Dear Retail Clients and Friends:
There has been a string of recent class action complaints filed and threatened against various retailers pursuant to the California Invasion of Privacy Act (CIPA), California Penal Code Section 631. The claims center around chat or session replay functions of ecommerce websites. This edition of Morgan Lewis Retail Did You Know? takes a look at the legal issues related to these claims, including potential defenses.
California Penal Code Section 631, California’s “wiretapping” law, makes liable anyone who “reads, or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication.” Although written in terms of wiretapping, Section 631(a) has been found to apply to communications conducted over the internet. See Javier v. Assurance IQ, LLC, 2022 WL 1744107, at *1 (9th Cir. May 31, 2022). Violations of Section 631 are “punishable by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment,” or both.
In these recently filed lawsuits, the plaintiffs allege there is “illegal wiretapping” of communications on a retailer’s website by the retailer using “keystroke monitoring” software without consumers’ consent.
Although there are slight variations in the individual plaintiffs’ factual allegations, the plaintiffs generally allege that they visited the retailer defendant’s website and communicated on the website with someone whom they believed to be a customer service representative. After engaging in these communications, the plaintiffs allegedly discovered that the website uses a “chatbot” program that impersonates an actual human and encourages consumers to share their personal information.
Regardless of whether the communications occur with a chatbot or a real person, the claim is that the retailer logs, records, and stores the conversations using embedded wiretapping technology. There are also sometimes allegations that the contents of the chat or keystroke monitoring are intercepted by or shared with third parties.
As more fully set forth below, we believe these claims have no merit.
Retailers facing such allegations have a number of available defenses, which can be considered early on in a case. These potential defenses include, but are not limited to, the following.
Liability Requires a Third-Party Communication
To state a claim, the consumer must allege that the defendant was a third party to the communications. Courts have held that where the defendant is a party to communications with a consumer, it has no liability to the consumer under California’s wiretapping law. See Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 519 (C.D. Cal. 2021).
Is the Alleged Recorded Information ‘Content’ Under CIPA?
Courts have held that a customer's keystrokes, mouse clicks, pages viewed, IP address, and similar information do not constitute “content” under CIPA. See Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1082-83 (C.D. Cal. 2021).
Injury and Standing to Seek Injunctive Relief
Where a consumer alleges that a company merely possesses software that allegedly recorded the consumer’s keystrokes and other interactions with the company’s website, the consumer may lack standing to bring a claim under CIPA. See Saleh, 562 F. Supp. 3d at 522-23. A plaintiff similarly lacks standing to seek injunctive relief if they fail to plead their intent to use the website in the future. See Graham v. Noom, Inc., 533 F. Supp. 3d 823, 836 (N.D. Cal. 2021).
Prior Consent Is a Defense Under CIPA
Prior consent is an absolute defense to a CIPA claim. In some instances, defendants may be able to argue that the consumer provided prior consent to the communications or interactions at issue. The availability of this defense will depend on the particular circumstances surrounding the consumer’s interaction with the website.
We can leverage our experience defending similar actions and offer a class action defense team that has been repeatedly recognized as one of the best in the nation. We can also offer guidance to our clients on strategies to mitigate risks of these types of lawsuits, including through the development of online disclosures, prior consent agreements, and enhancements to privacy policies. We can help retailers be sure that they address these issues in ways that comply with accessibility and other requirements.
If you have any questions or would like more information on the issues discussed in this Retail Did You Know?, please reach out to your Morgan Lewis contact or any of our retail practice leaders: