Hogan Lovells 2024 Election Impact and Congressional Outlook Report
Over the last 18 months, a new privacy litigation battlefront has emerged: Website operators across a range of industries find themselves inundated with class action suits or requests for arbitration based on alleged violation of Sections 631(a) and 632.7 of the California Invasion of Privacy Act (“CIPA”), which carries statutory penalties of up to $5,000 “per violation.” CIPA is the 50+ year old California analogue to the federal Wiretap Act intended to prohibit the wiretapping and eavesdropping of communications. However, the plaintiffs’ bar has been testing more expansive applications of CIPA in the context of ubiquitous and commonplace online technologies. One technology that has been a focal point of recent litigation is the “live chat” feature commonly used on customer-facing websites and often powered by third party software providers.
Following a surge of cases in California federal and state courts, we are now beginning to see how courts are addressing key arguments raised in threshold motions to dismiss. In particular, decisions are starting to grapple with (i) whether the live chat software provider is a “party” to the “communication,” (ii) whether the communication is “intercepted” while “in transit,” and (iii) for Section 632.7, which prohibits the unconsented recording of telephone communications, whether the statute covers online chat communications involving a cellular device. Thus far, most CIPA claims in “live chat” cases have been dismissed (many with leave to amend), but time will tell if the trend continues and how the issues play out on the merits.
In enacting CIPA in 1967, the California legislature declared its “intent to protect the right of privacy of the people of this state from what it perceived as a serious threat to the free exercise of personal liberties ….” Flanagan v. Flanagan, 27 Cal. 4th 766, 775 (2002). Specifically, the Legislature found that “advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications,” creating a “serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.” Cal. Penal Code § 630. The legislature tacked on a private right of action with up to $5,000 per violation in statutory damages. Id. § 637.2.
Some of the early targets of the plaintiffs’ bar were businesses that recorded inbound or outbound telephone calls. Plaintiffs argued that such recordings without the consent of the call participant violated CIPA Sections 632 and 632.7.
As internet-based technologies emerged as a key feature of online commerce, the plaintiffs’ bar identified new targets for CIPA claims. Plaintiffs initially focused on organizations’ use of cookie technology, which can collect information about user browsing activities. Courts grappled with how CIPA and other wiretap laws mapped onto these technologies that did not exist when the statutes were first enacted.1
The plaintiffs’ bar then pivoted to other internet-based technologies. For example, the plaintiffs’ bar targeted website operators’ use of “session replay” software, which captures certain user interactions (e.g., mouse movements, page scrolling, keystrokes) on a website or application running the software.2 Plaintiffs brought most of these CIPA claims under Section 631(a) of the statute, which makes it unlawful to “willfully and without the consent of all parties to the communication … read[], or attempt[] to read, or to learn the contents … of any message, report, or communication while the same is in transit ….” (emphasis added). That Section also prohibits anyone who “aids, agrees with, employs, or conspires with any person or persons” to commit one or more of the aforementioned acts. Id.
Since then, the plaintiffs’ bar has expanded its scope to challenge various website analytics technologies as well as “live chat” features used on websites. Over the past year and a half more than 70 putative class actions alleging violations of CIPA based on the use of live chat technology have been filed in California state and federal courts. In these cases, plaintiffs generally allege that website operators that deploy third party chat feature technology on their websites—and grant the third party access to the chat content in real time—are aiding or abetting the interception of customer communications with the website.
In addition to claims under Section 631(a), plaintiffs also have begun to assert claims under Section 632.7 in this wave of live chat litigation. Section 632.7 makes it unlawful for anyone “without the consent of all of the parties to a communication” to “intercept[] or receive[] and intentionally record[], or assist[] in the interception or reception and intentional recordation of, a communication transmitted between” any combination of cellular, landline, and cordless telephones. This Section, in contrast to Section 631(a), applies to interceptions or recordings of a qualifying communication regardless of whether the defendant is a party to the communication, and there is no specific requirement that the recording occurs while the communication “is in transit.”
As the first wave of live chat CIPA cases reach the motion to dismiss phase, courts have considered the following issues:
While California courts have held that a party cannot eavesdrop on its own conversation,3 the question becomes more nuanced when a third party provides the live chat technology. California courts have assessed whether the technology is more akin to a tape recorder utilized by the party to the conversation or an eavesdropper pressing up against a door to listen to a conversation.4 In past CIPA cases, when the third party simply captures and stores data on behalf of one of the communicants – for example, as a vendor to the website – and does not independently use and profit off the data, courts have found that the third party operates as an extension of the communicant (i.e., the website); thus, there is no aiding and abetting liability under Section 631(a).5 Courts have continued to apply this analysis in evaluating CIPA live chat claims,6 with a particular focus on whether chat data is being independently used by the third-party software provider.7
To state a claim under CIPA Section 631(a), the plaintiff must allege that the communication was intercepted “while in transit,” which courts have held to mean “acquired during transmission, not while it is in electronic storage.”8 California courts inundated with cookie cutter CIPA live chat complaints have largely rejected vague allegations that the interception occurred “while in transit” without additional supporting factual allegations to show how or when the interception took place. For example, in Esparza v. Lenox Corp., the Northern District of California recently dismissed the plaintiff’s complaint because the plaintiff failed to assert facts beyond the statement that some unknown third party not involved in the action “eavesdrops” somehow “in real time.”9 The court found that the plaintiff presented no theory of recovery—leaving many questions unanswered, such as “is there an actual third-party individual that is simultaneously reading the customer chat? Is it embedded code from a third-party software vendor that is automatically creating chat transcripts for someone other than defendant?”10 While the required degree of pleading specificity may not be settled, courts have found that simply stating the interception occurred “while in transit” is insufficient alone to create standing.11
On its face, Section 632.7’s requirement that the communication at issue be between two telephones12 would appear ill-suited to support a claim based on chat communications between a customer and customer support representative/bot. However, there is some inconsistency in the case law over whether Section 632.7 requires only one, or both parties, to be using a telephone, including in the context of live chat technology.13 Thus, this is likely to remain an active area of litigation until more precedent develops.
While recent decisions have given organizations a number of defenses to raise at the outset of CIPA litigation, we expect the plaintiffs’ bar to continue to bring CIPA claims based on websites’ live chat features. To mitigate this risk, there are a number of actions organizations can consider taking to undercut potential CIPA claims. For example, because CIPA claims hinge on purported lack of consent, a readily accessible just-in-time notice or privacy policy that clearly and conspicuously discloses that the live chat feature collects and/or shares user information with third parties may bolster defenses to claims that rely on end users being unaware of the “interception” of their electronic communications. Similarly, requiring online users to provide unambiguous consent to the recording of their chat communications prior to the initiation of a live chat would strengthen early challenges to CIPA claims.
Organizations should consider integrating these types of chat-related efforts alongside their compliance preparations for California’s new Bot Disclosure Law, which prohibits the use of undeclared bots to communicate or interact with another person in California in order to influence the user’s purchasing or voting behaviors. See Cal. Bus. & Prof. Code § 17940. The Bot Disclosure Law does not provide for a private right of action, however, it does provide for civil penalties up to $2,500 per violation enforceable by the California Attorney General, and has been cited by plaintiffs as an underlying violation of consumer unfair competition claims.
The months ahead will provide further clarity on the direction of live chat litigation and whether the plaintiffs’ bar’s more expansive application of CIPA will gain traction in the courts or before arbitrators. Organizations and their counsel should continue to monitor developments in this evolving area of the law.
Authored by Vassi Iliadis, Bret Cohen, Adam Cooke, and Jay Ettinger.
1 In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020); In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125 (3d Cir. 2015); In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262 (3d Cir. 2016).
2 See e.g., Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073 (C.D. Cal. July 15, 2021); Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal. 2021); Johnson v. Blue Nile, Inc., 2021 WL 1312771 (N.D. Cal. Apr. 8, 2021).
3 Rogers v. Ulrich, 125 Cal. Rptr. 306, 309 (Cal. Ct. App. 1975).
4 Licea v. Am. Eagle Outfitters, Inc., 2023 WL 2469630, at *7 (C.D. Cal. Mar. 7, 2023) (citation omitted).
5 See, e.g., Graham v. Noom, 533 F.Supp.3d 823, 833 (N.D. Cal. 2021) (dismissing Section 631(a) claims based on session replay software where third party software provider solely enabled party to communication to record and analyze its own data—akin to a tape recorder).
6 See e.g., Am. Eagle Outfitters, Inc., 2023 WL 2469630, at *7 (“Plaintiffs’ allegations suggest a situation more akin to Graham, where the court found that a third party was not an eavesdropper where their software collected clients’ data, kept the data on its servers, and allowed clients to analyze their data.”); Byars v. Hot Topic, Inc., 2023 WL 2026994, at *9-10 (C.D. Cal. Feb. 14, 2023) (similar).
7 See, e.g., Am. Eagle Outfitters, Inc., 2023 WL 2469630, at *7 (“[N]owhere [in the pleadings] suggest that the third party has the ability to use the information independently.”).
8 Mastel v. Miniclip SA, 549 F. Supp. 3d 1129, 1137 (E.D. Cal. 2021).
9 2023 WL 2541352, at *3 (N.D. Cal. Mar. 16, 2023).
10 Id.
11 Licea, 2023 WL 2469630 at *9 (“Plaintiff’s bare allegations that the third party secretly intercepts (during transmission and in real time) is conclusory and does not allege specific facts as to how or when the interception takes place, which has been found to fall short of stating a plausible claim under section 631(a).”) (cleaned up).
12 “[T]he interception or reception and intentional recordation of, a communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone.” Cal. Penal Code § 632.7.
13 Compare Licea v. Cinmar, LLC, 2023 WL 2415592, at *13 (C.D. Cal. Mar. 7, 2023) (“The Court determines that Section 632.7 only applies to the five types of calls enumerated ….”) with Cody v. Boscov’s, Inc., 2023 WL 2338302, at *3 (C.D. Cal. Mar. 2, 2023) (“The Court, however, rejects Defendant’s argument that, because she cannot allege that both parties were using a qualifying telephone device to conduct the customer chats, Plaintiff’s claim necessarily fails.”); see also Licea v. Old Navy, LLC, 2023 WL 3012527, at *3-4 (C.D. Cal. Apr. 19, 2023) (concluding that complaint alleged sufficient facts to state a violation of Section 632.7 using live chat technology).