Hazel v. Prudential Financial, Inc. ( 2023 )


Menu:
  • 1 2 3 4 5 6 7 8 IN THE UNITED STATES DISTRICT COURT 9 FOR THE NORTHERN DISTRICT OF CALIFORNIA 10 11 TYRONE HAZEL, et al., Case No. 22-cv-07465-CRB 12 Plaintiffs, ORDER GRANTING IN PART AND 13 v. DENYING IN PART MOTION TO DISMISS 14 PRUDENTIAL FINANCIAL, INC., et al., 15 Defendants. 16 Plaintiffs Tyrone Hazel, Roxane Evans, Valerie Torres, and Rhonda Hyman allege 17 that Prudential Financial employed a software provider, ActiveProspect (together, 18 “Defendants”) to collect their information without their consent as they sought a life 19 insurance quote. See Am. Compl. (dkt. 18). Plaintiffs bring claims for violations of 20 Section 631 of the California Invasion of Privacy Act (“CIPA”), Invasion of Privacy under 21 the California Constitution, and the California Unfair Competition Law (“UCL”). Id. 22 ¶¶ 89–121. 23 This action is just the latest in a long line of cases challenging the use of third-party 24 software to record website visitors’ activity without their knowledge, including 25 ActiveProspect’s “TrustedForm” software in particular.1 In a related case, Javier v. 26 27 1 See, e.g., Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 114225 (N.D. Cal. 1 Assurance IQ, the Court held that the plaintiff had plausibly pleaded that ActiveProspect 2 was a third-party eavesdropper within the meaning of Section 631(a). Javier v. Assurance 3 IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 114225, at *3–6 (N.D. Cal. Jan. 5, 2023). 4 That order, however, did not address Defendants’ primary argument for dismissal of the 5 Section 631(a) claim here: That Plaintiffs fail to plead that their communications on 6 Prudential’s website were intercepted “in transit.” Mot. (dkt. 21) at 6–9. 7 Finding this matter suitable for resolution without oral argument pursuant to Civil 8 Local Rule 7-1(b), as explained below, the Court DENIES Defendants’ motion as to 9 Plaintiffs’ Section 631(a) and Invasion of Privacy claims, and GRANTS Defendants’ 10 motion as to Plaintiffs’ UCL claim. 11 I. BACKGROUND 12 Prudential runs an online platform for users to seek life insurance quotes. Am. 13 Compl. ¶ 1. A user enters information about their demographics, family situation, and 14 medical history, and then clicks “Continue, I Agree,” which signals that the user has 15 “received Prudential’s Privacy Notice,” which they can review by clicking a link on that 16 same page. Id. ¶¶ 43, 45. Prudential’s privacy notice states that it “may share your 17 personal information, including information about your transactions and experiences, 18 among Prudential companies and with other non-Prudential companies who perform 19 services for us or on our behalf, for our everyday business purposes.” Id. ¶ 46. 20 Prudential partners with ActiveProspect to provide software for its website. Id. 21 ¶ 36. ActiveProspect makes a software product called “TrustedForm,” a “lead certification 22 product” that helps businesses authenticate user interactions with a website and document 23 user consent. Id. ¶ 24. Specifically, TrustedForm is a piece of code that can be pasted into 24 a webpage to record “keystrokes, mouse clicks, data entry, and other electronic 25 communications of visitors to websites,” id. ¶ 28, and “begins the moment a user accesses 26 or interacts with” that webpage. Id. ¶ 29. As a result, a website owner has a record of a 27 users’ entire interaction on its webform, which is hosted on ActiveProspect’s servers. Id. 1 Plaintiffs each visited Prudential’s website between March 2022 and January 2023. 2 Id. ¶¶ 57, 61, 65, 69. They entered the requested information, including medical 3 information, to obtain a life insurance quote. Id. ¶¶ 59, 63, 67, 71. Plaintiffs assert that 4 they did not know, as they filled out the webform on Prudential’s website, that their 5 information was also being “intercepted” by ActiveProspect. Id. ¶¶ 60, 64, 68, 72. 6 II. LEGAL STANDARD 7 Under Rule 12(b)(6) of the Federal Rules of Civil Procedure, a complaint may be 8 dismissed for failure to state a claim for which relief may be granted. Fed. R. Civ. P. 9 12(b)(6). Rule 12(b)(6) applies when a complaint lacks either a “cognizable legal theory” 10 or “sufficient facts alleged” under such a theory. Godecke v. Kinetic Concepts, Inc., 937 11 F.3d 1201, 1208 (9th Cir. 2019). Whether a complaint contains sufficient factual 12 allegations depends on whether it pleads enough facts to “state a claim to relief that is 13 plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. 14 v. Twombly, 550 U.S. 544, 570 (2007)). A claim is plausible “when the plaintiff pleads 15 factual content that allows the court to draw the reasonable inference that the defendant is 16 liable for the misconduct alleged.” Id. at 678. When evaluating a motion to dismiss, the 17 Court “must presume all factual allegations of the complaint to be true and draw all 18 reasonable inferences in favor of the nonmoving party.” Usher v. City of Los Angeles, 19 828 F.2d 556, 561 (9th Cir. 1987). However, it is “not bound to accept as true a legal 20 conclusion couched as a factual allegation.” Papasan v. Allain, 478 U.S. 265, 286 (1986); 21 Clegg v. Cult Awareness Network, 18 F.3d 752, 754–55 (9th Cir. 1994). 22 III. DISCUSSION 23 The Court addresses the Plaintiffs’ claims in the following order: First, their claim 24 under Section 631(a) of CIPA; second, their claim for invasion of privacy under the 25 California Constitution; and finally, their claim under the unlawful and unfair prongs of the 26 UCL. 27 A. Section 631(a) 1 First, Plaintiffs fail to plausibly plead that their communications were intercepted “in 2 transit”; and second, they fail to plausibly plead that ActiveProspect was a third-party 3 eavesdropper. 4 1. “In Transit” 5 To bring a claim under the second prong of Section 631(a), a plaintiff must plead 6 that another person “willfully and without the consent of all parties to the communication, 7 or in any unauthorized manner, reads, or attempts to read, or to learn the contents or 8 meaning of any message, report, or communication while the same is in transit or passing 9 over any wire, line, or cable, or is being sent from, or received at any place within this 10 state.” Cal. Penal Code § 631(a) (emphasis added). 11 Courts often look to the federal Wiretap Act, which prohibits the unauthorized 12 “intercept[tion]” of an “electronic communication,” to interpret the “in transit” prong of 13 Section 631(a). See, e.g., Licea v. Cinmar, LLC, No. CV 22-6454-MWF (JEM), 2023 WL 14 2415592, at *9 (C.D. Cal. Mar. 7, 2023); cf. In re Facebook, Inc. Internet Tracking Litig., 15 956 F.3d 589, 606–07 (9th Cir. 2020) (applying the same caselaw to interpret the “party 16 exception” to the federal Wiretap Act and Section 631). Under the Wiretap Act, courts 17 define “interception” narrowly: for data to be “intercepted,” “it must be acquired during 18 transmission, not while it is in electronic storage.” Konop v. Hawaiian Airlines, Inc., 302 19 F.3d 868, 878 (9th Cir. 2002); see also NovelPoster v. Javitch Canfield Grp., 140 F. Supp. 20 3d 938, 951–954 (N.D. Cal. 2014) (applying Konop to dismiss Wiretap Act and CIPA 21 claims). Thus, “any ‘interception under the meaning of the statute must occur during 22 transmission of the communication.” NovelPoster, 140 F. Supp. 3d at 953 (citing Konop, 23 302 F.3d at 878); see also Mastel v. Miniclip SA, 549 F. Supp. 3d 1129, 1137 (E.D. Cal. 24 2021) (“[T]he crucial question under § 631(a)’s second clause is whether [plaintiff] has 25 plausibly alleged that [defendant] read one of his communications while it was still in 26 transit, i.e., before it reached its intended recipient.”). 27 Plaintiffs allege that ActiveProspect’s software “records consumer interactions with 1 software onto their webforms, websites can “surreptitiously observe and record visitors’ 2 keystrokes, mouse clicks, and other electronic communications,” beginning from the 3 moment a user accesses the webpage, through TrustedForm’s “VideoReplay” feature. 4 Id. ¶¶ 3, 25, 29. This “data collection occurs in real time,” when “the verification server 5 [ActiveProspect] collects information about the visitor and the lead generator [Prudential] 6 during the communication session.” Id. ¶ 30. Once a user is moving through the 7 webform, ActiveProspect’s server “begins to monitor the webpage for any changes,” that 8 is, any mouse movements, mouse clicks, scrolling, or data entry. Id. ¶ 31. These 9 VideoReplay files are then stored on ActiveProspect servers. Id. ¶ 33. 10 Plaintiffs’ allegations are far more specific than the conclusory allegations regularly 11 held to fail to plead an interception “in transit” under CIPA and the Wiretap Act. See, e.g., 12 Rosenow v. Facebook, Inc., No. 19-CV-1297-WQH-MDD, 2020 WL 1984062, at *7 (S.D. 13 Cal. Apr. 27, 2020) (pleading only that “Yahoo knowingly used an algorithm to intercept 14 and scan Plaintiff’s incoming chat messages for content during transit before placing them 15 in electronic storage” was conclusory); Rodriguez v. Google LLC, No. 20-CV-04688-RS, 16 2022 WL 214552, at *2 (N.D. Cal. Jan. 25, 2022) (“Using the word ‘intercept’ repeatedly 17 is simply not enough without the addition of specific facts that make it plausible Google is 18 intercepting their data in transit.”); Valenzuela v. Keurig Green Mountain, Inc., No. 22- 19 CV-09042-JSC, 2023 WL 3707181, at *5 (N.D. Cal. May 24, 2023) (holding that 20 allegations that do “little more than restate the pleading requirement of real time 21 interception” do not state a claim under CIPA). 22 Further, neither of the two documents Defendants point to—ActiveProspect’s 23 TrustedForm patent nor the article on ActiveProspect’s community forum—squarely 24 contradict Plaintiffs’ allegations.2 Defendants point to Figure 1 of the patent, which shows 25 26 2 The Court incorporates by reference ActiveProspect’s TrustedForm patent, which is quoted extensively in the amended complaint, and the article on ActiveProspect’s community forum titled 27 “Active Prospect’s Session Replay,” which forms the basis of Plaintiffs’ allegation that ActiveProspect’s “recording” begins “the moment a user accesses or interacts with a webpage 1 the visitor (i.e., Plaintiffs), with an arrow pointing to the lead generator (i.e., Prudential) 2 and two arrows from the lead generator to the verification server (i.e., ActiveProspect) and 3 a lead buyer (i.e., a third party who may be interested in offering Plaintiffs a life insurance 4 quote). See RJN Ex. 1 at 2. But the patent also states that that Figure 1 “illustrates a 5 simplified block diagram of a communication system that may be utilized according to an 6 embodiment of the present disclosure,” in other words, it cannot be relied upon to show 7 that, as a matter of law, a user’s information is always stored with the lead generator before 8 it is transferred on to the verification server. Id. at 9; see also id. (stating that the figures 9 are “by way of illustration only” and the “invention may, however, be embodied in many 10 different forms and should not be construed as limited to the embodiments set forth 11 herein”). Therefore, whether the process by which ActiveProspect’s server becomes 12 “aware” of the user filling out the webform and begins “monitoring the web page for any 13 changes” happens while the user’s communication with the website is “in transit” or in 14 storage under Section 631(a) cannot be answered as a matter of law by reference to the 15 patent alone. Am. Compl. ¶ 31 (quoting RJN Ex. 1). And though the forum article does 16 not state that recording of the customer’s activity on the website hosting TrustedForm 17 begins “the moment a user accesses or interacts with a webpage using TrustedForm,” Id. 18 ¶ 29, it does state that Trusted Form “records” a user’s “interact[ions] with the webpage” 19 such as when they “enter text into fields, change drop-downs, click on buttons, or move[] 20 the mouse,” and the “lead generator” (i.e., Prudential) “can control when TrustedForm . . . 21 begins recording a consumer’s interaction with a web page.” Reply RJN Ex. A. 22 Presumably, then, Prudential could have set TrustedForm to begin recording Plaintiffs’ 23 movements the moment they began using the webform, as Plaintiffs allege. 24 In sum, neither of these documents squarely contradict Plaintiffs’ otherwise 25 26 reference “prevents plaintiffs from selecting only portions of documents that support their claims, 27 while omitting portions of those very documents that weaken—or doom—their claims.” Khoja, 899 F.3d at 1002. By citing portions of the patent and website and seeking to shield the rest from 1 plausible allegation that TrustedForm recorded their actions on Prudential’s website before 2 their information was stored by Prudential. Whether that information was intercepted by 3 TrustedForm before it was stored by Prudential as Plaintiffs allege, or vice versa, is a 4 question for summary judgment. 5 2. Third-Party Eavesdropper 6 As in Javier, Defendants again argue that ActiveProspect is not a third-party 7 eavesdropper to the Plaintiffs’ communications with Prudential. Recognizing that 8 Defendants primarily make this argument to preserve it for appeal because the Court 9 discussed it at length (and disagreed) in Javier, the Court addresses this argument briefly 10 for the sake of a full record. 11 Defendants contend that the question that must be asked to determine whether 12 ActiveProspect is a third party is “whether it undertook the alleged recording of the data on 13 its own or on Prudential’s behalf.” Reply (dkt. 24) at 6. But, as the Court articulated in 14 Javier, the concern is not on whose behalf the recording is undertaken, but whether the 15 recorder is capable of using the recording for other ends. Javier, 2023 WL 114225, at *6. 16 That is the difference between the tape recorder in Rogers and the eavesdropping friend in 17 Ribas, and that is why ActiveProspect’s TrustedForm software is not, as a matter of law, 18 more akin to the former than the latter. Id.; Am. Compl. ¶ 35.3 19 Because both of Defendants’ arguments for dismissal of the Section 631(a) claim 20 fail, their motion is denied as to that claim. 21 B. Invasion of Privacy 22 To state a claim for invasion of privacy under the California Constitution, Plaintiffs 23 must plead (1) a legally protected privacy interest, (2) a reasonable expectation for privacy, 24 and (3) that the intrusion is so serious as to amount to an egregious breach of the social 25 26 3 Defendants also argue that because ActiveProspect’s standard form End User License Agreement would only allow ActiveProspect “to use aggregate data” for other purposes, it thus could not use 27 “Plaintiffs’ individual information for its own benefit.” Reply at 7 (quoting Am. Compl. ¶ 35 (emphasis added)). But just because ActiveProspect may be able to use Plaintiffs’ information in 1 norms. Facebook Tracking, 956 F.3d at 601 (citing Hernandez v. Hillsides, 47 Cal.4th 2 272, 287 (2009)). Defendants argue only that Plaintiffs fail to meet the third prong. 3 To plead that the intrusion represented an “egregious breach of the social norms,” 4 courts consider whether a defendant’s actions were “highly offensive to a reasonable 5 person.” Id. at 606 (quoting Hernandez, 47 Cal.4th at 287). This requires a “holistic 6 consideration of factors such as the likelihood of serious harm to the victim, the degree and 7 setting of the intrusion, the intruder’s motives and objectives, and whether countervailing 8 interests or social norms render the intrusion inoffensive.” Id. This inquiry also “focuses 9 on the degree to which the intrusion is unacceptable as a matter of public policy.” Id. 10 Plaintiffs allege that ActiveProspect’s VideoReplay feature records a website 11 visitor’s “keystrokes, mouse clicks, and data entry,” as well as the amount of time spent on 12 the website and the geographic location of the visitor. Am. Compl. ¶ 28. This monitoring 13 can begin “the moment a user accesses or interacts with a webpage,” before the user has 14 the opportunity to review the website’s privacy notice. Id. ¶¶ 29, 45–48. When filling out 15 the form to get a life insurance quote on Prudential’s website, Plaintiffs entered their 16 medical information, including their height and weight, their medical conditions (including 17 mental and psychological conditions), and treatment history, including their use of 18 prescription medications. Id. ¶¶ 39, 43. 19 The Court cannot conclude, as a matter of law, that ActiveProspect’s collection of 20 this sensitive information would not be “highly offensive to a reasonable person.” 21 Defendants point to a line of cases that hold that collection and disclosure of routine 22 commercial information is not a “highly offensive” intrusion of privacy. See, e.g., Low v. 23 LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012); Hammerling v. Google 24 LLC, 615 F. Supp. 3d 1069, 1090 (N.D. Cal. 2022). But the information collected in those 25 cases—primarily a user’s browsing history and related data—is far less personal than the 26 Plaintiffs’ self-assessment of their medical history in Prudential’s webform. See Am. 27 Compl. ¶¶ 39, 43; see also Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 1 collected “sensitive health and personal safety information,” from plaintiffs were sufficient 2 to plead a “highly offensive” intrusion). 3 Of course, as Defendants point out, Plaintiffs “voluntarily provided” their health 4 information so they could obtain a life insurance quote. And they did—to Prudential. But 5 they did not agree to be monitored by ActiveProspect as they moved through Prudential’s 6 webform, before they even had the opportunity to review Prudential’s privacy notice. 7 Courts consider surreptitious monitoring a critical factor in deciding whether a plaintiff has 8 plausibly pleaded that an intrusion is “highly offensive.” See Facebook Tracking, 956 9 F.3d at 606 (pointing to “allegations of surreptitious data collection” as a key reason why 10 the plaintiffs’ allegations should survive a motion to dismiss). 11 Finally, Defendants point to a line of cases reasoning that a highly offensive 12 intrusion cannot occur where a plaintiff does not plead a similarly highly offensive use of 13 the information, such as selling the plaintiffs’ personal data. Folgelstrom v. Lamps Plus, 14 Inc., 195 Cal. App. 4th 986, 993 (2011), as modified (June 7, 2011); Sunbelt Rentals, Inc. 15 v. Victor, 43 F. Supp. 3d 1026, 1036 (N.D. Cal. 2014); Mitchell v. Reg’l Serv. Corp., No. 16 C 13-04212 JSW, 2014 WL 12607809, at *5 (N.D. Cal. Apr. 23, 2014). The Court notes 17 that it could be argued that ActiveProspect’s use of Plaintiffs’ data to “certify” them as 18 “leads” for buyers does, in fact, exceed Plaintiffs’ reasonable expectations of what their 19 information would be used for. See, e.g., Am. Compl. ¶¶ 24, 36–37. But even if it is a 20 close question whether such use is highly offensive or mere “routine commercial 21 behavior,” the Court is mindful of the Ninth Circuit’s instruction that whether an intrusion 22 is highly offensive is not typically a question that should be resolved at the pleading stage. 23 See Facebook Tracking, 956 F.3d at 606; Katz-Lacabe, 2023 WL 2838118, at *8. 24 Accordingly, Plaintiffs’ claim for invasion of privacy survives Defendants’ motion. 25 C. UCL 26 Finally, Defendants argue that Plaintiffs fail to state a UCL claim because they fail 27 to demonstrate UCL standing. The Court agrees. 1 from Article III standing.” See, e.g., Mastel, 549 F. Supp. 3d at 1144. To demonstrate 2 UCL standing, a plaintiff “must establish that they (1) suffered an injury in fact and (2) lost 3 money or property as a result of the unfair competition.” Birdsong v. Apple, Inc., 590 F.3d 4 955, 959 (9th Cir. 2009) (citing Cal. Bus. & Prof. Code § 17204); see also Ehret v. Uber 5 Techs., Inc., 68 F. Supp. 3d 1121, 1132 (N.D. Cal. Sept. 17, 2014) (“[A] federal plaintiff’s 6 [Article III] injury in fact may be intangible and need not involve lost money or property . . 7 . a UCL plaintiff’s ‘injury in fact’ [must] specifically involve lost money or property.” 8 (internal quotation marks omitted)). 9 Plaintiffs allege that they shared personal data with Prudential that ActiveProspect 10 intercepted without their knowledge or consent; that ActiveProspect made money off of 11 their data; and that their data is a valuable commodity. See Am. Compl. ¶¶ 3–4, 36–37, 12 56. But just because Plaintiffs’ data is valuable in the abstract, and because 13 ActiveProspect might have made money from it, does not mean that Plaintiffs have “lost 14 money or property” as a result. See, e.g., Hart v. TWC Prod. & Tech. LLC, 526 F. Supp. 15 3d 592, 603 (N.D. Cal. 2021); Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1040 (N.D. 16 Cal. 2019) (“That the information has external value, but no economic value to plaintiff, 17 cannot serve to establish that plaintiff has personally lost money or property.”); In re 18 Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 804 (N.D. Cal. 19 2019) (“Facebook may have gained money through its sharing or use of the plaintiffs' 20 information, but that’s different from saying the plaintiffs lost money.”). Plaintiffs’ 21 argument to the contrary relies on cases holding that tracking and collection of data is an 22 injury sufficient to confer Article III standing. See, e.g., Facebook Tracking, 956 F.3d at 23 600. Of course, as many courts have pointed out, a plaintiff may have Article III standing 24 but nevertheless fail to demonstrate UCL standing. See Ehret, 68 F. Supp. 3d at 1132 25 (remarking that “standing under the UCL is far narrower than traditional standing 26 requirements”). As a result, Plaintiffs’ UCL claim is dismissed.4 27 IV. CONCLUSION For the foregoing reasons, the Court DENIES Defendants’ motion as to Plaintiffs’ 2 Section 631 and invasion of privacy claims and GRANTS Defendants’ motion as to 3 Plaintiffs’ UCL claims. 4 IT IS SO ORDERED. 5 = i Dated: June 9, 2023 6 CHARLES R. BREYER 7 United States District Judge 8 9 10 11 12 E 13 (| 15 16 5 17 5 18 19 20 21 22 23 24 25 26 27 28

Document Info

Docket Number: 3:22-cv-07465

Filed Date: 6/9/2023

Precedential Status: Precedential

Modified Date: 6/20/2024