Last month, a district court in the Northern District of California delivered a fatal blow to the Javier saga, dismissing his claim with prejudice. Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 3933070 (N.D. Cal. June 9, 2023). As we previously reported, the court’s holding concludes a drawn-out dispute on a website operator’s and software provider’s liability under the California Invasion of Privacy Act (“CIPA”) relating to the website’s use of session replay software. The court dismissed the plaintiff’s claims for a fifth time, this time without granting leave to amend.
A brief overview: session replay software captures certain aspects of a user’s interactions on web applications (mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users’ experiences. Accordingly, session replay software allows a website operator to recreate (or “replay”) a visitor’s journey on a web site or within a mobile application or web application. Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website.
The district court previously dismissed the Plaintiff’s complaint, but it was revived by the Ninth Circuit and remanded to the district court to address three defenses: (1) whether plaintiff gave “implied consent”, (2) whether the software provider is a “third party” under CIPA (as opposed to an extension of the website operator); and (3) whether the statute of limitations had run.
Subsequently, in January of this year, the district court dismissed the complaint as being barred by the statute of limitations. The court, however, rejected the Defendants’ argument that plaintiff impliedly consented to session reply “the moment he arrived at [AssuranceIQ’s] website” and began filling out the webform, finding that there was no evidence that the plaintiff consented to the third party’s collection of information. The court additionally denied Defendants’ motion on the grounds that ActiveProspect was not a “third party,” but left open the question whether the “ubiquity of services like ActiveProspect on the internet effectively renders it party” to the communication such that the defendant would not have been an unannounced third party. The court finally found that plaintiff’s claims were barred by the statute of limitations on the grounds that his 14-month delay in filing the complaint after he visited the website barred his claims. However, the court ultimately allowed plaintiff the amend his complaint to bolster his allegations as to the “delayed discovery doctrine” such that the limitations period would not have begun to run until he discovered the collection of his data and communications, because such collection activities were “surreptitiously” concealed.
The court rejected the first argument, as AssuranceIQ’s webform informed plaintiff that it and third parties may use his information for purposes other than providing him with an insurance quote, and that third parties may “assist” AssuranceIQ with “monitoring and analyzing Site activity.”
While Javier has come to a close, CIPA cases are far from dead. Privacy World will keep you posted on further developments.