ORDER GRANTING DEFENDANTS' MOTION TO DISMISS CONSOLIDATED CLASS ACTION COMPLAINT

Re: Dkt. No. 93

EDWARD J. DAVILA, United States District Judge.

This lawsuit stems from the revelation that Cambridge Analytica acquired the private Facebook data of millions of users and that, upon learning of this leak, Facebook allegedly attempted to suppress evidence of the breach contrary to its stated privacy policy.

Plaintiffs are persons who purchased shares of Facebook common stock between February 3, 2017 and July 25, 2018 (the "Class Period"), who believe that Mark Zuckerberg, Sheryl K. Sandberg, and David M. Wehner, collectively Defendants, made materially false and misleading statements and omissions in connection with the purchase and sale of Facebook stock. See Consolidated Complaint ("Compl.") ¶ 1, Dkt. 86. They allege that Defendants violated Section 10(b), 20(a), and 20A of the Securities Exchange Act of 1934 (the "Exchange Act") and Rule 10b-5 promulgated thereunder because Defendants made guarantees that the Cambridge Analytica, and related data-privacy scandals, would not impact Facebook stock while knowing this to be false. Specifically, Plaintiffs focus on Defendants' statements and omissions "concerning Facebook's privacy and data protection practices" and their impact on Facebook's stock price during two time periods: March and July 2018.

Defendants have filed a motion to dismiss the lawsuit arguing that Plaintiffs have not, and cannot, meet Rule 9(b)'s heightened pleading requirements for securities fraud and instead allege "an overarching hindsight theory." Motion to Dismiss ("Mot.") at 2, Dkt. 93. Defendants make four main arguments all centered around Plaintiffs' inability to meet the elements of securities fraud. First, Defendants argue Plaintiffs have not pled an actionable misstatement or omission because they have not identified any false statements. Defendants argue the 36 "actionable" statements or omissions Plaintiffs raise are, in fact, neither actionable nor fraudulent because Plaintiffs make no attempt to plead that Defendants lied or mislead investors. As explained infra Section III.C.1.a., as to all the allegations, only Statement 22 is actionable.

Second, Defendants argue Plaintiffs have not pled a strong inference of scienter because Plaintiffs do not (1) relate the alleged misstatements to any conduct establishing scienter or (2) show facts that the Defendants knew the challenged statements were false. Further, Defendants contend that Plaintiffs offer only conclusions without alleging any specific facts to support these conclusions. As explained infra Section III.C.2. the one actionable Statement, Statement 22 lacks scienter because Plaintiffs do not allege with sufficient particularity that Defendant Sandberg made the statement knowing it was false.

Third, Defendants contend that Plaintiffs fail to plead loss causation since Defendants had already warned investors of a potential stock decline and cannot trace any corrective disclosure to the stock price's drop. Finally, Defendants argue that Plaintiffs cannot show reliance based on a "fraud-on-the market" theory because the Cambridge Analytica scandal was already known a year before the start of the putative class action and so the market already reacted to the data breach. The Court does not reach these arguments because it GRANTS the Motion to Dismiss on alternative grounds.

Accordingly, the Plaintiffs do not adequately plead a securities fraud violation. Here, it is Plaintiffs' burden to point to plausible and particular facts tending to show fraudulent behavior by Defendants. Without such a showing, Plaintiffs cannot survive the higher evidentiary pleading standard enumerated in Rule 9 of the Federal Rules of Civil Procedure. See Fed. R. Civ. Pro. 9(b). Thus, for the reasons below, Defendants' Motion to Dismiss is GRANTED.

I. BACKGROUND

A. Factual Background1

Facebook was founded by Mark Zuckerberg who is now the Chief Executive Officer ("CEO") of the company. Compl. ¶ 28. Sheryl Sandberg is the Chief Organization Officer ("COO") and David Wehner is the Chief Financial Officer ("CFO") of Facebook. Id. ¶¶ 30-31. Facebook is a social-media networking website that allows users to create profiles and share information about themselves to their "community." Id. ¶ 37. The platform also enables third-party developers' applications or websites ("apps") to access users' information. Id. ¶¶ 45-46. Importantly before 2015, a user could consent to an app developer gaining access to their personal data and the personal data of his or her friends (referred to herein as "third-party consent"). Id. ¶ 46.

1. Relevant Agreements

Facebook-User Agreements. The use and sharing of data on Facebook are governed by an agreement between Facebook and users, including Facebook's Data Policy (also referred to as the "Data Use Policy" and the "Privacy Policy"), Ex. 24 & 35, and the Terms of Service (formerly "Statement of Rights and Responsibilities"), Compl. ¶ 4, 60, 200, 232. These agreements explain how users can control the use of their data. Id. ¶ 301(b).

Before 2015, Facebook's policies allowed users to share information about their friends with third-party app developers, i.e. "third-party consent." Id. ¶¶ 46, 82. Defendants subsequently announced that they would overhaul Facebook's privacy practices to better protect user data and would tell people if their data was shared with Cambridge Analytica. Id. ¶ 18. Specifically, in 2014, Facebook stated that changes would "dramatically limit the Facebook information apps could access," and "turn[ed] off users' ability to provide access to their friend's personal data." Id. ¶¶ 79, 251, 266(b), 280. However, in April 2018, it was revealed that Defendants still permitted third parties to access user data, known as "whitelisting." Id. ¶¶ 19, 140.

Facebook-App Developer Agreements. Third-party app developers must agree to Facebook's Platform Policies before offering apps on Facebook. ¶¶ 176, 301. This limits the use and collection of user data and requires developers to explain what type of information they will collect and how it will be used. Id. The policy prohibits developers from selling, licensing, or purchasing user data and from transferring data to advertisers or data brokers. Id. ¶ 301(c).

2. Relevant Events Allegedly Showing Material Misstatements or Omissions

Aleksandr Kogan and Cambridge Analytica. In 2013, Kogan, a professor and data researcher at Cambridge University, developed an app called "thisisyourdigitallife." Id. ¶ 80-81. This app was a personality quiz; users were told that the results would be used only for academic purposes. Id. ¶ 81. Around 270,000 people installed the app and consented to the sharing of their data. Id. ¶¶ 81-82. Due to Facebook's privacy policies, app developers were able to access data about "thisisyourdigitallife" user's Facebook friends. Id.

The December 2015 The Guardian Article and Defendants' Response. In December 2015, The Guardian reported that Kogan, through his company Global Science Research ("GSR"), sold information collected through the "thisisyourdigitallife" app to Cambridge Analytica, violating Facebook's policies. Id. ¶¶ 7, 150, 232, 280. This article indicated that Cambridge Analytica developed voter profiles using the data of tens of millions of Facebook users, which were then used for political purposes. Id. ¶¶ 80-81. Once news of the data leak broke, Defendants sent Cambridge Analytica a letter asking it to delete the data and provide confirmation of deletion. Id. ¶¶ 9, 90, 92, 96, 98, 150-51, 176. Defendants made no efforts to verify Cambridge Analytica's assurances that the data was deleted, investigate the extent of the use or distribution of data, or verify that the data had been deleted. Id. ¶ 9.

Reemergence of the Cambridge Analytica Story in 2018. On March 17, 2018, three years after the original Cambridge Analytica story broke, The New York Times and The Guardian reported that Defendants delayed acting to address the Cambridge Analytica data breach and that data had not been deleted but was used in connection with President Donald Trump's campaign. Id. ¶¶ 150, 153-54. These reports allegedly contradicted Defendants' representations of data protection, specifically the fact that user data could still be accessed by developers without user's knowledge or consent, i.e., whitelisting. Id. ¶ 14, 19. Facebook did, however, immediately suspend Cambridge Analytica, its parent company, and Cambridge Analytica employees from the Facebook platform. Id. ¶ 150.

In response to the stories, Facebook's common stock dropped nearly 7% on Monday, March 19, 2018, the first trading day after the news broke. Id. By March 27, 2018, the stock was trading as low as $152/share, a drop of nearly 18% in value from its price before the stories broke. Id. ¶ 15. The Securities and Exchange Commission ("SEC") began investigating "whether Facebook adequately warned investors that developers and other third parties may have obtained users' data without their permission or in violation of Facebook policies." Id. ¶ 16.

Facebook's First Quarter 2018 Earnings Report ("1Q18") and the GDPR. On April 25, 2018, Defendants released a favorable first quarter earnings report, 1Q18, which showed that user growth was unaffected by the continued Cambridge Analytica scandal. Id. ¶ 21. The report had quarterly revenue, earnings, and daily and monthly active user growth exceeding analyst expectations. Id. ¶¶ 21, 186, 188, 190, 270-71. Although a "handful" of advertisers had "paused spend" with Facebook after the Cambridge Analytica news, Defendants reported that this did not appear to reflect a "meaningful trend." Id. ¶ 274. Defendants also told investors that it anticipated expenses to increase year-over-year by "50% [to] 60%," because of the "significant investments [Facebook was] making in areas like safety and security" and due to increased hiring. Id. ¶ 275. The stock price climbed more than 9% following the release of this report. Id. ¶ 21. By July, Facebook's stock price was trading well above $200 per share. Id.

The new European privacy legislation, the General Data Protection Regulation2 (the "GDPR"), became effective the month after 1Q18 was released. Defendants addressed the possible impact of this legislation during the investor call. Id. ¶ 276. Defendants claimed that compliance with the GDPR would not be an issue because Facebook was almost compliant. Id. ¶ 20. On this call, however, Defendants noted that it was "early and difficult to know ... in advance" the business implications of the GDPR and anticipated that Facebook's European daily and monthly user base could "be flat to slightly down." Lutz Ex. 11, at 8, 23, Dkt. 95. Defendants noted that there was potential for impact and that they would monitor it closely. Id.

Facebook's Second Quarter 2018 Earnings Report ("2Q18"). The stock price increase ended on July 25, 2018 when Defendants released 2Q18, which showed a decline in total revenues. Id. ¶ 21. There, Defendants reported a significant decline in user-metrics in Europe, zero user growth in the United States, decelerating worldwide growth of active users, lower than expected revenue and earnings, and ballooning expenses affecting profitability. Id. As a result, the common stock price dropped nearly 19% on July 26, 2018, resulting in a single-day loss of approximately $100 billion in market capitalization. Id. ¶ 23. By July 30, 2018, the price of stock had fallen by 21%, shedding around $112 billion in market capitalization. Id.

Defendants attributed the user growth slowdown to the effects of the "GDPR rollout, consistent with the outlook we gave on the Q1 call," but noted that the "vast majority of people [had continued] opting in to ... third-party data use." Lutz Ex. 12 at 7, 18. Defendants maintain that this is consistent with their premonition during the Q1 call that there would be a "decline" in European users. Motion to Dismiss at 9, Dkt. 93.

Defendants' Sale of Facebook Stock. During the Class Period, Defendant Zuckerberg sold approximately 30,000 Facebook shares for proceeds of more than $5.3 billion, while Sandberg sold $389 million worth and Wehner $21 million worth during the same period. Compl. ¶ 13. These included large sales during the first quarter of 2018—more than triple what Defendants sold in the last quarter of 2017— before the 2Q18 report was released. Id.

3. Alleged Misstatements/Omissions

Plaintiffs allege Defendants made a total of 36 materially misleading statements or omissions in press releases, SEC filings, earnings calls, and public remarks at conferences. The Court has arranged these statements chronologically and by source and bolded/italicized the relevant part of the statement.

December 20153 Statements to The Guardian

Statement 1

"[M]isleading people or misusing their information is a direct violation of our policies and we will take swift action against companies that do...."

Statement 2

"[I]ncluding banning those companies from Facebook and requiring them to destroy all improperly collected data."

September 29, 2016 Facebook Privacy Policy

Statement 3

"We use the information we have to help verify accounts and activity, and to promote safety and security on and off of our Services, such as by investigating suspicious activity or violations of our terms or policies."

Statement 4

"We work hard to protect your account using teams of engineers, automated systems, and advanced technology such as encryption and machine learning."

Statement 5

"These partners must adhere to strict confidentiality obligations in a way that is consistent with this Data Policy and the agreements we enter into with them."

Statement 6

"Don't sell, license or purchase any data obtained from us or our services.... Don't transfer any data that you receive from us (including anonymous, aggregate or derived data) to any ad network, data broker or other advertising or monetization-related service.... Enforcement is both automated and manual, and can include disabling your app, restricting you and your app's access to platform functionality, requiring that you delete data, terminating our agreements with you or any other action that we deem appropriate."

Statement 7

"We notify our users with context around the status of their account and actionable recommendations if we assess they are at increased risk of future account compromise by sophisticated actors or when we have confirmed their accounts have been compromised."

Statement 8

"You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition... [w]hen you use an application, the application may ask for your permission to access your content and information as well as content and information that others have shared with you. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, including how you can control what information other people may share with applications, read our Data Policy and Platform Page.)."

February 3, 2017 Facebook's 10-K Report: Data Breaches

Statement 9

"Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business."

Statement 10

".... Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position. In addition, computer malware, viruses, social engineering (predominantly spear phishing attacks), and general hacking have become more prevalent in our industry, have occurred on our systems in the past, and will occur on our systems in the future. As a result of our prominence, we believe that we are a particularly attractive target for such breaches and attacks. Such attacks may cause interruptions to the services we provide, degrade the user experience, cause users to lose confidence and trust in our products, or result in financial harm to us. Our efforts to protect our company data or the information we receive may also be unsuccessful due to software bugs or other technical malfunctions; employee, contractor, or vendor error or malfeasance; government surveillance; or other threats that evolve. In addition, third parties may attempt to fraudulently induce employees or users to disclose information in order to gain access to our data or our users' data."

Statement 11

"Although we have developed systems and processes that are designed to protect our data and user data, to prevent data loss, and to prevent or detect security breaches, we cannot assure you that such measures will provide absolute security."

Statement 12

"In addition, some of our developers or other partners, such as those that help us measure the effectiveness of ads, may receive or store information provided by us or by our users through mobile or web applications integrated with Facebook. We provide limited information to such third parties based on the scope of services provided to us. However, if these third parties or developers fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users' data may be improperly accessed, used, or disclosed.

Statement 13

"Affected users or government authorities could initiate legal or regulatory actions against us in connection with any security breaches or improper disclosure of data, which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Any of these events could have a material and adverse effect on our business, reputation, or financial results."

February 3, 2017 Facebook's 10-K Report: Risks Related to Business and Industry

Statement 14

"If we fail to retain existing users or add new users, or if our users decrease their level of engagement with our products, our revenue, financial results, and business may be significantly harmed.

The size of our user base and our users' level of engagement are critical to our success.... If people do not perceive our products to be useful, reliable, and trustworthy, we may not be able to attract or retain users or otherwise maintain or increase the frequency and duration of their engagement...."

Statement 15

"Any number of factors could potentially negatively affect user retention, growth, and engagement, including if:

Statement 16

Statement 17

February 3, 2017 Facebook's 10-K Report: Unfavorable Media and Regulatory Investigations

Statement 18

"Unfavorable media coverage could negatively affect our business."

Statement 19

"We have been subject to regulatory investigations and settlements, and we expect to continue to be subject to such proceedings and other inquiries in the future, which could cause us to incur substantial costs or require us to change our business practices in a manner materially adverse to our business."

April 27, 2017 White Paper

Statement 20

"Targeted data collection and theft can affect all types of victims.... [t]ypical methods include phishing with malware to infect a person's computer and credential theft to gain access to their online accounts....

Here are some of the steps we are taking:

Statement 21

October 12, 2017 Sandberg's Axios Interview

Statement 22

"[W]hen you share on Facebook, you need to know that no one's going to steal our data. No one is going to get your data that shouldn't have it ... you are controlling who you share with."

Statement 23

"Europe[ ] has passed a single privacy law and we are adhering to that.... privacy is something we take really seriously."

November 1, 2017 3Q17 Earnings Call

Statement 24

"On GDPR, the Facebook family of apps already applies the core principles of the framework because we built our services around transparency and control, and we're building on this to ensure that we comply in May of next year."

March 16, 2018 "Suspending Cambridge Analytica & SCL Group From Facebook" Post

Statement 25

"We are committed to vigorously enforcing our policies to protect people's information. We will take whatever steps are required to see that this happens. We will take legal action if necessary to hold them responsible and accountable for any unlawful behavior."

Statement 26

"In 2014, after hearing feedback from the Facebook community, we made an update to ensure that each person decides what information they want to share about themselves, including their friend list."

Statement 27

"This is just one of the many ways we give people the tools to control their experience. Before you decide to use an app, you can review the permissions the developer is requesting and choose which information to share. You can manage or revoke those permissions at any time. On an ongoing basis, we also do a variety of manual and automated checks to ensure compliance with our policies and a positive experience for users.

Statement 28

"These include steps such as random audits of existing apps along with the regular and proactive monitoring of the fastest growing apps. We enforce our policies in a variety of ways — from working with developers to fix the problem, to suspending developers from our platform, to pursuing litigation."

March 17, 2018 Addendum to Earlier Statements About Cambridge Analytica Event

Statement 29

"The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app,...."

Statement 30

"[E]veryone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked."

April 4, 2018 Defendant Zuckerberg's Telephonic Phone Conference

Statement 31

"You asked about the FTC consent order. We've worked hard to make sure that we comply with it. I think the reality here is that we need to take a broader view of our responsibility, rather than just the legal responsibility. We're focused on doing the right thing and making sure people's information is protected, and we're doing investigations.

Statement 32

"For Facebook specifically, one of the things we need to do and that I hope that more people look at are just the privacy controls that you have. I think, especially leading up to the GDPR event, a lot of people are asking us, "Okay, are you going to implement all those things?" And my answer is that we've had almost all of what's in there implemented for years, around the world, not just in Europe. So, to me, the fact that a lot of people might not be aware of that is an issue, and I think we could do a better job of putting these tools in front of people and not just offering them, and I would encourage people to use them and make sure that they're Comfortable with how their information is used on our services and others."

April 25, 2018 Defendant Zuckerberg's Personal Facebook Update

Statement 33

"Despite facing important challenges, our community continues to grow. More than 2.2 billion people now use Facebook every month and more than 1.4 billion people use it daily."

April 25, 2018 1Q18 Earnings Call

Statement 34

"We made a number of changes and are still making changes to prioritize meaningful interactions between people over passive consumption of content....

We've been rolling out new changes.... that [have] increased—or we've observed increases in some types of sharing and interaction between people based on that. We've also observed some continued declines as we've done this....

Overall, I'd say these changes are doing what we expected that they would do and helping people to connect more and have more meaningful interactions.... We think that this is going in the direction of building a strong community and a stronger business over the long term and we're optimistic about what we're seeing here."

Statement 35

"[W]e do not anticipate [that new European privacy regulations] will significantly impact advertising revenues."

Statement 36

"So on GDPR....

I don't know that we really see a doomsday scenario here. I think what we think is that depending on how people react to the controls and the ad settings, there could be some limitations on data usage. We believe that those will be relatively minor."

B. Procedural History

Following the collapse of Facebook's stock price, multiple lawsuits were filed against Defendants. One of these—Fan Yuan v. Facebook—was randomly assigned to this Court. See Dkt. 1. This Court consolidated that case with other related ones. See Order Granting Administrative Motion Relating Cases, Dkt. 23. On October 15, 2018, Plaintiffs submitted their consolidated class action amended complaint, which is the subject of the current motion to dismiss. Defendants also request judicial notice regarding facts pertaining to the motion to dismiss. See Request for Judicial Notice re Motion to Dismiss ("Req. Jud. Notice"), Dkt. 94.

II. JUDICIAL NOTICE

Defendants ask this Court to take judicial notice of Exhibits 1 through 34 attached to the declaration of Brian M. Lutz (the "Lutz declaration") and of Exhibits 35 through 37.

A. Legal Standard

Generally, district courts may not consider material outside the pleadings when assessing the sufficiency of a complaint under Rule 12(b)(6) of the Federal Rules of Civil Procedure. Lee v. City of L.A., 250 F.3d 668, 688 (9th Cir. 2001). When matters outside the pleadings are considered, the 12(b)(6) motion converts into a motion for summary judgment. Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 998 (9th Cir. 2018); see also Fed. R. Civ. P. 12(d). This rule does not apply to the incorporation by reference doctrine and judicial notice under Federal Rule of Evidence 201. Khoja, 899 F.3d at 998. These exceptions, however, should not be used to "undermin[e] ... the usual pleading burden[ ]." Id. (noting the "concerning pattern" in securities cases where exploiting the exceptions improperly defeats what would otherwise constitute adequately stated claims at the pleading stage).

Rule 201 permits a court to take judicial notice of an adjudicative fact "not subject to reasonable dispute," that is "generally known" or "can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." Fed. R. Evid. 201(b). Specifically, a court may take judicial notice: (1) of matters of public record, Khoja, 899 F.3d at 999, (2) that the market was aware of information contained in news articles, Heliotrope Gen., Inc. v. Ford Motor Co., 189 F.3d 971, 981 n.18 (9th Cir. 1999), and (3) publicly accessible websites whose accuracy and authenticity is not subject to dispute, Daniels-Hall v. Nat'l Educ. Ass'n, 629 F.3d 992, 998-99 (9th Cir. 2010). A court may further consider facts contained in the noticed materials. Barron v. Reich, 13 F.3d 1370, 1377 (9th Cir. 1994).

Incorporation by reference treats certain documents as though they are part of the complaint itself. Daniels-Hall, 629 F.3d at 998. These are situations where the complaint "necessarily relies" upon a document or where the complaint alleges the contents of the document and the documents authenticity and relevance is not disputed. Coto Settlement v. Eisenberg, 593 F.3d 1031, 1038 (9th Cir. 2010). A defendant may seek to incorporate a document into the complaint "if the plaintiff refers extensively to the document or the document forms the basis of the plaintiff's claim." Khoja, 899 F.3d at 1002.

B. Discussion

1. Unopposed Items: Exhibits 2-5, 11-23, 25-29

Plaintiffs do not object to the judicial notice of these documents for any reason. Pl. Opp. to Jud. Notice at 4.

Exhibits 2-6 are Facebook SEC Filings. Judicial notice is GRANTED for these Exhibits because they are public filings made by Facebook with the SEC and thus are matters of public record not subject to reasonable dispute. Fed. R. Evid. 201(b); Khoja, 899 F.3d at 999; see also Weller v. Scout Analytics, Inc., 230 F.Supp.3d 1085, 1094 n.5 (N.D. Cal. 2017) (taking judicial notice of SEC filings).

Exhibits 11 & 12 are Transcripts of the Conference Calls following the release of the 2018 quarter earnings reports. Judicial notice is GRANTED because these are relied on extensively by Plaintiffs and are used as evidence to establish a material misstatement or omission. Further, they are also matters of public record. See In re Energy Recovery Inc. Sec. Litig., 2016 WL 324150, at *3 (N.D. Cal. Jan. 27, 2016) ("[T]ranscripts of conference earning calls are judicially noticeable because they are matters of public record.").

Exhibits 13-23 are news articles used to show that the market was aware of the information contained in the articles. Judicial notice is GRANTED because they are publicly available news articles. See In re Kalobios Pharm., Inc. Sec. Litig., 258 F.Supp.3d 999, 1003-04 (N.D. Cal. 2017) (granting judicial notice of four news articles). Further these articles were reprinted in full or in part in the Complaint and so are also incorporated by reference.

Exhibit 25 is Facebook's Data Policy and is used throughout Plaintiffs' Complaint to show changes that Facebook made to the policy. It is referenced throughout; specifically, ¶¶ 4, 60, 139, 200, 301(b), 302(a), 302(b), 302(e). Accordingly, judicial notice is GRANTED.

Exhibit 26 is the Facebook White Paper referenced and relied on in paragraphs 5, 120, 122, 230, 301, and 302 of the Complaint. Exhibit 27 is a 2018 Facebook press release referenced in paragraph 250. Exhibit 28 is a June 29, 2018 Facebook letter providing answers to written questions from the Energy and Commerce Committee of the U.S. House or Representatives, referenced in paragraph 206 of the Complaint. All these exhibits are referenced in the Complaint and are publicly available documents. Therefore, judicial notice is GRANTED.

Exhibit 29 is a Bloomberg stock table showing the historical stock prices of Facebook from January 2, 2018 to December 11, 2018. "Information about the stock price of publicly traded companies [is] the proper subject of judicial notice." In re Copper Mountain Sec. Litig., 311 F.Supp.2d 857, 864 (N.D. Cal. 2004). Judicial notice is GRANTED.

2. Semi-Opposed Items: Exhibits 1, 6-10

Plaintiffs object to judicial notice of Exhibits 1, 6-10. Pl. Opp. to Jud. Notice at 4. They do not object to this Court taking judicial notice of the existence of these documents, only of the facts contained therein. Id. at 1. Plaintiffs contend that Defendants seek to improperly use these exhibits to establish a defense to scienter by showing trades were made pursuant to a Rule 10b5-14 plan. Id. at 4 (citing Mot. at 24).

Exhibit 1 shows Defendant Zuckerberg's plan to gift substantially all his Facebook stock or the proceeds to philanthropy pursuant to a Rule 10b5-1 plan. Exhibit 6 is a Facebook Proxy Statement, which notifies shareholders that directors and officers have adopted Rule 10b5-1 plans. Exhibit 7 is Facebook's September 4, 2012 Current Report on Form 8-K, which contains the Company's insider trading policy and notes that Zuckerberg had not yet entered a Rule 10b5-1 plan. Exhibits 8-10 are SEC Form 4s which disclose Defendants' sales of Facebook stock and note that these were made pursuant to a Rule 10b5-1 plan.

Defendants clarify in their Reply that they are only asking for judicial notice as to the "existence of the Individual Defendants' 10b5-1 plans." Reply in Support of Request for Judicial Notice ("Reply Jud. Notice") at 2, Dkt. 104. Courts "may take judicial notice of SEC Forms 4, even when not referenced in the pleading, to prove that stock sales were made pursuant to a Rule 10b5-1 trading plan." City of Royal Oak Ret. Sys. v. Juniper Networks, Inc., 880 F.Supp.2d 1045, 1059 (N.D. Cal. 2012). Exhibits 1 and 6-10 are publicly available documents and it is proper for this Court to take judicial notice of the documents. The Court, however, agrees with Plaintiffs' contention that judicial notice is confined to recognizing only that a 10b5-1 trading plan existed. See also Patel v. Parnes, 253 F.R.D. 531, 546 (C.D. Cal. 2008) ("It is appropriate for the court to take judicial notice of the content of the SEC Forms 4 and the fact that they were filed with the agency. The truth of the content, and the inferences properly drawn from them, however, is not a proper subject of judicial notice under Rule 201."). Accordingly, Defendants' request is GRANTED but is limited to showing only that a Rule 10b5-1 plan existed and that stock sales were made pursuant to that plan, not that this plan confined Defendants' trading discretion. See Khoja, 899 F.3d at 999 (court cannot take judicial notice of disputed facts in records).

3. Opposed Items: Exhibits 24, 30-34

Plaintiffs object to any judicial notice of Exhibits 24, 30-34. Pl. Opp. to Jud. Notice at 7.

Exhibit 24 is Facebook's 2013 Data Policy. The exhibit was obtained using the Internet Archive's Wayback Machine. See U.S. ex. Rel. v. Newport Sensors, Inc., 2016 WL 8929246, at *3 (C.D. Cal. May 19, 2016) ("A court `may take judicial notice on its own,' and district courts in this circuit have routinely taken judicial notice of content from the Internet Archive's Wayback Machine pursuant to this rule, as we do here." (citations omitted)).

Plaintiffs argue that this Court should not take judicial notice because the facts of the policy are disputed and it is not relied on or referenced throughout. This policy is, however, implicitly referenced through-out; a central theme of the Complaint is that Facebook changed its 2013 Data Policy in 2015 to eliminate the provision that allowed third-party consent. See Compl. ¶¶ 79, 131, 176, 183, 203, 238, 251, 258(a), 264, 266(b), 268, 280, 288, & 302; see also Khoja, 899 F.3d at 1002 (noting incorporation by reference appropriate where Plaintiff references the document throughout). It would be unfair for Plaintiffs to reference this document to show the change in Facebook's Data Policy and suppress the actual policy. Plaintiffs repeatedly reference this change, and so their use of the document is more than "the mere mention of [its] existence." Cf. United States v. Ritchie, 342 F.3d 903, 908-09 (9th Cir. 2003). This Court agrees that Plaintiffs true contention is with the legal effect of the policy, which is outside the inquiry of judicial notice. See Reply Jud. Notice at 5. Because the policy is referenced throughout, the Court GRANTS Defendants' request.

Exhibits 30-33 are stock indices running from January 2, 2018 to December 11, 2018, showing the historical stock prices of different companies; specifically, Ex. 30 is Amazon, Ex. 31 is Apple, Ex. 32 is Alphabet, and Ex. 33 is Netflix. Exhibit 34 is the CBOE Volatility Index, a popular measure of the stock market's expectation of volatility, for the same period. These exhibits were not referenced or relied on through the complaint and so Defendants ask for judicial notice only. Plaintiffs argue that Defendants use these exhibits to support their argument that Plaintiffs' Complaint should be dismissed because of the "incredible volatility" in the stock market during the Class Period. Pl. Opp. to Jud. Notice at 9.

In Khoja, the Ninth Circuit cautioned against the use of judicial notice to allow defendants to "use the doctrine to insert their own version of events into the complaint to defeat otherwise cognizable claims." 899 F.3d at 1002. While the focus of the discussion was on incorporation-by-reference, this Court finds the logic of Khoja applicable to judicial notice as well. If this Court allows Defendants to submit Exhibits 30-34, it would permit Defendants to "short-circuit the resolution of a well-pleaded claim." Id. The question at this stage is not are there other explanations for Facebook's stock price falling but whether Plaintiffs adequately stated a claim for securities fraud. The stock prices of Apple, Google, and Netflix, and the overall volatility of the stock market during the Class Period do not help answer that question and so Defendants' request for judicial notice of Exhibits 30-34 is DENIED.

4. Items that Plaintiffs Did Not Receive a Chance to Respond to: Exhibits 35-37

Defendants also ask this Court to take judicial notice of three exhibits used to support its Reply in Support of its Motion to Dismiss. Request for Judicial Notice in Support of Facebook's Reply in Support of Motion to Dismiss, Dkt. 102, 103. Plaintiffs did not receive an opportunity to respond to this request because procedurally they had no leave to respond to Defendant's reply. Plaintiffs raised no objection to Defendants request for judicial notice of these three exhibits.

Exhibit 35 is a transcript of a March 21, 2018 witness examination of Sandy Parkilas before the Digital, Culture, Media, and Sports Committee of the House of Commons of the United Kingdom. This exhibit is referenced and repeatedly quoted in the Complaint. See ¶¶ 76-78; Coto, 593 F.3d at 1038 (noting that incorporation by reference is appropriate when "the contents of the document are alleged in a complaint"). Further, this a matter of public record not subject to reasonable dispute. Fed. R. Evid. 201(b); Khoja, 899 F.3d at 999. Accordingly, Defendants' request for judicial notice of Exhibit 35 is GRANTED.

Exhibit 36 is an excerpt of a Transcript of Proceedings from a February 1, 2019 hearing before Judge Chhabria regarding another data privacy action arising out of the Cambridge Analytica events. Defendants use this to support their theory that users consented to Cambridge Analytica obtaining their data. See Reply in Support of Motion to Dismiss ("Reply") at 8, Dkt. 101. Publicly available transcripts of court hearings are "not subject to reasonable dispute" and courts routinely take judicial notice of them. See In re: San Jose Airport Hotel, LLC, 2016 WL 3357175, at *4 n.1 (N.D. Cal. June 17, 2016) (taking judicial notice of transcripts of hearings before the bankruptcy court); Biggs v. Terhune, 334 F.3d 910, 915 n.3 (9th Cir. 2003) ("Materials from a proceeding in another tribunal are appropriate for judicial notice"), overruled on other grounds by Hayward v. Marshall, 603 F.3d 546 (9th Cir. 2010).

Defendants, however, misunderstand these cases; in each, the trial court materials being judicially noticed were used to show the trial court did or did not do something. In San Jose Airport Hotel, this Court judicially noticed the bankruptcy court's docket to show that it never ruled on a motion at issue. 2016 WL 3357175, at *4. Likewise, in Biggs, the Ninth Circuit judicially noticed that the trial court's transcript undertook the appropriate review of the Parole Board's hearing. 334 F.3d at 915. In contrast, here, Defendants are neither asking this Court to judicially notice another Court's ruling (or absence thereof) nor the reasoning used to support a ruling, they are asking this Court to judicially notice another judge's opining, at a hearing, on the issue of consent. The case law does not support this. Moreover, judicial notice on the issue of user consent is not appropriate because it cannot be "accurately and readily determined" given the fluidity and complexity of this area of the law. See In re Facebook Inc., Consumer Privacy User Profile Litig., 402 F.Supp.3d 767, 784-85, 2019 WL 4261048, at *8 (N.D. Cal. Sept. 9, 2019) (collecting cases); Fed. R. Evid. 201(b)(2). Accordingly, this request is DENIED.

Exhibit 37 is a Facebook blog post entitled "Notifications for targeted attacks" by Alex Stamos. This is a publicly available document and is cited and referenced in Exhibit 26, which Plaintiffs cite in their Complaint. See Diaz v. Intuit, Inc., 2018 WL 2215790, at *3 (N.D. Cal. May 15, 2018) ("Publically accessible websites and news articles are proper subjects of judicial notice." (citation omitted)). The Court GRANTS this request for judicial notice.

III. MOTION TO DISMISS

A. Legal Standard

To survive a Rule 12(b)(6) motion to dismiss, a complaint must contain sufficient factual matter to "state a claim to relief that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009); Fed. R. Civ. Pro. 8(a). Threadbare recitals of the elements of a cause of action supported by mere conclusory statements "do not suffice." Ashcroft, 556 U.S. at 678, 129 S.Ct. 1937.

Securities fraud cases, however, must meet Rule 8's plausibility standard, the Private Securities Litigation Reform Act ("PSLRA"), and Rule 9(b)'s higher pleading standard. See Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 319-22, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007); Zucco Partners, LLC v. Digimarc, Corp., 552 F.3d 981, 991 (9th Cir. 2009).

The PSLRA mandates that securities fraud complaints "`specify'" each misleading statement, set forth the facts "`on which [a] belief'" that a statement is misleading was "`formed,'" and "`state with particularity facts giving rise to a strong inference that the defendant acted with the required state of mind [scienter].'" Dura Pharm., Inc. v. Broudo, 544 U.S. 336, 345, 125 S.Ct. 1627, 161 L.Ed.2d 577 (2005) (quoting 15 U.S.C. §§ 78u-4(b)(1)-(2)); see also Metzler Inv. GmbH v. Corinthian Colleges, Inc., 540 F.3d 1049, 1070 (9th. Cir. 2008) ("The PSLRA has exacting requirements for pleading `falsity.'"). Plaintiffs bear the burden of proving that the defendant's misrepresentations "`caused the loss for which the plaintiff seeks to recover.'" Dura Pharm., 544 U.S. at 345-46, 125 S.Ct. 1627 (quoting § 78u-4(b)(4)). In determining whether a "strong inference" of scienter has been sufficiently alleged, this Court must not only draw "inferences urged by the plaintiff," but also engage in a "comparative evaluation," thus examining and considering "competing inferences [in defendants' favor] drawn from the facts alleged." Tellabs, 551 U.S. at 314, 127 S.Ct. 2499. Hence, scienter must not only be "plausible or reasonable," it must also be "cogent and at least as compelling as any opposing inference of nonfraudulent intent." Id. at 324, 127 S.Ct. 2499.

Rule 9 further requires a plaintiff pleading securities fraud to state, with particularity, the circumstances constituting fraud or mistake. Fed. R. Civ. Pro 9(b).

B. Defendants' Motion to Dismiss

To show securities fraud under Section 10(b) and Rule 10b-5, plaintiffs must allege facts sufficient to establish (1) a material misrepresentation or omission; (2) made with scienter, i.e., a wrongful state of mind; (3) a connection between the misrepresentation and the purchase or sale of a security; (4) reliance upon the misrepresentation; (5) economic loss; and (6) loss causation. Loos v. Immersion Corp., 762 F.3d 880 (9th. Cir. 2014), amended (Sept. 11, 2014). "To determine whether a private securities fraud complaint can survive a motion to dismiss for failure to state a claim, the court must determine whether particular facts in the complaint, taken as a whole, raise a strong inference that defendants intentionally or with deliberate recklessness made false or misleading statements to investors." In re LeapFrog Enter., Inc. Sec. Litig., 527 F. Supp. 2d. 1033, 1039-40 (N.D. Cal. 2007).

In their Motion to Dismiss, Defendants challenge the sufficiency of Plaintiffs' Section 10b and Rule 10b-5 claim as to (1) misrepresentation, (2) scienter, (3) reliance, and (4) causation. Regarding misrepresentation, Defendants argue that Plaintiffs' "scattershot pleading" fails on multiple levels.

First, Defendants argue that Plaintiffs fail to allege particularized, contemporaneous facts inconsistent with Defendants' allegedly false statements, and thus do not meet the PSLRA. Mot. at 10. Defendants also contend that many of the challenged statements are forward-looking statements accompanied by appropriate cautionary language and are thus protected by the PSLRA's "Safe Harbor" Provision. See Mot. at 11, 14, 19. Finally, Defendants assert that many of the challenged statements (including some of the ones claimed to be forward-looking) are non-actionable expressions of corporate optimism. See id. at 11.

Defendants next argue that Plaintiffs fail to plead sufficient facts establishing the requisite inference of scienter because "Plaintiff offer[s] almost nothing but conclusions." Id. at 20. Defendants then argue that Plaintiffs fail to plead loss causation because there is no pleading of a specific misstatement, as opposed to some other fact, that foreseeably caused Plaintiffs' loss. Id. at 27. Rather, Defendants contend that the stock fluctuation was due to other forces. Id. Defendants next contend that Plaintiffs fail to plead reliance based on the fraud-on-the market theory because Plaintiffs already knew of the core information allegedly concealed. Id. at 33. Finally, Defendants argue that because Plaintiffs cannot show a primary Securities Act violation, their Section 20(a) and 20A claims must be dismissed. Id. at 34.

As discussed in detail below, the Court finds that Statement 22 is the only actionable statement, but that Plaintiffs failed to adequately plead scienter and thus GRANTS Defendants Motion to Dismiss.

C. Discussion

1. Misstatement or Omission

For a misstatement to be actionable, the statement must be both false and material. See Basic Inc. v. Levinson, 485 U.S. 224, 238, 108 S.Ct. 978, 99 L.Ed.2d 194 (1988) ("It is not enough that a statement is false or incomplete, if the misrepresented fact is otherwise insignificant."). To survive a motion to dismiss, a complaint must "specify each statement alleged to have been misleading, [and] the reason or reasons why the statement is misleading." Metzler Inv. GmbH, 540 F. 3d at 1070 (quoting 15 U.S.C. § 78u-4(b)(1)).

Statements are misleading only if they "affirmatively create an impression of a state of affairs that differs in a material way from the one that actually exists." Brody v. Transitional Hosp. Corp., 280 F.3d 997, 1006 (9th Cir. 2002). Rule 10b-5 prohibits "only misleading and untrue statements, not statements that are incomplete." Id. Silence, absent a duty to disclose, "is not misleading under Rule 10b-5." Basic, 485 U.S. at 239 n.17, 108 S.Ct. 978. "Often a statement will not mislead even if it is incomplete or does not include all relevant facts." Brody, 280 F.3d at 1006.

Not all material adverse events must be disclosed to investors. See In re Rigel Pharm., Inc. Sec. Litig., 697 F.3d 869, 880 n.8 (9th Cir. 2012) (discussing Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27, 38-45, 131 S.Ct. 1309, 179 L.Ed.2d 398 (2011)). Information that a reasonable investor might consider material need not always be disclosed; companies can control "what they have to disclose [per § 10(b)] by controlling what they say to the market." Matrixx, 563 U.S. at 45, 131 S.Ct. 1309. Consequently, omissions are only actionable if a defendant has a duty to disclose information and fails to do so. Basic, 485 U.S. at 239 n.17, 108 S.Ct. 978. Hence, if the omission does not "make the actual statement[ ] misleading," a company need not supplement the statement "even if investors would consider the omitted information significant." Rigel, 697 F.3d at 880 n.8.

Finally, an actionable statement must also "be capable of objective verification." Retail Wholesale & Dep't Store Union Local 338 Ret. Fund v. Hewlett-Packard Co., 845 F.3d 1268, 1275 (9th Cir. 2017). For example, business puffery or opinion (vague, optimistic statements) is not actionable because it does not "induce the reliance of a reasonable investor." Or. Pub. Emps. Ret. Fund v. Apollo Grp. Inc., 774 F.3d 598, 606 (9th Cir. 2014).

a. Application

The alleged material misstatements and omissions can be separated into four categories: first, material misstatements or omissions regarding Facebook's response to data misuse and privacy violations. For these, Plaintiffs allege actionable misstatements by Defendants because they mislead investors about how Facebook handled privacy violations by falsely stating that victims received notice when their data was compromised, that they would ensure the deletion of any purloined data, and that users could control their data, including where it went and with whom it was shared. Pl. Opp. at 5. Second, Plaintiffs allege that the risk disclosures (Defendants' 10-K forms) filed with the SEC were materially false and misleading because they failed to disclose the existence and magnitude of the risks created by Facebook's existing and uncorrected failures to protect user privacy, including the risk presented by the exposed data possessed by Cambridge Analytica and other privacy violations. Id. at 11. Third, Plaintiffs address material misstatements or omissions regarding Defendants' response to the Cambridge Analytica scandal. Plaintiffs allege that Defendants concealed the full extent that Cambridge Analytica damaged Facebook's image and thus mislead investors. Id. at 13; Compl. ¶¶ 149-52, 176. Finally, Plaintiffs allege that Defendants materially mislead investors by repeatedly assuring investors that Facebook was GDPR-compliant, when, in fact, it was not. Pl. Opp. at 17; Compl. ¶¶ 234-37.

In order to effectively address these categories of statements, the Court sorts the statements into headings based on Defendants arguments for dismissal, i.e., (1) Forward-Looking Statements, (2) General Statements of Corporate Optimism, and (3) Falsity (including the alleged omissions). To begin, this Court resolves whether Facebook's Privacy Policy statements are actionable.

i. Use of the Privacy Policy Statements

Defendants argue that the Privacy Policy Statements (Statements 3-7) are not actionable because these statements were not "made in connection with the purchase or sale of Facebook securities." Mot. at 20.

To give rise to a 10b-5 claim, a statement must be made "in a manner reasonably calculated to influence the investing public." McGann v. Ernst & Young, 102 F.3d 390, 397 (9th Cir. 1996). Plaintiffs first point the Court to Batwin v. Occam Networks, Inc., to show that a "materiality" argument is premature at this stage. 2008 WL 2676364, at *22 (C.D. Cal. July 1, 2008). Plaintiffs are correct that materiality arguments often are "inappropriate for resolution on a motion to dismiss." Id. But the question here is not whether an investor would find the information in the privacy statements material, but if they are the types of documents that a reasonable investor would look at while making purchasing decisions. These questions, while remarkably similar, are distinct. Batwin, thus, is not applicable.5

Defendants cite In re Lifelock, Inc. Securities Litigation, to argue that while Facebook's privacy policies may have some probative value in consumer protection litigation, they have none in a case alleging investor fraud. 690 F. App'x 947, 953-54 (9th Cir. 2017). The Lifelock court, however, specifically distinguished the simple ads at hand, from the "detailed drug advertisements in sophisticated medical journals" considered in In re Carter-Wallace, Inc. Securities Litigation, 150 F.3d 153, 154 (2d Cir. 1998). Here, Facebook's privacy policies are more like the detailed drug advertisements of Carter-Wallace and less like the "simple" advertisements discussed in Lifelock. See Pl. Opp. at 20 n.16. As Exhibit 24 and 25 show, Facebook's data policy is thorough and thus markedly different from the "simple descriptive chart" and "passive ads" at issue in Lifelock. Further, the Second Circuit, who has examined this issue more extensively, has "broadly construed" the phrase "in connection with" to account for Congressional intent. Carter-Wallace, 150 F.3d at 156. Accordingly, because this Court cannot say as a matter of law that a reasonable investor would not use the privacy policy when making investment decisions, the privacy policies may be used to show a material misstatement or omission.

ii. Forward-Looking Statements

Under the PSLRA "Safe Harbor" Provision, "forward-looking statements are not actionable as a matter of law if they are identified as such and accompanied by "meaningful cautionary statements identifying important facts that could cause actual results to differ materially from those in the forward looking statement." 15 U.S.C. § 78u-5(c)(1)(A)(i).

A forward-looking statement is "any statement regarding (1) financial projections, (2) plans and objectives of management for future operations, (3) future economic performance, or (4) the assumptions `underlying or related to' any of these issues." No. 84 Emp'r Teamster Joint Council Pension Trust Fund v. Am. W. Holding Corp., 320 F.3d 920, 936 (9th Cir. 2003) (citing 15 U.S.C. § 78u5(i)). "[I]f a forward-looking statement is identified as such and accompanied by meaningful cautionary statements, then the state of mind of the individual making the statement is irrelevant, and the statement is not actionable regardless of the plaintiff's showing of scienter." In re Cutera Sec. Litig., 610 F.3d 1103, 1112 (9th Cir.2010).

Here, Defendants argue that some of the challenged statements were forward-looking statements protected by the PSLRA's Safe Harbor. This Court holds that Statements 35 and 36 are inactionable forward-looking statements.

Statement 35 is a statement of anticipation regarding the impact of the GDPR made during an earnings call ("[W]e do not anticipate [GDPR] will significantly impact advertising revenues."). Compl. ¶ 273. Forward-looking statements made during earnings calls are protected under the PSLRA safe harbor. In re Mellanox Techs. Ltd. Secs. Litig., 2014 WL 12650991, at *14 (N.D. Cal. Mar. 31, 2014). Forward-looking statements are projections of revenues, income, earnings per share, management's plans or objectives for future operations and predictions of future economic performance. 15 U.S.C. § 78u-5(i)(1)(A)-(C). At the start of the call, Defendants stated "[O]ur remarks today will include forward-looking statements. Actual results may differ materially from those contemplated by these forward-looking statements." Ex. 11 at 1. Because Statement 35 is a statement of anticipation regarding a future economic performance accompanied by meaningful cautionary language, this is an inactionable forward-looking statement.

Statement 36 is a statement regarding predictions of the impact of the GDPR on ads, i.e. revenue ("We believe [GDPR impacts on ads] will be relatively minor."). Compl. ¶ 277. It was made on the same call as Statement 35 and is also a projection of future economic performance with meaningful, cautionary language. Accordingly, Statement 36 is an inactionable forward-looking statement.

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 35 and 36. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

iii. General Statements of Corporate Optimism/Puffery

In the Ninth Circuit, "vague, generalized assertions of corporate optimism or statements of `mere puffing' are not actionable material misrepresentations under federal securities laws" because no reasonable investor would rely on such statements. In re Fusion-io, 2015 WL 661869, at *14 (collecting cases). When valuing corporations, investors do not "rely on vague statements of optimism like `good,' `well-regarded,' or other feel good monikers." In re Cutera, 610 F.3d at 1111.

Statements like "[w]e are very pleased with the learning from our pilot launch," "so far we're getting really great feedback," and "we are very pleased with our progress to date," are inactionable puffery. Wozniak v. Align Tech., Inc., 850 F.Supp.2d 1029, 1036 (N.D. Cal. 2012). Likewise, "statements projecting `excellent results,' a `blowout winner' product, `significant sales gains,' and `10% to 30% growth rate over the next several years'" have been held not actionable as mere puffery. In re Fusion-io, 2015 WL 661869, at *14 (citing In re Cornerstone Propane Partners, L.P. Sec. Litig., 355 F.Supp.2d 1069, 1087 (N.D.Cal.2005)).

Statement 31 pertains to Defendant Zuckerberg's conference call statements about the FTC consent order. Compl. ¶ 261(b) ("We've worked hard to make sure that we comply with [the FTC order]."). Plaintiffs allege that this was a misstatement because it misleadingly assured investors that the Cambridge Analytica scandal, and any potential resulting regulatory action, was a "non-issue." Pl. Opp. at 13, 15. Defendants argue, and this Court agrees, that this statement is too vague to be actionable. See, e.g., Lomingkit v. Apollo Educ. Grp. Inc., 2017 WL 633148, at *23 (D. Ariz. Feb. 16, 2017) ("Courts often hold that statements regarding general legal compliance are too vague to be actionable misrepresentations or omissions."); see also Karam v. Corinthian Colls., Inc., 2012 WL 8499135, at *10 (C.D. Cal. Aug. 20, 2012) (holding statement "[c]ompliance for the organization has really been job one for us" inactionable puffery); In re Gentiva Sec. Litig., 932 F.Supp.2d 352, 370 (2013) ("The Court finds ... [statements] that the compliance program was "robust" or "best-of-class"... too general to cause reliance by a reasonable investor."). Because this a statement of general compliance, it is inactionable corporate puffery.

Moreover, companies are not required to engage in "self-flagellation" by disclosing unproven allegations. Haberland v. Bulkeley, 896 F.Supp.2d 410, 426 (E.D.N.C. 2012); In re Paypal Holdings, Inc., 2018 WL 466527, at *3 (N.D. Cal. Jan. 18, 2018) ("Federal securities laws do not impose upon companies a `duty to disclose uncharged, unadjudicated wrongdoing.'" (citing City of Pontiac Policemen's & Firemen's Ret. Sys. v. UBS AG, 752 F.3d 173, 184 (2d Cir. 2014)). At the time this statement was made, the FTC only stated an intent to investigate Facebook, but had not made any formal finding that Facebook violated the decree order. See Compl. ¶ 16 ("On March 26, 2018, the FTC formally announced an investigation into Facebook's breach of the consent decree...." (emphasis added)). Thus, Defendants had no requirement to elaborate on any potential privacy breaches. Accordingly, Statement 31 is not an actionable misstatement.

Statement 33 relates to statements made by Defendant Zuckerberg in an April 2018 Facebook post. He wrote that the Facebook community "continues to grow." Compl. ¶ 271. Plaintiffs argue that because there was a "basis" for doubt about growth, this statement is misleading and conceals user disengagement. The statement, however, is almost identical to statements this district has found to be inactionable puffery. See Cornerstone Propane, 355 F. Supp. 2d at 1087 (statement "10% to 30% growth over the next several years" inactionable puffery); LeapFrog, 527 F. Supp. 2d. at 1050 (vague statements like "[w]e are pleased with our progress" inactionable); City of Royal Oak Ret. Sys. v. Juniper Networks Inc., 880 F.Supp.2d 1045, 1064 (N.D. Cal. 2012) (statements like "our demand indicators are strong, our product portfolio is robust" inactionable corporate optimism). In response, Plaintiffs argue that this statement was deceptive because it misleadingly told investors that the Cambridge Analytica scandal was not affecting Facebook. This rebuttal, however, fails to allege that Facebook was not growing (thus rendering the statement false). Cf. In re Syntex Corp. Sec. Litig., 95 F.3d 922, 931 (9th Cir. 1996) ("Everything [was] going fine" actionable only because plaintiff "pled facts showing that the statements were false when made"). Accordingly, because Plaintiffs have not sufficiently pled falsity, this is an inactionable statement of corporate optimism.

Statement 34 is a statement of optimism ("[W]e're optimistic about what we're seeing here."). Compl. ¶ 273. The Court agrees with Defendants that this is a general statement of corporate optimism because it is a vague, "run-of-the-mill" statement expressing, quite literally, corporate optimism. Copper Mountain, 311 F. Supp. 2d at 868-69 ("run-of-the-mill" statements like "business remained strong" inactionable corporate optimism). Thus, this statement is not actionable.

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 31, 33, and 34. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

iv. Failure to Sufficiently Allege Falsity

To assert a claim under the PSLRA, the plaintiff must particularly plead the element of falsity. Zucco Partners, 552 F.3d at 990-91. "The PSLRA has exacting requirements for pleading `falsity.'" Metzler, 540 F.3d at 1070. To satisfy these "exacting requirements" a plaintiff must plead "specific facts indicating why" the statements at issue were false. Id.; Ronconi v. Larkin, 253 F.3d 423, 434 (9th Cir. 2001) ("Plaintiffs' complaint was required to allege specific facts that show" how statements were false). A plaintiff may rely on contemporaneous statements or conditions to demonstrate why statements were false when made, but such circumstantial evidence must be plead with particularity. In re Stratosphere Corp. Sec. Litig., 1997 WL 581032, at *13 (D. Nev. May 20, 1997) (noting that to plead falsity, plaintiff must provide "evidentiary facts contemporary to the alleged false or misleading statements from which this court can make inferences permissible under Rule 9(b)."). Thus, to be actionable, a statement must be false "at [the] time by the people who made them." Larkin, 253 F.3d at 430. The fact that a "prediction proves to be wrong in hindsight does not render the statement untrue when made." In re VeriFone Sec. Litig., 11 F.3d 865, 871 (9th Cir. 1993).

Statements 1 and 2 pertain to how Facebook said it generally responds to situations involving data violations; Defendants stated they would take "swift action" against companies that mislead people or misuse their information because this is a "direct violation of [Facebook] policies" and would require such companies to destroy improperly collected data. Compl. ¶¶ 227-28. First, Plaintiffs do not allege that misleading people or misusing their information is allowed under Facebook's policies, i.e., that it is not a "direct violation" of the policy. Rather, Plaintiffs allege that these statements were misleading because Facebook's actions in response to the Cambridge Analytica data breach, and other similar privacy violations, were "directly contrary" to these assertions. Id. ¶ 229.

Defendants stated they "will" take swift action;6 Plaintiffs must prove contemporaneous falsity, Stratosphere Corp., 1997 WL 581032, at *13, and allege specific facts demonstrating that, when the statements were made, Facebook did not intend to (1) take swift action and/or (2) promptly ban from Facebook companies that violated Facebook's policies and require those companies to destroy misappropriated data. See In re Fusion-io, Inc. Sec. Litig., 2015 WL 661869 (N.D. Cal. Feb. 12, 2015) (requiring plaintiff provide evidentiary facts contemporary to the alleged false statement from which court can make inferences permitted under Rule 9(b)). To show contemporaneous falsity, Plaintiffs argue that when these statements were first made in 2015, Facebook "had not taken any action to enforce its privacy policies until six months after the Cambridge Analytica data breach was publicly reported and more than a year after the Company had learned of it." Pl. Opp. at 7 (citing Compl. ¶¶ 86, 94-97). But what happened in 2015 is irrelevant, the Class Period starts in February 2017. When these statements were made in 2017, Facebook "did investigate the alleged data misuse, did remove Kogan's app from Facebook, and did obtain certifications and confirmations that all user data had been destroyed." Mot. at 11 (citing Compl. ¶¶ 9, 90, 92, 96, 98, 150-51, 176). Thus, this Court can infer they did take "swift action."

Plaintiffs next urge this Court to find the statements false because Defendants had not taken any "meaningful steps to `require' Cambridge Analytica to `destroy' the affected data, to investigate the extent of the breach, or even to identify the amount of data affected." Pl. Opp. at 7 (citing Compl. ¶¶ 90-93, 98-99, 104-08). Plaintiffs, however, never allege that Defendants promised to take "meaningful steps." Further, and more damning, Plaintiffs cannot escape the fact that Defendants did require Kogan to destroy the data, Compl. ¶ 9, and received confirmation from Kogan that this was done, id. ¶ 92.

Finally, these statements, by their terms, are outside the scope of the Cambridge Analytica matter and are thus outside the purview of Plaintiffs' claim. Compare Compl. ¶¶ 227, 228 ("Facebook, which told The Guardian in 2015 that it was investigating allegations that the company had improperly obtained data from its users, would not comment on the current status of that investigation." (emphasis added)), with id. ¶ 225 ("Facebook's false assurances that it had "take[n] swift action" in response to the Cambridge Analytica data breach ... remained alive and uncorrected in the market at the outset of the Class Period.").

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 1 and 2. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

Statements 3-8 refer to Facebook's 2016 Privacy Policy (now recorded at Exhibit 25). See Compl. ¶¶ 301-04. Defendants argue that these statements are not actionable because they are not adequately alleged to have been false or misleading. Mot. at 20; see also supra III. C.1.a.i. (holding privacy policy statements actionable).

Plaintiffs take issue with the "investigating suspicious activity or violations of our terms or policies" part of Statement 3. Compl. ¶¶ 301(a), 302(a). Plaintiffs argue this statement is false because Defendants "deliberately ignored information brought to its attention about such risks and violations," like the failure to "fully or promptly" investigate the Cambridge Analytic breach or "thousands of [other] reports of [privacy] violations." Id. ¶ 302(a). Plaintiffs, however do not: (1) provide this Court with specific occurrences of Defendants ignoring these "thousands of reports" or (2) specifically allege, with evidentiary facts, that Defendants did not investigate suspicious activity. To the contrary, Plaintiffs identify actions Defendants took to respond to data breaches, like Cambridge Analytica, thus showing they did investigate these violations. See, e.g., id. ¶ 99. Plaintiffs instead make conclusions that "Facebook [did not] make any attempt to investigate what data had been compromised or from which users, or how widely it had been distributed beyond Cambridge Analytica." Id. ¶ 91; cf. id. ¶ 104 (identifying Defendant Zuckerberg's expression of regret about not doing more to investigate the data breach). Defendants never represented (and Plaintiffs do not allege they did) that "investigate" means a "full or prompt" investigation. Because Plaintiffs have not identified specific occurrences of lack of investigation, they have not adequately alleged that this statement is false.

Regarding Statement 4, Plaintiffs allege that contrary to Defendants' assertion that they "work hard to protect ... account[s] using teams of engineer, automated systems, and advanced technology," the company had "no ability to track user data provided to developers or others, much less the ability to determine whether information had been used or shared beyond the extent authorized by the user, or what user data had been compromised, who had it, or how it was being used." Id. ¶ 302(b). Specifically, Plaintiffs allege that during the class period, Defendants were still concealing that it was unaware of how much data had been compromised or how many users were affected by the Cambridge Analytica breach. Id. Plaintiffs' allegation that the statement "working hard to protect accounts" is rendered false by the Cambridge Analytica breach and issues arising from the breach is a stretch. In this statement, Defendants do not profess an ability to track user data or that they can determine third-party data-use. Further, Plaintiffs do not allege contemporaneous facts that Defendants meant Statement 4 as an assurance that they could track data. Accordingly, this Court cannot infer a connection between the data breach and this statement.

Regarding Statements 5 and 8, Plaintiffs allege that contrary to Defendants assertion that: (1) Facebook's vendors, service providers, and other partners must "adhere to strict confidentiality obligations that is consistent with [Facebook's policies];" (2) Facebook "require[s] applications to respect [user] privacy, and [the user's] agreement with that application will control who the application can use, store, and transfer that content and information;" and (3) that Facebook "expected app developers and others to protect user's rights by making it clear what information is being collected and how it is used," Facebook "repeatedly ignored information brought to its attention about violations of those policies, and repeatedly authorized developers and others to use information in ways that were directly contrary to those policies." Id. ¶ 302(e). First, Plaintiffs do not allege that Facebook partners do not have to adhere to strict confidentiality obligations. Further, Statement 5, by its terms, only requires developers to adhere to strict confidentiality obligations, it makes no assertion about what Defendants will do with developers who do not adhere to this policy, and thus even if Defendants ignored violations, they never asserted here that they would affirmatively do something. Finally, Plaintiffs provide no specific evidentiary facts from which the Court can infer falsity, i.e., that at the time the statement was made, developers did not have to adhere to strict confidentiality obligations. Accordingly, Statement 5 is not actionable.

Regarding Statement 8, at the time of the Cambridge Analytica scandal, Facebook had a different privacy policy. See Ex. 24. This privacy policy did not have any guarantee about requiring apps to respect user privacy. The Cambridge Analytica scandal, thus, is irrelevant to this 2015/2016 privacy policy (and this is likely why Plaintiffs did not plead any Cambridge Analytica related issues regarding Statement 8). Moreover, Plaintiffs point this Court toward no specific instances of Facebook "repeatedly ignor[ing] information brought to its attention about violations [of Statement 8]" or "repeatedly authoriz[ing] developers and others to use information in ways that were directly contrary [to Statement 8]." Thus, the Court cannot conclude that Statement 8 is false as Plaintiffs have not met their burden of showing particular, evidentiary facts from which this Court can infer falsity.

Further regarding Statement 8, Plaintiffs argue that Defendants falsely stated that "[users] can control" how their information is shared through "privacy and application settings." Id. ¶ 302(f); Pl. Opp. at 9. Plaintiffs argue this is a false statement because Defendants "knew that Facebook's privacy policies and settings were deliberately confusing to users," especially regarding third-party consent. Compl. ¶ 302(f). But Plaintiffs offer no contemporaneous pieces of evidence from which this Court can infer Defendants knew users did not understand the policy. Further, Plaintiffs do not allege that users could not control information-sharing. Therefore, again, the Court cannot conclude that Statement 8 is an actionable false statement.

Regarding Statement 6, Plaintiffs allege that contrary to Defendants warning to app developers that Facebook would enforce its privacy policy to prevent app developers from selling or transferring user data, "or from using their customers' friend data outside of their customer's use of the app," Facebook failed to verify that user data compromised in the Cambridge Analytica data breach had been deleted and its enforcement of this policy was "limited, haphazard, and inconsistent." Id. ¶ 302(c).

The connection between Cambridge Analytica and Statement 6 is tenuous. Statement 6 makes no guarantees about verifying data deletion. Rather, by its terms, it specifies enforcement options like "disabling [an] app, restricting ... access, requiring that you delete data, [or] terminating our agreements with you." Cf. id. ¶ 313 (Defendants required Cambridge Analytica to delete the data per the policy); Id. ¶ 137 ("On May 14, 2018, CNN reported that `Facebook has suspended 200 apps for possible misuse of user data in the wake of the Cambridge Analytica scandal.'"). Further, Plaintiffs offer no specific facts from which this Court can infer that Defendants' enforcement was "limited, haphazard, and inconsistent." Accordingly, the Court cannot conclude that Statement 6 is false as Plaintiffs have not met their burden of showing particular, evidentiary facts from which this Court can infer falsity.

Plaintiffs contend that Statement 7 is false because Defendants did not "notify [their] users with context around the status of their account and actionable recommendations" when they "confirmed ... accounts [were] compromised." Specifically, Plaintiffs point to the fact that Defendants "failed to notify tens of millions of users whose data had been compromised by the Cambridge Analytica data breach." Id. ¶ 301(d). Defendants wrote this policy in 2017, an entire year after they thought that Cambridge Analytica had already deleted the data. Id. ¶ 153. Moreover, Plaintiffs have not shown that Defendants did not notify users once they confirmed accounts were compromised. Id. ¶ 93; Id. ¶ 18 ("Facebook, also, for the first time, started to notify data misuse victims and `tell people if their information may have been improperly shared with Cambridge Analytica.'"). The notification to users came after Facebook learned that Cambridge Analytica had not actually deleted user data. To discount this, Plaintiffs highlight Defendants admissions of regret to show an inadequate response to the breach, but never show that Defendants knew the accounts were compromised before this policy was enacted or before the 2018 articles. See id. ¶ 93. The Court, therefore, cannot conclude that this statement is actionable.

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 3-8. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

Statements 9-19 refer to Defendants' 10-K SEC risk disclosure statements. Plaintiffs main contention is that these statements are materially false and misleading because the risks they warned of already had materialized. Pl. Opp. at 11 (citing Compl. ¶¶ 6-13, 290-300). Essentially, they argue that Defendants intentionally omitted information about the "existence and magnitude of the risks" facing Facebook and thus mischaracterized threats facing Facebook as "future risks." Id. For example, Facebook warned investors, using contingent terms, that "[a]ny failure to prevent or mitigate security breaches and improper access to or disclosure of ... user data could result in the loss or misuse of such data, which could harm our business and reputation." Compl. ¶ 291. This, Plaintiffs contend, is a material misstatement because "Defendants knew ... they had not properly `mitigate[d]' the Cambridge Analytica data violation" by not investigating the full extent of the breach, notifying victims of the breach, and not receiving reliable assurances that the data had been deleted. Pl. Opp. at 11 (citing Compl. ¶¶ 8, 9, 90-93, 94-97, 100, 104-10). And, they allege, because Defendants knew of these risks, it was materially misleading to "warn" investors of "potential risks" to the Company by unaddressed privacy violations without revealing that those exact risk already existed. Id. at 12.

For a risk disclosure to be false, Plaintiffs must "allege facts indicating that [the] risk factor was already affecting [Facebook] to the extent that [D]efendants' statements were false" when made. Lloyd v. CVB Fin. Corp., 2012 WL 12883522, at *19 (C.D. Cal. Jan. 12, 2012) (emphasis added); Baker v. Seaworld Entm't, Inc., 2016 WL 2993481, at *12 (S.D. Cal. Mar. 31, 2016) (holding that risk disclosure statements not materially false or misleading because "[p]laintiffs ... fail to plausibly allege Defendants knew that [warned-of risks] were having any impact on attendance"); Williams v. Globus Med. Inc., 869 F.3d 235, 241-43 (3d Cir. 2017) (holding risk disclosures not materially misleading because risks plead by the plaintiffs "had not actually materialized at the time of either the 2013 10-K or the 2014 1Q 10-Q"). Plaintiffs do not allege that the Cambridge Analytica data breach was "already affecting Facebook" at the time these risk disclosures were made. Nor could they; these risk disclosure statements were made on February 3, 2017, Compl. ¶ 291, two years after the first 2015 The Guardian story about Cambridge Analytica, id. ¶ 7, and a year before the 2018 Cambridge Analytica The Guardian story, id. ¶ 14-15. This chronology undercuts Plaintiffs theory of events, namely that the second story reignited scrutiny and distrust, which caused the stock collapse. Id. ¶ 18-23. Accordingly, Plaintiffs have offered no proof that future risks stated in the risk disclosures had "actually affected" Facebook's reputation or stock because the risks of negative media attention or regulatory action had not yet materialized.

In the alternative, Plaintiffs argue that the statements were false because Defendants knew the statements were incomplete. See Berson v. Applied Signal Tech., 527 F.3d 982, 986 (9th Cir. 2008) (holding that the defendant's may have made a material misstatement when they omitted information of a known-risk). Plaintiffs rely on Sgarlata v. PayPal Holdings, Inc. as support that the risks facing Facebook had materialized. 2018 WL 6592771 (N.D. Cal. Dec. 13, 2018). There, the plaintiffs claimed that the defendants made material misstatements in press releases. Id. at *2. Specifically, the defendants released a statement that they were suspending operations due to the discovery of "securities vulnerabilities." Id. About a month later, the defendants revealed that over 1.6 million people's data had been potentially compromised. Id. The plaintiffs had plead, with particularity, that the defendants knew about the data breach when they made the original statement. Id. at *3. This allowed the court to conclude that the plaintiffs' claims satisfied falsity because the disclosure "could plausibly have created an impression that only a potential vulnerability and not an actual breach had been discovered."7 Id. at *7; see also Brody, 280 F.3d at 1006 ("[An omission] must affirmatively create an impression of a state of affairs that differs in a material way from the one that actually exists.").

In contrast, here, Plaintiffs fail to plead specific facts from which this Court can infer that Facebook knew of the risk still posed by the Cambridge Analytica breach and that a materially different "state of affairs" existed. Rather, Plaintiffs indicate that no risk had materialized because Defendants had asked and had received certifications from Kogan, Cambridge Analytica, and its affiliates that all Facebook user data had been destroyed and had banned Kogan and his app from Facebook. ¶¶ 9, 90, 92, 96, 98, 150-51, 176. Plaintiffs do not allege other particular facts from which this Court can infer Defendants knew these risk disclosures were false. See ¶ 78 (noting that Facebook did not know of any continued risk because it never audited its developers). Further, Facebook changed its privacy policy and restricted app developers access to data, leading the Court farther from the inference that Defendants knew a Cambridge Analytica-like event was likely to happen again. Id. ¶¶ 98, 251, 258, 266, 280. For this reason, Statements 9, 10, 13-19 are inactionable.

Plaintiffs' opposition points this Court towards Statement 11 to argue its language about "developing systems and processes designed to protect user data" is false because Defendants allowed third-party consent for years. Opp. at 12. These risk disclosures, however, were made after Facebook updated its privacy policy to no longer allow such consent. Plaintiffs next argue that because Facebook continues to provide device makers access to users' friends' data without their explicit consent ("whitelisting"), this disclosure is false.8 Pl. Opp. at 12. Plaintiffs, however, do not allege this whitelisting resulted in "data loss" or a "security breach" thus making the risk disclosure false. Compl. ¶ 291. Further, per Statement 12, Facebook discloses that such data sharing may occur.

Finally, Plaintiffs argue Statement 12 is false because it affirmatively reassures users that Facebook only gives third parties "limited" data. Id. ¶ 291. Plaintiffs contend that this is false because Facebook "didn't really care how the data was used" and exposed data to copying "a million times" by hundreds of third parties. Id. ¶ 131-48. Plaintiffs, however, seem to disregard the final part of this statement— "if these third parties ... fail to adopt or adhere to adequate security practices ... our data or users' data may be improperly accessed, used, or disclosed." Id. ¶ 291. Defendants, thus, make no guarantee that data given to app developers would be protected or that they would control app developers use of that data. Plaintiffs essentially only allege that Facebook did not audit developers after learning of a potential data storage problem. Id. ¶ 78. However, Facebook makes no contention that it would control the actions of these third-parties.

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 9-19. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

Statements 20 & 21 refer to the white paper issued by Facebook in April 2017 in which Defendants stated they would "notify specific people" targeted by sophisticated attackers and "proactively notify people" they believed would be targeted. Id. ¶ 230.

Plaintiffs argue that these are false statements because (1) Defendant Zuckerberg admitted to the U.S. Senate that Facebook made a conscious decision not to inform users whose data had been appropriated by Cambridge Analytica about the data breach, id. ¶¶ 93, 98, 100, (2) failed to either investigate other data-sharing instances with other app developers or notify potential victims of such data-sharing, id. ¶¶ 79, 131-48, and (3) continued to share user data in ways that violated its stated privacy policies by providing "whitelisted" mobile device makers access to users' friends data without notifying users, id. ¶¶ 138, 140, 183, 209-10.

Plaintiffs, however, seem to ignore that these statements refer to "targeted data collection and theft." Ex. 26 at 7 (emphasis added). Specifically, this page advised users about protecting their accounts from data collection by methods like "phishing9 with malware to infect a person's computer and credential theft to gain access to ... online accounts." Id. This Court rejects Plaintiffs' argument that "phishing with malware" was "merely an example of misconduct that could compromise user data." Pl. Opp. at 6. The portion of the paper with the "false statements" expressly confines itself to situations involving "malicious actors," who use "[t]ypical methods" like phishing. Ex. 26 at 7. Plaintiffs do not allege that Cambridge Analytica and other app developers used methods like "phishing with malware." Instead, Plaintiffs' complaint focuses on situations where user data was not obtained by phishing, but rather by app developers who accessed the platform with Facebook's permission and user consent. Compl. ¶¶ 46, 79, 150, 280. Contrary to Plaintiffs' contention, Hong is thus directly applicable10 because this portion of the white paper plainly does not bear on the Cambridge Analytica-type privacy issues. See Hong v. Extreme Networks, Inc., 2017 WL 1508991, at *15 (N.D. Cal. Apr. 27, 2017) (holding the plaintiffs' allegations of falsity insufficient because "the reasons Plaintiffs offer as to why the statements are false or misleading bear no connection to the substance of the statements themselves").

Further, by its very terms, notification was limited to people targeted by "sophisticated attackers." Ex. 26 at 7. This is defined as an "attacker suspected of working on behalf of a nation-state." Ex. 37 (cited in Ex. 26 at 7 n.5). The additional warning is shown if Facebook "has a strong suspicion that an attack could be government-sponsored." Id. Plaintiffs do not allege that Cambridge Analytica, or any other app developer, was "suspected of working on behalf of a nation state" or "government sponsored." Instead, Plaintiffs allege that Cambridge Analytica misappropriated Facebook user data for use in U.S. political campaigns, but not that they were sophisticated attackers who targeted users' accounts. Cf. Compl. ¶¶ 80-83. Defendants commitment in the white paper to warn users either proactively or post-attack by a sophisticated attacker, thus, has no relation to the allegations of misappropriation by Cambridge Analytica.

Finally, Plaintiffs attempt to show falsity by contrasting the white paper statements and Defendants' 2018 statements. In 2018, Defendants are quoted as saying "[they] should have [informed users]" and that they "got [it] wrong" by withholding notice from the Cambridge Analytica victims, Compl. ¶¶ 174-83. The connection, however, fails for two reasons: first, as demonstrated, the white paper has no relation (stated or implied) to the Cambridge Analytica scandal, and so statements made about the Cambridge Analytica or related data scandals are per se unrelated to the white paper's statements, which focuses on Facebook's phishing policy. Second, and relatedly, while these statements may demonstrate Defendants' regret, they do not contradict any alleged earlier statement by Defendants that affected users would be notified about the Cambridge Analytica breach.

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 20 and 21. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

Statement 2211 is Defendant Sandberg's 2017 statement that "no one is going to get your data that shouldn't have it" because "you're controlling who you share with." Compl. ¶ 234(a).

Plaintiffs allege two main theories of misconduct regarding consent: (i) third-party consent and (ii) whitelisting. This statement addresses theory (ii), specifically that Defendants were still involved in the harvesting of data by allowing certain whitelisted apps to access data contrary to the Privacy Policy. See Ex. 25.

Plaintiffs argue, and this Court agrees, that Plaintiffs have adequately pleaded that users could not control their data. See id. ¶¶ 138-40, 207, 209 (discussing how Facebook was overriding user privacy settings to provide data to mobile device makers, depriving users of control); Id. ¶¶ 102-03 (stating that Defendants knew that bad actors were able to access data). These allegations are particular enough to allow the Court to infer contemporaneous falsity —that is, that user's privacy choices were being "overridden" at the time this statement was made. Id. ¶¶ 140, 183 (stating that the whitelisting deals started in 2015); see also In re Facebook Inc., Consumer Privacy User Profile Litig., 402 F.Supp.3d at 795-96, 2019 WL 4261048, at *16 (holding whitelisted theory adequately pleaded because "complaint plausibly alleges that none of the users consented" to this type of sharing).

For these reasons, the Court holds that Plaintiffs adequately pleaded falsity as required by the PSLRA for Statement 22.

Statements 25-28 pertain to the update posted by Defendant Zuckerberg after the 2018 The Guardian article. Plaintiffs allege these statements are materially misleading because they were meant to cast doubt on news reports about Facebook's failure to address data breaches. Plaintiffs allege "Facebook had authorized Kogan ... to sell user data," "had taken no action against Kogan," "waited six months before asking Cambridge Analytica and other entities to certify all data had been destroyed," and "made no effort ... to identify what data had been compromised." Plaintiffs, however, allege no facts from which this Court can infer falsity— they offer no evidence Facebook authorized Kogan to sell data, they indicate that Facebook did take action against Kogan and Cambridge Analytica, and they never plead Facebook made promises to take action within a certain time frame.

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 25-28. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

Statements 29 & 30 pertain to the issue of consent, specifically whether users gave third-party consent.

In a Facebook post, Defendants wrote "[t]he claim that this is a data breach is completely false." (Statement 29), Compl. ¶ 255. Plaintiffs argue that this statement is materially misleading because (1) this was a huge data breach and (2) it undermined media reports concerning Facebook's lax privacy policies thus misleadingly reassuring investors that the Cambridge Analytica scandal was behind the Company. Id. ¶ 256-57. First, Plaintiffs state "[i]t was patently false to claim that the Cambridge Analytica scandal was "not a data breach." Id. ¶ 256. This, however, overlooks the fact that the post confined its meaning of "data breach" to "systems [being] infiltrated, ... passwords or sensitive pieces of information [being] stolen or hack[ing]." Id. Plaintiffs do not allege that this definition of a data breach was materially misleading or false or that the Cambridge Analytica scandal fit within this definition of data breach.

In this same post, Defendants wrote "everyone involved gave their consent. People knowingly provided their information." (Statement 30), Id. ¶ 255. Plaintiffs argue that this is a false statement because not all 87 million affected users consented to the data-sharing and none consented to the sale of their data for use in political campaigns. Pl. Opp. at 14. First, this statement never contends that people consented to the use of their data in political campaigns. Plaintiffs allege that saying people consented is false because people did not knowingly give consent to the data sharing by noting the number of affected people, that they did not get timely notice, and that the FTC consent order required them to report data violations.

Again, Plaintiffs allege three main theories of misconduct regarding consent: (i) third-party consent, (ii) whitelisting, and (iii) sharing of data with third-parties contrary to stated policy. At issue here, is category (i); Statement 30 directly addresses this type of consent. Exhibit 24 shows the privacy policy in place during the creation and implantation of the app "thisisyourdigitallife." This policy stated "Just like when you share information by email or elsewhere on the web, information you share on Facebook can be re-shared. This means that if you share something on Facebook, anyone who can see it can share it with others, including the games, applications, and websites they use." Ex. 24 at 4 (emphasis added). The policy also told users they could decline to allow this third-party consent but would have to actively opt-out, otherwise their data could be shared. Id.; see also In re Facebook Inc., Consumer Privacy User Profile Litig., 402 F.Supp.3d at 792, 2019 WL 4261048, at *14 ("Thus, contrary to the plaintiffs' argument, the language of these disclosures cannot be interpreted as misleading users into believing that they merely needed to adjust their privacy settings to `friends only' to protect their sensitive information from being disseminated to app developers. Users were told that they needed to adjust their application settings too.").

While Facebook's updated Privacy Policy restricts friends' ability to share data with third-party app developers, Ex. 25, Plaintiffs have provided no factual basis that the statement "everyone involved gave their consent" was false when made because they have not shown that users did not consent. In re Fusion-io, 2015 WL 661869, at *16 ("To satisfy these `exacting requirements,' a plaintiff must plead `specific facts indicating why' the statements at issue were false.").

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 29 & 30. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

Statements 23, 24, and 3212 are used by Plaintiffs to show that Defendants "misleadingly downplayed" the impact of the effect of the looming GDPR on business.

Statements 23, 24, and 32 are about the GDPR; Plaintiffs argue that Defendants falsely assured investors that Facebook was already "already adhering to or prepared to meet" the regulations, when they were not meeting the requirements. Compl. ¶¶ 233-37, 261, 276-77, 283. Defendants, however, never asserted that Facebook was fully compliant with the GDPR, only that "Europe ... passed a single privacy law and [Facebook is] adhering to that." Id. ¶ 201 (Statement 23). In other words, this expresses an intention to adhere to this privacy law, the statement is not a profession of being fully compliant. Facebook maintained only that it "applies the core principles [of the GDPR] ... and we're building on this to ensure that we comply in May of next year." Id. (emphasis added) (Statement 24); see also id. ¶ 202 ("[W]e've had almost all of what's in [the GDPR] implemented for years....") (emphasis added) (Statement 32). The statements show that Facebook knew it was not fully GDPR complaint, but that it intended to keep working to become GDPR compliant. To rebut this, Plaintiffs argue that the costs associated with GDPR implementation, specifically user growth and revenue costs, show that Facebook was not actually anywhere near being GDPR compliant. Pl. Opp. at 18. Defendants, however, specifically warned investors in April 2018 that implementation of the GDPR would impact advertising revenues and user growth by stating they expected "full-year 2018 total expenses [to] grow 50-60%" due to "significant investments we're making in areas like safety and security." Compl. ¶ 277, Ex. 11 at 8; see also Turocy v. El Pollo Loco Holdings, Inc., 2016 WL 4056209, at *8-10 (C.D. Cal. July 25, 2016) (holding not misleading statement where "allegedly omitted facts rendering the statement false were actually disclosed").

Further, Plaintiffs never identify a single provision of the GDPR that Facebook had not implemented at the time the challenged statements were made. Reply at 11. Instead, Plaintiffs rely on a fraud by hindsight pleading—they allege that GDPR compliance statements must have been false because user growth declined slightly once GDRP had been fully implemented. This is not permitted under PSRLA's strict pleading standards. See City of Roseville Emps. Ret. Sys. v. Sterling Fin. Corp., 963 F.Supp.2d 1092, 1109 (E.D. Wash. 2013) ("Without evidence of contemporaneous falsity, an allegation of a misleading representation, which entirely rests on later contradictory statements, constitutes an impermissible attempt to plead fraud by hindsight."). Accordingly, these statements are not actionable.

For these reasons, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statements 25-28. Accordingly, this Court GRANTS Defendants' motion to dismiss as to those statements.

2. Scienter

Having determined that Statement 2213 is actionable, the next issue is whether Plaintiffs adequately pleaded a strong inference of scienter.

Scienter is required under the PSLRA and plaintiffs must plead "with particularity facts giving rise to a strong inference that the defendant acted with the requisite state of mind" regarding "each act or omission alleged." 15 U.S.C. 78u-4(b)(2)(A). It can be established by intent, knowledge, or certain levels of recklessness. In re VeriFone Holdings, Inc. Securities Litigation, 704 F.3d 694, 702 (9th Cir. 2012). Recklessness must be deliberate. Schueneman v. Arena Pharma., Inc., 840 F.3d 698, 705 (9th Cir. 2016) ("[S]cienter —a mental state that not only covers `intent to deceive, manipulate, or defraud,' but also `deliberate recklessness.'" (citations omitted)). Deliberate recklessness is an "extreme departure from the standards of ordinary care ... which presents a danger of misleading buyers or sellers that is either known to the defendant or is so obvious that the actor must have been aware of it." Id. Thus, recklessness only satisfies scienter under § 10(b) to the extent it reflects some degree of intentional or conscious misconduct. In re NVIDIA Corp. Sec. Litig., 768 F.3d 1046, 1053 (9th Cir. 2014).

A "strong inference" of scienter exists "only if a reasonable person would deem the inference of scienter cogent and at least as compelling as any opposing inference one could draw from the facts alleged." Tellabs, 551 U.S. at 324, 127 S.Ct. 2499. In reviewing a complaint under this standard, the court must consider "all reasonable inferences to be drawn from the allegations, including inferences unfavorable to the plaintiffs." Metzler, 540 F.3d at 1061. To plead a strong inference of scienter, plaintiffs must plead particularized facts demonstrating that the individual defendants knew the supposedly false statements challenged by the plaintiffs were false or misleading when made or had access to information demonstrating that the individual defendants were deliberately reckless in allowing the false statements to be made. See id. at 1068.

Plaintiffs allege Defendant Sandberg falsely claimed, "[N]o one is going to steal your data." Compl. ¶ 234(a). This Court held above that Plaintiffs adequately alleged that this is a materially misleading statement considering "whitelisting." To establish scienter, Plaintiffs rely on Sandberg's statements of regret, "witness accounts," "widespread privacy misconduct," and "the FTC Consent Decree."14

The witness accounts do not establish scienter because none of the witnesses establish that Sandberg intentionally or recklessly lied when she claimed users controlled their data. First, Plaintiffs argue that in 2016, Roger McNamee raised "red flags" about Facebook's "systemic problem of data misuse." Pl. Opp. at 23. McNamee discussed with Defendants a "systemic problem with algorithms and the business model of Facebook that allow bad actors to cause harm to innocent users of Facebook." Ex. 15 at 3. This could establish knowledge that Sandberg knew, in 2017 when she made Statement 22, that people's data could be vulnerable. Plaintiffs, however, do not allege, nor can this Court infer, that when Sandberg made this statement, a year after McNamee "raised red flags," that these processes were still allowing bad actors to cause harm to innocent users. The stronger inference is that Facebook had addressed these problems since Sandberg addressed security improvements following the Russian interference in the Axios Interview (the interview in which Statement 22 was made).

Similarly, Plaintiffs use the fact that Sandy Parakilas warned the "top five executives" at Facebook about "privacy vulnerabilities" at Facebook. But, this was five years before the Class Period began, Reply at 14, and thus suffers the same problem as McNamee's statement. Likewise, Christopher Wylie's testimony that "Facebook was first notified of [Cambridge Analytica's] harvesting scheme in 2015," Compl. ¶ 86(f), has little import considering she said "going to get" your data, therefore rendering the Cambridge Analytica breach irrelevant.

Next, Plaintiffs argue that widespread privacy misconduct at Facebook confirms scienter. Plaintiffs point to the New York Times article discussing "whitelisting" and that "the Company had struck agreements allowing phone and other device makers access to vast amounts of its users' personal information." Compl. ¶ 138. They argue that this alone is enough to establish scienter. But, none of the cases Plaintiffs cite support this conclusion. See In re Countrywide Fin. Corp. Sec. Litig., 588 F.Supp.2d 1132, 1190 (C.D. Cal. 2008) (holding complaint persuasively alleges that "systematic changes in Countrywide came from the top down and pervaded virtually every office" because directors and officers allegedly were regularly provided "detailed exception statistics"). Here, in contrast to Countrywide, Plaintiffs do not allege that Sandberg knew about whitelisting or was provided detailed information about it. It is not enough that Facebook's business model depends on users freely sharing their information and thus incentivizes misuse of data. See, e.g., Compl. ¶ 302(f); Metzler, 540 F.3d at 1068 ("As this court has noted on more than one occasion, corporate management's general awareness of the day-to-day workings of the company's business does not establish scienter—at least absent some additional allegation of specific information conveyed to management and related to the fraud.").

Third, Plaintiffs point to the FTC Decree to establish scienter because it put "Facebook on notice" that "its representations concerning its privacy practice needed to be completely accurate." Pl. Opp. at 26. Plaintiffs use In re Enron Corp. Sec., Deriv. & ERISA Litig., 235 F.Supp.2d 549 (S.D. Tex. 2002) to support this. However, there, the court mentioned the SEC Consent Decree in conjunction with many other factors; this combination gave rise to a strong inference of scienter. Id. at 706. The SEC Consent Decree alone was not enough to infer scienter and, likewise here, the FTC Consent Decree alone is insufficient to infer scienter as Plaintiffs have provided no particularized facts from which this Court can infer Sandberg consciously lied.

For these reasons, the Court finds that Plaintiffs fail to plead scienter as to Statement 22 as required by the PSLRA and so this Court GRANTS Defendants' motion to dismiss as to Statement 22.15

Plaintiffs also bring claims for violations of Sections 20(a) and (A) of the Exchange Act. Both these claims, however, depend on a primary violation of Section 10(b) or Rule 10b-5. Lipton v. Pathogenesis Corp., 284 F.3d 1027, 1035 n.15 (9th Cir. 2002) ("[T]o prevail on their claims for violations of § 20(a) and § 20A, plaintiffs must first allege a violation of § 10(b) or Rule 10b 5."). Because the Court determines Plaintiffs' claim under Section 10(b) and Rule 10b-5 fail, Defendants motion to dismiss these claims is also GRANTED.

IV. LEAVE TO AMEND

When dismissing a complaint for failure to state a claim, a court should grant leave to amend "unless it determines that the pleading could not possibly be cured by the allegation of other facts." Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). Although the Court has determined that Plaintiffs fail to state a claim, it is possible Plaintiffs can cure their allegations by alleging, among other things, more particular facts as to why statements by the Individual Defendants were false when made. Accordingly, because Plaintiffs may salvage their Complaint, the Court finds amendment would not be futile. Plaintiffs' claims are therefore dismissed with leave to amend.

V. CONCLUSION

Defendants' motion to dismiss Plaintiffs' Complaint in its entirety is GRANTED with leave to amend. Should Plaintiffs choose to file an amended complaint, they must do so by October 26, 2019. Failure to do so, or failure to cure the deficiencies addressed in this Order, will result in dismissal of Plaintiffs' claims with prejudice. Plaintiffs may not add new claims or parties without leave of the Court or stipulation by the parties pursuant to Federal Rule of Civil Procedure 15.

IT IS SO ORDERED.