Judge David S. Cunningham, Case Number: 23STCV11136, Date: 2024-03-18 Tentative Ruling

Judge: David S. Cunningham, Case: 23STCV11136, Date: 2024-03-18 Tentative Ruling

* sustained with leave to amend as to the first cause of action (California Invasion of Privacy Act (“CIPA”), section 631), fifth cause of action (unjust enrichment), sixth cause of action (Unfair Competition Law (“UCL”)), seventh cause of action (larceny), and eighth cause of action (conversion); and

* overruled as to consent, the second cause of action (CIPA, section 632), third cause of action (right of privacy), and fourth cause of action (invasion of privacy/intrusion upon seclusion).

Defendant’s motion to strike is granted with leave to amend as to punitive damages.

1. Patients rightfully expect that their healthcare concerns and choices will be private. And the law protects the privacy of healthcare information. This case is about a serious violation of that core privacy interest.

2. Plaintiff, like millions of other class members, obtained healthcare from Kaiser Permanente (“Kaiser”). As for any medical provider, state and common law protect the privacy of the healthcare information held by Kaiser and exchanged between Plaintiff and Class Members, on the one hand, and Kaiser, on the other.

3. One place that legal protection is important is the Kaiser Website, which Kaiser Members use to access their medical records, including prescriptions and immunizations, research their medical conditions, find and communicate with doctors, and undertake other interactions related to the provision of healthcare services.

4. Unfortunately and unlawfully, Defendant . . . repeatedly and systematically violated that legally-protected privacy interest by extracting private health and personally identifiable information from Kaiser Members’ communications with the Kaiser Website.

5. Through Defendant’s code embedded on the Kaiser Website, Defendant has vacuumed up information about Kaiser Members’ medical conditions, immunizations, prescriptions, physician information, and other private data, including healthcare search terms, videos watched, and links accessed. All of that information is linked to particular patients because Defendant takes that data together with unique identifiers that allow Defendant to identify the corresponding Kaiser Member.

6. Plaintiff and Class Members did not consent to Defendant’s taking of this highly sensitive and legally-protected medical and other information. Defendant’s conduct is unlawful, and it must be stopped.

When considering demurrers, courts read the allegations liberally and in context, and “treat the demurrer as admitting all material facts properly pleaded, but not contentions, deductions or conclusions of fact or law.” (Serrano v. Priest (1971) 5 Cal.3d 584, 591.) “A demurrer tests the pleadings alone and not the evidence or other extrinsic matters. Therefore, it lies only where the defects appear on the face of the pleading or are judicially noticed.” (Hahn v. Mirda (2007) 147 Cal.App.4th 740, 747.) It is error “to sustain a demurrer without leave to amend if the plaintiff shows there is a reasonable possibility any defect identified by the defendant can be cured by amendment.” (Aubry v. Tri-City Hospital Dist. (1992) 2 Cal.4th 962, 967.)

“Motions to strike can be used to reach defects in or objections to pleadings that are not challengeable by demurrer.” (Edmon & Karnow, Cal. Practice Guide: Civ. Procedure Before Trial (The Rutter Group June 2023 Update) ¶ 7:156.) “Complaints, cross-complaints, answers and demurrers are all subject to a motion to strike [citation].” (Ibid.) “Moreover, a motion to strike can be used to attack the entire pleading, or any part thereof – i.e., even single words or phrases (unlike demurrers).” (Ibid.)

The motion can be used to strike “any ‘irrelevant, false or improper matter inserted in any pleading’” or “any pleading or part thereof ‘not drawn or filed in conformity with the laws of this state, a court rule, or an order of the court.’” (Id. at ¶ 7:167, emphasis in original.)

Defendant contends the demurrer should be sustained as to all causes of action because Plaintiff “consented to Kaiser’s service providers, like Adobe, processing her data to provide services to Kaiser.” (Motion, p. 7.) Defendant claims Plaintiff consented by agreeing to the privacy statement on Kaiser’s website each time she logged in. (See id. at pp. 5-7; see also Reply, pp. 1-3.)

* Defendant’s argument is based on documents that should not be judicially noticed (see ibid.); and

– does not include “an express disclosure that a third party is acquiring” the user’s “medical information” (id. at p. 5, emphasis in original).[1]

According to Defendant, the privacy statement appears on Kaiser’s website. Defendant asks the Court to judicially notice printouts from the website so that the privacy statement can be part of the record. (See RJN, Exs. B-T.)

The Court finds that the RJN should be denied because the website pages lack authentication and verification, but, alternatively, the Court could only judicially notice the existence of the documents, not the truth of their contents.[2]

Notably, it is unclear on the faces of the printouts whether the privacy statement remained consistent and in place for the entire alleged class period. The printouts are dated July 29, 2012 (Exhibit T), January 22, 2014 (Exhibit S), August 26, 2016 (Exhibit R), July 10, 2019 (Exhibit Q), April 1, 2020 (Exhibit P), September 15, 2020 (Exhibit O), April 19, 2021 (Exhibit N), August 29, 2021 (Exhibit M), and September 15, 2023 (Exhibit L). (See id. at p. 13.) The alleged class period for the UCL class, for example, would start four years before the filing of the complaint on May 16, 2023 – i.e., May 16, 2019. (See Stern, Business & Professions Code Section 17200 Practice (The Rutter Group March 2023 Update) ¶ 5:290 [noting that the UCL statute of limitations is four years].) The documents cover particular days in 2019, 2020, 2021, and 2023, and there is nothing for the year 2022. While Defendant wants the Court to assume that the privacy statement stayed the same throughout the alleged class period, it would be improper to make an assumption at the demurrer stage.

The documents also raise factual issues concerning conspicuousness and the steps by which users agreed to the privacy statement. It appears from the printouts of the login page that users had the option of clicking on a link to the privacy statement yet were not obligated to click on it. The link was in small font, creating doubt as to whether it was conspicuous enough. (See RJN, Ex. L, p. 148, Ex. K, p. 150.)

We may also disclose your personal information to third parties who provide services on our behalf to help with our business activities. These companies are authorized to use your personal information only as necessary to provide these services to use pursuant to written instructions. In such cases, these companies must abide by our data privacy and security requirements, and are not allowed to use your personal information they receive from use for any other purpose.

(Id. at Ex. L, § 13, emphasis added.) It is interesting that the statement utilizes the term “personal information.” “Personal information” is defined as “information that is individually identifiable.” (Id. at Ex. L, p. 152.) Missing from the definition, though, is a reference to medical information, which tends to render the definition vague, at least for now.

For these reasons, the Court rejects Defendant’s consent argument at this stage. The issue should be decided on a full record via a merits motion or at trial.

“Section 631 has been interpreted by California courts as containing three different clauses which cover ‘three distinct and mutually independent patterns of conduct.’” (Valenzuela v. Nationwide Mutual Ins. Co. (C.D. Cal. Aug. 14, 2023) No. 2:22-cv-06177-MEMF-SK, 2023 WL 5266033, at *3.) “The three patterns of conduct that Section 631 prohibits are: (1) ‘intentional wiretapping;’ (2) ‘attempting to learn the contents or meaning of a communication in transit over a wire;’ and (3) ‘attempting to use or communicate information obtained as a result of engaging in either of the previous two activities.’” (Ibid.) “In addition to these three clauses, Section 631 contains an aiding provision which imposes liability on anyone who ‘aids, agrees with, employs, or conspires with any person or persons’ in violating the three clauses described above.” (Ibid.)

Defendant asserts that Plaintiff’s cause of action only involves the second clause. Defendant contends the demurrer should be sustained because “[s]oftware providers, like Adobe, fall within [a] well-established ‘party exception’ when a website owner (Kaiser) uses them merely as an ‘extension’ or ‘tool,’ akin to a tape recorder as opposed to an independent third party who can later do something more with the information.” (Motion, p. 8; see also id. at pp. 9-10; Reply, pp. 3-4.)

In response, Plaintiff contends Defendant is liable because it “had the capability to use the collected information for other purposes[.]” (Opposition, p. 9.)

The case law on this issue is split. Both sides cite multiple cases that support their positions. (See Motion, p. 8 [citing Graham v. Noom (N.D. Cal. 2021) 533 F.Supp.3d 823]; see also id. at p. 9 n.8 [citing several other cases]; Opposition, pp. 9-10 [citing Javier v. Assurance IQ, LLC (N.D. Cal. 2023) 649 F.Supp.3d 891, among other cases].) The cited cases are federal decisions.

Defendant’s cases, led by Graham, seem to be policy-based whereas Plaintiff’s cases, led by Javier, focus on section 631’s plain language.

Statutory interpretation is supposed to start with the statute’s text. (See Medical Bd. of California v. Superior Court (2001) 88 Cal.App.4^th 1001, 1013.) Policy matters should come into play when the language is ambiguous and susceptible to more than one reasonable interpretation. (See Grassi v. Superior Court (2021) 73 Cal.App.5^th 283, 291.) When that happens, a court should review the legislative history, “look to additional canons of statutory construction” if need be, and then resort to policy considerations. (Ibid.; see also Imperial Merchant Services, Inc. v. Hunt (2009) 47 Cal.4^th 381, 388.)

The Court appreciates the policy arguments in Defendant’s cases, but Plaintiff’s cases appear more compatible with the plain language. The second clause makes it unlawful when a person “willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit[.]” (Cal. Penal Code § 631, subd. (a).) Using or attempting to use the information, which Defendant’s cases require (see Graham, supra, 533 F.Supp.3d at 832 [reasoning that the plaintiff failed to allege that the third party “intercepted and used the data itself”]), is not part of the second clause; it is part of the third clause. Adding a use element to the second clause probably makes it indistinguishable from the third clause.

Nevertheless, the demurrer should be sustained with leave to amend. Plaintiff fails to highlight a paragraph in the complaint that alleges that Defendant had the capability to use Plaintiff’s personal information for another purpose. (See Complaint, ¶¶ 109-121.) Under her own cases, she needs to allege these kinds of facts to state a claim. (See, e.g., Javier, supra, 649 F.Supp.3d at 900 [denying motion to dismiss because the plaintiff alleged that the third party “can use that information for other purposes”].)

(a) A person who, intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication, whether the communication is carried on among the parties in the presence of one another or by means of a telegraph, telephone, or other device, except a radio, shall be punished by a fine not exceeding two thousand five hundred dollars ($2,500) per violation, or imprisonment in a county jail not exceeding one year, or in the state prison, or by both that fine and imprisonment. . . .

Defendant contends the cause of action fails because Adobe did not use the alleged device, “and there are no well-pled allegations that Adobe intended to record any confidential communications without consent.” (Motion, p. 10; see also id. at pp. 11-12; Reply, pp. 4-5.)

Plaintiff claims Defendant’s argument “ignores the factual allegations that Adobe intercepted communications between patients and their medical provider, collected that data, and sent the Private Data to Adobe’s own servers.” (Opposition, p. 11, emphasis in original.)

Defendant’s first argument is unavailing. Defendant asserts that the device is Adobe software and that Kaiser, not Defendant, used the software on Kaiser’s website “to provide better service to its website users.” (Motion, p. 10.) The assertion is at odds with the complaint. Numerous paragraphs allege that Defendant intercepted and collected users’ data from the Kaiser website and transmitted the data to Defendant’s servers. (See, e.g., Complaint, ¶¶ 32, 34, 48, 90, 132.) The allegations allege use.

The Court also disagrees with Defendant’s second argument. Defendant cites Lozano v. City of Los Angeles (2022) 73 Cal.App.5^th 711 and Federated University Police Officers’ Association v. Regents of the University of California (C.D. Cal. July 29, 2015) No. 15-CV-00137-JLS-RNBx, 2015 WL 13273308 (“Federated”), claiming the complaint fails to state facts showing intent to record. (See Motion, pp. 11-12.) The Court found just one paragraph that expressly mentions intent – paragraph 130. It is based on information and belief. (See Complaint, ¶ 130.) Still, the situation here is different than the situation in Lozano, a writ-of-mandate case, where the defendant only understood that “it was deploying recording devices that might happen to record a confidential communication[.]” (Lozano, supra, 73 Cal.App.5^th at 728, emphasis in original.) Plaintiff’s allegation that Defendant knew the Adobe software was recording users’ personal information must be accepted as true, and intent can be inferred from the paragraphs stating that Defendant intercepted, collected, and transmitted the information to Adobe-controlled servers.[3]

“[A] plaintiff alleging an invasion of privacy in violation of the state constitutional right to privacy must establish each of the following: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.” (Feminist Women’s Health Center v. Superior Court (1997) 52 Cal.App.4^th 1234, 1246.)

* “Adobe is a mere extension or tool of Kaiser” (Motion, p. 12; see also Reply, pp. 5-6); and

* “courts are unwilling to find a legally protected interest in browsing data for only one website, as opposed to scrapping data across the entire Internet” (Motion, p. 12; see also Reply, p. 6).

The Court reiterates that case law is split as to the mere-extension exception. The Court declines to apply the exception here because Defendant’s cases appear to be inconsistent with the statutory language.

At this point, Plaintiff’s action seems different than Defendant’s two one-website cases. Yoon v. Lululemon USA, Inc. (C.D. Cal. 2021) 549 F.Supp.3d 1073 cites In re Google Location History Litigation (N.D. Cal. 2019) 428 F.Supp.3d 185 (“Google”) for the proposition that “courts have been less willing to find that users have a cognizable privacy interest in browsing data collected only while users interact with the website of the defendant company.” (Yoon, supra, 549 F.Supp.3d at 1086, emphasis added.) “Plaintiff challenges Adobe’s collection of data during patients’ use of Kaiser’s website.” (Opposition, pp. 12-13, emphasis in original.) Defendant does not cite a case applying the one-website rule to the facts alleged here.

To the extent Defendant contends Plaintiff fails to identify a legally protected privacy interest, the Court disagrees. Paragraph 136 states: “Plaintiff and Class Members have a legally protected privacy interest in their Private Data, including PHI and PII, that Defendant has intercepted and collected.” (Complaint, ¶ 136.) Plaintiff’s personal information consisted, in part, of personal medical information. Unless defense counsel cites a case at the hearing that holds, as a matter of law, that users do not have a protected privacy interest in their personal medical information, the Court intends to find the first element satisfied.

The second and third elements necessitate factual determinations. (See Google, supra, 428 F.Supp.3d at 196 [“Whether a plaintiff has a reasonable expectation of privacy in the circumstances and whether a defendant's conduct constitutes a serious invasion of privacy are mixed questions of law and fact.”].)[4]

An “action for intrusion [upon seclusion] has two elements: (1) intrusion into a private place, conversation or matter, (2) in a manner highly offensive to a reasonable person.” (Shulman v. Group W Productions, Inc. (1998) 18 Cal.4^th 200, 231.)

The demurrer is overruled. The arguments and analysis for intrusion are the same as the arguments and analysis for the right-of-privacy cause of action. (See Motion, pp. 12-14; see also Opposition, pp. 12-14; Reply, pp. 5-6.)[5]

The parties disagree as to whether unjust enrichment can be a standalone cause of action. (See Motion, pp. 19-20; see also Opposition, p. 20; Reply, p. 10.)

The demurrer is sustained. There is a split of authority (see, e.g., O’Grady v. Merchant Exchange Productions, Inc. (2019) 41 Cal.App.5^th 771, 791 [recognizing the split]), but the Second District Court of Appeal lands on the side of it not being a cause of action. (See Bank of New York Mellon v. Citibank, N.A. (2017) 8 Cal.App.5^th 935, 955 [stating that “[u]njust enrichment is not a cause of action, . . . or even a remedy, but rather a general principle, underling various legal doctrines and remedies”], internal quotation marks omitted; see also Jogani v. Superior Court (2008) 165 Cal.App.4^th 901, 911 [same].)

The Court grants Plaintiff leave to amend to assert unjust enrichment in connection with a recognized cause of action.

“[T]he UCL permits a cause of action to be brought if a practice violates some other law. In effect, the ‘unlawful’ prong of § 17200 makes a violation of the underlying law a per se violation of § 17200.” (Stern, supra, at ¶ 3:53.) “Virtually any law or regulation — federal or state, statutory or common law — can serve as predicate for a § 17200 ‘unlawful’ violation. Thus, if a ‘business practice’ violates any law — literally — it also violates § 17200 and may be redressed under that section. [Citation.] As the California Supreme Court has said, § 17200 ‘borrows’ violations of other laws and treats them as unlawful practices independently actionable under § 17200.” (Id. at ¶ 3:56.)

“The second ‘wrong’ proscribed by § 17200 is ‘unfair’ business practices. Because § 17200's definition of the five proscribed ‘wrongs’ is set forth in the disjunctive, a business practice can be ‘unfair’ — and violative of § 17200 — even if it is not ‘deceptive’ and even if it is ‘lawful.’” (Id. at ¶ 3:112.) “The ‘unfair’ standard is intentionally broad, allowing courts maximum discretion to prohibit new schemes to defraud.” (Id. at ¶ 3:113.)

“The third type of conduct proscribed by § 17200 is ‘fraudulent’ business practices.” (Id. at ¶ 3:153.) “A business practice is ‘fraudulent’ within the meaning of § 17200 if ‘members of the public are likely to be deceived.’” (Id. at ¶ 3:154.) “An advertisement's potentially deceptive effect is measured by the audience to which it is addressed. Under the UCL and False Advertising statute, this will usually be the ‘reasonable person’ standard.” (Ibid.)

Proposition 64 limits “private standing . . . to any ‘person who has suffered injury in fact and has lost money or property’ as a result of unfair competition [citations].” (Kwikset Corp. v. Superior Court (2011) 51 Cal.4^th 310 320-321.) “The intent of this change was to confine standing to those actually injured by a defendant's business practices and to curtail the prior practice of filing suits on behalf of clients who have not used the defendant's product or service, viewed the defendant's advertising, or had any other business dealing with the defendant. . . .” (Id. at 321, internal quotation marks omitted.)

Defendant contends Plaintiff lacks standing because personal information does not qualify as lost property. (See Motion, pp. 16-17; see also Reply, pp. 8-9.)

Plaintiff claims several courts have determined that “allegations of improper collection of plaintiff’s personal information is an economic injury that confers standing.” (Opposition, p. 17.)

“The law is volatile as to whether loss of private information – e.g., as a result of a data breach – constitutes loss of money or property.” (Stern, supra, at ¶ 7:72.5.) “Many cases hold that it does not.” (Ibid. [collecting cases]; see also Guzzetta, Cal. Practice Guide: Privacy Law (The Rutter Group November 2023 Update) ¶ 2:754 [collecting cases and stating that “courts ‘have consistently rejected’ use of personal information . . . as equivalent to loss of ‘money or property’”].)

The Court turns to Moore v. Centrelake Medical Group, Inc. (2022) 83 Cal.App.5^th 515. There, the Second District held that the plaintiffs’ benefit-of-the-bargain theory supported standing (see Moore, supra, 83 Cal.App.5^th at 527-530) but their lost-value theory did not:

Appellants properly pled only that their PII was stolen and disseminated, and that a market for it existed. They did not allege they ever attempted or intended to participate in this market, or otherwise to derive economic value from their PII. Nor did they allege that any prospective purchaser of their PII might learn that their PII had been stolen in this data breach and, as a result, refuse to enter into a transaction with them, or insist on less favorable terms. In the absence of any such allegation, appellants failed to adequately plead that they lost money or property in the form of the value of their PII.

Plaintiff and Defendant both discuss Moore. Plaintiff argues that the lost-value portion is dicta and that the Court should follow In re Facebook, Inc. Internet Tracking Litigation (9^th Cir. 2020) 956 F.3d 589 (“Facebook Tracking”) instead. (See Opposition, p. 17.) Defendant contends Moore is on point. (See Reply, pp. 8-9.)

The Court agrees with Defendant. Moore is a published Second District opinion, it postdates Facebook Tracking, and Facebook Tracking did not involve a UCL claim. (See Facebook Tracking, supra, 956 F.3d at 597.)

Moore helps Defendant and hurts Plaintiff in two ways. One, Plaintiff does not allege a benefit-of-the-bargain theory in the complaint. Two, her lost-value allegations are conclusory and do not contain all of the details that Moore requires. (See, e.g., Complaint, ¶ 179.)

The demurrer is sustained with leave to amend to add allegations that establish standing in line with Moore.

Defendant asserts that the unlawful prong is unsatisfied because Plaintiff fails to allege a violation of an underlying statute and that the unfair prong is unsatisfied because Plaintiff fails to allege specific facts that show “immoral, unethical, oppressive, unscrupulous or substantially injurious” conduct. (Motion, p. 18; see also Reply, pp. 9-10.)

The Court disagrees as to the unlawful prong. Any of the other causes of action in the complaint can be a predicate for Plaintiff’s unlawful UCL claim. The viability of the claim depends on whether she sufficiently alleges at least one of the other causes of action. Because she alleges a section 632 claim and privacy claims, the unlawful prong is met.

Defendant’s argument regarding the unfair prong is basically a lack-of-detail argument. Since leave to amend is granted for the standing issue, Plaintiff should feel free to use that opportunity to add detail to the unfair UCL claim as well (if she wants to).

Defendant claims restitution and disgorgement are unavailable because “Plaintiff does not allege that [Defendant] took money from her at all[.]” (Motion, p. 19.)

Plaintiff contends the complaint alleges that Defendant’s conduct diminished the value of her private information. She contends she is entitled to restitution as a consequence. (See Opposition, pp. 19-20.)

The Court agrees with Defendant. Plaintiff’s cited case – Brown v. Google LLC (N.D. Cal., Dec. 12, 2021) No. 20-CV-03664-LHK, 2021 WL 6064009 – does suggest that restitution can be recovered by a plaintiff who alleges, and is able to quantify, a “diminution” in the value of his or her personal information. (Brown, supra, 2021 WL 6064009, at *18.) However, as explained above in the standing section and below in the conversion section, Plaintiff’s diminished-value allegations are conclusory. The demurrer is sustained with leave to amend.

“[T]he elements required to show” larceny “are simply that [1] property was stolen or obtained in a manner constituting theft, [2] the defendant knew the property was so stolen or obtained, and [3] the defendant received or had possession of the stolen property.” (Switzer v. Wood (2019) 35 Cal.App.5^th 116, 126.)

* Plaintiff fails to allege that Defendant stole her data (see ibid.; see also Reply, p. 8);

* “there are no specific allegations that [Defendant] had actual knowledge that it was ‘receiving’ stolen property” (Motion, p. 16; see also Reply, p. 8);

* the allegedly stolen data is in Kaiser’s possession, not Defendant’s (see ibid.); and

The first point is addressed in the conversion section. In summary, there is a split of authority.

In response to the third point, Plaintiff cites paragraph 185, which states that “Defendant knew that this data was obtained in a manner constituting theft.” (Complaint, ¶ 185.) The statement is conclusory, so the Court is inclined to sustain the demurrer with leave to amend unless, during oral arguments, Plaintiff’s counsel is able to identify other paragraphs with specific allegations showing knowledge.[6]

The fourth point is unavailing. The complaint states that the data is collected by Defendant and transmitted to Defendant’s servers. (See id. at ¶ 32.) This is sufficient.

The fifth point is correct. The demurrer is sustained with leave to amend because Plaintiff’s damages allegations are conclusory (further detail is provided in the conversion section).

“‘Conversion is the wrongful exercise of dominion over the property of another. The elements of a conversion claim are: (1) the plaintiff's ownership or right to possession of the property; (2) the defendant’s conversion by a wrongful act or disposition of property rights; and (3) damages. . . .’ [Citation.]” (Welco Electronics, Inc. v. Mora (2014) 223 Cal.App.4^th 202, 208.)

Defendant contends the conversion cause of action fails because personal data is not property, and Plaintiff fails to allege damages. (See Motion, pp. 14-15; see also Reply, pp. 7-8.)

Plaintiff asserts that “modern precedents recogniz[e] ‘the property value of personal information.’” (Opposition, p. 14.)

Defendant’s cases – federal decisions – purport to analyze conversion under California law and hold that “‘personal information’ does not constitute property.” (Low v. LinkedIn Corp. (N.D. Cal.. 2012) 900 F.Supp.2d 1010, 1030 [finding that “personal browsing history and other personally identifiable information – including full name, email address, mailing address, zip code, telephone number, and credit card number” did not qualify as property]; see also In re iPhone Application Litigation (N.D. Cal. 2012) 844 F.Supp.2d 1040, 1075 [finding the same as to “user’s location, zip code, device identifier, and other data”].)

Plaintiff’s cases, while not conversion actions, do identify a change in the way personal information is viewed. Opris v. Sincera Reproductive Medicine (E.D. Pa. May 24, 2022) No. 21-3072, 2022 WL 1639417 is a negligence case under Pennsylvania law. It states that there is a “growing trend . . . to recognize” “the property value of personal information.” (Opris, supra, 2022 WL 1639417, at *8.) Calhoun v. Google LLC (N.D. Cal. 2021) 526 F.Supp.3d 605 analyzes the UCL. It holds that loss of personal information suffices as lost property for standing under the UCL. (See Calhoun, supra, 526 F.Supp.3d at 636; see also In re Marriott International, Inc., Customer Data Security Breach Litigation (D. Md. 2020) 440 F.Supp.3d 447, 461 [analyzing Article III standing]; In re Yahoo! Inc. Customer Data Security Breach Litigation (N.D. Cal. Aug. 30, 2017) No. 16-MD-02752-LHK, 2017 WL 3727318, at *14 [same].)

A significant question for the Court is how the Second District would rule. What is more likely? That the Second District would side with the trend or would not?

In 2011, the Second District rejected a UCL claim because the plaintiffs failed to demonstrate that “collection and recordation of their personal identification information” “translate[d] into a loss of money or property.” (Archer v. United Rentals, Inc. (2011) 195 Cal.App.4^th 807, 816.)

In 2022, the Second District held that the plaintiffs’ lost-value allegations failed to confer standing. (See Moore, supra, 83 Cal.App.5^th at 538.)

The Second District decisions, especially Moore, suggest that personal information can be property if the allegations contain the requisite details. (See ibid.) Though a UCL claim is not the same as a conversion claim, the Court finds the decisions persuasive and analogous since the UCL requires lost property for standing. Indeed, the Court cannot think of a policy reason for treating the meaning of property under the UCL differently than the meaning of property for conversion.

Defendant contends the request for punitive damages should be stricken because Plaintiff fails to allege malice, oppression, or fraud with particularity and to identify misconduct by specific corporate employees. (See Motion, p. 20; see also Reply, p. 10.)

Plaintiff contends it is premature to strike the request since “additional facts . . . may be revealed” through discovery. (Opposition, p. 20.)

[1] Plaintiff claims Kaiser’s notices of privacy practices expressly state that Kaiser will get the user’s express consent before disclosing personal health information. (See id. at p. 7.) The notices are not part of the record, and there is no request to judicially notice them. The

[2] The Court is judicially noticing Exhibit A because it is a public document filed with the federal government.

[3] Federated is distinguishable. The Federated complaint alleged that the defendant “merely s[old] and install[ed] the recording system.” (Federated, supra, 2015 WL 13273308, at *10.) Plaintiff’s complaint alleges interception, collection, and transmission to Defendant’s servers.

[4] Defendant claims “Plaintiff did not have a reasonable expectation of privacy because Kaiser squarely disclosed in its Privacy Statement that data is shared with third-party providers like Adobe.” (Motion, p. 13.) This argument is discussed in the consent section. To repeat, consent is a factual issue.

[5] Analysis of the right-of-privacy and intrusion elements “is effectively identical” such that both claims often get analyzed together. (Google, supra, 428 F.Supp.3d at 196.)

[6] Plaintiff also cites paragraphs 31, 32, and 52. (See Opposition, p. 16.) They say nothing about Defendant’s purported knowledge of receiving stolen property. (See Complaint, ¶¶ 31, 32, 52.)

[7] The Court agrees with Defendant that the damages allegations are conclusory. Paragraph 89 states that unauthorized access to Plaintiff’s private information “has diminished the value” of the data. (Complaint, ¶ 89.) Paragraph 190 states that Plaintiff has been “damaged[.]” (Id. at ¶ 190.) Plaintiff should amend to add facts explaining the alleged diminishment. (See Motion, pp. 14-15; see also Reply, pp. 7-8.)