Last summer, the Court of Appeals for the Ninth Circuit buoyed plaintiffs’ lawyers interest in “session replay” software when it revived a putative class action against a website operator and a session replay software provider for violations of the California Invasion of Privacy Act (CIPA). Earlier this month, addressing issues left by the Ninth Circuit for remand, the district court dismissed the same complaint as being barred by the statute of limitations. Javier, No. 3:20-cv-02860-CRB, 2023 WL 114225 (N.D. Cal. Jan. 5, 2023). However, the District Court’s decision, in addition to giving plaintiff an opportunity to refile, rejected other defendants’ arguments on the application of CIPA to session replay software. Ultimately, the Court’s opinion may prove to bolster future plaintiff’s claims.
A short refresher on the technology at issue: session replay software captures certain aspects of a user’s interactions on web applications (mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users’ experiences. Accordingly, session replay software allows a website operator to recreate (or “replay”) a visitor’s journey on a web site or within a mobile application or web application. Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website.
In the Javier case, the plaintiff has brought claims under Section 631 of CIPA against a website operator and the maker of session replay software called “TrustedForm” (ActiveProspect). CIPA, like other state wiretap laws, provides for liability against third-party eavesdroppers and those that abet eavesdropping when one party to a communication has not consented to the eavesdropping. In reversing the previous order dismissing the case, the Ninth Circuit held that plaintiff’s allegations that he did not consent to having his session tracked before agreeing to the website’s privacy policy were sufficient. However, the Court did not address three of the defendants other defenses: (1) that the plaintiff gave “implied consent”, (2) that the software provider is not a ”third party” under CIPA, and (3) that the statute of limitations had run. On remand, the District Court rejected two of defendants’ arguments and accepted, for now, the third.
Implied Consent
Defendants first argued that even before plaintiff consented to session replay via the website privacy policy, he gave implied consent “the moment he arrived at [the operator’s] website” and began filling out a webform. The Court quickly dismissed this argument, holding that while the plaintiff’s use of the website may show that he consented to the website operator’s collection of his information, it provides no evidence that he consented to the third-party software provider’s collection of the information, which is the key question for wiretap claims.
Third-Party Eavesdropper
Defendants’ also argued that plaintiff’s CIPA claims fail because the software provider was not a “third party” under the statute; instead it was merely an “extension” or “tool” of a first party. So far, this argument has divided courts in an intra-circuit split.
One side of the split has held that where the alleged third party (the session replay software provider) is doing only what the party to the communication (website operator) directs, and does not use the information for its own benefit, then that purported third party is nothing more than ‘an extension’ of the party and cannot be liable under a statute concerned only with non-party recording. See Graham v. Noom, Inc., 533 F. Supp. 3d 823, 833 (N.D. Cal. 2021) (Beeler, J.); Johnson v. Blue Nile, Inc., No. 20-CV-08183-LB, 2021 WL 1312771, at *2 (N.D. Cal. Apr. 8, 2021) (Beeler, J.); Yale v. Clicktale, Inc., No. 20-CV-07575-LB, 2021 WL 1428400, at *3 (N.D. Cal. Apr. 15, 2021) (Beeler, J.); Williams v. What If Holdings, LLC, No. 22-cv-3780, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022) (Alsup, J.).
The other side of the split, and the winning side in Javier, holds that software providers are not “extensions” of participants to the conversation equivalent to inanimate tape recorders. See Revitch v. New Moosejaw, LLC, No. 18-CV-06827-VC, 2019 WL 5485330, at *2 (N.D. Cal. Oct. 23, 2019) (Chhabria, J.); Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1081 (C.D. Cal. 2021) (Holcomb, J.). The court in Javier emphasized that there is no intentionality or “use” requirement in Section 631 and that such a requirement would render parts of the statute superfluous.
While the Court denied defendants’ motion to dismiss on this argument, it left open the factual question for a later stage whether the “the ubiquity of services like ActiveProspect on the internet effectively renders it party” to the communication such that the plaintiff would have not been an unannounced third party.
Statute of Limitations
Finally, the defendants were successful, at least for now, on their statute of limitations argument. CIPA has a one-year statute of limitations, and the plaintiff filed his complaint 14 months after his visit to the website.
Plaintiff argued that his claims were not barred by the statute of limitations because of the “delayed discovery doctrine”, where the time did not start to run until he should have suspected that he suffered a legal injury caused by wrongdoing. The Court held that plaintiff could not invoke the delayed discovery doctrine because he admitted to “assum[ing]” that the website operator would collect his data, and thus was on notice of his potential injury and that a third party may be aiding in the collection. The Court pointed to the website’s privacy policy, which states that it “may use third party vendors to assist” with “monitoring and analyzing Site activity.” The Court also noted that there were no plausible allegations that the website “surreptitiously” hid its use of session replay software.
However, the Court ultimately decided that “it is not clear that this defect cannot be cured by amendment” and granted plaintiff leave to amend as to the delayed discovery rule.
***
With the Court granting plaintiff leave to amend, it is possible that there may still be more to come with Javier. More importantly, the Court’s rulings against defendants’ defenses can only bolster future plaintiff’s filings.
After its decision granting the motion to dismiss, the Court granted an administrative motion to relate another class action against the same session replay vendor and the parent company of the website operate for a related website. In other words, there is no signs of session replay litigation slowing down. Privacy World will be here to break down the developments. Stay tuned.