Following a surge of cases in California federal and state courts, we are now beginning to see how courts are addressing key arguments raised in threshold motions to dismiss. In particular, decisions are starting to grapple with (i) whether the live chat software provider is a “party” to the “communication,” (ii) whether the communication is “intercepted” while “in transit,” and (iii) for Section 632.7, which prohibits the unconsented recording of telephone communications, whether the statute covers online chat communications involving a cellular device. Thus far, most CIPA claims in “live chat” cases have been dismissed (many with leave to amend), but time will tell if the trend continues and how the issues play out on the merits.
CIPA Background
In enacting CIPA in 1967, the California legislature declared its “intent to protect the right of privacy of the people of this state from what it perceived as a serious threat to the free exercise of personal liberties ….” Flanagan v. Flanagan, 27 Cal. 4th 766, 775 (2002). Specifically, the Legislature found that “advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications,” creating a “serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society.” Cal. Penal Code § 630. The legislature tacked on a private right of action with up to $5,000 per violation in statutory damages. Id. § 637.2.
Some of the early targets of the plaintiffs’ bar were businesses that recorded inbound or outbound telephone calls. Plaintiffs argued that such recordings without the consent of the call participant violated CIPA Sections 632 and 632.7.
As internet-based technologies emerged as a key feature of online commerce, the plaintiffs’ bar identified new targets for CIPA claims. Plaintiffs initially focused on organizations’ use of cookie technology, which can collect information about user browsing activities. Courts grappled with how CIPA and other wiretap laws mapped onto these technologies that did not exist when the statutes were first enacted.1
The plaintiffs’ bar then pivoted to other internet-based technologies. For example, the plaintiffs’ bar targeted website operators’ use of “session replay” software, which captures certain user interactions (e.g., mouse movements, page scrolling, keystrokes) on a website or application running the software.2 Plaintiffs brought most of these CIPA claims under Section 631(a) of the statute, which makes it unlawful to “willfully and without the consent of all parties to the communication … read[], or attempt[] to read, or to learn the contents … of any message, report, or communication while the same is in transit ….” (emphasis added). That Section also prohibits anyone who “aids, agrees with, employs, or conspires with any person or persons” to commit one or more of the aforementioned acts. Id.
Since then, the plaintiffs’ bar has expanded its scope to challenge various website analytics technologies as well as “live chat” features used on websites. Over the past year and a half more than 70 putative class actions alleging violations of CIPA based on the use of live chat technology have been filed in California state and federal courts. In these cases, plaintiffs generally allege that website operators that deploy third party chat feature technology on their websites—and grant the third party access to the chat content in real time—are aiding or abetting the interception of customer communications with the website.
In addition to claims under Section 631(a), plaintiffs also have begun to assert claims under Section 632.7 in this wave of live chat litigation. Section 632.7 makes it unlawful for anyone “without the consent of all of the parties to a communication” to “intercept[] or receive[] and intentionally record[], or assist[] in the interception or reception and intentional recordation of, a communication transmitted between” any combination of cellular, landline, and cordless telephones. This Section, in contrast to Section 631(a), applies to interceptions or recordings of a qualifying communication regardless of whether the defendant is a party to the communication, and there is no specific requirement that the recording occurs while the communication “is in transit.”
California Courts Assess CIPA Chat Feature Claims
As the first wave of live chat CIPA cases reach the motion to dismiss phase, courts have considered the following issues:
Party to Communication
While California courts have held that a party cannot eavesdrop on its own conversation,3 the question becomes more nuanced when a third party provides the live chat technology. California courts have assessed whether the technology is more akin to a tape recorder utilized by the party to the conversation or an eavesdropper pressing up against a door to listen to a conversation.4 In past CIPA cases, when the third party simply captures and stores data on behalf of one of the communicants – for example, as a vendor to the website – and does not independently use and profit off the data, courts have found that the third party operates as an extension of the communicant (i.e., the website); thus, there is no aiding and abetting liability under Section 631(a).5 Courts have continued to apply this analysis in evaluating CIPA live chat claims,6 with a particular focus on whether chat data is being independently used by the third-party software provider.7
Intercepted in Transit
To state a claim under CIPA Section 631(a), the plaintiff must allege that the communication was intercepted “while in transit,” which courts have held to mean “acquired during transmission, not while it is in electronic storage.”8 California courts inundated with cookie cutter CIPA live chat complaints have largely rejected vague allegations that the interception occurred “while in transit” without additional supporting factual allegations to show how or when the interception took place. For example, in Esparza v. Lenox Corp., the Northern District of California recently dismissed the plaintiff’s complaint because the plaintiff failed to assert facts beyond the statement that some unknown third party not involved in the action “eavesdrops” somehow “in real time.”9 The court found that the plaintiff presented no theory of recovery—leaving many questions unanswered, such as “is there an actual third-party individual that is simultaneously reading the customer chat? Is it embedded code from a third-party software vendor that is automatically creating chat transcripts for someone other than defendant?”10 While the required degree of pleading specificity may not be settled, courts have found that simply stating the interception occurred “while in transit” is insufficient alone to create standing.11
Section 632.7 Telephone Requirement
On its face, Section 632.7’s requirement that the communication at issue be between two telephones12 would appear ill-suited to support a claim based on chat communications between a customer and customer support representative/bot. However, there is some inconsistency in the case law over whether Section 632.7 requires only one, or both parties, to be using a telephone, including in the context of live chat technology.13 Thus, this is likely to remain an active area of litigation until more precedent develops.
Organizations Should Proactively Review Their Chat Notifications and Consent:
While recent decisions have given organizations a number of defenses to raise at the outset of CIPA litigation, we expect the plaintiffs’ bar to continue to bring CIPA claims based on websites’ live chat features. To mitigate this risk, there are a number of actions organizations can consider taking to undercut potential CIPA claims. For example, because CIPA claims hinge on purported lack of consent, a readily accessible just-in-time notice or privacy policy that clearly and conspicuously discloses that the live chat feature collects and/or shares user information with third parties may bolster defenses to claims that rely on end users being unaware of the “interception” of their electronic communications. Similarly, requiring online users to provide unambiguous consent to the recording of their chat communications prior to the initiation of a live chat would strengthen early challenges to CIPA claims.
Organizations should consider integrating these types of chat-related efforts alongside their compliance preparations for California’s new Bot Disclosure Law, which prohibits the use of undeclared bots to communicate or interact with another person in California in order to influence the user’s purchasing or voting behaviors. See Cal. Bus. & Prof. Code § 17940. The Bot Disclosure Law does not provide for a private right of action, however, it does provide for civil penalties up to $2,500 per violation enforceable by the California Attorney General, and has been cited by plaintiffs as an underlying violation of consumer unfair competition claims.
The months ahead will provide further clarity on the direction of live chat litigation and whether the plaintiffs’ bar’s more expansive application of CIPA will gain traction in the courts or before arbitrators. Organizations and their counsel should continue to monitor developments in this evolving area of the law.
Authored by Vassi Iliadis, Bret Cohen, Adam Cooke, and Jay Ettinger.
References