ORDER GRANTING MOTION OF APPLE INC. TO DISMISS WITH LEAVE TO AMEND

YVONNE GONZALEZ ROGERS, District Judge.

Plaintiff Maria Pirozzi brings this putative class action against Defendant Apple Inc. ("Apple") for failing to prevent third-party software applications distributed through its online App Store from uploading user information from their mobile devices without permission. Plaintiff asserts six claims against Apple: (1) Violations of California's Unfair Competition Law ("UCL"), Cal. Bus. & Prof.Code §§ 17200 et seq.; (2) Violations of California's False Advertising Law ("FAL"), Cal. Bus. & Prof.Code §§ 17500 et seq.; (3) Violations of California's Consumer Legal Remedies Act ("CLRA"), Cal. Civ.Code §§ 1750 et seq.; (4) Negligent Misrepresentation; (5) Negligence; and (6) Unjust Enrichment.

Apple has filed a Motion to Dismiss on the grounds that Plaintiff's claims are barred by Section 230 of the Communications Decency Act, 47 U.S.C. § 230; Plaintiff lacks Article III standing; Plaintiff fails to satisfy the particularity requirement of Rule 9(b); and each of Plaintiff's claims fails to state a claim upon which relief can be granted.

Having carefully considered the papers submitted, the Amended Class Action Complaint ("CAC"), for the reasons set forth below, the Court hereby GRANTS the Motion to Dismiss WITH LEAVE TO AMEND.

I. BACKGROUND1

Plaintiff alleges as follows: Apple designs and manufactures three popular mobile devices: the iPhone, the iPod touch and the iPad (collectively "Apple Devices"). Owners of Apple Devices can customize their user experience by installing third-party software applications ("Apps"). (CAC ¶¶ 21-25.) These Apps are integral to users' experiences when operating Apple Devices. Apple operates an online "App Store" "where customers can shop for and acquire apps offered by Apple and third-party developers." (Id. ¶ 21.) The App Store is the exclusive source from which owners of Apple Devices can obtain Apps for their Apple Devices.

Apple completely controls users' experience from development of the Apple Device to development and selection of the Apps available at the Apps Store. (Id. ¶¶ 21, 25, 35.) Apple claims to "review every app on the App Store based on a set of technical, content, and design criteria." (Id. ¶ 38.) The App approval process "ensure[s] that applications are reliable, perform as expected, and are free of explicit and offensive material." (Id.)

The App Store Review Guidelines provide that "Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used." (Id.) "In order to offer an application for download in the App Store, a third-party developer must be registered as an `Apple Developer' and agree to the iOS Developer Agreement (the `IDA') [sic] and the Program License Agreement (the `PLA') with Apple as well as [a] $99 yearly registration fee." (Id. ¶ 29.) Among other provisions, the PLA contractually requires developers to obtain user consent before they collect any user or device data through their apps. (Id. ¶ 36.) Apple also "provides third-party developers with review guidelines, and conducts a review of all applications submitted for inclusion in the App Store for compliance with these documents." (Id. ¶ 29.) "The App Store Review Guidelines set forth the technical, design, and content guidelines [that] Apple [uses] when reviewing an app for inclusion in Apple's App Store." (Id. ¶ 36.)

According to Apple, its iOS operating system "`is highly secure from the moment you turn on your iPhone. All apps run in a safe environment, so a website or app can't access data from other apps. iOS also supports encrypted network communication to protect your sensitive information. To guard your privacy, apps requesting location information are required to get your permission first. You can set a passcode lock to prevent unauthorized access to your device[.]' Apple makes similar claims with respect to the iPad and the iPod Touch." (Id. ¶ 37 (alteration in original).)

Notwithstanding Apple's representations regarding its protection of users' personal information and the security of the iOS operating system, "Apple-approved apps have downloaded and/or copied users' private address book information (including names and contact information of users' contacts), location data, private photographs and videos without the users' knowledge or consent when a user agrees to allow an app to access the user's then current locations." (Id. ¶ 41.) "For example, in early February 2012, it was revealed that one such app, Path, was uploading data stored on users' Apple Devices (including address book and calendar) to its servers." (Id. ¶ 42.) "[O]ther popular apps such as Angry Birds, Cut-the-Rope, Twitter, Facebook, LinkedIn, Gowalla, Foodspotting, Instagram, Foursquare, Beluga, Yelp!, Hipster and Kik Messenger among others, have likewise downloaded users' data without their explicit consent in contrast to Apple's stated policy." (Id. ¶ 43.) And while "copying address book data, photos and videos without a user's consent is against Apple's rules ... [, Apple has] failed to properly screen apps and allowed such apps to be sold in the App Store." (Id. ¶ 46.)

Plaintiff does not specify when she reviewed any of these statements, but claims that she relied upon statements by Apple in her decision to purchase an Apple Device and in her decision to purchase Apps from the App Store. The 27-page CAC has only one paragraph regarding Named Plaintiff Maria Pirozzi:

(CAC ¶ 8.)

Plaintiff does not specify which Apple Device(s) she owns, which Apps she downloaded from the App Store, or whether any third-party App actually uploaded personal information from her mobile device. Rather, she alleges generically, that "Apple failed to properly safeguard Apple Devices and, instead, induced Plaintiff to purchase an Apple Device and to download apps under the premise that Plaintiff's private information would remain confidential." (Id. ¶ 3.) Plaintiff further alleges that "Apple failed to safeguard Plaintiff's personal information from potential misappropriation." (Id. ¶ 53.) Plaintiff has paid for third-party Apps through Apple's App Store that has left her personal information vulnerable to unauthorized access. (Id. ¶ 54.) On this basis, "Plaintiff alleges that Apple invaded and/or facilitated the invasion [of] her privacy, misappropriated and misused her personal information, and interfered with the operability of her mobile device." (Id. ¶ 4.)

II. STANDING ANALYSIS

Apple challenges Plaintiff's standing to bring this action and moves to dismiss pursuant to Rule 12(b)(1). A motion under Rule 12(b)(1) challenges the grounds for the Court's subject matter jurisdiction. See Fed.R.Civ.P. 12(b)(1). If a plaintiff lacks standing under Article III of the U.S. Constitution, then the Court lacks subject matter jurisdiction. Because standing is a threshold jurisdictional question, the Court will address this issue first. See Steel Company v. Citizens for a Better Environment, 523 U.S. 83, 94, 102, 118 S.Ct. 1003, 140 L.Ed.2d 210 (1998).

To establish Article III standing, a plaintiff must satisfy three elements: (1) "injury in fact — an invasion of a legally protected interest which is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical"; (2) causation — "there must be a causal connection between the injury and the conduct complained of'; and (3) redressability — "it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (internal quotation marks, citations and footnote omitted). In the class action context, the named plaintiff must show that she personally has suffered an injury, not just that other members of the putative class suffered the injury. Lierboe v. State Farm Mut. Auto. Ins. Co., 350 F.3d 1018, 1022 (9th Cir.2003) ("if none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.").

Apple argues that Plaintiff fails to allege that she lost money or that any third-party App uploaded personal information from her mobile device. Apple further argues that Plaintiff suffered no economic loss. However, Apple's arguments misconstrue the nature of Plaintiff's allegations in Counts I through IV of the CAC. As Apple recognizes, Plaintiff asserts that Apple's "misrepresentations and omitted material facts' purportedly induced her `to purchase [an] Apple Device.'" In that regard, Apple argues that Plaintiff fails to allege that she relied upon any statement when she purchased a third-party App.

Plaintiff alleges two injuries: (1) that she overpaid for her Apple Device and/or was induced to purchase an Apple Device; and (2) misappropriation of her valuable personal information. With respect to the first injury, Plaintiff alleges that she was "misled as to the nature and integrity of Apple's products." (CAC ¶ 60.) "Apple has repeatedly advertised that its products were safe and secure. Apple has further assured consumers that it closely monitors the apps available in the App Store." (Id. ¶ 68.) Plaintiff "acted in response to the statements made by Apple when [she] purchased an Apple Device." Plaintiff based her decision to purchase the Apple Device and/or purchase apps through the App Store in substantial part on Apple's misrepresentations. (Id. ¶ 71.)

Overpaying for goods or purchasing goods a person otherwise would not have purchased based upon alleged misrepresentations by the manufacturer would satisfy the injury-in-fact and causation requirements for Article III standing. Counts I through IV, for violations of California's UCL, FAL and CLRA, and Negligent Misrepresentation, allege that Plaintiff overpaid and/or purchased an Apple Device based upon Apple's alleged misrepresentations. However, Plaintiff fails to allege specifically which statements she found material to her decision to purchase an Apple Device or App. Based on the failure to allege these facts, Plaintiff has not suffered an injury-in-fact that is caused by the complained of conduct.

With respect to the second harm identified, misappropriation of her personal information, Plaintiff has not alleged that a third-party App developer actually misappropriated her personal information, only that her personal information is at a greater risk of being misappropriated. "The hypothetical threat of future harm due to a security risk to Plaintiff's personal information is insufficient to confer Article III standing." Hernandez v. Path, Inc., 12-CV-01515 YGR, 2012 WL 5194120, at *2 (N.D.Cal. Oct. 19, 2012) (citing Krottner v. Starbucks Corp., 628 F.3d 1139, 1141-43 (9th Cir.2010)). Plaintiff argues that In re iPhone Application Litig., 844 F.Supp.2d 1040, 1054 (N.D.Cal.2012) is particularly instructive. (Opp'n 15.) The Court agrees, but not for the reasons Plaintiff argues. In dismissing the plaintiffs' first complaint in In re iPhone Application Litigation, Judge Koh identified the following information required for Article III standing: "(a) which `iDevices they used;' (b) `which Defendant (if any) accessed or tracked their personal information;' (c) which apps they downloaded that `access[ed]/track[ed] their personal information,' and; (d) `what harm (if any) resulted from the access or tracking of their personal information.'" Id. at 1054 (citing In re iPhone Application Litig., 11-MD-02250 LHK, 2011 WL 4403963 (N.D.Cal. 2011)). The amended complaint in the iPhone Application Litigation addressed these deficiencies, and therefore, Judge Koh found that based on the facts alleged in the amended complaint, the plaintiffs had standing. Here, the CAC suffers from many of the same deficiencies as the original complaint in the iPhone Application Litigation.

At this juncture, Plaintiff fails to identify which Apple Devices she used; which Apps accessed or tracked her personal information (if any); or the resulting harm from the data collection. Should Plaintiff choose to proceed on the theory that she has been harmed by actual collection of her personal information, she will need to identify which of the Apple Devices she used, which Apps she downloaded that accessed or tracked her personal information (if any), and what harm (if any) resulted from the accessing or tracking of her personal information. Because her claim for Negligence (Count V) fails to allege any harm to Plaintiff from misappropriation of her personal information caused by Apple's alleged negligence, she lacks standing to bring that claim. Additionally, to the extent that Plaintiff believes that her personal information has inherent economic value, her Unjust Enrichment claim (Count VI) fails to allege that Apple ever received any of the personal information (or some other benefit from Plaintiff's personal information) that was purportedly collected by a third-party App maker. Therefore, as alleged, Plaintiff does not have standing to bring claims for Negligence (Count V) or Unjust Enrichment (Count VI).

Based on the foregoing analysis, the Court concludes that Plaintiff does not have standing. For that reason, all claims are DISMISSED WITH LEAVE TO AMEND consistent with this Order.

III. RULE 12(b)(6) ANALYSIS

A motion to dismiss under Rule 12(b)(6) tests the legal sufficiency of the claims alleged in the complaint. Ileto v. Glock, Inc., 349 F.3d 1191, 1199-1200 (9th Cir.2003). All allegations of material fact are taken as true. Johnson v. Lucent Techs., Inc., 653 F.3d 1000, 1010 (9th Cir. 2011). To withstand a motion to dismiss, "a complaint must contain sufficient factual matter, accepted as true, to `state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 557, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)).2

A. COMMUNICATION DECENCY ACT

Apple argues that Section 230(c)(1) of the Communication Decency Act ("CDA"), 47 U.S.C. § 230, renders it immune from liability in this case. Section 230(c)(1) states: "[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider." Id. § 230(c)(1).

The CDA protects from liability (1) a provider of an interactive computer service (2) whom a plaintiff seeks to treat as a publisher (3) of information provided by another information content provider. Barnes v. Yahoo!, Inc., 570 F.3d 1096, 1100-01 (9th Cir.2009).3 "[A]n `interactive computer service' qualifies for immunity so long as it does not also function as an `information content provider' for the portion of the statement or publication at issue." Carafano v. Metrosplash.com, Inc., 339 F.3d 1119, 1123 (9th Cir.2003). The CDA is an affirmative defense that protects a service provider from liability for providing access to offensive or objectionable content that was created by another but the CDA does not protect a service provider for providing access to content that the service provider itself created. Barnes, supra, 570 F.3d at 1101-02. If an "interactive computer service" is responsible for the "creation or development of" the particular information at issue, then the service provider is an "information content provider" unprotected by the CDA. Carafano, supra, 339 F.3d at 1124-25. The issue for purposes of determining whether a defendant is immune from suit under the CDA, is not the name of the cause of action; but rather whether the cause of action inherently requires the court to treat the defendant as the "publisher or speaker" of content provided by another. Barnes, supra, 570 F.3d at 1101-02.

Apple argues that Plaintiff's claims against it are barred because Plaintiff seeks to impose liability on Apple for the content of third-party Apps distributed through Apple's website and for Apple's decisions to allow those Apps to be distributed through its website. According to Apple, the "misappropriation" of users' information is "at the heart of Plaintiff's case." Therefore, Apple believes that it is shielded from liability for its exercise of editorial discretion in approving and distributing Apps via its online App Store. (Mot. 9.) Apple's arguments, however, misconstrue the nature of certain of the allegations in the CAC.

Plaintiff's claims are not predicated solely upon Apple's approving and distributing Apps via its online App Store; Plaintiff also seeks to hold Apple liable for representations made by Apple itself. As Apple acknowledges, Plaintiff's claims include "allegations that Apple somehow misled Plaintiff as to the `nature and integrity of Apple's products.'" (Mot. 18.) To the extent that Plaintiff's claims allege that Apple's misrepresentations induced Plaintiff to purchase an Apple Device, those claims do not seek to hold Apple liable for making Apps available on its website. In that context, even if Apple acts as an "interactive computer service," Plaintiff seeks to hold it liable as the "information content provider" for the statements at issue.

That said, based on the scant record before the Court, it is premature to decide whether the CDA bars Plaintiff's claims. Unlike the findings in Carafano, supra, as to the role of Matchmaker.com for the content of information, if Apple is responsible for the "creation or development of [the] information" at issue, then Apple functions as an "information content provider" unprotected by the CDA. 339 F.3d at 1124-25. However, the Court cannot make that determination based on the allegations in the CAC.4

Accordingly, the Court cannot find that Apple is entitled to immunity under the CDA.

B. FRAUD WITH PARTICULARITY (COUNTS I-IV)

In actions alleging fraud, "the circumstances constituting fraud or mistake shall be stated with particularity." Fed. R.Civ.P. 9(b). Particularity under Rule 9(b) requires that the complaint allege specific facts regarding the fraudulent activity, such as the time, date, place, and content of the alleged fraudulent representation, how or why the representation was false or misleading, and in some cases, the identity of the person engaged in the fraud. In re GlenFed Sec. Litig., 42 F.3d 1541, 1547-49 (9th Cir.1994).

In other words, the pleader must provide the "who, what, when, where, and how" of the alleged fraud. Kearns v. Ford Motor Co., 567 F.3d 1120, 1124 (9th Cir.2009) (quoting Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1105 (9th Cir. 2003)) (internal citations and quotations marks omitted). The particularity requirement of Rule 9(b) serves an important purpose "to give defendants notice of the particular misconduct ... so that they can defend against the charge and not just deny that they have done anything wrong." Vess, supra, 317 F.3d at 1106 (internal quotation marks omitted).

Regardless of whether fraud is an essential element of a consumer protection claim, where the claim "rel[ies] entirely on [a fraudulent course of conduct] as the bases of that claim ... the claim is said to be `grounded in fraud' or to `sound in fraud,' and the pleading ... as a whole must satisfy the particularity requirement of Rule 9(b)." Kearns, supra, 567 F.3d at 1125 (quoting Vess, supra, 317 F.3d at 1103-04). Plaintiff's claims under the UCL, FAL, CLRA, and for Negligent Misrepresentation (Counts I through IV) allege that Apple is misrepresenting the characteristics of its Apple Devices and Apps in the App Store. Therefore, those claims sound in fraud, and are subject to the heightened pleading requirements of Rule 9(b). Kearns, supra, 567 F.3d at 1127 (claims under the CLRA, UCL, and FAL that sound in fraud must satisfy Rule 9(b)'s heightened pleading requirement).

While Plaintiff identifies a number of representations5 made by Apple — on its App Store website, in its privacy policy, and in the App Store Review Guidelines — she fails to provide the particulars of her own experience reviewing or relying upon any of those statements. Nowhere in the CAC does Plaintiff specify when she was exposed to the statements or which ones she found material to her decisions to purchase an Apple Device or App. Nor does Plaintiff identify which Apple Device(s) or Apps she purchased in reliance upon any of the alleged misrepresentations. Additionally, though the CAC identifies a number of Apps which allegedly downloaded other users' private information, Plaintiff does not identify which Apps, if any, allegedly downloaded her personal information. These particulars need to be alleged to state the claims alleged in Counts I through IV, for violations of the UCL, FAL, CLRA, and for Negligent Misrepresentation.

Based on the foregoing analysis, Counts I through IV are DISMISSED WITH LEAVE TO AMEND consistent with this Order.

C. WHETHER PLAINTIFF'S CLAIMS FAIL TO STATE A CLAIM UNDER RULE 12(b)(6)

1. Count III: Violation of California's Consumer Legal Remedies Act, Cal. Civ.Code §§ 1750 et seq.

The CLRA prohibits "unfair methods of competition and unfair or deceptive acts or practices undertaken by any person in a transaction intended to result in or which results in the sale ... of goods or services to any consumer." Cal. Civ.Code § 1770(a). Plaintiff's CLRA claim alleges misrepresentations by Apple about the services that it offers. (See CAC ¶¶ 76-78.) Specifically, Plaintiff takes issue with Apple's representations that its services have characteristics, uses, benefits that they do not have (id. ¶ 76); Apple's representations that its services are of a particular standard, quality and grade when they are of another (id. ¶ 77); and Apple's advertisement of these services with the intent not to sell them as advertised (id. ¶ 78).

Apple argues that Plaintiff's CLRA claim fails because a person who uses the App Store is not a consumer,6 and the Apps identified in the CAC are not goods or services. Though not alleged in the CAC, according to Apple, the use of its App Store is free of charge, and the Apps identified in the CAC are free Apps. Based upon these additional facts that are not in the CAC, Apple argues that Plaintiff did not pay for Apple's services or software Apps when she used the App Store.

Plaintiff does not argue that she has stated a cause of action for violation of the CLRA with respect to any acts or practices in connection to the sale of services. Instead, in her opposition she argues that her CLRA claim is premised on the purchase of "goods," such as Apple Devices. The CAC does not so allege. Plaintiff has leave to amend her CLRA claim to allege unfair acts or deceptive acts or practices in a transaction for the sale of goods.

Based on the foregoing analysis, Plaintiff's CLRA claim is DISMISSED WITH LEAVE TO AMEND.

2. Count V: Negligence

The elements for a claim for negligence under California law are: "(1) a legal duty to use due care; (2) a breach of such legal duty; and (3) the breach as the proximate or legal cause of the resulting injury." 6 Witkin, Summary of Cal. Law, Torts § 835, p. 52 (10th ed. 2005). In this context, "legal duty" means the duty to use ordinary care in activities from which harm to the plaintiff might reasonably be anticipated. See id. at p. 53. "`The risk reasonably to be perceived defines the duty to be obeyed.'" Dillon v. Legg, 68 Cal.2d 728, 739, 69 Cal.Rptr. 72, 441 P.2d 912 (Cal.1968) (quoting Palsgraf v. Long Island R.R. Co. 248 N.Y. 339, 344, 162 N.E. 99 (N.Y.1928)).

Plaintiff's negligence claim does not specify the particular duty breached, but her opposition argues that "Apple owed a duty to Plaintiff to protect her personal information and data, and to take reasonable steps to protect her from the wrongful taking of her personal information and the wrongful invasion of her privacy." (Opp'n 22.) The CAC alleges that "Apple breached its duty by designing the Apple Devices so that app developers could acquire personal information without users' knowledge or permission, by failing to remove privacy-violating apps from the App Store, and by constructing and controlling consumers' user experience and mobile environment so that consumers could not reasonably avoid such privacy affecting actions." (CAC ¶ 90.)

Apple argues that it owes no legal duty to Plaintiff to protect her personal information from misappropriation by third-party App developers. (Mot. 22.) A defendant generally owes no duty to protect another from the conduct of third-parties. See, e.g., Tarasoff v. Regents of Univ. of Calif., 17 Cal.3d 425, 435 (Cal. 1976). Plaintiff argues that Apple's control over the user experience from development of the Apple Devices to selection of the Apps available at the Apps Store "creates a special relationship between Plaintiff and Apple." Plaintiff further argues that Apple undertook this duty by committing to review all Apps for adherence to its policy of requiring App developers to obtain user consent before downloading a user's personal information.

The Plaintiffs in In re iPhone Application Litig., alleged that Apple owed the same duty based on the same undertakings on the part of Apple. There, Judge Koh held that these allegations failed to allege an independent legal duty on the part of Apple to protect users' personal information from third-party App developers. 2011 WL 4403963, at *9. The court decisions that Plaintiff cites to argue that the parties have a "special relationship,"7 or that Apple voluntarily undertook this legal duty,8 do not support a contrary holding here. Therefore, the Court concludes that "Plaintiff's have not yet adequately pled or identified a legal duty on the part of Apple to protect users' personal information from third-party app developers." Id. If there is no duty, then there can be no breach.

Based on the foregoing analysis, the negligence claim is DISMISSED WITH LEAVE TO AMEND consistent with this Order.

3. Count VI: Unjust Enrichment

Plaintiff's Sixth Count alleges unjust enrichment. Unjust enrichment is a theory of recovery in quasi-contract, in which a plaintiff contends the defendant received a benefit to which it was not entitled. Paracor Fin. v. General Elec. Capital Corp., 96 F.3d 1151, 1167 (9th Cir.1996). To state a claim for unjust enrichment, Plaintiff must allege "receipt of a benefit and unjust retention of the benefit at the expense of another." Lectrodryer v. SeoulBank, 77 Cal.App.4th 723, 726, 91 Cal.Rptr.2d 881 (Cal.Ct.App.2000).

Plaintiff alleges that Apple "received revenue and/or other benefits as a result of unauthorized access to private user information, including, but not limited to user address book, private photos and video." Apple moves for dismissal of Count VI9 on the basis that that the CAC fails to explain how Apple has been unjustly enriched by the data collection practices of third-party Apps if the CAC does not allege that Apple ever received the data (or some other benefit from the data) purportedly collected by third-party App makers. Plaintiff argues that because she is entitled to restitution under the UCL, Apple's motion to dismiss the claim for unjust enrichment fails. Even though both causes of action provide a similar remedy, the elements required to state a claim are different. Plaintiff's claim for unjust enrichment fails to allege that Apple obtained a benefit. Therefore, she has failed to state a claim for unjust enrichment.

Based on the foregoing, Plaintiff's claim for Unjust Enrichment is DISMISSED WITH LEAVE TO AMEND consistent with this Order.

IV. CONCLUSION

For the reasons set forth above, the Motion to Dismiss is GRANTED.

Plaintiff's Amended Class Action Complaint is DISMISSED WITH LEAVE TO AMEND.

By no later than January 22, 2013, Plaintiff shall file a second amended complaint.

This Order Terminates Docket Number 18.

IT IS SO ORDERED.