Page 3
Ninth Circuit:
Plaintiff Asserting Violation of Privacy Act Must Allege More Than Simple Visit to Site
Opinion Says Plaintiff Must Plead That She Made Some Communications That Could Have Been Intercepted by Challenged Tracking Software to State Claim for Violation of California Law
By a MetNews Staff Writer
The Ninth U.S. Circuit Court of Appeals held yesterday that a plaintiff who filed a class action complaint against Bloomingdales.com LLC over its alleged use of third-party tracking software failed to state a claim under California privacy laws where she did not allege that the retailer surveilled and shared any information beyond the fact that she simply visited the website.
In a memorandum opinion signed by Circuit Judge Michelle T. Friedland, Senior Circuit Judge Marsha S. Berzon, and District Court Judge Matthew F. Kennelly of the Northern District of Illinois, sitting by designation, the court found that the plaintiff failed to allege that any “contents” of her communications were intercepted, as required for a violation, where she did not claim to have signed in or made purchases on the site.
Plaintiff Amanda Daghaly filed the complaint, on Jan. 24, 2023, in the U.S. District Court for the Southern District of California against the retailer and “any related entities,” asserting claims under the California Invasion of Privacy Act (“CIPA”), a series of statutes enacted in 1994 to protect unwanted intrusion into private conversations.
Allegations in Complaint
Daghaly asserts that Bloomingdales violated Penal Code §631(a), which prohibits the reading, learning, or use of the “contents or meaning of any message, report, or communication” without consent. CIPA allows for civil penalties and a private right of action for violations of the statutory scheme.
The operative complaint alleges:
“Defendants use recent developments in technology to surreptitiously record visitors to its website using JavaScript software code that continuously wiretap Internet users’ keystrokes, mouse movements, clicks, webpage locator data, and/or other electronic communications….These scripts are placed on a website or app and are responsible for recording the user’s actions (the ‘Session Replay Code’). When a user visits www.bloomingdales.com, the Session Replay Code begins recording their interactions for storage in video form on a server for playback, including by third parties….
“….Because session replay records every action a user takes on a website, it can also record sensitive information such as login credentials and personal information entered into forms. Defendants’ use of Session Replay Code is therefore an unusual and highly offensive form of monitoring and wiretapping sensitive personal data, including data not intended to be shared with third parties….
“….Defendants also use code developed by Meta Platforms, Inc….This code is known as Meta Pixel and records users’ activity on sites all around the Internet and transmits logs of that activity back to Meta….”
In June 2023, the defendant filed a motion to dismiss, arguing that the court lacks personal jurisdiction over the Ohio company, which has its principal place of business in New York, as the plaintiff has failed to establish that the retailer purposefully directed its activities at California or that her claims arise out of any such actions.
Bloomingdales also asserted that the complaint failed to state a claim, pointing out that the retailer disclosed the challenged practices in its publicly available privacy policy.
On Oct. 6, 2023, Senior District Court Judge James Lorenz dismissed, with leave to amend, on jurisdiction grounds. He wrote:
“The claims here arise solely out of Plaintiff’s browsing of Defendant’s website and Defendant’s use of session replay code….[T]he physical sale of merchandise in California…does not underlie, or even relate to, Plaintiff’s claim of digital eavesdropping. Plaintiff has thus failed to show any connection between Defendant’s forum-related contacts and the harm she suffered.”
Lorenz expressed “skepticism” that any amendment could “cure the jurisdictional deficiencies” and judgment was entered, at the plaintiff’s request, on Nov. 9, 2023.
Ninth Circuit View
Berzon, Friedland, and Kennelly noted that the Legislature intended, in enacting CIPA, to protect “historical privacy rights” which have “long been actionable at common law” and that the act “thus ‘’codif[ies] a substantive right to privacy, the violation of which gives rise to a concrete injury sufficient to confer standing.’ ”
Looking to the allegations in the complaint, they said:
“Daghaly makes general allegations about how Bloomingdales.com intercepts website visitors’ communications and monitors their actions….She also alleges that the information collected is transmitted to third parties. But Daghaly’s allegations about her own interactions with the Bloomingdales.com website are sparse. She alleges only that she ‘visited’ and ‘accessed’ the website. She states that she was ‘subjected to the interception of her Website Communications,’ but she does not allege that she herself actually made any communications that could have been intercepted once she had accessed the website. She does not assert, for example, that she made a purchase, entered text, or took any actions other than simply opening the webpage and then closing it.”
The jurists continued:
“[The plaintiff] points to no authority suggesting that the fact that she visited Bloomingdales.com (as opposed to information she might have entered while using the website) constitutes ‘contents’ of a communication within the meaning of CIPA Section 631….Even inferring from Daghaly’s complaint that the fact of her visit to the Bloomingdales.com website was ‘transmitted to one or more third parties,’ that transmission cannot without more provide the basis for a Section 631 claim.”
They concluded:
“Daghaly has thus failed to ‘clearly allege facts demonstrating’ that she ‘suffered an injury in fact that is concrete, particularized, and actual or imminent.’….We therefore affirm the district court’s dismissal of Daghaly’s complaint. Our affirmance is based solely on Daghaly’s failure to establish standing; we have not considered whether the district court properly determined that it lacked personal jurisdiction over Bloomingdales.com.”
Personal Jurisdiction
Noting that “[t]he district court dismissed the complaint for lack of personal jurisdiction rather than lack of standing,” they remarked:
“[The court] did not consider whether to allow amendment so as to plausibly allege standing. We therefore vacate the district court’s entry of final judgment and remand with instructions that the district court grant leave to amend….If Daghaly can establish standing after amendment, the district court can consider anew whether specific personal jurisdiction can be established….”
The court noted that the determination of personal jurisdiction may be informed by the upcoming decision in Briskin v. Shopify, for which en banc rehearing was ordered in May.
In 2023, the three-judge panel in Briskin held that the plaintiff failed to allege facts to support personal jurisdiction in his complaint against Shopify, a nationwide web-based payment processing service. They found that the fact that the plaintiff was physically present in his home state of California when he used Shopify’s services did not establish jurisdiction where the defendant did not expressly aim its challenged conduct toward California.
The case is Daghaly v. Bloomingdales.com LLC, 23-4122.
Copyright 2024, Metropolitan News Company