Privacy Claims Against GitHub Fail

ARGUMENT

VI. PLAINTIFFS’ PRIVACY CLAIMS AGAINST GITHUB FAIL.

Plaintiffs attempt to claim that GitHub invaded their privacy (Counts VIII, IX, and X) at the same time that the overall thrust of the Complaint is a failure to publicly attribute their identity to code. The Complaint does not identify any specific privacy-related provision of any alleged contract that was violated or how; does not allege a data breach that could yield liability under the California Consumer Privacy Act (“CCPA”); and does not identify any personal data that was negligently handled nor how that occurred. As noted in Part I.B, supra, no facts in the Complaint explain how Plaintiffs were harmed by any privacy-based conduct by GitHub.

Whatever privacy-based claim Plaintiffs purport to advance, at a minimum they must provide a description of the PII at issue and a plausible allegation of some conduct in connection with that PII. Plaintiffs fail to provide those basics. See Compl. ¶¶ 215-39. The Complaint uses the conclusory terms “personal data,” “personal information,” and “PII” in describing Plaintiffs’ claims, e.g., Compl. ¶¶ 220, 228-29, but never defines those terms or specifies the actual data types discussed. Similarly, the Complaint insinuates that GitHub is collecting, distributing, using, or selling such information, but does so without alleging any facts. See Compl. ¶¶ 220, 229-33, 236-37. Plaintiffs never identify which personal information is involved, how it is captured, shared, sold, or otherwise distributed, or how any of this has resulted or is likely to result in concrete injury. Plaintiffs thus fail to provide basic notice of their claims for breach of GitHub’s Privacy Policy, violation of the CCPA, or negligence, necessitating dismissal.

The CCPA claim, moreover, faces a particularly demanding standard that Plaintiffs do not even attempt to satisfy. The CCPA provides a limited private right of action. See Cal. Civ. Code § 1798.150. It allows a private claim only if a consumer’s “nonencrypted or nonredacted personal information, as defined in [§ 1798.81.5(d)(1)(A)], is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” It is thus § 1798.81.5(d)(1)(A)—not § 1798.140(o)(1), as Plaintiffs allege, Compl. ¶ 228—that defines personal information for purposes of a CCPA claim. That provision defines such information as last name and first name or first initial, plus one or more of a social security number, driver’s license or similar number, account number or card number with access code or password that would give access to a financial account, medical information, health insurance information, biometric data, or genetic data. See Cal. Civ. Code § 1798.81.5(d). Plaintiffs’ allegations of misuse of unspecified PII are not actionable under § 1798.150, because Plaintiffs fail to plead any facts regarding data security or theft of the specified categories of data that could support a CCPA claim. Simply parroting the language of the statute is not enough to plausibly plead a claim, see Cork v. CC-Palo Alto, Inc., 534 F. Supp. 3d 1156, 1183 (N.D. Cal. 2021), and that is particularly true here where the facts described in the Complaint regarding training a machine learning model on publicly available data appears to be far afield from the ordinary fact patterns in data breach cases.