United States: California Court decision a reminder to review website privacy practices

25 Apr 2024 6 minute read

- Share by email
- Share on
- Twitter
- LinkedIn
- Facebook
- Google plus
- Get link
- Get QR Code
- Download
- Print

CIPA CDAFA Privacy Consumer Class Action

In brief

In Esparza v. Kohl’s, Inc., Plaintiff brought a putative class action accusing Kohl’s of allowing a third party to unlawfully eavesdrop on him while he had a brief conversation with an agent on a chat feature on Kohl’s website.

Kohl’s moved to dismiss all claims, but the United States District Court for the Southern District of California granted the motion only as to the claims for violation of the California Constitution and intrusion upon seclusion. The court allowed Plaintiff’s claims under the California Invasion of Privacy Act (CIPA) and the California Computer Data Access and Fraud Act (CDAFA), to move forward.

This decision is significant because it confirms that sharing electronic data with third-party applications or service providers without the website visitor’s consent creates a risk of lawsuits and potential liability for website defendants in states that require all parties to consent to interception of communications.

Background

Plaintiff Miguel Esparza is a California resident who visited Defendant Kohl’s, Inc.’s (“Kohl’s”) website and had a brief conversation with an agent through the website’s chat feature. He alleged in his first amended complaint that Kohl’s allowed a third party, Ada Support Inc. (ASI), to embed its chat technology code into the chat feature offered on Kohl’s website to enable eavesdropping. He further asserts that ASI’s alleged malware tools secretly installed a “persistent cookie” on users’ devices and de-anonymized website visitors. Plaintiff also claimed that, after he used the website’s chat feature, Kohl’s obtained his personal Information and embedded his identity into the malware companies’ database, which the malware companies share with companies that purchase their products.

Plaintiff asserted claims for: (1) violation of the CIPA, (2) violation of the CDAFA, (3) invasion of privacy, and (4) intrusion upon seclusion. Kohl’s moved to dismiss all claims pursuant to Federal Rule of Civil Procedure 12(b)(6).

CIPA section 631(a), Clause Two imposes liability on anyone “who willfully and without the consent to all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within” California.

CIPA section 631(a), Clause Three imposes liability on anyone “who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained . . .”

The CDAFA imposes liability on a person who “knowingly accesses and without permission . . . uses any data, computer, computer system, or computer network in order to . . . wrongfully control or obtain money, property, or data.” It also imposes liability on a person who “knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”

The court's decision

As discussed above, the court granted Kohl’s motion to dismiss in part and denied it in part.

Plaintiff’s CIPA claims

The court first addressed Plaintiff’s CIPA claims. The court found that Plaintiff plausibly pleaded that Kohl’s violated section 631(a), Clause Two by allowing ASI to “listen in” on chats between Kohl’s website users and its customer service representatives. The court discussed different aspects of a Clause Two claim: consent, the party exemption rule, content, and the “in transit” requirement.

First, the court found that Plaintiff met his burden to plead lack of consent to the recording of his web chats at the motion to dismiss stage, since he alleged that neither he nor the putative class members either expressly or impliedly consented to Kohl’s actions simply by chatting with the agent on the chat function.

The court next addressed Kohl’s party-exemption rule, whereby Kohl’s argued that ASI acted as a recorder for Kohl’s, and thus ASI was entitled to the exemption whereby parties cannot be held liable under CIPA § 631(a) for eavesdropping on their own conversations. The court noted a split in California courts on whether this exemption extends to third parties—with some holding that software providers who embed code into a party’s website are not parties themselves, since they are akin to pressing one’s ear against a door to hear a conversation, while other courts reason that these software providers are not eavesdroppers because they merely provide a tool, like a tape recorder. The court refused to answer the question at this stage, deferring it to after discovery.

The court next found that Plaintiff, in alleging that whenever a consumer chats on Kohl’s website, the chat is routed through ASI’s servers for ASI to collect a transcript of the chat, sufficiently alleged facts plausibly showing that Kohl’s recorded the content of Plaintiff’s communications with Kohl’s.

Finally, the court found that Plaintiff successfully pleaded that ASI intercepted his chat with Kohl’s, since Kohl’s website chat feature operates through ASI servers, allowing real-time interception of the communication.

The court then found that Plaintiff stated a violation of section 631(a), Clause Three because it alleged that ASI intercepts chat transcripts and provides them to identity resolution malware companies and other third parties, to enable targeted marketing by Kohl’s and these malware companies. The court found to be a plausible inference that ASI uses the information it gathers for its and Kohl’s benefit.

Plaintiff’s CDAFA claims

The court also found that Plaintiff adequately stated a claim for breach of the CDAFA, Cal. Penal Code § 501(c)(1)–(2). The court followed the broadened definition of “without permission” as stated by the Southern District of California in Greenley v. Kochava, Inc., finding that the phrase “without permission” is not limited to conduct that circumvents a device barrier or hacks into a computer system.

The court also found that Plaintiff sufficiently pled that Kohl’s has a stake in the value of his misappropriated data, citing to the Ninth Circuit’s decision in In re Facebook holding that browsing histories carry financial value.

Plaintiff’s invasion of privacy & intrusion upon seclusion claims

Plaintiff did not prevail on all counts because the court dismissed his invasion of privacy and intrusion upon seclusion claims. The court found that the FAC did not plead any facts suggesting that Kohl’s collected intimate or sensitive personally identifiable information or otherwise disregarded Plaintiff’s privacy choices while holding itself out as respecting them. The fact that ASI’s software captured Plaintiff’s personal details and browsing history was insufficient to show a serious invasion of a protected privacy interest under Ninth Circuit law.

Key takeaways

This decision builds upon a string of recent privacy cases in which courts have found that using third-party entities to collect website visitors’ information without the visitors’ consent could violate state wiretapping statutes. For example, in Popa v. Harriet Carter Gifts, Inc., the Third Circuit reversed a grant of summary judgment for defendants on claims that a shopping website and a marketing service violated Pennsylvania anti-wiretapping law by collecting and sharing records of digital activities without consent.
Many states, including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Nevada, Pennsylvania and Washington, allow for a private cause of action for a violation of the states’ wiretapping laws. In these states, the risk of class action wiretapping litigation based on website tracking and “eavesdropping” of personal information is on the rise.
Future Plaintiffs in California will likely rely on this decision in formulating their complaints and opposing defendants’ motions to dismiss in wiretapping cases. The court here found for Plaintiff on a number of CIPA issues, including lack of consent, the party exemption rule, the content of Plaintiff’s communications, and the in transit requirement. We can expect that future Plaintiffs will use the court’s language to attempt to craft their complaints so as to survive motions to dismiss.
To reduce the risk of liability and litigation, companies should review their privacy policies and website to ensure that there are adequate disclosures and consents.

Contact Information

Michael McCutcheon
Partner
Chicago
Read my Bio
michael.mccutcheon@bakermckenzie.com

Edward Totino
Partner
Los Angeles
Read my Bio
edward.totino@bakermckenzie.com

Nancy Sims
Partner
Los Angeles
Read my Bio
nancy.sims@bakermckenzie.com

John Treat
Associate
Los Angeles
Read my Bio
john.treat@bakermckenzie.com

Copyright © 2024 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.