James v. The Walt Disney Co.

• Docket Number: 23-cv-02500-EMC (EMC)
• Decision Date: 08 November 2023
• Parties: AMIN JAMES, et al., Plaintiffs, v. THE WALT DISNEY COMPANY, Defendants.
• Court: U.S. District Court — Northern District of California

1

AMIN JAMES, et al., Plaintiffs, v. THE WALT DISNEY COMPANY, Defendants.

No. 23-cv-02500-EMC (EMC)

United States District Court, N.D. California

November 8, 2023

ORDER GRANTING IN PART AND

DENYING IN PART DEFENDANT'S

MOTION TO DISMISS

DOCKET NO. 15

EDWARD M. CHEN, UNITED STATES DISTRICT JUDGE

Plaintiffs Amin James and David Sevesind (collectively “Plaintiffs”) have filed a class action against Defendant The Walt Disney Company (“Disney”). Plaintiffs assert that their privacy rights, as protected by Pennsylvania and California statutory law, have been violated because there is Oracle software embedded in Disney's ESPN.com website that captures and collects data as individuals use the website (e.g., pages viewed, keystrokes, mouse clicks, etc.). Currently pending before the Court is Disney's motion to dismiss for lack of standing and for failure to state a claim for relief.

Having considered the parties' briefs as well as the oral argument of counsel, the Court hereby GRANTS in part and DENIES in part Disney's motion.

I. FACTUAL & PROCEDURAL BACKGROUND

In their complaint, Plaintiffs allege as follows.

Disney is a company that owns and operates the website ESPN.com. See Compl. ¶ 8. Embedded on the ESPN.com website is Oracle software, in particular, a tool known as Oracle BlueKai which is part of a line of products known as Oracle CX.^[1] BlueKai intercepts and collects website visitors' electronic communications with the website. See Compl. ¶¶ 1, 14, 17. The data collected is used to market to and attract new customers for Disney. See Compl. ¶ 22.

Furthermore, “Oracle does not simply manage their clients' data[;] Oracle also retains and uses the same data to assist other clients” (i.e., clients other than Disney). Compl. ¶ 30 (emphasis added).

23. To enable Oracle to track website users, website owners insert a “Core Tag” - “bk-coretage.js” - into their webpages and applications, unbeknownst to the webpage or application visitor.

24. When a user visits a website that has Core Tag in the code, the user's browser sends a “GET request” to the website server. The server responds by sending HTML code to the user's browser. The HTML code includes a JavaScript that contains the Core Tag which instructs the user's browser to send another GET request to Oracle. Oracle then utilizes the Core Tag to collect data for BlueKai. Through this process, Oracle is able to extract the website visitor user attributes. ....

26. The data Oracle BlueKai collects includes but is not limited to:

(a) HTML page properties;

(b) Pages viewed;

(c) Purchase intent;

(d) Add-to-cart actions;

(e) Keystrokes;

(f) Search terms entered; and

(g) “Mouse click events.”

....

31. To summarize, website owners a Core Tag onto their websites, which enables Oracle BlueKai to collect significant user data. Oracle then associates that data to a specific user, compiles that data with other data about the user Oracle has in its possession, and provides that data to website owners to enable website owners to hyper target users in marketing campaigns. Oracle then retains that data and uses it to assist other website owners.

Compl. ¶¶ 23-24, 26, 31 (footnotes omitted).

According to Plaintiffs, Disney entered into a “contractual arrangement” with Oracle “to intercept communications between [Disney] and visitors to the [ESPN.com] website.” Compl. ¶ 33.

Mr. James is a resident of Pennsylvania and, in December 2022, visited the ESPN.com website on his computer. See Compl. ¶ 5. Mr. Davis is a resident of California and, in May 2023, visited the website on his computer. See Compl. ¶ 6. When each used the website, his communications on the website were intercepted by Oracle. See Compl. ¶¶ 37-38; see also Compl. ¶ 5 (referring to keystrokes, mouse clicks, and “other communications”).

Based on, inter alia, the above allegations, Plaintiffs have asserted two causes of action: (1) a violation of the Pennsylvania Wiretapping and Electronic Surveillance Control Act, 18 Pa. C.S. § 5701 et seq.; and (2) a violation of the California Invasion of Privacy Act. See Cal. Pen. Code § 631. Plaintiffs have identified three different classes: (1) a nationwide class of all persons who visited the ESPN.com website and who had electronic communications intercepted; (2) a Pennsylvania subclass; and (3) a California subclass. See Compl. ¶¶ 40-42.

Although not entirely clear, it appears that Plaintiffs are suing Disney because Oracle intercepted data for the benefit of Disney and because Oracle then used that data for the benefit of other companies as well.

II. DISCUSSION

A. Legal Standard

As noted above, Disney seeks to dismiss both for lack of standing and failure to state a claim for relief. The motion to dismiss for lack of standing is brought pursuant to Federal Rule of Civil Procedure 12(b)(1), and for failure to state a claim for relief pursuant to Rule 12(b)(6).

A Rule 12(b)(1) motion for lack of standing can be facial in nature or factual. See Pride v. Correa, 719 F.3d 1130, 1139 (9th Cir. 2013). “In a facial attack, the challenger asserts that the allegations contained in a complaint are insufficient on their face to invoke federal jurisdiction. By contrast, in a factual attack, the challenger disputes the truth of the allegations that, by themselves, would otherwise invoke federal jurisdiction. ” Safe Air For Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004). Here, Disney makes a facial attack on standing.

To overcome a Rule 12(b)(6) motion to dismiss after the Supreme Court's decisions in Ashcroft v. Iqbal, 556 U.S. 662 (2009), and Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007), a plaintiff's “factual allegations [in the complaint] ‘must . . . suggest that the claim has at least a plausible chance of success.'” Levitt v. Yelp! Inc., 765 F.3d 1123, 1135 (9th Cir. 2014). The court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). But “allegations in a complaint . . . may not simply recite the elements of a cause of action [and] must contain sufficient allegations of underlying facts to give fair notice and to enable the opposing party to defend itself effectively.” Levitt, 765 F.3d at 1135 (internal quotation marks omitted). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. “The plausibility standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id. (internal quotation marks omitted).

B. Rule 12(b)(1) Motion - Standing

Disney argues first the Court lacks subject matter jurisdiction over the case because, based on the allegations in the complaint, Plaintiffs do not have standing. Disney's argument is based on a Supreme Court decision, TransUnion LLC v. Ramirez, 141 S.Ct. 2190 (2021), and several district court cases that have interpreted TransUnion.

TransUnion involved a class action where claims for violation of the Fair Credit Reporting Act (“FCRA”) were asserted. According to the named plaintiff, TransUnion violated the FCRA based on a product it offered called OFAC Name Screen Alert.

OFAC is the U.S. Treasury Department's Office of Foreign Assets Control. OFAC maintains a list of “specially designated nationals” who threaten America's national security. Individuals on the OFAC list are terrorists, drug traffickers, or other serious criminals. It is generally unlawful to transact business with any person on the list. TransUnion created the OFAC Name Screen Alert to help businesses avoid transacting with individuals on OFAC 's list.

Id. at 2201. The product, however, “generated many false positives” because it would place an alert on a credit report indicating a potential match based on first and last names only. Id. The plaintiff alleged that TransUnion violated the FCRA when, e.g., it failed to follow reasonable procedures to ensure the accuracy of information in his credit file. See id. at 2202.

Before trial, the parties stipulated that (1) the class had 8,185 members but that (2) “only 1,853 members . . . had their credit reports disseminated by TransUnion to potential creditors” during the relevant period. Id. The district court held that all 8,185 members had Article III standing. See id. The issue before the Supreme Court was whether that decision on standing was correct.

The focus of the Supreme Court was whether the class members had suffered an injury in fact - i.e., a concrete injury that was real and not abstract. See id. at 2203. The Supreme Court asked:

What makes a harm concrete for purposes of Article III? As a general matter, the Court has explained that “history and tradition offer a meaningful guide to the types of cases that Article III empowers federal courts to consider.” And with respect to the concrete-harm requirement in particular, this Court's opinion in Spokeo v Robins indicated that courts should assess whether the alleged injury to the plaintiff has a “close relationship” to a harm “traditionally” recognized as providing a basis for a lawsuit in American courts. That inquiry asks whether plaintiffs have identified a close historical or common-law analogue for their asserted injury. Spokeo does not require an exact duplicate in American history and tradition. But Spokeo is not an open-ended invitation for federal courts to loosen Article III based on contemporary, evolving beliefs about what kinds of suits should be heard in federal courts.

As Spokeo explained, certain harms readily qualify as concrete

...