In an unpublished decision issued May 31 by the US Court of Appeals for the Ninth Circuit, the Court interpreted the California Invasion of Privacy Act, CA Penal Code § 630 et seq. (CIPA), and ruled that the plaintiff had alleged a claim under Section 631(a) of the CIPA, reversing a district court holding that consent under Section 631(a) was valid even if given after the communication between a website and a website user had taken place. Javier v. Assurance IQ, LLC, DC No. 4:20-cv-02860-JSW. This ruling creates an additional compliance obligation for businesses that collect information from California users of the business’s website before obtaining express prior consent.
The Court’s Holding. Under the facts in issue, the Court considered whether a website operator that was gathering consumer insurance leads using a third-party software product that recorded California users’ interactions with such website required the potential customer’s consent before the customer provided any personal information (the flow of the website required the consumer to consent to the use of his/her information after completion of the online insurance questionnaire). The Court’s opinion reversing the district court hinged on its interpretation of Section 631(a) of the CIPA, which provides in relevant part as follows:
Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment in the county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both a fine and imprisonment in the county jail or pursuant to subdivision (h) of Section 1170 (emphasis added).
In reaching its decision, the Court held that “the California Supreme Court would interpret Section 631(a) to require the prior consent of all parties to a communication.”[i] In so holding, the Court reversed the district court’s decision to grant the defendant’s motion to dismiss on this claim. Importantly, the Court found that the website in issue was “recording [the plaintiff’s] information as he was providing it, . . . [and] therefore alleged sufficient facts to plausibly state a claim that, under Section 631(a), his communications . . . were recorded . . . without his valid express prior consent.”
This holding’s implications are significant with respect to website operators’ collection of customer information in California. Although certain obligations already exist in California law with respect to the collection of consumer information,[ii] this ruling is certain to entice the plaintiffs’ bar to allege violations of the CIPA in instances where a website operator does not obtain prior express consent from a website user before collecting information about such user.