Privacy Lawsuit Based on Website Tracking by Service Provider Trimmed

This is a lawsuit against Nike and its service provider (FullStory), which provides Nike with “session replay” functionality for its website. FullStory’s software allows Nike to capture information regarding website visitors: (1) mouse clicks, (2) keystrokes, (3) payment card information, (4) IP address, (5) location, and (6) browser type and OS.

On behalf of a putative class, the plaintiffs asserted privacy claims—including for wiretapping—under California law. The court dismisses FullStory, a Georgia-based corporation, for lack of personal jurisdiction. It dismisses all but one of the claims against Nike.

As an initial matter, the court says that Nike’s privacy policy does not undermine plaintiff’s claims. The operative policy was not fully authenticated or property presented to the court, and the court declines to consider it.

CIPA Claim: There’s a distinction between the “contents” of a communication (which trigger a claim) and “record information.” Nike argued that the communications at issue were in the latter category. The court disagrees:

Plaintiff argues these communications do not constitute “record information” as a matter of law and dismissal is not warranted. The court agrees. Here, the FAC alleges FullStory captures mouse movements, clicks, typing, scrolling, swiping, tapping, keystrokes, geographic location, IP addresses, and data entry. Plaintiff alleges FullStory records these and other details alongside “a video capturing each of Plaintiff’s keystrokes and mouse clicks on the website.” According to the FAC, FullStory’s software allows for the recording and “pixel-perfect playback” of all in-browser interactions, which includes any “content” information Plaintiff sent to Nike. Although not all of this information may constitute the “contents” of a communication under the federal Wiretap Act, Plaintiff has met his burden to allege facts plausibly showing Defendants recorded Plaintiff’s content communications with Nike by recording, among other things, keystrokes and a video of Plaintiff’s interactions with Nike’s website.

However, the plaintiff’s victory is pyrrhic as to this claim. The court concludes that Nike was a party to the communications and therefore can’t be held liable for direct infringement.

While the court dismisses the claim for direct liability against Nike, it declines to dismiss the claim against Nike for “aiding or enabling” FullStory’s wiretapping. The key question according to the court was whether FullStory is a party to the communication or an outsider. The court says FullStory does not become a participant to the conversation by virtue of having recorded it. While the case would be different if the communication were disclosed to FullStory after-the-fact, the fact that FullStory gained contemporaneous knowledge makes it a third party.

Defendants argued that because the data was only shared with Nike (a participant), plaintiff’s allegations “would criminalize ubiquitous functions of websites,” but the court is not persuaded.

Claim Based on Possession Sale or Manufacture of Eavesdropping Device: Section 635 of the California Penal Code prohibits the sale, possession, manufacture, sale (etc.) of an eavesdropping “device.” The complaint only alleges that Nike “possessed” FullStory’s code and did not sell or further distribute it. Citing TransUnion, the court says that this claim fails for Article III standing. While the result may be different in state court, the court says it’s bound by Article III standing limitations.

Invasion of Privacy Under the California Constitution:  The court rejects this claim:

Courts [are] hesitant to extend the tort of invasion of privacy to the routine collection of personally identifiable information as part of electronic communications.

In order to state a claim, the plaintiff must show that the defendant collected “intimate or sensitive” information or “disregarded consumers’ privacy choices.”

___

The dispute is reminiscent of In re: Pharmatrak from 20 years ago, and other website tracking/data leakage cases, such as those against Zynga and Facebook. It’s interesting to note that here, the third party was able to obtain access to payment information, but that doesn’t seem to have caught the court’s attention.

It doesn’t appear that plaintiff asserted a claim under the CCPA, by way of California’s unfair competition statute. That’s telling, and perhaps speaks to the limited effectiveness of this claim, to the extent courts even recognize it as viable.

It’s interesting that FullStory was dismissed on jurisdictional grounds and the claims directly asserted against Nike were also dismissed. It leaves only a derivative claim against Nike for the collection of information by FullStory. I wonder if that changes the operative standards for what plaintiff has to show and what this means for discovery of communications between FullStory and Nike.

Note: Defendants have sought a stay pending resolution of Susan Johnson v. Blue Nile, Inc. (pending in the Ninth Circuit), or alternatively for leave to appeal the ruling.

Case citation: Saleh v. Nike, Inc., et al., 2:20-cv-09581-FLA (RAOx) [pdf]

Related posts:

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]