Williams v. Facebook, Inc.

RICHARD SEEBORG, United States District Judge *1046I. INTRODUCTION

Defendant Facebook, Inc. ("Facebook") is a global social media and networking company. It owns and operates a website and smartphone applications for Android and iOS such as Facebook Messenger and Facebook Lite. In March 2018, the news website Ars Technica reported Facebook apps for Android were programmed to scrape user call and text data to monetize the information for advertising purposes. Facebook allegedly scraped data by exploiting a software vulnerability in the permission settings of older versions of the Android OS. When users installed older versions of Facebook Messenger or Facebook Lite on their Android smartphones a contact upload prompt to grant Facebook access to contact lists surreptitiously also granted access to user call and text logs. Facebook stopped data scraping once the Android OS eventually closed the vulnerability.

Plaintiffs are consumers from the states of California, Florida, Kansas, New York and Texas who bring claims for violations of California's Consumers Legal Remedies Act ("CLRA"), Cal. Civ. Code §§ 1750, et seq. ; California's Unfair Competition Law ("UCL"), Cal. Bus. & Prof. Code §§ 17200 -10; California's Computer Data Access and Fraud Act ("CDAFA"), Cal. Penal Code § 502 ; California's constitutional right to privacy; intrusion upon seclusion; trespass to personal property; New York's General Business Law ("GBL"), Gen. Bus. Law § 349; and unjust enrichment. Plaintiffs' theory of liability is Facebook failed to represent accurately or disclose it was collecting user data in violation of user privacy, and deprived users of any income generated from the use or sale of the data. Facebook's present motion seeks to dismiss all the claims without leave to amend.

Because plaintiffs do not identify in the complaint an omission or a specific misleading *1047contact upload prompt, they fail to state their fraud-based claims with sufficient particularity. The complaint also lacks factual averments supporting an injury in fact to establish standing for the CDAFA and GBL § 349 claims. Furthermore, the GBL claim is barred by Facebook's enforceable choice of law provision. Accordingly, the motion to dismiss is granted and plaintiffs are given 21 days leave to amend.

II. FACTUAL ALLEGATIONS1

In March 2018, Ars Technica reported Facebook was discretely collecting call and text data by exploiting a vulnerability in prior versions of the Android OS permission settings. Facebook Messenger and Facebook Lite users would receive a prompt during installation requesting permission to access their contact list. Prior to Android version 4.1, granting Facebook such access also surreptitiously granted the apps access to the user's call and text logs by default. Call logs appear to show years of incoming, outgoing, or missed calls, the date and time of each call, the number dialed, the individual called, and the duration of each call. Text logs contain similar sorts of data.

Plaintiffs aver Facebook failed to disclose its data scraping practices. Rather than granting the access solely for its friend recommendation algorithm, as a Facebook spokesperson represented, plaintiffs aver Facebook incorporated call and text logs into its user profiles to be monetized for advertising purposes. The advertising space on Facebook platforms attracts potential advertisers with the possibility to target specific demographic and interest groups based in part on the user data Facebook collects. Additionally, Facebook has entered agreements to share its user data with 61 different entities including Apple, UPS, Microsoft, Blackberry, and Samsung.

Even as the vulnerability was identified and patched in later Android versions, applications like Facebook Messenger and Facebook Lite could bypass the patch by specifying they were using an older pre-patched version of the Android Software Development Kit. It was not until October 2017 that the Android operating system fully deprecated this function in all its versions, which coincided with Facebook ceasing this means of data scraping. Recently, the Open Handset Alliance, the group responsible for developing the Android OS, also announced plans to change the permission settings in the next Android version so users will need to opt-in to share their call and text logs.

III. LEGAL STANDARD

A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." FED. R. CIV. P. 8(a)(2). While "detailed factual allegations" are not required, a complaint must have sufficient factual allegations to "state a claim to relief that is plausible on its face." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citing Bell Atlantic v. Twombly , 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). In addition, "in allegations of fraud or mistake, a party must state with particularity the circumstances constituting fraud and mistake." FED. R. CIV. P. 9(b). To satisfy this requirement, a plaintiff must plead "the who, what, when, where, and how that would suggest fraud." Cooper v. Pickett , 137 F.3d 616, 627 (9th Cir. 1997) (internal quotation marks omitted).

*1048"A plaintiff must set forth more than the neutral facts necessary to identify the transaction. The plaintiff must set forth what is false or misleading about a statement, and why it is false." Vess v. Ciba-Geigy Corp. USA , 317 F.3d 1097, 1106 (9th Cir. 2003) (internal quotation marks and alteration omitted).

A motion to dismiss a complaint under Rule 12(b)(6) of the Federal Rules of Civil Procedure tests the legal sufficiency of the claims alleged in the complaint. See Parks Sch. of Bus., Inc. v. Symington , 51 F.3d 1480, 1484 (9th Cir. 1995). Dismissal under Rule 12(b)(6) may be based either on the "lack of a cognizable legal theory" or on "the absence of sufficient facts alleged under a cognizable legal theory." Balistreri v. Pacifica Police Dep't , 901 F.2d 696, 699 (9th Cir. 1990). When evaluating such a motion, the court must accept all material allegations in the complaint as true, even if doubtful, and construe them in the light most favorable to the non-moving party. Twombly , 550 U.S. at 570, 127 S.Ct. 1955. "[C]onclusory allegations of law and unwarranted inferences," however, "are insufficient to defeat a motion to dismiss for failure to state a claim." Epstein v. Wash. Energy Co. , 83 F.3d 1136, 1140 (9th Cir. 1996) ; see also Iqbal , 556 U.S. at 678, 129 S.Ct. 1937 ("threadbare recitals of the elements of the claim for relief, supported by mere conclusory statements," are not taken as true). A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal , 556 U.S. at 678, 129 S.Ct. 1937. This standard asks for "more than a sheer possibility that a defendant acted unlawfully." Id. When plaintiffs have failed to state a claim upon which relief can be granted, leave to amend should be granted unless "the complaint could not be saved by any amendment." Gompper v. VISX, Inc. , 298 F.3d 893, 898 (9th Cir. 2002).

To establish Article III standing, a plaintiff must satisfy three requirements: (1) "the plaintiff must have suffered an injury in fact," which is concrete and particularized as well as actual or imminent; (2) "there must be a causal connection between the injury and the conduct complained of," which is fairly traceable to defendant's actions; and (3) "it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Lujan v. Defs. of Wildlife , 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (citations and internal quotation marks omitted). An injury is particularized when it "affect[s] the plaintiff in a personal and individual way," and is concrete when it is "real" as opposed to abstract. In re Facebook Internet Tracking Litig. , 263 F. Supp. 3d 836, 842 (N.D. Cal. 2017). "The party invoking federal jurisdiction bears the burden of establishing these elements." Lujan , 504 U.S. at 561, 112 S.Ct. 2130.

IV. DISCUSSION

Facebook seeks to dismiss the first amended consolidated class action complaint (hereafter "FACC" or "complaint") in its entirety without leave to amend. It makes two threshold challenges: (1) there is no injury in fact to confer standing; and (2) the contact upload prompt demonstrates Facebook users allowed it to collect call and text logs. In addition to these threshold challenges, Facebook raises separate arguments for the dismissal of each individual claim.2

*1049A. Standing

Facebook contests the sufficiency of plaintiffs' injury in fact. First, it asserts plaintiffs lack a particularized injury because the FACC offers only conclusory claims of a deprivation of income and an invasion of privacy without identifying injury to the plaintiffs themselves. See In re Google, Inc. Priv. Policy Litig. , No. 12-cv-01382-PSG, 2013 WL 6248499, at *5 (N.D. Cal. Dec. 3, 2013) ("a plaintiff must do more than point to the dollars in a defendant's pocket; he must sufficient[ly] allege that in the process he lost dollars of his own."). Second, Facebook challenges the concreteness of the injury. See In re Google, Inc. Privacy Policy Litig. , No. 12-cv-01382-PSG, 2012 WL 6738343, at *5 (N.D. Cal. Dec. 28, 2012) ("[N]othing in the precedent of the Ninth Circuit or other appellate courts confers standing on a party that has brought statutory or common law claims based on nothing more than the unauthorized disclosure of personal information.").

Plaintiffs assert a deprivation of income theory, relying on paragraphs sixteen to eighteen of their complaint, which they assert is sufficient to confer standing. These averments include Facebook's duopoly with Google in the online advertising space, FACC ¶ 16, its "over $ 10 billion of annual advertising sales," id. ¶ 17, and the monetization of "User Data by selling advertising space on its platforms and services," id. ¶ 18. Although the complaint suggests Facebook profits off the advertisements targeting its users, which use the information Facebook collects, none of its averments offer a particularized or concrete harm related to the individual plaintiffs' deprivation of any income.

Plaintiffs also aver an invasion of privacy theory conferring standing, which is particularized. Plaintiffs Olin, Nyamjom, Smith-Jackson, and Vega-Latker, were able to download the scraped data and confirm Facebook was in possession of their private call and text logs without their consent. FACC ¶¶ 5, 6, 7, 8. This is sufficient for the class claims. See In re iPhone Application Litig. , No. 11-MD-02250-LHK, 2011 WL 4403963, at *4 (N.D. Cal. Sept. 20, 2011) (citing Lierboe v. State Farm Mut. Auto. Ins. Co. , 350 F.3d 1018, 1022 (9th Cir. 2003) ("[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.")).

As for concreteness, plaintiffs again rest on the theory of an intangible harm arising from Facebook monetizing their user data and disseminating their private information to third parties. See FACC ¶¶ 18, 25; see also Spokeo, Inc. v. Robins , --- U.S. ----, 136 S. Ct. 1540, 1549, 194 L.Ed.2d 635 (2016) ("Although tangible injuries are perhaps easier to recognize, we have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete."). Relying on Van Patten v. Vertical Fitness Group, LLC , 847 F.3d 1037, 1043 (9th Cir. 2017), plaintiffs contend their intangible harm is concrete if the action will remedy "defendants' invasions of privacy, intrusion upon seclusion, and nuisance..." Oppo. at 11:2-6. In other words, the averred injury is the privacy violation itself. This does not end the analysis, however, as the Ninth Circuit reached this conclusion after acknowledging "both history and the judgment of Congress play important *1050roles" in determining a sufficient injury. Van Patten , 847 F.3d at 1042-43.

1. CDAFA and GBL § 349 Claims

In claims under the CDAFA and GBL § 349, before and after the Supreme Court's decision in Spokeo , courts have required plaintiffs to aver economic harm or actual injury. Standing to bring a CDAFA claim requires "a showing of economic harm or loss." In re Facebook Internet Tracking Litig. , 263 F. Supp. 3d at 842 ; see also In re Google Android Consumer Privacy Litig. , No. 11-MD-02264-JSW, 2013 WL 1283236, at *6 (N.D. Cal. Mar. 26, 2013) (requiring "damage or loss, beyond the mere invasion of statutory rights."). Likewise, for claims under GBL § 349, courts have historically dismissed complaints averring an "unquantifiable injury to a privacy interest." Shostack v. Diller , No. 15CV2255, 2016 WL 958687, at *5 (S.D.N.Y. Mar. 8, 2016).

Plaintiffs rely on an earlier case, Bose v. Interclick, Inc. , No. 10CV9183, 2011 WL 4343517, at *1-2 (S.D.N.Y. Aug. 17, 2011), to argue their privacy interests are sufficiently concrete for the GBL claim. More recent case law, however, has gone a different direction and requires actual harm. See, e.g. , Cohen v. Casper Sleep Inc. , No. 17CV9325, 2018 WL 3392877, at *8 (S.D.N.Y. July 12, 2018) (summarizing cases finding various invasion of privacy theories do not meet the GBL's injury requirement). Without a successful deprivation of income or actual loss, the CDAFA and GBL claims cannot proceed. It would not be enough for plaintiffs to rely on intangible invasion of privacy allegations, for example, without any claim the information had value before Facebook harvested it, diminished in value once Facebook accessed it, or was entirely unavailable to the plaintiffs after Facebook collected it.

2. Intrusion Upon Seclusion, Invasion of Privacy, and Unjust Enrichment Claims

Unlike the CDAFA and GBL claims, plaintiffs' failure to plead actual individualized deprivation of income is not fatal to the remaining common law claims. The complaint need not include economic injury to establish standing for the intrusion upon seclusion, invasion of privacy, or unjust enrichment claims. See In re Facebook Internet Tracking Litig. , 263 F. Supp. 3d at 843 ("a plaintiff need not show actual loss to establish standing for common-law claims of invasion of privacy and intrusion upon seclusion.").

As both parties recognize, courts in the Ninth Circuit "have routinely denied motions to dismiss based on Article III standing where a plaintiff alleges that his personal information was collected and then wrongfully disclosed, as opposed to alleging that his personal information was collected without his consent." In re Sony Gaming Networks & Customer Data Sec. Breach Litig. , 996 F. Supp. 2d 942, 962 (S.D. Cal. 2014). In Bassett v. ABM Parking Servs., Inc. , the Ninth Circuit reaffirmed, "[w]ithout disclosure of private information to a third party, it hardly matters that '[a]ctions to remedy ... invasions of privacy, intrusion upon seclusion, and nuisance have long been heard by American courts, and the right of privacy is recognized by most states.' " 883 F.3d 776, 780 (9th Cir. 2018) (quoting Van Patten v. Vertical Fitness Grp., LLC , 847 F.3d 1037, 1043 (9th Cir. 2017) ). Thus, standing for the remaining common law claims depends on the sufficiency of the averred disclosure of sensitive private information to third parties.

Here, plaintiffs have averred their own call and text log user data, and those of the putative class, was disclosed by Facebook to third parties. FACC ¶ 25 ("On *1051June 29, 2018, Facebook produced 747 pages of documents to Congress, which show that Facebook has agreements in place to share its user data with 61 different entities."). The complaint states Facebook collects information termed "user data" comprised of a broad range of information, such as a user's name, country, browsing habits, interests, age, gender, marital status, telephone number, email address, IP address, and "other categories." FACC ¶ 15. Facebook incorporated the call and text logs into its "user data" for all users who had the apps on Android OS, FACC ¶ 19, and Facebook shared the same "user data" pursuant to agreements it has with other entities, FACC ¶ 25.

Facebook contends the call and text logs are not sensitive information and cannot form the basis of a concrete injury in fact. Yet plaintiffs aver the call and text logs are "necessarily of a highly sensitive and private nature." FACC ¶ 69; see also FACC ¶¶ 74, 75. Whether someone has a reasonable expectation of privacy in their call and text logs would appear to involve a question of fact under California law. See Hill v. Nat'l Collegiate Athletic Assn. , 7 Cal. 4th 1, 40, 26 Cal.Rptr.2d 834, 865 P.2d 633, 657 (1994) ("Whether plaintiff has a reasonable expectation of privacy in the circumstances and whether defendant's conduct constitutes a serious invasion of privacy are mixed questions of law and fact.").

Accordingly, plaintiffs lack standing to pursue their CDAFA and GBL § 349 claims without a showing of an actual and individualized injury. Their privacy-based injury premised on the disclosure of their private information satisfies standing for the remaining intrusion upon seclusion, invasion of privacy, and unjust enrichment claims.

B. Facebook's Contact Upload Prompt

Facebook contends the case must be dismissed because the complete language of its contact upload prompt, which was omitted from the complaint, shows plaintiffs expressly allowed Facebook to collect their call and text history. Alternatively, Facebook asserts plaintiffs cannot satisfy notice pleading or the heightened pleading required of fraud cases without including the language of the prompt in the complaint.

1. Incorporation by Reference and Judicial Notice

Facebook relies on the language of a contact upload prompt that appears in the March 2018 Ars Technica article in support of its motion to dismiss. See Request for Judicial Notice (Dkt. No. 66). Incorporation by reference and judicial notice are both grossly overused and regularly confused in motions to dismiss as this case reflects.

Incorporation by reference is "a judicially created doctrine that treats certain documents as though they are part of the complaint itself." Khoja v. Orexigen Therapeutics, Inc. , 899 F.3d 988, 1002 (9th Cir. 2018). A defendant may seek to incorporate documents into the complaint "if the plaintiff refers extensively to the document or the document forms the basis of the plaintiff's claim." Id. (internal citations and quotations omitted). While the contents of incorporated documents may be assumed true, that assumption is improper if it "only serve[s] to dispute facts stated in a well-pleaded complaint." Id.

Similarly, courts may take judicial notice "without converting a motion to dismiss into a motion for summary judgment." Id. at 999. Documents whose existence cannot reasonably be questioned are susceptible to judicial notice; such as an undisputed copy of an archived public webpage.

*1052See Opperman v. Path, Inc. , 205 F. Supp. 3d 1064, 1080 (N.D. Cal. 2016) (granting judicial notice of a publicly available website). Yet the contents of the article are not appropriate for judicial notice if they are subject to reasonable dispute. See Khoja , 899 F.3d at 1000 (finding the district court abused its discretion by judicially noticing a transcript whose contents were disputed by the parties).

Here, there is no dispute the Ars Technica article is relied upon in the complaint, but it is not the basis of the claim. Facebook's conduct is. There is also a significant dispute about the relevance of the prompt shown in the article and the meaning of the article's content. Facebook contends the prompt in the article shows it disclosed its practices to users, while plaintiffs believe the article suggests the prompt was only an addition to the Facebook apps after October 2017. See Oppo. at 7 (Dkt. No. 74). In short, reference to the article in the complaint cannot be transformed into a finding that the prompt therein is indisputably the operative version for purposes of plaintiffs' claims. In other words, Facebook cannot advance defenses premised on the disputed prompt shown in the article through either incorporation by reference or judicial notice on a motion to dismiss.

2. Claims Based on Misrepresentations or Fraudulent Omissions

The more difficult issue is whether plaintiffs have adequately pleaded facts establishing specific misrepresentations or fraudulent omissions arising from a prompt which does not appear in the complaint. The nature of the averred misrepresentation sounds in fraud, and therefore Rule 9(b) applies to all such claims. See Concha v. London , 62 F.3d 1493, 1502 (9th Cir. 1995). Even though Rule 9(b)'s requirements are somewhat relaxed when the claims involve fraudulent omissions, "they are not eliminated." Waldrup v. Countrywide Fin. Corp. , No. 2:13-CV-08833-CAS, 2014 WL 3715131, at *5 (C.D. Cal. July 23, 2014). Plaintiffs are required to aver a fraud along with the "who, what, when, where, and how" of its existence. Cooper , 137 F.3d at 627. The fraud must "be specific enough to give defendants notice of the particular misconduct...so that they can defend against the charge and not just deny that they have done anything wrong." Kearns v. Ford Motor Co. , 567 F.3d 1120, 1124 (9th Cir. 2009) (internal quotations omitted). Requiring adequate notice ensures plaintiffs are deterred from filing complaints "as a pretext for the discovery of unknown wrongs." Id. at 1125.

Facebook asserts it lacks any notice of a prompt containing a specific misrepresentation, or notice of an "account of the time, place, and specific content of the false representations" if the prompt in the Ars Technica article is not judicially noticed or incorporated by way of the complaint. Swartz v. KPMG LLP , 476 F.3d 756, 764-65 (9th Cir. 2007) (internal quotation marks omitted). Plaintiffs dispute the need for a specific prompt in the complaint, and they omit any verbatim content of an operative prompt. This is a failure requiring dismissal.

Without any prompt identified, plaintiffs do not provide adequate notice of the misrepresentation or omission. Cooper , 137 F.3d at 627. Plaintiffs' argument that Facebook used a "standard Android prompt" to obtain user data falls short of the requisite specific wording of the misrepresentation, and there is no such averment or explanation in the complaint. Oppo. at 6. The only averment about "what" the fraud might entail is a representation that Facebook "was only collecting Plaintiffs' and Class members' 'Contact List' ..." without representing anything about "call logs and text data." FACC ¶ 40.

*1053The complaint quotes the Ars Technica article as reporting "Facebook never explicitly revealed that the data was being collected," yet it provides no contact upload prompt against which to assess that assertion. FACC ¶ 23. As pleaded, the complaint appears to be based on selective information from the article without any suggestion plaintiffs know what the specific prompt or prompts were at the time they installed the apps. More needs to be averred to satisfy the applicable rules of pleading.

C. California Computer Data Access and Fraud Act Claim

Plaintiffs' California subclass brings a claim for a violation of CDAFA § 502(c)(1)-(3) and (7). The CDAFA prohibits knowingly accessing, and without permission, using any data, computer, computer system, or computer network in certain prohibited ways. Cal. Pen. Code, § 502. A party acts "without permission" under the CDAFA when it "circumvents technical or code-based barriers in place to restrict or bar a user's access." NovelPoster v. Javitch Canfield Grp. , 140 F. Supp. 3d 938, 950 (N.D. Cal. 2014).

Setting aside the Rule 9(b) deficiencies in the complaint, plaintiffs adequately aver Facebook used and accessed their call and text logs without their permission, and specifically with the intention to "obtain money" at the expense of unwitting users. CDAFA § 502(c)(1) ; see FACC ¶¶ 1, 24, 91. Only Section 502(c)(1) requires plaintiffs to aver Facebook "altered, damaged, destroyed, or otherwise used any data...," while Sections 502(c)(2),(3), and (7) focus on access and use. Plaintiffs aver Facebook scraped call and text data from the Android device such as the type of call, the time of each call, the number dialed, the individual called, and the duration of each call. FACC ¶ 1. The lack of a disclosure, combined with Facebook's averred exploitation of the permission setting on older Android OS devices, is enough to plead Facebook circumvented technical barriers in violation of the CDAFA.

The complaint also adequately avers how Facebook used "computer services" under Section 502(c)(3). Facebook allegedly exploited "a software vulnerability in the permission settings of older versions of the Android OS," particularly prior to Android version 4.1. FACC ¶¶ 20-21. In the opposition, plaintiffs argue their general accusation of data scraping Android smartphones necessarily implies the use of "storage functions" and "Internet services" such as CPU and RAM, storage space on the device, and Wi-Fi and 4G to transmit data to Facebook. See Oppo. at 15:20-24. Facebook points out none of these averments are included in the complaint. Nonetheless, assuming it is true that Facebook exploited a vulnerability in Android OS smartphones, it is plausible Facebook did so using a computer service as defined in the CDAFA. Accordingly, if plaintiffs establish their standing and plead a fraud with sufficient particularity, the CDAFA claim could move forward.

D. Intrusion Upon Seclusion Claim

Common law intrusion upon seclusion requires: "(1) an intrusion into a private place, conversation, or matter (2) in a manner highly offensive to a reasonable person." Varnado v. Midland Funding LLC , 43 F. Supp. 3d 985, 991 (N.D. Cal. 2014). Facebook contends both factors are deficiently pleaded.

First, Facebook relies again on the contact upload prompt to show plaintiffs agreed to the disclosure of their information and had no reasonable expectation of privacy. See Shulman v. Group W Prods., Inc. , 18 Cal. 4th 200, 232, 74 Cal.Rptr.2d 843, 955 P.2d 469 (1998) (holding intrusion *1054upon seclusion claims not viable unless plaintiffs have "objectively reasonable expectation[s] of seclusion or solitude in the place, conversation or data source."). This argument is premature without the contact upload prompt being judicially noticed or incorporated by reference in the complaint.

Second, Facebook's more substantial challenge is levied against the "highly offensive" factor, which courts determine by "the degree of intrusion, the context, conduct and circumstances surrounding the intrusion as well as the intruder's motives and objectives, the setting into which he intrudes, and the expectations of those whose privacy is invaded." Med. Lab. Mgmt. Consultants v. ABC, Inc. , 306 F.3d 806, 819 (9th Cir. 2002). Courts find "the presence or absence of opportunities to consent voluntarily to activities impacting privacy interests obviously affects the expectations of the participant." Opperman v. Path, Inc. , 87 F. Supp. 3d 1018, 1059 (N.D. Cal. 2014).

Here, plaintiffs aver surreptitious collection, use, and dissemination of their call and text logs for Facebook's monetary gain. Facebook argues the disclosure of this type of data is not considered highly offensive as a matter of law. See In re Google, Inc. Privacy Policy Litig. , 58 F. Supp. 3d 968, 987-88 (N.D. Cal. 2014) (finding the disclosure of a person's name and identity, contact list, and contents of communications to third-party developers was not highly offensive); In re iPhone Application Litig. , 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (finding the disclosure of a person's age, gender, and geolocation information was not a breach of social norms).

In response, plaintiffs in part rely on Opperman , which found unpersuasive Facebook's two primary cases owing to their lack of consideration for California's privacy norms. See Opperman v. Path, Inc. , 205 F. Supp. 3d 1064, 1079 (N.D. Cal. 2016) (finding the cases "unhelpful" as they made no effort to explain how the averred data privacy practices were "consistent with community notions of privacy as they existed at the time of the decision."). While not directly addressing that decision, Facebook simply repeats its conclusion that disclosure of call and text logs is not highly offensive. Reply at 13. The theft of a person's call and text logs, without the user's consent or knowledge as alleged in the FACC, may or may not be highly offensive to current privacy norms. It is indeed a factual question "best left for a jury." Opperman , 87 F. Supp. 3d at 1061. Accordingly, plaintiffs' intrusion upon seclusion claim could survive dismissal assuming Rule 9(b) is satisfied.

E. California Privacy Claim

Invasion of privacy in violation of the California Constitution requires: "(1) a legally protected privacy interest; (2) a reasonable expectation of privacy under the circumstances; and (3) conduct by the defendant that amounts to a serious invasion of the protected privacy interest." Low v. LinkedIn Corp. , 900 F. Supp. 2d 1010, 1024 (N.D. Cal. 2012) (citing Hill v. Nat'l Collegiate Athletic Ass'n , 7 Cal.4th 1, 26 Cal.Rptr.2d 834, 865 P.2d 633, 654-56 (1994) ).

For the first and second factors, Facebook asserts user call and text logs are not content considered a legally protected privacy interest and do not create any reasonable expectation of privacy. According to Facebook, the FACC only contains conclusory averments the user data is protected by the CDAFA. FACC ¶ 68. In response, plaintiffs invoke the California Constitution's protection of an interest in "conducting personal activities without observation."

*1055In re Google Inc. Cookie Placement Consumer Privacy Litig. , 806 F.3d 125, 151 (3d Cir. 2015) (internal citation omitted).

In re Google Inc. Cookie Placement and similar cases turned on a defendant's express promise not to collect information. The Court found whether plaintiffs voluntarily sent information to Google while using the internet was not the issue; rather, "[w]hat is notable about this case is how Google accomplished its tracking." Id. at 150 (emphasis in original). Google allegedly had overridden cookie blockers while concurrently announcing a Privacy Policy that users could refuse all cookies. Id. Facebook focuses on the violation of an "express promise"-which it contends is not the case here. Yet, exploiting a software vulnerability to collect call and text logs based on a user's consent to disclose only their "Contact List" is not any less characteristic of "deceit and disregard." Id. A fraudulent omission of Facebook's intent to collect more than what its users consented to (i.e., contact lists only) is little different from collecting data despite an affirmative representation to the contrary.

As for the final factor, Facebook relies on the same line of cases in the intrusion upon seclusion context to contend there is a lack of any serious invasion of privacy. It asserts more serious disclosures have not been considered invasions of privacy. See e.g. , In re iPhone Application Litig. , 844 F. Supp. 2d at 1063 (holding disclosure of personal data and geolocation information was not an egregious breach of social norms or a serious invasion of privacy); Folgelstrom v. Lamps Plus, Inc. , 195 Cal. App. 4th 986, 992, 125 Cal.Rptr.3d 260 (2011) (holding conduct is not a serious invasion of privacy if it merely is part of a "routine commercial behavior."). Yet, whether dissemination of private information is egregious or merely routine behavior remains a question of fact given plaintiffs averred lack of any advance notice or opportunity to consent to the data scraping. Considering Facebook's alleged conduct, if fraud is sufficiently averred, a jury could plausibly find a serious invasion of privacy.

F. New York GBL § 349 Claim

Plaintiff's New York subclass brings a claim for violation of the GBL § 349. The GBL prohibits "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service." N.Y. Gen. Bus. Law § 349(a). To bring a claim under the GBL § 349, a plaintiff must aver "that a defendant has engaged in (1) consumer-oriented conduct that is (2) materially misleading and that (3) plaintiff suffered injury as a result of the allegedly deceptive act or practice." Orlander v. Staples, Inc. , 802 F.3d 289, 300 (2d Cir. 2015).

Facebook relies on its Statement of Rights and Responsibilities for a choice of law clause barring the GBL § 349 claim even if plaintiffs have standing. This argument depends on judicial notice of the Statement of Rights and Responsibilities which was in effect from January 30, 2015 through October 2017. Req. Jud. Not. at 1 (Dkt. No. 66). The existence of the publicly available Statement of Rights and Responsibilities is suitable for judicial notice because its existence cannot reasonably be questioned. See Letizia v. Facebook Inc. , 267 F. Supp. 3d 1235, 1242 (N.D. Cal. 2017) (granting judicial notice of a Facebook Statement of Rights and Responsibilities). In light of the holding in Khoja , however, only the fact this document states "the laws of the State of California will govern" is judicially noticed. Valco Decl. Ex. B at 6.

Plaintiffs do not dispute the authenticity of the document or its contents, but they disagree on whether this choice of law *1056clause is enforceable based on In re Facebook Biometric Info. Privacy Litig. ("Biometric"), 185 F. Supp. 3d 1155, 1168-70 (N.D. Cal. 2016). In contrast, Facebook relies on another case in this district, Palomino v. Facebook, Inc. , No. 16-CV-04230-HSG, 2017 WL 76901, at *4 (N.D. Cal. Jan. 9, 2017), which distinguished the Biometric case.

Courts apply a two-pronged choice of law test: "(1) whether the chosen state has a substantial relationship to the parties or their transaction, or (2) whether there is any other reasonable basis for the parties' choice of law." Washington Mut. Bank, FA v. Superior Court , 24 Cal. 4th 906, 916, 103 Cal.Rptr.2d 320, 15 P.3d 1071 (2001). If either prong is met the choice of law will be enforced unless "contrary to a fundamental policy" of the alternative state (New York in this case) and if the state "has a materially greater interest in the determination of the particular issue." Id. at 917, 103 Cal.Rptr.2d 320, 15 P.3d 1071.

Both prongs of the test are indisputably met here. California has an obvious substantial relationship to the parties and a reasonable basis to enforce its choice of law considering Facebook is "a California corporation with its principal place of business located at Menlo Park, California." FACC ¶ 9. Rather than dispute these initial portions of the analysis, however, plaintiffs focus entirely on the "fundamental policy" of New York and contend it has a greater interest in this case than California.

Considering both cases presented by plaintiffs and Facebook, Palomino is more applicable here. In Biometric , the court inquired into "which state, in the circumstances presented, will suffer greater impairment of its policies if the other state's law is applied." Biometric , 185 F. Supp. 3d at 1170. The case involved averments Facebook was collecting user biometric data secretly and without consent through the "Tag Suggestions program" on its website. Id. at 1160. Illinois had a specific policy and statute, the Biometric Privacy Act, drafted to protect its citizens' biometric data and premised on the state legislature's concern about corporations like Facebook collecting such personal biometrics. Id. To apply California law, which had no equivalent biometric data protection, would write the Biometric Privacy Act "out of existence." Id. at 1169. In contrast, Palomino dealt with a choice of law between California and New Jersey consumer statutes which were generally the same. See 2017 WL 76901, at *4 (finding California "has its own robust body of consumer protection law that strives to prevent consumer deception by prohibiting unlawful business practices and unconscionable contract provisions.").

Here, plaintiffs only argue there is a "fundamental policy" difference because the GBL § 349 was enacted "as a broad consumer protection measure." Bose v. Interclick, Inc. , 2011 WL 4343517, at *1-2 (S.D.N.Y. Aug. 17, 2011) (internal quotation marks and citation omitted). The GBL has a unique remedy, $ 50 statutory damages, which California consumer law lacks. See Oppo. at 22-23. Differences in the particulars of the consumer statutes are not enough, however, and do not represent a fundamentally different policy. The court in Palomino responded to this very type of argument, rejecting as irrelevant whether one state "affords different rights and remedies" because the inquiry must focus on the fundamental policies. 2017 WL 76901, at *4. There is no indication California's robust consumer protection law is contrary to New York's in their policy aims. Each broadly protects consumers from the deceptive practices alleged against Facebook in this case. Accordingly, *1057the GBL § 439 claim must be dismissed on choice of law grounds without leave to amend.

G. Unjust Enrichment Claim

Plaintiffs final claim for relief requests restitution for Facebook's "retention of the non-gratuitous benefits conferred on it." FACC ¶ 92. The Ninth Circuit has attempted to clarify a long-standing inconsistency in California law, now "allowing an independent claim for unjust enrichment to proceed." Bruton v. Gerber Prod. Co. , 703 F. App'x 468, 470 (9th Cir. 2017). California courts typically consider unjust enrichment a principle of quasi-contract which gives rise to restitution. See Rutherford Holdings, LLC v. Plaza Del Rey , 223 Cal. App. 4th 221, 231, 166 Cal.Rptr.3d 864 (2014). Courts can "construe the cause of action as a quasi-contract claim seeking restitution" to avoid an unjust benefit conferred to the defendant "through mistake, fraud, coercion, or request." Astiana v. Hain Celestial Grp., Inc. , 783 F.3d 753, 762 (9th Cir. 2015) (quoting 55 Cal. Jur. 3d Restitution § 2 ).

Facebook argues in its reply that an unjust enrichment claim is not viable where there is an express agreement. Whether the quasi-contract claim is "nonsensical because it was duplicative of or superfluous" to other claims or legal remedies, however, is no longer a ground for dismissal. Id. at 762-63 (citing Fed. R. Civ. P. 8(d)(2) ("A party may set out 2 or more statements of a claim or defense alternatively or hypothetically, either in a single count or defense or in separate ones.")).

Finally, Facebook's reliance on several opinions before the Ninth Circuit's holdings in Astiana is not persuasive, as these cases did not have the benefit of the Ninth Circuit's interpretation of California law on this subject. See Bruton , 703 F. App'x at 470 (reversing dismissal of an unjust enrichment claim because "when the district court dismissed this claim, California's case law on whether unjust enrichment could be sustained as a standalone cause of action was uncertain and inconsistent.").

Facebook asserts the plaintiffs fail to allege the elements of unjust enrichment in any event. An unjust enrichment claim requires the "receipt of a benefit and [the] unjust retention of the benefit at the expense of another." Lectrodryer v. SeoulBank , 77 Cal. App. 4th 723, 726, 91 Cal.Rptr.2d 881 (2000). To state a claim, plaintiffs must affirmatively aver Facebook received a benefit at its Facebook Messenger and Facebook Lite Android users' expense. See AccuImage Diagnostics Corp v. Terarecon, Inc. , 260 F. Supp. 2d 941, 958 (N.D. Cal. 2003).

The unjust enrichment claim could proceed, assuming plaintiffs can satisfy the pleading requirements of Rule 9(b). Plaintiffs charge Facebook with monetizing their user call and text logs. FACC ¶¶ 18, 19, 91. The benefit conferred to Facebook was based on a misrepresentation in the contact upload prompt for Facebook Messenger and Facebook Lite on Android smartphones. FACC ¶¶ 40,41. Plaintiffs also aver the benefit to Facebook occurred at the expense of its users' data privacy, including the privacy of the named plaintiffs. FACC ¶ 63.

V. CONCLUSION

For the foregoing reasons, the motion to dismiss is granted. The complaint does not include the allegedly fraudulent contact upload prompt or contain particularized averments of fraud to satisfy the heightened pleading requirements of Rule 9(b). Additionally, plaintiffs lack standing to pursue CDAFA and GBL § 349 claims without pleading an actual injury. The *1058GBL § 349 claim must be dismissed without leave to amend on choice of law grounds. As they are unopposed, the trespass to chattel, UCL, and CLRA claims are also dismissed without leave to amend. All other claims are dismissed with leave to amend within 21 days from the date of this Order.

IT IS SO ORDERED.

The factual background is based on the averments in the first amended consolidated class action complaint, which are taken as true for purposes of a motion to dismiss, as well as on documents incorporated by reference and judicially noticed.

Plaintiffs consented to dismissal of their trespass to chattel, UCL, and CLRA claims, but requested leave to amend "California-only claims" if their New York GBL claim is unsuccessful. See Oppo. at 3 n.1, 23 n.9. Because plaintiffs consented to dismissal and have not stated any basis for repleading these claims, they are dismissed without leave to amend.