Judge Upinder S. Kalra, Case Number: 23STCV16165, Date: 2024-02-07 Tentative Ruling

1. Demurrer to the entire First Amended Complaint for failure to state sufficient facts to constitute a cause of action and for uncertainty.

2. Motion to Strike various portions of the First Amended Complaint that pertain to punitive damages and attorneys’ fees.

1. Defendant’s Demurrer is SUSTAINED as to the Second Cause of Action with leave to amend;

2. Defendant’s Demurrer is OVERRULED as to the First, Third, Fourth, and Fifth Causes of Action;

On July 11, 2023, Plaintiff Jose J. Licea (Plaintiff) filed a Complaint against Defendant Globecast America Incorporated d/b/a Globecast.com (Defendant) with five causes of action for: (1) California Unauthorized Access to Computer Data Act Penal Code Section 502; (2) California Invasion of Privacy Act Penal Code Section 630-638; (3) California Invasion of Privacy; (4) Intrusion Upon Seclusion; and (5) Publication of Private Information.

On October 24, 2023, Plaintiff filed the operative First Amended Complaint (FAC) with five causes of action for: (1) Comprehensive Computer Data and Access Fraud Act Penal Code Section 502; (2) California Invasion of Privacy Act Penal Code Section 638.51; (3) California Invasion of Privacy; (4) Intrusion Upon Seclusion; and (5) Publication of Private Information.

According to the FAC, Defendant uses spyware on its website to obtain user data in real-time and share it with others. Plaintiff is a consumer privacy advocate who works as a tester to ensure that companies abide by the privacy obligations imposed by federal law.

On December 26, 2023, Defendant filed the instant demurrer and motion to strike. On January 25, 2024, Plaintiff filed oppositions. On January 31, 2024, Defendant filed replies.

The court grants Defendant’s request for judicial notice as to Exhibit A and Exhibit B. (Evid. Code § 452(d), (h); See Kalnoki v. First American Trustee Servicing Solutions, LLC (2017) 8 Cal.App.5th 23,37.) However, the court only takes judicial notice of the foregoing documents only as to “the existence, content and authenticity of public records and other specified documents”; it does not take judicial notice of the truth of the factual matters asserted in those documents. (Dominguez v. Bonta (2022) 87 Cal. App. 5th 389, 400.)¿¿The court denies Plaintiff’s request for judicial notice.

A demurrer for sufficiency tests whether the complaint states a cause of action.¿(Hahn v. Mirda¿(2007) 147 Cal.App.4th 740, 747.) When considering demurrers, courts read the allegations liberally and in context.¿In a demurrer proceeding, the defects must be apparent on the face of the pleading or via proper judicial notice.¿(Donabedian v. Mercury Ins. Co. (2004) 116 Cal.App.4th 968, 994.)¿“A demurrer tests the pleadings alone and not the evidence or other extrinsic matters. …. The only issue involved in a demurrer hearing is whether the complaint, as it stands, unconnected with extraneous matters, states a cause of action.”¿(Hahn¿147 Cal.App.4th at 747.)

The court may, upon a motion, or at any time in its discretion, and upon terms it deems proper, strike any irrelevant, false, or improper matter inserted in any pleading. (CCP § 436(a).) The court may also strike all or any part of any pleading not drawn or filed in conformity with the laws of this state, a court rule, or an order of the court. (Id., § 436(b).) The grounds for moving to strike must appear on the face of the pleading or by way of judicial notice. (Id.¿§¿437.)¿“When the defect which justifies striking a complaint is capable of cure, the court should allow leave to amend.” (Vaccaro v. Kaiman¿(1998) 63 Cal.App.4th 761, 768.)¿

Prior to filing a demurrer, the demurring party is required to satisfy their meet and confer obligations pursuant to Code of Civ. Proc. (CCP) §430.41 and demonstrate that they so satisfied their meet and confer obligation by submitting a declaration pursuant to CCP §430.41(a)(2) & (3). The meet and confer requirement also applies to motions to strike. (CCP § 435.5.) Here, Defendant refers to a supporting declaration indicating meet and confer efforts, but the court does not find such a declaration included with the moving papers. According to the notice in the Demurrer, the parties exchanged emails on November 13, 15, and 27, 2023. It is unclear what the parties discussed, if anything. As such, the court cannot determine if meet and confer sufficiently occurred. Still, failure to meet and confer is not a sufficient ground to overrule or sustain a demurrer. (CCP § 430.41(a)(4).)

First Cause of Action – Comprehensive Computer Data and Access Fraud Act, Penal Code § 502

Defendant contends that Plaintiff lacks standing to sue because he has not alleged economic harm or loss and that Plaintiff failed to allege that Defendant accessed his data without permission. Plaintiff argues that his IP address holds value, that consent is an affirmative defense, and that he has sufficiently alleged lack of consent.

Cal. Penal Code § 502(e) (Sec. 502) allows “civil action against the violator [of subdivision c] for compensatory damages and injunctive relief or other equitable relief.” Someone violates Sec. 502(c)(1) when they “[k]nowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.” Someone violates Sec. 502(c)(2) when they “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”

· “Access” means to gain entry to, instruct, cause input to, cause output from, cause data processing with, or communicate with, the logical, arithmetical, or memory function resources of a computer, computer system, or computer network. (502(b)(1))

· “Data” means a representation of information, knowledge, facts, concepts, computer software, or computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device. (502(b)(8))

· “Injury” means any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by the access, or the denial of access to legitimate users of a computer system, network, or program. (502(b)(10))

The statute does not define “without permission.” While the court is unaware of any California authority interpreting § 502, one federal court interpreted it in the context of continued access after receiving a letter rescinding permission (Facebook, Inc. v. Power Ventures, Inc., (2016) 844 F.3d 1058), others say that circumventing technical or code-based barriers in place to restrict a user’s access may be sufficient (West v. Ronquillo-Morgan (2020) 526 F.Supp.3d 737; Williams v. Facebook, Inc. (2018) 384 F.Supp.3d 1043), and others do not require such technical circumvention but apply a plain meaning to the phrase (Greenley v. Kochava, Inc. 2023 WL 4833466).

Upon reviewing the FAC, Plaintiff has sufficiently alleged facts supporting a cause of action for violation of Section 502(c)(2). First, Plaintiff alleges that Defendant “obtained the IP address of Plaintiff,” “match[ed] Plaintiff’s IP address with Plaintiff’s name, face, location, e-mail, and browsing history,” and “embedded Plaintiff’s identity into LP’s [sic] extensive ‘gray market CAI database.” (FAC ¶ 21.) Second, Plaintiff alleges that as a result of Defendant’s conduct “Plaintiff has been de-anonymized and plaintiff’s personal information has been added to LF’s extensive database and shared with thousands of companies,” “Plaintiff has been bombarded with targeted advertising,” “Plaintiff can no longer surf the web anonymously,” and “Plaintiff has been exposed to heightened risk of identity theft.” (FAC. ¶ 23.) Third, Plaintiff alleges that he did not “provide authorization for the use of Plaintiff’s personal information nor did Plaintiff have any control over its use to produce revenue.” (FAC ¶ 34.) Taken together, this sufficiently alleges a violation of Sec. 502(c)(2), which Plaintiff claims in the FAC. (FAC ¶ 29.)

Accordingly, the court OVERRULES the demurrer as to the first cause of action.

Second Cause of Action – California Invasion of Privacy Act, Penal Code § 638.51

Defendant contends Penal Code § 638.51 was intended to protect against unlawful intrusions by law enforcement in the criminal context and that Plaintiff consented to the collection of his information. Plaintiff argues that a plain reading of Penal Code § 638.51 supports his interpretation that the statute is not limited to law enforcement as “persons,” that the legislative history does not limit the scope to law enforcement personnel, and that Defendant’s consent argument lacks merit.

This statute prohibits any person from installing or using a pen register (defined in Penal Code § 638.50(b)) or trap and trace device (defined in Penal Code. § 638.50(c)) without first obtaining a court order. (Penal Code § 638.51(a), (d)—good faith reliance on court order is complete defense to civil or criminal action brought under this section.)

Upon reviewing the FAC, Plaintiff has not sufficiently alleged a cause of action for violating Section 638.51. Notably, Plaintiff did not allege that Defendant acted “without first obtaining a court order.” The court is not otherwise persuaded, and declines to develop, Defendant’s argument that Section 638.51 only applies to law enforcement.

Accordingly, the court SUSTAINS the demurrer as to the second cause of action with leave to amend.

Third Cause of Action & Fourth Cause of Action – California Invasion of Privacy & Intrusion Upon Seclusion

Defendant contends that Plaintiff’s consent bars his claims for invasion of privacy and intrusion upon seclusion. Plaintiff argues consent is an affirmative defense and that Plaintiff has sufficiently alleges lack of consent.

Generally, invasion of privacy requires: (1) a legally protected privacy interest; (2) reasonable expectation of privacy under the circumstances; and (3) defendant’s serious invasion of privacy. Four distinct kinds of activities have been found to violate this privacy protection and give rise to tort liability: (1) intrusion into private matters; (2) public disclosure of private facts; (3) publicity placing a person in a false light; and (4) misappropriation of a person’s name or likeness. To prevail on an invasion of privacy claim, the plaintiff must have conducted himself or herself in a manner consistent with an actual expectation of privacy. (Moreno v. Hanford Sentinel, Inc. (2009) 172 Cal.App.4th 1125, 1129; Lachtman v. Regents of University of California (2007) 158 Cal.App.4th 187, 213.)

Intrusion upon private affairs requires: (1) the defendant must intentionally intrude into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy; and (2) the intrusion must occur in a manner highly offensive to a reasonable person. (Hernandez v. Hillsides, Inc. (2009) 47 Cal.4th 272, 286.)

Upon reviewing the FAC, Plaintiff has sufficiently alleged a cause of action for invasion of privacy. First, Plaintiff alleges a privacy interest in his web-browsing history and personal information. (FAC ¶ 48.) Second, Plaintiff alleges that Defendant secretly accessed Plaintiff’s device, gathering personal details about Plaintiff (IP address, name, face, location, e-mail, browsing history) and facilitated the disclosure of this personal information to third parties who did not have legal access to the information. (FAC ¶¶ 21, 46, 47, and 50.)

Similarly, Plaintiff has also sufficiently alleged a cause of action for intrusion upon seclusion. As above, Plaintiff alleges that Defendant secretly accessed Plaintiff’s device, gathering personal details about Plaintiff (IP address, name, face, location, e-mail, browsing history) and facilitated the disclosure of this personal information to third parties who did not have legal access to the information. (FAC ¶¶ 21, 46, 47, and 50.) Second, Plaintiff alleges that Defendant mined his personal data and shared it with hundreds of other companies. (FAC ¶ 55.) Third, Plaintiff alleges that a reasonable person would be highly offended by Defendant’s actions of collecting the information, de-anonymizing Plaintiff, and sharing it with unknown companies without his consent. (FAC ¶¶ 59, 60, 61.)

Accordingly, the court OVERRULES the demurrer as to the third and fourth causes of action.

Defendant contends that Plaintiff failed to allege that Defendant made a public disclosure, that IP addresses are not private facts, and that Plaintiff consented to the disclosure of information. Plaintiff argues that he alleged publication to hundreds of different companies, and that he has a reasonable expectation of privacy in his IP address[1], that he has sufficiently alleged such expectation of privacy, whether the privacy invasion is highly offensive is a fact question for the jury, and the consent argument lacks merit.

To establish tort liability for invasion of invasion of privacy based on publication of private facts, “the plaintiff must plead and prove (1) public disclosure (2) of a private fact (3) that would be offensive and objectionable to the reasonable person and (4) is not of legitimate public concern.” (Jackson v. Mayweather (2017) 10 Cal.App.5th 1240, 1256.) The disclosure must be “be widely published and not confined to a few persons or limited circumstances.” (Hill v. National Collegiate Athletic Assn’n (1994) 7 Cal.4th 1, 27; Catsouras v. Department of Calif. Highway Patrol (2010) 181 Cal.App.4th 856, 904.)

Upon reviewing the FAC, Plaintiff has sufficiently alleged a cause of action for publication of private facts. First, Plaintiff alleged that Defendant shared Plaintiff’s personal information with hundreds of different companies.[2] (FAC ¶ 66.) Second, Plaintiff alleges that Defendant obtained Plaintiff’s IP address, which lead to collecting Plaintiff’s name, face, location, e-mail, and browsing history. (FAC ¶ 21.) Third, Plaintiff alleges that sharing and selling this personal information would be highly offensive to a reasonable person. (FAC ¶ 68.) Finally, while not explicitly alleged, it can be inferred from reading the FAC completely and in context that Plaintiff’s browsing history and IP address are not legitimately of public concern.

Accordingly, the court OVERRULES Defendant’s demurrer to the fifth cause of action.

Defendant contends that Plaintiff has failed to sufficiently allege facts supporting a claim for punitive damages. Defendant did not provide argument challenging the attorneys’ fees.[3] Plaintiff argues that punitive damages are recoverable pursuant to the alleged statutory violations and for invasion of privacy.[4]

To obtain punitive damages, a plaintiff must plead sufficient facts in support of punitive damages.¿ (See¿Hilliard v. A.H. Robins Co.¿(1983) 148 Cal.App.3d 374, 391-92.)¿ In addition,¿punitive damages are allowed only where “it is proven by clear and convincing evidence that the defendant has been guilty of oppression, fraud, or malice.”¿ (Civ. Code, § 3294,¿subd. (a).)¿ Courts have viewed despicable conduct as conduct “so vile, base, contemptible, miserable, wretched or loathsome that it would be looked down upon and despised by ordinary decent people. (Scott v. Phoenix Schools, Inc., (2009) 175 Cal.App.4th 702, 715.)¿¿

Further, Civil Code § 3294(c) provides the definition of malice, oppression, and fraud. Malice is “conduct which is intended by the defendant to cause injury to the plaintiff or despicable conduct which is carried on by the defendant with a willful and conscious disregard of the rights or safety of others.” Oppression is “despicable conduct that subjects a person to cruel and unjust hardship in conscious disregard of that person's rights.” Fraud is “an intentional misrepresentation, deceit, or concealment of a material fact known to the defendant with the intention on the part of the defendant of thereby depriving a person of property or legal rights or otherwise causing injury.”¿

Upon reviewing the FAC, the court agrees with Defendant that Plaintiff has not sufficiently alleged facts supporting a claim for punitive damages. Reading the FAC in its entirety, the only factual allegations the court finds are that Defendant “secretly installed spyware on its website,” “shares” the various private information discussed above with other companies, and did so without Plaintiff’s consent. (FAC ¶¶ 16, 18, 21.) Plaintiff does not have factual allegations of malice, oppression, or fraud.

Accordingly, the court GRANTS Defendant’s motion to strike as to the portions pertaining to punitive damages with leave to amend.

1.Defendant’s Demurrer is SUSTAINED as to the Second Cause of Action with 10 days leave to amend;

2.Defendant’s Demurrer is OVERRULED as to the First, Third, Fourth, and Fifth Causes of Action;

[1] Reliance on California’s Electronic Communications Privacy Act (ECPA) is misplaced because it prohibits government entity activity.

[2] The court rejects Defendant’s argument that 100 companies is not vast enough to constitute the public. (See, e.g., Kinsey v. Macur (1980) 107 Cal.App.3d 265, 272 [noting mailing letters to 20 people was sufficient public disclosure.])

[3] As such, the court declines to develop that argument.

[4] Section 502(4) provides that punitive damages may be available if a plaintiff proves by clear and convincing evidence that the defendant has been guilty of oppression, fraud, or malice.