Hot CIPA Summer: Internet “Wiretapping” Claims Are Heating Up in California–Here’s Why They Shouldn’t Be
All right so I have been bombarded with questions about Javier over the last 10 days or so. Everyone wants the Czar’s take. So let me give it to you.
First, here is California Penal Code Section 631–the bringer of weird wiretap claims– in all of its unedited glory:
Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars ($2,500), or by imprisonment in the county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both a fine and imprisonment in the county jail or pursuant to subdivision (h) of Section 1170. If the person has previously been convicted of a violation of this section or Section 632, 632.5, 632.6, 632.7, or 636, he or she is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the county jail not exceeding one year, or by imprisonment pursuant to subdivision (h) of Section 1170, or by both that fine and imprisonment.
What a mess.
Read it fast and it seems to only apply to physical wiretapping. Read it slowly and it still seems that way.
But read it like a Ninth Circuit Court of Appeals panel and it applies to recording of information regarding events taking place on websites. And I’m struggling with that.
Javier says the statute applies to Active Prospect because “[Section 631] makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’”
I see those words in there in the mishmash above. Here they are re-printed with emphasis:
Any person who… willfully and without the consent of all parties to the communication, … attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state… is [in trouble.]
So this is where I struggle.
In the first place, a website visit isn’t a communication in my mind. It’s an interaction with a bunch of servers with a human being on one end and a computer responding by either supplying or storing stuff on the other. I guess you can call that a sort of communication (the word is defined as “the imparting or exchanging of information or news” so I guess this counts) but I never think of time spent on a website as “communication.” But perhaps that’s just me.
Getting past that, I am lost as to how Active Prospect is attempting to “read” or “learn the contents or meaning” of the communication when it records certain pieces of data being supplied by the consumer. As a reminder, Active Prospect’s TrustedForm simply records an interaction as it is taking place on a website at the behest of the website owner. This is done for the purpose of assisting the website owner to prove what took place during the web session; e.g. that a webform submission was made or that a disclosure was accepted by the consumer.
In the first place, the words “store” and “record” do not appear in this portion of 631, although those words feature prominently in 632 and other portions of the California Privacy Act. Instead, 631 is focused on the literal real-time act of understanding the content of information being transferred in a communication. So if Active Prospect had agents truly listening in to the “communication”–i.e. watching the website visit–then I could see 631 being tripped. But merely storing information is not “read[ing]” or “learn[ing]”–it’s storing. There’s no computational assessment taking place. So nothing is being read or learned. So that should be the end of the case.
But no one seems to even be talking about that issue. Everyone seems to have leapt over it.
Yet we have one more hurdle here–and it’s a real stunner that no one has jumped on this yet.
The final supremely interesting question in my mind is this: when and where is the “wiretap” taking place? The statute says that the tap must take place either during transmission or as the transmission is being sent or received. And, critically, the place of the tap has to be in California.
In the Active Prospect scenario it is pretty clear that the “wiretap” is not taking place where the information is being sent–AP is not residing on the Plaintiff’s computer system like a cookie. Nor, it seems to me, is it taking place during transmission–AP is not a “backbone” internet service provider capable of tracking the contents of signals travelling over undersea cables, satellite transmissions, etc. Instead, AP’s conduct is taking place where the data is received–here when Assurance receives the transmission.
But where is the receipt taking place?
I don’t know this first hand, but I suspect the transmissions at issue were received nowhere and everywhere at the same time–i.e. in cloud data centers.
Importantly, unlike Section 632–which looks at the location of where the recorded party resides after Kearney–Section 631 does not look at the location of the recorded party. Instead, it is focused solely on where the wiretap takes place. So unless Plaintiff can prove that the servers housing the AP JavaScript that enabled the “reading and learning” at issue here were somehow physically located within California, this feels like a dead stick to me.
Interestingly, as far as I can tell none of these issues were raised yet (and perhaps properly so since we are only at the pleadings stage in this case).
Instead the big issues raised to date were: i) whether Plaintiff’s consent to be recorded after the recording was taking place is a viable defense (district court said yes, appellate court said no–that’s the real thrust of Javier); ii) whether Plaintiff impliedly consented to be recorded (no real discussion on this one yet–and I like it because it could be a class killer); and iii) whether or not AP was a third-party.
This last question is an odd one.
When you read the long and laborious wording of Cal Penal Code Section 631 you don’t see the phrase “third party.” Indeed, all you see is the words “all parties”–suggesting that if either party to a website “communication” records it without the other’s consent it (somehow) constitutes wiretapping.
Now that wouldn’t make sense, of course, because “reading” or “learning” the content of a communication is literally all the recipient of a communication can do with it. So every communication (i.e. every website visit) would have a sender (the consumer) and a wiretapper (the website operator) if California’s Section 631 were read the way Javier reads it.
Mercifully, the California Supreme Court and other California appellate courts have–probably–rejected this assertion, albeit in the context of cases decided before the internet existed. E.g. Warden v. Kahn, 99 Cal.App.3d 805, 160 Cal. Rptr. 471, 475 (1979) (“[S]ection 631 … has been held to apply only to eavesdropping by a third party and not to recording by a participant to a conversation.”).
Relying on the old “parties to a communication can’t wiretap themselves” line of cases a website operator should be perfectly free to record transmission of “communications”–i.e. information regarding website visits–without risk of violating CIPA. But after Javier I really wish this line of cases was better developed and, you know, more applicable to the internet. (This is one of those examples where the expansion of substantive provisions by the courts may end up outrunning the common-sense exceptions that existed back when the substantive provisions were very narrow; see also the last 20 years of TCPA jurisprudence.)
And one other really important thing to keep in mind. California’s famous call recording statute–Section 632–is limited to confidential communications. Its wiretapping statute–Section 631–is not. So any old communication can be wiretapped.
Getting back to the point–AP is arguing it was not a third party, but rather an agent of Assurance for purposes of recording the web session at issue. And if Assurance can record its own web session without it being wiretapping, then AP can do it for it–or so the argument goes.
The problem for AP–and TrustedForm users everywhere–is this case called Revitch v. New Moosejaw, LLC, No. 18-cv-06827-VC, 2019 WL 5485330, at *1 (N.D. Cal. Oct. 23, 2019).
In Moosejaw, Moosejaw embedded NaviStone’s code in its website, enabling NaviStone — “an online marketing company and data broker that deals in U.S. consumer data” — to collect visitor data such as keystrokes, mouse clicks, and page scrolling. NaviStone captured the data, de-anonymized it, and matched it with other databases, thereby creating marketing databases of identified website visitors. The district court held that the allegations plausibly pleaded a section 631(a) claim that NaviStone was a third-party eavesdropper. It rejected NaviStone’s contention that it received the communications directly and therefore was a party to them: “it cannot be that anyone who receives a direct signal escapes liability by becoming a party to the communication. Someone who presses up against a door to listen to a conversation is no less an eavesdropper just because the sound waves from the next room reach his ears directly.”
Respectfully, the Moosejaw court is bad at analogies. NaviStone wasn’t listening in from outside. It was seated at the table while consumers blabbed on and on with Moosejaw about their outdoor apparel needs (again, treating website visits as communications, which I am still struggling with). But at the end of the day the Moosejaw court held that NaviStone wiretapped and that Moosejaw helped it do it. (Oh yeah, even though you can’t wiretap yourself, if you let someone else wiretap you then you can be liable for aiding and abetting the wiretap–so Assurance can (theoretically) be liable for AP wiretapping, even though it could not have been directly sued for it. Fun, right?)
On the other hand is the case of Graham v. FullStory, 20-cv-06903, Dkt. 51 (N.D. Cal. April 8, 2021). In Graham the Court held that a third-party that essentially gained access to the Defendant’s servers for the purpose of helping it to process and preserve data was not wiretapping:
Noom is a vendor that provides a software service that captures its clients’ data, hosts it on FullStory’s servers, and allows the clients to analyze their data. Unlike NaviStone’s and Facebook’s aggregation of data for resale, there are no allegations here that FullStory intercepted and used the data itself. Instead, as a service provider, FullStory is an extension of Noom. It provides a tool — like the tape recorder in Rogers — that allows Noom to record and analyze its own data in aid of Noom’s business. See 52 Cal. App. 3d at 897–99. It is not a third-party eavesdropper.
So is AP more like the tape recorder in Graham (that allowed only the website owner to keep records) or the tape recorder in Moosejaw (that monetized and sold those records)?
If we are being intellectually honest the resulting use of the data shouldn’t matter at all. The statute prohibits “reading” or “learning”–not the use of information “read” or “learned.” So a tape recorder is a tape recorder. And either the use of a tape recorder by the website owner is eavesdropping, or it isn’t. And it isn’t. If the recorded data is then sold without permission that might be a problem–but the problem isn’t wiretapping.
But let’s lean into the Graham/Moosejaw dichotomy for a moment.
For my money a TrustedForm that is used for no reason other than to confirm that a TCPA consent was given is a Graham scenario pure and true. TF serves a critical business record retention function and a critical evidentiary record keeping function. That’s it. And while Plaintiffs’ counsel are almost certainly hoping the lower court will follow Moosejaw, I just don’t see that happening here. AP is not selling off any data to enhance marketing efforts by third-parties.
Don’t get me wrong– I still struggle with the “third party” argument out of the gate. Feels like a square peg round hole argument given the other more significant interpretive issues I raised at the outset of this analysis–but to the extent AP is driving toward applying Graham as a shield, I think semantics will matter less than the facts: AP is a good company helping other good companies to do good (consumer-friendly) things. It is not stealing or compiling consumer information to sell for profit. If it were, things might be different. But it isn’t. So it (and other users of AP’s TrustedForm product) DESERVE TO WIN.
(Reminder: Deserve to Win is a TM property of the Troutman Firm–and I even have this cool video to prove it–thanks)
So in conclusion:
Any attempt to apply 631 to website visits does violence to the words of the statute as well as common sense–but that hasn’t stopped courts from doing it so far. And they’ll probably keep doing it–so watch out;
I think AP will eventually win this thing because Graham applies the proper analysis and because this 631 fad is going to fizzle once Defendants actually start laying out the absurdity here;
In the meantime website operators are probably safe to record information about their own traffic–a line of cases from the 70s and 80s says that’s ok (but capturing consent to do so is safest!);
DO NOT ever use any sort of third party to secretly monitor traffic on your website, record keystrokes, and then attempt to monetize non-anonymized data–such as passwords or credit card numbers or purchasing decisions captured by a third party. That is trouble under CIPA (and preventing that conduct is why the Ninth Circuit ruled the way it did in Javier). If you plan to do that, capture consent BEFORE you do it;
The Plaintiff’s bar shouldn’t be so bullish on these website CIPA cases as they’re professing to be. Sure the defense bar hasn’t really found its footing here yet–we’ve seen that before–but they will. And when they do, these data analytic/web session recording cases are dead–even if cookie and non-consented data transfer cases continue to gain steam.
Happy Monday TCPAWorld!