In brief

In Esparza v. Kohl’s, Inc., Plaintiff brought a putative class action accusing Kohl’s of allowing a third party to unlawfully eavesdrop on him while he had a brief conversation with an agent on a chat feature on Kohl’s website.

Kohl’s moved to dismiss all claims, but the United States District Court for the Southern District of California granted the motion only as to the claims for violation of the California Constitution and intrusion upon seclusion. The court allowed Plaintiff’s claims under the California Invasion of Privacy Act (CIPA) and the California Computer Data Access and Fraud Act (CDAFA) to move forward.

This decision is significant because it confirms that sharing electronic data with third-party applications or service providers without the website visitor’s consent creates a risk of lawsuits and potential liability for website defendants in states that require all parties to consent to interception of communications.


Contents

  1. Background
  2. The court’s decision
  3. Key takeaways

Background

Plaintiff Miguel Esparza is a California resident who visited the website of Defendant Kohl’s, Inc. (“Kohl’s”) and had a brief conversation with an agent through the website’s chat feature. He alleged in his first amended complaint that Kohl’s allowed a third party, Ada Support Inc. (ASI), to embed its chat technology code into the chat feature offered on Kohl’s website to enable eavesdropping. He further asserted that ASI’s alleged malware tools secretly installed a “persistent cookie” on users’ devices and de-anonymized website visitors. Plaintiff also claimed that, after he used the website’s chat feature, Kohl’s obtained his personal information and embedded his identity into the malware companies’ database, which the malware companies share with companies that purchase their products.

Plaintiff asserted claims for: (1) violation of the CIPA, (2) violation of the CDAFA, (3) invasion of privacy, and (4) intrusion upon seclusion. Kohl’s moved to dismiss all claims pursuant to Federal Rule of Civil Procedure 12(b)(6).

CIPA section 631(a), Clause Two imposes liability on anyone “who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within” California.

CIPA section 631(a), Clause Three imposes liability on anyone “who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained . . .”

The CDAFA imposes liability on a person who “knowingly accesses and without permission . . . uses any data, computer, computer system, or computer network in order to . . . wrongfully control or obtain money, property, or data.” It also imposes liability on a person who “knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”

The court’s decision

As discussed above, the court granted Kohl’s motion to dismiss in part and denied it in part.

Plaintiff’s CIPA claims

The court first addressed Plaintiff’s CIPA claims. The court found that Plaintiff plausibly pleaded that Kohl’s violated section 631(a), Clause Two by allowing ASI to “listen in” on chats between Kohl’s website users and its customer service representatives. The court discussed different aspects of a Clause Two claim: consent, the party exemption rule, content, and the “in transit” requirement.

First, the court found that Plaintiff met his burden to plead lack of consent to the recording of his web chats at the motion to dismiss stage, since he alleged that neither he nor the putative class members either expressly or impliedly consented to Kohl’s actions simply by chatting with the agent on the chat function.

The court next addressed the party-exemption rule. Kohl’s argued that ASI acted as a recorder for Kohl’s, and that ASI was therefore entitled to the exemption under which parties cannot be held liable under CIPA § 631(a) for eavesdropping on their own conversations. The court noted a split in California courts on whether this exemption extends to third parties. Some courts hold that software providers who embed code into a party’s website are not parties themselves, since they are akin to someone pressing an ear against a door to hear a conversation, while other courts reason that these software providers are not eavesdroppers because they merely provide a tool, like a tape recorder. The court refused to answer the question at this stage, deferring it to after discovery.

The court next found that Plaintiff sufficiently alleged facts plausibly showing that Kohl’s recorded the content of his communications with Kohl’s, by alleging that whenever a consumer chats on Kohl’s website, the chat is routed through ASI’s servers for ASI to collect a transcript of the chat.

Finally, the court found that Plaintiff successfully pleaded that ASI intercepted his chat with Kohl’s, since Kohl’s website chat feature operates through ASI servers, allowing real-time interception of the communication.

The court then found that Plaintiff stated a violation of section 631(a), Clause Three because he alleged that ASI intercepts chat transcripts and provides them to identity resolution malware companies and other third parties, to enable targeted marketing by Kohl’s and these malware companies. The court found it to be a plausible inference that ASI uses the information it gathers for its and Kohl’s benefit.

Plaintiff’s CDAFA claims

The court also found that Plaintiff adequately stated a claim for breach of the CDAFA, Cal. Penal Code § 501(c)(1)–(2). The court followed the broadened definition of “without permission” as stated by the Southern District of California in Greenley v. Kochava, Inc., finding that the phrase “without permission” is not limited to conduct that circumvents a device barrier or hacks into a computer system.

The court also found that Plaintiff sufficiently pleaded that Kohl’s has a stake in the value of his misappropriated data, citing the Ninth Circuit’s decision in In re Facebook holding that browsing histories carry financial value.

Plaintiff’s invasion of privacy & intrusion upon seclusion claims

Plaintiff did not prevail on all counts because the court dismissed his invasion of privacy and intrusion upon seclusion claims. The court found that the first amended complaint (FAC) did not plead any facts suggesting that Kohl’s collected intimate or sensitive personally identifiable information or otherwise disregarded Plaintiff’s privacy choices while holding itself out as respecting them. The fact that ASI’s software captured Plaintiff’s personal details and browsing history was insufficient to show a serious invasion of a protected privacy interest under Ninth Circuit law.

Key takeaways

  • This decision builds upon a string of recent privacy cases in which courts have found that using third-party entities to collect website visitors’ information without the visitors’ consent could violate state wiretapping statutes. For example, in Popa v. Harriet Carter Gifts, Inc., the Third Circuit reversed a grant of summary judgment for defendants on claims that a shopping website and a marketing service violated Pennsylvania anti-wiretapping law by collecting and sharing records of digital activities without consent.
  • Many states, including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Nevada, Pennsylvania and Washington, allow for a private cause of action for a violation of the states’ wiretapping laws. In these states, the risk of class action wiretapping litigation based on website tracking and “eavesdropping” of personal information is on the rise.
  • Future plaintiffs in California will likely rely on this decision in formulating their complaints and opposing defendants’ motions to dismiss in wiretapping cases. The court here found for Plaintiff on a number of CIPA issues, including lack of consent, the party exemption rule, the content of Plaintiff’s communications, and the in transit requirement. We can expect that future plaintiffs will use the court’s language to attempt to craft their complaints so as to survive motions to dismiss.
  • To reduce the risk of liability and litigation, companies should review their privacy policies and website to ensure that there are adequate disclosures and consents.

Authors

Michael C. McCutcheon regularly represents US and international entities in complex commercial litigation and arbitration matters.
Michael has contributed articles to Law360, the Illinois Institute for Continuing Legal Education on advanced trial practice, Illinois Association of Defense Trial Counsel's Quarterly, Defense Research Institute's For the Defense and In-House Defense Quarterly, and the Loyola Consumer Law Review. He is also an active participant in the Firm's pro bono program and was the inaugural recipient of the Firm's "Award of Excellence" for pro bono and public service.

Edward D. Totino is a partner in the North America Securities Litigation Group of Baker McKenzie's Los Angeles office.

Nancy is a partner in our Firm's North America Litigation and Government Enforcement Group and is based in our Los Angeles office.

John is an associate in our Firm’s North America Litigation & Government Enforcement Practice Group and is based in our Los Angeles office.