In brief
In Esparza v. Kohlâs, Inc., Plaintiff brought a putative class action accusing Kohlâs of allowing a third party to unlawfully eavesdrop on him while he had a brief conversation with an agent on a chat feature on Kohlâs website.
Kohlâs moved to dismiss all claims, but the United States District Court for the Southern District of California granted the motion only as to the claims for violation of the California Constitution and intrusion upon seclusion. The court allowed Plaintiffâs claims under the California Invasion of Privacy Act (CIPA) and the California Computer Data Access and Fraud Act (CDAFA), to move forward.
This decision is significant because it confirms that sharing electronic data with third-party applications or service providers without the website visitorâs consent creates a risk of lawsuits and potential liability for website defendants in states that require all parties to consent to interception of communications.
Contents
Background
Plaintiff Miguel Esparza is a California resident who visited Defendant Kohlâs, Inc.âs (âKohlâsâ) website and had a brief conversation with an agent through the websiteâs chat feature. He alleged in his first amended complaint that Kohlâs allowed a third party, Ada Support Inc. (ASI), to embed its chat technology code into the chat feature offered on Kohlâs website to enable eavesdropping. He further asserts that ASIâs alleged malware tools secretly installed a âpersistent cookieâ on usersâ devices and de-anonymized website visitors. Plaintiff also claimed that, after he used the websiteâs chat feature, Kohlâs obtained his personal Information and embedded his identity into the malware companiesâ database, which the malware companies share with companies that purchase their products.
Plaintiff asserted claims for: (1) violation of the CIPA, (2) violation of the CDAFA, (3) invasion of privacy, and (4) intrusion upon seclusion. Kohlâs moved to dismiss all claims pursuant to Federal Rule of Civil Procedure 12(b)(6).
CIPA section 631(a), Clause Two imposes liability on anyone âwho willfully and without the consent to all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place withinâ California.
CIPA section 631(a), Clause Three imposes liability on anyone âwho uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained . . .â
The CDAFA imposes liability on a person who âknowingly accesses and without permission . . . uses any data, computer, computer system, or computer network in order to . . . wrongfully control or obtain money, property, or data.â It also imposes liability on a person who âknowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.â
The court’s decision
As discussed above, the court granted Kohlâs motion to dismiss in part and denied it in part.
Plaintiffâs CIPA claims
The court first addressed Plaintiffâs CIPA claims. The court found that Plaintiff plausibly pleaded that Kohlâs violated section 631(a), Clause Two by allowing ASI to âlisten inâ on chats between Kohlâs website users and its customer service representatives. The court discussed different aspects of a Clause Two claim: consent, the party exemption rule, content, and the âin transitâ requirement.
First, the court found that Plaintiff met his burden to plead lack of consent to the recording of his web chats at the motion to dismiss stage, since he alleged that neither he nor the putative class members either expressly or impliedly consented to Kohlâs actions simply by chatting with the agent on the chat function.
The court next addressed Kohlâs party-exemption rule, whereby Kohlâs argued that ASI acted as a recorder for Kohlâs, and thus ASI was entitled to the exemption whereby parties cannot be held liable under CIPA § 631(a) for eavesdropping on their own conversations. The court noted a split in California courts on whether this exemption extends to third partiesâwith some holding that software providers who embed code into a partyâs website are not parties themselves, since they are akin to pressing oneâs ear against a door to hear a conversation, while other courts reason that these software providers are not eavesdroppers because they merely provide a tool, like a tape recorder. The court refused to answer the question at this stage, deferring it to after discovery.
The court next found that Plaintiff, in alleging that whenever a consumer chats on Kohlâs website, the chat is routed through ASIâs servers for ASI to collect a transcript of the chat, sufficiently alleged facts plausibly showing that Kohlâs recorded the content of Plaintiffâs communications with Kohlâs.
Finally, the court found that Plaintiff successfully pleaded that ASI intercepted his chat with Kohlâs, since Kohlâs website chat feature operates through ASI servers, allowing real-time interception of the communication.
The court then found that Plaintiff stated a violation of section 631(a), Clause Three because it alleged that ASI intercepts chat transcripts and provides them to identity resolution malware companies and other third parties, to enable targeted marketing by Kohlâs and these malware companies. The court found to be a plausible inference that ASI uses the information it gathers for its and Kohlâs benefit.
Plaintiffâs CDAFA claims
The court also found that Plaintiff adequately stated a claim for breach of the CDAFA, Cal. Penal Code § 501(c)(1)â(2). The court followed the broadened definition of âwithout permissionâ as stated by the Southern District of California in Greenley v. Kochava, Inc., finding that the phrase âwithout permissionâ is not limited to conduct that circumvents a device barrier or hacks into a computer system.
The court also found that Plaintiff sufficiently pled that Kohlâs has a stake in the value of his misappropriated data, citing to the Ninth Circuitâs decision in In re Facebook holding that browsing histories carry financial value.
Plaintiffâs invasion of privacy & intrusion upon seclusion claims
Plaintiff did not prevail on all counts because the court dismissed his invasion of privacy and intrusion upon seclusion claims. The court found that the FAC did not plead any facts suggesting that Kohlâs collected intimate or sensitive personally identifiable information or otherwise disregarded Plaintiffâs privacy choices while holding itself out as respecting them. The fact that ASIâs software captured Plaintiffâs personal details and browsing history was insufficient to show a serious invasion of a protected privacy interest under Ninth Circuit law.
Key takeaways
- This decision builds upon a string of recent privacy cases in which courts have found that using third-party entities to collect website visitorsâ information without the visitorsâ consent could violate state wiretapping statutes. For example, in Popa v. Harriet Carter Gifts, Inc., the Third Circuit reversed a grant of summary judgment for defendants on claims that a shopping website and a marketing service violated Pennsylvania anti-wiretapping law by collecting and sharing records of digital activities without consent.
- Many states, including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Nevada, Pennsylvania and Washington, allow for a private cause of action for a violation of the statesâ wiretapping laws. In these states, the risk of class action wiretapping litigation based on website tracking and âeavesdroppingâ of personal information is on the rise.
- Future Plaintiffs in California will likely rely on this decision in formulating their complaints and opposing defendantsâ motions to dismiss in wiretapping cases. The court here found for Plaintiff on a number of CIPA issues, including lack of consent, the party exemption rule, the content of Plaintiffâs communications, and the in transit requirement. We can expect that future Plaintiffs will use the courtâs language to attempt to craft their complaints so as to survive motions to dismiss.
- To reduce the risk of liability and litigation, companies should review their privacy policies and website to ensure that there are adequate disclosures and consents.