Judge Bruce G. Iwasaki, Case Number: 23STCV26294, Date: 2024-01-05 Tentative Ruling

Tentative Ruling: The Demurrer to the Complaint is sustained with leave to amend.

The Complaint alleges that Plaintiff Anne Heiting (Plaintiff) accessed the website of Defendant Design Holdings, Inc. (Defendant). Thereafter, Design Holdings allegedly invaded Plaintiff’s right to privacy without her consent by aiding a third-party company, Salesforce, to secretly eavesdrop, record, and harvest data from Plaintiff’s interaction with Design Holdings’ chat box on its website. The Complaint alleges causes of action for (1.) Violations of the California Invasion of Privacy Act (CIPA), and (2.) Violations of the California Unauthorized Access to Computer Data Act (CDAFA).

On October 24, 2023, Defendant demurred to the Complaint. Plaintiff filed an opposition to the demurrer.

Defendant’s request for judicial notice of Exhibits A-B is denied. The request for judicial notice of Exhibit A is irrelevant. The request for judicial notice of Defendant’s Privacy Policy is not a proper basis for judicial notice; Defendant selectively quotes City of Pomona v. Superior Court (2001) 89 Cal.App.4th 793, omitting critical portions. The case states in full: “Where written documents are the foundation of an action and are attached to the complaint and incorporated therein by reference, they become a part of the complaint and may be considered on demurrer.” (Id. at 800.) Here, the Privacy Policy was not attached to the Complaint or even referred to in the Complaint.

A demurrer is an objection to a pleading, the grounds for which are apparent from either the face of the complaint or a matter of which the court may take judicial notice. (Code Civ. Proc. § 430.30, subd. (a); see also Blank v. Kirwan (1985) 39 Cal.3d 311, 318.) The purpose of a demurrer is to challenge the sufficiency of a pleading “by raising questions of law.” (Postley v. Harvey (1984) 153 Cal.App.3d 280, 286.) “In the construction of a pleading, for the purpose of determining its effect, its allegations must be liberally construed, with a view to substantial justice between the parties.” (Code Civ. Proc. § 452.) The court “ ‘ “treat[s] the demurrer as admitting all material facts properly pleaded, but not contentions, deductions or conclusions of fact or law . . . .” ’ ” (Berkley v. Dowds (2007) 152 Cal.App.4th 518, 525.) In applying these standards, the court liberally construes the complaint to determine whether a cause of action has been stated. (Picton v. Anderson Union High School Dist. (1996) 50 Cal.App.4th 726, 733.)

First Cause of Action – Violations of the California Invasion of Privacy Act (Penal Code section 631, subdivision (a):

Defendant argues the first cause of action fails to allege facts sufficient to state a claim.

Penal Code section 631(a) provides that a person who does any of the following has acted in violation of California’s Invasion of Privacy Act (CIPA):

“Any person who, by means of any machine, instrument, or contrivance, or in any other manner, [i] intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephone communication system, or [ii] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [iii] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [iv] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above.”

Here, the Complaint alleges that Plaintiff was browsing Defendant’s website, www.danishdesignstore.com, and interacted with a chat box on the site. (Compl., ¶ 8.) The Complaint further alleges that Defendant recorded Plaintiff’s conversation and paid a third-party company, Salesforce.com (Salesforce), to eavesdrop in real time, harvest and commoditize Plaintiff’s personal information through her interaction with a chat box. (Compl., ¶¶ 9-10, 13.) Plaintiff alleges that Design Holdings’ failure to disclose its use of Salesforce as a service provider violates CIPA, because “Design Holdings did not obtain Plaintiff’s express or implied consent to wiretap or allow third parties to eavesdrop on visitor conversations.” (Compl., ¶¶ 14, 13-20.)

Defendant argues these allegations fail as matter of law. The statue has four clauses; the first three clauses are premised on direct liability while the last is premised on derivative—or aiding and abetting—liability.

With respect to the first three clauses, Plaintiff’s claims of liability fail against Defendant under the “party exception” rule.

CIPA contains an exemption from liability for a person who was a “party” to a communication. (Ribas v. Clark (1985) 38 Cal.3d 355, 359; Warden v. Kahn (1979) 99 Cal.App.3d 805, 811 [“[S]ection 631 ... has been held to apply only to eavesdropping by a third party and not to recording by a participant to a conversation.”].)

Here, the Complaint alleges that that “[d]uring a browsing session” on Design Holdings’ website she “utilized the chat box feature” and she “was not informed that her conversations were being recorded and exploited for commercial surveillance purposes without her consent.” (Compl., ¶ 8.)

Defendant argues that none of the of the direct liability clauses of Section 631 apply here because Defendant cannot eavesdrop on its own conversation. Further, Plaintiff’s Opposition does not contend that direct liability applies.

Defendant argues that the derivative liability for “aiding and abetting” also does not apply. Specifically, it maintains that (a) Plaintiff fails to allege an underlying CIPA violation; (b) Plaintiff’s allegations show that Salesforce was a third-party tool that was utilized by Design Holdings as a mere extension of its own operations; and (c) Plaintiff fails to allege Design Holdings knew of (or specifically intended to aid) Salesforce’s alleged plan to violate CIPA. (Dem., 14:28-15:3.)

With respect to the second argument, the allegations show that Salesforce was a third-party tool that was utilized by Design Holdings as a mere extension of its own operations.

Numerous courts that have held that the statute requires plaintiffs to allege facts indicating that the third party is recording the customers’ information “for some use or potential future use beyond simply supplying this information back to Defendant.” (Cody v. Boscov's, Inc. (C.D. Cal. 2023) 658 F.Supp.3d 779, 782 [dismissing with leave to amend claim for aiding wiretapping where Plaintiff's only allegation related to the software providers was that they “harvest valuable data from such [customer] communications for the benefit of their clients like Defendant”].) “One is not considered a third-party eavesdropper when they merely provide a tool that allows another party to record and analyze its own data.” (Nora Gutierrez v. Converse Inc. (C.D. Cal., Oct. 27, 2023, No. 223CV06547RGKMAR) 2023 WL 8939221, at *3.)[1]

Here, the Complaint alleges that “Design Holdings collects a wide range of personal information from website users and consumers, including personal identifiers, device information, browser information, operating system information, location details; such as GPS address and IP address, and may deduce additional demographic details like gender and age; various details about website usage such as date and time the user accessed the website; social media information, inferences and other information.” (Compl., ¶ 11.) The Complaint alleges that SalesForce “shares the data it collects and stores with Design Holdings who adds the data to the existing profiles it has surreptitiously collected from its users.” (Compl., ¶ 11.)

This allegation does not indicate that that SalesForce was recording the information for its own benefit, but rather for use by Design Holdings.

The Complaint also continues by alleging SalesForce “stores it for its own purposes.” (Compl., ¶ 10.) However, this allegation is entirely conclusory and lacking in any ultimate facts. (See e.g., Cody v. Boscov's, Inc. (C.D. Cal. 2023) 658 F.Supp.3d 779, 782–783 [“Here, Plaintiff's sole relevant allegation that Webex and Customer use the code embedded in the chat program to “harvest valuable data from such [customer] communications for the benefit of their clients like Defendant” [Dkt. 12 at ¶ 11] is too vague and conclusory to meet this standard.”]; see also Byars v. Hot Topic, Inc. (C.D. Cal. 2023) 656 F.Supp.3d 1051, 1067.)

Thus, the Complaint fails to demonstrate that Defendant used third-party vendor, SalesForce, as a “third-party eavesdropper;” rather, the allegations show nothing more than Defendant using SalesForce in aid of Defendant’s business and not for some other purpose, which makes the third-party an “extension” of Defendant's website. (Byars v. Hot Topic, Inc. (C.D. Cal. 2023) 656 F.Supp.3d 1051, 1068.)

Second Cause of Action – Violations of the California Unauthorized Access to Computer Data Act (Penal Code section 6520, subdivision (e):

Defendant also argues the second cause of action fails to allege facts sufficient to state a claim.

The Comprehensive Computer Data Access and Fraud Act (CDAFA) imposes liability on a person who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.” (Pen. Code, § 502, subd. (c)(2).)

Defendant argues that the Complaint fails because it alleges neither that it acted without permission, nor that Plaintiff suffered any damages.

A party is liable under the CDAFA only if it accesses computer data without permission. (Pen. Code, § 502, subd. (c)(2).) Although the CDAFA does not define the term “without permission,” courts have interpreted the term to require the defendant to act “in a manner that overcomes technical or code-based barriers.” (Nora Gutierrez v. Converse Inc. (C.D. Cal., Oct. 27, 2023, No. 223CV06547RGKMAR) 2023 WL 8939221, at *4 [citing In re iPhone Application Litig. (N.D. Cal., Sept. 20, 2011, No. 11-MD-02250-LHK) 2011 WL 4403963, at *12 and New Show Studios LLC v. Needle (C.D. Cal., June 30, 2014, No. 2:14-CV-01250-CAS) 2014 WL 2988271, at *7].) Therefore, “the mere fact that a plaintiff does not consent to an action does not create liability under the CDAFA.” (Nora Gutierrez v. Converse Inc. (C.D. Cal., Oct. 27, 2023, No. 223CV06547RGKMAR) 2023 WL 8939221, at *4.)

For example, in In re Facebook Privacy Litigation, the district court dismissed a CDAFA cause of action against a website operator for “nonconsensual transmissions” of user data from the operator’s website to third parties because, based on the pleadings, “there were clearly no technical barriers blocking [d]efendant from accessing its own website.” (In re Facebook Privacy Litigation (N.D. Cal. 2011) 791 F.Supp.2d 705, 716.)

Here, Plaintiff only alleges that “[P]laintiff was not informed that her conversations were being recorded and exploited for commercial surveillance purposes without her consent.” (Compl., ¶ 8.) The Complaint alleges that “Design Holdings fails to inform its website users that their communications are being monitored and stored using an ‘event listener.’” (Compl., ¶ 10.) As discussed above, these allegations are insufficient to demonstrate that Defendant’s alleged access of Plaintiff’s data lacked Plaintiff’s consent, as defined under the statute.

Defendant also argues that Plaintiff failed to allege any damage. Under the CDAFA, the plaintiff must suffer a “cognizable loss.” (Pratt v. Higgins (N.D. Cal., July 17, 2023, No. 22-CV-04228-HSG) 2023 WL 4564551, at *9.) “In the context of a § 502 violation, ‘loss’ has been defined to encompass costs related to fixing a computer, lost revenue, or other consequential damages incurred due to an interruption of computer services.” (Ibid.)

The Opposition fails to point to any specific allegations in the Complaint demonstrating a cognizable loss suffered as result of the purported violation of the CDAFA. Thus, the demurrer to this cause of action is also sustained.

The demurrer is sustained as to the first and second causes of action. Plaintiff shall have leave to amend. The amended complaint shall be served and filed on or before February 5, 2024.

[1] Admittedly, as argued by Plaintiff, this determination is generally a question of fact. (Yoon v. Lululemon USA, Inc. (C.D. Cal. 2021) 549 F.Supp.3d 1073, 1081.) Nonetheless, adequate facts must still be alleged to state a claim.

Judge Bruce G. Iwasaki

Department 58