Why the Website CIPA Claims Bubble Will Burst – The National Law Review
All right so I have been bombarded with questions aboutJavierover the last 10 days or so. Everyone wants the Czars take. So let me give it to you.
First, here is California Penal Code Section 631the bringer of weird wiretap claims in all of its unedited glory:
Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment in the county jail not exceeding one year, or by imprisonmentpursuant tosubdivision (h) of Section 1170, or by both a fine and imprisonment in the county jail orpursuant tosubdivision (h) of Section 1170. If the person has previously been convicted of a violation of this section orSection 632,632.5,632.6,632.7, or636, he or she is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the county jail not exceeding one year, or by imprisonmentpursuant tosubdivision (h) of Section 1170, or by boththatfine and imprisonment.
What a mess.
Read it fast and it seems to only apply to physical wiretapping. Read it slowly and it still seems that way.
But read it like a Ninth Circuit Court of Appeals panel and it applies to recording of information regarding events taking place on websites. And Im struggling with that.
Javiersays the statute applies to Active Prospect because [Section 631] makes liable anyone who reads, or attempts to read, or to learn the contents of a communication without the consent of all parties to the communication.
I see those words in there in the mishmash above. Here they are re-printed with emphasis:
Any person who willfully and without the consent ofall parties to the communication, attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this stateis [in trouble.]
So this is where I struggle.
In the first place, a website visit isnt a communication in my mind. Its an interaction with a bunch of servers with a human being on one end and a computer responding by either supplying or storing stuff on the other. I guess you can call that a sort of communication (the word is defined as the imparting or exchanging of information or news so I guess this counts) but I never think of time spent on a website as communication. But perhaps thats just me.
Getting past that, I am lost how Active Prospect is attempting to read or learn the contents or meaning of the communication when it records certain pieces of data being supplied by the consumer. As a reminder, Active Propsects Trusted Form simplyrecordsan interaction as it is taking place on a website at the behest of the website owner.This is done for the purpose of assisting the website owner to prove what took place during the web session; e.g. that a webform submission was made or that a disclosure was accepted by the consumer.
In the first place, the word store or record do not appear in this portion of 631, although those words feature prominently in 632 and other portions of the California Privacy Act. Instead 631 is focused on the literal realtime act ofunderstandingthe content of information being transferred in a communication. So if Active Prospect had agents truly listening in to the communicationi.e. watching the website visitthen I could see 631 being tripped. But merelystoringinformation is not read[ing] or learn[ing]its storing. Theres no computational assessment taking place. So nothing is being read or learned. So that should be the end of the case.
But no one seems to even be talking aboutthatissue. Everyone seems to have leapt over it.
Yet we have one more hurdle hereand its a real stunner that no one has jumped on this yet.
The final supremely interesting question in my mind is this:whenandwhereis the wiretap taking place? The statute says that the tap must take place eitherduringtransmission or as the transmission is beingsentorreceived. And, critically, the place of the tap has to bein California.
In the Active Prospect scenario it is pretty clear that the wiretap is not taking place where the information is beingsentAP is not residing on the Plaintiffs computer system like a cookie. Nor, it seems to me, is it taking placeduringtransmissionAP is not a backbone internet service provider capable of tracking the contents of signals travelling underseas cables, satellite transmissions, etc. Instead, APs conduct is taking place where the data isreceivedhere when Assurance receives the transmission.
But where is the receipt taking place?
I dont know this first hand, but I suspect the transmissions at issue were received nowhere and everywhere at the same timei.e. in cloud data centers.
Importantly, unlike Section 632that looks at the location of where the recorded party resides afterKearny Section 631 does not look at the location of the recorded party. Instead, it is focused solely onwhere the wiretap takes place.So unless Plaintiff can prove that the servers housing the AP java script that enabled the reading and learning at issue here was somehow physically located within California, this feels like a dead stick to me.
Interesting, as far as I can tellnoneof these issues were raised yet (and perhaps properly so since we are only at the pleadings stage in this case.)
Instead the big issues raised to date were: i) whether Plaintiffs consent to be recordedafterthe recording was taking place is a viable defense (district court said yes, appellate court said nothats the real thrust ofJavier); ii) whether Plaintiff impliedly consented to be recorded (no real discussion on this one yetand I like it because it could be a class killer); and iii) whether or not AP was a third-party.
This last question is an odd one.
When you read the long and laborious wording of Cal Penal Code Section 631 you dont see the phrase third party. Indeed, all you see if the words all partiessuggesting that if either party to a website communication records it without the others consent it (somehow) constitutes wiretapping.
Now that wouldnt make sense, of course, because reading or learning the content of a communication isliterallyall the recipient of a communication can do with it. So every communication (i.e. every website visit) would have a sender (the consumer) and a wiretapper (the website operator) if Californias Rule 631 were read the wayJavierreads it.
Mercifully, the California Supreme Court and other California appellate courts haveprobablyrejected this assertion, albeit in the context of cases decided before the internet existed. E.g.Warden v. Kahn,99 Cal.App.3d 805, 160 Cal. Rptr. 471, 475 (1979)([S]ection 631 has been held to apply only to eavesdropping by a third party and not to recording by a participant to a conversation.).
Relying on the old parties to a communication cant wiretap themselves line of cases a website operator should be perfectly free to record transmission of communicationsi.e. information regarding website visitswithout risk of violating CIPA. But afterJavierI really wish this line of cases was better developed and, you know, more applicable to the internet. (This is one of those examples where the expansion of substantive provisions by the courts may end up outrunning the common-sense exceptions that existed back when the substantive provisions were very narrow; see also the last 20 years of TCPA jurisprudence.)
And one otherreallyimportant thing to keep in mind. Californias famous call recording statute Section 632 is limited toconfidentialcommunications. Its wiretapping statute- Section 631 is not. So any old communication can be wiretapped.
Getting back to the pointAP is arguing it was not a third party, but rather an agent of Assurance for purposes of recoding the web session at issue. And if Assurance can record its own web session without it being wiretapping, then AP can do it for itor so the argument goes.
The problem for APand TrustedForm users everywhereis this case calledRevitch v. New Moosejaw, LLC, No. 18-cv-06827-VC, 2019 WL 5485330, at *1 (N.D. Cal. Oct. 23, 2019).
InMoosejawMoosejaw imbedded NaviStones code in its website, enabling NaviStone an online marketing company and data broker that deals in U.S. consumer data to collect visitor data such as keystrokes, mouse clicks, and page scrolling. NaviStone captured the data, de-anonymized it, and matched it with other databases, thereby creating marketing databases of identified website visitors. The district court held that the allegations plausibly pleaded a section 631(a) claim that NaviStone was a third-party eavesdropper. It rejected NaviStones contention that it received the communications directly and therefore was a party to them: it cannot be that anyone who receives a direct signal escapes liability by becoming a party to the communication. Someone who presses up against a door to listen to a conversation is no less an eavesdropper just because the sound waves from the next room reach his ears directly.
Respectfully, the Moosejaw court is bad at analogies. Navistone wasnt listening in from outside. It was seated at the table while consumers blabbed on and on with Moosejaw about their outdoor apparel needs (again, treating website visits as communications which I am still struggling with.) But at the end of the day the Moosejaw court held that Navistone wiretapped at that Moosejaw helped it do it. (Oh yeah, even though you cant wiretap yourself if you let someone else wiretap you then you can be liable for aiding and abetting the wiretapso Assurance can (theoretically) be liable for AP wiretapping, even though it could not have been directly sued for it. Fun right?)
On the other hand is the case ofGraham v FullStory20-cv-06903 Dkt. 51 (N.D. Cal. April 8, 2021). InGrahamthe Court held that a third-party that essentially gained access to the Defendants servers for the purpose of helping it to process and preserve data wasnotwiretapping:
Noom is a vendor that provides a software service that captures its clients data, hosts it on FullStorys servers, and allows the clients to analyze their data. Unlike NaviStones and Facebooks aggregation of data for resale, there are no allegations here that FullStory intercepted and used the data itself. Instead, as a service provider, FullStory is an extension of Noom. It provides a tool like the tape recorder in Rogers that allows Noom to record and analyze its own data in aid of Nooms business.22 See 52 Cal. App. 3d at 89799. It is not a third-party eavesdropper.
So is AP more like the tape recorder inGraham (that allowed only the website owner to keep records) or the tape recorder inMoosejaw(that monetized and sold those records)?
If we are being intellectually honest the resulting use of the data shouldnt matter at all. The statute prohibits reading or learningnot theuseof information read or learned. So a tape recorder is a tape recorder. And either the use of a tape recorder by the website owner is eavesdropping, or it isnt. And it isnt. If the recorded data is then sold without permissionthatmight be a problembut the problem it is isnt wiretapping.
But lets lean into theGraham/Moosejawdichotomy for a moment.
For my money a TrustedForm that is used for no reason other than to confirm that a TCPA consent was given is aGrahamscenario pure and true. TF serves a critical business record retention function and a critical evidentiary record keeping function. Thats it. And while Plaintiffs counsel are almost certainly hoping the lower court will followMoosejaw,I just dont see that happening here. AP is not selling off any data to enhance marketing efforts by third-parties.
Dont get me wrong I still struggle with the third party argument out of the gate. Feels like a square peg round hole argument given the other more significant interpretive issues I raised at the outset of this analysisbut to the extent AP is driving toward applyingGrahamas a shield, I think semantics will matter less than the facts: AP is a good company helping other good companies to do good (consumer-friendly) things. It is not stealing or compiling consumer information to sell for profit. If it were, things might be different. But it isnt. So it (and other users of APs TrustedForm product) DESERVE TO WIN.
(Reminder: Deserve to Win is a TM property of theTroutman Firm, and I even have thiscool video to prove itthanks)
So in conclusion:
Any attempt to apply 631 to website visits does violence to the words of the statute as well as common sensebut that hasnt stopped courts from doing it so far. And theyll probably keep doing itso watch out.;
I think AP will eventually win this thing becauseGrahamapplies the proper analysis and because this 631 fad is going to fizzle once Defendants actually start laying out the absurdity here;
In the meantime website operators areprobablysafe to record information about their own traffica line of cases from the 70s and 80s says thats ok (but capturing consent to do so is safest!);
DO NOT ever use any sort of third party to secretly monitor traffic on your website, record keystrokes, and then attempt to monetize non-anonymized datasuch as passwords or credit card numbers or purchasing decisions captured by a third party.Thatis trouble under CIPA (and preventing that conduct is why the Ninth Circuit ruled the way it did inJavier). If you plan to do that capture consent BEFORE you do it;
The Plaintiffs bar shouldnt be so bullish on these website CIPA cases as theyre professing to be. Sure the defense bar hasnt really found its footing here yetweve seen that beforebut they will. And when they do, these data analytic/web session recording cases are deadeven if cookie and non-consented data transfer cases continue to gain steam.
Happy Monday TCPAWorld!
Continue reading here:
Why the Website CIPA Claims Bubble Will Burst - The National Law Review