Brian MOUNT, Thomas Naiman, individually and on behalf of other similarly situated persons, Plaintiffs–Appellants, v. PULSEPOINT, INC., Defendant–Appellee.
AMENDED SUMMARY ORDER
Plaintiffs Brian Mount and Thomas Naiman appeal the Fed. R. Civ. P. 12(b)(6) dismissal of their state-law claims of deceptive business practices, see N.Y. Gen. Bus. Law § 349 (“§ 349”), and unjust enrichment, both of which stem from defendant PulsePoint, Inc.'s alleged circumvention of web-browser privacy features and its placement of tracking cookies on plaintiffs' computers in order to gather information about their internet use. PulsePoint defends the dismissal and further reiterates its challenge to plaintiffs' Article III standing, which the district court had rejected. See Fed. R. Civ. P. 12(b)(1). We review de novo both plaintiffs' standing and the dismissal of their complaint pursuant to Fed. R. Civ. P. 12(b)(6). See Allco Fin. Ltd. v. Klee, 805 F.3d 89, 93 (2d Cir. 2015). As to the latter, the pleadings, viewed most favorably to plaintiffs, must state “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). Conclusory allegations of law do not suffice. See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). In applying these standards here, we assume the parties' familiarity with the facts and record of prior proceedings, which we reference only as necessary to explain our decision to affirm for substantially the reasons stated by the district court in its thorough and well-reasoned decision. See Mount v. PulsePoint, Inc., No. 13 CIV. 6592 (NRB), 2016 WL 5080131 (S.D.N.Y. Aug. 17, 2016).
PulsePoint contends that plaintiffs fail to demonstrate the injury in fact necessary for Article III standing. See, e.g., Strubel v. Comenity Bank, 842 F.3d 181, 188–89 (2d Cir. 2016). To demonstrate injury in fact, a plaintiff must show the “invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992); accord Strubel v. Comenity Bank, 842 F.3d at 188. A plaintiff may carry this burden by alleging harm having “a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549 (2016).
The district court determined that plaintiffs adequately alleged two injuries in fact: loss of privacy and effect upon web-browser functionality. We agree as to loss of privacy and, therefore, need not address the latter. As the district court observed, PulsePoint's alleged unauthorized accessing and monitoring of plaintiffs' web-browsing activity implicates harms similar to those associated with the common law tort of intrusion upon seclusion so as to satisfy the requirement of concreteness. See Mount v. PulsePoint, Inc., 2016 WL 5080131, at *4 (citing In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262, 294 (3d Cir. 2016); In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 149–51 (3d Cir. 2015)).
PulsePoint argues that Nickelodeon and Google are distinguishable because those cases involved the collection of information identifiable or associable with individual users, something not alleged here. The cases themselves, however, do not signal that individual identification is required for standing purposes, nor does the common law tort of intrusion upon seclusion. See Restatement (Second) of Torts § 652B (1977) (observing that intrusion upon seclusion may be committed by “use of the defendant's senses, with or without mechanical aids, to oversee or overhear the plaintiff's private affairs”). Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), also does not assist defendants. The court found that the plaintiffs in that case did have standing to sue, and it only “refrain[ed] from supporting standing on plaintiffs' allegation that they had suffered ‘a concrete injury in the loss of their private information’ because they had no property right in that information.” Id. at 695. Further, the Remijas plaintiffs did not allege an invasion of privacy akin to the common law tort at issue here.
Accordingly, like the district court, we reject PulsePoint's standing challenge.
2. Failure To State Claim
a. New York General Business Law § 3491. Legal Standard
To state a § 349 claim, plaintiff must allege that defendant has engaged in (1) consumer-oriented conduct, (2) that is materially misleading, and (3) that caused plaintiff injury. See Koch v. Acker, Merrall & Condit Co., 18 N.Y.3d 940, 941, 944 N.Y.S.2d 452, 452 (2012). The third requirement, the only one here in dispute, demands actual injury, though not necessarily pecuniary harm. See Stutman v. Chem. Bank, 95 N.Y.2d 24, 29, 709 N.Y.S.2d 892, 896 (2000). Plaintiffs' satisfaction of the injury requirement for standing does not necessarily satisfy the injury requirement of § 349. See In re Methyl Tertiary Butyl Ether (“MTBE”) Prods. Liab. Litig., 725 F.3d 65, 105, 107 (2d Cir. 2013) (recognizing constitutional standing may not per se establish injury under New York state law).
2. Privacy Loss Injury
Plaintiffs argue that the alleged invasion of their privacy constitutes injury cognizable by § 349. No New York court, however, has ever construed § 349 to reach the privacy invasion alleged here, i.e., collection of internet users' aggregated, anonymized web-browsing data. Rather, § 349 injury has been recognized only where confidential, individually identifiable information—such as medical records or a Social Security number—is collected without the individual's knowledge or consent. See Mount v. PulsePoint, Inc., 2016 WL 5080131, at *11–12 (citing Meyerson v. Prime Realty Servs., LLC, 7 Misc. 3d 911, 912, 796 N.Y.S.2d 848, 850 (Sup. Ct. N.Y. Cty. 2005); Anonymous v. CVS Corp., 188 Misc. 2d 616, 618, 728 N.Y.S.2d 333, 335 (Sup. Ct. N.Y. Cty. 2001)). Plaintiffs' argument urging a more expansive interpretation of these precedents is not persuasive largely for the reasons stated by the district court. See id. at *12 (“[B]oth decisions treated the information at issue as presumptively confidential ․ [and] [p]laintiffs supply no basis for us to assume that New York courts would consider the information allegedly collected here to possess a similar status.”). We express no view on whether an injury needs to be “material” to satisfy the statutory requirement. Rather, we conclude only that, absent any allegations that the data collected would or could be associated with individual users (or some other alleged factual basis for a cognizable privacy injury), there is no basis in New York law to recognize a cognizable injury under § 349.
Insofar as plaintiffs urge us to take judicial notice of five documents pertaining to § 349's legislative history, those documents warrant no different result. They speak only to the expected efficacy of consumer enforcement of § 349. Similarly, the notices of assurances by attorneys general serve to establish only that New York's Attorney General relied therein upon authority conferred by § 349, which, as to the Attorney General, does not require a demonstration of injury at all. See N.Y. Gen. Bus. Law § 349(b).
Accordingly, plaintiffs cannot rely on a privacy injury not cognizable by § 349 to state a claim under that statute.
3. Other Injuries
Plaintiffs urge two other bases for identifying § 349 injury: degradation in the value of their computers and misappropriation of their personal information. Neither persuades. Plaintiffs conceded below that they alleged no performance issues or other tangible harm to their devices, and their argument on appeal—that the disabling of a cookie-blocker and installation of cookies on their computers was “unauthorized access,” which they contend is itself a § 349 injury—has no support in case law and is, moreover, belied by plaintiffs' apparent concession that such access is insufficient to constitute trespass to chattel. Insofar as plaintiffs' “unauthorized access” argument attempts to circumvent the district court's conclusion that no trespass-to-chattel injury is alleged, see Mount v. PulsePoint, Inc., 2016 WL 5080131, at *9–10, plaintiffs cite no authority suggesting that de minimis access to their computers qualifies as “injury” under § 349, which, as we have already noted, has never been construed to reach such harms. Plaintiffs' “misappropriation” theory of injury rests on their professed loss of the ability to monetize the anonymous web browsing information allegedly collected by PulsePoint.1 This theory fails because plaintiffs do not allege that PulsePoint's data collection practices actually deprived them of any opportunity to sell their own personalized information. See id. at *6.
Accordingly, because plaintiffs failed to plead injury cognizable under § 349, that statutory claim was correctly dismissed.
b. Unjust Enrichment
To state a claim for unjust enrichment under New York law, a plaintiff must plead facts showing “that (1) defendant was enriched, (2) at plaintiff's expense, and (3) equity and good conscience militate against permitting defendant to retain what plaintiff is seeking to recover.” Diesel Props S.r.l. v. Greystone Bus. Credit II LLC, 631 F.3d 42, 55 (2d Cir. 2011) (internal quotation marks omitted); see also Mandarin Trading Ltd. v. Wildenstein, 16 N.Y.3d 173, 183, 919 N.Y.S.2d 465, 472 (2011) (stating that conclusory allegations are insufficient). As the district court observed, plaintiffs admitted that their theory of unjust enrichment was based solely on injury stemming from the alleged misappropriation of their browsing information. See Mount v. PulsePoint, Inc., 2016 WL 5080131, at *13. The district court consequently determined that plaintiffs' failure to allege specific loss or deprivation of opportunity to profit from that information warranted dismissal of their claim. See id.; Edelman v. Starwood Capital Grp., LLC, 70 A.D.3d 246, 250, 892 N.Y.S.2d 37, 41 (1st Dep't 2009) (rejecting unjust-enrichment claim where proprietary information was wrongfully obtained from plaintiff, but defendants' use “did not come at plaintiffs' expense, and plaintiffs did not suffer any loss in connection with that use”). Without opining on whether plaintiffs may have been able to state an unjust-enrichment claim on some other basis under New York law,2 we simply hold that no different conclusion obtains here merely because plaintiffs characterize the relief they seek as equitable restitution, rather than damages. See Mandarin Trading Ltd. v. Wildenstein, 16 N.Y.3d at 183, 919 N.Y.S.2d at 472 (requiring in all cases that plaintiffs plead enrichment at their expense).
Accordingly, because plaintiffs failed to plead common law unjust enrichment, that claim was properly dismissed.
We have considered the parties' remaining arguments and conclude that they are without merit. Accordingly, the August 17, 2016 judgment of the district court is AFFIRMED.
1. To the extent that plaintiffs now argue that they were deprived of the benefit of their web browser's cookie-blocking feature, the complaint contains no allegations which suggest plaintiffs were aware of this feature, or otherwise derived value from it.
2. The conclusion that plaintiffs have sufficiently alleged harm bearing a close relationship to the common law tort of intrusion upon seclusion to establish their standing is not tantamount to a finding that they have adequately alleged an intentional violation of a legal right as a basis for their unjust enrichment claim. Cf. Am. Psychiatric Ass'n v. Anthem Health Plans, Inc., 821 F.3d 352, 359 (2d Cir. 2016) (“[T]he absence of a valid cause of action does not implicate subject-matter jurisdiction․” (alteration omitted) (quoting Lexmark Int'l Inc. v. Static Control Components, Inc., 134 S. Ct. 1377, 1386–87 n.4 (2014)).