United States District Court Judge Cynthia Bashant, of the Central District of California, ruled on several privacy claims on a motion to dismiss.

Addressing injury in fact:

  • “Plaintiff alleges Defendant collected his personal information in violation of the California Constitution and various California statutes. (Am. Compl. ¶ 1.) Among the collected data are his “geolocation, … communications related to his personal characteristics, mode of living, purchase decisions, personal choices, app selections, spending habits, and click choices.” (Id. ¶ 38.) As in In re Facebook, Plaintiff’s inability to “control or prevent the unauthorized exploration” of his private affairs is the root of the alleged injury. See 959 F.3d at 599.”
  • “[T]he Complaint plausibly alleges Defendant collected Plaintiff’s data. To be sure, Plaintiff’s injury must be “specific to [him].” See Gaos v. Google Inc., No. 5:10-cv-4809 EJD, 2012 WL 1094646, at *3 (N.D. Cal. Mar. 29, 2012). There is, in other words, no standing if Plaintiff fails to allege that Defendant collected his data. But in this case, the Complaint adequately pleads an injury specific to him. The Complaint alleges, “Defendant openly acknowledges that its software development kit (SDK), made available to and inserted by other companies as a plug-in to their own smartphone applications, intercepts and reads massive amounts of consumer data using its technology in order to identify unique consumers and report on their travel and habits for marketing, verification, and other purposes.” (Am. Compl. ¶ 67.) Plaintiff further alleges that he “owns, carries, and regularly uses a cellular device that contains Defendant’s Kochava monitoring and intercepting SDK” embedded in apps (id. ¶ 36); “regularly uses his cell phone to access these application(s) in which Defendant utilizes its embedded SDK to track his geolocation, and to monitor and intercept communications” (id. ¶ 38); and “did not know until recently that his purchase decisions, his movements, and his locations, were being tracked by Defendant to market, sell, and advertise to him” (id. ¶ 40). This is enough for the Court to reasonably infer that Defendant collected and sold Plaintiff’s data.”
  • “[T]here is no constitutional requirement that Plaintiff demonstrate lost economic value.”
  • “Plaintiff alleges he did not consent to Defendant’s collection of his data. Defendant argues that users consented to its data practices in two ways: (1) they consented to sharing their location with a third-party app developer when they downloaded the application and (2) they failed to opt-out by contacting Defendant and requesting data deletion. (MTD 18, 23.) Neither constitutes consent.”

Addressing invasion of privacy:

  • “Far from the “routine collection of personally identifiable information,” Plaintiff alleges the surreptitious collection information that could reveal, for instance, a person’s religious affiliation, sexual orientation, and medical condition.”
  • “[T]he Amended Complaint outlines a data collection system that compiles “rich personal data,” including the “[i]dentification of sensitive and private characteristics of consumers from the location data sold.” (Am. Compl. ¶¶ 75, 99.) In both cases, the defendants “fingerprinted” users and correlated a vast amount of personal information without users’ knowledge. (Id. ¶ 75 (“Defendant is able to deliver targeted advertising … by in essence ‘fingerprinting’ each unique device and user, as well as connecting users across devices and devices across users.”)); In re Facebook, 956 F.3d at 599 (“Facebook gained a cradle-to-grave profile without users’ consent.”). Thus, the type of information amassed is similarly revealing, and the method is similarly secretive. These factors allow the Court to plausibly infer Defendant’s data-collection practices amount to an egregious breach of social norms.”

Addressing alleged violations of CIPA:

  • “[P]leading a CIPA violation does not require identifying a specific communication that was intercepted. Such an inference is reasonable given the detailed allegations of Defendant’s practices and Plaintiff’s alleged use of SDK-embedded apps.”
  • “California law prohibits the installation of a pen register without first obtaining a court order. Cal. Penal Code § 638.51 (“Section 638.51”)…Defendant argues that its SDK is not a “pen register” but provides no caselaw in support. Indeed, it seems no court has interpreted this provision of CIPA…the Court cannot ignore the expansive language in the California Legislature’s chosen definition. The definition is specific as to the type of data a pen register collects—“dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted,” but it is vague and inclusive as to the form of the collection tool—“a device or process.” See Cal. Penal Code § 538.50(b). This indicates courts should focus less on the form of the data collector and more on the result. Thus, the Court applies the plain meaning of a “process” to the statute. A process can take many forms. Surely among them is software that identifies consumers, gathers data, and correlates that data through unique “fingerprinting.” (Am. Compl. ¶¶ 67, 74.) Thus, the Court rejects the contention that a private company’s surreptitiously embedded software installed in a telephone cannot constitute a “pen register.””
  • Section 631 has two clauses: It punishes (1) persons who tap telegraph or telephone wires, lines, cables, and instruments and (2) persons who attempt to learn in an unauthorized manner the contents of communications passing over any wires, lines, and cables. See id.In re Google Inc., No. 13-MD-02430-LHK, 2013 WL 5423918, at *20 (N.D. Cal. Sept. 26, 2013)…Because Plaintiff’s claim relates to data collected from smartphone apps, only the second clause can sustain the cause of action…The allegations in this case fall on the “contents” of communication side of the line.”
  • “[T]o prevail on a Section 632 claim, “a plaintiff must prove (1) an electronic recording of or eavesdropping on (2) a ‘confidential communication’ (3) to which all parties did not consent.” In re Google Inc., 2013 WL 5423918, at *22…laintiff here alleges Defendant collected his “search terms” and other communications. (Am. Compl. ¶ 78.) But unlike the Brown-plaintiffs, Plaintiff here fails to allege any representations that his search terms would be kept private.”

DAVID GREENLEY, Plaintiff, v. KOCHAVA, INC., Defendant., No. 22-CV-01327-BAS-AHG, 2023 WL 4833466 (S.D. Cal. July 27, 2023).