CHAT BOTS AND COOKIES AND PIXELS, OH MY!

VOLUME 1, 2024, PRIVACY LAW SECTION JOURNAL

Written by Jennifer M. Oliver*

While more U.S. states are introducing and enacting new privacy legislation, plaintiffs are increasingly turning to laws that have been on the books for 50 or more years to pursue individual and class action privacy litigation against companies using software vendors to analyze web traffic or ad tracking technology, such as Meta Platforms Inc.’s Pixel tracking tool.

Session replay software, third-party chat features, and pixels are commonplace on consumer-facing websites. But now plaintiffs are alleging that when these tools capture browsing data and share it with third parties, for example software providers and social media companies, the companies utilizing them violate state wiretap acts—notably in Florida, Illinois, Pennsylvania, and, perhaps most commonly, California. Several district court decisions allowing these claims to proceed past the pleading stage, on a theory of aiding and abetting against a website owner that allows a third party to facilitate its chat function, have emboldened class action attorneys in California.[1]

California courts have seen a significant uptick in putative class actions under Section 631 of California’s “wiretapping” statute.[2] There, plaintiffs claim that where a third-party provider of chat, session replay, or Pixel functionality has simultaneous, real-time access to website “communications,” without the website user’s knowledge or consent, the website operator is “aiding and abetting” the third-party vendor’s Section 631 violation.

And a review of class actions on the public dockets reveals only the tip of the iceberg: there are many more individual private arbitrations being filed against companies with arbitration clauses contained in their website terms and conditions as well. Because a putative plaintiff need only visit a public-facing website to bring a claim, it is relatively easy for plaintiffs’ firms to amass a large number of individual arbitration claimants. While many companies believe that mandatory arbitration clauses and class action waivers are protecting them from costly class action litigation in court, when dozens or even hundreds of individual claims are filed, the cost of filing fees alone can compound and exceed the cost of in-court litigation. For example, cases with only a single $5,000 violation represent a significant percentage of the value of each individual claim.

CHAT AND SESSION-REPLAY CASES

Chat and session replay software were the subject of the first wave of suits in California courts. Chat bots are familiar to most internet users: many consumer-facing websites use a third-party chat provider to enable the feature on their site, allowing consumers to chat in real time with consumer service representatives. But where a third party has access to those chats, and consumers do not consent to that access, plaintiffs will allege that a wiretap has occurred. Session-replay software allows website operators to record mouse movements, keystrokes, and search information inputted into websites, as well as pages and content viewed.

In this way, session-replay software allows a website operator to “replay” a visitor’s journey on a website or within a mobile or web application. Rather than focusing on user activity after leaving a particular website, session-replay software focuses on how a user interacts with a specific website. Marketing departments use this data to better understand the users’ experiences and gain visibility into the bugs, errors, or confusing moments they may encounter.

Again, if the session replay vendor has access to the session replay data, plaintiffs will allege that a wiretap has occurred.

One key consideration is whether any involved session replay vendor or service provider is limited by agreement (or otherwise) to using the website activity data only to analyze the website’s functionality for the company’s benefit, rather than for the provider’s own independent purposes. There is at least some good news for website operators on this front: at least one court has held that session-replay technology cannot form the basis of a California Invasion of Privacy Act (CIPA) claim because a service provider does not use the data for its own purposes; it is an extension of the website provider, and a party cannot “tap its own wire.”[3]

However, even where there are such terms favorable to defendants, they can be challenging to introduce at the motion to dismiss stage where defendants are limited to the four corners of the pleadings.

But, on the other hand, in Saleh v. Nike, Inc.,[4] the court found that where a third-party software provider has simultaneous, real-time access to a customer’s website communications, without the customer’s consent, that third-party vendor cannot avail itself of the rule that parties to a communication cannot also be wiretappers under CIPA. Although that logic would seem to implicate the vendor as the “wiretapper” and not the website operator, the Saleh court went on to find that the website operator “aided and abetted” the violation, creating a real risk for website operators embedding chat software to communicate with California customers.[5]

META PIXEL CASES

Perhaps the most popular brand of wiretapping cases as of late are those involving use of the Meta Pixel tracking tool. The Meta Pixel is free code, courtesy of Meta, that can be used on a company’s website to track user activity. Used by companies for targeted advertising, the code transmits certain information about a user’s interaction with a website that uses the Pixel to Meta, including the HTTP headers, pixel-specific data (Pixel ID and cookie), and other information based on company configuration.

Here, plaintiffs allege that the Pixel shares browsing data with Facebook and Facebook is a third party wiretapper collecting this data for its own gain. This distinguishes these cases from the chat and wiretapping cases because, in those cases, it is easier to argue that the software provider is a vendor acting on behalf of the defendant and not really a third party wiretapping any sort of communication for its own purposes or gain.

Perhaps the most watched Meta Pixel privacy lawsuit is In re Meta Pixel Healthcare Litigation,[6] a putative class action against Meta for allowing sensitive health data to be sent to Meta from healthcare providers’ websites, including patient portals, without consent. In September of 2023 the federal judge in that case denied Meta’s motion to dismiss many of its claims, including wiretap allegations.

The November 1, 2023 approval of a $13,000,000 classwide settlement in Hodges v. GoodRX Holdings, Inc.,[7] is also notable. There plaintiffs alleged that use of various pixels and SDKs (software development kits) on GoodRX’s website violated state and federal wiretapping statutes, consumer protection laws, and common law privacy rights by intercepting user data and sharing it with vendors without users’ consent.

VIDEO PRIVACY PROTECTION ACT OF 1988 (VPPA)

In cases where the defendant uses on demand streaming content on their website and viewership data is shared with Facebook, plaintiffs will also allege a violation of the Video Privacy Protection Act of 1988 (VPPA) by use of the Meta Pixel. The VPPA is a federal law that prohibits videotape service providers from “knowingly disclos[ing], to any person, personally identifiable information concerning any consumer of such provider . . .” Under the VPPA, “personally identifiable information” is defined as “includ[ing] information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” According to the VPPA, a “video services provider” is defined as “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials . . .” which has been interpreted in court cases as extending to websites streaming online video. States followed by enacting their own versions of the federal law, some of which expanded protected materials.

These lawsuits allege that companies that stream online video content on their websites and use the Meta Pixel violated the VPPA by transmitting personally identifiable information about a user to Meta. Earlier lawsuits filed focused on companies whose business significantly involved video content (e.g., Patreon).

Some courts have dismissed these VPPA Meta Pixel cases already while others have allowed them to survive the motion to dismiss stage. Ambrose v. Boston Globe Media Partners LLC, a case in federal court in the District of Massachusetts, was one of the earliest VPPA Meta Pixel class action lawsuits filed. In September 2022, the case survived the defendant’s motion to dismiss as the judge ruled that the plaintiff had stated a viable claim, although the court may later determine that the website does not transfer the plaintiff’s personally identifiable information to Meta as alleged.

Martin v. Meredith Corp. was a Meta Pixel case filed in the Southern District of New York alleging the media company, which operates various websites including People.com, violated the VPPA. The court dismissed the case on the grounds that the “version of the Facebook Pixel used on People.com sends only the Facebook ID and the name of the webpage that a user accessed” and thus it did not send personally identifiable information under the definition of the statute (i.e., information about whether an individual “requested or obtained specific video materials or services.”)

COMMON LAW AND OTHER STATUTORY CLAIMS

In many of these cases, plaintiffs are also often asserting common law invasion of privacy violation claims. The cases generally assert that plaintiffs had a legitimate expectation of privacy regarding their private information, an expectation that the defendant would not disclose this information to third parties without their consent.

Other statutory claims have started to appear in these complaints as well, almost always secondary to a CIPA claim. For example, in some cases plaintiffs allege violation of Cal. Pen. Code § 638.51, which regulates the use of a “pen register” or “trap and track device.” Other complaints allege violation of the California Consumer Data Access and Fraud Act (“CDAFA”), Cal. Pen. Code § 502, which is “an anti-hacking statute intended to prohibit the unauthorized use of any computer system for improper or illegitimate purpose.”[8]

In the healthcare context, these cases also typically allege violation of the California Medical Information Act, which states that “[a]ny provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall be subject to . . . remedies and penalties . . .”[9]

DEFENSES

Defendants have numerous defenses at their disposal when attempting to defeat these claims. For example, defendants often argue that the plaintiff lacks standing because plaintiff visited the website as a purported “tester,” or ignored the landing page banner notifying users of the involved technologies and/or linking to the online privacy policy. Article II Standing can also be leveraged, but in cases where plaintiffs filed in state court and defendants choose to remove to federal court, defendants will waive the right to that defense.

Companies often argue that they are exempt from liability as a party to the communication.[10] This argument is useful in session replay cases in which the session replay technology merely recorded and stored users’ interactions with the site. It is less helpful in cases where plaintiffs can plausibly allege that a third party used the collected data for its own means.

To form a cause of action under Section 631(a), a communication must be intercepted “in transit” between the user’s device and the website server. Because online communications are nearly instantaneous, defendants can argue that the challenged access to the communication did not occur “in transit.” However, not all courts have found this compelling.[11]

Intent can be another useful defense for defendants in these cases; under CIPA § 631 a plaintiff must allege that a defendant “intentionally tap[ped] . . . any . . . wire, line, cable, or instrument” to state a claim under the first prong, or that defendant “willfully . . . read[], or attempt[ed] to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit” to state a claim under the second prong.[12]

Also, Section 631(a) only prohibits the interception of the “contents” of communications. Courts have construed “contents” as limited to information constituting the intended message, as opposed to “record” information, such as keystrokes, mouse movements, and similar interactions typically stored via session replay technology. In re iPhone Application Litig., “‘[C]ontents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication.”[13]

And finally, defendants without significant California presence should be sure to assert personal jurisdiction defenses and may also wish to avail themselves of caselaw finding that the California Penal Code does not apply extraterritorially.[14]

MITIGATION

Mitigating the risk of these claims can be straightforward as long as there is an appetite for additional safeguards and the mitigating measures are implemented correctly. For example, explicit consent is a complete bar to these claims. In some cases, defendants can argue consent, especially, for example, where plaintiffs agreed to Meta’s terms and conditions and enabled cookies to allow Meta to collect their data.

Defendants will argue that “consent may be express or may be implied in fact from the surrounding circumstances indicating that the party to the call knowingly agreed to the surveillance.”[15] “[A] party’s awareness that he or she is being recorded may establish that the party impliedly consented to the recording.”[16] But often plaintiffs will argue that these consents were not explicit enough or did not exist at all.

Forcing consumers to select their cookie preferences by affirmatively clicking “accept cookies,” “decline all nonessential cookies,” or “select cookies” as part of a well-worded cookie disclosure banner at the outset of a browsing session can mitigate this risk. Consumers should not be allowed to bypass the cookie banner without making a selection, and any pixels or software should not be allowed to fire until a selection is affirmatively made. However, it is important to consult with counsel to ensure that the disclosure is clear and that the user’s instructions are honored, lest the company find itself in an even worse position for making an inadvertent misrepresentation regarding collection of data.
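
As an added illustration that is not part of the original article, the JavaScript sketch below shows one way a site can hold third-party tags until the visitor makes an affirmative banner selection and then honor that selection. The class, category names, and URLs are hypothetical, and the script loader is injected so the logic can be exercised outside a browser.

```javascript
// Added example (not from the article): third-party tags load only after an
// affirmative banner selection. All names and URLs below are hypothetical.
const NONESSENTIAL = ["analytics", "advertising", "session_replay"];

class ConsentGate {
  constructor(loadTag) {
    this.loadTag = loadTag; // injected; in a browser this would append a <script> element
    this.allowed = null;    // null = no selection yet, so nothing may fire
    this.pending = [];      // tags registered before the visitor chose
    this.log = [];          // record of the choice and of every tag actually loaded
  }

  // Called by page code instead of embedding the vendor snippet directly.
  register(tag) {
    if (!NONESSENTIAL.includes(tag.category)) {
      throw new Error(`unknown category: ${tag.category}`);
    }
    if (this.allowed === null) {
      this.pending.push(tag); // hold until a choice is made
      return false;
    }
    return this.fireIfAllowed(tag);
  }

  // selection: "accept_all", "decline_nonessential", or an array of categories.
  // Closing or ignoring the banner must not call this method.
  decide(selection) {
    let cats;
    if (selection === "accept_all") cats = NONESSENTIAL;
    else if (selection === "decline_nonessential") cats = [];
    else if (Array.isArray(selection)) cats = selection.filter((c) => NONESSENTIAL.includes(c));
    else throw new Error("not an affirmative selection");
    this.allowed = new Set(cats);
    this.log.push({ event: "choice", categories: [...this.allowed] });
    const queued = this.pending;
    this.pending = [];
    return queued.filter((tag) => this.fireIfAllowed(tag)).map((tag) => tag.name);
  }

  fireIfAllowed(tag) {
    if (!this.allowed.has(tag.category)) return false; // declined: never load
    this.loadTag(tag.src);
    this.log.push({ event: "fired", name: tag.name });
    return true;
  }
}

// Constructed sample tags; the src values are placeholders, not real vendor URLs.
const SAMPLE_TAGS = [
  { name: "ad-pixel", category: "advertising", src: "https://pixel.example/p.js" },
  { name: "replay", category: "session_replay", src: "https://replay.example/r.js" },
];
```

The log kept by the gate doubles as a record of what the visitor chose and which tags actually loaded, which is the evidence needed to show that the banner's representations matched the site's behavior.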

CONCLUSION

These cases show no signs of slowing down soon, and private plaintiffs aren’t the only adversary to fear. The FTC has also pursued cases against companies in certain sectors for using these technologies without proper consumer consent.[17] While the law may ultimately develop in defendants’ favor, companies should consider mitigating risk now.

  * An experienced commercial litigator, Jennifer Oliver focuses her practice on complex litigation, with a specialty in website and privacy matters, defending consumer class actions, and consumer law compliance counseling. Jennifer has played active roles in several high-profile jury trials, serving as lead counsel in complex mediations, and arguing before courts at both the trial and appellate levels. She especially enjoys assisting her clients in navigating and avoiding consumer and privacy litigation.
  1. See, e.g., Augustine v. Lenovo (United States), Inc., No. 22-cv-2027-L-AHG, 2023 U.S. Dist. LEXIS 134595 (S.D. CA, August 2, 2023); Yockey v. Salesforce, Inc., No. 22-cv-09067-JST, 2023 U.S. Dist. LEXIS 150262 (N.D. CA, August 25, 2023); Wright v. Ulta Salon, No. 22-cv-1954-BAS-BLM, 2023 U.S. Dist. LEXIS 159774 (S.D. CA, September 8, 2023).
  2. California Invasion of Privacy Act (CIPA), California Penal Code Sections 630 et seq.
  3. See, e.g., Graham v. Noom, Inc., 533 F. Supp. 3d 823, 831 (N.D. Cal. 2021).
  4. 562 F. Supp. 3d 503 (C.D. Cal. 2021).
  5. Id. at 520-21.
  6. Case No. 3:22-cv-3580-WHO-VKD (N.D. Cal. 2023).
  7. Case No. 1:23-cv-24128-BB (S.D. Fla. 2023).
  8. Custom Packaging Supply, Inc. v. Phillips, Case No. 2:15-CV-04584-ODW-AGR, 2015 WL 8334793, at *4 (C.D. Cal. Dec. 7, 2015).
  9. Cal. Civ. Code § 56.101.
  10. See, e.g., Graham v. Noom, Inc., 533 F. Supp. 3d 823, 829 (N.D. Cal. 2021).
  11. See, e.g., Wright v. Ulta Salon, No. 22-cv-1954-BAS-BLM, 2023 U.S. Dist. LEXIS 159774 (S.D. Cal. Sept. 8, 2023).
  12. Cal. Pen. Code § 631 (emphasis added).
  13. 844 F. Supp. 2d 1040, 1061 (N.D. Cal. 2012); See also, In re Zynga Privacy Litig., 750 F. 3d 1098, 1107 (9th Cir. 2014).
  14. M Seven Sys. Ltd. v. Leap Wireless Int’l Inc., 2013 WL 12072526, at *3 (S.D. Cal. June 26, 2013); Hammerling v. Google LLC, No. 21-cv-09004-CRB, 2022 WL 17365255, at *11 (N.D. Cal. Dec. 1, 2022) (dismissing plaintiff’s CIPA claim because plaintiff failed to allege that the data in question was intercepted in California).
  15. Nei Contracting & Eng’g, Inc. v. Hanson Aggregates Pac. Sw., Inc., No. 12-CV-01685-BAS (JLB), 2016 WL 4886933, at *3 (S.D. Cal. Sept. 15, 2016) (quoting United States v. Van Poyck, 77 F.3d 285, 292 (9th Cir. 1996)).
  16. Moledina v. Marriott Int’l, Inc., No. 2:22-cv-03059-SPGJPR, 2022 WL 16630276, at *7 (C.D. Cal. Oct. 17, 2022).
  17. See, e.g., In the Matter of BetterHelp ($7.8 million settlement for partial refunds to customers); United States v. GoodRx ($1.5 million settlement and behavioral remedies).