Meta Platforms, Inc. v. BrandTotal Ltd. et al, No. 3:2020cv07182 - Document 344 (N.D. Cal. 2022)

Court Description: Redacted version of 339 order granting in part and denying in part 246 motion for sanctions, 268 Defendants' motion for summary judgment, and 272 Plaintiff's motion for summary judgment. This order also resolves various administrative motions to file under seal, pending further filings as stated herein. Signed by Chief Magistrate Judge Joseph C. Spero on May 27, 2022. (jcslc2, COURT STAFF) (Filed on 6/6/2022)
Download PDF
Meta Platforms, Inc. v. BrandTotal Ltd. et al Doc. 344 1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 META PLATFORMS, INC., 7 Plaintiff, 8 v. 9 BRANDTOTAL LTD., et al., 10 Defendants. United States District Court Northern District of California 11 12 13 I. Case No. 20-cv-07182-JCS ORDER REGARDING MOTION FOR SANCTIONS AND MOTIONS FOR SUMMARY JUDGMENT Re: Dkt. Nos. 246, 268, 272 Provisionally Filed Under Seal Redacted Public Version INTRODUCTION Plaintiff Meta Platforms, Inc. (“Meta”) and Defendants BrandTotal Ltd. and Unimania, 14 15 Inc. (collectively, “BrandTotal”) each move for summary judgment. Meta also moves for 16 sanctions based on purported spoliation of evidence and perjured testimony. The Court held a 17 hearing on May 16, 2022. Each of those motions is GRANTED in part and DENIED in part, as 18 discussed below.1 This order does not resolve the parties’ motions to exclude expert testimony 19 (dkts. 248, 251), which will be addressed in a separate order. This order is provisionally filed under seal. Any party that believes compelling reasons 20 21 warrant sealing any portion of this order may bring a motion no later than June 3, 2022 to retain 22 narrowly tailored redactions under seal. 23 II. OVERVIEW AND PROCEDURAL HISTORY Meta is a technology company that, among other things, operates two ubiquitous social 24 25 networks: Facebook and Instagram. Much of its revenue is derived from selling the right to 26 advertise on those services. Meta provides its advertising clients with information about how their 27 1 28 The parties have consented to the jurisdiction of a magistrate judge for all purposes pursuant to 28 U.S.C. § 636(c). United States District Court Northern District of California 1 ads are served to users. 2 BrandTotal provides advertising consulting services to corporate clients regarding how 3 those clients’ and their competitors’ digital advertisements are presented to social media users. 4 One of its primary methods of collecting that information is incentivizing individual users, whom 5 it refers to as “panelists,” to share data about the advertisements they are served while browsing 6 social networks. The primary product at issue in this case, a browser extension called UpVoice, 7 awards users points that can be redeemed for gift cards in exchange for using a browser extension 8 that automatically sends data to BrandTotal while a user browses websites like Facebook. Other 9 BrandTotal products, many of which are now defunct, provided less tangible incentives to users, 10 allowing them to do things like keep track of the advertisements they had seen or view other users’ 11 Instagram stories anonymously, again in exchange for collecting advertising data for BrandTotal. 12 Two of those products, addressed below in the context of Meta’s motion for sanctions, also logged 13 users’ Instagram access credentials to a server that BrandTotal used primarily for debugging its 14 software for period of around four months. The current version of UpVoice introduced in 2021 (“UpVoice 2021”) (as well as a 15 16 Spanish-language near-equivalent product called Calix that BrandTotal recently developed in 17 partnership with a third-party2) merely logs information that Facebook transmits to the user about 18 advertisements in the course of the user’s regular interaction with the website, as well as 19 demographic information that the user specifically enters into UpVoice (rather than UpVoice 20 collecting it from Facebook). Earlier versions of UpVoice and BrandTotal’s other products 21 automatically caused users’ browsers to query Facebook’s servers for information, and collected 22 demographic information about users from Facebook in addition to information about 23 advertisements. BrandTotal also gathers data more proactively: its servers collect data directly 24 from webpages that are publicly available for most advertisements on Facebook, it hires 25 contractors to gather data using a program called the “Restricted Panel Extension” for 26 advertisements that are not available to the public and instead require a user to be logged in (for 27 2 28 See Schultz MSJ Decl. Ex. 23 (Martens Supp’l Report) ¶¶ 23–26; id. Ex. 25 (Regev Feb. 2022 Dep.) at 86:21–89:15. 2 1 example, age-restricted ads for alcohol),3 and it has at least at times used Facebook accounts that it 2 purchased or created (which BrandTotal refers to internally as “Muppets”) to access information 3 on Facebook. After successfully petitioning Google to remove the then-existing version of UpVoice from 4 5 its online store, Meta—known at the time as Facebook, Inc.—filed claims against BrandTotal in 6 California state court on October 1, 2020. Meta quickly dismissed that case without prejudice and 7 filed the present case here on October 14, 2020. BrandTotal filed counterclaims and moved for a 8 temporary restraining order (“TRO”). The Court denied that motion for failure to show that the 9 relief BrandTotal sought was in the public interest. Order re TRO (dkt. 63).4 On February 19, 2021, the Court granted Meta’s motion to dismiss all of BrandTotal’s 10 United States District Court Northern District of California 11 counterclaims, largely with leave to amend. 1st MTD Order (dkt. 108).5 BrandTotal reasserted all of its counterclaims in an amended pleading. On June 3, 2021, 12 13 the Court dismissed BrandTotal’s declaratory judgment counterclaims, BrandTotal’s counterclaim 14 for intentional interference with contract to the extent it was based on contracts with investors, 15 BrandTotal’s interference with prospective advantage counterclaim to the extent it was based on 16 potential customers and investors, and BrandTotal’s counterclaims under the “unfair” and 17 “fraudulent” prongs of the UCL. 2d MTD Order (dkts. 152, 158).6 The Court denied Meta’s 18 motion to dismiss BrandTotal’s interference with contract and prospective advantage 19 counterclaims and to the extent they were based on existing customers, panelists, and Google, and 20 its counterclaim under the “unlawful” prong of the UCL. Id. 21 BrandTotal moved for a preliminary injunction, but the parties agreed at the hearing to 22 resolve that motion with a commitment by Meta not to interfere with UpVoice 2021 while this 23 3 24 25 26 27 28 See Schultz MSJ Decl. Ex. 25 (Regev Feb. 2022 Dep.) at 131:8–144:11. Facebook, Inc. v. BrandTotal Ltd., 499 F. Supp. 3d 720, 725 (N.D. Cal. 2020). Citations herein to the Court’s previous orders refer to page numbers of the versions filed in the Court’s ECF docket. 5 Facebook, Inc. v. BrandTotal Ltd., No. 20-cv-07182-JCS, 2021 WL 662168 (N.D. Cal. Feb. 19, 2021). 6 Facebook, Inc. v. BrandTotal Ltd., No. 20-cv-07182-JCS, 2021 WL 2354751 (N.D. Cal. June 9, 2021). This order was initially filed under seal in an abundance of caution, and unsealed after Meta declined to seek sealing and BrandTotal failed to sufficiently justify its proposed redactions. See dkt. 157. 3 4 1 case is pending without providing notice to BrandTotal in advance, and a commitment by 2 BrandTotal to notify Meta of any changes to the UpVoice 2021 code. Dkt. 150. On August 31, 2021, the Court denied BrandTotal’s motion for leave to add a defamation United States District Court Northern District of California 3 4 counterclaim after the deadline to amend pleadings had expired, and dismissed with prejudice 5 BrandTotal’s reasserted counterclaim under the UCL’s “unfair” prong for failure to allege Meta’s 6 market power in a relevant product market. 3d MTD Order (dkt. 178).7 7 BrandTotal’s operative third amended counterclaims assert the following theories: 8 (1) intentional interference with BrandTotal’s contracts with its corporate customers, its panelists, 9 and Google, 3d Am. Counterclaims (dkt. 183) ¶¶ 94–130; (2) intentional interference with 10 prospective economic advantage regarding the same relationships, id. ¶¶ 131–39; and (3) violation 11 of the UCL’s “unlawful” prong by virtue of the intentional interference theories, id. ¶¶ 140–46. 12 Since BrandTotal did not challenge the sufficiency of Meta’s allegations through a motion 13 to dismiss and Meta never sought preliminary injunctive relief, Meta’s claims against BrandTotal 14 have not been directly at issue in any previous motion. Meta asserts the following claims in its 15 operative first amended complaint: (1) breach of contract, citing the Facebook and Instagram 16 terms of use, 1st Am. Compl. (“FAC,” dkt. 148) ¶¶ 83–89; (2) unjust enrichment, id. ¶¶ 90–96; 17 (3) violation of the Computer Fraud and Abuse Act (“CFAA,” 18 U.S.C. § 1030), id. ¶¶ 97–102; 18 (4) violation of California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA,” 19 Cal. Penal Code § 502), id. ¶¶ 103–11; (5) intentional interference with Meta’s contracts with its 20 users, id. ¶¶ 112–18; and (6) violation of the “unlawful,” “unfair,” and “fraudulent” prongs of the 21 UCL, id. ¶¶ 119–26. 22 III. META’S MOTION FOR SANCTIONS 23 A. 24 Meta’s sanctions motion primarily concerns two related issues: (1) data from a debugging 25 log called Rapid7 that BrandTotal allowed to be deleted on a regular schedule, including after this 26 action commenced and purportedly after learning that it was relevant; and (2) deposition testimony Background 27 7 28 Facebook, Inc. v. BrandTotal Ltd., No. 20-cv-07182-JCS, 2021 WL 3885981 (N.D. Cal. Aug. 31, 2021). 4 1 by BrandTotal’s Rule 30(b)(6) witness and then-Vice President of Research and Development 2 Oren Dor stating, inaccurately, that BrandTotal’s Anonymous Story Viewer product did not 3 transmit access credentials to BrandTotal’s servers. 4 5 its various software products. The Rapid7 log received information about processes executed by 6 BrandTotal’s software and stored that information for a period of thirty days, with each entry 7 automatically deleted thirty days after it was created. See O’Laughlin Decl. (dkt. 246-2) Ex. 5 8 (Regev Nov. 2021 Dep.) at 194:20–22. According to BrandTotal, the Rapid7 log was used only 9 for troubleshooting and debugging, not for BrandTotal’s business of preparing marketing insights 10 11 United States District Court Northern District of California At all relevant times, BrandTotal has used Rapid7 as a logger tool to track the operation of for its customers. Regev Sanctions Decl. (dkt. 288-1) ¶¶ 5–6. As of October of 2020, at least some BrandTotal developers knew that “access tokens and 12 cookies” from users of certain BrandTotal products (Story Savebox and Anonymous Story 13 Viewer, or “ASV”) had been sent to the Rapid7 log, but until BrandTotal Vice President Yair 14 Regev’s November 18, 2021 deposition, BrandTotal took no steps to preserve those logs and 15 prevents their automatic deletion. O’Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 196:11– 16 197:21. Meta’s data security team also knew as of October 2020 that ASV collected and 17 exfiltrated users session ID tokens and sessions IDs, which would be sufficient for a third party to 18 make requests to Instagram servers as if that third party were the user, Karve Oct. 2020 Decl. (dkt. 19 42) ¶¶ 22–23, but it is not clear from the record that Meta knew at that time where or how 20 BrandTotal stored that data after collecting it. According to Regev, Meta would have been able to 21 determine from BrandTotal’s source code what information was sent to Rapid7. Regev Sanctions 22 Decl. ¶ 6. After Meta filed a declaration in October of 2020 address the collection of user access 23 credentials, BrandTotal modified ASV and Story Savebox to cease doing so, but did not take steps 24 to preserve the Rapid7 logs or prevent their automatic deletion. 25 During deposition in January of 2021 related to BrandTotal’s efforts to obtain a 26 preliminary injunction, Dor testified on behalf of BrandTotal that ASV had never transmitted 27 users’ session tokens or session IDs (which could be used to access Instagram as if one were that 28 user) to BrandTotal’s servers. O’Laughlin Decl. Ex. 1 (Dor Jan. 2021 Dep.) at 128:17–130:3. 5 United States District Court Northern District of California 1 Dor’s successor, Regev, conceded that Dor’s testimony on that subject was inaccurate and did not 2 reflect what BrandTotal knew at the time of Dor’s deposition. O’Laughlin Decl. Ex. 5 (Regev 3 Nov. 2021 Dep.) at 184:13–186:2. After leaving the company in 2021, Dor testified in a March 4 2022 deposition that he did not recall whether BrandTotal used Rapid7 or any other logging 5 service, and that although he oversaw developers, his own role was not sufficiently technical for 6 him to have “connected to these logs” during his time at BrandTotal. Schultz Sanctions Decl. 7 (dkt. 293-1) Ex. 27 (Dor March 2022 Dep.) at 74:6–75:5. BrandTotal altered the software to 8 remove the collection of access credentials around four months after it started collecting that data, 9 and ASV was removed from the Google’s browser extension store in October of 2020, but 10 BrandTotal’s Rapid7 log may have continued to receive that information from users who 11 downloaded ASV while it was available from Google and who did not update their software after 12 the code was altered. Regev Sanctions Decl. ¶ 12; O’Laughlin Decl. Ex. 5 (Regev Nov. 2021 13 Dep.) at 186:6–21. Neither ASV nor Story Savebox is currently available for download. 14 O’Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 186:3–5. 15 Meta’s attorneys first learned at some point after September 17, 2021 that data from 16 Facebook and Instagram was stored in the Rapid7 logs, BrandTotal thereafter produced excerpts 17 of the Rapid7 data, and Meta confirmed from Regev during his November 18, 2021 testimony that 18 the Rapid7 logs had at one point contained users’ access tokens but older logs had been lost due to 19 the thirty-day retention and automatic deletion process. See O’Laughlin Decl. Ex. 13 (email from 20 Meta’s counsel to BrandTotal’s counsel). In response to a specific request by Meta’s counsel, 21 BrandTotal produced all Rapid7 data that remained available at that time (running from October 22 2021), and continued to do so on a weekly basis beyond the close of expert discovery. Taylor 23 Sanctions Decl. (dkt. 288-2) ¶¶ 19–20. 24 Meta does not dispute BrandTotal’s contention that none of BrandTotal’s source code 25 produced in this litigation—either for BrandTotal’s consumer products or for its own server-side 26 operations—draws data from the Rapid7 log, as opposed to sending data to it. See Regev 27 Sanctions Decl. ¶ 10. Meta has not identified evidence indicating that any other BrandTotal 28 product collected the sort of access credentials at issue, or that newly installed versions of ASV or 6 1 Story Savebox did so at any time beyond the approximately four-month period ending in October 2 of 2020. See id. ¶¶ 11–12. 3 Meta seeks an order imposing the following adverse presumption against BrandTotal: 4 1. The Court will treat the following facts as established for purposes of adjudicating Meta’s summary judgment motion, and that the factfinder at trial will be instructed that it may presume: 5 6 a. Defendants were obligated to preserve the data logged on the Rapid7 server between October 2020 and October 2021, but intentionally failed to do so because the data was unfavorable to Defendants. 7 8 b. The deleted data would have shown that between October 2020 and October 2021 (i) Defendants continuously misappropriated access credentials from Meta users and exfiltrated them to BrandTotal-controlled servers; (ii) Defendants did not anonymize or encrypt this sensitive data; (c) [sic] Defendants used these access credentials to pose as legitimate Meta users and scrape passwordprotected data from Meta’s computers, in violation of Meta’s Terms of Service; and (iv) Defendants attempted to conceal the collection and use of these access credentials because they knew their conduct was unlawful. 9 10 United States District Court Northern District of California 11 12 13 14 16 c. The deleted data would have shown that between October 2020 and October 2021, Defendants continuously used accounts they created or purchased in order to gain access to Facebook and Instagram, pose as legitimate Meta users, and scrape data from Meta’s computers in violation of Meta’s Terms of Service. 17 Proposed Order re Sanctions (dkt. 246-28). Meta also seeks to preclude BrandTotal “from relying 18 on Mr. Oren Dor’s January 13, 2021 testimony,” and to recover its “fees and costs, including 19 expert costs, incurred in connection with bringing this motion.” Id. 15 20 BrandTotal argues that it “did not intentionally (or even affirmatively) delete anything,” 21 but “[r]ather, the data within the logger tool merely expired after 30-days as part of BrandTotal’s 22 ordinary course of business.” Opp’n to Sanctions (dkt. 288) at 2. It also argues that Meta was not 23 prejudiced because other evidence shows the conduct at issue, id. at 13–15, that the relief Meta 24 seeks is excessive, id. at 15–18, and that it should be permitted to use Dor’s testimony, id. at 18– 25 21. Based on its contention that sanctions are not appropriate, BrandTotal also argues that it 26 should not be required to pay Meta’s attorneys’ fees. Id. at 21–22. 27 B. 28 “Federal courts have the authority to sanction litigants for discovery abuses both under the Legal Standard for Discovery Sanctions 7 1 Federal Rules of Civil Procedure and pursuant to the court’s inherent power to prevent abuse of 2 the judicial process.” Network Appliance, Inc. v. Bluearc Corp., No. C 03-5665 MHP, 2005 WL 3 1513099, at *2 (N.D. Cal. June 27, 2005) (citing Chambers v. NASCO, Inc., 501 U.S. 32, 45–46 4 (1991); In re Yagman, 796 F.2d 1165, 1187 (9th Cir. 1986)). Rule 16(f) of the Federal Rules of 5 Civil Procedure allows a court to order sanctions where a party or its attorney fails to obey a 6 pretrial order. Rule 37(b)(2)(A) specifically addresses sanctions that may be imposed on a party 7 that has failed to comply with a discovery order, including striking pleadings in whole or in part, 8 dismissal, entry of default judgment, contempt of court, and an order “directing that the matters 9 embraced in the order or other designated facts be taken as established for purposes of the action, 10 United States District Court Northern District of California 11 as the prevailing party claims.” See Fed. R. Civ. P. 37(b)(2)(A)(i). Rule 37(e) provides that “[i]f electronically stored information that should have been 12 preserved in the anticipation or conduct of litigation is lost because a party failed to take 13 reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery,” 14 a court that finds prejudice to another party as a result may “order measures no greater than 15 necessary to cure the prejudice,” and a court that finds “that the party acted with the intent to 16 deprive another party of the information’s use in the litigation may” presume that the information 17 was unfavorable, instruct the jury that it may or must so presume, or enter judgment against the 18 culpable party. Fed. R. Civ. P. 37(e). 19 A district court also has inherent authority to impose sanctions for spoliation of evidence. 20 Leon v. IDX Sys. Corp., 464 F.3d 951, 958 (9th Cir. 2006); Glover v. BIC Corp., 6 F.3d 1318, 21 1329 (9th Cir. 1993). The majority of courts use a three-part test to determine whether spoliation 22 occurred, consisting of the following elements: “‘(1) that the party having control over the 23 evidence had an obligation to preserve it at the time it was destroyed; (2) that the records were 24 destroyed with a “culpable state of mind;” and (3) that the evidence was “relevant” to the party’s 25 claim or defense such that a reasonable trier of fact could find that it would support that claim or 26 defense.’” Apple Inc. v. Samsung Elecs. Co., 881 F. Supp. 2d 1132, 1138 (N.D. Cal. 2012) 27 (quoting Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 215 (S.D.N.Y. 2003)) (footnotes 28 omitted). “[T]he ‘culpable state of mind’ factor is satisfied by a showing that the evidence was 8 1 destroyed knowingly, even if without intent to breach a duty to preserve it, or negligently.” 2 Residential Funding Corp. v. DeGeorge Fin. Corp., 306 F.3d 99, 108 (2d Cir. 2002) (cleaned up; 3 emphasis omitted); see Miranda v. Wyatt, 677 F. App’x 432, 432–33 (9th Cir. 2017) (citing 4 Residential Funding with approval and noting the parties’ agreement that it “provides an 5 appropriate test for determining when an adverse inference instruction can be given”); Katzman v. 6 L.A. Cty. Metro. Transp. Auth., No. 13-cv-00438-LHK, 2015 WL 13861765, at *9–10 (N.D. Cal. 7 Mar. 26, 2015) (applying the Residential Funding test). 8 United States District Court Northern District of California 9 If spoliation is found, courts often consider three factors to determine whether and what type of sanctions to issue: “(1) the degree of fault of the party who altered or destroyed the 10 evidence; (2) the degree of prejudice suffered by the opposing party; and (3) whether there is a 11 lesser sanction that will avoid substantial unfairness to the opposing party.” Nursing Home 12 Pension Fund v. Oracle Corp., 254 F.R.D. 559, 563 (N.D. Cal. 2008) (quoting Schmid v. 13 Milwaukee Elec. Tool Corp., 13 F.3d 76, 79 (3d Cir. 1994)). Among other sanctions, trial courts 14 have “the broad discretionary power to permit a jury to draw an adverse inference from the 15 destruction or spoliation against the party or witness responsible for that behavior” so long as the 16 party responsible had “simple notice of ‘potential relevance to the litigation,’” with no requirement 17 to prove bad faith. Glover, 6 F.3d at 1329 (quoting Akiona v. United States, 938 F.2d 158, 161 18 (9th Cir. 1991)). 19 C. 20 21 BrandTotal’s Conduct Warrants a Permissive (as Opposed to Mandatory) Adverse Inference Instruction The relief that Meta seeks here is internally inconsistent: while Meta asks the Court to treat 22 certain facts as established for the purpose of Meta’s summary judgment motion, it seeks an 23 instruction at trial only that the jury may presume such facts to be true. See Proposed Sanctions 24 Order (dkt. 246-28). Such an approach is in tension with the usual rules for summary judgment, 25 where courts view the facts and draw all possible inferences in the light most favorable to the 26 nonmoving party, in order to determine whether the nonmoving party could prevail at trial. 27 Meta’s approach here could potentially have the Court grant summary judgment in Meta’s favor 28 on a record where BrandTotal might prevail if the case went to trial. Meta cites no authority for 9 1 imposing sanctions in that manner and does not offer a reason to do so. The Court evaluates the 2 motion without regard to the phase of the case as if it requests, in the first instance, a mandatory 3 presumption that the facts Meta has set forth are true, or, as an alternative lesser sanction, an 4 instruction that the finder of fact may presume those facts to be true. United States District Court Northern District of California 5 The Court has little trouble concluding that the Rapid7 database—which provided a 6 detailed running log of the operation of BrandTotal’s software, recording at least to some degree 7 the actual data BrandTotal collected from Facebook and Instagram—included information relevant 8 to the case, that BrandTotal knew it included that information, and that BrandTotal should have 9 taken steps to preserve it once litigation was contemplated, i.e., no later than when Meta filed its 10 first complaint against BrandTotal in state court. There is no dispute that BrandTotal failed to do 11 so until roughly a year after the case began. See, e.g., O’Laughlin Decl. Ex. 5 (Regev Nov. 2021 12 Dep.) at 196:15–18. The Court is also satisfied that the loss of a real-time log of at least some of 13 BrandTotal’s data collection prejudices Meta’s ability to understand and prove the scope and 14 nature of that conduct. As one example, there currently does not appear to be any way to assess 15 how many users’ access credentials were logged by BrandTotal or when BrandTotal stopped 16 receiving that information from users of outdated versions of its products. Similarly, the Rapid7 17 logs would have provided greater insight than is now available as to how extensively BrandTotal 18 used “fake” accounts that it purchased or created to gather data from Facebook and Instagram 19 from October 2020 to October 2021. There is also no dispute that the deleted Rapid7 logs cannot 20 be replaced or recovered through additional discovery. Meta has therefore established the basic 21 elements of spoliation for the purpose of Rule 37(e). 22 When it comes to the specific relief Meta seeks, however, Meta has not met Rule 23 37(e)(2)’s requirement to show that BrandTotal “acted with the intent to deprive another party of 24 the information’s use in the litigation,” as would be necessary for an adverse inference 25 presumption or instruction under that rule. Fed. R. Civ. P. 37(e)(2). BrandTotal’s position that it 26 merely negligently failed to take steps to counteract the automatic deletion process of its Rapid7 27 subscription is plausible. While BrandTotal certainly should have recognized its obligation to 28 preserve those records, it is not hard to imagine that BrandTotal’s employees might have 10 1 overlooked their transient diagnostic log as a source of relevant and discoverable information 2 while they, presumably, took steps to preserve more obvious sources of relevant information like 3 email accounts and the databases they used to prepare analysis for BrandTotal’s corporate clients.8 4 Negligence—even gross negligence—in failing to retain relevant evidence is not sufficient to 5 support an adverse inference under Rule 37(e)(2). Porter v. City & Cty. of San Francisco, No. 16- 6 cv-03771-CW (DMR), 2018 WL 4215602, at *4 (N.D. Cal. Sept. 5, 2018). While it is possible 7 that BrandTotal intentionally failed to preserve the Rapid7 logs that documented its collection of 8 user access credentials, and BrandTotal having affirmatively acted to alter its programs to cease 9 collecting those credentials lends at least some support to that theory, Meta has not shown that to United States District Court Northern District of California 10 be the most likely explanation for the ongoing automatic deletion of those logs. 11 In Porter, the City and County of San Francisco did not dispute that it had an obligation to 12 preserve the recording of a call to law enforcement. Id. at *3. The court found that the city failed 13 to take reasonable steps to do so, that the recording could not be restored or replaced after it was 14 deleted pursuant to a two-year retention policy, and that the plaintiff was prejudiced by losing 15 evidence potentially relevant to a witness’s credibility or other issues in the case. Id. at *3–4. 16 Turning to the intent requirement of Rule 37(e)(2), however, the court found that the city’s mere 17 failure to recognize its obligation to preserve the call and deviate from its regular deletion 18 schedule was not sufficient to show that intentionally prevented the plaintiff from obtaining that 19 evidence. Id. at *4 (“While CCSF certainly should have done more, and should have acted earlier 20 to preserve a piece of evidence as central as a recording of the dispatch call, there is no evidence 21 that CCSF decided to erase the Okupnik call when it was under pressure to produce it.”). The 22 court instead determined that the jury should be instructed as to what occurred, and allowed to 23 8 24 25 26 27 28 The type of information at issue distinguishes this case from WeRide Corp. v. Kun Huang, where the court found bad faith for the purpose of terminating sanctions under Rule 37(b) based on a party having “left in place the autodelete setting on its email server, began using DingTalk’s ephemeral messaging feature, and maintained a policy of deleting the email accounts and wiping the computers of former employees.” WeRide, No. 5:18-cv-07233-EJD, 2020 WL 1967209, at *10 (N.D. Cal. Apr. 24, 2020); see also John v. County of Lake, No. 18-cv-06935-WHA (SK), 2020 WL 3630391, at *4, *6–7 (N.D. Cal. July 3, 2020) (finding the requisite intent for Rule 37(e)(2) where “the District Court explicitly warned Defendants to put in place policies to preserve evidence and to stop any policy of destruction, but Defendants did not do so,” instead actively deleting emails and text messages). 11 1 2 3 4 5 6 7 Since the Okupnik call cannot be restored or retrieved, and constitutes relevant and material evidence, the court finds that an appropriate sanction is to inform the jury that the call was spoliated. To that end, the court orders that the jury may hear a short factual statement at trial regarding the spoliation of this evidence. The statement should inform the jury that CCSF had a duty to preserve a copy of the Okupnik call, and that despite this duty, the recording of the call was erased and is no longer available. As a result, CCSF’s actions have prevented the jury from hearing what Okupnik communicated to SFSD in that call, how he communicated it, and what SFSD said in response to Okupnik. 8 Id. The court also awarded the plaintiff his attorneys’ fees for bringing the sanctions motion, but 9 not for “time spent in the meet and confer process, because such work was necessary regardless of 10 11 United States District Court Northern District of California draw its own conclusions: whether a sanctions motion ensued.” Id. at *5. In another case from this district, the defendant improperly failed to preserve video footage 12 of the plaintiff’s slip-and-fall injury at the defendant’s gas station, prejudicing the plaintiff’s 13 ability to prove his case. Phan v. Costco Wholesale Corp., No. 19-cv-05713-YGR, 2020 WL 14 5074349, at *2–3 (N.D. Cal. Aug. 24, 2020). In the absence of any evidence of malicious intent, 15 however, the court declined to infer that the loss of the video was anything more than 16 “sloppiness,” and thus found that Rule 37(e)(2) was not satisfied. Id. at *3. Rather than an 17 instruction as to any particular adverse inference or barring the defendant from pursuing a 18 particular theory, the court determined that California’s CACI 204 model instruction was 19 appropriate, allowing the jury to determine whether the destruction of evidence was intentional 20 and whether to infer that the video was unfavorable to the defense, without specifically laying out 21 what facts the jury might infer. Id. at *4. 22 Here, as in Porter and Phan, Rule 37(e)(2) is not satisfied because Meta has not offered 23 sufficient evidence of any intent by BrandTotal to deprive Meta of the lost Rapid7 logs. Meta is 24 therefore not entitled to a mandatory adverse inference presumption or instruction under that rule. 25 BrandTotal’s negligence could potentially support an adverse inference instruction under 26 the Court’s inherent authority even if not under Rule 37(e). See, e.g., Posner v. Hillstone Rest. 27 Grp., Inc., No. 219CV00507TLNKJN, 2022 WL 705602, at *5–7 (E.D. Cal. Mar. 9, 2022) 28 (issuing a “flexible” instruction leaving to the jury the question of what inference to draw, based 12 United States District Court Northern District of California 1 on a broader standard of culpability that intent and without discussing Rule 37(e)). The particular 2 instruction Meta seeks, however, is too far removed from the evidence that is in the record. To the 3 extent Meta asks the Court to accept as proven that the deleted Rapid7 logs would have revealed a 4 year-long practice of exfiltrating users’ access credentials and using that information to pose as 5 those users and scrape data, it identifies no evidence besides the absence of the logs to support 6 those allegations. While Meta is correct that the mere absence of corroborating evidence does not 7 necessarily negate an adverse inference, it offers no meaningful response to BrandTotal’s 8 argument that, had BrandTotal been systematically misusing the access tokens collected in its 9 Rapid7 logs, its source code would include calls for data from that repository. Instead, Meta relies 10 solely on the facts that: (1) BrandTotal engineers had access to manually review the Rapid7 logs; 11 and (2) BrandTotal sometimes had to replace the access tokens that it created using fake accounts 12 because Meta sometimes blocked them. In the Court’s view, whatever inferences might be drawn 13 from those facts is best left to the jury—or, in the context of any claims tried to the Court, for 14 resolution after trial. Under the circumstances, the Court finds that instructions similar to those used in Porter, 15 16 Phan, and Posner are appropriate. If the case proceeds to trial, the jury will be instructed that 17 BrandTotal had a duty to preserve its Rapid7 logs from October of 2020 through October of 2021 18 but failed to do so. The jury will also receive the CACI 204 instruction, modified as follows: 19 You may consider whether one party intentionally concealed or destroyed evidence, or intentionally allowed evidence to be lost.9 If you decide that a party did so, you may decide that the evidence would have been unfavorable to that party. 20 21 22 D. 23 On December 23, 2021, the parties agreed that BrandTotal would not rely on any Dor’s Testimony 24 testimony from Dor postdating that stipulation. Stipulation (dkt. 215) ¶ 10; see also Order on 25 Stipulation (dkt. 216). Meta now argues that as a result of Dor’s purported perjury regarding the 26 27 9 28 The emphasis here indicates an addition to the model instruction to address the facts of this case. The instruction as presented to the jury will include the same text without emphasis. 13 United States District Court Northern District of California 1 sort of data BrandTotal collected,10 BrandTotal also should not be permitted to rely on his 2 previous deposition testimony. 3 While Meta is correct that courts may impose sanctions for a party’s perjured testimony, it 4 cites no case imposing a comparable sanction to what it seeks here. See Sanctions Mot. (dkt. 246) 5 at 20 (citing Valley Eng’rs Inc v. Elec. Eng’g Co., 158 F.3d 1051, 1058 (9th Cir. 1998) (imposing 6 case-dispositive sanctions in an extreme case); Excel Innovations, Inc. v. Indivos Corp., No. C-03- 7 3125 MMC (JCS), 2006 WL 8439364, at *13 (N.D. Cal. Nov. 21, 2006) (same); Bowoto v. 8 Chevron Texaco Corp., No. C 99-02506 SI, 2008 WL 552456, at *3 (N.D. Cal. Feb. 27, 2008) 9 (denying a motion for sanctions that asked the court to infer perjury, and deferring that issue to the 10 jury, but imposing lesser sanctions for failure to preserve evidence)). Meta has not argued that the 11 case-dispositive sanctions imposed in Valley Engineers and Excel Innovations are warranted here. 12 Nor has it offered any explanation for why the particular remedy it seeks is appropriate. BrandTotal has not materially relied on any testimony by Dor in its summary judgment 13 14 briefing, so this portion of the sanctions motion does not affect the outcome of the parties’ motions 15 for summary judgment. See Defs.’ Opp’n to MSJ (dkt. 299) at 3 (citing Dor’s testimony to show a 16 2018 change to BrandTotal’s security practices, which is not relevant to the outcome of the motion 17 and is supported by other evidence); Defs.’ MSJ Reply (dkt. 311) at 17 (addressing portions of 18 Dor’s testimony offered by Meta, for facts also confirmed by Meta’s expert witness). It is not 19 clear if or how BrandTotal would seek to use Dor’s past testimony at trial. 20 While it is possible that Dor lied in his deposition, it is not clear that he was not simply 21 mistaken or uninformed about the nature of the Rapid7 log and the two BrandTotal products at 22 issue, which were not central to the case at that time. Taking into account that “credibility of 23 witnesses is almost categorically a trial issue,” Alameda Books, Inc. v. City of Los Angeles, 631 24 F.3d 1031, 1042–43 (9th Cir. 2011), that Meta would likely be able to impeach any testimony 25 10 26 27 28 In its reply, Meta argues for the first time that even if Dor’s statements were not knowingly false, BrandTotal violated its discovery obligations by failing to correct Dor’s false statements, and that later representations by BrandTotal regarding the nature of its data collection were also false. Sanctions Reply at 11–12. BrandTotal had no opportunity to respond to these arguments, and no reason is apparent why Meta could not have raised them in its motion if it intended to pursue them. The Court therefore declines to consider them. 14 United States District Court Northern District of California 1 from Dor with his testimony that BrandTotal has now acknowledged to be false and with any 2 circumstantial evidence that it believes indicates he would have known the truth, and that it is 3 difficult to assess any potential prejudice to Meta of allowing Dor’s testimony at trial without 4 knowing what testimony BrandTotal might seek to use, the Court declines at this time to prevent 5 BrandTotal from offering it. This order is without prejudice to any argument that Meta might 6 raise with respect to the fairness of any particular testimony BrandTotal seeks to use at trial. 7 E. 8 While Meta has not shown that it is entitled to an adverse inference sanction under Rule 9 37(e)(2), it has shown spoliation of relevant evidence at least through BrandTotal’s negligence, Attorneys’ Fees 10 and that an instruction informing the jury of BrandTotal’s obligation to preserve that evidence and 11 failure to do so is appropriate. An award of attorneys’ fees for bringing a sanctions motion is an 12 appropriate remedy for spoliation under Rule 37(e)(1) as “measures no greater than necessary to 13 cure the prejudice,” even where a party fails to show bad faith under Rule 37(e)(2). Aramark 14 Mgmt., LLC v. Borgquist, No. 8:18-cv-01888-JLS-KESx, 2021 WL 864067, at *22 (C.D. Cal. Jan. 15 27, 2021), recommendation adopted, 2021 WL 863746 (C.D. Cal. Mar. 8, 2021). BrandTotal does 16 not dispute that proposition, arguing only that Meta should be denied fees because its motion 17 should be denied on its merits. Opp’n to Sanctions at 21–22. 18 The Court finds that an award of attorneys’ fees is appropriate to cure the prejudice to 19 Meta that resulted from BrandTotal’s spoliation of evidence. Based on Meta’s overreach in 20 seeking a more extreme remedy under Rule 37(e)(2), however, the Court concludes that not all of 21 the fees expended in bringing this motion were reasonably incurred. BrandTotal is therefore 22 ORDERED to reimburse seventy-five percent of the fees and costs Meta incurred in bringing its 23 motion for sanctions. See Fox v. Vice, 563 U.S. 826, 838 (2011) (“The essential goal in shifting 24 fees is to do rough justice, not to achieve auditing perfection.”). 25 The parties shall meet and confer by videoconference and file no later than June 10, 2022 26 either: (1) a stipulation as to the amount of such fees and costs; or (2) a joint letter brief no longer 27 than five pages laying out their respective positions on the value of fees and costs to be awarded. 28 15 1 2 MOTIONS FOR SUMMARY JUDGMENT BrandTotal seeks summary adjudication or judgment in its favor on the following issues: 3 (1) that section 3.2.3 of the Facebook terms of service is unenforceable as contrary to public 4 policy; (2) that section 3.2.3 is unconscionable; (3) that Meta cannot prevail on its CFAA and 5 CDAFA claims; and (4) that Meta cannot prevail on its UCL claim. Defs.’ MSJ (dkt. 268). 6 BrandTotal asserts in its reply that it is also entitled to summary judgment on Meta’s tortious 7 interference claim with respect to UpVoice 2021 for reasons other than the purported 8 unenforceability of Meta’s terms of service, Defs.’ MSJ Reply at 13, but the Court declines to 9 address that argument raised for the first time in the reply. 10 United States District Court Northern District of California IV. Meta seeks summary judgment on its own claims for breach of contract and violation of 11 the CFAA and CDAFA, and partial summary judgment on its UCL claim. Pl.’s MSJ (dkt. 272) at 12 10–22. It also seeks summary judgment on BrandTotal’s counterclaims for interference and under 13 the UCL. Id. at 23–35. 14 A. 15 Summary judgment on a claim or defense is appropriate “if the movant shows that there is Legal Standard 16 no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of 17 law.” Fed. R. Civ. P. 56(a). In order to prevail, a party moving for summary judgment must show 18 the absence of a genuine issue of material fact with respect to an essential element of the non- 19 moving party’s claim, or to a defense on which the non-moving party will bear the burden of 20 persuasion at trial. Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). 21 Once the movant has made this showing, the burden then shifts to the party opposing 22 summary judgment to designate “‘specific facts showing there is a genuine issue for trial.’” Id. 23 (citation omitted); see also Fed. R. Civ. P. 56(c)(1) (“A party asserting that a fact . . . is genuinely 24 disputed must support the assertion by . . . citing to particular parts of materials in the record 25 . . . .”). “[T]he inquiry involved in a ruling on a motion for summary judgment . . . implicates the 26 substantive evidentiary standard of proof that would apply at the trial on the merits.” Anderson v. 27 Liberty Lobby Inc., 477 U.S. 242, 252 (1986). The non-moving party has the burden of 28 identifying, with reasonable particularity, the evidence that precludes summary judgment. Keenan 16 United States District Court Northern District of California 1 v. Allan, 91 F.3d 1275, 1279 (9th Cir. 1996). Thus, it is not the task of the court “‘to scour the 2 record in search of a genuine issue of triable fact.’” Id. (citation omitted); see Carmen v. S.F. 3 Unified Sch. Dist., 237 F.3d 1026, 1031 (9th Cir. 2001); Fed. R. Civ. P. 56(c)(3). 4 A party need not present evidence to support or oppose a motion for summary judgment in 5 a form that would be admissible at trial, but the contents of the parties’ evidence must be amenable 6 to presentation in an admissible form. See Fraser v. Goodale, 342 F.3d 1032, 1036–37 (9th Cir. 7 2003). Neither conclusory, speculative testimony in affidavits nor arguments in moving papers 8 are sufficient to raise genuine issues of fact and defeat summary judgment. Thornhill Publ’g Co., 9 Inc. v. GTE Corp., 594 F.2d 730, 738 (9th Cir. 1979). On summary judgment, the court draws all 10 reasonable factual inferences in favor of the non-movant, Scott v. Harris, 550 U.S. 372, 378 11 (2007), but where a rational trier of fact could not find for the non-moving party based on the 12 record as a whole, there is no “genuine issue for trial” and summary judgment is appropriate. 13 Matsushita Elec. Indus. Co. v. Zenith Radio, 475 U.S. 574, 587 (1986). 14 B. 15 Under California law, the “cause of action for damages for breach of contract is comprised Breach of Contract 16 of the following elements: (1) the contract, (2) plaintiff’s performance or excuse for 17 nonperformance, (3) defendant’s breach, and (4) the resulting damages to plaintiff.” Armstrong 18 Petroleum Corp. v. Tri-Valley Oil & Gas Co., 116 Cal. App. 4th 1375, 1391 n.6 (2004). The contractual provision most central to this case is section 3.2.3 of Meta’s terms of use 19 20 for Facebook, which reads as follows: 21 You may not access or collect data from our Products using automated means (without our prior permission) or attempt to access data you do not have permission to access. 22 23 Schultz MSJ Decl. (dkt. 272-6) Ex. 5 § Section 4.2. states that the terms of use generally 24 11 25 26 27 28 In 2017, when BrandTotal created some of the accounts at issue, the relevant provision read: “You will not collect users’ content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission.” Dor TRO Decl. Ex. I at 2, § 3.2. BrandTotal suggests that was a narrower restriction but does not explain why that is so. See Defs.’ MSJ at 10; Defs.’ MSJ Reply at 9–10. To the extent BrandTotal’s argument rests on the list of particular methods of automated collection included in the older version but omitted from the newer version, the Court finds that the use of 17 1 terminate as an agreement when Meta disables a user’s account, but specifically provides that 2 section 3, as well as subsections 4.2 through 4.5, remain in effect. Id. § 4.2. Instagram’s terms of 3 use include a similar clause, but since the relevant portion of the Facebook terms of use govern all 4 of Meta’s products, the Instagram terms are largely redundant in this case. 5 6 7 United States District Court Northern District of California 8 1. BrandTotal’s Motion Regarding Breach of Contract BrandTotal seeks summary judgment on Meta’s contract claim based on two defenses: that section 3.2.3 violates public policy, and that it is unconscionable. a. Section 3.2.3 and Public Policy 9 BrandTotal contends that the prohibition of unauthorized automated access violates public 10 policies related to consumer data ownership, Defs.’ MSJ at 15–18, market competition, id. at 18– 11 22, and the free flow of information and speech, id. at 22–27. 12 “Under general principles of California contract law, a contract is unlawful, and therefore 13 unenforceable, if it is ‘[c]ontrary to an express provision of law’ or ‘[c]ontrary to the policy of 14 express law, though not expressly prohibited.’” Sheppard, Mullin, Richter & Hampton, LLP v. J- 15 M Mfg. Co., 6 Cal. 5th 59, 73 (2018) (quoting Cal. Civ. Code § 1667) (alterations in original). 16 According to the California Supreme Court, however, that doctrine is not limited to public policies 17 embodied in express law. Instead, that court has “also held that a contract or transaction may be 18 found contrary to public policy even if the Legislature has not yet spoken to the issue.” Id.12 In a 19 1953 case that the more recent Sheppard, Mullin decision cited with approval, the court stated that 20 “‘public policy’ is inherently not subject to precise definition,” encompassing “principle of law 21 which holds that no citizen can lawfully do that which has a tendency to be injurious to the public 22 or against the public good” such that “anything which tends to undermine that sense of security for 23 individual rights, whether of personal liberty or private property, which any citizen ought to feel, 24 is against public policy.” Safeway Stores, Inc. v. Retail Clerks Int’l Ass’n, 41 Cal. 2d 567, 575 25 26 27 28 “such as” to introduce the parenthetical plainly indicates that it is intended as an incomplete list of examples and not to limit the scope of the restriction. 12 Meta cites Sheppard, Mullin for the proposition that contracts may only be invalidated as contrary to public policy where they implicate express law, Pl.’s Opp’n to MSJ (dkt. 303) at 4, which is the opposite of what that case says. 18 1 (1953) (citation and internal quotation marks omitted). “‘Whether a contract is illegal or contrary 2 to public policy is a question of law to be determined from the circumstances of each particular 3 case.’” Dunkin v. Boskey, 82 Cal. App. 4th 171, 183 (2000) (quoting Jackson v. Rogers & Wells 4 210 Cal.App.3d 336, 349–350 (1989)). The principle that a court may decline to enforce a contract based on public interest beyond United States District Court Northern District of California 5 6 express law is in tension with an even older line of U.S. Supreme Court precedent holding that 7 because “the term ‘public policy’ is vague, there must be found definite indications in the law of 8 the sovereignty to justify the invalidation of a contract as contrary to that policy,” as “ascertained 9 by reference to the laws and legal precedents and not from general considerations of supposed 10 public interests.” Muschany v. United States, 324 U.S. 49, 65–66 (1945). Muschany involved 11 contracts between private parties and the United States, which were invoked by those parties as 12 defendants in a federal eminent domain suit as evidence of the fair value of their property, and 13 which the United States argued were unenforceable as contrary to federal policy. Id. at 51–54. 14 On its own, it could perhaps be read narrowly as a matter of federal common law, with no 15 application to the California contract claim at issue here, as perhaps could many more recent cases 16 restating its rule in the context of labor arbitration and collective bargaining agreements. See, e.g., 17 E. Associated Coal Corp. v. United Mine Workers of Am., Dist. 17, 531 U.S. 57, 62 (2000) (“The 18 Court has made clear that any such public policy must be explicit, well defined, and dominant. It 19 must be ascertained by reference to the laws and legal precedents and not from general 20 considerations of supposed public interests.” (cleaned up)). Some of the cases on which 21 Muschany relied, however, involved the Supreme Court examining state law. In Vidal v. Girard’s Executors, 43 U.S. (2 How.) 127 (1844), the Court declined to 22 23 invalidate a charitable bequest that prohibited the school for orphans it established from 24 employing religious ministers. Despite accepting the proposition that “that the Christian religion 25 is a part of the common law of Pennsylvania,”13 the Court determined that the bequest did not 26 13 27 28 Vidal predated the Fourteenth Amendment, which through its guarantee of due process incorporates the First Amendment’s Establishment Clause against the states, and would of course prohibit a state’s common law from incorporating a particular religion. See Everson v. Bd. of Ed., 19 1 impugn or bar the teaching of Christianity, and declined to inquire further as to “general 2 considerations of the supposed public interests and policy of Pennsylvania upon this subject, 3 beyond what its constitution and laws and judicial decisions make known to us,” because “[t]he 4 question, what is the public policy of a state, and what is contrary to it, if inquired into beyond 5 these limits, will be found to be one of great vagueness and uncertainty, and to involve discussion 6 which scarcely come within the range of judicial duty and functions.” Id. at 197–98. 7 In another case on which Muschany relied, Twin City Pipe Line Co. v. Harding Glass Co., 8 283 U.S. 353 (1931), the Court considered whether any public policy of Arkansas invalidated a 9 settlement agreement among various Arkansas corporate entities, taking a cautious approach 10 deferential to established law: United States District Court Northern District of California 11 The meaning of the phrase ‘public policy’ is vague and variable; courts have not defined it, and there is no fixed rule by which to determine what contracts are repugnant to it. The principle that contracts in contravention of public policy are not enforceable should be applied with caution and only in cases plainly within the reasons on which that doctrine rests. It is only because of the dominant public interest that one who, like respondent, has had the benefit of performance by the other party will be permitted to avoid his own promise. . . . 12 13 14 15 16 In determining whether the contract here in question contravenes the public policy of Arkansas, the Constitution, laws, and judicial decisions of that state, and as well the applicable principles of the common law, are to be considered. Primarily it is for the lawmakers to determine the public policy of the state. 17 18 19 20 Id. at 356–57. The parties here have not addressed this tension between federal and California caselaw or 21 how best to resolve it in this case, and BrandTotal has generally tethered its public policy 22 arguments to specific sources of law. This Court therefore does not reach questions of whether the 23 U.S. Supreme Court’s requirement that “public policy” in this context must be rooted in positive 24 law is best viewed as a matter of due process (such that California authority to the contrary might 25 be wrongly decided) or a prudential limit of the federal courts (such that the authority to invalidate 26 27 28 330 U.S. 1, 13–16 (1947). Other terms of the bequest at issue in Vidal remained the subject of litigation for more than a century, including a racial restriction that was ultimately held unconstitutional. See generally, e.g., Pennsylvania v. Brown, 392 F.2d 120 (3d Cir. 1968). 20 United States District Court Northern District of California 1 a contract might be broader if this case were in state court), or whether the California Supreme 2 Court’s recognition of broader authority in Safeway and Sheppard, Mullin is itself the sort of state 3 law precedent that the U.S. Supreme Court might accept as sufficiently establishing a public 4 policy—here, a policy that courts should intervene as necessary to prevent harm to the general 5 public good—that could be weighed against a party’s interest in enforcing a contract. Even under 6 the California courts’ approach, “questions of public policy are primarily for the legislative 7 department to determine,” Sheppard, Mullin, 6 Cal. 5th at 73 (cleaned up), and “[t]he power of the 8 courts to declare a contract void for being in contravention of sound public policy . . . should be 9 exercised only in cases free from doubt,” Dunkin, 82 Cal. App. 4th at 184 (cleaned up). Meta has 10 at least some interest in policing the manner in which users access data on its social networks—an 11 interest that is at least to some degree shared by its users. No background principle of public 12 policy independent of any codified law unquestionably compels the conclusion that section 3.2.3 13 is unenforceable. 14 Having determined that a basic sense of what is in the public interest is not sufficient here 15 to invalidate section 3.2.3, the Court proceeds to consider the particular constitutional and 16 statutory policies BrandTotal has advanced. 17 18 i. California Consumer Privacy Laws BrandTotal cites the California Consumer Privacy Act (“CCPA”) and the California 19 Privacy Rights Act (“CPRA”) as espousing a principle of user control of data sufficient to 20 invalidate section 3.2.3. Defs.’ MSJ at 15–16. 21 The Court has repeatedly “rejected BrandTotal’s scattershot citations to the CCPA that 22 failed to tie that law’s actual requirements to the conduct at issue in this case,” noting that the “fact 23 that information about advertising interactions falls within the statute’s definition of ‘personal 24 information’ does not, in itself, say anything about whether Facebook must provide BrandTotal 25 access to such information.” 3d MTD Order at 12. BrandTotal’s present motion does not go 26 significantly further when it comes to the CCPA, citing only the same definition that the Court has 27 previously found insufficient, as well as a comment in legislative history from one of its authors, 28 then-Assemblymember (and now Superior Court Judge) Edwin Chau, that “Californians should 21 1 have a right to choose how their personal information is collected and used.” Defs.’ MSJ at 16 2 (emphasis omitted). That statement could mean many things, and in any event, is only the opinion 3 of a single legislator. If the CCPA, as duly enacted, in fact established a policy requiring 4 Facebook to allow the sort of access at issue here, the Court would expect BrandTotal to be able to 5 cite some part of the legislation itself, as opposed to merely a sponsor’s aspirational comment in 6 support of its passage. BrandTotal is more specific in addressing the CPRA (a law enacted by California voters United States District Court Northern District of California 7 8 through a 2020 ballot initiative that amends portions of the CCPA), citing its statements of 9 purpose “that ‘the ability of individuals to control the use, including the sale, of their personal 10 information’ is ‘fundamental to’ their right of privacy under the California Constitution,” “that 11 ‘[c]onsumers should be able to control the use of their personal information’ and ‘should have 12 meaningful options over how it is collected, used, and disclosed,’” and “that ‘[c]onsumers should 13 benefit from businesses’ use of their personal information.’” Defs.’ MSJ at 15–16 (quoting CPRA 14 §§ 2(A), 3(A)(2), 3(A)(7)14) (alterations in original). This argument has at least two weaknesses. First, with narrow exceptions, the CPRA does 15 16 not become operative until January 1, 2023. CPRA § 31(a). While the CPRA sets forth state 17 policies to enhance users’ control over their personal information, it also incorporates a policy of 18 allowing businesses time to adapt their operations to the new law. Relying on the CPRA to 19 invalidate Meta’s terms of use before most of the substantive provisions of that law take effect 20 would undermine the latter policy and potentially conflict with the stated intent of the voters. 21 Second, the CPRA recognizes a number of policy interests besides data control and portability, 22 including that “[b]usinesses should take reasonable precautions to protect consumers’ personal 23 information from a security breach,” CPRA § 3(B)(6), and that while “[t]he law should enable 24 pro-consumer new products and services and promote efficiency of implementation for business,” 25 26 27 28 14 The parties’ briefs do not cite any source to access the text of the CPRA, which was enacted through a ballot initiative submitted in 2019 and accepted by California voters in 2020. The Court takes judicial notice of the text submitted by the sponsor of the initiative on November 4, 2019, available on the California Attorney General’s website at 22 1 that interest is contingent on ensuring “that the amendments do not compromise or weaken 2 consumer privacy,” id. § 3(C)(5).15 Presumably informed at least in part by balancing those 3 interests, the CPRA creates substantive law establishing a variety of specific rights, obligations, 4 and procedures—most of which relate to consumers’ rights to understand and limit the manner in 5 which businesses use their personal information, not to expanding the means by which users can 6 interact with social media platforms. BrandTotal has not cited any substantive, codified provision 7 of the CPRA that prevents Meta from enforcing section 3.2.3, and the Court hesitates to infer that 8 the voters intended that effect when they did not enact any law governing the conduct at issue.16 9 See Dunkin, 82 Cal. App. 4th at 183–84 (requiring caution before finding a contract contrary to 10 public policy). At least with respect to UpVoice 2021, which has removed many of the more questionable United States District Court Northern District of California 11 12 methods of data collection employed by some of BrandTotal’s earlier products, there is certainly 13 an argument that allowing users to record and sell data regarding the advertisements that Facebook 14 shows them would further a public policy of establishing user ownership of personal data and 15 empowering users to share in the financial benefits that flow from that data. See, e.g., CPRA 16 §§ 2(A), 3(A)(7). But the application of that policy to a social media platform’s ability to restrict 17 automated access, as Meta has with section 3.2.3, is by no means straightforward. Mindful that 18 “questions of public policy are primarily for the legislative department to determine,” Sheppard, 19 20 21 22 23 24 25 26 27 28 15 The potential for automated access and collection of data from a social networking platform to weaken consumer privacy is fairly obvious: many users choose to share information with only certain people, and might reasonably expect that the platform would prevent other users from automatically recording that data and selling it to data aggregators or other third parties for commercial use. While BrandTotal’s programs did not, at least for the most part, collect thirdparty personal information directly implicating such concerns, that privacy interest nevertheless reflects a valid public policy interest acknowledged in the CPRA and weighing against invalidating contractual prohibitions on unauthorized automated data collection. 16 One provision of the CCPA (materially unchanged by the CPRA) that BrandTotal has not addressed requires businesses to disclose (among other information) “[t]he specific pieces of personal information it has collected about that consumer . . . upon receipt of a verifiable consumer request from the consumer.” Cal. Civ. Code § 1798.110(a)(5), (b). If Meta collects information about what advertisements it has shown to particular users, that provision might require Meta to disclose that information to users who request it. But it is of little use to BrandTotal here because it creates a specific process for requesting and providing the data, rather than suggesting that users have a right to collect that data themselves, notwithstanding Meta’s terms of use, by any means they see fit. 23 1 Mullin, 6 Cal. 5th at 73, the Court declines to hold section 3.2.3 is unenforceable on this basis. 2 ii. Next, BrandTotal contends that section 3.2.3 is unenforceable because it subverts the 3 4 policy of market competition underlying section 1 of the Sherman Act and section 16600 of the 5 California Business and Professions Code. Defs.’ MSJ at 18. Despite arguing throughout this case that Meta monopolizes the market for social media 6 United States District Court Northern District of California Market Competition 7 advertising, and by extension social media advertising analytics, BrandTotal has at no point 8 asserted a claim under the Sherman Act. The closest it has come is attempting to state a claim 9 under the “unfair” prong of the UCL, which requires showing a violation of either the letter or the 10 spirit of the antitrust laws. See, e.g., 2d MTD Order at 24–25; 3d MTD Order at 9–10. The Court 11 ultimately dismissed that claim with prejudice because, despite repeated attempts, BrandTotal 12 failed to provide plausible allegations of a product market, market power, or any basis for an 13 exception to the usual rule that the antitrust laws permit market participants to refuse to deal with 14 their competitors. See 1st MTD Order at 16–17; 2d MTD Order at 24–28; 3d MTD Order at 10– 15 18. 16 Section 1 of the Sherman Act prohibits any “contract, combination in the form of trust or 17 otherwise, or conspiracy, in restraint of trade or commerce.” 15 U.S.C. § 1. The Supreme Court 18 has long held that the Sherman Act is not as broad as its literal language might suggest, and “that 19 Congress intended to outlaw only unreasonable restraints.” Texaco v. Dagher, 547 U.S. 1, 5 20 (2006) (quoting State Oil Co. v. Khan, 522 U.S. 3, 10 (1997), and adding emphasis). Courts 21 “generally evaluate whether a practice unreasonably restrains trade in violation of Section 1 under 22 the “rule of reason,” Brantley v. NBC Universal, Inc., 675 F.3d 1192, 1197 (9th Cir. 2012), which 23 “requires a fact-intensive market-level analysis of the claims.” Choker v. Pet Emergency Clinic, 24 P.S. ex rel. Bd. of Directors, No. 2:20-CV-00417-SAB, 2021 WL 934037, at *4 (E.D. Wash. Mar. 25 11, 2021) (citing Harris v. Safeway, Inc., 651 F.3d 1118, 1133 (9th Cir. 2011)). One element of 26 any rule of reason claim is defining a product market that “must encompass the product at issue as 27 well as all economic substitutes for the product.” Hicks v. PGA Tour, Inc., 897 F.3d 1109, 1120– 28 21 (9th Cir. 2018). 24 1 BrandTotal has offered no meaningful economic analysis of the market it asserts for social 2 media advertising analytics, and leaves key questions unanswered. Are there competitors besides 3 Meta and BrandTotal? What is each party’s market share? Could other methods of advertising 4 analysis serve as substitutes for the type of data collection and processing BrandTotal performs? 5 Cf. Wilcox Report ¶¶ 31, 33, 34, 40 (BrandTotal’s expert witness discussing survey-based 6 methods of collecting advertising intelligence). What qualifies as “social media,” as opposed to 7 other forms of internet advertising that customers might seek to analyze?17 Instead, BrandTotal relies on mere assertions in its motion that section 3.2.3 “not only 8 United States District Court Northern District of California 9 completely extinguishes all competition for analysis of Facebook advertising, but also has a 10 malign ripple effect on competition in the advertising analytics market more broadly,” Defs.’ MSJ 11 at 20, which it contends in its reply that Meta has not contested, Defs.’ MSJ Reply at 4. But in the 12 context of summary judgment, as the party advancing an affirmative defense of contract 13 unenforceability, BrandTotal has the burden to support its assertions with evidence, which it has 14 not done. BrandTotal’s motion cites evidence that it competes with Facebook, and that its 15 customers have sought BrandTotal’s services to better understand their own advertising campaigns 16 despite Facebook offering them similar analysis, Defs.’ MSJ at 19–21, but cites no evidence 17 beyond that regarding the nature of the market at issue or whether the sort of data collection barred 18 by section 3.2.3 is necessary to competing in that market. The Court having previously 19 “assume[d] for the sake of argument that BrandTotal’s alleged markets” for “Third Party 20 Commercial Advertising Information” on “personal social networking services in the United 21 States” or on Facebook and Instagram were “sufficiently plausible to survive the limited scrutiny 22 17 23 24 25 26 27 28 The report of BrandTotal’s expert witness Dr. Wilcox—which BrandTotal does not cite in its arguments regarding section 3.2.3—touches on some related issues, noting the difficulty of collecting automated data from “walled garden” websites that restrict access, Wilcox Report ¶¶ 44–49, and Meta’s domination of the social media advertising market (but not any market for advertising analytics), e.g., id. ¶ 59, but does not provide the sort of market analysis that would be necessary to find Meta’s conduct unreasonable for the purpose of the Sherman Act. Wilcox’s ultimate conclusions, that “the information BrandTotal collects from social media channels . . . is properly considered public information” and that BrandTotal’s “are the same type of services that have been offered in the advertising industry for decades,” id. ¶ 126, do not speak to whether section 3.2.3 of Meta’s terms of use unreasonably restrains competition. As a media and marketing professor rather than an economist, Dr. Wilcox would likely not be qualified to offer opinions on a relevant market for an antitrust claim. 25 1 of Rule 12(b)(6),” 3d MTD Order at 14–16—an issue the Court did not need to resolve because 2 BrandTotal’s UCL claim had other defects—does not relieve BrandTotal of the obligation to 3 support any market definition and effects to competition that it might seek to rely on here with 4 evidence. Nor is it the Court’s role “to scour the record in search of” any evidence that might 5 support BrandTotal’s position despite not being cited in its briefs. Keenan, 91 F.3d at 1279.18 While BrandTotal is correct that it need not show a violation of the letter of the Sherman United States District Court Northern District of California 6 7 Act to render section 3.2.3 unenforceable, but instead could prevail by showing a violation of 8 policies underlying that law, see Sheppard, Mullin, 6 Cal. 5th at 73, that analysis is similar to the 9 BrandTotal’s putative UCL claim that the Court repeatedly addressed and dismissed on the 10 pleadings, where a plaintiff must show “conduct that threatens an incipient violation of an antitrust 11 law, or violates the policy or spirit of one of those laws because its effects are comparable to or the 12 same as a violation of the law, or otherwise significantly threatens or harms competition.” Cel- 13 Tech Commc’ns, Inc. v. L.A. Cellular Tel. Co., 20 Cal. 4th 163, 187 (1999)). A party seeking to 14 establish a violation of the “spirit” of the antitrust laws for the purpose of such a claim, without 15 showing an actual violation, must identify and prove some “‘unusual’ aspect of the alleged 16 conduct that would make that conduct something that violates the ‘policy and spirit’ of the 17 antitrust laws without violating the actual laws themselves,” comparable to the Cel-Tech 18 defendant’s “‘privileged status as one of two holders of a lucrative government-licensed 19 duopoly.’” Synopsys, Inc. v. ATopTech, Inc., No. C 13-2965 MMC, 2015 WL 4719048, at *10 20 (N.D. Cal. Aug. 7, 2015) (quoting Cel-Tech, 20 Cal. 4th at 190). The Court finds the same 21 analysis appropriate in considering whether the policy underlying the Sherman Act is sufficient to 22 render section 3.2.3 unenforceable without showing a violation of that law. Cf. Epic Games, Inc. 23 v. Apple Inc., No. 4:20-cv-05640-YGR, 2021 WL 4128925, at *122 (N.D. Cal. Sept. 10, 2021) 24 (declining to hold contracts unenforceable for violating policy favoring competitive markets even 25 26 27 28 18 Even if BrandTotal had provided evidence to support the basic elements of a rule of reason claim, it would still face a hurdle in overcoming the general rule that the antitrust laws impose no requirement to deal with a competitor. BrandTotal asserts for the first time in its reply that the “essential facilities” doctrine applies, but again cites no evidence to support its contention that automated collection of data from Facebook is an essential facility. Defs.’ MSJ Reply at 5–6. 26 1 where the court determined that portions of the contracts violated the “unfair” prong of the UCL). Here, as the Court has previously held on a motion to dismiss BrandTotal’s UCL 2 3 unfairness claim, BrandTotal’s “theory of what makes Facebook’s conduct unfair is relatively 4 straightforward: Facebook is extremely large and powerful,” and uses that clout to advance its 5 own competitive interests and prevent BrandTotal from effectively competing. 2d MTD Order at 6 25–26. Once again, BrandTotal has not identified any unusual circumstances of this case that 7 would threaten competition while evading antitrust enforcement under the actual terms of the 8 antitrust laws, nor has it shown a violation of the antitrust laws. Absent such a showing, the Court 9 declines to hold that the policies underlying those laws require invalidating Meta’s terms of use. Section 16600 is a somewhat different law from the Sherman Act.19 That statute provides United States District Court Northern District of California 10 11 that, subject to exceptions, “every contract by which anyone is restrained from engaging in a 12 lawful profession, trade, or business of any kind is to that extent void.” Cal. Bus. & Prof. Code 13 § 16600. It is often invoked in cases involving non-compete agreements that purport to prevent an 14 employee from later working for their employer’s competitors, or anti-poaching agreements where 15 two businesses agree not to hire each other’s employees (or to pay a penalty if they do). See VL 16 Sys., Inc. v. Unisen, Inc., 152 Cal. App. 4th 708, 713 (2007). This case does not implicate that sort 17 of direct agreement not to compete or not to hire. Section 16600 and its “substantively identical” predecessor statute have also, albeit less 18 19 commonly, been applied in cases considering agreements to secure monopolies or fix prices—the 20 sort of context addressed by section 1 of the Sherman Act—but when invoked in that manner, it is 21 subject to the rule of reason. See Ixchel Pharma, LLC v. Biogen, Inc., 9 Cal. 5th 1130, 1154–56 22 (2020). The same issues discussed above in the context of the Sherman Act therefore also apply 23 to section 16600: BrandTotal has not shown, through evidence, harm to competition under the rule 24 of reason. In hiQ Labs, Inc. v. LinkedIn Corporation, 31 F.4th 1180 (9th Cir. 2022), the Ninth Circuit 25 26 recently reaffirmed its decision (which had been vacated for reconsideration in light of an 27 19 28 BrandTotal has not invoked the Cartwright Act, Cal. Bus. & Prof. Code §§ 16700–70, California’s closer analogue to section 1 of the Sherman Act. 27 United States District Court Northern District of California 1 intervening Supreme Court decision addressing the CFAA) affirming a preliminary injunction 2 preventing LinkedIn from taking action to block a data analysis company and potential LinkedIn 3 competitor, hiQ, from accessing information that LinkedIn made available to the general public. 4 The Ninth Circuit relied in part on public policy concerns “that giving companies like LinkedIn 5 free rein to decide, on any basis, who can collect and use data—data that the companies do not 6 own, that they otherwise make publicly available to viewers, and that the companies themselves 7 collect and use—risks the possible creation of information monopolies that would disserve the 8 public interest.” Id. at 1202. But in addition to the distinction that not all of the data at issue in 9 this case is publicly accessible without a Facebook or Instagram account, hiQ involved a live 10 claim by hiQ under “unfair” prong of the UCL, id. at 1194 n.10, an antitrust theory that 11 BrandTotal attempted to pursue but failed to support here. The procedural context also differs: 12 granting a preliminary injunction is a matter of discretion, see id. at 1188, and this Court is aware 13 of no authority requiring the same degree of deference to policy that has been specifically declared 14 by the legislature (or existing caselaw) in the public interest portion of that inquiry as is necessary 15 in considering whether to hold a contract unenforceable. The Court therefore does not construe 16 hiQ as suggesting that a contract can be invalidated for its purportedly anticompetitive effects 17 without a showing of harm to competition through the established framework of competition 18 claims, i.e., either the rule of reason or special circumstances recognized as warranting heightened 19 scrutiny. 20 Taking into account the caution that is always appropriate in considering whether a 21 contract should be declared unenforceable as contrary to public policy, the Court holds that 22 BrandTotal has not met its burden to set aside section 3.2.3 based on harm to competition. 23 24 iii. Free Speech and Flow of Information BrandTotal contends that section 3.2.3. impermissibly burdens interests in free speech and 25 the flow of information, rooted in the First Amendment to the U.S. Constitution and Article I, 26 Section 7 of the California Constitution. Defs.’ MSJ at 22–27. That section of the California 27 Constitution relates to due process and equal protection. BrandTotal does not specifically discuss 28 its terms, instead only citing it in passing at the start of its argument regarding free speech. Id. at 28 United States District Court Northern District of California 1 22. The Court understands that citation as intended to assert that California law incorporates the 2 free speech protections of the federal Constitution. For reasons that are not clear, BrandTotal has 3 not cited the California Constitution’s own free speech protection at Article I, Section 2, which “is 4 at least as broad as and in some ways broader than the comparable provisions of the federal 5 Constitution’s First Amendment.” Kasky v. Nike, Inc., 27 Cal. 4th 939, 958–59 (2002) (cleaned 6 up).20 7 The Supreme Court has recognized that the First Amendment protects commercial 8 advertising, in part due to the need for public “information as to who is producing and selling what 9 product, for what reason, and at what price” to allow for informed participation in and regulation 10 of the economy. Va. State Bd. of Pharmacy v. Va. Citizens Consumer Council, Inc., 425 U.S. 748, 11 765 (1976). The conduct at issue here, however, is a few steps removed from the state restrictions 12 on advertising in the Board of Pharmacy case. This case does not concern direct state action, 13 although BrandTotal is correct that judicial enforcement of a private contract restricting speech 14 can implicate the First Amendment at least to some degree.21 But BrandTotal does not argue that 15 section 3.2.3 prevents anyone from advertising their services. Nor does section 3.2.3 directly 16 prevent anyone from sharing information about advertisements—the provision is not implicated 17 by a Facebook user discussing the advertisements they have seen, for example, or even by 18 advertising consultants manually browsing Facebook’s public ad library to prepare reports for 19 clients. Instead, section 3.2.3 prohibits a particular method of interacting with Meta’s services: 20 “access[ing] or collect[ing] data from [Meta’s] products using automated means,” one application 21 of which is BrandTotal’s automated collection of advertising data. BrandTotal cites no authority 22 20 23 24 25 26 27 28 BrandTotal cites Kasky solely for its summary of the U.S. Supreme Court’s Board of Pharmacy decision discussed below. See Defs.’ MSJ at 22 (quoting Kasky, 27 Cal. 4th at 951). The issue before the California Supreme Court in Kasky was whether statements by Nike about the working conditions in its factories were commercial speech subject to diminished First Amendment protection if determined to be false or misleading, and thus properly within the scope of the state’s consumer protection laws, which the court answered in the affirmative. That holding is of no use to BrandTotal here. 21 See, e.g., Nat’l Abortion Fed’n v. Ctr. for Med. Progress, No. 15-cv-03522-WHO, 2016 WL 454082, at *18–21 (N.D. Cal. Feb. 5, 2016) (issuing an injunction to enforce a confidentiality agreement based on the conclusion that the defendants knowingly waived their first amendment rights by entering the agreement, and that any public interest in disclosure of the information at issue was insufficient to compel a different result), aff’d, 685 F. App’x 623 (9th Cir. 2017). 29 1 finding a contract unenforceable based on the reasoning of Board of Pharmacy in a context so far 2 removed from that case, and instead similar to the facts here. Nor is it otherwise clear that the 3 effect of this access restriction so burdens users’ ability to speak to what they have seen on 4 Facebook that policies underlying the First Amendment require declaring it unenforceable. The second line of cases on which BrandTotal relies for its free speech arguments stems United States District Court Northern District of California 5 6 from Lear, Inc. v. Adkins, 395 U.S. 653 (1969), where the Supreme Court held that an inventor 7 could not rely on estoppel against a licensee or the contractual force of a license agreement to 8 recover royalties if his patent were held invalid. See Defs.’ MSJ at 22–23. Circuit courts have 9 divided as to whether or when Lear applies outside the context of patent law. Compare Idaho 10 Potato Comm’n v. M & M Produce Farm & Sales, 335 F.3d 130, 135–39 (2d Cir. 2003) (applying 11 Lear to hold that a defendant who had agreed, as part of a since-lapsed license agreement, never to 12 challenge the validity of certain certification marks registered with the USPTO was not estopped 13 from doing so because enforcing the agreement undermined free market principles related to the 14 purpose of certification marks), with Saturday Evening Post Co. v. Rumbleseat Press, Inc., 816 15 F.2d 1191, 1200 (7th Cir. 1987)22 (declining to apply Lear to copyright because the “economic 16 power conferred is much smaller” than that conferred by a patent, and noting that the Sherman Act 17 is a more appropriate framework for any such contract with a meaningful effect on competition), 18 and Beer Nut, Inc. v. King Nut Co., 477 F.2d 326, 328–29 (6th Cir. 1973) (balancing the interests 19 addressed in Lear to hold that it does not apply in the trademark context, and that a licensee was 20 estopped from contesting the validity of a mark). Regardless, unlike a license agreement, section 21 3.2.3 does not govern the publication or use of information once obtained; it prohibits some forms 22 of access to Meta’s servers. Lear and its progeny do not show that Meta’s terms of use are 23 unenforceable. In its reply, BrandTotal abandons any effort to link this argument to precedent, dismissing 24 25 Meta’s “focus[] on distinguishing cases that BrandTotal cited for a general proposition . . . that 26 27 28 22 Saturday Evening Post was recognized as abrogated with respect to an unrelated holding regarding harmless error review in Glickenhaus & Co. v. Household Int’l, Inc., 787 F.3d 408, 426 n.12 (7th Cir. 2015). 30 United States District Court Northern District of California 1 there is a judicially recognized public interest in the free flow of information online” as immaterial 2 when that “general proposition . . . is not legitimately in dispute.” Defs.’ MSJ Reply at 8. 3 BrandTotal instead reiterates the “real-world information throttling effect of Meta’s enforcement,” 4 citing Meta’s efforts to block research at New York University regarding advertising on Facebook, 5 as well as the FTC’s criticism of those efforts and stated position that “efforts to shield targeted 6 advertising practices from scrutiny run counter to” protection of user privacy. Id. (citing Fussner 7 MSJ Decl. (dkt. 268-1) Ex. R (FTC Letter)). But BrandTotal has not identified authority that 8 would void Meta’s terms of use as to the NYU researchers any more than with respect to itself, 9 and the FTC’s statement of concern is not the sort of legislatively or judicially declared public 10 policy that courts have held sufficient to invalidate a contract. BrandTotal’s general interest in 11 free flow of information is defined too vaguely to support setting aside a contract regarding means 12 of access without a showing that the courts or legislature have determined that interest outweighs 13 the competing interest in enforceability of contracts under comparable circumstances. Cf. Beer 14 Nuts, 477 F.2d at 329 (finding the public interest in avoiding depletion of marks that could be used 15 in commerce “is not so great that it should take precedence over the rule of the law of contracts 16 that a person should be held to his undertakings”). 17 18 19 20 The Court therefore concludes that BrandTotal has not shown Meta’s terms of use to be unenforceable as contrary to public policy. b. Unconscionability BrandTotal argues that the terms of use are unconscionable, specifically addressing: (1) the 21 provision in section 4 extending certain restrictions (including section 3) beyond the termination 22 of an account; and (2) a limitation of Meta’s liability to no more than the greater of $100 or the 23 amount the user has paid Meta in the previous year. Defs.’ MSJ at 32–33. Although BrandTotal 24 focuses on those provisions as substantially unfair, it argues that the appropriate remedy is to 25 deem section 3.2.3 unenforceable. Id. at 33. 26 Meta contends that BrandTotal waived its unconscionability defense by failing to include it 27 in its October 2021 response to an interrogatory requesting “the full basis for [BrandTotal’s] 28 contention” that “it did not breach any contacts with [Meta]” or that the terms of use “were not[] 31 United States District Court Northern District of California 1 valid contracts between [Meta] and [BrandTotal].” See Schultz MSJ Decl. Ex. 36 at 9 2 (Interrogatory No. 20). BrandTotal argues that it provided sufficient notice of its 3 unconscionability defense by pleading it in its answer and including it in a later response to a 4 different interrogatory, where BrandTotal stated that Meta’s enforcement of its terms of use was 5 not a legitimate business purpose for interfering with BrandTotal’s contracts because, among other 6 reasons, the terms of use “are overly broad, unconscionable, and contrary to public policy.” See 7 Burrell Opp’n Decl. (dkt. 303-1) Ex. 29 at 6 (November 2021 response to Interrogatory No. 25). 8 While BrandTotal’s should have included unconscionability in its response to Meta’s contention 9 interrogatory for defenses to breach of contract, or should have supplemented that response to do 10 so, the Court assumes for the sake of argument that the subsequent interrogatory response 11 asserting that the terms of use are unconscionable provided sufficient notice of BrandTotal’s 12 position to avoid waiver. In any event, BrandTotal has not shown that the relevant provisions of 13 the terms of use should be set aside as unconscionable. 14 “In order to render a contract unenforceable under the doctrine of unconscionability, there 15 must be both a procedural and substantive element of unconscionability.” Ferguson v. 16 Countrywide Credit Indus., Inc., 298 F.3d 778, 783 (9th Cir. 2002) (citing Armendariz v. Found. 17 Health Psychcare Servs., Inc., 24 Cal. 4th 83, 6 P.3d 669, 690 (2000)). “[T]he former focus[es] 18 on ‘oppression’ or ‘surprise’ due to unequal bargaining power, the latter on ‘overly harsh’ or ‘one- 19 sided’ results.” Armendariz, 24 Cal. 4th at 114 (citation omitted). While both of those aspects 20 must be present to find the contract unconscionable, “they need not be present in the same 21 degree[:] . . . the more substantively oppressive the contract term, the less evidence of procedural 22 unconscionability is required to come to the conclusion that the term is unenforceable, and vice 23 versa.” Id. “Unconscionability is ultimately a question of law for the court.” Marin Storage & 24 Trucking, Inc. v. Benco Contracting & Eng’g, Inc., 89 Cal. App. 4th 1042, 1055 (2001). Neither 25 party has suggested here that the question of whether Facebook’s terms are unconscionable is 26 inappropriate for resolution on summary judgment. 27 “Procedural unconscionability ‘concerns the manner in which the contract was negotiated 28 and the circumstances of the parties at that time.’” Ferguson, 298 F.3d at 783 (quoting Kinney v. 32 United States District Court Northern District of California 1 United Healthcare Servs., Inc., 70 Cal. App. 4th 1322, 1329 (1999)). That analysis “begins with 2 an inquiry into whether the contract is one of adhesion.” Armendariz, 24 Cal. 4th at 113. 3 “California courts have consistently held that where a party in a position of unequal bargaining 4 power is presented with an offending clause without the opportunity for meaningful negotiation, 5 oppression and, therefore, procedural unconscionability, are present.” Ferguson, 298 F.3d at 784. 6 That test is met with respect to Meta’s terms of use, at least for nearly all users.23 There is no 7 dispute that BrandTotal was offered Meta’s terms on a take-it-or-leave-it basis, with no power to 8 negotiate. Under California law, that is enough to meet the procedural element of 9 unconscionability. See Baltazar v. Forever 21, Inc., 62 Cal. 4th 1237, 1244 (2016) (“Ordinary 10 contracts of adhesion, although they are indispensable facts of modern life that are generally 11 enforced, contain a degree of procedural unconscionability even without any notable surprises, and 12 bear within them the clear danger of oppression and overreaching.” (cleaned up)). 13 Meta’s argument that “courts routinely conclude that sign-up flows like Meta’s are 14 sufficient to bind users to terms of service” misses the mark. See Pl.’s Opp’n to MSJ (dkt. 303) at 15 21. The cases Meta cites considered whether the users had consented to the terms, held that they 16 had, and either did not reach questions of unconscionability or found at least some degree of 17 procedural unconscionability. See Britt v. ContextLogic, Inc., No. 3:20-cv-04333-WHA, 2021 18 WL 1338553 (N.D. Cal. Apr. 9, 2021) (finding mutuals assent and declining to reach questions of 19 unconscionability as properly delegated to an arbitrator); Nevarez v. Forty Niners Football Co., 20 LLC, No. 16-cv-07013, 2017 WL 3492110, at *12 (N.D. Cal. Aug. 15, 2017) (finding “a low 21 degree of procedural unconscionability” sufficient to consider whether the contract was highly 22 substantively unconscionable); Loewen v. Lyft, Inc., 129 F. Supp. 3d 945, 956 (N.D. Cal. 2015) 23 (same); Swift v. Zynga Game Network, Inc., 805 F. Supp. 2d 904, 915 (N.D. Cal. 2011) (noting 24 that the plaintiff failed to address the standard for unconscionability or present any argument as to 25 26 27 28 23 The Court need not consider here whether a sufficiently powerful counterparty, such as another Fortune 500 company or a government entity, might have enough bargaining power to effectively negotiate the terms under which it accessed Meta’s products. 33 1 why the terms of service at issue were procedurally unconscionable).24 Because Meta’s terms of 2 use are a contract of adhesion, at least as applied to BrandTotal, they are sufficiently procedurally 3 unconscionable to proceed to BrandTotal’s arguments regarding substantive unconscionability. Since the test uses a sliding scale where the degree of each form unconscionability is 4 5 relevant, however, there is reason to evaluate other aspects of procedural unconscionability before 6 turning to the substantive terms of the agreement. BrandTotal notes that Meta’s sign-up process 7 includes only text in a small font informing users that “[b]y clicking Sign Up, you agree to our 8 Terms, Data Policy and Cookies Policy,” with “Terms” as a small hyperlink, but does not 9 specifically present users with the terms or include a separate box to check to indicate that the user 10 agrees to those terms. Defs.’ MSJ at 31 (citing Martens Opening Report ¶¶ 63–66). Any inconspicuousness of the terms of use might be relevant to whether it is procedurally United States District Court Northern District of California 11 12 unconscionable as to individuals creating accounts for personal use. See In re Facebook Biometric 13 Info. Priv. Litig., 185 F. Supp. 3d 1155, 1166 (N.D. Cal. 2016) (raising concerns about Facebook’s 14 process of obtaining consent to its terms of use, but finding them enforceable). As to BrandTotal, 15 however, it is less clear why that should matter. BrandTotal is a business built around collecting 16 data from social networks and other websites. It would reasonably have been expected to seek out 17 and understand those terms before agreeing to them. See Burrell Opp’n Dec. Ex. 30 (Leibovich 18 Nov. 2021 Dep.) at 20:23–22:5 (confirming the BrandTotal’s CEO knew before this lawsuit that 19 all Facebook users must agree to the terms of service before creating an account). BrandTotal in 20 fact sought a legal opinion regarding section 3.2.3, albeit belatedly in 2019, years after it had first 21 created accounts. See Burrell Opp’n Decl. Ex. 4.25 Although as noted above Meta’s terms were at 22 least to some degree procedurally unconscionable because BrandTotal had no meaningful 23 opportunity to negotiate them, the manner in which Meta presented them during the sign-up 24 25 24 26 27 28 Fagerstrom v., Inc., 141 F. Supp. 3d 1051, 1068 (S.D. Cal. 2015), aff’d sub nom. Wiseley v., Inc., 709 F. App’x 862 (9th Cir. 2017), applied Washington rather than California law, which differs in its treatment of this doctrine. 25 BrandTotal has not pursued a defense based on the advice it received at that time, that advertisements on Facebook did not fall within the scope of Meta’s “products” for the purpose of section 3.2.3. See Burrell Opp’n Decl. Ex. 4. 34 1 process adds little to the analysis with respect to a sophisticated user like BrandTotal.26 The Court 2 therefore concludes that the terms of use, as applied to BrandTotal, are only procedurally 3 unconscionable in that they represent a contract of adhesion. Accordingly, “‘the agreement will be 4 enforceable unless the degree of substantive unconscionability is high.’” Loewen, 129 F. Supp. 3d 5 at 956 (quoting Serpa v. Cal. Sur. Investigations, Inc., 215 Cal. App. 4th 695, 704 (2013)). BrandTotal’s motion for summary judgment does not argue that section 3.2.3, standing United States District Court Northern District of California 6 7 alone, meets that standard. Instead, BrandTotal focuses on section 4.2’s provision that section 3 8 (and certain subsections of section 4) remain in place following termination of the remainder of 9 the agreement when a user deletes their account of Meta disables it, and section 4.3’s limitation of 10 Meta’s liability to exclude certain forms of damages and limit monetary damages against Meta to 11 “not exceed the greater of $100 or the amount [the user] has paid [Meta] in the past twelve 12 months.” Schultz MSJ Decl. Ex. 5, §§ 4.2–3; see Defs.’ MSJ at 32–33. In its reply, BrandTotal 13 contends that section 3.2.3 is itself substantively unconscionable for the reasons stated in its 14 arguments regarding public policy, Defs.’ MSJ Reply at 15–16, but for the same reasons discussed 15 above in the Court’s analysis of those arguments, BrandTotal has not shown that any public policy 16 implication of section 3.2.3 meets the high standard of substantive unconscionability applicable 17 where the only meaningful procedural defect is a contract of adhesion. Turning to the related provisions BrandTotal has invoked, the Court is not persuaded that 18 19 the survival of section 3.2.3 beyond the termination of an account is substantively unconscionable. 20 That is not to say that any open-ended commitments in exchange for the temporary provision of a 21 service would be enforceable. The provision at issue here, though, relates specifically to the 22 manner in which a user continues to access Meta’s services after their account is terminated. If a 23 user were to walk away from Meta’s products entirely, the continuing force of section 3.2.3 would 24 have no effect on them. Notwithstanding the importance of social media platforms as “what for 25 26 27 28 26 BrandTotal also argues that the sign-up page contradicts section 4 by stating that users “‘can opt out any time’ from the ‘Terms, Data Policy and Cookies’ referenced in the prior sentence.” Defs.’ MSJ at 32. In context, that language clearly applies to receiving text messages, not to the terms of use. Martens Opening Report ¶ 64 (screenshot of the sign-up page, including the text: “You may receive SMS Notifications from us and can opt out any time.”). 35 1 many are the principal sources for knowing current events, checking ads for employment, 2 speaking and listening in the modern public square, and otherwise exploring the vast realms of 3 human thought and knowledge,” Packingham v. North Carolina, 137 S. Ct. 1730, 1737 (2017), it 4 is not manifestly unreasonable for a user to agree, in return for the free services that Meta 5 provides, not to subvert the rules regarding automated access that Meta has put in place for its 6 platforms, even after termination of an account. BrandTotal has not shown the high degree of 7 oppression necessary to prevail on this argument in light of the relatively minor degree of 8 procedural unconscionability at issue.27 As for the limitation of liability, that provision is only connected to section 3.2.3 in that, by United States District Court Northern District of California 9 10 its terms, Meta could potentially recover far greater damages from BrandTotal for violating 11 section 3.2.3 than BrandTotal could recover from Meta on any potential claim of its own. The 12 limitation of liability is certainly “one-sided,” see Armendariz, 24 Cal. 4th at 114, but it is only 13 tangentially related to section 3.2.3. California law grants “a trial court some discretion as to 14 whether to sever or restrict [an] unconscionable provision or whether to refuse to enforce the 15 entire agreement,” but “contemplate the latter course only when an agreement is ‘permeated’ by 16 unconscionability.” Id. at 122 (examining Cal. Civ. Code § 1670.5(a)). Here, if the limitation of 17 liability is unconscionable, the appropriate course would be to decline to enforce that provision, 18 not any other provision (like section 3.2.3) that confers rights or obligations on either party from 19 which liability might arise. BrandTotal’s motion only seeks to declare section 3.2.3 20 unenforceable, and has not focused on whether section 4.3 is itself enforceable. Regardless, 21 because this order disposes of BrandTotal’s remaining counterclaims against Meta, the validity of 22 section 4.3 is not relevant to the outcome of the case. To the extent BrandTotal is asserting that Meta’s terms are unconscionable as applied to 23 24 25 26 27 28 27 It is not entirely clear whether Meta is taking the position that even non-automated access by BrandTotal to public (i.e., non-password-protected) portions of Facebook is a violation of section 3.2.3.’s prohibition against “attempt[ing] to access data you do not have permission to access” because Meta has revoked BrandTotal’s access to its products. In light of the concerns raised by the Supreme Court in Packingham and the Ninth Circuit in hiQ, enforcing the terms of use in that manner would raise greater concerns. The Court declines to resolve that issue on the briefing the parties have provided, which did not focus on it. 36 United States District Court Northern District of California 1 BrandTotal’s “panelist” users as a defense to Meta’s interference with contract claim, the 2 particular terms that it has argued create substantively unconscionability have no relevance to the 3 panelists in this case. The panelists are current rather than former Facebook users, so section 4’s 4 extension of certain prohibitions past termination of an account does not affect them, and they are 5 not bringing any claims against Meta, so the limitation of damages against Meta also does not 6 affect them. Even if those provisions were not enforceable against panelists—in fact, even if 7 section 3.2.3 were unenforceable—that would not affect the analysis of whether BrandTotal 8 interfered with Meta’s contracts with “panelist” users by inducing those users to share their access 9 credentials with BrandTotal, which is the only basis Meta has asserted for interference with 10 contract. See FAC ¶¶ 112–18 (Meta’s tortious interference claim). Neither party has moved for 11 summary judgment on Meta’s interference claim beyond this issue, so the Court does not address 12 that claim beyond holding that BrandTotal is not entitled to summary judgment that Meta’s terms 13 of use are unconscionable with respect to panelists in any material way. Because BrandTotal has not shown sufficient substantive unconscionability of section 14 15 3.2.3 to render it unenforceable in conjunction with the relatively minor procedural 16 unconscionability of a contract of adhesion, BrandTotal’s motion for summary judgment on this 17 issue is DENIED. 18 2. Meta’s Motion Regarding Breach of Contract Meta seeks summary judgment in its favor on its breach of contract claim. Pl.’s MSJ at 19 20 10–16. Again, this claim has four elements: “(1) the contract, (2) plaintiff’s performance or 21 excuse for nonperformance, (3) defendant’s breach, and (4) the resulting damages to plaintiff.” 22 Armstrong Petroleum Corp. v. Tri-Valley Oil & Gas Co., 116 Cal. App. 4th 1375, 1391 n.6 23 (2004). 24 25 a. The Contract There is no dispute that BrandTotal created a number of accounts on Meta’s platforms, and 26 that all users who create accounts indicate that they agree to Meta’s terms of use. See, e.g., 27 Schultz MSJ Decl. Ex. 35 at 3 (responses to Request Nos. 21 and 22, admitting knowledge that all 28 Facebook and Instagram users must agree to the applicable terms of use). BrandTotal contests two 37 1 aspects of the element requiring the existence of a contract: whether the terms of use were 2 enforceable, and whether their effect terminated when Meta disabled BrandTotal’s corporate 3 accounts. As discussed above in the context of BrandTotal’s motion, BrandTotal has not met its 4 burden to show that the terms of use are unenforceable due to either public policy or 5 unconscionability, and the Court holds as a matter of law that they are not. United States District Court Northern District of California 6 As for termination, the terms of use specifically provide that section 3—including section 7 3.2.3’s prohibition of unauthorized automated access and data collection—survives after a user 8 deletes their account or Meta terminates an account. Schultz MSJ Decl. Ex. 5 § 4.2. As discussed 9 above, BrandTotal has not shown that term to be unconscionable. Nor does it conflict with section 10 3’s preface that the commitments stated therein are required in exchange for Meta providing 11 services. See id. § 3, Defs.’ Opp’n to MSJ at 20–21. As BrandTotal has admitted, Meta did 12 provide services. Schultz MSJ Decl. Ex. 35 at 2 (response to Request No. 19). That Meta requires 13 an ongoing commitment not to take certain action in return for services that might not last as long 14 as that commitment is a coherent structure for an agreement, and section 4.2 is sufficiently clear as 15 to its survival clause to dispel any reasonable confusion. BrandTotal therefore remains bound by 16 section 3, including section 3.2.3. 17 Even if the relevant provisions of the terms of use did not survive the termination of an 18 account, some of the “Muppet” accounts that BrandTotal employees created for data collection 19 and debugging remained active as of 2022. Schultz MSJ Decl. Ex. 14 (Vardi Dep.) at 142:5– 20 146:8. BrandTotal’s assertion that it “disputes . . . that any of those accounts belong to 21 BrandTotal” is not supported by evidence. See Defs.’ Opp’n to MSJ at 21. BrandTotal thus 22 remains bound by the terms of use. 23 24 b. Meta’s Performance BrandTotal specifically admitted performance by Meta prior to September 30, 2020. 25 Schultz MSJ Decl. Ex. 35 at 2 (response to Request No. 19). There is evidence that certain 26 accounts created by BrandTotal remained active as of February of 2022, suggesting that Meta has 27 continued to perform under the terms of use at least as to accounts not terminated. See id. Ex. 14 28 (Vardi Dep.) at 142:5–146:8. In its response to a contention interrogatory that included a request 38 1 to describe “whether you contend . . . that Facebook and/or Instagram did not perform their 2 obligations,” BrandTotal did not include any such assertion. Id. Ex. 36 at 9 (Interrogatory No. 3 20). Nor has BrandTotal argued in its briefing that any nonperformance is a defense to these 4 claims. Meta is entitled to summary judgment as to its own performance under the terms of use. 5 c. 6 The parties do not dispute that at least some conduct by BrandTotal breached the terms of 7 use as written. Meta offers evidence that BrandTotal accessed and collected data from Facebook 8 and Instagram using automated means through its various consumer products installed by users 9 and through back-end processes from its own servers. See, e.g., Martens Opening Report ¶¶ 28– 10 50 (summary of opinions). In disputing the element of breach, BrandTotal argues only that UpVoice 2021 does not 11 United States District Court Northern District of California Breach by BrandTotal 12 breach Meta’s terms of use, because it collects data only from panelists’ computers. Defs.’ Opp’n 13 to MSJ at 22. In an October 2021 response to an interrogatory seeking all of BrandTotal’s 14 contentions that it did not breach the terms of use or that the terms are not enforceable, BrandTotal 15 asserted only that the terms of use are unenforceable as against public policy and that the parties’ 16 contractual relationship ended when Meta terminated BrandTotal’s accounts in October of 2020. 17 Schultz MSJ Decl. Ex. 36 at 9–11 (response to Interrogatory No. 20). Moreover, in a 18 supplemental response to a request for admission that BrandTotal “collect[s] information and data 19 from password-protected locations on the Facebook and Instagram platforms,” BrandTotal 20 admitted that “the versions of UpVoice released after February 26, 2021, collect only the creative 21 ID of an advertisement, the advertiser name, and the advertiser page name from password-protect 22 locations of Facebook.” Id. Ex. 21 at 2 (supplemental response to Request No. 1). 23 BrandTotal has therefore waived any argument that UpVoice 2021—or any other conduct 24 alleged in Facebook’s amended complaint—did not violate the terms of use as written.28 Meta is 25 26 27 28 28 There is perhaps some tension between this holding and the Court’s holding below that UpVoice 2021 does not access Meta’s servers for the purpose of the CFAA. Any such tension results at least in part from BrandTotal’s waiver of arguments with respect to breach of contract. The Court does not reach the question of whether BrandTotal could have prevailed on the question of whether UpVoice 2021 breaches section 3.2.3 had it preserved that argument. 39 1 2 3 d. Damages Finally, BrandTotal disputes the element of damage. Defs.’ Opp’n to MSJ at 13–20. The 4 only compensatory damages Meta has asserted are based on the cost of its investigation in 5 response to BrandTotal’s breach, but it also argues that it should be permitted to proceed based on 6 a theory of unjust enrichment or the possibility of nominal damages. 7 Although damages are often recited as an element of a breach of contract claim, a recent 8 California appellate decision reaffirmed older authority holding that nominal damages are 9 available for breach of contract and can support entry of judgment in favor of a plaintiff who 10 11 United States District Court Northern District of California entitled to summary judgment on the issue of breach. 12 13 14 15 16 17 suffered “no appreciable harm”: We agree the trial court should have awarded nominal damages in light of the jury’s unchallenged finding of breach. [California Civil Code] Section 3360 provides: “When a breach of duty has caused no appreciable detriment to the party affected, he may yet recover nominal damages.” California courts have applied section 3360 to conclude that “[a] plaintiff is entitled to recover nominal damages for the breach of a contract, despite inability to show that actual damage was inflicted upon him.” (Sweet v. Johnson (1959) 169 Cal.App.2d 630, 632, 337 P.2d 499 (Sweet).) Nominal damages may be properly awarded for the violation of a contractual right because “failure to perform a contractual duty is, in itself, a legal wrong that is fully distinct from the actual damages.” (Ibid.) 18 Elation Sys., Inc. v. Fenn Bridge LLC, 71 Cal. App. 5th 958, 965–66 (2021). The court 19 specifically rejected the reasoning of two Ninth Circuit cases on which BrandTotal relies to assert 20 that actual damages are a necessary element of the claim, in part because they did not “consider[] 21 the availability of nominal damages in the absence of actual damage.” Id. at 967 (“Accordingly, 22 we follow California law as provided in section 3360 and Sweet . . . and do not find Aguilera or 23 Ruiz persuasive on the point.”); see Defs.’ Opp’n to MSJ at 14–17 (citing, e.g., Aguilera v. Pirelli 24 Armstrong Tire Corp., 223 F.3d 1010, 1015 (9th Cir. 2000); Ruiz v. Gap, Inc., 622 F. Supp. 2d 25 908 (N.D. Cal. 2009), aff’d, 380 F. App’x 689 (9th Cir. 2010)). 26 Ninth Circuit interpretations of state law are “only binding in the absence of any 27 subsequent indication from the California courts that our interpretation was incorrect.” and “[i]n 28 the absence of a pronouncement by the highest court of a state, the federal courts must follow the 40 1 decision of the intermediate appellate courts of the state unless there is convincing evidence that 2 the highest court of the state would decide differently.” Owen ex rel. Owen v. United States, 713 3 F.2d 1461, 1464 (9th Cir. 1983) (cleaned up). The Court is aware of no convincing evidence that 4 the California Supreme Court would decide this issue differently from the Elations Systems court’s 5 conclusion that even a plaintiff who has not suffered actual damages may prevail on a claim for 6 breach of contract. United States District Court Northern District of California 7 Meta seeks summary judgment only as to liability, and not as to any particular amount of 8 damages. See Pl.’s Prop’d Order (dkt. 272-9). Nor has BrandTotal moved for summary 9 judgment—as opposed to arguing in its opposition to Meta’s motion—that any particular portion 10 of Meta’s damages are not compensable. See generally Defs.’ MSJ. The Court therefore need not 11 decide at this juncture whether Meta is entitled to all of the damages it has asserted, and declines 12 to do so when no party specifically sought summary judgment as to such issues. Since at least 13 nominal damages are available and sufficient to support the claim, Meta is entitled to judgment in 14 its favor on its claim for breach of contract, with the amount of any actual damages to be proven at 15 trial. Meta’s motion for summary judgment on this claim is GRANTED. 16 C. 17 Both parties seek summary judgment on at least some aspects of Meta’s claims under the Meta’s CFAA and CDAFA Claims 18 CFAA and the CDAFA. The CFAA “subjects to criminal liability anyone who ‘intentionally 19 accesses a computer without authorization or exceeds authorized access,’ and thereby obtains 20 computer information. 18 U.S.C. § 1030(a)(2). It defines the term ‘exceeds authorized access’ to 21 mean ‘to access a computer with authorization and to use such access to obtain or alter 22 information in the computer that the accesser is not entitled so to obtain or alter.’ § 1030(e)(6).” 23 Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021). It also allows for a civil action for 24 damages and injunctive relief by “[a]ny person who suffers damage or loss by reason of a 25 violation of this section,” provided that at least one of several conditions are met. 18 U.S.C. 26 § 1030(g). The condition on which Meta hangs its claim here is a requirement to show a loss of at 27 least $5,000 during a one-year period. Pl.’s MSJ at 18; see 18 U.S.C. § 1030(a)(5)(B)(i). 28 “[T]he CFAA was enacted ‘primarily to address the growing problem of computer 41 1 hacking,’ such that the en banc Ninth Circuit has favored an interpretation of the statute that 2 ‘maintains the CFAA’s focus on hacking rather than turning it into a sweeping Internet-policing 3 mandate.’” Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 129 (N.D. Cal. 2020) (quoting United 4 States v. Nosal (“Nosal I”), 676 F.3d 854, 858 (2012) (en banc)). Moreover, since the CFAA “is 5 primarily a criminal statute,” and is interpreted consistently in the criminal and civil contexts, the 6 rule of lenity applies and “requires courts to limit [its] reach . . . to the clear import of [its] text and 7 construe any ambiguity against” enforcement. LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 8 1134–35 (9th Cir. 2009). United States District Court Northern District of California 9 California’s CDAFA, also sometimes cited as the California Computer Crime Law or 10 simply Penal Code section 502, is a state law counterpart to the CFAA. Courts have held that 11 CDAFA claims generally “rise or fall with . . . CFAA claims because the necessary elements of 12 Section 502 do not differ materially from the necessary elements of the CFAA, except in terms of 13 damages.” Brodsky, 445 F. Supp. 3d at 129 (cleaned up). One difference between the two statutes 14 is that the CDAFA “does not impose a minimum of $5,000 in damages.” Id. The parties here 15 appear to agree that, with the exception of the minimum damages requirement under the CFAA, 16 these claims are coextensive for the purpose of the present motions. 17 18 1. BrandTotal’s Motion Regarding the CFAA and CDAFA BrandTotal seeks summary judgment on these claims only “with respect to UpVoice 2021 19 and ongoing server-side collection.” Defs.’ MSJ at 33 (heading capitalization altered). It 20 contends that UpVoice 2021 only accesses panelists’ computers, not Meta’s computers. 21 BrandTotal also assert that under its current practices of collecting data directly from Facebook 22 servers, it only accesses publicly available websites, which are outside the scope of the statutes. 23 Beginning with the question of whether UpVoice 2021 “accesses” Meta’s computers 24 within the meaning of the CFAA, the Court agrees with BrandTotal that it does not. Meta’s expert 25 David Martens only identifies that program as using “reactive” data collection, logging and 26 sending to BrandTotal data that users receive from Facebook through their normal use of the 27 website. See Martens Opening Report § 8.3.1. Meta cites evidence from BrandTotal witnesses 28 that UpVoice 2021 “‘listen[s] to network data being transmitted over the wire’ from Meta’s 42 United States District Court Northern District of California 1 computers, [Burrell Opp’n Decl.] Ex. 35 (Sherwood Rebuttal Rep.) ¶ 90, and ‘pars[es] different 2 elements’ from ‘Facebook’s social feed,’ [id.] Ex. 36 (Dor March 10, 2021 Dep. Tr.) at 44:14- 3 45:11. According to Meta, those functions constitute “‘communicat[ing] with” Meta’s servers, 4 which one decision has suggested establishes “access” for the purpose of the CFAA. Pl.’s Opp’n 5 to MSJ at 26 (quoting United States v. Nosal, 930 F. Supp. 2d 1051, 1063 (N.D. Cal. 2013) (in 6 turn quoting Black’s Law Dictionary))) (alteration in Meta’s brief). But the evidence that Meta 7 cites only describes UpVoice accessing and processing the data that Meta has sent to the 8 individual users—incidentally, information that Meta has never argued users are not free to share 9 as they see fit—not proactively “accessing” or “communicating with” Meta’s servers. Meta cites 10 no case extending the CFAA to comparable conduct, and the statute is at most ambiguous as to 11 whether it could encompass BrandTotal analyzing data on users’ computers that the users are 12 authorized to access from Facebook. Under the rule of lenity, the Court is required to construe 13 such ambiguity narrowly, and holds that the statute does not encompass UpVoice 2021’s data 14 collection, at least where it is installed by individuals who are not subject to any sort of direction 15 by BrandTotal. BrandTotal’s motion for summary judgment is GRANTED as to that issue. 16 Turning to the question of BrandTotal’s access to Meta’s servers using its own computers, 17 BrandTotal agrees that Meta revoked its access in October of 2020. The parties dispute whether 18 BrandTotal continues to access password-protected portions of Facebook, or limits its access to 19 portions of Facebook that are available to the public without a password. 20 Before reaching that dispute as to what, exactly, BrandTotal is doing, the Court begins 21 with the question of whether the CFAA governs access to non-password-protected pages on 22 Facebook and Instagram. The Ninth Circuit considered that question in hiQ, holding both before 23 and after remand by the Supreme Court “that the concept of ‘without authorization’ does not apply 24 to public websites.” hiQ, 31 F.4th at 1199 (applying the “gates up” or “gates down” framework 25 that the Supreme Court set forth in Van Buren, 141 S. Ct. at 1658–59). The parties’ regular 26 briefing on the present motions occurred after the Supreme Court vacated the Ninth Circuit’s first 27 hiQ decision for reconsideration in light of Van Buren and before the Ninth Circuit reaffirmed that 28 decision on remand. Meta’s argument that the CFAA applies where a specific party’s access to an 43 1 otherwise public website has been revoked, see Pl.’s Opp’n to MSJ at 28–29, was therefore 2 potentially viable at the time Meta filed its briefs, but has since been foreclosed by circuit 3 precedent.29 In a supplemental brief that Meta filed after the Ninth Circuit issued its new hiQ decision, United States District Court Northern District of California 4 5 Meta contends that the advertisement pages at issue are not actually public, but instead that “the 6 general default for [those pages] is password protection” because while “Meta allows non- 7 authenticated users to access certain ad URLs a very limited number of times, it then redirects 8 them to a log-in page and prevents further access.” Pl.’s Supp’l Br. (dkt. 327) at 3 (citing Schultz 9 MSJ Decl. Ex. 1 (Martens Opening Report) ¶¶ 209–21; id. Ex. 20 (Sherwood Report) ¶ 142 10 (asserting that most advertisement pages can be accessed without a password but acknowledging 11 that Meta “restricts even this otherwise publicly available information by imposing technical 12 limitations such as ‘lockout mechanisms.’”). In the Court’s view, these restrictions differ in 13 degree rather than in kind from the technological restrictions that LinkedIn employed in hiQ to 14 attempt to block automated and otherwise suspicious access, which the Ninth Circuit apparently 15 considered insufficient to bring LinkedIn’s otherwise public pages within the scope of the CFAA. 16 See hiQ, 31 F.4th at 1186 (“For example, LinkedIn’s Quicksand system detects non-human 17 activity indicative of scraping; its Sentinel system throttles (slows or limits) or even blocks 18 activity from suspicious IP addresses; and its Org Block system generates a list of known ‘bad’ IP 19 addresses serving as large-scale scrapers.”). As the panel held in that case, the statute’s concept of 20 access without authorization is predicated on the general public lacking authorization to access the 21 material at issue at all: 22 [T]he wording of the statute, forbidding “access[] . . . without authorization,” 18 U.S.C. § 1030(a)(2), suggests a baseline in which access is not generally available and so permission is ordinarily 23 24 25 26 27 28 29 Formally, the Ninth Circuit held only that the plaintiff in hiQ raised “serious questions” that the CFAA did not preempt its tortious interference claim, which was sufficient to affirm the district court’s preliminary injunction. 31 F.4th at 1201. The panel’s statement that “Van Buren . . . reinforces our conclusion that the concept of ‘without authorization’ does not apply to public websites,” id. at 1199, however, is a clear expression of its view of the law that this Court is not inclined to disregard, and Meta has not argued that the Court should treat it as anything but binding. 44 required. “Authorization” is an affirmative notion, indicating that access is restricted to those specially recognized or admitted. . . . Where the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of “authorization.” 1 2 3 4 Id. at 1195–96. Following hiQ, the Court holds that where a website is made available to the public United States District Court Northern District of California 5 6 without any authentication requirement in at least the first instance, “the concept of ‘without 7 authorization’ does not apply,” see id. at 1199, even if the owner employs technological measures 8 to block specific users, suspicious activity, or—as here—repeated access beyond a particular 9 threshold. To hold otherwise could bring conduct ranging far beyond the CFAA’s purpose of 10 preventing “hacking” within its scope of potential criminal liability, such as a user accessing a 11 newspaper’s website from a smartphone after receiving notice on their computer that they had 12 reached their monthly limit of free articles. The precedential decision in hiQ and the rule of lenity 13 foreclose such an interpretation of the statute. Accordingly, BrandTotal is entitled to summary 14 adjudication that such access does not violate the CFAA (or the nearly-coextensive CDAFA), and 15 its motion is GRANTED as to that issue.30 Whether BrandTotal’s current practices are limited to accessing those public pages is a 16 17 different question. For one thing, there is no dispute that BrandTotal currently uses its “Restricted 18 Panel Extension” program to gather from particular restricted advertisement URLs that 19 BrandTotal directs contractors to navigate to with the extension installed. Burrell Opp’n Decl. Ex. 20 39 (Regev Feb. 2022 Dep.) at 134:3–14. BrandTotal has not sought summary adjudication that 21 such conduct, which uses a different program than UpVoice 2021, does not violate the CFAA, 22 although as discussed separately below, the Court holds that Meta is not entitled to summary 23 judgment on that issue. Meta asserts that BrandTotal has also engaged directly with password-protected pages 24 25 since Meta revoked its access in October of 2020. BrandTotal concedes that it only “modified its 26 27 28 30 The record suggests BrandTotal’s Calix product uses the same relevant process as UpVoice 2021 to gather data, but BrandTotal has not sought summary judgment with respect to that product, and the Court declines to address the issue sua sponte. 45 United States District Court Northern District of California 1 server-side collection software in ‘late October, beginning of November 2021,’” i.e., more than a 2 year after Meta revoked its access, “to stop using access credentials of purchased users to collect 3 information on restricted pages.” Defs.’ MSJ Reply at 18 (citing Taylor Reply Decl. (dkt. 311-1) 4 Ex. KK (Regev Feb. 2022 Dep.) at 143:14–18) (emphasis added). Meta’s expert witness 5 identified “tens of thousands” of instances starting in October of 2021where BrandTotal’s Rapid7 6 logs reflected that BrandTotal used account names or access credentials from Facebook and 7 Instagram accounts that BrandTotal created or purchased in its code, Martens Sanctions Decl. (dkt. 8 246-1) ¶¶ 33–35, and specific instances where access tokens from Facebook accounts were “used 9 by BrandTotal’s Direct Collection software” in November and December of 2021, Martens 10 Opening Report ¶¶ 363–69. BrandTotal’s Vice President Regev testified that BrandTotal still at 11 least sometimes uses access codes when testing or debugging software like the Restricted Panel 12 Extension, Burrell Opp’n Decl. Ex. 39 (Regev Feb. 2022 Dep.) at 157:12–159:19, and that some 13 access tokens that appear in the Rapid7 logs are related to leftover code in BrandTotal’s software 14 that still calls up that information despite not using it for “instantiating a scraping service,” id. at 15 159:20–160:16. It is not entirely clear from Regev’s testimony whether any of that debugging 16 software or leftover code actually connects to password-protected pages on Facebook. Such a 17 connection, even if not used to collect data, could violate the CFAA. 18 Given that the record is less than clear as to how BrandTotal currently uses access tokens, 19 the Court declines to resolve the question of whether BrandTotal’s “ongoing server-side data 20 collection” violates the CFAA, see Defs.’ MSJ at 34–35, which may turn more on semantic 21 questions of what that term encompasses than on whether any of BrandTotal’s ongoing operations 22 (such as testing software) violate the statute, and even by its terms would seem to raise disputed 23 issues of fact as to whether a jury should credit Martens’s opinion (which BrandTotal has not 24 moved to exclude) “that BrandTotal was using Access Tokens associated with specific individuals 25 as part of its Direct Collection activities,” Martens Opening Report ¶ 369. BrandTotal’s motion 26 for summary judgment as to that issue is therefore DENIED, except for the more limited holding 27 above that access to non-password-protected pages does not implicate the CFAA or the CDAFA. 28 46 1 2 Meta’s Motion Regarding the CFAA and CDAFA Meta seeks judgment in its favor on its CFAA and CDAFA claims. Pl.’s MSJ at 16–22. 3 To the extent it seeks judgment that BrandTotal’s collection of data from panelists using UpVoice 4 2021, or its direct access to non-password-protected portions of Meta’s platforms violates those 5 statutes, id. at 20–21, its motion is DENIED for the reasons discussed above. 6 United States District Court Northern District of California 2. BrandTotal does not dispute that Meta revoked its authorization to access Meta’s platforms 7 as of October 1, 2020. See Burrell Opp’n Decl. Ex. 28 at 12–14 (response to Interrogatory No. 8 21). Meta does not argue that BrandTotal lacked authorization before that date. The relevant 9 period for this claim is therefore from October 1, 2020 to the present, and Meta is entitled to 10 summary adjudication that any direct access by BrandTotal to password-protected Meta servers 11 during that period was not authorized. 12 13 a. Losses of at Least $5,000 BrandTotal contends that Meta is not entitled to summary judgment that it has incurred the 14 required loss of at least $5,000 in a one-year period as a result of BrandTotal’s purportedly 15 unauthorized access. Defs.’ Opp’n to MSJ at 22 (citing 18 U.S.C. § 1030(c)(4)(A)(i)(1)). Meta 16 relies entirely on its own internal investigation costs to establish those damages, asserting that it 17 “incurred $98,784 in losses identifying, analyzing, and responding to BrandTotal’s conduct” after 18 October 1, 2020. Pl.’s MSJ at 18 (citing Prowse Report (dkt. 272-5) ¶ 38). 19 Meta also argues that BrandTotal waived any defense based on lack of damages by failing 20 to raise it in response to a contention interrogatory. Pl.’s MSJ Reply (dkt. 314) at 11. The 21 interrogatory at issue reads as follows: 22 23 24 25 26 27 28 INTERROGATORY NO. 21: Separately for each of Your Products, to the extent you contend that You did not violate the CFAA or CDAFA, describe in detail the full basis for Your contention (including by identifying all facts, Documents and witnesses that relate to Your contention). Your response should include the full basis for Your contention, if any, that You did not “knowingly,” “with intent to defraud,” or “intentionally” “access” a protected Facebook or Instagram computer “without authorization or exceeding authorization” or did not “obtain information” from a protected Facebook or Instagram computer as those terms are used for purposes of establishing liability under the CFAA, or did not “knowingly” “access” and “without permission” “alter, damage, delete, destroy, or otherwise use” or “take, copy, or make use of” any “data, computer, 47 1 2 3 Burrell Opp’n Decl. Ex. 28 at 12. Meta did not ask for any potential defense; it asked for the basis 4 for BrandTotal’s contention that it did not violate the statute. BrandTotal’s defense that Meta did 5 not incur at least $5,000 in losses is not contingent on BrandTotal having complied with the 6 statute. In other words, even if BrandTotal violated the CFAA, Meta could not bring a civil claim 7 against it unless it had sufficient losses (or satisfied one of the other potential criteria of 18 U.S.C. 8 § 1030(c)(4)(A)(i), which it has not asserted). BrandTotal was not required to answer a question 9 Meta did not ask in this interrogatory, and thus did not waive this defense by failing to disclose it 10 11 United States District Court Northern District of California computer system, or computer network” or “computer services” as those terms are used for purposes of establishing liability under the CDAFA. 12 13 14 15 16 17 in that response. Turning to the merits of this element of the claim, the parties dispute whether investigative costs are cognizable. The statute defines “loss” as: any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.] 18 U.S.C. § 1030(e)(11). As BrandTotal notes, some district courts have held that this definition “makes clear 18 Congress’s intent to restrict civil actions under subsection (I) to the traditional computer ‘hacker’ 19 scenario—where the hacker deletes information, infects computers, or crashes networks.” AtPac, 20 Inc. v. Aptitude Solutions, Inc., 730 F.Supp.2d 1174, 1185 (E.D. Cal. 2010); see also Welenco, Inc. 21 v. Corbell, 126 F. Supp. 3d 1154, 1169 (E.D. Cal. 2015) (quoting and following AtPac); In re 22 iPhone Application Litig., 844 F. Supp. 2d 1040, 1067 (N.D. Cal. 2012) (same). The Supreme 23 Court recently construed the “loss” provision somewhat similarly, noting that it “relates to costs 24 caused by harm to computer data, programs, systems, or information services” and “focus[es] on 25 technological harms—such as the corruption of files—of the type unauthorized users cause to 26 computer systems and data,” and that such an understanding of the civil provisions of the CFAA 27 informed the Court’s analysis of the criminal case before it. Van Buren, 141 S. Ct. at 1659–60. 28 The Ninth Circuit took that analysis one step further, interpreting Van Buren as having “concluded 48 United States District Court Northern District of California 1 that this civil remedies provision requires a showing of” such technological harm. hiQ, 31 F.4th 2 at 1195 n.12. 3 That line of cases could be construed as abrogating a slew of previous district court 4 decisions holding that investigative costs are recoverable under the CFAA and count towards the 5 requisite loss, potentially including attorneys’ fees to the extent they are incurred for investigative 6 purposes or similarly in “responding” to a violation. See, e.g., Distinct Media Ltd. v. Shutov, No. 7 15-cv-03312-NC, 2017 WL 1234400, at *6 (N.D. Cal. Mar. 10, 2017) (awarding on default 8 judgment “attorneys’ fees associated with its investigative efforts, including court-approved 9 discovery to identify” the defendant); United States v. Nosal, No. CR-08-0237 EMC, 2014 WL 10 121519, at *4–5 (N.D. Cal. Jan. 13, 2014) (noting that “judges in this district have routinely held 11 that such investigation costs are included within the definition of § 1030(e)(11),” while 12 acknowledging decision from other districts construing the statute more narrowly); NCMIC Fin. 13 Corp. v. Artino, 638 F. Supp. 2d 1042, 1065–66 (S.D. Iowa 2009) (“Although attorneys’ fees in 14 prosecuting a CFAA action do not count toward the $5000 statutory threshold, attorneys’ fees 15 incurred responding to the actual CFAA violation to place the plaintiff in their ex ante position are 16 permissible as costs incurred as part of the response to a CFAA violation, including the 17 investigation of an offense.” (cleaned up)). Interpreting Van Buren and hiQ in that manner would 18 also call into question the Ninth Circuit’s earlier decision in Facebook v. Power Ventures, Inc., 19 where the court held “that Facebook suffered a loss within the meaning of the CFAA” because it 20 was “undisputed that Facebook employees spent many hours, totaling more than $5,000 in costs, 21 analyzing, investigating, and responding to Power’s actions.” 844 F.3d 1058, 1066 (9th Cir. 22 2016). 23 The Court declines to construe Van Buren and hiQ as foreclosing a loss based on 24 Facebook’s investigative costs. Van Buren drew a contrast between loss related to a technological 25 breach and harm caused by later misuse of wrongfully obtained data, which is further removed 26 from the sort of access violation at issue here. 141 S. Ct. at 1659–60. There is no indication that 27 the Van Buren Court would place investigative costs as falling outside the scope of “the cost of 28 responding to an offense” that the statute specifically incorporates. 18 U.S.C. § 1030(e)(11). In 49 United States District Court Northern District of California 1 hiQ, the Ninth Circuit addressed this issue in a footnote and gave Van Buren a broad reading of 2 “requir[ing] a showing of ‘technological harms—such as the corruption of files,’” but does not 3 appear to have relied on that principle in concluding that the plaintiff showed serious issues that 4 LinkedIn would not be able to use the CFAA as a defense to tortious interference. See hiQ, 31 5 F.4th at 1195 n.12 (emphasis added). The opinion in hiQ did not address Power Ventures’ holding 6 that investigative costs were sufficient to meet the loss threshold, and the Court declines to 7 construe its dicta regarding the nature of “loss” as overruling that earlier precedent. 8 That said, Meta faces a hurdle in showing sufficient loss in that, as discussed above with 9 respect to UpVoice 2021 and BrandTotal’s access to non-password-protected websites, much of 10 the conduct Meta was investigating did not actually violate the CFAA. It is not clear from Dr. 11 Prowse’s report what costs Meta incurred in response to true violations, and Meta has not argued 12 or offered authority for the proposition that it can count costs to investigate potential violations 13 that do not turn out to be violations towards the $5,000 threshold. Meta’s motion for summary 14 judgment on its CFAA claim is therefore DENIED. 15 BrandTotal did not move for summary judgment on the issue of the $5,000 loss threshold. 16 Even it had, it likely would not be entitled to it, because a jury might reasonably infer that at least 17 $5,000 of the nearly $100,000 that Dr. Prowse identified in post–October 2020 investigation costs 18 was attributable to unauthorized access by BrandTotal. The Court also does not reach 19 BrandTotal’s argument—which it similarly raised only in opposition to Meta’s motion, not in its 20 own motion—that Meta’s losses were unrecoverable litigation expenses, but notes that despite 21 Meta’s attorneys’ involvement in supervising the investigation both before and after Meta filed its 22 complaint, Dr. Prowse’s description of the investigative work on which he based his cost analysis 23 tends to suggest that at least some of that work for the sort of response to BrandTotal’s access to 24 understand the nature of the violation that courts have held fall within the statutory definition of 25 “loss.”31 Because the CDAFA does not include the $5,000 loss threshold see Brodsky, 445 F. Supp. 26 27 31 28 While BrandTotal moves to exclude Dr. Prowse’s opinions regarding BrandTotal’s purported unjust enrichment, it did not move to exclude his opinions regarding Meta’s losses. 50 1 3d at 129, and because identifying issues that are not genuinely in dispute with respect to the 2 CFAA claim could streamline the issues to be addressed at trial, the Court proceeds to the 3 remaining elements of Meta’s CFAA and CDAFA claims. 4 United States District Court Northern District of California 5 b. Unauthorized Access to Meta’s Computers Aside from the forms of access already addressed above in the context of BrandTotal’s 6 motion, Meta asserts that BrandTotal continued to access password-protected Meta websites in a 7 number of ways after Meta revoked access: (1) through previously-installed copies of its various 8 consumer products, including the legacy version of UpVoice and versions of the ASV and Story 9 Savebox programs that collected access tokens, which continued requesting data from Facebook 10 and Instagram and sending data that data to BrandTotal after Google removed those products from 11 its online store, as well as the Phoenix and Social One applications for Android smartphones, 12 which Google never removed from its store and which continued to collect data from Meta’s 13 platforms in a similar manner to the pre-litigation version of UpVoice until February 2021; 14 (2) through the “Muppet” accounts that BrandTotal created or purchased to access restricted 15 pages; and (3) through the Restricted Panel Extension, which a BrandTotal contractor uses to 16 collect data from password-protected advertisement pages at BrandTotal’s direction. See Defs.’ 17 MSJ at 17–18; Defs.’ MSJ Reply at 14–15. 18 i. Legacy Products and Surviving Android Applications 19 BrandTotal does not respond to Meta’s arguments regarding legacy applications that 20 remained installed after October of 2020, and Meta does not return to that issue in its reply. 21 Meta’s expert witness Martens states in his report that many of BrandTotal’s legacy 22 applications—both those like the old version of UpVoice that were removed from Google’s store 23 but remained installed on some users’ computers, and the two applications (Phoenix and Social 24 One) that remained available for download—continued actively requesting data from Facebook’s 25 servers while users were logged into Facebook until February 23, 2021, when BrandTotal altered 26 code that those programs dynamically downloaded to execute their data collection, effectively 27 remotely shutting down that active collection. Martens Opening Report ¶¶ 518–21, 565. 28 BrandTotal’s two Android applications that targeted Instagram, ASV and Story Savebox, 51 United States District Court Northern District of California 1 continued to use active data collection of password-protected areas of Instagram even in versions 2 released after Meta revoked BrandTotal’s authorization, despite the ability of developers to force 3 users to upgrade Android applications, which BrandTotal never employed to cease collection 4 through those applications. Id. ¶¶ 386–403. BrandTotal has not moved to exclude those opinions 5 and does not address them in its opposition brief, and it is not the Court’s role to search the record 6 for potentially conflicting evidence that could create a dispute of fact. Keenan, 91 F.3d at 1279. 7 Moreover, BrandTotal’s Vice President Regev testified that ASV and Story Savebox continued to 8 collect data from Instagram through at least February of this year. Schultz MSJ Decl. Ex. 25 9 (Regev Feb. 2022 Dep.) at 40:18–22. 10 This method of hijacking a user’s logged-in session with Facebook or Instagram to 11 manipulate Meta’s servers to divulge further information is materially indistinguishable from the 12 conduct in Power Ventures, where even after Facebook explicitly revoked its authorization, the 13 defendant continued sending emails to users inviting them to share advertisements for Power 14 Ventures’ services with the users’ Facebook friends. 844 F.3d at 1063, 1067. If the user clicked a 15 link agreeing to do so, Power Ventures automatically “create[d] an event, photo, or status on the 16 user’s Facebook profile.” Id. at 1063. While the Ninth Circuit concluded that Power Ventures 17 had permission from the users to access their profiles, and that it initially reasonably believed that 18 permission was sufficient to authorize it to access Facebook’s servers, the court held that after 19 Facebook explicitly revoked Power Ventures’ authorization and attempted to block its IP 20 addresses, its continued use of that email campaign and manipulation of users’ accounts (even 21 with the users’ permission) constituted unauthorized access to Facebook’s servers. Id. at 1067–68. 22 Here, as in that case, it is of no consequence whether BrandTotal had permission from its panelists 23 to use their accounts for data collection. Once Meta revoked BrandTotal’s authorization to access 24 its platforms, BrandTotal’s continued use of its various programs to actively collect data while 25 panelists were logged into Facebook—which it had the power to stop, but did not before February 26 of 202132—violated the CFAA. Meta’s motion is GRANTED as to summary adjudication of that 27 32 28 If BrandTotal lacked any way to stop these previously installed programs from accessing Meta’s 52 1 issue with respect to its CFAA claim, and as to summary judgment on it CDAFA claim with 2 respect to that conduct. 3 United States District Court Northern District of California 4 ii. Direct Collection by BrandTotal BrandTotal’s direct collection of data also, in at least some instances, violated the CFAA 5 and CDAFA. While the testimony in the record regarding the extent to which BrandTotal used 6 “fake” user credentials to access restricted pages is muddled, BrandTotal concedes in its reply 7 brief in support of its own motion for summary judgment that it only “modified its server-side 8 collection software in ‘late October, beginning of November 2021’ to stop using access credentials 9 of purchased users to collect information on restricted pages.” Defs.’ MSJ Reply at 18 (citing 10 Taylor Reply Decl. Ex. KK (Regev Feb. 2022 Dep.) at 143:14–18 (describing when BrandTotal 11 began using the Restricted Panel Extension)); Burrell Opp’n Decl. Ex. 39 (Regev Feb. 2022 Dep.) 12 at 109:10–22 (stating that the only way BrandTotal could access restricted pages before it began 13 using the Restricted Panel Extension was by using “the fake users or some other technique”). 14 Meta’s expert witness Martens states that BrandTotal at times used to gather information from restricted advertisement pages that could only be 15 16 accessed by a logged-in account, although Meta does not specifically cite that portion of his report 17 in its briefing. Martens Opening Report ¶¶ 635–37. 18 19 20 Id. Meta is entitled to summary adjudication that direct access by BrandTotal to password- 21 protected areas of Meta’s platforms violated the CFAA and the CDAFA. Neither the frequency or 22 duration of such access, nor the degree to which it continued beyond the October or November 23 2021 rollout of the Restricted Panel Extension, is entirely clear, however, and to the extent those 24 questions are relevant to damages or any other aspect of these claims, they remain to be resolved 25 26 27 28 servers, its ongoing use of the data they collected might not violate the CFAA, which focuses on unauthorized access rather than misappropriation of information. But since BrandTotal has not contested Martens’s opinions that it could have remotely deactivated all of these programs’ ongoing proactive access to Meta’s platforms, its decision to allow them to keep accessing those servers amounts to a violation, and the Court need not decide whether the outcome would differ if BrandTotal had no control over the ongoing access. 53 1 at trial. 2 United States District Court Northern District of California 3 iii. Restricted Panel Extension BrandTotal began using the Restricted Panel Extension (“RPE”) in October or November 4 of 2021. Schultz MSJ Decl. Ex. 25 (Regev Feb. 2022 Dep.) at 143:14–18. BrandTotal collects 5 data by directing an individual it has contracted with through a third party to install the RPE and 6 visit specific restricted pages while logged into Facebook using that individual’s own account. Id. 7 at 134:3–140:19. Meta’s briefs do not identify any relevant technological difference between the 8 RPE and UpVoice 2021, instead focusing on the fact that the RPE is an “internal tool” used by 9 someone working at BrandTotal’s direction. Pl.’s MSJ Reply (dkt. 314) at 14. There is no 10 indication that Facebook has denied authorized access to the individual who uses the RPE, in their 11 individual capacity. The question, then, is whether someone who lacks authorized access to a 12 computer violates the CFAA by soliciting someone who has access to obtain particular data from 13 the computer. 14 The Supreme Court addressed in Van Buren the converse situation of whether the 15 individual accessing the computer under such an arrangement violates the CFAA, and held that 16 they do not, because their access is authorized. There, a police officer who was authorized to 17 access information in a law enforcement database used that database to look up the owner of a 18 license plate at the request of an acquaintance (who happened to be a confidential informant for 19 the FBI) in exchange for a promise of payment. 141 S. Ct. at 1653. The Court reversed the 20 officer’s criminal conviction under the CFAA because he “did not ‘excee[d] authorized access’ to 21 the database, as the CFAA defines that phrase, even though he obtained information from the 22 database for an improper purpose.” Id. at 1662. 23 Here, the question is analogous to whether the acquaintance who offered to pay the officer 24 for that information, and was not himself authorized to access it, would have violated the CFAA if 25 the offer had been genuine (rather than part of a sting operation). Few courts have addressed that 26 fact pattern, but the limited authority available suggests that hiring an authorized intermediary to 27 obtain data from a computer the principal is not authorized to access does not violate the statute. 28 In the Ninth Circuit’s en banc Nosal decision, a former employee of an executive search company, 54 United States District Court Northern District of California 1 David Nosal asked his former colleagues who still worked there to extract confidential 2 information from the company’s database in order to help him start a competing a business. Nosal 3 I, 676 F.3d at 856. Nosal was criminally charged with “with violations of [the CFAA], for aiding 4 and abetting the [current] employees in ‘exceed[ing their] authorized access’ with intent to 5 defraud.” Id. at 856 (final alteration in original). Presaging the Supreme Court’s Van Burden 6 decision, the Ninth Circuit affirmed dismissal, holding that company rules prohibiting misuse of 7 the information were not “restrictions on access” within the meaning of the CFAA, and the 8 charges therefore failed because the current employees were authorized to access the database. 9 See id. at 863–64. While the en banc court did not address whether Nosal could have been 10 charged under the CFAA on the grounds that his own conduct directing the extraction of 11 information violated the statute—since he, of course, was no longer authorized to access the 12 database—rather than for aiding and abetting his former colleagues’ violation, nothing in its 13 decision suggests that the prosecution could have taken that more straightforward approach. 14 On remand to the district court, the prosecution asserted additional facts regarding other 15 individuals: an authorized user, J.F., “logged on to the computer using her credentials, then handed 16 over the computer terminal to M.J. [an unauthorized user], who ran his own searches through the 17 . . . database and then downloaded files therefrom.” United States v. Nosal (“Nosal II”), 930 F. 18 Supp. 2d 1051, 1063 (N.D. Cal. 2013). Judge Chen held that was sufficient to allege that M.J. 19 accessed the computer without authorization, as it was equivalent to using J.F.’s credentials to 20 access what M.J. was not himself authorized to access. Id. He declined to reach the question of 21 whether the statute “should be read so broadly as to encompass the situation where an 22 unauthorized person looks over the shoulder of the authorized user to view password protected 23 information or files,” holding only that a violation occurred where the unauthorized person 24 actually interacted with the computer. Id. 25 In a 2015 case from this district, the plaintiff LED manufacturing companies alleged that 26 the defendants directed one of the plaintiffs’ employees to procure confidential information from 27 corporate computers before he left the plaintiffs’ employment to work for the defendants. 28 Koninklijke Philips N.V. v. Elec-Tech Int’l Co., No. 14-cv-02737-BLF, 2015 WL 1289984, at *2 55 United States District Court Northern District of California 1 (N.D. Cal. Mar. 20, 2015). In granting a motion to dismiss, Judge Freeman noted that the 2 plaintiffs did not provide sufficient allegations to establish an agency relationship, but held that 3 “even a well-pled agency allegation would leave the Plaintiffs no closer to stating a claim under 4 the CFAA,” because the defendants did not themselves access the plaintiffs computer and holding 5 them for directing the misuse of data by an authorized user would run afoul of the Ninth Circuit’s 6 conclusion in Nosal “that the CFAA was designed to target hacking, not misappropriation.” Id. at 7 *4. Judge Freeman noted that the facts alleged did not amount to an unauthorized user directly 8 interacting with the computer as in Nosal II, but instead merely misuse of information taken from 9 the computer by an authorized user. Id. at *5. That such misappropriation occurred at the 10 defendants’ direction did not mean the defendants “accessed” a computer within the meaning of 11 the statute. See also Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610, 615 (E.D. Pa. 2013) 12 (reaching the same conclusion in a similar case). Following the decision in Koninklijke, the Ninth Circuit confronted yet another 13 14 permutation of Nosal. In that iteration of the case, the relevant facts were that after Nosal and his 15 accomplices had left the company, the accomplices continued to access its network using the 16 access credentials of Nosal’s former executive assistant, who continued to work there at Nosal’s 17 request. United States v. Nosal (“Nosal III”), 844 F.3d 1024, 1029 (9th Cir. 2016). The Ninth 18 Circuit affirmed Nosal’s conviction for conspiracy to violate the CFAA, holding that his former 19 employer had unambiguously revoked his and his accomplices’ access and his former assistant 20 had no power to reinstate that access. Id. at 1029–30. Meta highlight’s the court’s conclusion that 21 “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep 22 the statute by going through the back door and accessing the computer through a third party.” Id. 23 at 1028. But that case involved unauthorized parties using an authorized user’s credentials to 24 interact with the computer—more comparable to BrandTotal’s older products that affirmatively 25 requested data from Meta’s servers after an authorized user had logged in—not merely soliciting 26 an authorized user to collect and provide information, or even “look[ing] over the shoulder of the 27 authorized user,” cf. Nosal II, 930 F. Supp. 2d at 1063, as BrandTotal essentially does with the 28 RPE. 56 United States District Court Northern District of California 1 An unauthorized person hiring an authorized agent to extract information from a computer 2 system may violate any number of other laws, particularly if the information at issue is protected 3 as trade secrets or intellectual property. But extending the CFAA to encompass such conduct risks 4 “transform[ing] the CFAA from an anti-hacking statute into an expansive misappropriation 5 statute.” See Nosal I, 676 F.3d at 857. Meta cites no case applying the statute to similar facts, and 6 the Court declines to extend it to do so. While this interpretation of the CFAA (and by extension, 7 the CDAFA) might limit its usefulness for services like Meta that generally make authorized 8 access available for the asking, that outcome would be consistent with the Ninth Circuit’s view 9 that the CFAA is focused on hacking and not applicable to public websites. Accordingly, Meta’s 10 motion for summary judgment is DENIED as to the question of whether BrandTotal’s use of the 11 RPE violates the CFAA or the CDAFA. *** 12 13 Meta’s motions for summary judgment is GRANTED as to the question of whether active 14 collection of data from password-protected portions of Meta’s services by BrandTotal’s legacy 15 programs, and by BrandTotal directly, violated the CFAA and the CDAFA. Meta’s motion is 16 otherwise DENIED as to these claims. Meta will be entitled to judgment in its favor on the 17 CDAFA claim based on its legacy programs and direct access to password-protected material, 18 with relief to be determined at trial. Meta’s CFAA claim remains contingent on showing at trial at 19 least $5,000 in loss caused by BrandTotal’s violations. 20 D. 21 Both parties seek summary judgment on Meta’s claim under the UCL, which broadly Meta’s UCL Claim (Both Parties’ Motions) 22 prohibits unlawful, unfair, and fraudulent business acts. Korea Supply Co. v. Lockheed Martin 23 Corp., 29 Cal. 4th 1134, 1143 (2003). “Unlawful acts are anything that can properly be called a 24 business practice and that at the same time is forbidden by law . . . be it civil, criminal, federal, 25 state, or municipal, statutory, regulatory, or court-made, where court-made law is, for example a 26 violation of a prior court order.” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1151 27 (9th Cir. 2008) (ellipsis in original) (citations and internal quotation marks omitted). “Unfair acts 28 among competitors means ‘conduct that threatens an incipient violation of an antitrust law, or 57 1 violates the spirit or policy of those laws because its effects are comparable to or the same as a 2 violation of the law, or otherwise significantly threatens or harms competition.’” Id. at 1152 3 (quoting Cel-Tech, 20 Cal. 4th at 187). “Finally, fraudulent acts are ones where members of the 4 public are likely to be deceived.” Id. Meta’s amended complaint invokes all three prongs of that 5 statute, asserting that BrandTotal’s conduct is “unfair,” “fraudulent,” and “unlawful.” FAC 6 ¶¶ 119–26. 7 8 9 United States District Court Northern District of California 10 1. BrandTotal’s Motion: UpVoice 2021 BrandTotal has only sought summary judgment on this claim with respect to UpVoice 2021. Defs.’ MSJ at 35. Beginning with the “unlawful” prong, as discussed above, Meta is entitled to summary 11 judgment that BrandTotal’s use of UpVoice 2021 is a breach of Meta’s terms of use. But “breach 12 of contract may form the basis for UCL claims only if ‘it also constitutes conduct that is 13 ‘unlawful, or unfair, or fraudulent.’” Conder v. Home Sav. of Am., 680 F. Supp. 2d 1168, 1176 14 (C.D. Cal. 2010) (quoting Puentes v. Wells Fargo Home Mtg., Inc., 160 Cal. App. 4th 638, 645 15 (2008)) (emphasis omitted). As also discussed above, the Court holds that UpVoice 2021 does not 16 violate the CFAA or CDAFA, which are Meta’s only stated grounds for asserting a violation of 17 the “unlawful” prong of the UCL. Pl.’s Opp’n to MSJ at 33. 18 As stated in Meta’s complaint, the two grounds for its claim under the “fraudulent” prong 19 of the UCL are that BrandTotal “falsely represented to Facebook and Instagram’s users that 20 Facebook was a ‘participating site’ that sanctioned Defendants’ conduct,” and that BrandTotal 21 “deceived Facebook into providing them with access to its computer network by using the login 22 credentials of other users.” FAC ¶ 123. With respect to purported deception of users, BrandTotal 23 offers undisputed evidence that it removed the statement on which Meta bases its claim from its 24 website before launching UpVoice 2021. Leibovich TRO Decl. (dkt. 27-3) ¶ 29. Regardless, 25 “courts have recognized that UCL fraud plaintiffs must allege their own reliance—not the reliance 26 of third parties—to have standing,” such that competitors may not bring claims based on the 27 reliance of third party customers, much less based on a mere possibility of such reliance. See 28 O’Connor v. Uber Techs., Inc., 58 F. Supp. 3d 989, 1002 (N.D. Cal. 2014) (citing ZL Techs. v. 58 1 Gartner, Inc., No. CV 09–02393 JF (RS), 2009 WL 3706821, at *11 (N.D. Cal. Nov. 4, 2009); 2 Morgan v. AT & T Wireless Servs., Inc., 177 Cal. App. 4th 1235, 1255 (2009)); see also In re 3 Tobacco II Cases, 46 Cal. 4th 298, 326 (2009)). As for the purported misrepresentation directed 4 to Meta, there is no dispute that UpVoice 2021 does not send any sort of communication to Meta’s 5 servers, but instead merely records data that users receive from Facebook in the course of their 6 normal usage of the site. Meta thus has not identified any representation to it by UpVoice 2021 on 7 which it could have relied. Finally, as discussed at length in the Court’s previous orders in this case, a competitor 8 United States District Court Northern District of California 9 bringing a claim under the “unfair” prong must show “‘conduct that threatens an incipient 10 violation of an antitrust law, or violates the policy or spirit of one of those laws because its effects 11 are comparable to or the same as a violation of the law, or otherwise significantly threatens or 12 harms competition.’” E.g., 2d MTD Order at 25 (quoting Cel-Tech, 20 Cal. 4th at 187). Meta has 13 made no attempt to meet that standard here and has identified no evidence from which such an 14 effect on competition could be found. BrandTotal’s motion for summary judgment is therefore GRANTED as to a finding that its 15 16 use of UpVoice 2021 does not violate the UCL. Since that is the only conduct it addressed in its 17 motion, however, this holding does not reach any other past or present conduct by BrandTotal 18 aside from its distribution of that product and its collection of data from users who have installed 19 it. 20 21 2. Meta’s Motion Meta seeks partial summary judgment on its UCL claim to the extent BrandTotal violated 22 the CFAA and the CDAFA. Pl.’s MSJ at 22–23. BrandTotal argues in response only that its 23 conduct does not violate those statutes. Defs.’ Opp’n to MSJ at 26. Meta’s motion is therefore 24 granted in part and denied in part to the same extent as its CFAA and CDAFA claims discussed 25 above. In other words, Meta’s motion for summary judgment on its UCL claim is granted with 26 respect to conduct that the Court has found violates the CFAA and CDAFA, and denied with 27 respect to conduct that the Court found did not violate those statutes. 28 Except with respect to UpVoice 2021, neither party sought summary judgment on Meta’s 59 United States District Court Northern District of California 1 UCL claim to the extent it was based on the “unfair” or “fraudulent” prong. If Meta intends to 2 pursue this claim under those theories as to any conduct by BrandTotal besides the use of 3 UpVoice 2021, it may do so at trial. 4 E. 5 Meta seeks summary judgment in its favor on BrandTotal’s remaining counterclaims for BrandTotal’s Counterclaims (Meta’s Motion) 6 intentional interference with contract (with respect to existing customers, panelists, and Google), 7 intentional interference with prospective economic advantage (with respect to the same entities), 8 and violation of the “unlawful” prong of the UCL by virtue of the same tortious interference. Pl.’s 9 MSJ at 22–35. Since the elements of the two tortious interference theories largely overlap, and 10 BrandTotal’s surviving UCL counterclaim is predicated entirely on tortious interference, the Court 11 addresses these counterclaims together. 12 13 1. Legal Standard “‘The elements which a plaintiff must plead to state the cause of action for intentional 14 interference with contractual relations are (1) a valid contract between plaintiff and a third party; 15 (2) defendant’s knowledge of this contract; (3) defendant’s intentional acts designed to induce a 16 breach or disruption of the contractual relationship; (4) actual breach or disruption of the 17 contractual relationship; and (5) resulting damage.’” hiQ, 31 F.4th at 1191 (quoting Pac. Gas & 18 Elec. Co. v. Bear Stearns & Co. (“PG&E”), 50 Cal. 3d 1118, 1126 (1990)). While the typical case 19 involves actual breach, the element of “disruption” of a contract can also be satisfied “where the 20 plaintiff’s performance has been prevented or rendered more expensive or burdensome.” Id. at 21 1191 n.9 (citation and internal quotation marks omitted); see also PG&E, 50 Cal. 3d at 1129 22 (“[W]hile the tort of inducing breach of contract requires proof of a breach, the cause of action for 23 interference with contractual relations is distinct and requires only proof of interference.”). A 24 claim for interference with an at-will contract requires showing wrongfulness beyond mere 25 interference, based on its resemblance to a claim for interference with prospective relations—in 26 particular, the lack of any “legal basis in either case to expect the continuity of the relationship or 27 to make decisions in reliance on the relationship.” Ixchel, 9 Cal. 5th at 1147. 28 A claim for intentional interference with prospective economic relations is similar to 60 United States District Court Northern District of California 1 intentional interference with contract. “A plaintiff asserting this tort must show that the defendant 2 knowingly interfered with an ‘economic relationship between the plaintiff and some third party, 3 [which carries] the probability of future economic benefit to the plaintiff.’” Id. at 1141 (quoting 4 Korea Supply, 29 Cal. 4th 1134, 1153 (2003)) (alteration in original). “Although this need not be 5 a contractual relationship, an existing relationship is required.” Roth v. Rhodes, 25 Cal. App. 4th 6 530, 546 (1994) (citing Buckaloo v. Johnson, 14 Cal. 3d 815, 829 (1975), abrogated on other 7 grounds by Della Penna v. Toyota Motor Sales, U.S.A., Inc., 11 Cal. 4th 376 (1995)). As with a 8 claim based on an at-will contract, the plaintiff “must plead as an element of the claim that the 9 defendant’s conduct was ‘wrongful by some legal measure other than the fact of interference 10 itself.’” Ixchel, 9 Cal. 5th at 1142 (quoting Della Penna, 11 Cal. 4th at 393). “In this regard, ‘an 11 act is independently wrongful if it is unlawful, that is, if it is proscribed by some constitutional, 12 statutory, regulatory, common law, or other determinable legal standard.’” Reeves v. Hanlon, 33 13 Cal. 4th 1140, 1152 (2004) (quoting Korea Supply, 29 Cal. 4th at 1158). 14 15 2. Relevant Facts The act of interference on which BrandTotal bases these claims is Meta’s outreach to 16 Google regarding concerns about BrandTotal’s products, which led to the removal of UpVoice 17 from Google’s online store. See Defs.’ Opp’n to MSJ at 26–27. Specifically, after Meta had 18 investigated BrandTotal’s products over a period of years, Meta employee Jeremy Brewer wrote to 19 Google employee Benjamin Ackerman on September 21, 2020, that Meta believed UpVoice, 20 among other Google Chrome extensions, was “improperly scraping user PII (e.g., gender, 21 relationship status, ad interests, etc.) without proper disclosure.” Schultz MSJ Decl. Ex. 34. 22 Another Meta employee who had been involved with the investigation of BrandTotal, Sanchit 23 Karve, followed up that day to note that similar extensions from a company called “oinkandstuff” 24 had been removed by Google, and again a few days later to ask if Ackerman had “had a chance to 25 look into our request.” Id. Ackerman responded on September 29, 2020: “. . . I will get the three 26 that are live looked at. Just looking through their privacy policy it does look like they are 27 collecting a bunch of information for advertising purposes, which is a no no.” Id. 28 Karve states that he had begun investigating BrandTotal browser extensions in March of 61 1 2020 and had reached the following conclusions by the time Meta first reached out to Google: 2 As of September 21, 2020, I understood from our investigation that BrandTotal’s claim that it anonymized user data was misleading because it used a hash function on user IDs that did not fully or securely anonymize the information collected. Even with a properly hashed user ID, for example, it is possible to correlate information from different entries bearing the same hashed user ID to discovery the identity of the user. Additionally, because Facebook user IDs have defined lengths and ranges of valid values, they can be reverse engineered relatively easily even when hashed. I also understood from our investigation that BrandTotal’s method of data collection was not targeted, meaning that in order to collect one piece of information, its extensions also collected additional, related information. The collection of that additional information was not disclosed to users. And finally, I was also aware that multiple individuals in a household could be using an extension installed on a shared household computer, some of whom might have been unaware of the extension’s operation and data collection. 3 4 5 6 7 8 9 United States District Court Northern District of California 10 11 Karve Decl. (dkt. 272-1) ¶ 7. Karve also states that Brewer’s “email accurately described Meta’s 12 understanding of the operation of BrandTotal’s extensions and the substance of its disclosures to 13 users, as based upon our investigations at the time.” Id. ¶ 6. According to Karve, “[i]t is routine 14 for Meta to report applications and extensions that violate Facebook and Instagram terms to 15 Google.” Id. ¶ 9. Google—specifically Benjamin Ackerman—had opened an investigation into oinkandstuff 16 17 in March of 2020. Ackerman Decl. (dkt. 272-3) Attach. 1 at -3.33 Ackerman had also received a 18 report on September 17, 2020 of certain Chrome extensions believed to be developed by 19 BrandTotal’s affiliate Unimania improperly manipulating their reviews on Google’s store. 20 Ackerman Decl. ¶¶ 8–9. On September 29, 2020, the same day he responded to Karve, Ackerman 21 added a note to the oinkandstuff investigation stating that he “got a report from some contacts at 22 Facebook that the following extensions [including UpVoice] are also from oinkandstuff and are 23 collecting unnecessary data.” Id. Attach. 1 at -11. Based on a “quick look through their privacy 24 policy” he determined that it “looks like they are selling that data for advertisers.” Id. According 25 to Ackerman, Google ultimately removed UpVoice and the other extensions Meta reported based 26 on Google’s determination, after its own investigation, that they “obfuscated their code base, did 27 33 28 Citations in this order where page numbers begin with hyphens refer to Bates numbers used within exhibits, with leading letters and zeros omitted. 62 1 not provide users with the proper express opt-in for data collection, and lacked privacy policies 2 that were sufficiently clear regarding the data collected,” as well as their functional similarity to 3 the oinkandstuff extensions reported several months earlier that had already been removed. 4 Ackerman Decl. ¶ 13. 5 United States District Court Northern District of California 6 3. Meta Acted with a Legitimate Business Purpose Meta asserts that it was justified in any interference with BrandTotal’s contracts. “Under 7 California law, a legitimate business purpose can indeed justify interference with contract”—or 8 economic relations—“but not just any such purpose suffices.” See hiQ, 31 F.4th at 1192. 9 “‘Whether an intentional interference by a third party is justifiable depends upon a balancing of 10 the importance, social and private, of the objective advanced by the interference against the 11 importance of the interest interfered with, considering all circumstances including the nature of the 12 actor’s conduct and the relationship between the parties.’” Id. at 1193 (quoting Herron v. State 13 Farm Mut. Ins. Co., 56 Cal. 2d 202, 206 (1961)). Courts must determine whether the defendant’s 14 interest outweighs societal interests in stability of contracts (the defendant’s mere pursuit of 15 economic advantage generally does not), “whether the means of interference involve no more than 16 recognized trade practices,” “whether the conduct is within the realm of fair competition,” and— 17 most importantly—“whether the business interest is pretextual or asserted in good faith.” Id. 18 (citations and internal quotation marks omitted). A defendant’s enforcement of its own contract is 19 not an absolute defense to interference—even then, the “determinative question” is whether the 20 party acted in good faith. Richardson v. La Rancherita, 98 Cal. App. 3d 73, 81 (1979); see also 21 Webber v. Inland Empire Invs., 74 Cal. App. 4th 884, 902 (1999). 22 The Court previously denied Meta’s motion to dismiss this counterclaim based on the 23 legitimate purpose defense, holding that BrandTotal had “raise[d] at least a specter of bad faith 24 sufficient to render . . . plausible” its allegation that Meta’s statements to Google “‘were known by 25 [Meta] to be false, and its actions were malicious.’” 2d MTD Order at 14–15 (quoting 1st Am. 26 Counterclaim ¶ 149). The Court reached that conclusion in the highly deferential context of 27 whether the affirmative defense Meta asserted was “‘obvious from the face of’” BrandTotal’s 28 counterclaims. Id. (quoting Rivera v. Peri & Sons Farms, Inc., 735 F.3d 892, 902 (9th Cir. 2013)). 63 United States District Court Northern District of California 1 While BrandTotal is also entitled to a favorable standard here as the party opposing summary 2 judgment, it is no longer entitled to have its allegations that Meta knew its statement was false 3 merely taken as true, and must present sufficient evidence from which a reasonable jury could find 4 in its favor. 5 Contemporary documentation from Meta’s investigation indicates that Meta believed 6 BrandTotal was acting deceptively and abusing Meta’s platform. A March 31, 2020 internal 7 report on the success of one of Meta’s monitoring programs highlighted BrandTotal’s products 8 including UpVoice (as well as one other entity redacted in the record), asserting that “in most 9 cases users are unaware this data is being accessed” and concluding that BrandTotal’s “spider web 10 of services across different platforms to deceptively collect user metadata and ad targeting makes 11 [sic] highlights the need to take more severe enforcement / legal action.” Schultz MSJ Decl. Ex. 12 41 at -1166, -1169. The report notes that BrandTotal collects various categories of user data, and 13 that “while user ID and device ID is hashed before sending to remote server, this is misleading” 14 because “User ID hashing is considered ‘pseudo anonymized’ since you can still correlate 15 information from multiple entries bearing the same hashed user ID and discovery the user 16 identity.” Id. at -1169. Another document from Meta’s investigation similarly asserts that, despite 17 UpVoice employing techniques that would seem to anonymize user IDs, “the user id is still easily 18 recoverable.” Id. Ex. 40 at -28702. The latter document includes an “Enforcement Plan,” 19 prepared at a time when the enforcement date was “TBD,” that included “[c]ontact[ing] Google 20 CWS [i.e., Chrome Web Store] team to take down following chrome extensions,” including 21 UpVoice. Id. at -28716. 22 Regardless of whether Meta’s contemporary views of BrandTotal’s purportedly deceptive 23 collection of user data were accurate, BrandTotal’s assertion here that “nothing in the 24 contemporaneous documents obtained since the motion to dismiss hearing suggest Meta ‘believed’ 25 BrandTotal was collecting user PII ‘without proper disclosure,’” Defs.’ Opp’n to MSJ at 30, is not 26 accurate, because Meta apparently believed that many users were unaware of BrandTotal’s data 27 collection, and that it was “deceptive,” as early as April of 2020. Schultz MSJ Decl. Ex. 41 28 at -1166, -1169. Google’s ultimate conclusion after its own investigation that UpVoice “did not 64 United States District Court Northern District of California 1 provide users with the proper express opt-in for data collection, and lacked privacy policies that 2 were sufficiently clear regarding the data collected” lends credence to the conclusion that Meta’s 3 stated objections were genuine. See Ackerman Decl. ¶ 13. 4 There is certainly also evidence that Meta was concerned about BrandTotal’s “scraping” of 5 ads on Facebook and Instagram. See, e.g., Taylor Opp’n Decl. (dkt. 299-1) Ex. T at -14657 (April 6 2019 note reading: “Ads and targeted scraping is a priority for BU this half so to the extent they do 7 that at scale, I think it merits enforcement.”). There is also evidence that Meta knew some of its 8 advertising customers were using or interested in BrandTotal’s analytics services. See, e.g., id. 9 Ex. V (September 24, 2020 request to Karve from Meta’s “marketing insights team” for 10 information about UpVoice because “several advertiser partners [were] asking our sales team for 11 their POV on it’s [sic] capabilities,” to which Karve responded, “We’re enforcing on them this 12 week”); id. Ex. U (September 22, 2020 email among Facebook employees expressing interest in 13 better understanding BrandTotal and potentially exploring a partnership). 14 But as discussed above in the context Meta’s breach of contract claim, BrandTotal’s 15 scraping violates Meta’s terms of use, and BrandTotal has not met its burden to show that those 16 terms are unenforceable. Generally, “if a defendant’s ‘conduct was lawful and undertaken to 17 enforce its rights,’ it cannot be held liable for intentional interference with a contract even if it 18 knew that such conduct might interrupt a third party’s contract.” SIC Metals, Inc. v. Hyundai Steel 19 Co., 442 F. Supp. 3d 1251, 1256 (C.D. Cal. 2020) (quoting Webber v. Inland Empire Invs., 74 Cal. 20 App. 4th 884, 905 (1999)), aff’d, 838 F. Appx 315 (9th Cir. 2021). BrandTotal notes that SIC 21 Metals acknowledged an exception for fraud, see id. at 1257 (quoting Quelimane Co. v. Stewart 22 Title Guar. Co., 19 Cal. 4th 26, 56 (1998)). As discussed above, however, there is both 23 declaration testimony and corroborating evidence that Meta’s email to Google accurately reflected 24 its beliefs at the time about BrandTotal engaging in deceptive data collection. Discovery has now 25 closed, and BrandTotal identifies no evidence that Meta instead believed that BrandTotal provided 26 proper disclosures, or that its message was otherwise knowingly or recklessly false. 27 28 At the time of the events at issue, BrandTotal was routinely violating Meta’s terms of service at least by engaging in automated data collection without permission. Google determined 65 1 that UpVoice also violated the terms of its store by failing to “provide users with the proper 2 express opt-in for data collection” and “ privacy policies that were sufficiently clear regarding the 3 data collected.” See Ackerman Decl. ¶ 13. “[C]onsidering all circumstances including the nature 4 of the actor’s conduct and the relationship between the parties,” no reasonable jury could find on 5 this record that Meta reporting its genuinely held concerns about UpVoice’s data collection to 6 Google in order to allow Google to enforce its rules was illegitimate, even if—as appears to be the 7 case—the report was motivated in part by Meta’s desire to enforce its own separate contract terms 8 regarding automated access. Meta’s motion for summary judgment is therefore GRANTED as to 9 BrandTotal’s counterclaims for tortious interference, as well as the remaining UCL counterclaim 10 predicated on such interference. The Court does not reach the parties’ other arguments regarding these counterclaims, United States District Court Northern District of California 11 12 including whether BrandTotal’s contracts are enforceable, whether Meta knew of the contracts, 13 whether Meta’s interference proximately caused harm, and whether any conduct was 14 independently wrongful as needed to support a claim for interference with prospective relations or 15 an at-will contract. 16 V. 17 ADMINISTRATIVE MOTIONS TO FILE UNDER SEAL The parties have filed a number of administrative motions to file documents under seal, or 18 to consider whether an opponent’s confidential material should be sealed, in connection with the 19 present substantive motions and their motions to exclude expert testimony. See dkts. 245, 249, 20 250, 267, 270, 271, 280, 281, 287, 292, 294, 297, 298, 300, 302, 312, 313, 315, 326. All of the 21 motions at issue are “more than tangentially related to the merits of the case,” and thus require 22 “compelling reasons” to seal. See generally Ctr. for Auto. Safety v. Chrysler Grp., LLC, 809 F.3d 23 1092 (2016). 24 For the most part, the parties have limited their requests to sensitive information about 25 their respective operations that could cause competitive harm if disclosed. There is one exception: 26 BrandTotal’s designation of any discussion of its past practices of purchasing or creating “fake” 27 accounts to access Meta’s platforms. See, e.g., Defs.’ MSJ Reply at 18. BrandTotal asserts that it 28 does not use that technique anymore, so disclosing that it once did so does not reveal meaningful 66 United States District Court Northern District of California 1 information about its current operations that competitors or bad actors could exploit. Nor is the 2 disclosure of that concept likely to affect whether competitors might emulate it (and thereby gain 3 some advantage), since the idea of using a “fake” account to access social networking platforms is 4 obvious and widely used. See Defs.’ Opp’n to MSJ at 5 (“The use of ‘fake’ accounts is common 5 within the social media industry . . . .”). The parties’ motions to seal are DENIED as to passages 6 that BrandTotal considered confidential only based on discussion of that past practice. 7 Otherwise, the parties’ administrative motions to seal are GRANTED as to all proposed 8 redactions supported by their own or their opponent’s declarations, and DENIED as to material 9 identified for consideration of sealing solely based on an opponent’s designation that the opponent 10 did not seek to seal in a responsive declaration. BrandTotal shall file a statement no later than 11 June 10, 2022 identifying each of its confidentiality designations (for its own filings and Meta’s 12 filings) that is subject to the Court’s ruling above regarding fake accounts. If the Court finds 13 BrandTotal’s list insufficient, it will order further disclosure. The parties shall file revised public 14 versions conforming to this order—i.e., disclosing in the public record any opponent’s material 15 not substantiated with an opponent’s declaration, any material included on BrandTotal’s June 10, 16 2022 list, and any further information the Court might order disclosed—no later than June 24, 17 2022. 18 VI. 19 20 21 CONCLUSION For the reasons discussed above, Meta’s motion for sanctions and each party’s motion for summary judgment is GRANTED in part and DENIED in part. On the motion for sanctions, the Court finds that BrandTotal at least negligently failed to 22 preserve relevant evidence. The Court will instruct the jury that BrandTotal failed to preserve the 23 Rapid7 logs despite a duty to do so, and that the jury may draw an adverse inference if it finds that 24 failure was intentional. BrandTotal is ORDERED to reimburse seventy-five percent of Meta’s 25 fees and costs for bringing its sanctions motion. 26 Meta’s motion for summary judgment is GRANTED as to the following claims and issues: 27 (1) Meta is entitled to judgment on its claim for breach of contract; (2) Meta is entitled to 28 judgment on its CDAFA claim based on BrandTotal’s active data collection through legacy user 67 1 products beginning in October of 2020, and based on BrandTotal’s direct access to password- 2 protected pages on Meta’s platforms using fake or purchased user accounts; (3) Meta is entitled to 3 judgment on its UCL claim based on the same conduct; (3) the same conduct violated the CFAA, 4 and would entitle Meta to judgment on that claim if it can show resulting losses of at least $5,000; 5 and (4) Meta is entitled to judgment on all of BrandTotal’s remaining counterclaims. 6 7 (1) BrandTotal’s use of UpVoice 2021 does not violate the CFAA, the CDAFA or the UCL; and 8 (2) BrandTotal’s direct collection of data from non-password-protected pages on Meta’s platforms 9 does not violate the CFAA or the CDAFA, even where Meta has imposed technological barriers 10 United States District Court Northern District of California BrandTotal’s motion for summary judgment is GRANTED as to the following issues: attempting to block repeated or suspicious access. 11 The parties’ motions for summary judgment are otherwise DENIED. 12 The Court also GRANTS in large part the parties’ various administrative motions to file 13 under seal. In an abundance of caution, the Court has provisionally filed this order under seal. 14 Any party that believes any portion of this order cannot be publicly disclosed may bring a motion 15 identifying compelling reasons to maintain under seal narrowly tailored redactions no later than 16 June 3, 2022. If no such motion is filed by that date, the Court will file this order unredacted in 17 the public record. 18 19 20 21 IT IS SO ORDERED. Dated: May 27, 2022 ______________________________________ JOSEPH C. SPERO Chief Magistrate Judge 22 23 24 25 26 27 28 68
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.