A judge in the Northern District of California granted in part and denied in part Oracle America, Inc.’s motion to dismiss a putative class action alleging that the data broker collects and sells internet users’ personal information for targeting advertising and other purposes in violation of wiretapping acts and privacy-based laws. See Order Granting in Part and Denying in Part Motion to Dismiss, Katz-Lacabe v. Oracle Am., No. 3:22-cv-04792-RS (N.D. Cal. Apr. 6, 2023). In the suit against Oracle, the three named plaintiffs – residents of California, Florida, and Ireland – purported to represent five separate classes of individuals, including a California class, nationwide class, and global class.
The court dismissed plaintiffs’ claim that Oracle violated the Unfair Competition Law due to lack of standing, as plaintiffs did not allege a specific monetary or economic loss that stemmed from the misappropriation of their personal data. Additionally, the court dismissed plaintiffs’ unjust enrichment claim, finding plaintiffs did not demonstrate that Oracle unjustly retained a benefit at their expense. Plaintiffs’ Federal Wiretap Act claim was also dismissed, as the court found that Oracle’s customers chose to deploy Oracle’s tools on their websites, thereby satisfying one-party consent under the federal statute.
However, the court left intact plaintiffs’ wiretapping claim under the California Invasion of Privacy Act (“CIPA”). First, the court held that Oracle could not rely on the party exception to CIPA at this stage, as plaintiffs alleged that Oracle went beyond assisting the website operator by also using the information gathered to purportedly create and sell user profiles. Further, the court found that plaintiffs sufficiently alleged that Oracle intercepted “contents” of communications within the meaning of the statute. The court noted that “contents” refers to the intended message conveyed by the communication, and determined that only two types of information were at issue: referral URLs that might contain “problematic” elements and web form entries that might contain personally identifiable information. The court observed that plaintiffs’ lack of specificity made the determination a close call. However, considering “both of these pieces of information” and construing the allegations “in the light most favorable to Plaintiffs,” the court concluded that plaintiffs had pled “just barely enough” to withstand dismissal.
The court also declined to dismiss plaintiffs’ claims for invasion of privacy under the California Constitution and intrusion upon seclusion under California common law. Plaintiffs’ allegations that Oracle accumulated and aggregated vast data to create profiles on users were sufficient, in the court’s view, to allege a highly offensive intrusion at the pleading stage. However, the court dismissed the intrusion upon seclusion claim as to the nationwide class and global class, explaining that the privacy laws of Florida and Europe differ from California, and that California did not have a great interest in applying its own law.