Consent Via “Clickwrap” Defeats Privacy Claims–Javier v. Assurance

Javier got a life insurance quote from Assurance. It appears this page contained javascript served from a vendor named ActiveProspect (via a service called “TrustedForm”), which tracks each user on Assurance’s site and records the users’ keystrokes. For Assurance, these recordings provide confirmation that each user consented to its phone calls–which helps rebut TCPA claims. Assurance’s fears were well-founded. Javier brought a TCPA claim for unwanted phone calls from Assurance…but he then pivoted to a lawsuit over the ActiveProspect tracking/recording when he discovered that.

Assurance’s site included this screen display:

(Screenshot note: you see the hatted-A, which is normally an indicator of some formatting problem with the page. This suggests that the page didn’t load properly or this isn’t an authentic screenshot of what Javier saw. The court doesn’t address this defect with the screenshot, but I would have wanted to know more if I had been the judge).

Assurance took the position that the linked privacy policy adequately disclosed its conduct, and thus Javier consented to it and negated the privacy claims. Javier challenged it in 3 ways:

Retroactive Consent. Javier claimed that ActiveProspect’s tracking started before he purportedly consented, so his consent came too late. The court responds:

the Court has found no case addressing retroactive consent in the privacy context. However, outside of privacy law, California courts frequently uphold retroactive consent as valid…The privacy policy here is phrased in present tense—“we collect” data when “you use our Services,” not “we will collect”—and thus gives fair notice that Javier consents to actions that may have already taken place.

The court adds in a footnote: “The data collection here occurred mere minutes and seconds before Javier gave consent during a single website visit. The Court does not address facts not before it, such as where data was collected months or weeks before.”

I’m not sure if this issue has been addressed in the literature. If not, writing about retroactive privacy consent sounds like a good paper topic. There are other scenarios to address. Could Assurance/ActiveProspect have cured the lack of consent if they immediately flushed the tracked data at the session end if Javier hadn’t asked to view his quote? Would a cookiewall or similar pop-up notification have provided sufficient consent to permit tracking immediately?

Insufficient Notice. The court says that the privacy policy constituted a “clickwrap.” This seems to be a misnomer, because typically now a clickwrap requires a second click. Assurance’s process is closer to the abysmal “sign-in-wrap” term. I’m OK with the misnomer because I think Assurance’s formation process here should be legally indistinguishable from the two-click “clickwrap.” Javier unsuccessfully challenged the UI of Assurance’s clickthrough:

the webpage on which Javier provided consent was uncluttered, with only a few entry fields followed by the disclosure on a single page; the text placed hyperlinks in a different color to indicate their selectability; and there were no additional features, such as a dark background or additional links having different formatting, that would have obscured the notice….Viewed holistically, the clean and uncluttered page by which Javier affirmatively consented, while having full ability and immediate opportunity to read the privacy policy, shows that he had sufficient notice

Privacy Policy Terms. Javier claimed the privacy policy disclosures didn’t adequately disclose the specific tracking method. The court responds:

The policy clearly indicates that Assurance tracks activity on its website and may use third party vendors to do so. The policy as a whole is only two pages long, which means that none of the terms are buried or obscured. That the privacy policy also discusses other types of tracking, such as data collection for purposes of personalization, does not detract from its plain disclosures elsewhere

This ruling does not address the situation where a prospective customer visits the site but never clicks through the screenshot above. It appears Assurance and its vendor will still track and record the user, but the user won’t have consented via the “clickwrap,” but also wouldn’t receive any unsolicited phone calls because the user didn’t enter a phone number. What happens in that case? I wonder if Article III standing would pose a barrier there.

Case citation: Javier v. Assurance IQ, LLC, 2021 WL 940319 (N.D. Cal. March 9, 2021)