Github Motion to dismiss Court Filing, retrieved on January 26, 2023 is part of HackerNoon’s Legal PDF Series. You can jump to any part in this filing here. This part is 24 of 26.
VI. PLAINTIFFS’ PRIVACY CLAIMS AGAINST GITHUB FAIL.
Plaintiffs attempt to claim that GitHub invaded their privacy (Counts VIII, IX, and X) at the same time that the overall thrust of the Complaint is a failure to publicly attribute their identity to code. The Complaint does not identify any specific privacy-related provision of any alleged contract that was violated or how; does not allege a data breach that could yield liability under the California Consumer Privacy Act (“CCPA”); and does not identify any personal data that was negligently handled nor how that occurred. As noted in Part I.B, supra, no facts in the Complaint explain how Plaintiffs were harmed by any privacy-based conduct by GitHub.
Whatever privacy-based claim Plaintiffs purport to advance, at a minimum they must provide a description of the PII at issue and a plausible allegation of some conduct in connection with that PII. Plaintiffs fail to provide those basics. See Compl. ¶¶ 215-39. The Complaint uses the conclusory terms “personal data,” “personal information,” and “PII” in describing Plaintiffs’ claims, e.g., Compl. ¶¶ 220, 228-29, but never defines those terms or specifies the actual data types discussed. Similarly, the Complaint insinuates that GitHub is collecting, distributing, using, or selling such information, but does so without alleging any facts. See Compl. ¶¶ 220, 229-33, 236-37. Plaintiffs never identify which personal information is involved, how it is captured, shared, sold, or otherwise distributed, or how any of this has resulted or is likely to result in concrete injury. Plaintiffs thus fail to provide basic notice of their claims for breach of GitHub’s Privacy Policy, violation of the CCPA, or negligence, necessitating dismissal.
The CCPA claim, moreover, faces a particularly demanding standard that Plaintiffs do not even attempt to satisfy. The CCPA provides a limited private right of action. See Cal. Civ. Code § 1798.150. It allows a private claim only if a consumer’s “nonencrypted or nonredacted personal information, as defined in [§ 1798.81.5(d)(1)(A)], is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” It is thus § 1798.81.5(d)(1)(A)—not § 1798.140(o)(1), as Plaintiffs allege, Compl. ¶ 228—that defines personal information for purposes of a CCPA claim. That provision defines such information as last name and first name or first initial, plus one or more of a social security number, driver’s license or similar number, account number or card number with access code or password that would give access to a financial account, medical information, health insurance information, biometric data, or genetic data. See Cal. Civ. Code § 1798.81.5(d). Plaintiffs’ allegations of misuse of unspecified PII are not actionable under § 1798.150, because Plaintiffs fail to plead any facts regarding data security or theft of the specified categories of data that could support a CCPA claim. Simply parroting the language of the statute is not enough to plausibly plead a claim, see Cork v. CC-Palo Alto, Inc., 534 F. Supp. 3d 1156, 1183 (N.D. Cal. 2021), and that is particularly true here where the facts described in the Complaint regarding training a machine learning model on publicly available data appears to be far afield from the ordinary fact patterns in data breach cases.
Continue Reading Here.
About HackerNoon Legal PDF Series: We bring you the most important technical and insightful public domain court case filings.
This court case 4:22-cv-06823-JST retrieved on September 11, 2023, from documentcloud.org is part of the public domain. The court-created documents are works of the federal government, and under copyright law, are automatically placed in the public domain and may be shared without legal restriction.