookies on their personal computers. Irrespective of whether these allegations state a claim, the events that the complaint describes are concrete, particularized, and actual as to the plaintiffs. To the extent that the defendants believe that the alleged conduct implicates interests that are not legally protected, this is an issue of the merits rather than of standing. The plaintiffs show injury in fact, and we have jurisdiction to address the merits of their claims.20 18 Havens Realty Corp. v. Coleman, 455 U.S. 363, 373 (1982) (alteration in original) (internal quotation marks omitted); see also Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 183 (2000) (“[E]nvironmental plaintiffs adequately allege injury in fact when they aver that they use the affected area and are persons for whom the aesthetic and recreational values of the area will be lessened by the challenged activity.”) (internal quotation marks omitted). 19 See Doe v. Chao, 540 U.S. 614, 641 (2004) (Ginsburg, J., dissenting) (“Doe has standing to sue, the Court agrees, based on ‘allegations that he was “torn . . . all to pieces” and “greatly concerned and worried” because of the disclosure of his Social Security number and its potentially “devastating” consequences.’”). 20 The District Court had subject matter jurisdiction over the plaintiffs’ federal law claims under 28 U.S.C. § 1331. It had 15 III. Federal Claims Against All Defendants We first address the three federal law claims brought against all defendants. For the following reasons, we will vacate the dismissal of the plaintiffs’ Wiretap Act claim but affirm the dismissal of the plaintiffs’ claims under the Stored Communications Act and Computer Fraud and Abuse Act. A. The Federal Wiretap Act The federal Wiretap Act is codified at 18 U.S.C. § 2510 et seq. A plaintiff pleads a prima facie case under the Act by showing that the defendant “(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device.”21 Of subject matter jurisdiction over the plaintiffs’ state law claims for two independent reasons: supplemental jurisdiction under 28 U.S.C. § 1367, and diversity jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d). We have jurisdiction over the District Court’s final dismissal under 28 U.S.C. § 1291. 21 In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9, 18 (1st Cir. 2003) (citing 18 U.S.C. § 2511(1)(a)); see also §§ 2510(4) (providing that “‘intercept’ means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device”), 2520 (providing a private right of action)). 16 several statutory exceptions, one is the exception of § 2511(2)(d). Section 2511(2)(d) provides that, ordinarily, no cause of action will lie against a private person “where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception.”22 1. Acquisition of “Content” The District Court dismissed the plaintiffs’ Wiretap Act claim on the basis that the defendants’ alleged conduct did not involve the acquisition of communications “content.” While the plaintiffs allege that the defendants acquired and tracked the URLs they visited, the Act defines “contents” as “any information concerning the substance, purport, or meaning of th[e] communication [at issue].”23 The District Court held that, “[a]s described by their name, ‘Universal Resource Locators,’ . . . . a URL is a location identifier and does not ‘concern [ ] the substance, purport, or meaning’ of an electronic communication.’”24 22 The exception does not apply if “such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d). 23 18 U.S.C. § 2510(8). 24 In re: Google, 988 F. Supp. 2d at 444 (final alteration in original) (quoting 18 U.S.C. § 2510(8)). 17 In Smith v. Maryland, the Supreme Court made clear the important difference between extrinsic information used to route a communication and the communicated content itself.25 In Smith, the Supreme Court found no Fourth Amendment violation from the government’s warrantless use of a pen register.26 Distinguishing its holding in Katz v. United States27 that warrantless wiretapping violated the Fourth Amendment, the Supreme Court explained that “a pen register differs significantly from the listening device employed in Katz, for pen registers do not acquire the contents of communications.”28 Rather, the Court explained, pen registers “disclose only the telephone numbers that have been dialed—a means of establishing communication. Neither the purport of any communication between the caller and the recipient of the call, their identities, nor whether the call was even completed is disclosed by pen registers.”29 Smith’s differentiation between the “means of establishing communication” and the “purport of a[] communication”30 looms large in federal surveillance law. 25 442 U.S. 735 (1979). 26 Id. at 745-46. 27 389 U.S. 347 (1967). 28 Id. at 741 (emphasis in original). 29 Id. (quoting United States v. New York Tel. Co., 434 U.S. 159, 167 (1977)). 30 Id. 18 Whereas the Wiretap Act governs the interception of communications “content[],”31 the separate federal Pen Register Act governs the acquisition of non-content “dialing, routing, addressing, [or] signaling information.”32 As the House of Representatives noted in its Report regarding the enactment of the PATRIOT Act, “the statutorily prescribed line between a communication’s contents and non-content information[] [is] a line identical to the constitutional distinction drawn by the U.S. Supreme Court in Smith v. Maryland.”33 Since Smith, location identifiers have classically been associated with non-content “means of establishing communication.”34 Nevertheless, the District Court’s 31 18 U.S.C. § 2510(4); see also id. § 2511(1)(a). 32 18 U.S.C. §§ 3121(c), 3127(3)-(4). Where surveillance by law enforcement is concerned, “[t]he difference in the standards for court approval of content-capturing wiretaps and non-content-capturing pen registers is dramatic—content information is protected by a ‘super-warrant,’ non-content information by a rubber stamp.” Matthew J. Tokson, The Content/Envelope Distinction in Internet Law, 50 Wm. & Mary L. Rev. 2105, 2120 (2009). 33 Report of the House of Representatives Judiciary Committee, H. Rep. No. 107-236, at 53, available at http://www.gpo.gov/fdsys/pkg/CRPT-107hrpt236/pdf/CRPT- 107hrpt236-pt1.pdf. 34 Smith, 442 U.S. at 741 (quoting New York Tel. Co., 434 U.S. at 167). 19 categorical assessment that location identifiers never “concern[] the substance, purport, or meaning” of a communication misses the mark.35 Often, a location identifier serves no routing function, but instead comprises part of a communication’s substance.36 As a leading treatise on criminal procedure explains: [T]he line between content and non-content information is inherently relative. If A sends a letter to B, asking him to deliver a package to C at a particular address, the contents of that letter are contents from A to B but mere non-content addressing information with respect to the delivery of the package to C. In the case of e- mail, for example, a list of e-mail addresses sent as an attachment to an e-mail communication from one person to another are contents rather than addressing information. In short, whether an e-mail address is content or non-content information depends entirely on the 37 circumstances. In essence, addresses, phone numbers, and URLs may be dialing, routing, addressing, or signaling information, but only when they are performing such a function. If an address, 35 18 U.S.C. § 2510(8). 36 See generally Orin Kerr, Websurfing and the Wiretap Act, Wash. Post. (June 4, 2015), https://www.washingtonpost.com/news/volokh- conspiracy/wp/2015/06/04/websurfing-and-the-wiretap-act/. 37 Wayne R. LaFave, et al., 2 Crim. Proc. § 4.4(d) (3d ed.). 20 phone number, or URL is instead part of the substantive information conveyed to the recipient, then by definition it is “content.” The different ways that an address can be used means, as Professor Orin Kerr puts it, that “the line between contents and metadata is not abstract but contextual with respect to each communication.”38 Thus, there is no general answer to the question of whether locational information is content. Rather, a “content” inquiry is a case-specific one turning on the role the location identifier played in the “intercepted” communication. Here, the complaint does not make clear whether the tracked URLs were acquired by the defendants from communications in which those URLs played a routing function. This is not, however, fatal to the plaintiffs’ claim. In a declassified opinion analyzing whether there was statutory authority for a National Security Agency surveillance program, the Foreign Intelligence Surveillance Court observed that the government possessed trap and trace authority over “dialing, routing, addressing, and signaling information . . . provided, however, that such information shall not include the contents of any information.”39 The 38 Kerr, Websurfing and the Wiretap Act. 39 [Redacted], No. PR/TT [Redacted] (FISA Ct. 2010), available at http://www.dni.gov/files/documents/1118/CLEANEDPRTT%2 02.pdf at 26 (quoting 18 U.S.C. § 3127(4)). 21 Surveillance Court read this to mean that, for purposes of federal surveillance law, information may well serve both a routing function and a content function. Noting the breadth of the statutory descriptions of routing information and “content,” the Surveillance Court concluded that routing information and “content” are not mutually exclusive categories, but rather ones that Congress expressly contemplated to be occasionally coextensive.40 Proceeding to identify exemplary areas where routing information and “content” overlap, the Surveillance Court pointed, “in particular,” to URL queries that involve reproduction of a search phrase entered by a user into a search engine.41 Quoting the District of Massachusetts, the Surveillance Court explained that, “if a user runs a search using an [i]nternet search engine, the ‘search phrase would appear in the URL after the first forward slash’ as part of the addressing information, but would also reveal contents, i.e., the ‘“substance” and “meaning” of the communication . . . that the user is conducting a search for information on a particular topic.’”42 For an example from another context, the court pointed to post-cut-through digits in the phone context “as 40 Id. at 31. 41 Id. at 32. 42 Id. at 32 (final alteration in original) (quoting In re Application of the U.S., 396 F. Supp. 2d 45, 49 (D. Mass. 2005)). 22 dialing information, some of which also constitutes contents.”43 The decision of the Surveillance Court is instructive in several ways relevant to our analysis here. The first of these is that, to the extent that the statutory definitions and conceptual categories of content and routing information overlap, Congress expressly contemplated the possibility of such an overlap. For the reasons stated by the Surveillance Court, we are persuaded that, under the surveillance laws, “dialing, routing, addressing, and signaling information” may also be “content.” Second, the Surveillance Court takes the position that queried URLs can be content as well as routing information, for instance in the case of URLs that reproduce search engine inquiries. Though some district courts have held that a URL is never content, the Surveillance Court decision is part of a growing chorus that some, if not most, queried URLs do contain content. In In re Zynga Privacy Litigation, the Ninth Circuit took the position that queried URLs are content if, but only if, they reproduce words from a search engine query.44 43 Id. at 33. As the Southern District of Texas has explained, “‘[p]ost-cut-through dialed digits’ are any numbers dialed from a telephone after the call is initially setup or ‘cut- through.’” In re Application of the U.S., 441 F. Supp. 2d 816, 818 (S.D. Tex. 2006). “Sometimes these digits transmit real information, such as bank account numbers, Social Security numbers, prescription numbers, and the like.” Id. 44 750 F.3d 1098, 1108-09 (9th Cir. 2014) (“[A] user’s request to a search engine for specific information could 23 In United States v. Forrester, meanwhile, a different panel of the Ninth Circuit noted that warrantless capture of URLs generally “might be more constitutionally problematic” than warrantless capture of IP addresses.45 The Forrester court explained that “[a] URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person’s [i]nternet activity.”46 Akin to Forrester is the stance taken by the House Judiciary Committee in its PATRIOT Act report, which stated that a pen register order “could not be used to collect information other than ‘dialing, routing, addressing, and signaling’ information, such as the portion of a URL (Uniform Resource Locator) specifying Web search terms or constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication. But the referrer header information at issue here includes only basic identification and address information, not a search term or similar communication made by the user, and therefore does not constitute the contents of a communication.”). 45 512 F.3d 500, 510 n.6 (9th Cir. 2008). An “IP address” is “[t]he 10-digit identification tag used by computers to locate specific websites.” Black’s Law Dictionary (10th ed. 2014) (“Internet-protocol address”). 46 512 F.3d at 510 n.6; see also Tokson, The Content/Envelope Distinction in Internet Law, 50 Wm. & Mary L. Rev. at 2136 (“[S]tandard URLs . . . reveal every bit as much content as do URLs containing search terms.”). 24 the name of a requested file or article.”47 Though none of these authorities offer detailed reasoning on why they draw the “content” line where they do, what they have in common is that they assess whether a URL involves “contents” based on how much information would be revealed by disclosure of the URL. Third, the Surveillance Court’s example of post-cut- through digits in the telephone context—i.e. numbers dialed from a telephone after a call is already setup or “cut- through”—hints at a different reason why queried URLs might be considered content. A number of courts apart from the Surveillance Court—most prominently the D.C. Circuit— have found such digits to comprise communications content beyond the permissible scope of a pen register.48 URL queries 47 See H. Rep. No. 107-36, at 53. 48 See U.S. Telecom Ass’n v. F.C.C., 227 F.3d 450, 462 (D.C. Cir. 2000) (“Post-cut-through dialed digits can . . . represent call content. For example, subjects calling automated banking services enter account numbers. When calling voicemail systems, they enter passwords. When calling pagers, they dial digits that convey actual messages. And when calling pharmacies to renew prescriptions, they enter prescription numbers.”); In re Applications of the U.S., 515 F. Supp. 2d 325, 339 (E.D.N.Y. 2007) (“[T]he “Government’s request for access to all post-cut-through dialed digits is not clearly authorized by the Pen/Trap Statute, and . . . granting such a request would violate the Fourth Amendment . . . .”); In re Application of the U.S., 441 F. Supp. 2d at 827 (“Post-cut- through dialed digits . . . are not available to law enforcement under the Pen/Trap Statute.”). 25 bear functional analogues to this process, in that different portions of a queried URL may serve to convey different messages to different audiences. For instance, the domain name portion of the URL—everything before the “.com”— instructs a centralized web server to direct the user to a particular website, but post-domain name portions of the URL are designed to communicate to the visited website which webpage content to send the user.49 As stated above, we agree with the Surveillance Court that routing information and content are not mutually exclusive categories. And between the information revealed by highly detailed URLs and their functional parallels to post- cut-through digits, we are persuaded that—at a minimum— some queried URLs qualify as content.50 Indeed, the 49 See generally Jonathan Mayer, Web Browsing (Under the Pen Register Act and Wiretap Act), (Nov. 28, 2014). https://www.youtube.com/watch?v=7vFha-af7GE 50 We need not make a global determination as to what is content, and why, in the context of queried URLs. Lack of consensus, the complexity and rapid pace of change associated with the delivery of modern communications, and the facileness of direct analogy to mail and telephone cases counsel the utmost care in considering what is, and what is not, “content” in the context of web queries. Indeed, when it comes to differentiating content from non-content, Professor Kerr describes queried URLs as “the most difficult and discussed case.” Orin S. Kerr, Applying the Fourth Amendment to the Internet: A General Approach, 62 Stan. L. Rev. 1005, 1030 n. 93 (2010); see also Orin S. Kerr, Internet Surveillance Law after the USA Patriot Act: The Big Brother that Isn’t, 97 Nw. U. L. Rev. 607, 644-48 (2003); cf. Tokson, 26 defendants’ counsel acknowledged as much at argument.51 Because the complaint pleads a broad scheme in which the defendants generally acquired and tracked the plaintiffs’ internet usage, we are satisfied that this scheme, if it operated as alleged, involved the collection of at least some “content” within the meaning of the Wiretap Act.52 The Content/Envelope Distinction in Internet Law, 50 Wm. & Mary L. Rev. at 2136 (“Perhaps because it is so intuitive that search terms in a URL should be considered content, the treatment of content-revealing communications data is undertheorized in computer surveillance scholarship.”). 51 Oral Arg. Tr. at 44 (“We acknowledge that there may be URLs that could constitute content.”). 52 Because the URL information acquired and tracked by the defendants is “content” for purposes of the plaintiffs’ Wiretap Act claim, we need not consider whether the defendants acquired and/or tracked other “content” from the electronic transmissions at issue. Our understanding of the factual position of the defendants is that their cookies operate by adding a unique sequence of letters and/or numbers to any GET request transmitted from the user browser hosting the cookie to the advertiser server that set the cookie. See Oral Arg. Tr. at 25 (“The cookie doesn’t acquire anything. . . . The cookie doesn’t look for anything. It just sits on the browser and gets sent along with information that would otherwise be sent.”); id. at 26 (“Maybe it’s sort of like a bookmark. Information gets sent anyway every day, all the time. And then a cookie is placed. And thereafter the same information is sent, except that the cookie is there, too. It’s unique. It’s not personally identifying. It has nothing to do with the actual 27 2. Section 2511(2)(d) According to the defendants, even if we find that the plaintiffs adequately plead the acquisition of “content,” we may affirm nevertheless under § 2511(2)(d). Section 2511(2)(d) sets forth that “[i]t shall not be unlawful . . . for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication . . . unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The defendants contend that they were the intended recipients of—and thus “parties” to— any electronic transmissions that they acquired and tracked, and that, as they committed no secondary criminal or tortious act, their conduct cannot have been unlawful under the statute. a. How the Information at Issue Was Acquired Before we can assess whether the defendants were “parties” to the electronic transmissions at issue, we must first identify what, exactly, are the transmissions at issue. In the portion of the complaint devoted to the plaintiffs’ Wiretap Act claim, the complaint states that “the [d]efendants’ third-party web tracking permitted them to information that’s being sent at that time.”). This is consistent with our understanding of the allegations of the plaintiffs, as discussed in detail below. 28 record information that [c]lass [m]embers exchanged with first-party websites . . . which [the d]efendants intercepted while not a party to those communications (hence third-party tracking)[.]”53 It continues to plead that “the defendants’ third-party tracking intercepted the class members’ communications while they were in transit from the class members’ computing devices to the web servers of the first- party websites the class members used their browsers to visit.”54 The highly specific allegations contained in the body of the complaint, however, give no credence to the complaint’s later allegations that the defendants acquired their internet history information from transmissions between the plaintiffs’ browsers and first-party websites. With respect to the mechanics of the defendants’ acquisition of web browsing information, the interior of the complaint says that, “[u]pon receiving a []GET[] request from a user seeking to display a particular webpage, the server for that webpage will subsequently respond to the browser, instructing the browser to send a []GET[] request to the third-party company charged with serving the advertisements for that particular webpage.”55 As to Google specifically, the complaint likewise pleads that “the server hosting the publisher’s webpage . . . instructs the user’s web browser to send a GET request to Google to display the relevant advertising information for the 53 Compl. ¶ 206. 54 Compl. ¶ 208. 55 Compl. ¶ 41. 29 space on the page for which Google has agreed to sell display advertisements.”56 If users’ browsers directly communicate with the defendants about the webpages they are visiting—as the complaint pleads with particularity—then there is no need for the defendants to acquire that information from transmissions to which they are not a party. After all, the defendants would have the information at issue anyway. Underscoring that there are direct transmissions between the plaintiffs and the defendants, the complaint notes that the defendants place cookies on web browsers “in the process of injecting the advertisements,”57 which are “serve[d] . . . directly from the third-party company’s servers rather than going through the individual website’s server.”58 The complaint’s descriptions of how tracking is accomplished, meanwhile, further supports that the information was captured from the plaintiffs’ GET requests to the defendants. According to the complaint: The information is sent to the companies and associated with unique cookies -- that is how the tracking takes place. The cookie lets the tracker associate the web activity with a unique person using a unique browser on a device. Once the third-party cookie is placed in the 56 Compl. ¶ 86. 57 Compl. ¶ 45. 58 Compl. ¶ 41. 30 browser, the next time the user goes to a webpage with the same [d]efendant’s advertisements, a copy of that request can be associated with the unique third-party cookie previously placed. Thus the tracker can track the behavior of the user[.]”59 If the information at issue is sent to the defendants in the ordinary course, then this description of the cookies makes sense. This is because in such a scenario the defendants need only associate information to track it, which can be successfully accomplished by affixing an identifier to that information. This is precisely how the complaint describes the defendants’ cookies’ function. With respect to Google, the complaint pleads installation of Google’s “id” cookie, “which is a unique and consistent identifier given to each user by Google for its use in tracking persons across the entire spectrum of websites on which Google places . . . cookies.”60 Google allegedly uses this cookie to “identif[y] users,” such that “the placement of the third-party cookies, placed by circumventing Plaintiffs’ and Class Members’ privacy settings, allows this identification to take place.”61 Likewise, as to two of the other defendants, the complaint says that “[t]he spokesman [for Vibrant] admitted Vibrant used the 59 Compl. ¶ 46. 60 Compl. ¶ 95. 61 Compl. ¶ 96. 31 trick ‘for unique user identification,’”62 and that “Media’s ‘id’ cookie is just that—an ‘ID’ or ‘identification’ cookie.”63 Just as the operative allegations in the complaint tend to support the inference that the cookies enabled the defendants to identify, and thus associate, information that the plaintiffs sent directly to them in the ordinary course, the operative allegations tend to negate any inference to the contrary. This is because, if the information at issue was not sent to the defendants in the ordinary course, mere identification cookies would not be sufficient for the defendants’ scheme. To accomplish their tracking in that instance, the defendants would have needed not an associative device, but one capable of capturing communications sent by the plaintiffs and intended for first- party websites, and then transmitting them to the defendants.64 There is no pleading of any such device, nor is 62 Compl. ¶ 151 63 Compl. ¶ 156 64 Cf. Pharmatrak, 329 F.3d at 22 (“[Pharmatrak’s code] automatically duplicated part of the communication between a user and a pharmaceutical client and sent this information to a third party (Pharmatrak).”); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012) (“The intended communication is between the users’ iPhone and the Wi-fi and cell phone towers, and Plaintiffs appear to allege that Apple designed its operating system to intercept that communication and transmit the information to Apple’s servers.”). 32 that function the ordinary function of a tracking cookie. As stated above, in discussing the function of the defendants’ cookies, the complaint describes them as having an associative function only.65 In view of our common sense reading of the operative allegations of the complaint, we note the factual position that the defendants advanced at argument: “The cookie doesn’t acquire anything . . . The cookie doesn’t look for anything. It just sits on the browser and gets sent along with information that would otherwise be sent.”66 The information at issue would be sent anyway because “the user’s web browser send[s] a GET request to Google to display the relevant advertising information for the space on the page for which Google has agreed to sell display advertisements.”67 We note also that, at argument, the plaintiffs’ counsel was directly asked on six separate occasions to clarify what transmissions they believed were improperly acquired and/or how the defendants’ cookies functioned.68 The plaintiffs’ counsel did not provide a direct response on any of these occasions. At the Rule 12(b)(6) stage “we accept the pleader’s description of what happened to him or her along with any 65 Compl. ¶¶ 46, 95, 96, 151, 156. 66 Oral Arg. Tr. at 25. 67 Compl. ¶ 86. 68 Oral Arg. Tr. at 9-10, 11, 12, 13, 14, 15. 33 conclusions that can reasonably be drawn therefrom.”69 This standard permits the dismissal of a complaint “when [the] defendant’s plausible alternative explanation is so convincing that plaintiff’s explanation is im plausible.”70 Here, the operative allegations of the complaint support only the conclusion that the defendants acquired the plaintiffs’ internet history information by way of GET requests that the plaintiffs sent directly to the defendants, and that the defendants deployed identifier cookies to make the information received from GET requests associable and thus trackable. And though the portion of the complaint pertaining to the Wiretap Act contains statements to the contrary, we need not give legal effect to “conclusory allegations” that are contradicted by the pleader’s actual description of what happened.71 In short, our understanding of the plaintiffs’ allegations is that the defendants acquired the plaintiffs’ internet history information when, in the course of requesting webpage advertising content at the direction of the visited website, the plaintiffs’ browsers sent that information directly to the defendants’ servers. 69 5B Fed. Prac. & Proc. Civ. § 1357 (3d ed.) (“Motions to Dismiss—Practice Under Rule 12(b)(6)”). 70 Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011) (citing Fed. R. Civ. P. 8(a)(2); Ashcroft v. Iqbal, 556 U.S. 662 (2009); Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007)). 71 5B Fed. Prac. & Proc. Civ. § 1357. 34 b. Application of § 2511(2)(d) Because the defendants were the intended recipients of the transmissions at issue—i.e. GET requests that the plaintiffs’ browsers sent directly to the defendants’ servers— we agree that § 2511(2)(d) means the defendants have done nothing unlawful under the Wiretap Act. Tautologically, a communication will always consist of at least two parties: the speaker and/or sender, and at least one intended recipient. As the intended recipient of a communication is necessarily one of its parties, and the defendants were the intended recipients of the GET requests they acquired here, the defendants were parties to the transmissions at issue in this case. And under § 2511(2)(d), it is not unlawful for a private person “to intercept a wire, oral, or electronic communication where such person is a party to the communication.”72 In their reply brief, the plaintiffs raise three objections in response to the argument that their Wiretap Act claim must fail because the defendants were the intended recipients of the relevant communications. None are persuasive. First, the plaintiffs argue that we should not consider the defendants’ argument because the issue was not addressed by the District Court and because the defendants failed to raise the issue in the form of a cross-appeal. This is inapposite, for even if the defendants had never raised the issue at all, whether the plaintiffs have stated a claim is a matter of law to be determined from the face of their complaint. As always, we may affirm a district court’s 72 18 U.S.C. § 2511(2)(d). 35 judgment on grounds other than those considered by the district court itself.73 Second, the plaintiffs argue that the party exception should not apply for equitable reasons, in that the transmitted GET requests included cookie information that the communications included only because of the defendants’ surreptitious circumvention of the cookie blockers. The point here is that, though the plaintiffs sent the GET requests to the defendants voluntarily, they were induced to do so by deceit. Though we are no doubt troubled by the various deceits alleged in the complaint, we do not agree that a deceit upon the sender affects the presumptive non-liability of parties under § 2511(2)(d). “In the context of the statute, a party to the conversation is one who takes part in the conversation.”74 There is no statutory language indicating this excludes intended recipients who procured their entrance to a conversation through a fraud in the inducement, such as, here, 73 See Jones v. Se. Pa. Transp. Auth., __ F.3d __, 2015 WL 4746391, at *8 (3d Cir. Aug. 12, 2015). 74 Caro v. Weintraub, 618 F.3d 94, 97 (2d Cir. 2010) United States v. Pasha, 332 F.2d 193 (7th Cir. 1964) (“[I]mpersonation of the intended receiver is not an interception within the meaning of the statute.”); Clemons v. Waller, 82 Fed. App’x 436, 442 (6th Cir. 2003) (“By citing Pasha, Congress strongly intimated that one who impersonates the intended receiver of a communication may still be a party to that communication for the purposes of the federal wiretap statute and that such conduct is not proscribed by the statute.”). 36 by deceiving the plaintiffs’ browsers into thinking the cookie- setting entity was a first-party website. It is not unimaginable that the Wiretap Act would give legal effect to the fraudulent participation of a party to a conversation.75 It is, after all, a wiretapping statute.76 Indeed, it appears the absence of an equitable exception to § 2511(2)(d) is no accident. In United States v. Pasha, the Seventh Circuit held that a police officer who impersonated the intended recipient of a phone call did not violate the Wiretap Act.77 And, as the Sixth Circuit has explained: When amending the federal [W]iretap [A]ct in 1968 to its current state, Congress specifically mentioned Pasha in its discussions of the “party to the communication” provision. In discussing § 2511(2)(c), which is in pari materia with § 2511(2)(d) and differs from that provision only in that § 2511(2)(c) applies to persons acting under color of law, the Senate Judiciary Committee stated: 75 Cf. Desnick v. Am. Broad. Companies, Inc., 44 F.3d 1345, 1352 (7th Cir. 1995) (“The law’s willingness to give effect to consent procured by fraud is not limited to the tort of trespass.”). 76 See Black’s Law Dictionary (10th ed. 2014) (defining “wiretapping” as “electronic or mechanical eavesdropping”). 77 333 F.2d 193, 198 (7th Cir. 1964). 37 Paragraph 2(c) provides that it shall not be unlawful for a party to any wire or oral communication . . . to intercept such communication. It largely reflects existing law. Where one of the parties consents, it is not unlawful. . . . “[P]arty” would mean the person actually participating in the communication. (United States v. Pasha, 332 F.2d 193 (7th Cir. 1964)).78 We agree with the Sixth Circuit and the Fifth Circuit that, “[b]y citing Pasha, Congress strongly intimated that one who impersonates the intended receiver of a communication may still be a party to that communication for the purposes of the federal wiretap statute and that such conduct is not proscribed by the statute.”79 Likewise, we conclude it was by design that there is no statutory language by which the defendants’ various alleged deceits would vitiate their claims to be parties 78 Clemons v. Waller, 82 Fed. App’x 436, 442 (6th Cir. 2003) (quoting S. Rep. No. 90-1097, at 93-94 (1968)); see also United States v. Campagnuolo, 592 F.2d 852, 863 (5th Cir. 1979) (“It is clear from this passage that Congress intended to reaffirm the result in Pasha and make admissible communications to which a police officer is a party.”). 79 Clemons, 82 Fed. App’x at 442; accord Campagnuolo, 592 F.2d at 863. 38 to the relevant communications. The Wiretap Act is a wiretapping statute, and just because a scenario sounds in fraud or deceit does not mean it sounds in wiretapping.80 80 As § 2511(2)(d) contemplates that a “party” to a communication can “intercept” it, we are led to believe that the present version of the Wiretap Act gives “intercept” a broader connotation than “the ordinary meaning of ‘intercept’ . . . [which] is ‘to stop, seize, or interrupt in progress or course before arrival.’” See Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 878 (9th Cir. 2002) (quoting Webster’s Ninth New Collegiate Dictionary 630 (1985)); see also Goldman v. United States, 316 U.S. 129, 134 (1942) (“The natural meaning of the term ‘intercept’ . . . indicates the taking or seizure by the way or before arrival at the destined place.”), overruled on other grounds by Katz, 389 U.S. 347; Black’s Law Dictionary (10th ed. 2014) (defining “intercept” as “to covertly receive or listen to (a communication)”). We will not, therefore, adopt the defendants’ other alternative argument, which is that the plaintiffs’ Wiretap Act claim should fail for want of an “interception.” If the plaintiffs’ claims had been brought under the Wiretap Act as it existed when Pasha was decided, however, the plaintiffs would likely fail to show an “interception” for the same reason that, today, they fail to show that the defendants were not parties to the relevant communications within the meaning of § 2511(2)(d). See Pasha, 333 F.2d at 198 (“Interception connotes a situation in which by surreptitious means a third party overhears a telephone conversation between two persons. We believe that impersonation of the intended receiver is not an interception within the meaning of the statute.”). 39 Finally, the plaintiffs argue that § 2511(2)(d) should not apply because the defendants’ acquisition of the communications at issue was tortious under California law. The basis for this argument is that § 2511(2)(d) is inapplicable when the communication at issue is “intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” But the plaintiffs point to no legal authority providing that the exception to § 2511(2)(d) is triggered when, as here, the tortious conduct is the alleged wiretapping itself. By contrast, all authority of which we are aware indicates that the criminal or tortious acts contemplated by § 2511(2)(d) are acts secondary to the acquisition of the communication involving tortious or criminal use of the interception’s fruits.81 81 See Caro v. Weintraub, 618 F.3d 94, 98, 100 (2d Cir. 2010) (“[T]he defendant must have the intent to use the illicit recording to commit a tort or crime beyond the act of recording itself. . . . Intent may not be inferred simply by demonstrating that the intentional act of recording itself constituted a tort. A simultaneous tort arising from the act of recording itself is insufficient.”); Sussman v. Am. Broad. Companies, Inc., 186 F.3d 1200, 1202-03 (9th Cir. 1999) (“Under section 2511, the focus is not upon whether the interception itself violated another law; it is upon whether the purpose for the interception—its intended use—was criminal or tortious. . . . Where the purpose is not illegal or tortious, but the means are, the victims must seek redress elsewhere.”); Desnick, 44 F.3d at 1353 (“[T]here is no suggestion that the defendants sent the testers into the Wisconsin and Illinois offices for the purpose of defaming the plaintiffs by charging tampering with the glare machine.”). 40 As the Second Circuit explained in Caro v. Weintraub, “to survive a motion to dismiss, a plaintiff must plead sufficient facts to support an inference that the offender intercepted the communication for the purpose of a tortious or criminal act that is independent of the intentional act of recording.”82 And though the plaintiffs may well plead facts that constitute violations of California laws related to intrusion upon seclusion, for purposes of the exception to § 2511(2)(d), “[i]nvasion of privacy through intrusion upon seclusion presents a problem . . . —it is a tort that occurs through the act of interception itself.”83 As the plaintiffs plead no tortious or criminal use of the acquired internet histories, § 2511(2)(d) is not inapplicable on the basis of the criminal- tortious purpose exception. Based on the facts alleged in the pleadings, the defendants were parties to any communications that they acquired, such that their conduct is within the § 2511(2)(d) exception.84 We will accordingly affirm the District Court’s dismissal of the plaintiffs’ Wiretap Act claim. B. The Stored Communications Act We next address the plaintiffs’ claim for violation of the Stored Communications Act, 18 U.S.C. § 2701. Enacted in 1986, the Stored Communications Act was born from congressional recognition that neither existing federal statutes 82 Caro, 618 F.3d at 100 (emphasis added). 83 Id. at 101. 84 See 18 U.S.C. § 2511(2)(d). 41 nor the Fourth Amendment protected against potential intrusions on individual privacy arising from illicit access to “stored communications in remote computing operations and large data banks that stored e-mails.”85 To state a claim under the Stored Communications Act, a plaintiff must show that the defendant “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.”86 The District Court dismissed this claim on the basis of the Act’s requirement that the illicit access be with respect to “a facility through which an electronic communication service is provided.”87 As pled in the complaint, the illicit access at issue was to the plaintiffs’ personal web browsers. 85 Garcia v. City of Laredo, Tex., 702 F.3d 788, 791 (5th Cir. 2012); see also id. at 793; United States v. Councilman, 418 F.3d 67, 80-81 (1st Cir. 2005) (en banc); S. Rep. No. 99-541, at 5 (1986); Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 Geo. Wash. L. Rev. 1208, 1209-15 (2004). 86 18 U.S.C. § 2701(a); see also id. § 2707(a) (cause of action). 87 In re: Google, 988 F. Supp. 2d at 445-47; 18 U.S.C. § 2701(a). 42 But according to the District Court, “an individual’s personal computing device is not a ‘facility through which an electronic communications service is provided.’”88 We agree, and we find persuasive the analysis of the Fifth Circuit in Garcia v. City of Laredo, which held that “a home computer of an end user is not protected by the [Act].”89 As noted by the Garcia court, though the Act does not define the term “facility,” the Act does define the term “electronic communication service,” which it defines as “any service which provides to users thereof the ability to send or receive wire or electronic communications.”90 This most naturally describes network service providers, and, indeed, “[c]ourts have interpreted the statute to apply to providers of a communication service such as telephone companies, [i]nternet or e-mail service providers, and bulletin board services.”91 The Act also defines “electronic storage” as “(A) 88 In re: Google, 988 F. Supp. 2d at 446. 89 702 F.3d at 793 (quoting Kerr, A User’s Guide to the Stored Communications Act, 72 Geo. Wash. L. Rev. at 1215). 90 18 U.S.C. § 2510(15) (incorporated by reference in 18 U.S.C. § 2711(1)); see also Garcia, 702 F.3d at 792. 91 Garcia, 702 F.3d at 792 (citing Councilman, 418 F.3d at 81-82; Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2004); Steve Jackson Games, Inc. v. U.S. Secret Serv., 36 F.3d 457, 462-63 (5th Cir. 1994)); see also In re iPhone, 844 F. Supp. 2d. at 1057 (“[T]he computer systems of an email provider, a bulletin board system, or an [internet service provider] are uncontroversial examples of facilities that 43 any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.”92 Temporary storage incidental to transmission and storage for purposes of backup protection are not how personal computing devices keep communications, but how third party network service providers do—or at least did, in 1986.93 There is then the language of 18 U.S.C. § 2701(c)(1), which provides that the prohibitory language of the Act “does not apply with respect to conduct authorized . . . by the person or entity providing a wire or electronic communication service.” This makes sense when talking about third-party access to network service providers’ own facilities. But were the prohibitory language understood to apply to facilities other than those of network service providers, the language of the exception becomes problematic. As one district court has explained, “[i]t would certainly seem odd that the provider of a communication service could grant access to one’s home provide electronic communications services to multiple users.”). 92 18 U.S.C. § 2510(17). 93 See Kerr, A User’s Guide to the Stored Communications Act, 72 Geo. Wash. L. Rev. at 1213-15 (“The [Act] . . . freez[es] into the law the understandings of computer network use as of 1986.”) (citing S. Rep. No. 99-541 at 2-3). 44 computer to third parties, but that would be the result of [the plaintiffs’] argument.”94 The origin of the Stored Communications Act confirms that Congress crafted the statute to specifically protect information held by centralized communication providers. “‘Sen. Rep. No. 99–541 (1986)’s entire discussion of [the Stored Communications Act] deals only with facilities operated by electronic communications services such as “electronic bulletin boards” and “computer mail facilit[ies],” and the risk that communications temporarily stored in these facilities could be accessed by hackers. It makes no mention of individual users’ computers . . . .’”95 The plaintiffs take a different view, arguing that the plain language of the terms “facility” and “electronic communication service” are sufficiently flexible to encompass contemporary personal computing devices that are used to engage with telecommunications services. After all, when the Act was enacted, Black’s Law Dictionary defined “facilities” as “that which promotes the ease of any action, operations, transaction, or course of conduct.”96 And the 94 In re: iPhone, 844 F. Supp. 2d at 1058 (quoting Crowley v. CyberSource Corp., 166 F. Supp. 2d. 1263, 1270-71 (N.D. Cal. 2001)). 95 Garcia, 702 F.3d at 793 (second and third alterations in original) (quoting In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 512 (S.D.N.Y. 2001) (quoting S. Rep. No. 99–541, at 36). 96 Black’s Law Dictionary 705 (5th ed. 1979). 45 plaintiffs here use their web browsers to access network services such as email and websurfing. In considering the plaintiffs’ argument that we should give “facility” a broad, plain language meaning, we are reminded that “[a] fair reading of legislation demands a fair understanding of the legislative plan.”97 And we agree with the Fifth Circuit that the Act clearly shows a specific congressional intent to deal with the particular problem of private communications in network service providers’ possession. The textual cues surrounding the term “facility,” bolstered by the legislative history and enactment context of the Act, support the conclusion that “the words of the statute were carefully chosen: ‘[T]he statute envisions a provider (the [Internet Service Provider] or other network service provider) and a user (the individual with an account with the provider), with the user’s communication in the possession of the provider.’”98 And “[t]his is consistent with the [Act]’s purpose: home computers are already protected by the Fourth Amendment, so statutory protections are not needed.”99 In this context, “facility” is a term of art denoting where network service providers store private communications. 97 King v. Burwell, 135 S. Ct. 2480, 2496 (2015). 98 Garcia, 702 F.3d at 793 (emphases removed) (alteration in original) (quoting Kerr, A User’s Guide to the Stored Communications Act, 72 Geo. Wash. L. Rev. at 1215 n.47). 99 Kerr, A User’s Guide to the Stored Communications Act, 72 Geo. Wash. L. Rev. at 1215. 46 Other Courts of Appeals have understood the Act in a similar manner. In In re: Zynga Privacy Litigation, the Ninth Circuit explained that the Act “covers access to electronic information stored in third party computers.”100 So, too, the Eleventh Circuit in United States v. Steiger, which held that “the [Stored Communications Act] clearly applies, for example, to information stored with a phone company, Internet Service Provider (ISP), or electronic bulletin board system,” but that the Act “does not appear to apply to the [government’s] source’s hacking into [the plaintiff’s personal] computer . . . because there is no evidence that [the] computer maintained any ‘electronic communication service[.]’”101 The plaintiffs point to various district court decisions that have accepted that personal computers can be protected “facilities” under the Stored Communications Act.102 However, as another district court observes, these decisions “provide little analysis on this point of law, instead 100 750 F.3d at 1104 (emphasis added). 101 318 F.3d 1039, 1049 (11th Cir. 2003). In Steiger, the Eleventh Circuit noted that “reading . . . the Wiretap Act to cover only real-time interception of electronic communications, together with the apparent non-applicability of the [Stored Communications] Act to hacking into personal computers to retrieve information stored therein, reveals a legislative hiatus in the current laws purporting to protect privacy in electronic communications.” Id. 102 E.g., Cousineau v. Microsoft Corp., 992 F. Supp. 2d 1116, 1125 (W.D. Wash. 2012) Expert Janitorial, LLC v. Williams, 2010 WL 908740, at *5 (E.D. Tenn. 2010); Chance v. Ave. A, Inc., 165 F. Supp. 2d 1153, 1161 (W.D. Wash. 2001). 47 assuming [the plaintiffs’] position to be true due to lack of argument and then ultimately ruling on other grounds.”103 The plaintiffs point to no decision of any Court of Appeals holding that a personal computing device is protected by the Stored Communications Act. In sum, the defendants’ alleged conduct implicates no protected “facility.” The District Court’s dismissal of the claim for violation of the Act will therefore be affirmed. C. Computer Fraud and Abuse Act The plaintiffs’ final federal claim is for violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The Act creates a cause of action for persons “who suffer[] damage or loss” because, inter alia, a third party “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.”104 The District Court dismissed this claim for failing to meet the statutory requirement of “damage or loss.”105 Under the Act, “the term ‘damage’ means any impairment to the integrity or availability of data, a program, a system, or 103 In re iPhone, 844 F. Supp. 2d at 1057-58. 104 18 U.S.C. § 1030(a)(2)(C), (g). 105 In re Google, 988 F. Supp. 2d at 448. 48 information.”106 Meanwhile, “the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.”107 On appeal, the plaintiffs contend that they have properly pled “loss” under the statute because they have alleged that their “impermissibly seized [p]ersonally [i]dentifiable [i]nformation is both ‘currency’ and a marketable ‘commodity.’”108 By capturing and making economic use of such information, the plaintiffs say, the defendants have taken the value of such information for themselves, depriving the plaintiffs of their own ability to sell their internet usage information. Insofar as the plaintiffs have a right to capture that value for themselves, the plaintiffs contend that the defendants’ conduct has caused them harm. The complaint plausibly alleges a market for internet history information such as that compiled by the defendants. Further, the defendants’ alleged practices make sense only if that information, tracked and associated, had value. However, when it comes to showing “loss,” the plaintiffs’ argument lacks traction. They allege no facts suggesting that they ever 106 18 U.S.C. § 1030(e)(8). 107 Id. § 1030(e)(11). 108 Appellants’ Br. 45. 49 participated or intended to participate in the market they identify, or that the defendants prevented them from capturing the full value of their internet usage information for themselves. For example, they do not allege that they sought to monetize information about their internet usage, nor that they ever stored their information with a future sale in mind. Moreover, the plaintiffs do not allege that they incurred costs, lost opportunities to sell, or lost the value of their data as a result of their data having been collected by others. To connect their allegations to the statutory “loss” requirement, the plaintiffs’ briefing emphasizes that lost revenue may constitute “loss” as that term is defined in the Act.109 This is inapposite, however, in that the plaintiffs had no revenue. We see no “damage” or “loss” in the pleadings. We will therefore affirm the District Court’s dismissal of the claim for violation of the Computer Fraud and Abuse Act. IV. State Law Claims Against Google We now turn to the five California state law claims brought against Google only. A. Freestanding Privacy Claims We first consider, in tandem, the plaintiffs’ freestanding privacy claims under the California Constitution110 and California tort law. 109 Id. at 43-45. 110 Article I, Section 1 of the California Constitution states: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending 50 “A privacy violation based on the common law tort of intrusion has two elements.”111 “First, the defendant must intentionally intrude into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy.”112 This means “the defendant must have ‘penetrated some zone of physical or sensory privacy . . . or obtained unwanted access to data’ by electronic or other covert means, in violation of the law or social norms.”113 Second, “the intrusion must occur in a manner highly offensive to a reasonable person.”114 “The right to privacy in the California Constitution sets standards similar to the common law tort of intrusion.”115 “First, [the plaintiff] must possess a legally protected privacy interest. . . . Second, the plaintiff’s expectations of privacy must be reasonable. . . . Third, the plaintiff must show that the life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” 111 Hernandez v. Hillsides, Inc., 211 P.3d 1063, 1072 (Cal. 2009). 112 Id. 113 Id. (quoting Shulman v. Group W Prods., Inc., 955 P.2d 469, 490 (Cal. 1998)). 114 Id. 115 Id. at 1073. 51 intrusion is so serious ‘in nature, scope, and actual or potential impact as to constitute an egregious breach of the social norms.’”116 When presented with parallel privacy claims under tort law and the California Constitution, the California Supreme Court has performed a dual inquiry “under the rubric of both . . . tests.”117 This “consider[s] (1) the nature of any intrusion upon reasonable expectations of privacy, and (2) the offensiveness or seriousness of the intrusion, including any justification and other relevant interests.”118 In evaluating the offensiveness of an invasion, the court is to consider “pragmatic policy concerns” such that “no cause of action will lie for accidental, misguided, or excusable acts of overstepping upon legitimate privacy rights.”119 In dismissing the freestanding privacy claims, the District Court concluded that Google’s alleged practices “did not rise to the level of a serious invasion of privacy or an egregious breach of social norms.”120 Contending the District 116 Id. (quoting Hill v. Nat’l Collegiate Athletic Assn., 865 P.2d 633, 655 (Cal. 1994)). 117 Id. at 1073-74. 118 Id. at 1074. 119 Id. at 1079; Hill, 865 P.2d at 675 (“Whether [a] plaintiff has a reasonable expectation of privacy in the circumstances and whether [a] defendant’s conduct constitutes a serious invasion of privacy are mixed questions of law and fact.”). 120 In re Google, 988 F. Supp. 2d at 449. 52 Court got it right, Google says the plaintiffs voluntarily sent Google all the internet usage information at issue.121 Moreover, Google argues, tracking cookies are routine.122 Pointing to cases describing cookies as, more or less, innocuous,123 Google offers that courts “routinely” find no actionable privacy invasion in cases involving tracking, collation, and disclosure of internet usage information.124 Google gives particular attention to Low v. LinkedIn, where the Northern District of California explained that “[e]ven disclosure of personal information, including social security numbers, does not constitute an ‘egregious breach of the social norms’ to establish an invasion of privacy claim.”125 For purposes of California privacy law, Google’s emphasis on tracking and disclosure amounts to a smokescreen. What is notable about this case is how Google accomplished its tracking. Allegedly, this was by overriding the plaintiffs’ cookie blockers, while concurrently announcing in its Privacy Policy that internet users could 121 Google Br. at 59 (emphasis in original). 122 Id. 123 Id. at 61 (citing, e.g., Pharmatrak, 329 F.3d at 14 (“Cookies are widely used on the internet by reputable websites to promote convenience and customization.”)). 124 Id. at 62 (citing Stern v. Weinstein, 512 Fed. App’x 701, 702 (9th Cir. 2013)). 125 Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012). 53 “reset your browser to refuse all cookies.”126 Google further assured Safari users specifically that their cookie blockers meant that using Google’s in-house prophylactic would be extraneous. Characterized by deceit and disregard, the alleged conduct raises different issues than tracking or disclosure alone.127 Directly pertinent to whether Google’s alleged practices implicated a protected privacy interest, California tort law treats as actionable an “unwanted access to data by electronic or other covert means, in violation of the law or social norms.”128 Moreover, the California Constitution protects an interest in “conducting personal activities without observation,” with the reasonableness of any given expectation “rest[ing] on an examination of customs . . . as well as the opportunity to be notified in advance and consent to the intrusion.”129 To Google’s point, a sophisticated 126 Compl. ¶ 80. 127 See Kristen Lovin, SafariGate: Benign Behavior or Malignant Breach?, Colum. Sci. & Tech. L. Rev. (Feb. 22, 2012), http://stlr.org/2012/02/22/safarigate-benign-behavior- or-malignant-breach/ (“[O]ne could say that Google ignored the express desires of its users, elevating its own commercial interests over the user’s personal privacy interests. This kind of disregard may be particularly troubling given the relative bargaining power that an individual consumer has against a monolith like Google.”). 128 Hernandez, 211 P.3d at 1072 (internal quotation marks omitted). 129 Id. at 1073 (internal quotation marks omitted). 54 internet user may well have known that, in browsing the internet, her URL information was sent to Google. But such a user would also reasonably expect that her activated cookie blocker meant her URL queries would not be associated with each other due to cookies.130 As the activated cookie blocker equates, in our view, to an express, clearly communicated denial of consent for installation of cookies, we find Google “intru[ded] upon reasonable expectations of privacy.”131 As for whether the alleged conduct is “so serious in nature[] [and] scope . . . as to constitute an egregious breach of the social norms,”132 Google not only contravened the cookie blockers—it held itself out as respecting the cookie blockers. Whether or not data-based targeting is the internet’s pole star, users are entitled to deny consent, and they are entitled to rely on the public promises of the companies they deal with. Furthermore, Google’s alleged conduct was broad, touching untold millions of internet users; it was surreptitious, surfacing only because of the independent 130 It is no matter whether or not a given plaintiff had actual, subjective knowledge of her browser settings and the impact of those settings on the defendants’ tracking practices. Like a principal’s agent, a personal computing device acts as an extension of oneself for purposes of engaging with the internet. The decision to use one or another technology is the decision to choose its features, even if the lay user may not actually know what all those features are in their specifics. 131 Hernandez, 211 P.3d at 1074. 132 Id. at 1073 (internal quotation marks omitted). 55 research of Mayer and the Wall Street Journal; and it was of indefinite duration, with Google’s counsel conceding at argument that their tracking cookies have no natural lifespan. Particularly as concerns Google’s public statements regarding the Safari cookie blocker, we see no justification. Neither, apparently, do the elected branches, as California and federal executive agencies have themselves sought to penalize Google for the events alleged in the complaint.133 Based on the pled facts, a reasonable factfinder could indeed deem Google’s conduct “highly offensive” or “an egregious breach of social norms.”134 A reasonable jury could conclude that Google’s alleged practices constitute the serious invasion of privacy contemplated by California law. We will vacate the dismissal of the plaintiffs’ claims under the California Constitution and California tort law. B. California Invasion of Privacy Act We next consider the plaintiffs’ claim against Google for violation of the California Invasion of Privacy Act, Cal. Penal Code § 631(a). Like the federal Wiretap Act, § 631(a) “broadly prohibits the interception of wire communications and disclosure of the contents of such intercepted communications.”135 The California Supreme Court has 133 Compl. ¶¶ 166-68; infra n. 12. 134 Id. (internal quotation marks omitted). 135 Tavernetti v. Superior Court, 583 P.2d 737, 739 (Cal. 1978). 56 explained that “Section 631 was aimed at one aspect of the privacy problem—eavesdropping, or the secret monitoring of conversations by third parties.”136 The District Court dismissed the § 631(a) claim for the same reasons that it dismissed the plaintiffs’ federal wiretapping claim. As discussed above, the pleadings demonstrate that Google was itself a party to all the electronic transmissions that are the bases of the plaintiffs’ wiretapping claims.137 Because § 631 is aimed only at “eavesdropping, or the secret monitoring of conversations by third parties,”138 we will affirm the dismissal of the California Invasion of Privacy Act claim for the same reasons we affirm the dismissal of the federal Wiretap Act claim. 136 Ribas v. Clark, 696 P.2d 637, 640 (Cal. 1985); see also Powell v. Union Pac. R. Co., 864 F. Supp. 2d 949, 955 (E.D. Cal. 2012) (“Section 631 broadly proscribes third party access to ongoing communications.”); Thomasson v. GC Servs. Ltd. P’ship, 321 Fed. App’x 557, 559 (9th Cir. 2008) (“California courts interpret ‘eavesdrop,’ as used in § 632, to refer to a third party secretly listening to a conversation between two other parties.”). 137 Judge Fisher believes that under Ribas, 696 P.2d 637, Google may be liable under Section 631(a) for recording the communications and sharing them with third parties. Judge Fisher does not write separately as it does not appear that California law is developed sufficiently on this question to reverse the judgment of the District Court. 138 Ribas, 696 P.2d at 640. 57 C. Remaining State Law Claims We will affirm the District Court’s dismissals of the remaining state law claims against Google. The District Court dismissed the plaintiffs’ claim under the California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, on the basis that, under the statute, “private standing is limited to any ‘person who . . . has lost money or property’ as a result of unfair competition.”139 Likewise, the District Court dismissed the plaintiffs’ claim under the California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502, on the basis of § 502’s requirement that a suit may only be brought by one who has “suffer[ed] damage or loss by reason of a violation.”140 As discussed above in connection with the Computer Fraud and Abuse Act, the complaint fails to show damage or actual loss. Accordingly, the dismissal of these claims was proper. The California Consumers Legal Remedies Act, Cal. Civ. Code § 1770, proscribes various “unfair methods of competition and unfair or deceptive acts or practices undertaken by any person in a transaction intended to result or which results in the sale or lease of goods or services to any consumer.”141 On appeal, the plaintiffs argue that they 139 Kwikset Corp. v. Superior Court, 246 P.3d 877, 884 (Cal. 2011) (quoting § 17204). 140 Cal. Penal Code § 502(e). 141 Cal. Civ. Code § 1770(a). 58 plead a forced “sale” whereby they gave their trackable internet history information in exchange for advertisements delivered to their browsers (i.e., the “services”). The plaintiffs present no caselaw in support of their expansive construction of “sale.” And California federal courts have expressly rejected defining “sale” as to include “transactions” based on non-tangible forms of payment, including internet usage information specifically.142 Likewise, Black’s Law Dictionary defines a sale as a “transfer or property or title for a price,” requiring specifically “a price in money paid or promised.”143 We follow the view of the California federal courts, and see no “sale . . . of services” in the allegations of the complaint. The dismissal of this claim was thus proper, too. V. Conclusion In light of the foregoing, we will dispose of the plaintiffs’ claims in the following manner. We will affirm the dismissal of the three federal law claims brought against all defendants. Because the defendants were parties to all electronic transmissions at issue in this 142 See Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 864 (N.D. Cal. 2011) (rejecting plaintiff’s contention that “his transfer of . . . information to defendant in exchange for free applications[] constitutes a ‘purchase’ or ‘lease’” as finding “no support under the specific statutory language of the [Act]”); Yunker v. Pandora Media, Inc., 2013 WL 1282980, at *12 (N.D. Cal. 2013) (same). 143 Black’s Law Dictionary (10th ed. 2014) (“Sale”). 59 case, and plaintiffs state no Wiretap Act violation per 18 U.S.C. § 2511(2)(d). The alleged intrusion upon the plaintiffs’ personal computing devices does not implicate a “facility” protected by the Stored Communications Act. And the plaintiffs plead no cognizable losses as required by the Computer Fraud and Abuse Act. We will vacate the District Court’s dismissal of the plaintiffs’ freestanding privacy claims against Google under the California Constitution and California tort law. A reasonable factfinder could conclude that the means by which defendants allegedly accomplished their tracking, i.e., by way of a deceitful override of the plaintiffs’ cookie blockers, marks the serious invasion of privacy contemplated by California law. But we will affirm the dismissal of the remainder of the plaintiffs’ state law claims. The plaintiffs fail to plead a violation of the California Invasion of Privacy Act for the same reason that they fail to plead a violation of the federal Wiretap Act. Likewise, because they do not show loss, the plaintiffs fail to show violations of the California Unfair Competition Law or the California Comprehensive Computer Data Access and Fraud Act. Finally, the plaintiffs do not plead a “sale” as required by the California Consumers Legal Remedies Act. 60