SHAH v. CAPITAL ONE FINANCIAL CORPORATION (2025)

ORDER GRANTING-IN-PART DENYING-IN-PART MOTION TO DISMISS

Re: Dkt. No. 24

Plaintiffs Vishal Shah, Gary Ingraham, Deia Williams, and Devin Rose (collectively, “Plaintiffs”), individually and on behalf of all others similarly situated, bring forth this class action against Defendant Capital One Financial Corporation (“Defendant”). Plaintiffs, who are current customers or credit card applicants of Defendant, allege that Defendant unlawfully disclosed Plaintiffs’ personal and financial information to third and fourth parties.

Before the Court is Defendant's motion to dismiss. Having considered the parties’ briefs, oral arguments, the relevant legal authority, and for the reasons below, the Court GRANTS-IN-PART and DENIES-IN-PART Defendant's motion to dismiss.

I. BACKGROUND

Defendant is a financial institution that provides financial services across the United States and internationally. ECF 1, (Complaint, “Compl.”) ¶ 2. To provide its services, Defendant used a website that allowed customers to access their account, financial services, and apply for “financial products like credit cards.” Id. Defendant's website allegedly contained “invisible Third Party online tracking technologies” that “instantaneously and surreptitiously duplicate[d] communications with that webpage and sen[t] them to the Third Party.” Id. ¶ 42. These communications included Plaintiffs’ and Class Members’ (1) employment information; (2) bank account information; (3) citizenship and dual citizenship status; (4) credit card preapproval and eligibility; (5) credit card approval and eligibility; (6) existing user, or Customer, status; (7) browsing activities, including viewed pages and content; (8) credit card application status; and (9) other information collected through an internet “cookie.” Id. ¶ 187. Defendant used this information for third and fourth parties’ marketing and sales. Id. ¶ 47.

The trackers on Defendant's website came from Google, Microsoft, DoubleClick, New Relic, Adobe, Everest, Skai/Kenshoo, Snowplow, Biocatch, Tealium, and Facebook/Meta Pixel. Id. ¶ 51. Facebook, for instance, tracked users and the type of actions they took on Defendant's website and used this information to “find new customers, drive sales, and understand ad impact.” Id. ¶ 48. When a customer used the Defendant's website, Facebook would get an event informing it about the user's activity. Id. ¶ 68. Defendant's website transmitted to Facebook the specific page viewed by the customer, the customer's IP address, cookies, and personal and financial information. Id. ¶ 76. Similarly, Google trackers allowed “Defendant to track and share with Google (1) who use[d] Capital One's website; (2) what [was] performed on the website; (3) when users visit[ed] the website; (4) where on the website users perform[ed] these actions; and (5) how users navigate[d] through the website to perform these actions.” Id. ¶ 52. Defendant used these trackers since at least November 30, 2023, and as recently as June 24, 2024. Id. ¶ 61.

A. Named Plaintiffs received unwanted advertising after using Defendant's website.

The named Plaintiffs allege that that they used Defendant's website and then received targeted marketing ads from third-party websites. For instance, Plaintiff Shah alleges that he had a checking account with Defendant and then applied for and was approved for a credit card. Id. ¶¶ 144–151. After he applied for the credit card, Shah began to get advertisements for NerdWallet and Credit Karma advertising random credit cards, along with advertisements for credit cards from Defendant's competitors, on his Facebook feed. Id. ¶¶ 153–55.

Plaintiff Rose also had a credit card with Defendant. Id. ¶ 156. Shortly after he applied for this credit card, Defendant's advertisements began appearing on his Facebook feed. Id. ¶ 162. Rose also received advertisements from other credit card companies and for loans. Id. ¶ 163.

Similarly, Plaintiff Ingraham does not have an account with Defendant but used Defendant's website to apply for Defendant's credit card. Id. ¶ 165. He was not approved, but still received advertisements from Discover Cards, Chase, and Chime on his Facebook feed. Id. ¶¶ 166, 169–171.

Finally, Plaintiff Williams applied for a credit card with Defendant, was not approved, and was “constantly bombarded with credit card advertisements on Facebook,” leading her to block Defendant on social media. Id. ¶¶ 173–74, 177.

All Plaintiffs allege that they did not sign any written authorization permitting Defendant to send their personal and financial information to third or fourth parties. Id. ¶ 181. Instead, Plaintiffs “reasonably expected that their communications with [Defendant] were confidential, solely between each Plaintiff and [Defendant].” Id. ¶ 182.

B. Plaintiffs agreed to Defendant's privacy policy.

The complaint alleges that all customers using Defendant's website must agree to the terms of Defendant's privacy policy for online use (“Online Private Policy”). Id. ¶ 92. The targeted advertising section of Defendant's Online Privacy Policy reads:

We and our third-party providers may collect information about your activities on our Online Services and across different websites, mobile apps, and devices over time for targeted advertising purposes. These providers may then show you ads, including across the internet and mobile apps, and other devices, based in part on the information they have collected or that we have shared with them.

For example, when you visit the Capital One website and explore our products, our advertising providers may use that information to determine which ads to show you when you go to other, non-Capital One websites. Similarly, when you view a Capital One ad on your computer, our advertising providers may use that information when deciding whether to show you a subsequent ad on your laptop or mobile device. For more information about targeted advertising, please see the Network Advertising Initiative's (NAI) Understanding Online Advertising page.

ECF 1, Ex. B, at 7. The Online Privacy Policy also provides information for how individuals may opt out of the targeted advertising, including that customers may visit three opt out pages or adjust the privacy settings on their mobile devices. Id. at 8. The Online Privacy Policy notes that a customer's preferences will only apply to “the specific browser or device” from which they opt out, and that a customer must opt out separately from all their browsers and devices. Id. It cautions that if a customer “delete[s] cookies, change[s] web browsers, reset[s] [their] mobile advertising ID, or use[s] a different device,” they may need to opt out again. Id.

C. Plaintiffs filed the instant action.

Plaintiffs assert the following seventeen causes of action against Defendant in the complaint: (1) negligence; (2) negligence per se; (3) invasion of privacy under the California Constitution; (4) violation of the Comprehensive Computer Data Access and Fraud Act (“CDAFA”); (5) violation of the Unfair Competition Law (“UCL”); (6) violation of the California Consumer Privacy Act (“CCPA”); (7) violation of the California Customer Records Act (“CRA”); (8) breach of express and implied contract; (9) unjust enrichment; (10) bailment; (11) declaratory judgment; (12) breach of confidence; (13) violation of the California Invasion of Privacy Act (“CIPA”); (14) violation of the Federal Wiretap Act, Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2511(1); (15) violation of the ECPA, 18 U.S.C. § 2511(3)(a); (16) violation of Title II of the Electronic Communications Privacy Act (“Stored Communications Act”); and (17) violation of the Computer Fraud and Abuse Act (“CFAA”).

On October 28, 2024, Defendant filed a motion to dismiss. ECF 24 (“Mot.”). Plaintiffs filed an opposition on November 27, 2024. ECF 35 (“Opp'n”). Defendant filed a reply. ECF 48 (“Reply”). The Court held oral arguments on January 21, 2025. ECF 57.

II. LEGAL STANDARD

A motion to dismiss under Rule 12(b)(6) tests the legal sufficiency of claims alleged in the complaint. Ileto v. Glock Inc., 349 F.3d 1191, 1199–1200 (9th Cir. 2003). The Court's review is limited to the contents of the complaint. Allarcom Pay Television, Ltd. v. Gen. Instrument Corp., 69 F.3d 381, 385 (9th Cir. 1995). All allegations of material fact contained in the complaint are taken as true. Id.; Erickson v. Pardus, 551 U.S. 89, 94, 127 S.Ct. 2197, 167 L.Ed.2d 1081 (2007). However, legally conclusory statements, not supported by actual factual allegations, need not be accepted. Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). A plaintiff's obligation to provide the grounds of his entitlement to relief “requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). Rather, the allegations in the complaint “must be enough to raise a right to relief above the speculative level.” Id.

A motion to dismiss should be granted if the complaint does not proffer enough facts to state a claim for relief that is plausible on its face. Id. at 558–559, 127 S.Ct. 1955. “[W]here the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct,” the complaint has not shown that the pleader is entitled to relief. Iqbal, 556 U.S. at 679, 129 S.Ct. 1937.

III. DISCUSSION

A. The Court first turns to the two threshold issues.

Defendant seeks to dismiss the entire complaint for two overarching reasons: (1) the complaint's exhibits conflict with Plaintiffs’ key allegations and (2) Plaintiffs fail to allege that Defendant disclosed Plaintiffs’ personal information and financial information. Mot. at 5.

i. Plaintiffs’ allegations of unauthorized disclosure do not conflict with the exhibits attached to the complaint.

A court may consider exhibits for the purposes of a motion to dismiss when they are submitted with a complaint. Durning v. First Boston Corp., 815 F.2d 1265, 1267 (9th Cir. 1987). “[T]he district court may treat such a document as part of the complaint, and thus may assume that its contents are true for purposes of a motion to dismiss under Rule 12(b)(6).” U.S. v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003). “In addition, the court may disregard allegations in the complaint if contradicted by facts established in exhibits attached to the complaint.” Sumner Peck Ranch, Inc. v. Bureau of Reclamation, 823 F. Supp. 715, 720 (E.D. Cal. 1993) (citing Durning, 815 F.2d at 1267); see also Gonzalez v. Planned Parenthood of L.A., 759 F.3d 1112, 1115 (9th Cir. 2014) (“Although we normally treat all of plaintiff's factual allegations in a complaint as true, we ‘need not ․ accept as true allegations that contradict matters properly subject to judicial notice or by exhibit.’ ”).

Here, Defendant contends that Plaintiffs’ allegations directly conflict with Defendant's Online Privacy Policy because Defendant discloses that it releases customer information for third party marketing. Mot. at 6. Defendant's Online Privacy Policy states that Defendant “may allow companies to collect information ․ including to target advertising to [a customer] based on personal information collected across different websites, mobile apps, and devices over time.” ECF 1, Ex. B, at 5. The Online Privacy Policy contains a section titled “targeted advertising” that states that Defendant and its “third-party providers may collect information” about a customers’ activities on “different websites, mobile apps, and devices over time” and that these “providers may show” the customer ads “based in part on the information they have collected or that [Defendant has] shared with them.” Id. at 7.

However, while the Online Privacy Policy states that it collects information about a customer's internet activities, it does not state that it releases that customer's personal information such as employment information and credit card preapproval or approval status, which Plaintiffs allege that it collects. Compl. ¶ 187; ECF 1, Ex. B, at 8. Therefore, the Online Privacy Policy does not directly conflict with Plaintiffs’ allegations. See Gonzalez, 759 F.3d at 1116 (holding that the attached exhibits contradicted with plaintiff's allegations when they “fatally undercut” the allegations so that plaintiff could not “state a plausible claim”). As a result, the Court will take Plaintiffs’ allegations in the complaint as true. See Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001) (holding that a court takes all the allegations of material fact as true unless they contradict matters “properly subject to judicial notice or by exhibit”).

Accordingly, Plaintiffs’ allegations do not directly conflict with the Online Privacy Policy.

a. The Court need not reach Defendant's other arguments as to the first threshold issue because they involve factual disputes.

Defendant also argues that Plaintiffs consented to the disclosure of their personal information, that Defendant provided sufficient opt out instruction, and that the disclosures did not involve fourth parties. Mot. at 6–8. Because the issue of whether Plaintiffs consented to Defendant's disclosure of their personal information is a factual question, the Court need not reach it at the motion to dismiss stage. See Cottle v. Plaid Inc., 536 F. Supp. 3d 461, 491 (N.D. Cal. 2021) (finding that the issue of consent, which is a “key factual dispute” must be decided “on the merits rather than a Rule 12 motion”). The Court also need not reach the other arguments because they are factual disputes. See In re Splunk Inc. v. Sec. Litig., 592 F. Supp. 3d 919, 946 (N.D. Cal. 2022) (finding that the Court “may not resolve factual disputes at the pleading stage”).

Because Plaintiffs’ allegations do not conflict with the complaint's exhibits, and because the Court may not decide factual disputes at the pleadings stage, the Court DENIES Defendant's motion to dismiss as to the first threshold issue.

ii. Plaintiffs allege sufficient disclosures of their personal and financial information.

For the second threshold issue, Defendant argues that Plaintiffs’ failure to allege specific disclosures of their personal and financial information “separately forecloses their claims.” Mot. at 8.

Plaintiffs must allege in more than a conclusory manner that Defendant disclosed data to third parties. See Cousin v. Sharp Healthcare, 681 F. Supp. 3d 1117, 1123 (S.D. Cal. 2023) (explaining that plaintiffs must provide that the defendant disclosed their personal information with more than conclusory allegations). The Court finds that they did. For instance, Plaintiffs allege that they interacted with Defendant's website, which they allege contained third party trackers. Compl. ¶ 51. They allege that they put their personal and financial information, including employment information, bank account information, citizenship status, and credit card preapproval or eligibility, into Defendant's website and then received third- and fourth-party advertisements. See id. ¶¶ 150, 151, 159, 169, 177, 187. They further allege that as a result of using Defendant's website, their information was transmitted to third party trackers such as Google, Microsoft, and Meta, without their consent. Id. ¶ 51, 186. Because Plaintiffs allege that the actions they took on Defendant's website resulted in the transmission of their information to third parties, they have provided sufficient factual allegations to allege the disclosure of their personal information. See R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 891 (C.D. Cal. 2024) (finding that plaintiffs provided sufficient factual detail about the actions they took on the defendant's website when they provided facts that they used the website with trackers on it).

Plaintiffs, therefore, sufficiently state a claim as to the disclosure of their personal information.

Accordingly, because Plaintiffs state a claim that Defendant disclosed Plaintiffs’ personal information, the Court DENIES Defendant's motion to dismiss as to the second threshold issue.

B. The Court next turns to Plaintiffs’ causes of action.

Separate from the threshold issues, Defendant seeks to dismiss Plaintiffs’ complaint for the following causes of action: negligence; negligence per se; invasion of privacy; CDAFA; UCL; CCPA; CRA; breach of express contract; breach of implied contract; breach of confidence; unjust enrichment; bailment; declaratory judgment; ECPA; CIPA; Stored Communication Act; CFAA. Mot. at 1–2. The Court now reviews each individually.

i. Plaintiffs state a claim as to negligence.

“To state a claim for negligence in California, a plaintiff must establish the following elements: (1) the defendant had a duty, or an ‘obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks,’ (2) the defendant breached that duty, (3) that breach proximately caused the plaintiff's injuries, and (4) damages.” Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1038–39 (N.D. Cal. 2019) (internal citations omitted).

a. Plaintiffs plead a valid duty of care.

Defendant first argues that Plaintiffs have not identified that Defendant owed them a valid duty arising under the Gramm-Leach-Bliley Act (“GLBA”) or the Federal Trade Commission (“FTC”) Act because neither statute provides a private right of action. Mot. at 10. Defendant, however, conflates negligence and negligence per se; whether the FTC Act confers a private right of action is an issue for negligence per se. See Baton v. Ledger SAS, 740 F. Supp. 3d 847, 906–912 (N.D. Cal. 2024) (explaining that district courts do not permit negligence per se claims to hinge on the FTC Act, but did not analyze whether the FTC Act applies to negligence claims); In re Accellion, Inc. Data Breach Litig., 713 F. Supp. 3d 623, 631–39 (N.D. Cal. 2024) (same).

Furthermore, the Court finds that Plaintiffs have alleged a valid duty of care. When determining whether a valid duty exists, California courts turn to several factors, including “the foreseeability of harm to the plaintiff, the degree of certainty that the plaintiff suffered injury, the closeness of the connection between the defendant's conduct and the injury suffered, the moral blame attached to the defendant's conduct, the policy of preventing future harm, the extent of the burden to the defendant and the consequences to the community of imposing a duty to exercise care with resulting liability for breach, and the availability, cost, and prevalence of insurance for the risk involved.” Bass, 394 F. Supp. 3d at 1039 (internal citations omitted).

Here, Defendant's alleged lack of reasonable care in handling Plaintiffs’ personal information caused foreseeable harm to Plaintiffs. See id. (“The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information.”). Plaintiffs therefore alleged a valid duty of care by alleging that they placed trust in Defendant to protect their personal information, which Defendant the disclosed. Id.

b. The economic loss doctrine does not apply.

“Under the economic loss doctrine, purely economic losses are not recoverable in tort.” Baton, 740 F. Supp. 3d at 911 (internal citations omitted). “A purely economic loss is shorthand for pecuniary or commercial loss that does not arise from actionable physical, emotional or reputational injury to persons or physical injury to property.” Id. (internal citations omitted). Courts tend to apply the economic loss rule when they are concerned about “imposing liability in an indeterminate amount for an indeterminate time to an indeterminate class” or in deference to a contract between litigating parties. In re Meta Pixel Tax Filing Cases, 724 F. Supp. 3d 987, 1020 (N.D. Cal. 2024).

While Defendant argues that the economic loss rule bars Plaintiffs’ negligence claims because Plaintiffs’ injuries are purely economic in nature, Plaintiffs also plead non-economic harms. Mot. at 11. Plaintiffs, for instance, allege that their injuries include the lost time and money incurred to mitigate the effect of the use of their information. Compl. ¶ 224. Court have found that lost time is not an economic loss. See, e.g., Bass, 394 F. Supp. 3d at 1039 (concluding that the loss of time is not a “pure economic loss”); Baton, 740 F. Supp. 3d at 911 (finding that the economic loss rule did not apply in data breach cases where there was a loss of time); In re Meta Pixel Tax Filing Cases, 724 F. Supp. 3d at 1020 (explaining that the plaintiffs’ negligence claims are not “foreclosed by the economic loss rule” when plaintiffs allege harms such as the loss of time and resources). Because Plaintiffs plead non-economic injuries, the pleadings are sufficient for purposes of the motion to dismiss.

Accordingly, Plaintiffs state a claim as to negligence. The Court DENIES Defendant's motion to dismiss as to negligence.

ii. Plaintiffs do not state a claim as to negligence per se.

“The doctrine of negligence per se is not a separate cause of action, but creates an evidentiary presumption that affects the standard of care in a cause of action for negligence.” Dent v. Nat'l Football League, 968 F.3d 1126, 1130 (9th Cir. 2020) (internal citations omitted).

Defendant next argues that negligence per se is not a standalone cause of action. Mot. at 10. Because negligence per se is not a separate cause of action, and because Plaintiffs bring a negligence per se cause of action in addition to a negligence claim, the negligence per se claim is not proper. Compl. ¶ 228; see In re Accellion, 713 F. Supp. 3d at 639 (dismissing plaintiffs’ negligence per se claim because it is not a separate cause of action but denying the motion to dismiss as to the negligence claim); Toy v. Life Line Screening of Am. Ltd., No. 23-cv-04651-RFL, 2024 WL 1701263, at *5 (N.D. Cal. Mar. 19, 2024) (“To the extent [the plaintiff] is asserting a negligence per se claim separate from her negligence claim, the motion to dismiss the negligence per se claim is granted without leave to amend.”).

Accordingly, the Court GRANTS Defendant's motion to dismiss the negligence per se claim without leave to amend.

iii. Plaintiffs do not state a claim for invasion of privacy under the California Constitution.

“The California Constitution sets a high bar for establishing an invasion of privacy claim.” In re Yahoo Mail Litig., 7 F. Supp. 3d 1016, 1038 (N.D. Cal. 2014) (internal citations omitted). To state a claim for invasion of privacy under the California Constitution, plaintiffs must show that “(1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is so serious as to contribute an egregious breach of the social norms such that the breach is highly offensive.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020) (cleaned up) (internal citations omitted). “A reasonable expectation of privacy is an objective entitlement founded on broadly based and widely accepted community norms.” In re Yahoo Mail Litig., 7 F. Supp. 3d at 1037. “Accepted community norms” include advance notice to plaintiffs and “whether [plaintiffs] had the opportunity to consent to or reject the very thing that constitutes invasion.” Id.

Regardless of whether Plaintiffs possessed a legally protected privacy interest or maintained a reasonable expectation of privacy, Plaintiffs here do not allege an intrusion that is highly offensive as a matter of public policy. Plaintiffs allege that Defendant disclosed personal information in the form of employment information, bank account information, and their eligibility for preapproval or approval for a credit card, but this information does not rise to the level of an “egregious breach of social norms.” Compl. ¶ 4; see Hammerling v. Google LLC, 615 F. Supp. 3d 1069, 1090 (N.D. Cal. 2022) (“Courts in this district have held that data collection and disclosure to third parties that is routine commercial behavior is not a highly offensive intrusion of privacy.”); In re Yahoo Mail Litig., 7 F. Supp. 3d at 1038 (“Even the disclosure of very personal information has not been deemed an egregious breach of social norms sufficient to establish a constitutional right to privacy”); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012) (finding that the disclosure of personal information, such as social security numbers, was not an “egregious breach of the social norms”); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (finding that the disclosure of the unique device identifier number, personal data, and geolocation information was not an egregious breach of privacy).

Accordingly, the Court GRANTS Defendant's motion to dismiss as to the invasion of privacy without prejudice.

iv. Plaintiffs lack statutory standing under the CDAFA and the UCL.

“The CDAFA prohibits certain computer-based conduct such as knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network.” Cottle, 536 F. Supp. 3d at 487 (internal citations omitted). “The CDAFA provides that only an individual who has ‘suffer[ed] damage or loss by reason of a violation’ of the statute may bring a civil action ‘for compensatory damages and injunctive relief or other equitable relief.’ ” Id. (citing Cal. Penal Code § 502(e)(1)). “[T]he CDAFA does not define damages or loss, and does not contain a specific monetary threshold for loss related to violations of the statute.” Id. (internal citations omitted).

Similarly, the UCL prohibits “unlawful, unfair or fraudulent business act or practice.” Cal. Bus. & Prof. Code § 17200. To have standing under the UCL, a plaintiff must “establish that they (1) suffered an injury in fact and (2) lost money or property as a result of the unfair competition.” Birdsong v. Apple, Inc., 590 F.3d 955, 959 (9th Cir. 2009).

Here, Plaintiffs state that they had a property interest in their personal information and that Plaintiffs lost money and property when Defendant disclosed their personal information with third parties. Compl. ¶¶ 273–74. However, Plaintiffs’ personal information does not constitute property. See Low, 900 F. Supp. 2d at 1030 (explaining that the “weight of authority” holds that a plaintiff's personal information does not constitute property); In re iPhone Application Litig., 844 F. Supp. 2d at 1074–75 (holding that personal information is not property). Additionally, Plaintiffs do not plead that they “ever attempted or intended to participate in the market for the information” Defendant disclosed or that they derived economic value from that information. Lau v. Gen Digit. Inc., No. 22-cv-08981-JST, 2023 WL 10553772, at *7 (N.D. Cal. Sept. 13, 2023). As a result, Plaintiffs fail to allege that they had a property interest in their personal information.

Plaintiffs also cannot make an argument that the profit Defendant made as a result of disclosing Plaintiffs’ data is sufficient to demonstrate a loss. See In re Facebook, Inc. v. Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 804 (N.D. Cal. 2019) (“Facebook may have gained money through its sharing or use of the plaintiffs’ information, but that's different from saying the plaintiffs lost money.”); Hazel v. Prudential Fin., Inc., No. 22-cv-07465-CRB, 2023 WL 3933073, at *6 (N.D. Cal. June 9, 2023) (explaining that even if a company made money off of the sharing or use of a plaintiff's information, that company's gain of money does not equal a plaintiff's loss of money or property).

Furthermore, even an argument that Plaintiffs experienced a diminution of the value of their private and personal information would not confer standing. See Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1082 (N.D. Cal. 2023) (finding that a diminution of the value of disclosed information was not a loss or damage). Plaintiffs, therefore, cannot allege lost money or property for purposes of standing under the CDAFA or the UCL.

Accordingly, the Court GRANTS Defendant's motion to dismiss for lack of standing as to the CDAFA and the UCL without prejudice.

v. Plaintiffs state a valid claim under the CCPA.

The CCPA provides a limited civil cause of action for any “consumer whose nonencrypted and nonredacted personal information ․ is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security practices.” Cal. Civ. Code § 1798.150(a)(1). Under the CCPA, “[a] third party shall not sell or share personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out.” Id. § 1798.115.

Although the CCPA “calls for enforcement by the California Attorney General,” it allows a private right of action in the event of a security breach. Delgado v. Meta Platforms, Inc., 718 F. Supp. 3d 1146, 1155 (N.D. Cal. 2024). Courts, however, have also permitted the CCPA claims to survive a motion to dismiss in cases where the plaintiff does not allege a data breach, but instead where the “defendants disclosed plaintiff's personal information without his consent due to the business's failure to maintain reasonable security practices.” M.G. v. Therapymatch, Inc., No. 23-cv-04422-AMO, 2024 WL 4219992, at *7 (N.D. Cal. Sept. 16, 2024).

In this case, Plaintiffs allege that Defendant knowingly collected, used, and sold Plaintiffs’ personal information to third and fourth parties without their consent. Compl. ¶ 292. Because Plaintiffs allege that Defendant allowed third parties to embed trackers, such as Google and Microsoft, on its website and that these trackers transmitted Plaintiffs’ personal information, Plaintiffs need not allege a data breach. Id. ¶¶ 51–52; see Therapymatch, 2024 WL 4219992, at *7 (finding that the plaintiff did not need to allege a data breach where the plaintiff disclosed plaintiff's personal information without his consent); Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 924 (S.D. Cal. 2020) (finding that plaintiffs alleged a sufficient CCPA claim when defendants disclosed their personal information over the internet but there was no theft). Because Plaintiffs plead that Defendant disclosed their personal information without their consent, Plaintiffs state a CCPA claim.

Accordingly, the Court DENIES Defendant's motion to dismiss as to the CCPA claim.

vi. Plaintiffs do not state a claim of the CRA under section 1789.81.5 and 1798.82 of the California Civil Code.

The Court first addresses Plaintiffs’ CRA claim under section 1789.81.5. Defendant argues that because Defendant is a financial institution, as Plaintiffs state, it is therefore exempt from liability for any violations of section 1798.81.5(b) of the California Civil Code. Plaintiffs allege that Defendant is a business within the meaning of section 1798.81.5(b). Compl. ¶ 301. Because Defendant is a financial institution under section 1798.81.5, the Court GRANTS Defendant's motion to dismiss without leave to amend as to Plaintiffs’ section 1789.81.5 claims. See Cal. Civ. Code § 1798.81(e)(2) (exempting financial institutions from liability under section 1798.81.5); Chen v. JPMorgan Chase Bank, N.A., 745 F.Supp.3d 1025, 1033–34 (C.D. Cal. 2024) (dismissing the plaintiffs’ section 17998.81.5(b) claims because the defendant is a financial institution).

The Court next addresses Plaintiffs’ CRA claim under Section 1798.82. “The CRA regulates businesses with regard to treatment and notification procedures relating to their customers’ personal information.” In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F. Supp. 3d 1284, 1300 (S.D. Cal. 2020). It requires businesses to “maintain reasonable security procedures and practices appropriate to the nature of the information” and to protect “personal information from unauthorized access, destruction, use, modification, or disclosure.” Cal. Civ. Code § 1798.81.5. Section 1798.82 requires a business that “owns or licenses computerized data that includes personal information” to disclose a “breach of the security of the system following discovery or notification of the breach.” Id. § 1798.82(a).

Plaintiffs allege that the CRA applies because Defendant knew that Plaintiffs’ information was acquired by unauthorized persons and failed to disclose it to Plaintiffs. Compl. ¶¶ 303–04. However, there must be a breach of security to show a CRA claim. See Cal. Civ. Code § 1798.82(a) (stating that a person or business shall “disclose a breach of security of the system following discovery or notification of the breach”). Here, Plaintiffs fail to allege that there was a breach of security. Compl. ¶ 303. Furthermore, a claim under section 1798.82 is “not actionable for the breach itself” but instead for the “unreasonably delayed notification,” so Plaintiffs must allege when the breach occurred. See Chen, 745 F.Supp.3d at 1034. Plaintiffs not only fail to allege that there was a security breach, but also fail to allege when Defendant became aware of the alleged breach. See id. (dismissing the CRA claim because the plaintiff did not make it clear whether the transfers of funds constituted “security breaches”).

Accordingly, the Court GRANTS Defendant's motion to dismiss as to the CRA section 1798.82 claim without prejudice.

vii. Plaintiffs do not state as claim for breach of express contract.

“To state a claim for breach of contract, Plaintiffs must allege four elements: (1) the existence of a contract, (2) plaintiffs’ performance under the contract, (3) defendant's breach, and (4) damage to the plaintiff.” Hammerling, 615 F. Supp. 3d at 1094 (citing In re Facebook, Inc. Internet Tracking Litig., 956 F. 3d at 610).

The Court finds that Plaintiffs did not state a claim as to the breach of express contract. In the complaint, Plaintiffs allege that they entered a contract with Defendant, but Plaintiffs then fail to cite to any specific section of the contract that Defendant allegedly violated. Compl. ¶¶ 307, 311. Instead, Plaintiffs state generally that Defendant breached its express contract with Plaintiffs “to protect their nonpublic personal information.” Id. ¶ 308. They do not cite where in the contract Defendant agreed to protect their nonpublic personal information or when Defendant explicitly promised not to disclose their data. Id. Plaintiffs, therefore, do not state a claim that Defendant breached anything it promised. See Hammerling, 615 F. Supp. 3d at 1095 (finding that Plaintiffs could not state a claim for breach of contract without alleging that a “specific promise” was breached).

Accordingly, the Court GRANTS Defendant's Motion to Dismiss as to the breach of express contract without prejudice.

viii. Plaintiffs also fail to state a claim as to breach of implied contract.

“The elements for a breach of an implied in fact contract are (1) the existence of the contract; (2) performance by the plaintiff or excuse for nonperformance; (3) breach by the defendant; (4) damages.” Prostar Wireless Grp., LLC v. Domino's Pizza, Inc., 360 F. Supp. 3d 994, 1010 (N.D. Cal. 2018) (internal citations omitted). An implied contract “consists of obligations arising from a mutual agreement and intent to promise where the agreement and promise have not been expressed in words.” Id.

Here, Plaintiffs allege that they had an implied contract with Defendant that it would keep their personal information confidential. Opp'n at 18. Plaintiffs do not state a claim because they fail to expand on the nature of the implied contract. See In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953, 982 (N.D. Cal. 2016) (finding that plaintiffs must elaborate into the scope of the implied contract to state an implied contract claim). Plaintiffs also fail to differentiate the express contract claim from the implied contract claim. Compl. ¶¶ 308, 309. Plaintiffs must elaborate on whether the implied contract involves separate promises from the express contract because if Plaintiffs allege that there is an express contract on the matter, they cannot also allege an implied contract. See Hammerling, 615 F. Supp. 3d at 1096 (explaining that there cannot be an implied contact where there is a “valid express contract covering the same subject matter). Because Plaintiffs have not done so, they do not state a claim as to implied contract.

Accordingly, the Court GRANTS Defendant's motion to dismiss as to breach of implied contract without prejudice.

i. Plaintiffs fail to allege a breach of confidence claim.

A breach of confidence claim is grounded on “an implied-in-law or quasi-contractual theory.” Berkla v. Corel Corp., 302 F.3d 909, 918 (9th Cir. 2002). A plaintiff cannot state a claim as to breach of contract when an express contract covers the same subject matter because there cannot be a valid express and implied contract “each embracing the same subject matter, existing at the same time.” Id.

Here, Plaintiffs do not state a claim as to breach of confidence because they allege that both express and implied contracts exist. Compl. ¶¶ 306–12. Because Plaintiffs allege the existence of an express contract, the express contract precludes the breach of confidence claim. See Toy, 2024 WL 1701263, at *3 (explaining that a breach of confidence claim “may not lie where a valid express contract covering the same subject matter exists”).

Accordingly, the Court GRANTS Defendant's motion to dismiss as to breach of confidence without prejudice.

ii. Plaintiffs state a claim for unjust enrichment.

As courts in the Northern District have previously found, “California law on unjust enrichment remains somewhat unclear.” Hammerling, 615 F. Supp. 3d at 1096. The Ninth Circuit has previously held that unjust enrichment is not an independent cause of action but has described “the theory underlying a claim that a defendant has been unjustly conferred a benefit through mistake, fraud, coercion, or request.” Id. (citing Astiana v. Hain Celestial Grp., Inc., 783 F.3d 753, 762 (9th Cir. 2015)). “When a plaintiff alleges unjust enrichment, a court may construe the cause of action as a quasi-contract claim seeking restitution,” but the quasi-contract claim does not hold “when an enforceable, binding agreement exists defining the rights of the parties.” Id. (internal citations omitted).

Both the Ninth Circuit and the California Supreme Court have allowed independent claims for unjust enrichment to proceed. See Bruton v. Gerber Prod. Co., 703 F. App'x 468, 470 (9th Cir. 2017) (permitting an unjust enrichment independent cause of action to proceed in an insurance case); In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 803 (N.D. Cal. 2019) (permitting an independent unjust enrichment claim alongside valid breach of contract and fraud claims). “To allege unjust enrichment as an independent cause of action, a plaintiff must show that the defendant received an unjustly retained a benefit at the plaintiff's expense.” Katz-Lacabe v. Oracle Am., Inc., 668 F. Supp. 3d 928, 945 (N.D. Cal. 2023).

Here, Plaintiffs may bring an unjust enrichment claim because Plaintiffs allege that Defendant benefited from using Plaintiffs’ information and that Plaintiffs’ remedies at law are inadequate. Compl. ¶ 320. These allegations are all that is necessary at this stage in the proceedings. See A.J. v. LMND Med. Grp., No. 24-cv-03288-RFL, 2024 WL 4579143, at *4 (N.D. Cal. Oct. 25, 2024) (finding that plaintiffs’ allegation that defendant benefitted from their information by exchanging it without their consent and that plaintiffs failed to receive the benefit of their bargain was sufficient to preclude dismissal); Meta Platforms, 690 F. Supp. 3d at 1086 (permitting plaintiffs to plead an unjust enrichment claim in a motion to dismiss because plaintiffs allege that their remedies at law are inadequate).

Accordingly, the Court DENIES Defendant's motion to dismiss as to unjust enrichment.

iii. Plaintiffs do not state a claim as to bailment.

Bailment is the “deposit of personal property with another, usually for a particular purpose.” United States v. Alcaraz-Garcia, 79 F.3d 769, 774 n.11 (9th Cir. 1996). California law has defined it as “the delivery of a thing in trust for a purpose upon an implied or express contract.” Whitcombe v. Stevedoring Servs. of Am., 2 F.3d 312, 317 (9th Cir. 1993).

In this case, Plaintiffs do not allege a deposit of personal property that falls within the scope of bailment because they only allege that they deposited their personal information, which is not personal property under bailment. See Worldwide Media, Inc. v. Twitter, Inc., 17-cv-07335-VKD, 2018 WL 5304852, at *11 (N.D. Cal. Oct. 24, 2018) (finding that credit card information was not personal property for purposes of bailment because it was not something defendant could take custody of and then later return); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 974 (S.D. Cal. 2012) (finding that a plaintiff's personal information was not personal property in the sense that a plaintiff “somehow delivered this property” and then “expected it be returned.”). Plaintiffs, therefore, have not stated a claim as to bailment.

Accordingly, the Court GRANTS Defendant's motion to dismiss as to bailment with prejudice.

iv. Plaintiffs state a claim as to declaratory judgment.

“Declaratory relief is a remedy, not an independent cause of action.” Baton, 740 F. Supp. 3d at 913; see also Fiedler v. Clark, 714 F.2d 77, 79 (9th Cir. 1983) (holding that the Declaratory Judgment Act does not provide an independent jurisdictional basis for suits in federal court, and instead “only permits the district court to adopt a specific remedy when jurisdiction exists”). It must be predicated on an actual controversy, which is definite and concrete ․ real and substantial.” Id. (internal citations omitted).

Although Defendant contends that the declaratory judgment claim is duplicative of other claims, Plaintiffs may still bring a declaratory judgment cause of action at the motion to dismiss stage. See Cottle, 536 F. Supp. 3d at 483 (finding that other courts in the Northern District of California have denied “motions to dismiss equitable claims because plaintiffs may pursue alternative remedies at the pleading stage”). Furthermore, Plaintiffs’ claims for declaratory judgment are predicated on negligence, a claim for which Plaintiffs have sufficiently stated a claim. Compl. ¶ 332. Therefore, Plaintiffs state a claim as to declaratory judgment. See Baton, 740 F. Supp. 3d at 913 (permitting a declaratory judgment claim to survive a motion to dismiss because it was predicated on the well-plead negligence claim).

Accordingly, the Court DENIES Defendant's motion to dismiss as to declaratory judgment.

v. Plaintiffs state a claim for violation of the ECPA.

The ECPA “prohibits unauthorized ‘interception’ of an ‘electronic communication.’ ” Meta Platforms, 690 F. Supp. 3d at 1075 (citing In re Facebook, Inc. Internet Tracking Litig., 956 F.3d at 606–07). To state a claim, a plaintiff must “plausibly allege” that Defendant intentionally intercepted the contents of Plaintiffs’ electronic communications using a device. Id. The one-party consent exemption provides that it is not unlawful for “a person not acting under color of law to intercept a wire, oral, or electronic communication” when that person is a party to the communication “or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted” to commit a crime or tort. 18 U.S.C. § 2511(2)(d).

Defendant argues that the “one-party consent exemption” applies because Defendant was a party to the communications. Mot. at 21. Here, Plaintiffs do allege in the complaint that Defendant intercepted Plaintiffs’ electronic communications. Compl. ¶ 376. However, Plaintiffs also allege that Defendant intercepted the contents of the electronic communications for an unauthorized purpose, which resulted in tortious acts. Id. ¶ 380. Because Defendant's actions are allegedly tortious, the one-party exemption does not apply. See Meta Platforms, 690 F. Supp. 3d at 1078 (holding that the “one-party consent exemption” does not apply when the party acts for the purpose of committing a tort).

Another reason that the one-party exemption does not apply is because the issue of whether Plaintiffs consented to Defendant's conduct is at the center of the dispute. Because consent is a factual determination, it cannot be determined on the pleadings. See id. (whether actual consent was given is an “evidence-bound” determination that is “inappropriate to reach on this motion”); see also Brown v. Google LLC, 685 F. Supp. 3d 909, 934 (N.D. Cal. 2023) (denying a motion for summary judgment on the consent prong because a “triable issue exist[ed] relative to the scope of [defendant's] consent”). Therefore, Plaintiffs state a claim as to the ECPA.

Accordingly, the Court DENIES Defendant's motion to dismiss as to the ECPA.

vi. Plaintiffs state a claim under the CIPA.

Defendant argues that Plaintiffs fail to state a claim under both sections 631 and 632. Mot. at 18. The Court addresses each section in turn.

a. Plaintiffs sufficiently state a claim as to section 631.

California Penal Code § 631(a)(2) applies to anyone who:

(2) willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message ․ while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state

Section 637.2 provides a civil cause of action for damages or an injunction to anyone “injured by a violation of this chapter ․ against the person who committed the violation ․ [.]” Cal. Pen. Code § 637.2.

Defendant argues that Plaintiffs’ CIPA claims under sections 631 fail because Plaintiffs consented to the data sharing practices in the privacy policy, do not allege that any third party read a communication “in transit,” and do not allege that Defendant disclosed “contents” of a communication. Mot. at 18, 19, 20. As for the first issue, Plaintiffs allege that Defendant recorded confidential communications without Plaintiffs’ authorization and consent, and then transmitted the communications to third parties. Compl. ¶¶ 352–53. Because this issue once again involves whether Plaintiffs consented, Plaintiffs’ allegations are sufficient for them to state a claim at this stage. See Javier v. Assurance IQ, LLC, 649 F. Supp. 3d. 891, 897 (N.D. Cal. 2023) (whether plaintiff gave implied consent “does not provide a basis for dismissal of the Section 631 claim against [the defendant] at this stage”).

Plaintiffs also sufficiently allege that Defendant accessed the communications in transit and provide details on how Defendant installed third-party trackers on its website. Compl. ¶ 51. Because these trackers allegedly recorded Plaintiffs’ activities for the purposes of marketing and tracked Plaintiffs’ activities and personal information, Plaintiffs plausibly allege that Defendant intercepted the communications while they were in transit. Id. ¶¶ 49, 52; see Doe v. Eating Recovery Ctr. LLC, No. 23-cv-05561-VC, 2024 WL 2852210, at *1 (N.D. Cal. June 4, 2024) (finding that plaintiff pled that Meta intercepted communications in transit because it alleged that Meta's transmission of information was instantaneous); Toy, 2024 WL 1701263, at *1 (finding that the complaint properly alleged that the Meta Pixel intercepted users’ interactions with the defendant's website in transit when it offered detailed allegations about how Meta Pixel worked).

Finally, Plaintiffs plead that Defendant disclosed “contents” of a communication under the CIPA. In the complaint, Plaintiffs state that the “contents” of their communication included Plaintiffs’ personal information, which is a content under CIPA. Compl. ¶ 354; see In re Google RTB Consumer Priv. Litig., 606 F. Supp. 3d 935, 949 (N.D. Cal. 2022) (finding that the definition of a content consists of both the communication and substance of the communication at issue). Because Plaintiffs’ communications included Plaintiffs’ personal information, Defendant therefore disclosed contents of the communication. As a result, Plaintiffs have sufficiently stated a claim as to section 631.

b. Plaintiffs sufficiently state a claim as to section 632.

Section 632 punishes a person who “intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication.” Cal. Pen. Code § 632(a).

Again, because this issue hinges on whether Plaintiffs consented to Defendant's disclosure, the Court finds that Plaintiffs allegations are sufficient for purposes of a motion to dismiss. See Meta Platforms, 690 F. Supp. 3d at 1078 (finding that the issue of whether plaintiffs actually consented is inappropriate at the pleadings stage).

Accordingly, the Court DENIES Defendant's motion to dismiss as to the CIPA.

vii. Plaintiffs do not state a claim for violations of the Stored Communications Act.

The Stored Communications Act “created a private right of action against anyone who ‘(1) intentionally accesses without authorization a facility through which an electronic communications service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.’ ” In re iPhone Application Litig., 844 F. Supp. 2d at 1057 (citing 18 U.S.C. § 2701(a)). “To state a claim under the [Stored Communications Act], Plaintiffs must allege that Defendants accessed without authorization ‘a facility through which an electronic communication service is provided.’ ” Id. (citing 18 U.S.C. § 2701(a)(1)). The Stored Communications Act, however, only provides liability for a provider that is a “remote computing services” or “electronic communication services.” Low, 900 F. Supp. 2d at 1022. An “electronic communication service” is “any service which provides to users thereof the ability to send and receive wire or electronic communications.” In re iPhone Application Litig., 844 F. Supp. 2d at 1057 (citing 18 U.S.C. § 2510(15)).

Plaintiffs allege in the complaint that Defendant is an electronic communication service because Defendant “intentionally procures and embeds” Plaintiffs’ personal information through the tracking technology on Defendant's website. Compl. ¶ 401. Defendant, however, is not an electronic communication service because its website does not allow customers to send and receive messages to third parties. Compare with In re Betterhelp, Inc., No. 23-cv-01033-RS, 2024 WL 4504527, at *2 (N.D. Cal. Oct. 15, 2024) (finding that the defendant was an electronic communication service because defendant's customers communicated with third parties through the “conduit” of defendant's websites). Instead, Defendant's website allows the third parties to track Plaintiffs’ personal information. Compl. ¶ 51. Plaintiffs themselves state that Plaintiffs were unaware of the presence of the trackers, and do not allege that they communicated with the third parties. Id. Because Defendant's website does not allow customers to send and receive messages to third parties, Defendant is not an electronic communication service. See Crowley v. CyberSource Corp., 166 F. Supp. 2d 1263, 1270 (N.D. Cal. 2001) (finding that the defendant was not an electronic communication service simply because it received emails from customers when it did not independently provide such services). Defendant, therefore, is not subject to liability under the Stored Communications Act.

Accordingly, the Court GRANTS Defendant's motion to dismiss as to the Stored Communications Act with prejudice because no amendment would change the fact that Defendant is not an electronic communication service.

viii. Plaintiffs do not allege a violation of the CFAA.

The CFAA makes intentionally accessing a computer without authorization a federal crime. 18 U.S.C. § 1030(a)(2)(C). It imposes a civil liability when someone “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” unless the “object of the fraud” is less than $5,000 in any 1-year period.” Id. § 1030(a)(4). “The term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system or information to its condition prior to the offense ․” Cottle, 536 F. Supp. 3d at 485 (citing 18 U.S.C. § 1030(e)(11)).

Plaintiffs do not state a claim as to CFAA because they do not allege with specificity a loss of $5,000. Here, Plaintiffs allege in a conclusory manner that Defendant's conduct caused loss of $5,000 in value for Plaintiffs, but never state how to value the loss. Compl. ¶ 419. The complaint only states that that “secret transmission” of Plaintiffs’ personal information caused this loss, but it does not go into further detail. Id. The alleged loss is therefore speculative, and insufficient for purposes of the CFAA. See Cottle, 536 F. Supp. 3d at 486 (dismissing plaintiffs’ CFAA claims because they do not allege how to value the alleged loss of their financial information and because plaintiffs do not allege that they suffered an “actual, concrete loss as a result of losing ‘protection of their banking data’ ”). Because Plaintiffs here do not sufficiently allege that they lost more than $5,000, they cannot state a CFAA claim.

Accordingly, the Court GRANTS Defendant's motion to dismiss as to the CFAA claim without prejudice.

IV. LEAVE TO AMEND

Pursuant to Rule 15(a)(2), a party may amend its pleadings with the opposing party's written consent or the court's leave. Fed. R. Civ. P. 15(a)(2). “The court should freely give leave when justice so requires.” Id. This policy is applied with “extreme liberality.” Eminence Cap., LLC v. Aspeon, Inc., 316 F.3d 1048, 1051 (9th Cir. 2003) (internal citation omitted). The nonmovant bears the burden of demonstrating why leave to amend should not be granted. DCD Programs, Ltd. v. Leighton, 833 F.2d 183, 187 (9th Cir. 1987). The Supreme Court has outlined five factors to consider in deciding whether leave to amend is warranted: (1) bad faith on the part of the movant, (2) undue delay by the movant, (3) repeated amendments by the movant, (4) undue prejudice to the nonmovant, and (5) futility of the proposed amendment. Foman v. Davis, 371 U.S. 178, 182, 83 S.Ct. 227, 9 L.Ed.2d 222 (1962). “Amendment need not be permitted when it would be futile—that is, when no set of facts can be proved under the amendment to the pleadings that would constitute a valid and sufficient claim.” Invenergy Thermal LLC v. Watson, No. 23-3857, 2024 WL 5205745, at *3 (9th Cir. 2024) (internal quotation omitted).

The Court finds that the prejudice to Defendant in allowing amendment is minimal. Furthermore, amendment is not futile. Plaintiffs have only submitted one complaint, and there is sufficient evidence in the complaint to show that additional facts could cure the complaint's deficiencies as to many of the causes of action. After considering the remaining Rule 15 factors, the Court finds that the presumption in favor of granting leave to amend as to the issues where facts may change the analysis. However, the Court declines to grant leave to amend as to negligence per se, bailment, and the Stored Communications Act because amendment would be futile.

The Court does not give leave to amend for Plaintiffs to add any additional claims to the complaint. Should the scope of any amendment exceed the leave to amend granted by this order, the Court will strike the offending portions of the pleading under Rule 12(f). See Fed. R. Civ. P. 12(f) (“The court may strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter. The court may strike from a pleading an insufficient defense or any redundant, immaterial, impertinent, or scandalous matter. The court may act: (1) on its own; or (2) on motion made by a party either before responding to the pleading or, if a response is not allowed, within 21 days after being served with the pleading.”).

V. CONCLUSION

For the foregoing reasons, the Court GRANTS-IN-PART and DENIES-IN-PART Defendant's motion to dismiss.

The Court GRANTS Defendant's motion to dismiss with prejudice as to negligence per se; bailment; and the Stored Communications Act.

The Court GRANTS Defendant's motion to dismiss with leave to amend as to invasion of privacy under the California Constitution; CDAFA; UCL; breach of express contract; breach of implied contract; breach of confidence; and CFAA.

The Court DENIES Defendant's motion to dismiss as to negligence; CCPA; unjust enrichment; declaratory judgment; ECPA; and CIPA.

Plaintiffs may file an amended complaint consistent with this order within 14 days of this Order and no later than March 17, 2025. No new claims or parties may be added without the Court's prior approval. A failure to meet this deadline will result in dismissal with prejudice under Federal Rule of Civil Procedure 41(b).

This Order terminates ECF 24.

IT IS SO ORDERED.

TRINA L. THOMPSON, United States District Judge