In brief

In Esparza v. Kohl’s, Inc., Plaintiff brought a putative class action accusing Kohl’s of allowing a third party to unlawfully eavesdrop on him while he had a brief conversation with an agent on a chat feature on Kohl’s website.

Kohl’s moved to dismiss all claims, but the United States District Court for the Southern District of California granted the motion only as to the claims for violation of the California Constitution and intrusion upon seclusion. The court allowed Plaintiff’s claims under the California Invasion of Privacy Act (CIPA) and the California Computer Data Access and Fraud Act (CDAFA), to move forward.

This decision is significant because it confirms that sharing electronic data with third-party applications or service providers without the website visitor’s consent creates a risk of lawsuits and potential liability for website defendants in states that require all parties to consent to interception of communications.

Background

Plaintiff Miguel Esparza is a California resident who visited Defendant Kohl’s, Inc.’s (“Kohl’s”) website and had a brief conversation with an agent through the website’s chat feature. He alleged in his first amended complaint that Kohl’s allowed a third party, Ada Support Inc. (ASI), to embed its chat technology code into the chat feature offered on Kohl’s website to enable eavesdropping. He further asserts that ASI’s alleged malware tools secretly installed a “persistent cookie” on users’ devices and de-anonymized website visitors. Plaintiff also claimed that, after he used the website’s chat feature, Kohl’s obtained his personal Information and embedded his identity into the malware companies’ database, which the malware companies share with companies that purchase their products.

Plaintiff asserted claims for: (1) violation of the CIPA, (2) violation of the CDAFA, (3) invasion of privacy, and (4) intrusion upon seclusion. Kohl’s moved to dismiss all claims pursuant to Federal Rule of Civil Procedure 12(b)(6).

CIPA section 631(a), Clause Two imposes liability on anyone “who willfully and without the consent to all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within” California.

CIPA section 631(a), Clause Three imposes liability on anyone “who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained . . .”

The CDAFA imposes liability on a person who “knowingly accesses and without permission . . . uses any data, computer, computer system, or computer network in order to . . . wrongfully control or obtain money, property, or data.” It also imposes liability on a person who “knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”

The court’s decision

As discussed above, the court granted Kohl’s motion to dismiss in part and denied it in part.

Plaintiff’s CIPA claims

The court first addressed Plaintiff’s CIPA claims. The court found that Plaintiff plausibly pleaded that Kohl’s violated section 631(a), Clause Two by allowing ASI to “listen in” on chats between Kohl’s website users and its customer service representatives. The court discussed different aspects of a Clause Two claim: consent, the party exemption rule, content, and the “in transit” requirement.

First, the court found that Plaintiff met his burden to plead lack of consent to the recording of his web chats at the motion to dismiss stage, since he alleged that neither he nor the putative class members either expressly or impliedly consented to Kohl’s actions simply by chatting with the agent on the chat function.

The court next addressed Kohl’s party-exemption rule, whereby Kohl’s argued that ASI acted as a recorder for Kohl’s, and thus ASI was entitled to the exemption whereby parties cannot be held liable under CIPA § 631(a) for eavesdropping on their own conversations. The court noted a split in California courts on whether this exemption extends to third parties—with some holding that software providers who embed code into a party’s website are not parties themselves, since they are akin to pressing one’s ear against a door to hear a conversation, while other courts reason that these software providers are not eavesdroppers because they merely provide a tool, like a tape recorder. The court refused to answer the question at this stage, deferring it to after discovery.

The court next found that Plaintiff, in alleging that whenever a consumer chats on Kohl’s website, the chat is routed through ASI’s servers for ASI to collect a transcript of the chat, sufficiently alleged facts plausibly showing that Kohl’s recorded the content of Plaintiff’s communications with Kohl’s.

Finally, the court found that Plaintiff successfully pleaded that ASI intercepted his chat with Kohl’s, since Kohl’s website chat feature operates through ASI servers, allowing real-time interception of the communication.

The court then found that Plaintiff stated a violation of section 631(a), Clause Three because it alleged that ASI intercepts chat transcripts and provides them to identity resolution malware companies and other third parties, to enable targeted marketing by Kohl’s and these malware companies. The court found to be a plausible inference that ASI uses the information it gathers for its and Kohl’s benefit.

Plaintiff’s CDAFA claims

The court also found that Plaintiff adequately stated a claim for breach of the CDAFA, Cal. Penal Code § 501(c)(1)–(2). The court followed the broadened definition of “without permission” as stated by the Southern District of California in Greenley v. Kochava, Inc., finding that the phrase “without permission” is not limited to conduct that circumvents a device barrier or hacks into a computer system.

The court also found that Plaintiff sufficiently pled that Kohl’s has a stake in the value of his misappropriated data, citing to the Ninth Circuit’s decision in In re Facebook holding that browsing histories carry financial value.

Plaintiff’s invasion of privacy & intrusion upon seclusion claims

Plaintiff did not prevail on all counts because the court dismissed his invasion of privacy and intrusion upon seclusion claims. The court found that the FAC did not plead any facts suggesting that Kohl’s collected intimate or sensitive personally identifiable information or otherwise disregarded Plaintiff’s privacy choices while holding itself out as respecting them. The fact that ASI’s software captured Plaintiff’s personal details and browsing history was insufficient to show a serious invasion of a protected privacy interest under Ninth Circuit law.

Key takeaways

  • This decision builds upon a string of recent privacy cases in which courts have found that using third-party entities to collect website visitors’ information without the visitors’ consent could violate state wiretapping statutes. For example, in Popa v. Harriet Carter Gifts, Inc., the Third Circuit reversed a grant of summary judgment for defendants on claims that a shopping website and a marketing service violated Pennsylvania anti-wiretapping law by collecting and sharing records of digital activities without consent.
  • Many states, including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Nevada, Pennsylvania and Washington, allow for a private cause of action for a violation of the states’ wiretapping laws. In these states, the risk of class action wiretapping litigation based on website tracking and “eavesdropping” of personal information is on the rise.
  • Future Plaintiffs in California will likely rely on this decision in formulating their complaints and opposing defendants’ motions to dismiss in wiretapping cases. The court here found for Plaintiff on a number of CIPA issues, including lack of consent, the party exemption rule, the content of Plaintiff’s communications, and the in transit requirement. We can expect that future Plaintiffs will use the court’s language to attempt to craft their complaints so as to survive motions to dismiss.
  • To reduce the risk of liability and litigation, companies should review their privacy policies and website to ensure that there are adequate disclosures and consents.

Author

Michael C. McCutcheon is a partner in Baker McKenzie's Chicago office. He regularly represents US and international entities in complex commercial litigation and arbitration matters. Michael has contributed articles to Law360, the Illinois Institute for Continuing Legal Education on advanced trial practice, Illinois Association of Defense Trial Counsel's Quarterly, Defense Research Institute's For the Defense and In-House Defense Quarterly, and the Loyola Consumer Law Review. He is also an active participant in the Firm's pro bono program and was the inaugural recipient of the Firm's "Award of Excellence" for pro bono and public service. Michael focuses on diverse matters involving international commercial litigation and arbitration, with emphasis on the financial, private equity, manufacturing and consumer goods industries. He is particularly experienced in the defense of class action lawsuits and has published on the topic extensively throughout his career. He also advises on litigation prevention, risk management as well as regulatory compliance matters arising under a broad range of federal and state privacy, consumer, and health and safety statutes. Michael has extensive trial and appellate experience, and has been recognized by his peers in the areas of class action and mass tort litigation.

Author

Edward D. Totino is a partner in the North America Securities Litigation Group of Baker McKenzie's Los Angeles office. Ed's practice focuses on class actions, complex commercial litigation and securities litigation. He represents a broad spectrum of clients including financial institutions, fintech companies, manufacturers, retailers, and hospitality businesses. In recent years, Ed has defended class actions brought under the federal securities laws, the California Consumer Legal Remedies Act, the California Invasion of Privacy Act, and the federal Telephone Consumer Protection Act.

Author

Nancy is a partner in our Firm's North America Litigation and Government Enforcement Group and is based in our Los Angeles office. Nancy is a commercial litigator focusing on class actions and complex business disputes and investigations. Her previous experience includes representing clients in commercial matters based on contract claims, unfair competition, false advertising, fraud and related business torts in both court litigation and arbitration. In particular, Nancy's litigation practice involves defending class actions in the consumer, franchise, insurance, and labor and employment spaces. Nancy also has significant experience representing franchisors in disputes with franchisees involving joint employer allegations, misclassification claims, contract claims. She has represented clients in putative class actions and other litigation with a combined exposure of over USD 1 billion. In addition, Nancy also has extensive experience conducting corporate internal investigations and government investigations, including those implicating the Foreign Corrupt Practices Act and UK Bribery Act. Nancy also previously served as a full-time judicial extern to the Honorable Steven Reinhardt of the US Court of Appeals for the Ninth Circuit.

Author

John is an associate in our Firm’s North America Litigation & Government Enforcement Practice Group and is based in our Los Angeles office. John represents clients in complex commercial litigation in federal and state court, as well as in domestic and international arbitration concerning contracts, financial services disputes, construction projects, and insurance, among others