Privacy laws that regulate cookies tend to crumble when implemented

In the 30 years since Tim Berners-Lee launched the "World Wide Web," publicly-accessible websites have become increasingly sophisticated in their adoption of website-tracking technology. The use of these technologies has been particularly acute on social media and commercial-retail websites, many of which have installed "cookies" that track website visitor activity. While states such as California have passed new statutes that require companies to inform consumers what personal information is being collected when their website is visited (see Cal. Civ. Code § 1798.100), the proliferation of website-tracking technology has largely not been accompanied by a regulatory scheme. Consequently, the plaintiffs' bar has been forced to rely on decades-old privacy statutes when bringing privacy class actions, which has proven vexing for courts trying to apply pre-internet privacy statutes to modern web-technology.

The plaintiffs' bar has utilized a litany of statutes, including the Video Privacy Protection Act (VPPA), Electronic Communications Privacy Act (ECPA), and the Fair Credit Reporting Act (FCRA). These lawsuits have generally focused on third-party tracking tools embedded on websites, such as session-replay and the Meta Pixel. For example, plaintiffs have brought dozens of class actions across the country under the VPPA - a statute enacted in the bygone era of Blockbuster to confer privacy protection over a person's video rental history - alleging that the tracking and transmission of a person's viewing of an embedded video on a website to Facebook runs afoul of the statute. See, e.g., Perry v. Cable News Network, Inc., No. 1:14-CV-02926-ELR, 2016 WL 4373708 (N.D. Ga. Apr. 20, 2016) aff'd, 854 F.3d 1336 (11th Cir. 2017); Lebakken v. WebMD, LLC, No. 1:22-CV-644-TWT, 2022 WL 16716151 (N.D. Ga. Nov. 4, 2022); Ambrose v. Bos. Globe Media Partners LLC, No. 1:22-CV-10195-RGS, 2022 WL 4329373 (D. Mass. Sept. 19, 2022); Wilson v. Triller, Inc., 598 F. Supp. 3d 82 (S.D.N.Y. Apr. 18, 2022); Bernardino v. Barnes & Noble Booksellers, Inc., No. 1:17-CV-04570-LAK-KHP, 2017 WL 3727230 (S.D.N.Y. Aug. 11, 2017); In re Hulu Privacy Litig., No. 3:11-CV-03764-LB, 2014 WL 1724344 (N.D. Cal. Apr. 28, 2014.) Plaintiffs have similarly alleged claims against companies for impermissibly infiltrating and monitoring nominally-designated Facebook "private" groups in violation of the ECPA. Davis v. HDR Inc., No. 2:21-CV-01903-PHX-ROS, 2023 WL 399796 (D. Ariz. Jan. 25, 2023) (class action under ECPA dismissed, finding that communications within private Facebook groups are "readily accessible to the public" (i.e., not private), and thus beyond the reach of the statute); Jackson v. Amazon.com, Inc., 559 F. Supp. 3d 1132 (S.D. Cal. 2021) (class action against online marketplace alleging violations of Wiretap Act, violations of Stored Communications Act, and state law claims including violations of California Invasion of Privacy Act.) Plaintiffs (and more recently the CFPB) have attempted to invoke the FCRA - the oldest data privacy statute - to govern behavioral and marketing data maintained by data brokers. Tailford v. Experian Info. Sols., Inc., 26 F.4th 1092 (9th Cir. 2022) (affirming the district court's dismissal of the action, finding that the Fair Credit Reporting Act should be narrowly construed to cover only traditional forms of credit data); see also Skiles v. Tesla, Inc., 472 F. Supp. 3d 566, 570 (N.D. Cal. 2020) (dismissing FCRA class action upon finding that a marketing report provided to Tesla did not constitute a "consumer report" under the FCRA); Consumer Financial Protection Bureau, CFPB Launches Inquiry Into the Business Practices of Data Brokers (March 15, 2023).

While courts have wrestled with resolving these various types of cases, the most challenging issues have arisen under the California Invasion of Privacy Act (CIPA). Cal. Penal Code § 630, et seq. These suits argue that a website's use of third-party chat-bots to record consumer communications violates CIPA's prohibition on non-consensual eavesdropping and wiretapping. The principal issues dividing courts revolve around two separate provisions of CIPA - 631 and 632.7.

On the first claim, judges in the Northern District of California and Central District of California have reached different decisions within the span of a few weeks. Starting up in the Northern District, two judges reached different conclusions as to whether the same third-party vendor - ActiveProspect - constituted "a third-party eavesdropper" under CIPA section 631(a). Compare Williams v. What If Holdings, LLC, No. 3:22-CV-03780-WHA, 2022 WL 17869275, *2 (N.D. Cal. Dec. 22, 2022) with Javier v. Assurance IQ, LLC, No. 4:20-CV-02860-CRB, 2023 WL 114225, *4-7 (N.D. Cal. Jan. 5, 2023); see also Esparza v. Lenox Corp., No. 3:22-CV-09004-WHA, 2023 WL 2541352 (N.D. Cal. Mar. 16, 2023) (dismissing claim under CIPA section 631(a) for failure to allege that the software vendor was a third-party eavesdropper.) Both courts agreed that a plaintiff alleging a derivative liability claim against the website-defendants must first establish that the unnamed third-party software vendors constituted "third-party eavesdroppers" under section 631. But according to What If Holdings, whether or not one constitutes a "third-party eavesdropper" turns on "whether [the third party] was an independent third party hired to eavesdrop on [the defendant's] communications, or whether [the third-party vendor's] software was merely a tool that [the defendant] used to record its own communications with plaintiff." What If Holdings, 2022 WL 17869275, at *3; see also Graham v. Noom, Inc., 533 F. Supp. 3d 823, 831 (N.D. Cal. 2021) (finding that a vendor cannot be a third-party eavesdropping for "provid[ing] a tool . . . that allows [the defendant] to record and analyze its own data in aid of [its] business.") Relying on Graham v. Noom, What If Holdings then found that because ActiveProspect merely provided "a tool that [the defendant] used to record its own communications with plaintiff," it was not a third-party eavesdropper under section 631. What If Holdings, 2022 WL 17869275, at *3. But Assurance flatly disagreed with this reading of the statute, finding that it improperly inserted "usage" and "intention" requirements into the statute that do not exist. Assurance, 2023 WL 114225, at *6. Accordingly, Assurance held that ActiveProspect was a "third-party eavesdropper" under the statute and therefore the plaintiff plausibly alleged a claim against the website defendant.

Nearly a month later, judges in the Central District began issuing decisions on these new CIPA claims. And just as in the Northern District, the Central District judges reached different decisions within the span of a few weeks. See Byars v. Goodyear Tire and Rubber Co., No. 5:22-cv-01358-SSS-KKx, 2023 WL 1788553 (C.D. Cal. Feb. 3, 2023); Byars v. Hot Topic, Inc., No. 5:22-CV-01652-JGB-KKx, 2023 WL 2026994 (C.D. Cal. Feb. 14, 2023); Annette Cody v. Boscov's, Inc., Case No. 8:22-cv-01434-SSS-KKx, 2023 WL 2338302 (C.D. Cal. Mar. 2, 2023); Licea v. Cinmar, LLC, No. 2:22-CV-06454-MWF-JEM, 2023 WL 2415592 (C.D. Cal. Mar. 7, 2023); Licea v. Am. Eagle Outfitters, Inc., No. 5:22-CV-01702-MWF-JPR, 2023 WL 2469630 (C.D. Cal. Mar. 7, 2023.) Indeed, Judge Sunshine Sykes denied a motion to dismiss in Goodyear, holding that the plaintiff sufficiently alleged that the defendant violated CIPA. Less than two weeks later, Judge Jesus Bernal reached opposite conclusions in granting the motion to dismiss in Hot Topic. Nearly two weeks after that, Judge Sykes seemingly reversed her decision in Goodyear in granting a motion to dismiss in Boscov's. And in the most recent decisions addressing these suits, Judge Michael Fitzgerald granted motions to dismiss in Cinmar and American Eagle.

Among the key differences in the decisions was the reliance on the party exemption in finding that the plaintiff could not state a claim under section 631(a) for aiding and abetting. Hot Topic, Boscov's, Cinmar, and American Eagle each followed the reasoning from What If Holdings, concluding that the plaintiff failed to allege sufficient facts to establish facts that the third-party vendors did more than provide a software tool to the website-defendants. Hot Topic, 2023 WL 2026994, at *9-10; Boscov's, 2023 WL 2338302, at *2; Cinmar, 2023 WL 2415592, at *9; American Eagle, 2023 WL 2469630, at *8. Goodyear, however, did not address this exemption.

As for the second type of claim under 632.7, the rulings have turned on differing interpretations of whether the statute only applies to communications involving two telephones or whether it could apply to computer-based communications. Hot Topic concluded that "[t]he unambiguous meaning of the statute is thus that it only applies to communications involving two telephones." 2023 WL 2026994, at *10. Cinmar and American Eagle offered additional specificity, explaining that "a communication covered by section 632.7 must have a cellular radio or cordless telephone on one side, and a cellular radio, cordless, or landline telephone on the other side." Cinmar, 2023 WL 2415592, at *12; American Eagle, 2023 WL 2469630, at *6. These courts therefore dismissed the plaintiffs' Section 632.7 claims because they "d[id] not, and cannot, allege that Defendant [was] using a telephone on the other end." Hot Topic, 2023 WL 2026994, at *10; see also Cinmar, 2023 WL 2415592, at *12-13; American Eagle, 2023 WL 2469630, at *6. Cinmar and American Eagle further explained that merely alleging that the plaintiff used a smartphone to communicate with the website's chat-bot would still not be sufficient to state a claim. Cinmar, 2023 WL 2415592, at *12; American Eagle, 2023 WL 2469630, at *6. That is because courts recognize that smartphones operate as both a telephone and a computer and thus communications stemming from a smartphone feature that "operates like a computer . . . fall[] outside of the scope of section 632.7." Cinmar, 2023 WL 2415592, at *12.

In contrast, Goodyear and Boscov's took a broader view of Section 632.7, finding that the statute did not require communications between "two telephones." Rather, Section 632.7 prohibits "the intentional recording of any communication without the consent of all parties where one of the parties is using a cellular or cordless telephone." Boscov's, 2023 WL 2338302, at *2 (collecting cases); see also Goodyear, 2023 WL 1788553, at *5 (finding that "courts have applied § 632.7 to internet-based communications and written communications" and "there is no requirement that [the plaintiff] allege the type of telephonic device used by [the defendant].") While Boscov's dismissed the plaintiff's Section 632.7 claim for failure to specify "whether she used a smartphone or other device covered by the statute to access Defendant's website," the court granted leave to amend. Boscov's, 2023 WL 2338302, at *3.

As these decisions make clear, privacy law remains unpredictable as courts continue to grapple with the application of decades-old privacy statutes to new tracking technology. Given the uncertainty of privacy law, corporations should take proactive measures to limit potential litigation. Straightforward changes such as installing "cookie" banners or including "clickwrap" agreements to acquire consumer consent will provide formidable protection against the next wave of privacy class actions brought by the plaintiffs' bar. These changes could also help mitigate the risk of governmental inquiries, as both the FTC and CFPB have ratcheted up their enforcement efforts over the data collection practices of companies.