In Wesch v. Yodlee, Inc., 20-cv-05991 (N.D. Cal.) individual consumer plaintiffs brought a putative class action against defendants Yodlee, Inc. and its parent company Envestnet, Inc.  Yodlee provides software to financial institutions to facilitate online transactions.  Plaintiffs accuse defendants of secretly collecting and retaining their user information without their consent, and selling that information to third parties.  Plaintiffs asserted a raft of claims against defendants, alleging violation of the federal Stored Communications Act (“SCA”) and the federal Computer Fraud and Abuse Act (“CFAA”), as well as state law claims for invasion of privacy, unjust enrichment, willful deception, as well as violation of California’s Unfair Competition Law (“UCL”), California’s Comprehensive Data Access and Fraud Act (“CDAFA”), and the California Anti-Phishing Act of 2005.

Yodlee moved to dismiss all of these claims on the merits, and Envestnet moved to dismiss for lack of jurisdiction.  The court’s opinion granting in part, denying in part, and withhold judgment on portions of these motions is noteworthy for two reasons.  First, it gives the plaintiffs tremendous leeway to remedy and even supplement each of their deficient claims.  Second, it provides a comprehensive primer on how data privacy claims should be pleaded in California to avoid early dismissal (and how a defendant can challenge the sufficiency of each of these claims at the motion to dismiss stage).

With respect to the federal claims, Yodlee was successful…sort of.  Under the SCA, the plaintiffs were required to plead that Yodlee “knowingly divulged to any person or entity the contents of a communication while in electronic storage by that service.”  While the plaintiffs successfully alleged that Yodlee accessed the contents of a communication, they failed to plead that the manner and purpose in which Yodlee collected the data met the definition of “electronic storage” under the SCA.  The SCA states that “electronic storage” consists of “temporary, intermediate storage” of information “for the purposes of backup protection.”  Here, Yodlee retained the information for lengthy periods of time, and the plaintiffs alleged that the purpose of this retention was to regularly misuse the data.  The court dismissed the claim, but with leave to amend (as it did with respect to every other dismissed claim).

Likewise, the court dismissed the CFAA claim, which requires a showing that a defendant exceeded its authorized access to a computer system, causing damage to the data or computer system itself, causing loss or harm.  The court dismissed this claim due to plaintiffs’ failure to plead loss or harm in anything other than a conclusory fashion.  However, the court not only gave plaintiffs leave to amend this claim to meet the pleading requirements, it went through each element of the CFAA claim and informed the plaintiffs whether they had sufficiently pleaded the elements.  If they had not, as in the case of the “damage” prong, the court then provided plaintiffs guidance on how to properly plead each of those elements in its amended complaint.

With respect to the state claims, the CDAFA claim requires substantively the same showing as the CFAA claim.  The court likewise dismissed the CDAFA claim for failure to sufficiently plead harm with leave to amend, and gave additional guidance to the plaintiffs on how to properly plead each element of the claim.

The court declined to dismiss the invasion of privacy claim, the unjust enrichment claim, and the willful deception claim.  The Anti-Phishing Act claim survived because plaintiffs successfully pleaded that Yodlee induced them to provide identifying information by representing itself as the financial institutions who used its software without the authority or approval of the business.  (This one is unsurprising.  Without additional evidence, it’s incredibly difficult at the pleading stage to rebut an allegation that a defendant lacked authorization from a third party.)  The court found that plaintiffs lacked standing under the UCL because they did not allege that they lost money or property as the result of Yodlee’s unfair competition.  But, consistent with the other dismissed claims, plaintiffs were given the opportunity to amend their complaint to allege that loss.

Finally, the court withheld ruling on Envestnet’s motion to dismiss for lack of jurisdiction.  Envestnet was brought in under the theory ofalter ego jurisdiction – that there was, in effect, no separation between Envestnet and its subsidiary.  Although an “extreme remedy, sparingly used,” in the court’s words, and one for which plaintiffs had failed to plead sufficient facts to proceed, the court permitted the plaintiffs to conduct limited jurisdictional discovery and reserved ruling on the motion to dismiss until after the discovery was complete.

If you’ve made it this far, you get that the court did quite a bit in this opinion.  From a plaintiff’s perspective, this opinion is not only a roadmap on how to plead each of these claims against a defendant, it is strong support for an argument that even clearly flawed pleadings should not be dismissed with prejudice.  From a defendant’s perspective, it is a roadmap on how to challenge the sufficiency of multiple consumer privacy claims, particularly in venues where plaintiffs do not request leave to amend and/or the court is not inclined to permit amendment following a successful motion to dismiss.

We anticipate that this case will not only see some interesting briefing and arguments in the coming months, but that the court’s opinion will be used in litigation across California and the country in the months and years to come.  And we’ll be keeping an eye on it for you.