Readers of this blog are aware of the never-ending stream of lawsuits alleging that the use of third-party tracking technology to collect consumer data on company websites is tantamount to illegal wiretapping in violation of the California Invasion of Privacy Act (“CIPA”). Below, we discuss a recent decision in which a California federal court dealt a significant blow to future CIPA litigation claims.
Court Grants Summary Judgment on Plaintiff’s CIPA Claim
In Williams v. DDR Media, LLC and Lead Intelligence Inc. d/b/a Jornaya, Plaintiff alleged that DDR Media’s use of a Jornaya product, TCPA Guardian, to record Plaintiff’s keystrokes, clicks, and other interactions while visiting DDR Media’s website constituted illegal wiretapping in violation of CIPA. Specifically, Plaintiff asserted that TCPA Guardian captured her name, email address, and phone number, and that Defendants used this tracking software to tap the lines of communication between her and DDR Media’s website. Plaintiff alleged a single cause of action under CIPA § 631(a). Jornaya denied that it read, attempted to read, or to learn the contents of any information input by Plaintiff while visiting DDR Media’s website. After several rounds of motions to dismiss, the Court directed the parties to conduct limited discovery on the issues of: (1) how TCPA Guardian functions; and (2) whether Jornaya reads, or attempts to read, or to learn the contents or meaning of electronic communications. At the conclusion of this limited discovery, Jornaya then filed a Motion for Summary Judgment.
With its Motion for Summary Judgment, Jornaya submitted a detailed Declaration explaining how: (1) TCPA Guardian works; and (2) consumer data was transmitted from the DDR Media website to Jornaya’s servers. According to Jornaya, TCPA Guardian uses a script to capture, among other things: (1) consumer interactions on websites; and (2) the website’s visual characteristics, including Telephone Consumer Protection Act (“TCPA”) or other disclosure language present on a website (i.e., consumer consent to receive autodialed calls and/or texts). Jornaya further explained that an algorithm, utilizing a process known as “hashing,” transforms the data consumers input on third-party client websites that use TCPA Guardian into an alphanumeric string, and essentially discards the original consumer-entered data. The original consumer data is stored for milliseconds before it is overwritten by the hashing algorithm. Addressing this process, Plaintiff contended that a reasonable jury could conclude that the initial step of processing and evaluating the data that consumers enter constitutes reading or attempting to read, or to learn the contents of the data. In response, Jornaya argued that it could not interpret or understand consumers’ data because the hashing process transforms the consumers’ data into an incomprehensible “hash” almost instantaneously.
The Court agreed with Jornaya and, as such, granted its Motion for Summary Judgment. In its decision, the Court determined that the phrase “reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication in CIPA requires some effort at understanding the substantive meaning of the message, report or communication . . . .” Because the evidence demonstrated that the data Jornaya received automatically was transformed into a hash with no substantive meaning, the Court concluded that TCPA Guardian does not read, attempt to read, or to learn the contents or meaning of the information that is input on websites that use the TCPA Guardian software.
What Is The Significance of This CIPA Decision?
As our readers know, this CIPA decision follows in the footsteps of a recent favorable decision from Massachusetts’ highest court in which the court dismissed similar wiretapping claims. Although these decisions certainly are a win for industry, companies should anticipate that illegal wiretapping claims will continue to be filed in dual-party consent states.
If your website uses software to track consumer interactions, your company should consider reviewing: (1) if, when, and how notice of collection, or consent to collect, and use such consumer data is effectuated; and (2) with whom your company shares this information. If your company is named as a defendant in a wiretapping lawsuit, it is imperative that you evaluate whether you have viable defenses. Failing to do so may result in lengthy and costly litigation that could have been avoided.
[View source.]
