Cases Provide Headwinds for Plaintiffs in Website Tracking Claims, Lawyers Say
Several court decisions in California have benefited the plaintiffs as they pursue website tracker litigation, according to two recent attorney blogs.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Troutman Amin lawyer Tori Guidry discussed how a federal court ruled favorably for the plaintiffs, whose attorney used the crime-tort exception to overtake the party exception in Smith v. Rack Room Shoes.
In a Monday blog post, Guidry noted the plaintiffs in Smith alleged that Rack Room used embedded code from third parties, "including Meta and Attentive ... intercept[ed] their communications and personally identifiable information [PII] without their consent and transmit[ted] it to ... third parties."
Previously, the court found the footwear store's privacy policy failed to inform consumers that third parties could collect their PII for commercial purposes. However, Rack Room argued that the party exception negated the claim. Under the party exception, the shoe company held that since it had communicated with online visitors and it consented to the interception of data, there was no crime.
However, the court found that the plaintiffs plausibly alleged that the crime-tort exception negates the party exception because interception of the data was done “for the purpose of committing [a] ... criminal or tortious act.” For Guidry, the key question was "whether the defendant had an independent prohibited purpose beyond the act of interception itself."
The tortious purpose was Rack Room's intent to disclose customer PII for targeted advertising, which directly contradicted its privacy policy, Guidry added. "This subsequent use, the court reasoned, constituted a further invasion of privacy, satisfying the requirement for an independent tortious act."
Accordingly, the case will move ahead, "which continues the trend of courts allowing these website tracker cases to move past the pleading stage," Guidry concluded.
Similarly, a Hogan Lovells blog post mentioned additional federal cases that "emboldened" plaintiffs' attorneys "with a potential new tool to wield in the ongoing wave of litigation targeting businesses for their use of routine website technologies." The cases expand what counts as data breach litigation and widens the scope of the private right of action under the California Consumer Privacy Act (CCPA).
In M.G. v. Therapymatch, the plaintiff brought a CCPA claim, contending an analytics tool on an online platform transmitted visitors' browsing information to a third party. The U.S. District Court for Northern California noted that "courts 'have let CCPA claims survive a motion to dismiss where a plaintiff alleges that defendants disclosed plaintiff’s personal information without his consent due to the business’s failure to maintain reasonable security practices,'” and allowed the case to continue.
The same district court "permitted a CCPA claim to proceed" in In re BetterHelp, said the Hogan Lovells lawyers, "after finding that plaintiff’s information was disclosed 'because BetterHelp affirmatively allowed the tracking software on its websites -- which can reasonably be argued was not an appropriate security procedure or practice, given the nature of the information.'”
While other courts may disagree with these interpretations, the Hogan Lovells lawyers said "businesses are well-advised to proactively mitigate the risk of website privacy claims more generally." Maintaining an inventory of website technologies, reviewing their configurations, enhancing privacy disclosures and reviewing and updating vendor contracts are actions that businesses can take, they said.