California stands apart from other states in that a right to privacy is specifically included in the state constitution.  As a result, data privacy litigations are frequently filed in California courts that not only assert various violations of California statutory law, but also violation of residents’ constitutional right to privacy.  However, not all of these claims are ultimately successful—many of them are dismissed at the pleadings stage.  Indeed, last month a California district court dismissed a data privacy class action litigation involving claims brought under California law against a wellness company.  Graham v. Noom, Inc., 2021 U.S. Dist. LEXIS 68710 (N.D. Cal., Apr. 8, 2021).  Read on to learn more.

Noom is a web application that helps its users lose weight and lead healthier lifestyles.  Noom uses FullStory’s software (called “session replay”) to record what visitors are doing on the Noom website, such as their keystrokes, mouse clicks, and page scrolling, which allows companies to see how visitors use their website.

Plaintiffs, a putative California class, alleged that FullStory was illegally wiretapping their communications with Noom, and Noom aided and abetted the eavesdropping; and therefore, Plaintiffs’ right to privacy under California’s Invasion of Privacy Act (CIPA) and the California Constitution.  Specifically, Plaintiffs alleged (1) eavesdropping in violation of CIPA, (2) sale of eavesdropping software, in violation of CIPA, and (3) invasion of privacy in violation of California’s Constitution.

Plaintiffs claim they browsed Noom’s website to consider Noom’s diet offerings.  While browsing Noom’s website, FullStory’s Session Replay software purportedly captured their keystrokes and mouse clicks on the website, dates and times of their visits, duration of the visits, their IP addresses, their locations at the time of the visits, their browser types, and the operating system on their devices.  Plaintiffs also asserted in the Complaint that users of Noom’s website complete a form and enter personally identifiable information and protected health information (including height, weight, gender, age, diet, some medical information, and email address).  However, Plaintiffs asserted that this data was collected regardless of whether a user actually completed the form.

Defendants argued that the Plaintiffs did not state a statutory or constitutional claim for invasion of privacy; and moved to dismiss Plaintiffs claim on three grounds: 1) there was no wrongful eavesdropping, 2) the claim rests in part on collection of info that is not protected content, and 3) Noom’s privacy policy discloses the data collection.

Under Section 631(a) of the CIPA, an individual is liable if he or she secretly listens to another person’s conversation.  Plaintiffs argued that FullStory was not a party to the communications, and therefore is subject to CIPA liability for recording them.  The Court, however, disagreed.  Assessing Plaintiffs’ claim, the Court found there was no alleged wrongdoing, and consequently, Noom was not subject to CIPA liability.  The Court reasoned that there were no allegations that FullStory intercepted and used the data itself; rather, the Court found that FullStory is an extension of Noom because it provides a tool allowing Noom to record and analyze its own data.  To put it otherwise, the Court held that FullStory is not an independent party who mined information from Noom, and thus, it cannot be held liable under Section 631(a) of the CIPA.

Section 631(a) of the CIPA prohibits unauthorized accessing content of any communication.  In light of the statutory language, the Court dismissed Plaintiffs claim because it did not meet the definition of “content.”  Specifically, Plaintiffs did not dispute that the information it collected (IP addresses, locations, browser types, and operating systems) is not content.  The Court left open the possibility to distinguish content from other non-content records if Plaintiffs choose to amend their Complaint.

Defendants argued that Noom’s privacy policy discloses that Noom “may use various methods and technologies” to store or collect usage information, specifically referencing tracking technologies.  The privacy policy is available through a link at the bottom of Noom’s homepage.  Even then, Plaintiffs argued that they could not meaningfully consent to wiretapping through the privacy policy because the wiretapping occurred before they could read the policy at the bottom of the webpage.  However, in light of incomplete briefing on this issue, the Court declined to dismiss the Complaint on this basis.

Ultimately, the Court granted Defendants’ Motion to Dismiss, allowing Plaintiffs to amend their Complaint within 21 days.  On April 29, 2021, Plaintiffs filed a Second Amended Class Action Complaint (ECF 59).  Stay tuned with CPW to learn more about how this litigation unfolds in light of this development.