A growing area of privacy litigation concerns claims brought under federal and state wiretapping laws against website operators.  In many of those cases, plaintiffs allege that their personal information was improperly intercepted and disclosed to third parties, including in relation to information purportedly provided through a website’s chat feature.  Last month, a federal court in California rejected certain claims under these circumstances, signaling growing skepticism of this legal theory.  Licea v. Old Navy, LLC, 2023 WL 3012527 (C.D. Cal. Apr. 19, 2023).  Read on to learn more.

In Licea, Plaintiff alleged that Old Navy’s website contains an online chat feature.  Plaintiff’s claims concerned two functions allegedly embedded in the chat feature.  The first function allegedly allowed Defendant to “record[ ] and create[ ] transcripts” of all customer conversations conducted in the chat. The second function, Plaintiff asserted, allowed third-party companies to intercept customer chats in “real time” and “retain transcripts.”

Plaintiff filed suit under the California Invasion of Privacy Act (“CIPA”), seeking to represent a putative class of consumers who accessed Defendant’s website and used the chat feature.  Section 631(a) of CIPA prohibits “intentional wiretapping,” “willfully attempting to learn the contents or meaning of a communication in transit over a wire,” or “attempting to use or communicate information obtained as a result of engaging in either of the two previous activities.”  Defendant moved to dismiss the Complaint, including Plaintiff’s Section 631(a) claims.  Assessing the adequacy of Plaintiff’s complaint, the Court ruled in favor of Defendant for Plaintiff’s claims under this subsection.

Defendant first argued that Plaintiff failed to plausibly allege that any communications were intercepted in transit as required for liability under the statute.  On that front, the Court disagreed.  Resolving all reasonable inferences to be drawn from the Complaint in Plaintiff’s favor (as is required for purposes of a motion to dismiss), the Court held the allegations that Defendant (1) uses a third-party service to “covertly embed[ ] code into its chat feature that automatically records and creates transcripts of all such private conversations,” and (2) “allows at least one third party … to secretly intercept in real time, eavesdrop upon, and retain transcripts of Defendant’s chat communications with unsuspecting website visitors” sufficed in regards to this element (at least at the pleadings stage).

However, the Court ruled Plaintiff’s CIPA Section 631(a) claims failed for other reasons.  Importantly, CIPA exempts from liability any individual or entity who is a “party” to the “communication.  As a result, one participant in a conversation cannot be held to have wiretapped another.  Here, because Defendant was a party to the customer chats at issue in Plaintiff’s complaint, the party-exemption applied and Defendant could not be directly liable for wiretapping under CIPA.

Plaintiff’s Complaint alleged in the alternative that Defendant violated CIPA’s wiretap provision by “aid[ing] and abett[ing] … at least one third party to eavesdrop upon conversations.” In support of this allegation Plaintiff offered only the conclusory assertion that “Defendant … allows a third party to eavesdrop on such communications … to harvest data for financial gain”.  The Court held this allegation was insufficient to plead a claim for derivative liability under CIPA, also dismissing Plaintiff’s Section 631(a) derivative liability claim on this basis.  Notably, Plaintiff’s claim under Section 632.7 of CIIPA was found adequately pled and survived dismissal.

This case is congruent with the rulings of a handful of other courts dismissing similar CIPA claims this year although case law in this area is decidedly mixed.  CIPA precedent continues to evolve as the plaintiff’s bar seeks to expand state and federal wiretap laws to apply in the context of website analytics and chat tools.  These features are commonly used by online retailers to improve website functionality and enhance the experience of website visitors.  Moreover, most website visitors arguably consented to these practices, as these issues are frequently addressed in a company’s online terms of service.  In light of the rise in CIPA litigation, website operators have also adopted other specific privacy disclaimers or introductory statements for consumer chat sessions. For more, stay tuned.  Privacy World will be there to keep you in the loop.