Judge: Robert B. Broadbelt, Case: 23STCV22583, Date: 2024-05-30 Tentative Ruling

Case Number: 23STCV22583    Hearing Date: May 30, 2024    Dept: 53

Superior Court of California

County of Los Angeles – Central District

Department 53

MOVING PARTY:                 Defendant Valvoline, Inc.      

RESPONDING PARTY:       Plaintiff Anne Heiting

Demurrer to Complaint

The court considered the moving, opposition, and reply papers filed in connection with this demurrer.

DISCUSSION

Plaintiff Anne Heiting (“Plaintiff”) filed the Complaint in this action against defendant Valvoline, Inc. (“Defendant”) on September 19, 2023, alleging two causes of action against Defendant for (1) violations of the California Invasion of Privacy Act (Cal. Pen. Code, § 631), and (2) violations of the California Unauthorized Access to Computer Data Act (Cal. Pen. Code, § 502(e)).

Defendant now moves the court for an order sustaining its demurrer to each cause of action alleged in Plaintiff’s Complaint.

The court overrules Defendant’s demurrer to the first cause of action for violations of the California Invasion of Privacy Act (Cal. Pen. Code, § 631) (“CIPA”) because it states facts sufficient to constitute a cause of action.  (Code Civ. Proc., § 430.10, subd. (e).)

“Subdivision (a) of [Penal Code] section 631 prescribes criminal penalties for three distinct and mutually independent patterns of conduct: intentional wiretapping, willfully attempting to learn the contents or meaning of a communication in transit over a wire, and attempting to use or communicate information obtained as a result of engaging in either of the previous two activities.”  (Tavernetti v. Superior Court (1978) 22 Cal.3d 187, 192.)  This statute states, in relevant part, the following:  “Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection . . . , or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned in this section, is punishable by a fine” or imprisonment.  (Pen. Code, § 631, subd. (a).)

The court finds that Plaintiff has pleaded facts establishing that Defendant violated Penal Code section 631, subdivision (a), by pleading facts showing that Defendant “aid[ed]  . . . or conspire[d] with” InContact “to unlawfully do, or permit, or cause to be done” the use of information read or learned “without the consent of all parties to the communication” “while the same [was] in transit or passing over any wire, line, or cable, or [was] being sent from, or received at any place within” California.  (Pen. Code, § 631, subd. (a).)

First, Plaintiff has alleged that Defendant pays third parties, including InContact, to eavesdrop on conversations taking place on Defendant’s chat box feature.  (Compl., ¶ 13.)  The court finds that this is sufficient to allege that Defendant was aiding or conspiring with InContact to engage in the allegedly wrongful acts alleged in the Complaint. 

Second, Plaintiff has alleged that (1) the code on Defendant’s website embeds content from InContact, thereby redirecting Defendant’s consumers from Defendant to InContact’s website (Compl., ¶ 9); (2) InContact stores the information obtained through this process for its own purposes (Compl., ¶ 10); and        (3) Defendant pays third parties (i.e., InContact) “to eavesdrop on [consumers] in real time to be ‘targets’ for non-descript mercantile campaigns” (Compl., ¶ 12).  Although Defendant contends that Plaintiff has not alleged facts establishing that Plaintiff’s communications were obtained while they were in transit, the court disagrees.  The court finds that the allegations set forth above, including the allegation that Defendant paid InContact to eavesdrop on its consumers “in real time” (Compl., ¶ 12 [emphasis added]), establish that Plaintiff’s communications were obtained “while the same [were] in transit” within the meaning of the CIPA.  (Pen. Code, § 631, subd. (a).)    

Third, the court finds that Defendant has not met its burden to show that, when accepting all the allegations pleaded as true, it cannot be liable under this statute because it, and by extension, InContact, were parties to the communications.

The CIPA “contain[s] an exemption from liability for a person who is a ‘party’ to the communication, whether acting under the color of law or not.”[1]  (In re Facebook, Inc. Internet Tracking Litigation (9th Cir. 2020) 956 F.3d 589, 607 (“In re Facebook”).)  There are “two general avenues of decision” in interpreting this exception.  (Javier v. Assurance IQ, LLC (N.D. Cal. 2023) 649 F.Supp.3d 891, 898.)  “The first set of cases holds that software providers . . . are third parties within the meaning of Section 631[,]” while “[t]he second set of cases . . . holds that software vendors . . . are ‘extension[s]’ of the websites that employ them, and thus not third parties within the meaning of the statute.”  (Id. at p. 899.)  Defendant contends that the court should apply the reasoning set forth in the second set of cases to the circumstances here, arguing that “Defendant hired inContact as a tool to record and analyze data to support [Defendant’s] business” and InContact has only shared information from Defendant’s website to Defendant.  (Demurrer, pp. 14:25-28, 15:2-3.)

Even if the court were to follow the reasoning set forth in the second set of cases, the court finds that Defendant has not shown that the facts pleaded in Plaintiff’s Complaint allege that InContact is merely an extension of Defendant within the meaning of those cases.  The court acknowledges that Plaintiff has alleged that “InContact also shares the data it collects and stores with [Defendant] who adds the data to the existing profiles it has surreptitiously collected from its users[,]” (Compl., ¶ 11), and therefore may operate similarly to the vendors determined to be extensions of a party to the subject communications in the second set of cases.  (See, e.g., Graham v. Noom (N.D. Cal. 2021) 533 F.Supp.3d 823, 832 [finding that, because “FullStory is a vendor that provides a software services that captures its clients’ data, hosts it on FullStory’s servers, and allows the clients to analyze their data[,]” and because there were “no allegations here that FullStory intercepted and used the data itself[,]” FullStory was an extension of Noom and merely provided a tool to allow Noom to record and analyze its own data in the aid of Noom’s business].)  However, Plaintiff has also alleged—and therefore the court has accepted as true—that “[o]nce InContact gains access to the user’s information, it stores it for its own purposes” (Compl., ¶ 10 [emphasis added]).  Thus, Plaintiff has not alleged that InContact solely operates as a “tool” allowing Defendant to analyze and record its own data in the course of its business.  (Graham, supra, 533 F.Supp. at p. 832.)  The court therefore finds that Defendant has not shown, for the purposes of this demurrer, that the party exemption applies.

The court sustains Defendant’s demurrer to the second cause of action for violations of the California Unauthorized Access to Computer Data Act (Cal. Pen. Code, § 502(e)) because it does not state facts sufficient to constitute a cause of action since Plaintiff did not allege facts establishing that she has suffered damage or loss because of the alleged violation of Penal Code section 502, subdivision (c).  (Code Civ. Proc., § 430.10, subd. (e); Pen. Code, § 502, subd. (e)(1) [the owner of a computer or data “who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief”] [emphasis added]; Esparza v. Kohl’s, Inc. (S.D. Cal. 2024) ___ F. Supp.3d ___, 2024 WL 1152732, *7 [“To bring a private cause of action under section 502, which is otherwise a criminal statute, a plaintiff must plead that he ‘suffers damage or loss’ due to the criminal violation”].)

ORDER

The court overrules defendant Valvoline, Inc.’s demurrer to plaintiff Anne Heiting’s first cause of action for violations of the California Invasion of Privacy Act (Cal. Pen. Code, § 631).

The court sustains defendant Valvoline, Inc.’s demurrer to plaintiff Anne Heiting’s second cause of action for violations of the California Unauthorized Access to Computer Data Act (Cal. Pen. Code, § 502(e)).

            The court grants plaintiff Anne Heiting 20 days leave to file a First Amended Complaint that cures the defects in the second cause of action set forth in this ruling.

            The court orders defendant Valvoline, Inc. to give notice of this ruling.

IT IS SO ORDERED.

DATED:  May 30, 2024

_____________________________

Robert B. Broadbelt III

Judge of the Superior Court