A New Twist on Keystroke Monitoring Lawsuits – What Businesses Need to Know About Chatbots | Brownstein Hyatt Farber Schreck

In recent weeks, several class action lawsuits have been filed in California against various companies, including Tiffany & Co., Dollar Shave Club, Goodyear Tires, MAC Cosmetics and Michael Kors USA, making the startling allegation that the companies are engaging in illegal wiretapping of on line communication with consumers. The complaints – all filed by the same attorney – allege that the defendants covertly deploy “keystroke monitoring” software that is used to intercept, monitor and record communications with visitors to their websites. Plaintiffs assert, on behalf of themselves and putative class members, that by doing so, Defendants violated the California Invasion of Privacy Act (Cal. Penal Code Section 631).

The complaints mainly relate to consumer communications with sophisticated “chatbots” that impersonate a human being in a “convincing” way. According to the complaints, chatbots not only encourage consumers to share their personal information, but record and store the entire conversation without the consumer’s knowledge or permission. Thus, any company that uses chatbots is a potential target of these class action lawsuits.

Section 631(a) of the California Penal Code imposes liability on any entity that engages in conduct prohibited by that section, i.e. “by means of any machine, instrument, device or other way ” :

(1) “intentionally taps or makes any unauthorized connection, whether physically, electrically, acoustically, by induction or otherwise, with any telegraph or telephone wire, line, cable or instrument, including wire, line , cable or instrument of any internal telephone communication system”, or

(2) “willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads or attempts to read, or learn the contents or meaning of any message, report or communication while it is in transit or passing over any wire, line, or cable, or is sent or received at any place in such condition” or

(3) “use or attempt to use, in any way or for any purpose, or communicate in any way, any information so obtained, or which aids, agrees with, employs or conspires with one or more persons to unlawfully do, permit or cause to be done any of the acts or things mentioned above in this section.”

As noted in the recent Ninth Circuit decision in Javier v Insurance IQ, LLC“[t]Although written in terms of wiretapping, Section 631(a) applies to Internet communications [and] holds liable anyone who “reads, or attempts to read or learn from” the contents of a communication “without the consent of all parties to the communication”. 31, 2022). In Javierplaintiffs alleged that one of the defendants operated an insurance website that used the other defendant’s software to “record user interactions with the website and create a unique certificate for each user certifying that the ‘user has agreed to be contacted’ with marketing communications. Identifier. The California federal district court had dismissed the case, finding that the plaintiff “had retroactively consented to the conduct at issue by agreeing to [the defendant’s] Privacy Policy, and that retroactive consent is valid under Section 631(a)”. Identifier. The Ninth Circuit overturned on the grounds that it believed “the Supreme Court of California would interpret Section 631(a) to require that the prior consent of all parties to a communication”. Identifier. to 2 (emphasis added). On remand, the defendants recently decided to dismiss issues not decided by the Ninth Circuit, including whether the plaintiff had given implied consent to the data collection. Either way, website operators should consult their legal counsel before deploying technology that captures online consumer consent to marketing communications, which has become ubiquitous in the telemarketing space.

While Section 631(a) is criminal law, California law allows alleged victims to bring a civil action. Specifically, under Section 637.2 of the Penal Code, any person who has been injured by a violation of Section 631 (among other sections of the code) may bring an action against the person who committed the violation to enjoin or restrain such violation, as well as recover damages. the greater of $5,000 per violation or three times the amount of actual damages, if any, suffered by the plaintiff. In particular, it is not necessary that the plaintiff has suffered or is threatened with suffering actual damages. In addition to these remedies, the plaintiffs in these recently filed actions are also seeking recovery of their attorneys’ fees and expenses, as well as punitive damages.

Although these recent deposits in California seem based on a new theory, they are not. For example, following the Ninth Circuit’s decision in the In re Facebook Internet Tracking Litigationwhich adopted the reasoning of the First and Seventh Circuits that “the simultaneous and unknown duplication and communication of GET requests does not excuse a defendant from liability under the [federal and state wiretap statutes’] party exception”, many lawsuits have been filed on this basis. Davis vs. Facebook, Inc.956 F.3d 589, 608 (2020).

Indeed, similar cases have been filed in Florida and recently dismissed. Specifically, in March 2021, two plaintiffs filed separate lawsuits against Whirlpool Corporation, alleging that the company unlawfully intercepted website visitor information using “session replay” technology. In these cases, the federal judge found that the state’s wiretapping law does not apply to the company’s use of marketing analytics software to capture browsing histories, personal interests or similar data. Cardoso vs. Whirlpool Corp.., Case No. 21-CV-60784-WPD, 09/15/21 and Connor v. Whirlpool Corp., Case No. 21-CV-14180-WPD, 09/15/21 (]SD Florida) Case (SD Florida). Similarly, in September 2021, another federal court judge in Florida dismissed a class action lawsuit against Costco when the court determined that mouse clicks, page views, scrolling movements and other actions did not convey content or communication. [Goldstein v. Costco Wholesale Corp., Case No. 21-CV-80601-RAR]Case No. 9:21-cv-80601 ([9/9/21] SD Florida).

However, in the most recent California filings, the plaintiffs attempt to circumvent the case law against them, focusing specifically on their communications with the defendants companies’ chatbots. While it is unclear whether these plaintiffs will ultimately succeed, it is clear that this area of ​​the law remains up in the air, inviting further litigation.

Additionally, companies should be concerned about how such claims may affect their environmental social governance (“ESG”) efforts and subsequent reputation. MSCI, a leader in ESG efforts of rating companies, lists privacy and data security as key issues considered.

How best to avoid liability? Just as businesses must inform consumers of their privacy rights, businesses must also inform consumers of how their interactions with “chatbots” or their actions on the website will be recorded and how the data will be used, and they must seek consent to such uses before involving the consumer in the technology. California law already requires disclosure of communication with a bot, including the prohibition against misleading a consumer about the artificial nature of the bot. Cal. Bus. & Profs. Code Section 17940. Most companies using bots to interact with consumers have already adapted to these requirements. Carefully written, this same information can also use friendly language to ensure everyone understands that communications with the bot, or even clicks and keystrokes on a website, will be recorded and analyzed to improve customer service. .