In recent weeks, several class action lawsuits have been filed in California against various companies, including Tiffany & Co., Dollar Shave Club, Goodyear Tires, MAC Cosmetics and Michael Kors USA, making the startling allegation that the companies are engaging in illegal wiretapping of on line communication with consumers. The complaints – all filed by the same attorney – allege that the defendants covertly deploy “keystroke monitoring” software that is used to intercept, monitor and record communications with visitors to their websites. Plaintiffs assert, on behalf of themselves and putative class members, that by doing so, Defendants violated the California Invasion of Privacy Act (Cal. Penal Code Section 631).
The complaints mainly relate to consumer communications with sophisticated “chatbots” that impersonate a human being in a “convincing” way. According to the complaints, chatbots not only encourage consumers to share their personal information, but record and store the entire conversation without the consumer’s knowledge or permission. Thus, any company that uses chatbots is a potential target of these class action lawsuits.
Section 631(a) of the California Penal Code imposes liability on any entity that engages in conduct prohibited by that section, i.e. “by means of any machine, instrument, device or other way ” :
(1) “intentionally taps or makes any unauthorized connection, whether physically, electrically, acoustically, by induction or otherwise, with any telegraph or telephone wire, line, cable or instrument, including wire, line , cable or instrument of any internal telephone communication system”, or
(2) “willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads or attempts to read, or learn the contents or meaning of any message, report or communication while it is in transit or passing over any wire, line, or cable, or is sent or received at any place in such condition” or
(3) “use or attempt to use, in any way or for any purpose, or communicate in any way, any information so obtained, or which aids, agrees with, employs or conspires with one or more persons to unlawfully do, permit or cause to be done any of the acts or things mentioned above in this section.”
While Section 631(a) is criminal law, California law allows alleged victims to bring a civil action. Specifically, under Section 637.2 of the Penal Code, any person who has been injured by a violation of Section 631 (among other sections of the code) may bring an action against the person who committed the violation to enjoin or restrain such violation, as well as recover damages. the greater of $5,000 per violation or three times the amount of actual damages, if any, suffered by the plaintiff. In particular, it is not necessary that the plaintiff has suffered or is threatened with suffering actual damages. In addition to these remedies, the plaintiffs in these recently filed actions are also seeking recovery of their attorneys’ fees and expenses, as well as punitive damages.
Although these recent deposits in California seem based on a new theory, they are not. For example, following the Ninth Circuit’s decision in the In re Facebook Internet Tracking Litigationwhich adopted the reasoning of the First and Seventh Circuits that “the simultaneous and unknown duplication and communication of GET requests does not excuse a defendant from liability under the [federal and state wiretap statutes’] party exception”, many lawsuits have been filed on this basis. Davis vs. Facebook, Inc.956 F.3d 589, 608 (2020).
Indeed, similar cases have been filed in Florida and recently dismissed. Specifically, in March 2021, two plaintiffs filed separate lawsuits against Whirlpool Corporation, alleging that the company unlawfully intercepted website visitor information using “session replay” technology. In these cases, the federal judge found that the state’s wiretapping law does not apply to the company’s use of marketing analytics software to capture browsing histories, personal interests or similar data. Cardoso vs. Whirlpool Corp.., Case No. 21-CV-60784-WPD, 09/15/21 and Connor v. Whirlpool Corp., Case No. 21-CV-14180-WPD, 09/15/21 (]SD Florida) Case (SD Florida). Similarly, in September 2021, another federal court judge in Florida dismissed a class action lawsuit against Costco when the court determined that mouse clicks, page views, scrolling movements and other actions did not convey content or communication. [Goldstein v. Costco Wholesale Corp., Case No. 21-CV-80601-RAR]Case No. 9:21-cv-80601 ([9/9/21] SD Florida).
However, in the most recent California filings, the plaintiffs attempt to circumvent the case law against them, focusing specifically on their communications with the defendants companies’ chatbots. While it is unclear whether these plaintiffs will ultimately succeed, it is clear that this area of the law remains up in the air, inviting further litigation.
Additionally, companies should be concerned about how such claims may affect their environmental social governance (“ESG”) efforts and subsequent reputation. MSCI, a leader in ESG efforts of rating companies, lists privacy and data security as key issues considered.
How best to avoid liability? Just as businesses must inform consumers of their privacy rights, businesses must also inform consumers of how their interactions with “chatbots” or their actions on the website will be recorded and how the data will be used, and they must seek consent to such uses before involving the consumer in the technology. California law already requires disclosure of communication with a bot, including the prohibition against misleading a consumer about the artificial nature of the bot. Cal. Bus. & Profs. Code Section 17940. Most companies using bots to interact with consumers have already adapted to these requirements. Carefully written, this same information can also use friendly language to ensure everyone understands that communications with the bot, or even clicks and keystrokes on a website, will be recorded and analyzed to improve customer service. .