In just the past few weeks, multiple class actions have been filed in California against a variety of companies, including Tiffany & Co., Dollar Shave Club, Goodyear Tires, M.A.C. Cosmetics and Michael Kors USA, making the surprising allegation that the companies engage in illegal wiretapping of online communications with consumers. The complaints—all filed by the same lawyer—allege that the defendants secretly deploy “keystroke monitoring” software that is used to intercept, monitor and record communications with visitors to their websites. The plaintiffs assert, on behalf of themselves and putative class members, that by doing so, the defendants have violated the California Invasion of Privacy Act (Cal. Penal Code Section 631).
The complaints primarily revolve around consumers’ communications with sophisticated “chatbots” that “convincingly” impersonate an actual human. According the complaints’ allegations, the chatbots not only encourage consumers to share their personal information but record and store the entire conversation without the consumer’s knowledge or permission. Thus, any company that uses chatbots is a potential target of these class action lawsuits.
Section 631(a) of California’s Penal Code imposes liability upon any entity that engages in conduct prohibited by that section—i.e., “by means of any machine, instrument, contrivance, or in any other manner”:
(1) “intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system,” or
(2) “willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state” or
(3) “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section.”
As noted in the Ninth Circuit’s recent decision in Javier v. Assurance IQ, LLC, “[t]hough written in terms of wiretapping, Section 631(a) applies to Internet communications [and] makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’” 21-16351, 2022 WL 1744107, at *1 (9th Cir. May 31, 2022). In Javier, the plaintiffs alleged that one of the defendants operated an insurance website that used the other defendant’s software to “record user’s interactions with the website and create a unique certificate for each user certifying that the user agreed to be contacted” with marketing communications. Id. The California federal district court had dismissed the case, holding that the plaintiff “had retroactively consented to the conduct at issue by agreeing to [the defendant’s] privacy policy, and that retroactive consent is valid under Section 631(a).” Id. The Ninth Circuit reversed on the basis that it believed “the California Supreme Court would interpret Section 631(a) to require the prior consent of all parties to a communication.” Id. at 2 (emphasis added). On remand, defendants recently moved to dismiss on issues not decided by the Ninth Circuit, including whether the plaintiff gave implied consent to the data collection. Regardless, website operators should confer with their legal counsel before deploying technology that captures online consumer consent to marketing communications, which has become ubiquitous in the telemarketing space.
While Section 631(a) is a criminal statute, California law allows alleged victims to bring a civil lawsuit. Specifically, under Penal Code Section 637.2, any person who has been injured by a violation of Section 631(among other code sections) may bring an action against the person who committed the violation to enjoin or restrain any such violation, as well as obtain damages of the greater of $5,000 per violation or three times the amount of actual damages, if any, sustained by the plaintiff. Notably, the plaintiff need not have suffered or be threatened with actual damages. In addition to these remedies, the plaintiffs in these recently filed actions also seek recovery of their attorneys’ fees and costs, as well as punitive damages.
While these recent filings in California seem based on a novel theory, they are not. For instance, in the aftermath of the Ninth Circuit’s ruling in the In re Facebook Internet Tracking Litigation, which adopted the First and Seventh Circuits’ reasoning that “simultaneous, unknown duplication and communication of GET requests do not exempt a defendant from liability under the [federal and state wiretap statutes’] party exception,” numerous lawsuits were filed on that basis. Davis v. Facebook, Inc., 956 F.3d 589, 608 (2020).
Indeed, similar cases were filed in Florida and recently dismissed. Specifically, in March 2021, two plaintiffs filed separate lawsuits against Whirlpool Corporation alleging that the company unlawfully intercepted website visitor information by using “session replay” technology. In those cases, the federal judge found that the state’s wiretapping law does not apply to the company’s use of marketing analytics software to capture browsing histories, personal interests, or similar data. Cardoso v. Whirlpool Corp., Case No. 21-CV-60784-WPD, 9/15/21 and Connor v. Whirlpool Corp., Case No. 21-CV-14180-WPD, 9/15/21(] S.D. Florida) Case ( S.D. Florida). Likewise, in September 2021, another Florida federal court judge dismissed a class action against Costco when the court determined that mouse clicks, pages viewed, scroll movements and other actions do not convey contents or communications. [Goldstein v. Costco Wholesale Corp., Case No. 21-CV-80601-RAR], Case No. 9:21-cv-80601 ([9/9/21] S.D. Florida).
However, in the most recent California filings, the plaintiffs attempt to plead around the case law against them, focusing specifically on their communications with the defendant companies’ chatbots. While it is unclear whether these plaintiffs ultimately will succeed, it is clear that this area of the law remains unsettled, inviting further litigation.
Additionally, companies need to be concerned about how these claims can affect their Environmental Social Governance (“ESG”) efforts and related reputation. MSCI, a leader in rating companies’ ESG efforts, lists privacy and data security as key issues taken into account.
How can liability best be avoided? Just as companies must inform consumers about their privacy rights, so too should companies inform consumers how their interactions with “chatbots” or their actions on the website will be recorded and how the data will be used, and they should seek consent to such uses before engaging the consumer with the technology. California law already requires disclosure of a communication with a bot, including prohibiting misleading a consumer about the artificial nature of the bot. Cal. Bus. & Profs. Code Section 17940. Most companies using bots to interact with consumers have already adapted to these requirements. Drafted carefully, these same disclosures can also use consumer-friendly language to ensure that everyone understands that communications with the bot—or even the clicks and keystrokes on a website—will be saved and analyzed to improve customer service.
