In just the past few weeks, multiple class actions have been filed in California against a variety of companies, including Tiffany & Co., Dollar Shave Club, Goodyear Tires, M.A.C. Cosmetics and Michael Kors USA, making the surprising allegation that the companies engage in illegal wiretapping of online communications with consumers. The complaints—all filed by the same lawyer—allege that the defendants secretly deploy “keystroke monitoring” software that is used to intercept, monitor and record communications with visitors to their websites. The plaintiffs assert, on behalf of themselves and putative class members, that by doing so, the defendants have violated the California Invasion of Privacy Act (Cal. Penal Code Section 631).
The complaints primarily revolve around consumers’ communications with sophisticated “chatbots” that “convincingly” impersonate an actual human. According the complaints’ allegations, the chatbots not only encourage consumers to share their personal information but record and store the entire conversation without the consumer’s knowledge or permission. Thus, any company that uses chatbots is a potential target of these class action lawsuits.
Section 631(a) of California’s Penal Code imposes liability upon any entity that engages in conduct prohibited by that section—i.e., “by means of any machine, instrument, contrivance, or in any other manner”:
(1) “intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system,” or
(2) “willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state” or
(3) “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section.”
While Section 631(a) is a criminal statute, California law allows alleged victims to bring a civil lawsuit. Specifically, under Penal Code Section 637.2, any person who has been injured by a violation of Section 631(among other code sections) may bring an action against the person who committed the violation to enjoin or restrain any such violation, as well as obtain damages of the greater of $5,000 per violation or three times the amount of actual damages, if any, sustained by the plaintiff. Notably, the plaintiff need not have suffered or be threatened with actual damages. In addition to these remedies, the plaintiffs in these recently filed actions also seek recovery of their attorneys’ fees and costs, as well as punitive damages.
While these recent filings in California seem based on a novel theory, they are not. For instance, in the aftermath of the Ninth Circuit’s ruling in the In re Facebook Internet Tracking Litigation, which adopted the First and Seventh Circuits’ reasoning that “simultaneous, unknown duplication and communication of GET requests do not exempt a defendant from liability under the [federal and state wiretap statutes’] party exception,” numerous lawsuits were filed on that basis. Davis v. Facebook, Inc., 956 F.3d 589, 608 (2020).
Indeed, similar cases were filed in Florida and recently dismissed. Specifically, in March 2021, two plaintiffs filed separate lawsuits against Whirlpool Corporation alleging that the company unlawfully intercepted website visitor information by using “session replay” technology. In those cases, the federal judge found that the state’s wiretapping law does not apply to the company’s use of marketing analytics software to capture browsing histories, personal interests, or similar data. Cardoso v. Whirlpool Corp., Case No. 21-CV-60784-WPD, 9/15/21 and Connor v. Whirlpool Corp., Case No. 21-CV-14180-WPD, 9/15/21(] S.D. Florida) Case ( S.D. Florida). Likewise, in September 2021, another Florida federal court judge dismissed a class action against Costco when the court determined that mouse clicks, pages viewed, scroll movements and other actions do not convey contents or communications. [Goldstein v. Costco Wholesale Corp., Case No. 21-CV-80601-RAR], Case No. 9:21-cv-80601 ([9/9/21] S.D. Florida).
However, in the most recent California filings, the plaintiffs attempt to plead around the case law against them, focusing specifically on their communications with the defendant companies’ chatbots. While it is unclear whether these plaintiffs ultimately will succeed, it is clear that this area of the law remains unsettled, inviting further litigation.
Additionally, companies need to be concerned about how these claims can affect their Environmental Social Governance (“ESG”) efforts and related reputation. MSCI, a leader in rating companies’ ESG efforts, lists privacy and data security as key issues taken into account.
How can liability best be avoided? Just as companies must inform consumers about their privacy rights, so too should companies inform consumers how their interactions with “chatbots” or their actions on the website will be recorded and how the data will be used, and they should seek consent to such uses before engaging the consumer with the technology. California law already requires disclosure of a communication with a bot, including prohibiting misleading a consumer about the artificial nature of the bot. Cal. Bus. & Profs. Code Section 17940. Most companies using bots to interact with consumers have already adapted to these requirements. Drafted carefully, these same disclosures can also use consumer-friendly language to ensure that everyone understands that communications with the bot—or even the clicks and keystrokes on a website—will be saved and analyzed to improve customer service.