Brodsky v. Apple Inc., Case No. 19-CV-00712-LHK

• Citation: 445 F.Supp.3d 110
• Decision Date: 07 April 2020
• Docket Number: Case No. 19-CV-00712-LHK
• Parties: Jay BRODSKY, et al., Plaintiffs, v. APPLE INC., Defendant.
• Court: U.S. District Court — Northern District of California

445 F.Supp.3d 110

Jay BRODSKY, et al., Plaintiffs,

v.APPLE INC., Defendant.

Case No. 19-CV-00712-LHK

United States District Court, N.D. California, San Jose Division.

Signed April 7, 2020

Deepali Apurva Brahmbhatt, Peter Reza Afrasiabi, One LLP, Newport Beach, CA, John E. Lord, One LLP, Beverly Hills, CA, for Plaintiffs Jay Brodsky, Brian Tracey, Alex Bishop, Brendan Schwartz.

Deepali Apurva Brahmbhatt, One LLP, Newport Beach, CA, for Plaintiffs William Richardson, John Kyslowsky.

David Michael Walsh, Esq., Morrison & Foerster, Los Angeles, CA, Erin Patricia Lupfer, Morrison and Foerster LLP, San Diego, CA, Lauren Lynn Erker, Tiffany Cheung, Morrison & Foerster LLP, San Francisco, CA, for Defendant.

ORDER GRANTING MOTION TO DISMISS WITH PREJUDICE

Re: Dkt. No. 46

LUCY H. KOH, United States District Judge Plaintiffs Jay Brodsky, Brian Tracey, Alex Bishop, Brendan Schwartz, William Richardson, and John Kyslowsky ("Plaintiffs") bring this putative class action against Defendant Apple Inc. ("Apple") for alleged privacy and property violations based on Apple's two-factor authentication login tool. The Court previously granted Apple's motion to dismiss the First Amended Complaint ("FAC"), but granted Plaintiffs leave to amend. ECF No. 40 ("Order"). Currently before the Court is Apple's motion to dismiss Plaintiffs' Second Amended Complaint ("SAC"). ECF No. 46 ("Mot.").¹ Because the SAC fails to cure deficiencies previously identified in the Court's prior Order, the Court GRANTS Apple's motion to dismiss with prejudice.

I. BACKGROUND

A. Factual Background

Plaintiffs are residents of New York, California, Ohio, Pennsylvania, Colorado, and Texas. ECF No. 43 ¶ 8 ("SAC"). Apple is a California corporation that designs and sells products including iPhones, iPads, Macbooks, Apple TVs, and Apple Watches. Id. ¶¶ 9, 17. Once a consumer buys an Apple product, the Apple product is associated with the consumer's Apple ID, which is an individual's email address. Id. ¶¶ 20, 34. An Apple ID is required to use Apple services, such as FaceTime and iMessage. Id. ¶ 20.

Plaintiffs allege that Apple's provision of two-factor authentication ("2FA") as an Apple ID login process violates Plaintiffs' right to privacy. Id. ¶ 1. As in the FAC, the SAC identically alleges that 2FA is enabled in three instances: "(i) a software update occurs on one of the Apple devices; (ii) on creation of a new Apple ID; or (iii) owner of the Apple device turns on two-factor authentication in the Settings." Id. ¶ 35; see also FAC ¶ 16.

When enabled, 2FA requires a multi-step login process before a user can access Apple services. First, the user must enter his Apple ID password on the Apple device on which the user wishes to use Apple services. SAC ¶ 42. Second, the user must enter his Apple ID password on a second trusted Apple device and wait to receive a six-digit verification code on the second Apple device. Id. Third, the user must enter the six-digit verification code on the first Apple device. Id. According to Plaintiffs, 2FA takes "2-5 or more minutes" than other login processes. Id. ; see also FAC ¶ 17 (pleading identical allegations).

After 2FA is enabled, Apple will sometimes send an email to the user that explains that the user can disable 2FA: "If you didn't enable two-factor authentication and believe someone else has access to your account, you can return to your previous security settings. This link and your Apple ID security questions will expire on October 15, 2018." SAC ¶ 61; FAC ¶ 18. Plaintiffs allege that the link allowing a user to disable 2FA expires within 14 days after 2FA's enablement, and that afterwards, Plaintiffs cannot disable 2FA. SAC ¶¶ 2, 3, 61. The email also explains that 2FA "is an additional layer of security designed to ensure that you're the only person who can access your account, even if someone knows your password" and that 2FA "significantly improves the security of your Apple ID and helps protect the photos, documents, and other data you store with Apple." Id. ¶ 61.

Plaintiff Brodsky alleges that in September 2015, a software update enabled 2FA for Plaintiff Brodsky's Apple ID. Id. ¶ 37. As in the FAC, the SAC includes the exact same allegations that "Plaintiff Brodsky's Apple devices had a software update that enabled 2FA for Apple ID without his knowledge or consent on or around September of 2015." Id. ; see also FAC ¶ 19.

Plaintiff Tracey alleges that "[o]n or around September 2017, 2FA was turned on for Plaintiff Tracey's Apple ID after a software update on his Apple devices." SAC ¶ 38. Specifically, Plaintiff Tracey alleges that "[h]e needs access to the latest software updates for his work," but that "Apple does not provide an option to upgrade software without 2FA." Id. Plaintiff Tracey, however, does not allege that he did not voluntarily consent to the software update that included enabling 2FA.

The SAC alleges that the remaining four Named Plaintiffs—Plaintiffs Bishop, Schwartz, Richardson, and Kyslowsky—"do not remember when 2FA was enabled for them." Id. ¶ 39. Instead, the SAC alleges the following as to the remaining four Named Plaintiffs. As to Plaintiff Bishop, the SAC alleges that on or around January 2019, "based on an unforeseen consequence outside of his control," Plaintiff Bishop "lost access to his trusted device to receive his 2FA passcode." Id. ¶ 48. Plaintiff Bishop could not access Apple services using Apple ID "for days." Id.

As to Plaintiff Schwartz, the SAC alleges that Plaintiff Schwartz lost his second trusted Apple device "based on events outside of his control." Id. ¶ 49. Then, Apple placed Plaintiff Schwartz in its account recovery process and Plaintiff Schwartz could not use his Apple ID "for months." Id.

As to Plaintiff Richardson, the SAC alleges that Plaintiff Richardson "was locked out of [his devices] when he could not recollect offhand his password on one of the devices on or around April 2019." Id. ¶ 50. Plaintiff Richardson allegedly lost access to his downloaded and purchased data and spent $219.94 installing new hardware and software. Id.

As to Plaintiff Kyslowsky, the SAC does not include any details about when, how, or why he was locked out of his Apple devices.

Plaintiffs, however, do assert that they paid for third-party apps in "monthly, yearly, or one-time subscription[s]" and that 2FA "intercepts access to Third-Party Apps" and Apple services. Id. ¶¶ 21, 46, 51. According to Plaintiffs, 2FA thereby "virtually dispossesse[s]" Plaintiffs of their access to these third-party apps and Apple services for the duration of time necessary to login through 2FA. Id. ¶¶ 44, 46.

B. Procedural History

On February 8, 2019, Plaintiff Brodsky filed the instant case against Apple. ECF No. 1. On March 29, 2019, Plaintiffs filed the FAC, which added Tracey, Bishop, and Schwartz as named Plaintiffs. The FAC alleged five causes of action: (1) trespass to chattels, FAC ¶¶ 47-52; (2) violation of the California Invasion of Privacy Act ("CIPA"), California Penal Code § 631, id. ¶¶ 53-56; (3) violation of the California Computer Crime Law ("CCCL"), California Penal Code § 502, id. ¶¶ 57-69; (4) violation of the Computer Fraud and Abuse Act ("CFAA"), 18 U.S.C. § 1030, id. ¶¶ 70-78; and (5) unjust enrichment, id. ¶¶ 79-81. Plaintiffs brought suit on behalf of the following putative class:

All persons or entities in the United States who own or owned an Apple Watch, iPhone, iPad, MacBook, or iMac or use Apple Services that have enabled two-factor authentication ("2FA"), subsequently want to disable 2FA, and are not allowed to disable 2FA.

Id. ¶ 29. The class period began "when Apple introduced 2FA in 2015." Id. ¶ 28.

On May 1, 2019, Apple filed a motion to dismiss Plaintiffs' FAC. ECF No. 32. On May 15, 2019, Plaintiffs filed an opposition. On May 22, 2019, Apple filed a reply in support of its motion to dismiss. ECF No. 37.

On May 15, 2019, the parties filed a joint case management statement. ECF No. 35. In the joint case management statement, Apple asked the Court to stay discovery until after the Court determines whether Plaintiffs can state a claim. Id. at 6. On May 16, 2019, the Court stayed discovery "until the Court orders otherwise." ECF No. 36.

On August 30, 2019, the Court granted Apple's motion to dismiss all five of Plaintiffs' causes of action. ECF No. 40 ("Order"). First, the Court dismissed Plaintiffs' claim for trespass to chattels for two reasons. Id. at 5-8. Plaintiffs did not adequately allege a claim for trespass to chattels because "Plaintiff [did] not allege facts to indicate that Plaintiffs failed to authorize the enablement of 2FA." Id. at 6. Specifically, the Court concluded that the FAC "allege[d] that 2FA is enabled when an Apple ID user voluntarily turn[ed] on 2FA, install[ed] a software update, or create[d] a new Apple ID," but that "[n]one of those means to enable 2FA permit[ted] Apple to enable 2FA unilaterally and without Plaintiffs' authorization." Id. Plaintiff Brodsky did not allege whether he read or reviewed the software update or "whether the message disclosed that the update would enable 2FA." Id. at 7. Additionally, the Court held that Plaintiffs had not alleged that any trespass harmed Plaintiffs as required under binding California Supreme Court precedent. Id. Rather, Plaintiffs only pleaded that "each login process [took] an additional estimated 2-5 more minutes with 2FA," and such allegations were "plainly insufficient to allege the requisite showing of harm." Id. In situations where Plaintiffs argued that they "suffer[ed] longer dispossessions," the Court nonetheless concluded that Apple did not proximately cause Plaintiffs' dispossession from their Apple devices or services because the FAC "d[id] not allege that Apple or 2FA led Plaintiffs to lose access to their trusted devices." Id. at 8. Rather, the FAC simply alleged that Plaintiffs lost access based on events "outside of [their] control." Id. Accordingly, the Court granted Apple's motion to dismiss Plaintiffs'...