McDonald v. Aps

• Decision Date: 22 May 2019
• Docket Number: Case No. 17-cv-04419-JD,Case No. 17-cv-04344-JD, Case No. 17-cv-04492-JD
• Citation: 385 F.Supp.3d 1022
• Court: U.S. District Court — Northern District of California
• Parties: Michael MCDONALD et al., Plaintiffs, v. KILOO APS et al., Defendants. Amanda Rushing et al., Plaintiffs, v. The Walt Disney Company et al., Defendants. Amanda Rushing et al., Plaintiffs, v. Viacom Inc. et al., Defendants.

385 F.Supp.3d 1022

Michael MCDONALD et al., Plaintiffs,

v.KILOO APS et al., Defendants.

Amanda Rushing et al., Plaintiffs,

v.The Walt Disney Company et al., Defendants.

Amanda Rushing et al., Plaintiffs,

v.Viacom Inc. et al., Defendants.

Case No. 17-cv-04344-JD

Case No. 17-cv-04419-JD

Case No. 17-cv-04492-JD

United States District Court, N.D. California.

Signed May 22, 2019

Allen Carney, David F. Slade, Pro Hac Vice, Joseph Henry Bates, III, Carney Bates Pulliam, PLLC, Little Rock, AR, Michael W. Sobol, Facundo Bouzat, Lieff Cabraser Heimann & Bernstein, LLP, San Francisco, CA, Abbye Rose Klamann Ognibene, Douglas I. Cuthbertson, Pro Hac Vice, Nicholas Diamand, Pro Hac Vice, Sean Adam Petterson, Lieff Cabraser Heimann and Bernstein, LLP, New York, NY, for Plaintiffs.

Emily Johnson Henn, Kathryn Elizabeth Cahoy, Covington & Burling LLP, Palo Alto, CA, Sonya Diane Winner, Covington & Burling LLP, Benjamin Hansel Kleine, Matthew Dean Brown, Amy McCowan Smith, Kelly Elizabeth Fabian, Cooley LLP, Alexandra Eve Laks, Morrison Foerster LLP, San Francisco, CA, Amy Rebecca Lawrence, David Frank McDowell, Purvi Govindlal Patel, Morrison Foerster LLP, Los Angeles, CA, for Defendants.

ORDER RE MOTIONS TO DISMISS

Re: Dkt. No. 193, 195, 202, 204, 205

JAMES DONATO, United States District Judge

These cases are related actions brought by parents over gaming apps for kids. McDonald v. Kiloo , Case No. 17-4344, involves the "Subway Surfers" app. Rushing v. The Walt Disney Company , Case No. 17-4419, involves "Princess Palace Pets" and four versions of "Where's My Water?" Rushing v. Viacom Inc. , Case No. 17-4492, challenges "Llama Spit Spit." All of the cases are putative class actions and allege that the apps were used to track online behavior on a device and user-specific level, and that defendants exploited the data, without disclosure or consent, for profit. In effect, the complaints allege that the apps were covert collectors of behavioral data for delivery of targeted advertising to users, namely the kids who played the games.

Plaintiffs have sued a number of "developer defendants" and "SDK defendants." The developer defendants, which include Disney, Viacom, Kiloo and Sybo, are the companies that created the games and made them available for download. The SDK defendants are mobile advertising and app monetization companies that provide "software development kits" containing code to collect user data. These defendants include AdColony, Chartboost, Tapjoy, Flurry and other entities. Plaintiffs allege that the developer defendants embedded the SDK defendants' code into the games to gather and transmit to the SDK defendants "persistent identifiers" and personal data for tracking, profiling and ad targeting.

All the cases assert privacy claims under the California Constitution and for intrusion upon seclusion under California law. The Disney case adds a privacy claim under Massachusetts law.¹ The Kiloo and Disney cases also include consumer protection claims under New York's General Business Law § 349, and Disney further invokes the California Unfair Competition Law and the Massachusetts Unfair and Deceptive Trade Practices Statute.

The Court related the cases but did not consolidate them for trial. Plaintiffs filed amended complaints as a result of prior proceedings, mainly to avoid potential preemption under the federal Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501 - 6506 ("COPPA"). See Dkt. No. 159. Defendants seek to dismiss the amended complaints under Rule 12(b)(6) and in some cases for lack of personal jurisdiction, with several arguments made on a joint basis and others on a defendant-specific basis. This order resolves these motions.

BACKGROUND

The operative allegations are the same in all the cases, as tailored to the pertinent developers and SDK defendants for each game. The allegations in Kiloo are representative of the cases as a whole, and are used here as the context for the motions.

As alleged in the Kiloo amended complaint (Dkt. No. 268-1, "KAC"), a parent or child downloads and installs a gaming app onto a cell phone or other mobile device for play. KAC ¶ 28. When the app is launched, it connects immediately to a server hosted by the developer and begins sending data even before the user plays the game. Id. ¶ 40. The data sharing is invisible to the user. Id. As the user plays the game, the embedded SDK code communicates with the SDK defendant's individual server. Id. ¶ 42. The SDK code sends requests or "calls" for an ad to the server, and the user's personal data is sent with each call. Id. As a result of the call, the user "may receive a single ad, but nonetheless multiple SDKs have exfiltrated to their servers the user's Personal Data." Id. The advertisements displayed in the gaming app to the user can be "video ads, wherein users ‘watch a video ad and are rewarded with virtual currency.’ " Id. ¶¶ 46, 99. The user might also be shown "pop-up ads between game plays." Id. ¶¶ 131-132. These ads "are targeted at specific users based on complex profiles assembled using their persistent identifiers, and other information bundled with those identifiers and sent to the SDK Defendants pursuant to the SDK coding inputted into the app and downloaded onto users' devices." Id. ¶ 133.

The KAC alleges that the user data harvested by the SDKs includes (1) an ID for Advertisers ("IDFA") and ID for Vendors ("IDFV") for Apple devices; (2) an Android Advertising ID ("AAID") and Android ID for Android devices; (3) the device's International Mobile Equipment Identity ("IMEI"); (4) the specific device name; (5) IP address; (6) timestamp, i.e. , the time at which an advertising event is recorded; and (7) Device Fingerprint data, including the user's language, time zone and country, and mobile network or carrier. See , e.g. , KAC ¶¶ 47-52. Plaintiffs allege that the SDK defendants retain this user data. SDKs "store[ ] and analyze[ ] the Personal Data to enable continued tracking of the user, such as what ads she has already seen, what actions she took in response to those ads, other online behavior, and additional demographic data." Id. ¶ 42. This allows the SDK defendants -- "and other entities in the ad network" -- to "monitor, profile, track her over time, across devices, and across the Internet." Id.

Plaintiffs supplement these allegations with facts specific to several of the SDK defendants. Flurry is said to assign a unique ID number to each user to continue tracking them within the Flurry database. Id. ¶ 64 n.33. It combines personal information directly gathered on users "with information received about users from third-parties" such as Facebook or Twitter, as well as "user activity on other sites and apps." Id. ¶ 65. Flurry "shares information it collects from its users within its affiliated brands and with ‘publishers, advertisers, measurement analytics, apps, or other companies." Id. ¶ 66. The information collected on a user includes "name, gender, birthdate, geolocation information, search queries, mobile device identifier, mobile phone number, alternative email addresses, contacts, contact information (including online contact information), nicknames and aliases, physical address, IP address, other persistent identifiers, and any other information [a] child [user] may share with [Flurry] or [Flurry's] partners, such as photos, videos or audio files that contain [a child user's] image or voice." Id. ¶ 67.

SDK Vungle is alleged to have the capacity to "share Personal Data with other, undisclosed third-parties," and plaintiffs allege that their forensic analysis shows that Vungle sent a user's IDFA/AAID and other personal data to a "separate online marketing company called Adjust." Id. ¶ 73. This transmission "permitted Adjust to track the user's activities subsequent to viewing the ad." Id. Such tracking, "known as ‘ad attribution,’ " enables online marketing companies to "track users on behalf of advertisers, observing the users' behavior over time to determine whether an ad leads a user to install the advertised app and, thus, whether a specific ad influenced behavior and was commercially profitable." Id. SDK defendants AdColony and Flurry are alleged to have advertised their ability to accomplish ad attribution "even where users have attempted to limit ad tracking." Id. ¶¶ 137(a), (b). Similar allegations are made about the other SDK defendants. SDK Kochava is alleged to have marketed its ability to "match individual users to their devices using what it calls ‘cross-device algorithms.’ " Dkt. No. 117-1 ("DAC") ¶ 58. These algorithms purportedly allowed Kochava to "track user behavior and to identify users -- including children -- at the individual level, even where there are multiple users of the same device." Id.

The gravamen of the complaints is that the "Developer Defendants and the SDK Defendants, in coordination, collect and use the Personal Data described [in the complaint] to track, profile, and target children with targeted advertising." KAC ¶ 110. Plaintiffs allege that "[w]hen children are tracked over time and across the Internet, various activities are linked to a unique and persistent identifier to construct a profile of the user of a given mobile device." Id. ¶ 111. While a persistent identifier in isolation is a "string of numbers uniquely identifying a user," when "linked to other data points about the same user, such as app usage, geographic location (including likely domicile), and Internet navigation, it discloses a personal profile that can be exploited in a commercial context." Id. Plaintiffs allege that defendants "aggregate this data, and also buy it from and sell it to other third-parties." Id. ¶ 112. Plaintiffs add that personal digital devices "are increasingly associated with individual users, rather than families," and that even children often "have their own devices; as of 2017, 45% of children younger than 8-years-old had their own mobile device." Id. ¶¶ 117, 144.

Plaintiffs contend that...