
InfoBytes Blog

Financial Services Law Insights and Observations

Court rules software service provider did not eavesdrop when capturing website data for retailer

Privacy/Cyber Risk & Data Security Courts Third-Party Class Action State Issues California

Privacy, Cyber Risk & Data Security

On April 15, the U.S. District Court for the Northern District of California dismissed class claims alleging that a software-services provider for a clothing retailer wiretapped consumers’ communications with the retailer in violation of California’s Invasion of Privacy Act and the California Constitution. The software at issue was sold to the service provider’s clients to capture and analyze data so companies can see how website visitors use their sites. The plaintiff alleged that during a visit to one of the retailer’s websites, the defendant’s software captured information including when she visited, the length of her visit, her IP address and location, browser type, and the operating system on her device. The plaintiff further claimed that the software also captured personally identifiable information such as email, shipping addresses, and payment-card information.

The defendant moved to dismiss, and the court granted the motion. In dismissing the action, the court referenced its dismissal of virtually identical claims against another software-services provider and ruled that the defendant’s recording of activities such as keystrokes, mouse clicks, and page scrolling does not amount to wiretapping. “[The defendant] is not a third-party eavesdropper,” the court wrote, “[i]t is a vendor that provides a software service that allows its clients to monitor their website traffic.” Moreover, the court determined that information “such as IP addresses, locations, browser types, and operating systems” is not “content” under the plaintiff’s Section 631(a) claim.