Jut wanted to piggy back on Queenie’s excellent article last night to really hammer home a critical point:
The Javier district court ruled directly that the use of third-party web session replay technology DOES constitute wiretapping under CIPA.
And, unfortunately, this is one of the best reasoned and most thorough analyses to date on the issue.
The analytic framework applied by the Court is the precise framework the Czar has laid out repeatedly for analyzing the issue–and is, therefore, the undoubtedly correct one.
Here is how the court framed the issue:
Two basic principles of Section 631 liability are undisputed. First, if a third party listens in on a conversation between the participants (even if one participant consents to the presence of that third party), then the third party is liable under the second prong (and the participant is often liable under the fourth prong). Ribas v. Clark, 38 Cal. 3d 355, 361–62 (1985); see also Revitch v. New Moosejaw, LLC, No. 18-CV-06827-VC, 2019 WL 5485330, at *2 (N.D. Cal. Oct. 23, 2019) (extending liability under the fourth prong of Section 631 to website that employed a software similar to TrustedForm). Second, a party to a conversation can record it without the other party’s knowledge without incurring Section 631 liability. Rogers v. Ulrich, 52 Cal. App. 3d 894, 899 (1975).
I completely agree. The issue, then, is whether web session recording is closer to a “tape recorder” or closer to an “interloper listening in.”
And the Court tees it up just right:
Thus, the Court must decide whether ActiveProspect is more akin to the tape recorder in Rogers, held by Assurance, or the friend in Ribas (in which case, Assurance is the wife who allowed ActiveProspect to listen in). See Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1081 (C.D. Cal. 2021) (“The question thus becomes, in analogue terms: is Quantum Metric a tape recorder held by Lululemon, or is it an eavesdropper standing outside the door?”).
But then the Court unnailed it.
Rather then recognize that the web session recording is nothing more than a device producing a data set for replay–just like a tape recorded–the Court errantly determined web session replay was akin to someone listening in live. (It just isn’t though).
As is usually the case when a court gets something this big this wrong, the Defendants had a bit to do with it. According to the Court, the defendants only mustered two real rejoinders:
First, Defendants contend that the ubiquity of third-party tools like ActiveProspect’s software “would force websites to either expressly disclose” the presence of those tools, or “create those tools in-house.” …. Second, Defendants argue that “Plaintiff would have no claim if Assurance had created the TrustedForm software itself.”
Eesh. Those are just bad arguments and the Court correctly brushed them aside. On the ubiquity point the answer is–so what? And on the “no claim” point the answer is, still–so what?
The better argument, of course, would be to focus on the limited functionality and usage capabilities of the technology at issue. And that argument really just could not be brought at the pleadings stage because the Plaintiff alleged:
ActiveProspect monitors, analyzes, and stores information about visits to Assurance’s websites, and that Active Prospect can use that information for other purposes, even if Javier has not alleged that they have done so in this case.
And that is the critical allegation that underpins the entire case. Because Plaintiff alleges a real-time monitoring of information by a third-party, the CIPA (eavesdropping) limitations have been triggered.
But notice, if Plaintiff cannot PROVE this actually takes place–and I don’t think it does–then the case would evaporate, even under the Javier court’s reasoning.
Since there is $5,000.00 per web visit at stake here, this is a VERY big deal. We’ll keep monitoring it. And I will be discussing tomorrow form the stage at LGW!