Use of Certain Technologies to Track Web Session Data May be Unlawful
Attention Lead Generators
The Ninth Circuit Court of Appeals recently held that use of certain technologies on a websites in order to track and record web session data before obtaining affirmative consent may be a violation of California’s wiretap statute.
In the case of Javier v. Assurance IQ, LLC and ActiveProspect Inc. (*not precedent except as provided by Ninth Circuit Rule 36-3), Florentino Javier (“Javier”) appealed from the district court’s order granting Assurance IQ, LLC’s (“Assurance”) and ActiveProspect Inc.’s (“ActiveProspect”) motion to dismiss for failure to state a claim.
Assurance is an insurance platform that owns and operates websites where users can request life insurance quotes from Assurance and its insurance partners. To operate such websites, Assurance purportedly relies on a product created by ActiveProspect called “TrustedForm.”
TrustedForm records user’s interactions with the website and creates a unique certificate for each user certifying that the user agreed to be contacted.
In January 2019, Javier allegedly visited one such website (the “Website”). To request an insurance quote, he purportedly answered a series of questions about his demographic information and medical history. Purportedly unbeknownst to Javier, TrustedForm allegedly captured in real time every second of his interaction with Website and supposedly created a video recording of that interaction.
Javier subsequently filed a class action complaint against Assurance and ActiveProspect in the Northern District of California. He alleged that defendants violated Section 631(a) of the California Invasion of Privacy Act (“CIPA”). Cal. Penal Code § 631(a).
The district court did not reach any of Defendants’ other arguments.
The Ninth Circuit Court of Appeals considered that while written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who “reads, or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication.” Cal. Penal Code § 631(a).
The district court held that consent under Section 631(a) is valid even if it is given after the communication has taken place. The Court Appeals disagreed.
“When interpreting state law, federal courts are bound by decisions of the state’s highest court. In the absence of such a decision, a federal court must predict how the highest state court would decide the issue . . . .” PSM Holding Corp. v. Nat’l Farm Fin. Corp., 884 F.3d 812, 820 (9th Cir. 2018) (quoting Ariz. Elec. Power Co-Op., Inc. v. Berkeley, 59 F.3d 988, 991 (9th Cir. 1995)).
The Court of Appeals “must therefore predict whether the California Supreme Court would interpret Section 631(a) to require prior consent.” “The California Supreme Court has stated that another provision in CIPA, Section 632, requires prior consent even though the text of that section contains only the word “consent.” See Cal. Penal Code § 632.
It wrote that Section 632 “prohibits . . . a party . . . from recording [a] conversation without first informing all parties to the conversation that the conversation is being recorded.” Kearney v. Salomon Smith Barney, Inc., 137 P.3d 914, 930 (Cal. 2006) (emphasis added). Further, the California Supreme Court has written about Section 631:
As discussed by the Court of Appeals, secret monitoring denies the speaker an important aspect of privacy of communication—the right to control the nature and extent of the firsthand dissemination of his statements. Partly because of this factor, the Privacy Act has been read to require the assent of all parties to a communication before another may listen. Thus, the Legislature could reasonably have contemplated that [S]ection 631 . . . would prohibit the type of surreptitious monitoring of private conversations alleged here . . . . Ribas v. Clark, 696 P.2d 637, 640–41 (Cal. 1985) (emphasis added) (citations omitted).
Though both of these statements were dicta, the Court of Appeals opined that it is “bound to follow the considered dicta as well as the holdings of the California Supreme Court when applying California law.” Aceves v. Allstate Ins. Co., 68 F.3d 1160, 1164 (9th Cir. 1995) (citing Rocky Mountain Fire & Cas. Co. v. Dairyland Ins. Co., 452 F.2d 603, 603–04 (9th Cir. 1971)).
“Finally, the California Supreme Court has also emphasized that all CIPA provisions are to be interpreted in light of the broad privacy-protecting statutory purposes of CIPA. Ribas, 696 P.2d at 639–41; Smith v. LoanMe, Inc., 483 P.3d 869, 879 (Cal. 2021) (“The interpretation of section 632.7 we adopt is better aligned with the aims and declarations [of CIPA] than a narrower interpretation would be.”).”
Based on these statements by the California Supreme Court, the Court of Appeals concluded that the California Supreme Court would interpret Section 631(a) to require the prior consent of all parties to a communication. It held that Javier sufficiently alleged that he did not provide express prior consent to ActiveProspect’s alleged wiretapping of his communications with Assurance.
According to the complaint, as stated by the Court of Appeals, neither Assurance nor ActiveProspect asked for Javier’s consent prior to his filling out the insurance questionnaire online, even though ActiveProspect was purportedly recording Javier’s information as he was providing it. The Court of Appeals decided that Javier therefore alleged sufficient acts to plausibly state a claim that, under Section 631(a), his communications with Assurance were purportedly recorded without his valid express prior consent.
The Court of Appeals reversed the district court’s dismissal of Javier’s Second Amended Complaint and remanded for proceedings accordingly. It did not reach defendants’ other arguments, including whether Javier impliedly consented to the data collection, whether ActiveProspect is a third party under Section 631(a), and whether the statute of limitations had run.
A concurring opinion by the Court of Appeals stated that the lower court ruled that seeking “retroactive consent” is acceptable under California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 631. In part, the district court relied on California contract principles in making that determination. “While California contract law appears to allow for after-the-fact ratification, see Cal. Civ. Code § 1588, CIPA codified the common law tort of invasion of privacy.” See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 598 (9th Cir. 2020) (“[T]he legislative history and statutory text demonstrate that . . . the California legislature intended to protect . . . historical privacy rights when [it] passed . . . CIPA.” (simplified)).
“So rather than a contracts lens, we should review this case through a torts lens. And to my knowledge, no case shows that California has adopted retroactive consent as a defense to an invasion of privacy tort.”
You can review the opinion here.
TAKEAWAY: Website operators and lead generators that continue to rely upon third-party technologies that monitor and record web session data in the absence of prior consent, including that of California consumers, are taking risk. At least according to the Ninth Circuit, affirmative assent to website agreements such as privacy policies and terms of services is not itself tantamount to prior consent, for example, if recording has already commenced.
Richard B. Newman of Hinch Newman LLP is a leading advertising compliance and FTC defense lawyer at Hinch Newman LLP. He represents digital marketers that are subject to FTC investigations and enforcement actions.
Informational purposes only. Not legal advice. May be considered attorney advertising.