Class Action Issue
In a recent decision addressing privacy claims arising from the electronic tracking of a customer’s online behavioral activity, a federal district court’s analysis highlighted the significance of a comprehensive privacy notice in establishing a customer’s consent to the collection of personal identifying information (“PII”).
The electronic tracking of a customer’s actions while visiting a business’ website has given rise to lawsuits under wiretap and electronic surveillance statutes. This is one of those lawsuits.
The Complaint was filed against two defendants – one was a gift merchant who sells pet products by way of its website and the other one was a third-party vendor who allegedly collected data on the merchant’s website. The merchant was incorporated in Pennsylvania. The vendor was an Ohio company that tracks Internet Protocol (“IP”) addresses of visitors on its customers’ websites to collect commercially valuable information, such as names and mailing addresses. The vendor stores that data on a server in Ohio.
The merchant had contracted with the vendor to collect data from traffic on its website. The merchant had a Privacy Statement/Notice (“Privacy Notice”) disclaiming user tracking on its website; however, the Privacy Notice did not disclose the vendor’s identity or the methods used for collecting user data.
The plaintiff claimed that the vendor intercepted her PII – her name, home address and email address – as she browsed the merchant’s website for pet products. She further alleged that the vendor recorded and relayed her every keystroke and mouse click to its server. In addition, the plaintiff alleged that the vendor collected her PII even though she never hit the “submit” button to make a purchase.
The plaintiff, on her own behalf and as a class representative, filed a Complaint asserting two claims: (1) a violation of Pennsylvania’s wiretapping statute (“PA wiretapping statute”), and (2) an invasion of privacy (intrusion upon seclusion). Both defendants filed a Rule 12(b)(6) Motion to Dismiss.
District Court’s Waterfall Analysis of Plaintiff’s Privacy-Based Claims
After determining the threshold issue of subject matter jurisdiction under CAFA, the court undertook to analyze whether the complained of conduct was subject to the PA wiretapping statute. In that regard, the court examined the statute’s application to out-of-state conduct, as the vendor was located in Ohio. The court noted that several PA courts had refused to extend the PA wiretapping statute to out-of-state conduct. Ultimately, the court decided that it would follow those PA courts that had declined to extend the PA wiretapping statute to out-of-state conduct.
As a result, the next issue considered by the court was where the actionable conduct occurred. Noting that it is easy in cases involving telephone calls to determine where the conduct occurred (by plotting the location of the parties to a call), determining where the intercept of interstate data traffic and storage occurred is not as straightforward. Because 12(b)(6) Motions were before the court, the pleadings did not contain the factual and technical background necessary to determine where the allegedly actionable conduct occurred. The court explained that a factual record needed to be developed on certain key points before it could determine whether the PA wiretapping statute applied:
(1) Did the conduct occur in PA, where the merchant is located and where the plaintiff viewed the website? OR
(2) Did it occur in Ohio where the vendor and its servers were located?
Next, the court turned its focus to the substantive arguments made by the defendant for the dismissal of the plaintiff’s claims. While the court had decided to deny the Motion to Dismiss as to Count I to allow for the building of a factual record on the extraterritorial application of the PA wiretapping statute, the court nonetheless examined some of the substantive defenses to provide guidance as to questions that may be presented on later dispositive motions. First, with regard to the defendants’ arguments that the merchant’s servers and the vendor’s code were not “devices” under the PA wiretapping statute, the court focused on the definitions contained in the statute. While the definitions of “device” and “electronic communications” contained in the statute were broad, they were not limitless. Determining whether the interplay between the defendants’ servers and the vendor’s code qualifies as a “device” or “apparatus” under the statute requires a fact-intensive inquiry that implicates novel questions, as framed by the court. The court made clear that, to prevail on a claim under the PA wiretapping statute, it was the plaintiff’s burden to prove that the allegedly actionable conduct falls under the purview of the statute. Finally, the court noted that the discovery process would allow the parties an opportunity to develop a factual record that contextualizes the conduct at issue in light of the statutory language.
With respect to the defendants’ arguments that mutual consent barred the plaintiff’s claims, the court declined to address (at the motion to dismiss stage) the argument that the act of sending an electronic communication over the internet implied consent to it being recorded. Here, the plaintiff made no allegations in the Complaint about her actual or constructive knowledge of the Privacy Statement. On the defendants’ side, there was no indication that the Privacy Notice informed the plaintiff, as an online customer, that her keystrokes, navigation and/or other personal information were being collected in real-time by a third-party using embedded code. As a result, the court concluded that it could not determine if the defendants provided the plaintiff with actual or inquiry notice without a more developed factual record.
For their last argument supporting the requested dismissal of the PA wiretapping claim, the defendants contended that they did not “intercept” the contents of any communication. For several reasons, the court determined it was not proper to rule on whether the plaintiff’s “clicks” and keystrokes while visiting the website constituted “content” under the PA wiretapping statute. The court stated that it would be better equipped to rule on that issue after a record is developed that places the claimed conduct into context in relation to the specific scope and application of the PA wiretapping statute.
Count II of the plaintiff’s Complaint asserted a common law intrusion upon seclusion claim against the defendants. Section 652 of the Second Restatement’s definition of intrusion upon seclusion applied to the claim. The defendants raised two arguments in support of their requested dismissal of that claim: (1) They lacked the requisite intent to commit intrusion upon seclusion, and (2) their conduct was not highly objectionable to a reasonable person. In performing its analysis, the court noted that there are numerous decisions from state and federal courts examining claims under § 652 of the Restatement where courts determined that, as pled, a complaint failed to allege sufficiently objectionable conduct to allow a claim to stand.
Ultimately, the court determined that the act of collecting the plaintiff’s keystrokes, mouse clicks, and PII was not the type of highly offensive act that support an intrusion upon seclusion claim under the Restatement. In connection with that determination, the court stated “[c]onsumers may be troubled that their trip to an electronic marketplace may feature surveillance of their every behavior that is far more intrusive than a trip to the local mall, and that the data garnered from even causal browsing may be used by retailers—and others—for marketing or more sinister purposes. But even well-founded concern is not enough to give rise to tort liability. Such liability requires conduct that may outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities.”
Class Action Solutions observations – In considering potential measures to reduce a company’s exposure to a class action asserting privacy-related claims, don’t overlook the benefit of implementing a comprehensive privacy statement on your website. Where a privacy statement discloses certain tracking of a consumer’s activity on a website, a consent defense may carry the day. However, be aware that, even where a privacy statement discloses some specific kind of tracking, a company may still be potentially liable for other forms of tracking that the privacy statement does not disclose. As a result, it seems prudent to subject a website’s privacy statement to a critical eye analysis and update on a regular basis.
A copy of the decision can be accessed here.