Opinion
22-cv-07465-CRB
06-09-2023
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS
CHARLES R. BREYER, UNITED STATES DISTRICT JUDGE
Plaintiffs Tyrone Hazel, Roxane Evans, Valerie Torres, and Rhonda Hyman allege that Prudential Financial employed a software provider, ActiveProspect (together, “Defendants”) to collect their information without their consent as they sought a life insurance quote. See Am. Compl. (dkt. 18). Plaintiffs bring claims for violations of Section 631 of the California Invasion of Privacy Act (“CIPA”), Invasion of Privacy under the California Constitution, and the California Unfair Competition Law (“UCL”). Id. ¶¶ 89-121.
This action is just the latest in a long line of cases challenging the use of third-party software to record website visitors' activity without their knowledge, including ActiveProspect's “TrustedForm” software in particular. In a related case, Javier v. Assurance IQ, the Court held that the plaintiff had plausibly pleaded that ActiveProspect was a third-party eavesdropper within the meaning of Section 631(a). Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 114225, at *3-6 (N.D. Cal. Jan. 5, 2023). That order, however, did not address Defendants' primary argument for dismissal of the Section 631(a) claim here: That Plaintiffs fail to plead that their communications on Prudential's website were intercepted “in transit.” Mot. (dkt. 21) at 6-9.
See, e.g., Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 114225 (N.D. Cal. Jan. 5, 2023); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275 (N.D. Cal. Dec. 22, 2022).
Finding this matter suitable for resolution without oral argument pursuant to Civil Local Rule 7-1(b), as explained below, the Court DENIES Defendants' motion as to Plaintiffs' Section 631(a) and Invasion of Privacy claims, and GRANTS Defendants' motion as to Plaintiffs' UCL claim.
I. BACKGROUND
Prudential runs an online platform for users to seek life insurance quotes. Am. Compl. ¶ 1. A user enters information about their demographics, family situation, and medical history, and then clicks “Continue, I Agree,” which signals that the user has “received Prudential's Privacy Notice,” which they can review by clicking a link on that same page. Id. ¶¶ 43, 45. Prudential's privacy notice states that it “may share your personal information, including information about your transactions and experiences, among Prudential companies and with other non-Prudential companies who perform services for us or on our behalf, for our everyday business purposes.” Id. ¶ 46.
Prudential partners with ActiveProspect to provide software for its website. Id. ¶ 36. ActiveProspect makes a software product called “TrustedForm,” a “lead certification product” that helps businesses authenticate user interactions with a website and document user consent. Id. ¶ 24. Specifically, TrustedForm is a piece of code that can be pasted into a webpage to record “keystrokes, mouse clicks, data entry, and other electronic communications of visitors to websites,” id. ¶ 28, and “begins the moment a user accesses or interacts with” that webpage. Id. ¶ 29. As a result, a website owner has a record of a users' entire interaction on its webform, which is hosted on ActiveProspect's servers. Id. ¶¶ 30-31.
Plaintiffs each visited Prudential's website between March 2022 and January 2023. Id. ¶¶ 57, 61, 65, 69. They entered the requested information, including medical information, to obtain a life insurance quote. Id. ¶¶ 59, 63, 67, 71. Plaintiffs assert that they did not know, as they filled out the webform on Prudential's website, that their information was also being “intercepted” by ActiveProspect. Id. ¶¶ 60, 64, 68, 72.
II. LEGAL STANDARD
Under Rule 12(b)(6) of the Federal Rules of Civil Procedure, a complaint may be dismissed for failure to state a claim for which relief may be granted. Fed.R.Civ.P. 12(b)(6). Rule 12(b)(6) applies when a complaint lacks either a “cognizable legal theory” or “sufficient facts alleged” under such a theory. Godecke v. Kinetic Concepts, Inc., 937 F.3d 1201, 1208 (9th Cir. 2019). Whether a complaint contains sufficient factual allegations depends on whether it pleads enough facts to “state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). A claim is plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. at 678. When evaluating a motion to dismiss, the Court “must presume all factual allegations of the complaint to be true and draw all reasonable inferences in favor of the nonmoving party.” Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, it is “not bound to accept as true a legal conclusion couched as a factual allegation.” Papasan v. Allain, 478 U.S. 265, 286 (1986); Clegg v. Cult Awareness Network, 18 F.3d 752, 754-55 (9th Cir. 1994).
III. DISCUSSION
The Court addresses the Plaintiffs' claims in the following order: First, their claim under Section 631(a) of CIPA; second, their claim for invasion of privacy under the California Constitution; and finally, their claim under the unlawful and unfair prongs of the UCL.
A. Section 631(a)
Defendants argue that Plaintiffs' CIPA claim should be dismissed for two reasons. First, Plaintiffs fail to plausibly plead that their communications were intercepted “in transit”; and second, they fail to plausibly plead that ActiveProspect was a third-party eavesdropper.
1. “In Transit”
To bring a claim under the second prong of Section 631(a), a plaintiff must plead that another person “willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state.” Cal. Penal Code § 631(a) (emphasis added).
Courts often look to the federal Wiretap Act, which prohibits the unauthorized “intercept[tion]” of an “electronic communication,” to interpret the “in transit” prong of Section 631(a). See, e.g., Licea v. Cinmar, LLC, No. CV 22-6454-MWF (JEM), 2023 WL 2415592, at *9 (C.D. Cal. Mar. 7, 2023); cf. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606-07 (9th Cir. 2020) (applying the same caselaw to interpret the “party exception” to the federal Wiretap Act and Section 631). Under the Wiretap Act, courts define “interception” narrowly: for data to be “intercepted,” “it must be acquired during transmission, not while it is in electronic storage.” Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 878 (9th Cir. 2002); see also NovelPoster v. Javitch Canfield Grp., 140 F.Supp.3d 938, 951-954 (N.D. Cal. 2014) (applying Konop to dismiss Wiretap Act and CIPA claims). Thus, “any ‘interception under the meaning of the statute must occur during transmission of the communication.” NovelPoster, 140 F.Supp.3d at 953 (citing Konop, 302 F.3d at 878); see also Mastel v. Miniclip SA, 549 F.Supp.3d 1129, 1137 (E.D. Cal. 2021) (“[T]he crucial question under § 631(a)'s second clause is whether [plaintiff] has plausibly alleged that [defendant] read one of his communications while it was still in transit, i.e., before it reached its intended recipient.”).
Plaintiffs allege that ActiveProspect's software “records consumer interactions with a website in real time.” Am. Compl. ¶ 2. By embedding ActiveProspect's TrustedForm software onto their webforms, websites can “surreptitiously observe and record visitors' keystrokes, mouse clicks, and other electronic communications,” beginning from the moment a user accesses the webpage, through TrustedForm's “VideoReplay” feature. Id. ¶¶ 3, 25, 29. This “data collection occurs in real time,” when “the verification server [ActiveProspect] collects information about the visitor and the lead generator [Prudential] during the communication session.” Id. ¶ 30. Once a user is moving through the webform, ActiveProspect's server “begins to monitor the webpage for any changes,” that is, any mouse movements, mouse clicks, scrolling, or data entry. Id. ¶ 31. These VideoReplay files are then stored on ActiveProspect servers. Id. ¶ 33.
Plaintiffs' allegations are far more specific than the conclusory allegations regularly held to fail to plead an interception “in transit” under CIPA and the Wiretap Act. See, e.g., Rosenow v. Facebook, Inc., No. 19-CV-1297-WQH-MDD, 2020 WL 1984062, at *7 (S.D. Cal. Apr. 27, 2020) (pleading only that “Yahoo knowingly used an algorithm to intercept and scan Plaintiff's incoming chat messages for content during transit before placing them in electronic storage” was conclusory); Rodriguez v. Google LLC, No. 20-CV-04688-RS, 2022 WL 214552, at *2 (N.D. Cal. Jan. 25, 2022) (“Using the word ‘intercept' repeatedly is simply not enough without the addition of specific facts that make it plausible Google is intercepting their data in transit.”); Valenzuela v. Keurig Green Mountain, Inc., No. 22-CV-09042-JSC, 2023 WL 3707181, at *5 (N.D. Cal. May 24, 2023) (holding that allegations that do “little more than restate the pleading requirement of real time interception” do not state a claim under CIPA).
Further, neither of the two documents Defendants point to-ActiveProspect's TrustedForm patent nor the article on ActiveProspect's community forum-squarely contradict Plaintiffs' allegations. Defendants point to Figure 1 of the patent, which shows the visitor (i.e., Plaintiffs), with an arrow pointing to the lead generator (i.e., Prudential) and two arrows from the lead generator to the verification server (i.e., ActiveProspect) and a lead buyer (i.e., a third party who may be interested in offering Plaintiffs a life insurance quote). See RJN Ex. 1 at 2. But the patent also states that that Figure 1 “illustrates a simplified block diagram of a communication system that may be utilized according to an embodiment of the present disclosure,” in other words, it cannot be relied upon to show that, as a matter of law, a user's information is always stored with the lead generator before it is transferred on to the verification server. Id. at 9; see also id. (stating that the figures are “by way of illustration only” and the “invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein”). Therefore, whether the process by which ActiveProspect's server becomes “aware” of the user filling out the webform and begins “monitoring the web page for any changes” happens while the user's communication with the website is “in transit” or in storage under Section 631(a) cannot be answered as a matter of law by reference to the patent alone. Am. Compl. ¶ 31 (quoting RJN Ex. 1). And though the forum article does not state that recording of the customer's activity on the website hosting TrustedForm begins “the moment a user accesses or interacts with a webpage using TrustedForm,” Id. ¶ 29, it does state that Trusted Form “records” a user's “interact[ions] with the webpage” such as when they “enter text into fields, change drop-downs, click on buttons, or move[] the mouse,” and the “lead generator” (i.e., Prudential) “can control when TrustedForm . . . begins recording a consumer's interaction with a web page.” Reply RJN Ex. A. Presumably, then, Prudential could have set TrustedForm to begin recording Plaintiffs' movements the moment they began using the webform, as Plaintiffs allege.
The Court incorporates by reference ActiveProspect's TrustedForm patent, which is quoted extensively in the amended complaint, and the article on ActiveProspect's community forum titled “Active Prospect's Session Replay,” which forms the basis of Plaintiffs' allegation that ActiveProspect's “recording” begins “the moment a user accesses or interacts with a webpage using TrustedForm.” Am. Compl. ¶¶ 23, 29 & n.9, 30-31; RJN (dkt. 22) at 1; Reply RJN (dkt. 25) at 1; Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1002 (9th Cir. 2018). Incorporation by reference “prevents plaintiffs from selecting only portions of documents that support their claims, while omitting portions of those very documents that weaken-or doom-their claims.” Khoja, 899 F.3d at 1002. By citing portions of the patent and website and seeking to shield the rest from the Court's consideration, Plaintiffs attempt to do exactly that.
In sum, neither of these documents squarely contradict Plaintiffs' otherwise plausible allegation that TrustedForm recorded their actions on Prudential's website before their information was stored by Prudential. Whether that information was intercepted by TrustedForm before it was stored by Prudential as Plaintiffs allege, or vice versa, is a question for summary judgment.
2. Third-Party Eavesdropper
As in Javier, Defendants again argue that ActiveProspect is not a third-party eavesdropper to the Plaintiffs' communications with Prudential. Recognizing that Defendants primarily make this argument to preserve it for appeal because the Court discussed it at length (and disagreed) in Javier, the Court addresses this argument briefly for the sake of a full record.
Defendants contend that the question that must be asked to determine whether ActiveProspect is a third party is “whether it undertook the alleged recording of the data on its own or on Prudential's behalf.” Reply (dkt. 24) at 6. But, as the Court articulated in Javier, the concern is not on whose behalf the recording is undertaken, but whether the recorder is capable of using the recording for other ends. Javier, 2023 WL 114225, at *6. That is the difference between the tape recorder in Rogers and the eavesdropping friend in Ribas, and that is why ActiveProspect's TrustedForm software is not, as a matter of law, more akin to the former than the latter. Id.; Am. Compl. ¶ 35.
Defendants also argue that because ActiveProspect's standard form End User License Agreement would only allow ActiveProspect “to use aggregate data” for other purposes, it thus could not use “Plaintiffs' individual information for its own benefit.” Reply at 7 (quoting Am. Compl. ¶ 35 (emphasis added)). But just because ActiveProspect may be able to use Plaintiffs' information in aggregate for other purposes, and not individually for other purposes, does not mean that ActiveProspect is any less an eavesdropper, or any more a tape recorder, under Section 631(a).
Because both of Defendants' arguments for dismissal of the Section 631(a) claim fail, their motion is denied as to that claim.
B. Invasion of Privacy
To state a claim for invasion of privacy under the California Constitution, Plaintiffs must plead (1) a legally protected privacy interest, (2) a reasonable expectation for privacy, and (3) that the intrusion is so serious as to amount to an egregious breach of the social norms. Facebook Tracking, 956 F.3d at 601 (citing Hernandez v. Hillsides, 47 Cal.4th 272, 287 (2009)). Defendants argue only that Plaintiffs fail to meet the third prong.
To plead that the intrusion represented an “egregious breach of the social norms,” courts consider whether a defendant's actions were “highly offensive to a reasonable person.” Id. at 606 (quoting Hernandez, 47 Cal.4th at 287). This requires a “holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive.” Id. This inquiry also “focuses on the degree to which the intrusion is unacceptable as a matter of public policy.” Id.
Plaintiffs allege that ActiveProspect's VideoReplay feature records a website visitor's “keystrokes, mouse clicks, and data entry,” as well as the amount of time spent on the website and the geographic location of the visitor. Am. Compl. ¶ 28. This monitoring can begin “the moment a user accesses or interacts with a webpage,” before the user has the opportunity to review the website's privacy notice. Id. ¶¶ 29, 45-48. When filling out the form to get a life insurance quote on Prudential's website, Plaintiffs entered their medical information, including their height and weight, their medical conditions (including mental and psychological conditions), and treatment history, including their use of prescription medications. Id. ¶¶ 39, 43.
The Court cannot conclude, as a matter of law, that ActiveProspect's collection of this sensitive information would not be “highly offensive to a reasonable person.” Defendants point to a line of cases that hold that collection and disclosure of routine commercial information is not a “highly offensive” intrusion of privacy. See, e.g., Low v. LinkedIn Corp., 900 F.Supp.2d 1010, 1025 (N.D. Cal. 2012); Hammerling v. Google LLC, 615 F.Supp.3d 1069, 1090 (N.D. Cal. 2022). But the information collected in those cases-primarily a user's browsing history and related data-is far less personal than the Plaintiffs' self-assessment of their medical history in Prudential's webform. See Am. Compl. ¶¶ 39, 43; see also Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118, at *7 (N.D. Cal. Apr. 6, 2023) (holding that allegations that the defendant collected “sensitive health and personal safety information,” from plaintiffs were sufficient to plead a “highly offensive” intrusion).
Of course, as Defendants point out, Plaintiffs “voluntarily provided” their health information so they could obtain a life insurance quote. And they did-to Prudential. But they did not agree to be monitored by ActiveProspect as they moved through Prudential's webform, before they even had the opportunity to review Prudential's privacy notice. Courts consider surreptitious monitoring a critical factor in deciding whether a plaintiff has plausibly pleaded that an intrusion is “highly offensive.” See Facebook Tracking, 956 F.3d at 606 (pointing to “allegations of surreptitious data collection” as a key reason why the plaintiffs' allegations should survive a motion to dismiss).
Finally, Defendants point to a line of cases reasoning that a highly offensive intrusion cannot occur where a plaintiff does not plead a similarly highly offensive use of the information, such as selling the plaintiffs' personal data. Folgelstrom v. Lamps Plus, Inc., 195 Cal.App.4th 986, 993 (2011), as modified (June 7, 2011); Sunbelt Rentals, Inc. v. Victor, 43 F.Supp.3d 1026, 1036 (N.D. Cal. 2014); Mitchell v. Reg'l Serv. Corp., No. C 13-04212 JSW, 2014 WL 12607809, at *5 (N.D. Cal. Apr. 23, 2014). The Court notes that it could be argued that ActiveProspect's use of Plaintiffs' data to “certify” them as “leads” for buyers does, in fact, exceed Plaintiffs' reasonable expectations of what their information would be used for. See, e.g., Am. Compl. ¶¶ 24, 36-37. But even if it is a close question whether such use is highly offensive or mere “routine commercial behavior,” the Court is mindful of the Ninth Circuit's instruction that whether an intrusion is highly offensive is not typically a question that should be resolved at the pleading stage. See Facebook Tracking, 956 F.3d at 606; Katz-Lacabe, 2023 WL 2838118, at *8. Accordingly, Plaintiffs' claim for invasion of privacy survives Defendants' motion.
C. UCL
Finally, Defendants argue that Plaintiffs fail to state a UCL claim because they fail to demonstrate UCL standing. The Court agrees.
“[T]o bring a UCL claim, a plaintiff must have UCL standing, which is distinct from Article III standing.” See, e.g., Mastel, 549 F.Supp.3d at 1144. To demonstrate UCL standing, a plaintiff “must establish that they (1) suffered an injury in fact and (2) lost money or property as a result of the unfair competition.” Birdsong v. Apple, Inc., 590 F.3d 955, 959 (9th Cir. 2009) (citing Cal. Bus. & Prof. Code § 17204); see also Ehret v. Uber Techs., Inc., 68 F.Supp.3d 1121, 1132 (N.D. Cal. Sept. 17, 2014) (“[A] federal plaintiff's [Article III] injury in fact may be intangible and need not involve lost money or property . . . a UCL plaintiff's ‘injury in fact' [must] specifically involve lost money or property.” (internal quotation marks omitted)).
Plaintiffs allege that they shared personal data with Prudential that ActiveProspect intercepted without their knowledge or consent; that ActiveProspect made money off of their data; and that their data is a valuable commodity. See Am. Compl. ¶¶ 3-4, 36-37, 56. But just because Plaintiffs' data is valuable in the abstract, and because ActiveProspect might have made money from it, does not mean that Plaintiffs have “lost money or property” as a result. See, e.g., Hart v. TWC Prod. & Tech. LLC, 526 F.Supp.3d 592, 603 (N.D. Cal. 2021); Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1040 (N.D. Cal. 2019) (“That the information has external value, but no economic value to plaintiff, cannot serve to establish that plaintiff has personally lost money or property.”); In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767, 804 (N.D. Cal. 2019) (“Facebook may have gained money through its sharing or use of the plaintiffs' information, but that's different from saying the plaintiffs lost money.”). Plaintiffs' argument to the contrary relies on cases holding that tracking and collection of data is an injury sufficient to confer Article III standing. See, e.g., Facebook Tracking, 956 F.3d at 600. Of course, as many courts have pointed out, a plaintiff may have Article III standing but nevertheless fail to demonstrate UCL standing. See Ehret, 68 F.Supp.3d at 1132 (remarking that “standing under the UCL is far narrower than traditional standing requirements”). As a result, Plaintiffs' UCL claim is dismissed.
Because Plaintiffs' UCL claims fail on standing grounds, the Court need not address Defendants' other arguments for their dismissal.
IV. CONCLUSION
For the foregoing reasons, the Coni! DENIES Defendants' motion as to Plaintiffs' Section 631 and invasion of privacy claims and GRANTS Defendants' motion as to Plaintiffs' UCL claims.
IT IS SO ORDERED.