`
`
`Ann Marie Mortimer (State Bar No. 169077)
`amortimer@HuntonAK.com
`Jason J. Kim (State Bar No. 221476)
`kimj@HuntonAK.com
`Jeff R. R. Nelson (State Bar No. 301546)
`jnelson@HuntonAK.com
`HUNTON ANDREWS KURTH LLP
`550 South Hope Street, Suite 2000
`Los Angeles, California 90071-2627
`Telephone: (213) 532-2000
`Facsimile: (213) 532-2020
` Attorneys for Plaintiff
`FACEBOOK, INC.
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`SAN FRANCISCO DIVISION
`
`
`
` CASE NO.: 3:20-cv-01461
`FACEBOOK, INC., a Delaware
`corporation,
` COMPLAINT; DEMAND FOR
`
`Plaintiff,
`JURY TRIAL
`
`v.
` ONEAUDIENCE LLC,
`
`Defendant.
`
`
`
`
`
`
`
`
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`3:20-cv-01461
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 2 of 37
`
`
`INTRODUCTION
`1.
`Beginning no later than September 2019, Defendant OneAudience LLC
`(“OneAudience”) controlled a software development kit (“SDK”) designed to
`improperly obtain user data from Facebook, Google, and Twitter (“the malicious
`SDK”). OneAudience promoted the malicious SDK to third-party application (“app”)
`developers, who – in exchange for payment from OneAudience – bundled the malicious
`SDK with other software components within their apps. These apps were distributed
`online to app users on various app stores, including the Google Play Store, and included
`shopping, gaming, and utility-type apps. After a user installed one of these apps on
`their device, the malicious SDK enabled OneAudience to collect information about the
`user from their device and their Facebook, Google, or Twitter accounts, in instances
`where the user logged into the app using those accounts. With respect to Facebook,
`OneAudience used the malicious SDK – without authorization from Facebook – to
`access and obtain a user’s name, email address, locale (i.e. the country that the user
`logged in from), time zone, Facebook ID, and, in limited instances, gender.
`2.
`In November 2019, Facebook took technical and legal enforcement
`measures against OneAudience, including disabling accounts, sending a cease and
`desist letter, notifying users, and requesting an audit, pursuant to Facebook Platform
`Policy 7.9. OneAudience has refused to fully cooperate with Facebook’s audit request,
`therefore Facebook brings this action to protect its users and hold OneAudience
`accountable for violations of Facebook’s Terms of Service and Policies, as well as
`federal and California law.
`PARTIES
`3.
`Facebook is a Delaware corporation with its principal place of business in
`Menlo Park, San Mateo County, California.
`Defendant OneAudience is a New Jersey company that purports to provide
`4.
`marketing and data analytics solutions. Ex. 1 & 2. OneAudience collected user data in
`order to provide services to advertisers and other marketing companies. Ex. 2.
`
`1
`
` 3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 3 of 37
`
`
` OneAudience has an office located at 222 Bridge Plaza South, Fort Lee,
`5.
`New Jersey. Ex. 1. Between at least 2017 to 2019, one or more OneAudience
`employees created and administered at least one Facebook Page and app on behalf of
`OneAudience.
`JURISDICTION AND VENUE
`6.
`The Court has federal question jurisdiction over the federal causes of
`action alleged in this Complaint pursuant to 28 U.S.C. § 1331.
`7.
`The Court has supplemental jurisdiction under 28 U.S.C. § 1367 over the
`state law causes of action alleged in this Complaint because they arise out of the same
`nucleus of operative fact as Facebook’s federal claims.
`8.
`In addition, the Court has jurisdiction under 28 U.S.C. § 1332 over all
`causes of action alleged in this Complaint because complete diversity exists and the
`amount in controversy exceeds $75,000.
`9.
`The Court has personal jurisdiction over OneAudience because it
`knowingly directed and targeted its scheme at Facebook, which has its principal place
`of business in California. Defendants also used Facebook’s developer and advertising
`platforms, and transacted business using Facebook, and otherwise engaged in
`commerce in California.
`10. The Court also has personal jurisdiction over OneAudience because
`OneAudience used the Facebook Platform and thereby agreed to Facebook’s Terms of
`Service (“TOS”). By agreeing to the TOS, OneAudience, in relevant part, agreed to
`submit to the personal jurisdiction of this Court for litigating claims, causes of action,
`or disputes with Facebook.
`11. Venue is proper in this District under 28 U.S.C. § 1391(b) because a
`substantial part of the events giving rise to the claims asserted in this lawsuit occurred
`here. 12. Pursuant to Civil L.R. 3-2(c), this case may be assigned to either the San
`Francisco or Oakland division because Facebook is located in San Mateo County.
`
`2
`
` 3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 4 of 37
`
`
`FACTUAL ALLEGATIONS
`A. Background
`13. Facebook is a social networking website and mobile application that
`enables its users to create their own personal profiles and connect with each other on
`mobile devices and personal computers. As of October 2019, Facebook daily active
`users averaged 1.62 billion and monthly active users averaged 2.44 billion.
`14. Facebook also operates a developer platform referred to as the “Facebook
`Platform.” This platform enables app developers (“Developers”) to run apps that
`interact with Facebook and Facebook users.
`15. Facebook permits Developers to access and interact with the Facebook
`Platform, subject to and restricted by Facebook’s TOS and Platform Policies.1
`B. Facebook’s TOS
`16. All Facebook users, including Developers and Page administrators, agree
`to comply with Facebook’s TOS when they create a Facebook account. Everyone who
`Facebook must
`agree
`to
`Facebook’s
`TOS
`(available
`at
`uses
`https://www.facebook.com/terms.php), and other rules that govern different types of
`access to, and use of, Facebook. These other rules include Facebook’s Community
`Standards (available at https://www.facebook.com/communitystandards/), Platform
`Policies (available at https://developers.facebook.com/policy/), and Facebook’s
`Commercial Terms (available at https://www.facebook.com/legal/commercial_terms).
`17. Section 2.3 of the TOS prohibits accessing or collecting data using
`automated means (without Facebook’s prior permission) or attempting to access data
`without permission.
`
`Over the years, the “Platform Policies” have been called the “Developer Principles and
`1
`Policies,” the “Platform Guidelines,” or the “Developer Terms of Service.” For simplicity, this
`Complaint uses the term “Platform Policies” to refer to these policies.
`
`3
`
` 3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 5 of 37
`
`
`18. Section 3.2 of the TOS prohibits using Facebook to do anything that
`“violates these Terms, and other terms and policies,” and that “is unlawful, misleading,
`discriminatory or fraudulent.”
`C. Platform Policies
`19. All Developers operating on the Facebook Platform agree to the Platform
`Policies. 20. The Platform Policies impose obligations and restrictions on Developers,
`including that Developers must obtain consent from the users of their apps before they
`can access their users’ data on Facebook. The Platform Policies largely restrict
`Developers from using Facebook data outside of the environment of the app, for any
`purpose other than enhancing the app users’ experience on the app.
`21. Through the Policies, Developers agree that Facebook can audit their apps
`to ensure compliance with the Platform Policies and other Facebook policies. Further,
`Developers agree to provide proof of such compliance if Facebook so requests.
`Developers agree to the Platform Policies at the time they first sign up to the Platform,
`and continue to agree to the Platform Policies as a condition of using the Facebook
`Platform. Over time, these Platform Policies have imposed substantially the same
`restrictions on the use and collection of Facebook data.
`22. The relevant Platform Policies include:
` “Don’t sell, license, or purchase any data obtained from us or our services.”
`Facebook Section 2.9.
` “Don’t directly or indirectly transfer any data that you receive from us
`(including anonymous, aggregate, or derived data) to any ad network, data
`broker or other advertising or monetization-related service.” Section 2.10.
` “[Facebook] or an independent auditor acting on our behalf may audit your
`app, systems, and records to ensure your use of Platform and data you receive
`from us is safe and complies with our Terms, and that you've complied with
`our requests and requests from people who use Facebook to delete user data
`
`4
`
`3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 6 of 37
`
`obtained through our Platform. If requested, you must provide proof that your
`app complies with our terms.” Section 7.9.
` “Comply with all applicable laws and regulations.” Section 5.8.
`D. OneAudience Agreed to Facebook’s TOS and Platform Policies.
`23. OneAudience created two public Facebook Pages—a profile on Facebook
`used to promote a business or other commercial, political, or charitable organization or
`endeavor—on or about March 31, 2016 and January 5, 2017. OneAudience also created
`a Facebook business account on or about July 13, 2016. At all relevant times,
`OneAudience was a Facebook user that agreed to and was bound by the TOS.
`24. Between approximately 2017 and 2019, OneAudience’s employees and
`agents created and operated at least two apps on behalf of OneAudience on the
`Facebook Platform. OneAudience’s employees and agents accepted and agreed to be
`bound by the Platform Policies on behalf of OneAudience. These apps did not contain
`the malicious SDK.
`E. The “Facebook Login” Feature.
`25. “Facebook Login” is a feature available to Facebook users, which lets them
`log into third-party mobile and desktop apps using their Facebook login credentials.
`Facebook Login allows users to customize and optimize their online experiences and to
`create accounts with third-party apps without having to set multiple usernames and
`passwords. In turn, these third-party web apps can use the Facebook Login feature for
`user authentication and to enhance a user’s experience on the app.
`26. Third-party app developers create independent web-based mobile and
`desktop apps. In order to use the Facebook Login feature on their apps, third-party apps
`developers must have a Facebook account and register a developer account with
`Facebook. In doing so, they must agree to Facebook’s TOS and Platform Policies.
`27. The Facebook Login feature protects Facebook users’ credentials and
`information in several ways. First, when users provide their credentials for the purpose
`of logging into the third-party app using the Facebook Login feature, those credentials
`
`5
`3:20cv01461
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 7 of 37
`
`
`are communicated only to Facebook’s servers, not to the servers of the app. When a
`user logs into an app using Facebook Login, the user is assigned a unique identifying
`digital key or token for the specific app, which authenticates the user to Facebook
`computers (the digital key). The digital key allowed the user to access the app without
`having to enter his or her credentials on every occasion and, in turn, allowed the app to
`access the user’s data on Facebook with the user’s consent.
`28. Second, before any user’s public Facebook profile information is sent to
`the app for verification purposes, the user must first provide consent through a custom
`dialogue box that asks whether the user wants to share the information that the app has
`requested. F. OneAudience Used the Malicious SDK to Obtain Facebook User Data
`Without Facebook’s Authorization.
`29. OneAudience used the malicious SDK in order to access and obtain user
`data from Facebook, without Facebook’s authorization.
`30. The malicious SDK was programmed to collect the digital key that
`Facebook assigned exclusively to a third-party app for a single user. OneAudience used
`the misappropriated digital key to make automated requests for data from Facebook.
`OneAudience misrepresented the source of those requests as the third-party app
`authorized to use the digital key. In fact, it was the malicious SDK that made the
`requests on behalf of OneAudience.
`31. OneAudience caused the malicious SDK to send requests for the users’
`name, locale (i.e., the country that the user logged in from), time zone, email address,
`Facebook ID, and gender. Ex. 3. Facebook’s technical restrictions prevented
`OneAudience from accessing any user data that the user had not authorized the app to
`obtain. For example, if a user had not authorized the app to access gender information,
`Facebook computers denied the malicious SDK’s request for the app user’s gender.
`32. OneAudience caused the malicious SDK to send unauthorized requests (or
`API calls) for user data to Facebook computers in approximately 24-hour intervals. In
`
`6
`
`3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 8 of 37
`
`
`instances where the malicious SDK was able to fraudulently obtain Facebook data, it
`was programmed to send that data to a remote server controlled by OneAudience using
`the domain api.oneaudience.com/api/devices. Ex. 4 & 5.
`33. OneAudience also caused the malicious SDK to collect data from the
`user’s device. The collection of that information was unrelated to Facebook.
`OneAudience collected call logs, cell tower and other location information, contacts,
`browser information, email, and information about apps installed on the device. Ex. 6
`– 11. 34. On information and belief, OneAudience compiled the data they harvested
`from the user’s device and Facebook (and other services) in order to provide marketing
`services to their customers.
`35. On its website, OneAudience falsely represented that OneAudience and its
`parent company, Bridge Company, were partners with Facebook. OneAudience’s
`website also falsely represented that it was “committed to the transparency of [their]
`mobile driven audiences and relationships” and sourced “data responsibly.” In fact,
`OneAudience did not obtain data through any partnerships with Facebook and instead
`obtained data through the malicious SDK.
`G. Facebook’s Enforcement and Request for an Audit Pursuant to the
`Platform Policies.
`36.
`In November 2019, Facebook took technical and legal enforcement
`measures against OneAudience, including disabling apps, sending a cease and desist
`letter, notifying users, and requesting an audit, pursuant to Facebook Platform Policy
`7.9. 37. On or about November 21, 2019, Facebook sent OneAudience a cease and
`desist letter (“C&D”). The C&D letter informed OneAudience that it had violated
`Facebook’s TOS and Platform Policies, including selling data obtained from Facebook
`and accessing and collecting information in unauthorized ways, including collecting
`information in an automated way without Facebook’s express permission.
`
`7
`
`3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 9 of 37
`
`38. Among other things, the C&D letter demanded that OneAudience:
`a. Provide a full accounting of any Facebook user data in their possession;
`b. Identify all of the apps that had installed the malicious SDK;
`c. Provide a copy of the software code used to interact with Facebook; and
`d. Delete and destroy all Facebook user data and provide evidence and
`documentation verifying that this had taken place.
`39. Between November 26, 2019, to January 31, 2020, OneAudience provided
`limited responses to Facebook’s requests for information, but maintained that it would
`comply with the requests for information and request for an audit on an ongoing basis.
`40.
`In its correspondence, OneAudience also represented that it had
`“inadvertently” engaged in unauthorized API call activity to acquire data from
`Facebook. OneAudience claimed that the malicious SDK had been developed by a
`company called AppJolt, which did not disclose the existence or functionality of the
`malicious SDK to OneAudience. This claim is inconsistent with publicly available
`information about AppJolt and OneAudience. Specifically, AppJolt was acquired by
`OneAudience’s parent company, Bridge Marketing, and the founder of AppJolt became
`the founder of OneAudience. OneAudience had access to the malicious SDK and its
`developer since at least 2016.
`41.
` OneAudience further claimed that the data collected by the malicious
`SDK had been deleted on a regular basis from OneAudience’s data systems (even
`though it had been purportedly collected without OneAudience’s knowledge).
`42. On January 23, 2020, Facebook requested a telephone interview with
`relevant OneAudience employees to verify OneAudience’s representations. On or about
`January 31, 2020, OneAudience refused Facebook’s request for an interview.
`H. OneAudience’s Unlawful Acts Have Caused Facebook Substantial Harm.
`43. OneAudience’s breaches of Facebook’s Terms and Policies and other
`misconduct described above have harmed Facebook, including by negatively impacting
`Facebook’s service.
`
`8
`
`3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 10 of 37
`
`
`44. OneAudience’s misconduct has caused Facebook to spend resources
`investigating and redressing OneAudience’s wrongful conduct. Facebook has suffered
`damages attributable to the efforts and resources it has used to investigate, address, and
`mitigate the matters set forth in this Complaint.
`45. OneAudience has been unjustly enriched by its activities at the expense of
`Facebook.
`FIRST CAUSE OF ACTION
`(Breach of Contract)
`46. Facebook incorporates all other paragraphs as if fully set forth herein.
`47. OneAudience agreed and became bound by Facebook’s TOS and Platform
`Policies when it created various Facebook Pages and apps.
`48. OneAudience breached these agreements with Facebook by taking the
`actions described above in violation of TOS 2.3, 3.2 and Platform Policies 2.9, 2.10, 5.8
`and 7.9. 49. Facebook has performed all conditions, covenants, and promises required
`of it in accordance with its agreements with OneAudience.
`50. OneAudience’s breaches have caused Facebook to incur damages,
`including the expenditure of resources to investigate and respond to OneAudience’s
`fraudulent scheme and unauthorized access.
`SECOND CAUSE OF ACTION
`(Violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, et seq.)
`51. Facebook incorporates all other paragraphs as if fully set forth herein.
`52. Facebook’s computer network is comprised of protected computers
`involved in interstate and foreign commerce and communication as defined by 18
`U.S.C. § 1030(e)(2).
`53. OneAudience knowingly and with intent to defraud, accessed Facebook’s
`computer network without Facebook’s authorization. Namely, OneAudience used the
`malicious SDK to infect the app users’ devices and obtain a digital key, without
`
`9
`
`3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`12345678910111213141516171819202122232425262728
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 11 of 37
`
`
`Facebook’s authorization, to make API calls to Facebook protected computers while
`purporting to be a third-party app.
`54. OneAudience violated 18 U.S.C. § 1030(a)(2) because it intentionally
`accessed and caused to be accessed Facebook protected computers improperly using
`misappropriated digital keys.
`55.
`In violation of 18 U.S.C. § 1030(a)(4), OneAudience knowingly and with
`intent to defraud accessed Facebook’s protected computers, by sending unauthorized
`commands, namely, API calls with stolen digital keys. These API calls purported to
`originate from third-party apps, but in fact originated from OneAudience’s malicious
`SDK. These commands were directed to Facebook’s computer network for the purpose
`of obtaining data from Facebook without authorization and furthering OneAudience’s
`data harvesting scheme, and obtaining anything of value, including revenue, customers,
`and user data.
`56. OneAudience’s conduct has caused a loss to Facebook during a one-year
`period in excess of $5,000.
`57. OneAudience’s actions caused Facebook to incur losses and other
`economic damages, including the expenditure of resources to investigate and respond
`to OneAudience’s fraudulent scheme and unauthorized access.
`58. Facebook suffered damages as a result of these violations.
`THIRD CAUSE OF ACTION
`(California Penal Code § 502)
`59. Facebook incorporates all other paragraphs as if fully set forth herein.
`60. OneAudience knowingly accessed and without permission otherwise used
`Facebook’s data, computers, computer system, and computer network in order to (A)
`devise or execute any scheme or artifice to defraud and deceive, and (B) to wrongfully
`control or obtain money, property, or data, in violation of California Penal Code §
`502(c)(1).
`
`10
`
`3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 12 of 37
`
`
`61. OneAudience knowingly accessed and without permission took data from
`Facebook’s computers, computer systems, and/or computer networks in violation of
`California Penal Code § 502(c)(2).
`62. OneAudience knowingly and without permission used or caused to be used
`Facebook’s computer services in violation of California Penal Code § 502(c)(3).
`63. OneAudience knowingly and without permission accessed or caused to be
`accessed Facebook’s computers, computer systems, and/or computer networks in
`violation of California Penal Code § 502(c)(7).
`64. Because Facebook suffered damages and a loss as a result of
`OneAudience’s actions and continues to suffer damages as result of OneAudience’s
`actions (including those described above), Facebook is entitled to compensatory
`damages, attorney’s fees, and any other amount of damages to be proven at trial, as well
`as injunctive relief under California Penal Code § 502(e)(1) and (2).
`65. Because OneAudience willfully violated Section 502, and there is clear
`and convincing evidence that OneAudience committed “fraud” as defined by Section
`3294 of the Civil Code, Facebook entitled to punitive and exemplary damages under
`California Penal Code § 502(e)(4). PRAYER FOR RELIEF
`Facebook seeks judgment awarding the following relief:
`1.
`That the Court enter judgment against Defendant that Defendant has:
`a. Breached its contract with Facebook, in violation of California law;
`b. Violated the Computer Fraud and Abuse Act, in violation of 18 U.S.C.
`§ 1030;
`c. Violated the California Comprehensive Computer Data Access and
`Fraud Act, in violation of California Penal Code § 502.
`That the Court enter a permanent injunction:
`a. Ordering Defendant to comply with Platform Policy 7.9 and respond,
`fully and accurately, to Facebook’s requests for information and proof
`
`11
`
`3:20cv01461
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`2.
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`of compliance with Facebook’s Policies, including a forensic data
`audit;
`b. Barring Defendant from accessing or attempting to access Facebook’s
`website and computer systems;
`c. Barring Defendant from creating or maintaining any Facebook
`accounts in violation of Facebook’s TOS and Platform Policies;
`d. Barring Defendant from engaging in any activity to defraud Facebook
`or its users; and
`e. Barring Defendant from engaging in any activity, or facilitating others
`to do the same, that violates Facebook’s TOS and Platform Policies, or
`other related policies referenced herein.
`3.
`That Facebook be awarded damages, including, but not limited to,
`compensatory, statutory, and punitive damages, as permitted by law and in such
`amounts to be proven at trial.
`That Facebook be awarded a recovery in restitution equal to any unjust
`4.
`enrichment enjoyed by Defendant.
`5.
`That Facebook be awarded its reasonable costs, including reasonable
`attorneys’ fees.
`6.
`That Facebook be awarded pre- and post-judgment interest as allowed by
`law.
`/ / /
`/ / /
`/ / /
`/ / /
`/ / /
`/ / /
`/ / /
`/ / /
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 13 of 37
`
`
`
`12
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`3:20cv01461
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 14 of 37
`
`
`That the Court grant all such other and further relief as the Court may deem
`7.
`just and proper.
`
`Dated: February 27, 2020
`HUNTON ANDREWS KURTH LLP
`
`By: /s/ Ann Marie Mortimer
`
`
`Ann Marie Mortimer
`Jason J. Kim
`Jeff R. R. Nelson
`Attorneys for Plaintiff
`FACEBOOK, INC.
`Platform Enforcement and
`Litigation
`Facebook, Inc.
`Jessica Romero
`Michael Chmelar
`Olivia Gonzalez
`
`
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`
`
`
`
`
`
`13
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`
`
`3:20-cv-01461
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 15 of 37
`
`
`DEMAND FOR JURY TRIAL
`Plaintiff hereby demands a trial by jury on all issues triable to a jury.
`
`Dated: February 27, 2020
`HUNTON ANDREWS KURTH LLP
`
`By: /s/ Ann Marie Mortimer
`
`
`Ann Marie Mortimer
`Jason J. Kim
`Jeff R. R. Nelson
`Attorneys for Plaintiff
`FACEBOOK, INC.
`Platform Enforcement and
`Litigation
`Facebook, Inc.
`Jessica Romero
`Michael Chmelar
`Olivia Gonzalez
`
`
`
`
`
`
`099900.12852 EMF_US 77547286v1
`
`14
`
`COMPLAINT; DEMAND FOR JURY TRIAL
`
`
`
`3:20-cv-01461
`
`12345678910111213141516171819202122232425262728
`
`Los Angeles, California 90071-2627
`550 South Hope Street, Suite 2000
`Hunton Andrews Kurth LLP
`
`
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 16 of 37
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 16 of 37
`
`EXHIBIT 1
`
`EXHIBIT 1
`
`15
`
`15
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 17 of 37
`EN
`02/19/2020 - oneaudience.com/privacy as on 2019-08-23 via archive.org
`
`• 0 •
`
`(3 Privacy Policy - oneAudience
`
`X
`
`C
`
`a web.archive.org/web/20190823024606/http://www.oneaudience.com/privacy/
`
`http://www.oneaudience.com/privacy/
`
`43 captures
`
`5 Feb 2017 - 23 Aug 2019
`
`a* ono
`
`Go
`
`JUL AUG SEP
`23
`
`2018 2019 202
`
`61 11
`
`IIIi
`0 0 01
`111
`
`About this capture
`
`oneAud ience
`
`DEVELOPERS INSIGHTS
`
`GET STARTED
`
`LOGIN
`
`BACK] [ EULA
`
`OPT-OUT
`
`12. Contacting Us About Privacy Questions or
`Concerns
`
`If you have any questions regarding our Privacy
`
`Policy, or in the event that you wish to verify which
`
`of your Personal Information we have collected,
`
`please contact us at privacy@oneaudience.com or
`by mailing us at:
`
`oneAudience
`
`222 Bridge Plaza South
`
`=art Lee, NJ 07024
`
`
`
`
`
`16
`
`
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 18 of 37
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 18 of 37
`
`EXHIBIT 2
`
`EXHIBIT 2
`
`17
`
`17
`
`
`
`Case 4:20-cv-01461-KAW Document 1 Filed 02/27/20 Page 19 of 37
`What We Collect
`As detailed in our permission screen, our SDK collects the following PII if user permits:
`
`• Advertising ID:(cid:3)(cid:48)(cid:82)(cid:69)(cid:76)(cid:79)(cid:72)(cid:3)(cid:36)(cid:71)(cid:89)(cid:72)(cid:85)(cid:87)(cid:76)(cid:86)(cid:76)(cid:81)(cid:74)(cid:3)(cid:918)(cid:71)(cid:72)(cid:81)(cid:87)(cid:76)(cid:564)(cid:70)(cid:68)(cid:87)(cid:76)(cid:82)(cid:81)
`• Carrier: The devices carrier
`• Device Language: Language preference on the user’s device
`• Device Manufacturer: The manufacturer of the device such as samsung, sony, HTC
`• Device Model: The model of the device such as Samsung 8, iPhone 6S
`• Location: The latitude and longitude of the device
`• Hashed Email: The hashed email to identify a real device and prevent mobile fraud
`• User Platform: User’s device platform such as Android, iOS, Blackberry, Windows, other
`
`How the Data is Used
`
`SOK
`
`Embed SDK into 3rd
`party mobile apps.
`
`O
`
`(cid:56)(cid:86)(cid:72)(cid:85)(cid:3)(cid:70)(cid:82)(cid:81)(cid:564)(cid:85)(cid:80)(cid:86)(cid:3)(cid:40)(cid:81)(cid:71)(cid:3)(cid:56)(cid:86)(cid:72)(cid:85)(cid:3)(cid:47)(cid:76)(cid:70)(cid:72)(cid:81)(cid:86)(cid:72)(cid:3)
`(cid:36)(cid:74)(cid:85)(cid:72)(cid:72)(cid:80)(cid:72)(cid:81)(cid:87)(cid:3)(cid:68)(cid:81)(cid:71)(cid:3)(cid:54)(cid:39)(cid:46)(cid:3)(cid:76)(cid:71)(cid:72)(cid:81)(cid:87)(cid:76)(cid:564)(cid:72)(cid:86)(cid:3)
`mobile info including:
`• Mobile Ad ID
`•
`App Ownership
`•
`Location
`•
`Hashed Emails
`•
`Device Make & Model
`
`Overlay SDK/EMAIL/ONLINE
`data to identify individuals
`
`Create audience from
`mobile data
`
`(cid:36)(cid:79)(cid:79)(cid:3)(cid:82)(cid:73)(cid:3)(cid:82)(cid:88)(cid:85)(cid:3)(cid:71)(cid:68)(cid:87)(cid:68)(cid:3)(cid:76)(cid:86)(cid:3)(cid:83)(cid:72)(cid:85)(cid:80)(cid:76)(cid:86)(cid:86)(cid:76)(cid:82)(cid:81)(cid:16)(cid:69)(cid:68)(cid:86)(cid:72)(cid:71)(cid:3)(cid:68)(cid:81)(cid:71)(cid:3)(cid:73)(cid:88)(cid:79)(cid:79)(cid:92)(cid:16)(cid:70)(cid:82)(cid:80)(cid:83)(cid:79)(cid:76)(cid:68)(cid:81)(cid:87)(cid:15)(cid:3)(cid:80)(cid:72)(cid:68)(cid:81)(cid:76)(cid:81)(cid:74)(cid:3)(cid:76)(cid:87)(cid:519)(cid:86)(cid:3)(cid:69)(cid:72)(cid:72)(cid:81)(cid:3)(cid:70)(cid:82)(cid:81)(cid:564)(cid:85)(cid:80)(cid:72)(cid:71)(cid:3)(cid:69)(cid:92)(cid:3)(cid:87)(cid:75)(cid:72)(cid:3)(cid:88)(cid:86)(cid:72)(cid:85)(cid:3)(cid:87)(cid:82)(cid:3)
`access and collect his or her personal data. We are also transparent in our terms and conditions
`and privacy policy so the user is aware of what is being collected and how it is being used. The user
`(cid:75)(cid:68)(cid:86)(cid:3)(cid:87)(cid:75)(cid:72)(cid:3)(cid:73)(cid:85)(cid:72)(cid:72)(cid:71)(cid:82)(cid:80)(cid:3)(cid:87)(cid:82)(cid:3)(cid:82)(cid:83)(cid:87)(cid:3)(cid:76)(cid:81)(cid:3)(cid:82)(cid:85)(cid:3)(cid:82)(cid:83)(cid:87)(cid:3)(cid:82)(cid:88)(cid:87)(cid:3)(cid:68)(cid:87)(cid:3)(cid:68)(cid:81)(cid:92)(cid:3)(cid:83)(cid:82)(cid:76)(cid:81)(cid:87)(cid:3)(cid:90)(cid:76)(cid:87)(cid:75)(cid:82)(cid:88)(cid:87)(cid:3)(cid:68)(cid:909)(cid:72)(cid:70)(cid:87)(cid:76)(cid:81)(cid:74)(cid:3)(cid:75)(cid:76)(cid:86)(cid:3)(cid:82)(cid:85)(cid:3)(cid:75)(cid:72)(cid:85)(cid:3)(cid:68)(cid:70)(cid:70)(cid:72)(cid:86)(cid:86)(cid:3)(cid:87)(ci