Judge: Thomas D. Long, Case: 23STCV15919, Date: 2024-10-31 Tentative Ruling

Case Number: 23STCV15919    Hearing Date: October 31, 2024    Dept: 48

SUPERIOR COURT OF THE STATE OF CALIFORNIA

FOR THE COUNTY OF LOS ANGELES - CENTRAL DISTRICT

On July 3, 2023, Plaintiff Brittney Ramirez filed this action against Defendant Deckers Outdoor Corporation.  The Complaint alleges violations of (1) California Invasion of Privacy Act (“Section 631”), and (2) California Unauthorized Access to Computer Data Act (“Section 502”).

On February 15, 2024, Defendant filed a demurrer.

DISCUSSION

A demurrer for sufficiency tests whether the complaint states a cause of action.  (Hahn v. Mirda (2007) 147 Cal.App.4th 740, 747.)  When considering demurrers, courts read the allegations liberally and in context, accepting the alleged facts as true.  (Nolte v. Cedars-Sinai Medical Center (2015) 236 Cal.App.4th 1401, 1406.)

Plaintiff alleges that Defendant’s website contains code that intercepts the inquiries that consumers believe are being sent directly to Defendant and diverts them to non-party Gladly.  (Complaint ¶ 9.)  Gladly gains access to users’ information and stores it for its own purposes, without Defendant informing its website users.  (Complaint ¶¶ 10-12.)  Gladly also shares the data it collects and stores with Defendant, who adds the data to the existing profiles it has surreptitiously collected from its users.  (Complaint ¶ 11.)  Plaintiff alleges that “Defendant secretly records those conversations and pays third parties to eavesdrop on them in real time to be ‘targets’ for non descript mercantile campaigns.”  (Complaint ¶ 12.)

A.        Plaintiff Does Not Allege a Claim Under Penal Code Section 631.

The California Invasion of Privacy Act sets forth four manners through which a person may have unlawfully engaged in wiretapping: (1) “by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system”; (2) “who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state”; (3) “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained”; or (4) “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section.”  (Pen. Code, § 631, subd. (a).)

            1.         Plaintiff Cannot Allege a Claim Under the First Clause.

Plaintiff alleges that Defendant permitted Gladly to record and eavesdrop upon Plaintiff’s communications through its website.  (Complaint ¶¶ 17-19.)  “[C]ourts have repeatedly found that [the first] clause applies only to eavesdropping on ‘telegraph and telephone’ wires, lines, cables, or instruments, and not to any eavesdropping that is alleged to have occurred as to communications over the internet.”  (Heiting v. Taro Pharmaceuticals USA, Inc. (C.D. Cal. 2023) 709 F.Supp.3d 1007, 1014 (Heiting).)  “[B]ecause Plaintiff alleges interception of a chat communication on Defendant’s website, instead of over the phone, Plaintiff cannot state a claim under the first clause of section 631(a).”  (Ibid.)

Plaintiff argues that the first clause does apply to the internet, citing Javier v. Assurance IQ, LLC (9th Cir., May 31, 2022, No. 21-16351) 2022 WL 1744107 and that court’s statement that “[t]hough written in terms of wiretapping, Section 631(a) applies to Internet communications.”  (Opposition at p. 4.)  The Javier court’s next sentence is, “It makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’”  This is language from the second clause of Section 631, subdivision (a), not the first clause.

In sum, Plaintiff cannot allege a CIPA claim based on the first clause.

            2.         Plaintiff Does Not Sufficiently Allege a Claim Under the Second Clause.

Defendant argues that the party exception applies here.  (Demurrer at pp. 12-14.)  A party to the communication is exempt from liability under CIPA.  (Williams v. What If Holdings, LLC (N.D. Cal., Dec. 22, 2022, No. C 22-03780 WHA) 2022 WL 17869275, at *3.)  “[The] relevant inquiry here is whether a website owner’s usage of third-party recordation software can be considered equivalent to having hired a third party to record.  That inquiry thus determines whether or not the software provider can be considered a third party in the first place for purposes of a Section 631(a) analysis. . . . [A] key distinction is whether or not the alleged third-party software provider aggregates or otherwise processes the recorded information, which might suggest that the software vendor independently ‘uses’ the gathered data in some way.”  (Ibid.)

Plaintiff alleges that after Gladly gains access to users’ information, “it stores it for its own purposes.”  (Complaint ¶ 10.)  At the pleading stage, this is sufficient to allege that Gladly (and not only Defendant) obtained or stored the intercepted information for its own uses, and Defendant aided Gladly’s interception.

Defendant argues that Plaintiff does not allege interception while in transit.  (Demurrer at pp. 14-15.)  “Alleging that the defendant[] intercepted a communication in real time is insufficient, without specific facts about what was intercepted and when or how the interception took place.”  (Valenzuela v. Super Bright LEDs Inc. (C.D. Cal., Nov. 27, 2023, No. EDCV2301148JAKSPX) 2023 WL 8424472, at *10.)  Plaintiff alleges that Defendant’s code “intercepts the inquiries that consumers believe are being sent directly to [Defendant] and diverts them to gladly.com,” and Defendant “pays third parties to eavesdrop on them in real time.”  (Complaint ¶¶ 9, 12.)  “Plaintiff has not added any additional factual details to make clear when the interception occurred.  Merely parroting the statutory requirement that it occurred in transit is insufficient.”  (Heiting, supra, 709 F.Supp.3d at p. 1019.)

Defendant argues that Plaintiff does not allege that the contents of her communication were intercepted.  (Demurrer at pp. 15-16.)  Plaintiff alleges that Defendant “collects a wide range of personal information from website users and consumers, including personal identifiers, unique device identifiers, persistent identifiers and may deduce additional demographic details like gender; transaction details; precise location details, including GPS data, IP addresses; various details about website usage, such as links clicked, page views, searches, time spent, and interactions with others; inferences, social media interactions and other information.”  (Complaint ¶ 11.)  “Within the past year, Plaintiff used the chat box feature on [Defendant’s] site, however, Defendant did not inform Plaintiff that Defendant was not communicating with Deckers at all.”  (Complaint ¶ 13.)  The Court cannot assume what the contents of any communications were when the Complaint generally alleges collection of personal information, but it does not allege that Defendant in fact collected this data and does not allege any substantive communications by Plaintiff that she believes were intercepted.  (Heiting, supra, 709 F.Supp.3d at p. 1018.)

Plaintiff insufficiently alleges a CIPA claim based on the second clause.

3.         Plaintiff Does Not Allege a Claim Under the Third Clause.

“A violation under the third clause of § 631(a) is contingent upon a finding of a violation of the first or second clause of § 631(a).”  (Swarts v. Home Depot, Inc. (N.D. Cal. 2023) 689 F.Supp.3d 732, 744.)  Plaintiff does not sufficiently allege a violation of the first or second clauses, so she does not allege a claim under the third clause.  (See Demurrer at p. 16.)

The demurrer to the first cause of action is SUSTAINED.

B.        Plaintiff Does Not Allege a Claim Under Penal Code Section 502.

Section 502 imposes liability on a person who “(1) Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data”; or “(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network,” among other things.  (Pen. Code, § 502, subd. (c).)

Defendant argues that Plaintiff does not allege that Defendant acted “without permission.”  (Demurrer at pp. 16-18.)  “Without permission” means “accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers.”  (Facebook, Inc. v. Power Ventures, Inc. (N.D. Cal., July 20, 2010, No. C 08-05780 JW) 2010 WL 3291750, at *11.)  Plaintiff alleges that Defendant “exceeded the scope of its authorization from Plaintiff,” and “no authorization was provided by Plaintiff at all and no authorization for the data collection by means of using a chat box is ever requested or given.”  (Complaint ¶¶ 23-24.)  This does not allege that Defendant acted “without permission” under Section 502.

Defendant argues that Plaintiff does not allege that Defendant used data inappropriately.  (Demurrer at pp. 18-19.)  The phrase “or otherwise uses” in Section 502 is narrowly construed “to refer to uses that involve data alteration, damage, deletion, and destruction.”  (Ticketmaster L.L.C. v. Prestige Entertainment West, Inc. (C.D. Cal. 2018) 315 F.Supp.3d 1147, 1175, fn. 5.)  Plaintiff alleges only that Defendant allowed Gladly to use information about her IP address, geolocation, and browser history.  (Complaint ¶ 26.)  This does not allege a prohibited use.

Finally, Defendant argues that Plaintiff does not allege that she was damaged.  (Demurrer at pp. 19-20.)  “[T]he owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss by reason of a violation of any of the provisions of subdivision (c) may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief.”  (Pen. Code, § 502, subd. (e)(1).)  “[T]he CDAFA’s private right of action contemplates some damage to the computer system, network, program, or data contained on that computer, as opposed to data generated by a plaintiff while engaging with a defendant’s website.”  (Heiting, supra, 709 F.Supp.3d at p. 1021.)  Plaintiff does not allege any harm other than Defendant allowing Gladly to collect her data.  (Complaint ¶ 26.)

The demurrer to the second cause of action is SUSTAINED.

CONCLUSION

The demurrer is SUSTAINED with 30 days’ leave to amend.

Moving party to give notice.

Parties who intend to submit on this tentative must send an email to the Court at SMCDEPT48@lacourt.org indicating intention to submit.  If all parties in the case submit on the tentative ruling, no appearances before the Court are required unless a companion hearing (for example, a Case Management Conference) is also on calendar.

         Dated this 31st day of October 2024