InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
3rd Circuit overturns decision in WESCA suit
On August 16, the U.S. Court of Appeals for the Third Circuit overturned a district court’s decision in a Wiretapping and Electronic Surveillance Control Act (WESCA) suit against a retailer and third-party marketing company (collectively, “defendants”). According to the opinion, the plaintiff searched the retailer’s website while the “browser simultaneously communicated” with both the retailer and a third-party marketing service. The messages to the third party marketing service alerted it to how the plaintiff was interacting with the website, including which pages she visited, when she filled in an email address, and when she added an item to her cart. The plaintiff filed suit against the defendants for using a software that used a code that placed “cookies on the user’s browser so that her activity on the webpage had an associated visitor ID,” and “told the user’s browser to begin sending information to [the third party marketing service] as she navigated through the website, such as communicating that the user had clicked the ‘add to cart’ button or tabbed out of a form field,” in violation of WESCA. The district court dismissed the common law claim and subsequently granted summary judgment to the defendants on the WESCA claim, finding that the defendants were exempt from liability as direct parties to the electronic communications.
The 3rd Circuit reversed and remanded, stating that the district court “never addressed whether [the retailer] posted a privacy policy and, if so, whether that policy sufficiently alerted [the plaintiff] that her communications were being sent to a third-party company.” The appellate court further disagreed “with the District Court’s holding that [the third party marketing company] is exempt from liability because it was a direct party to [the plaintiff’s] communications and that interception only occurred at the site of [the third party marketing company] servers in Virginia.”
District Court: Online payment processor must face data collection class action claims
On July 28, the U.S. District Court for the Northern District of California granted in part and denied in part an online payment processor’s motion to dismiss class claims concerning several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “secretly track[ed], collect[ed], and stor[ed] the personal data and web activity of visitors to merchants’ website[s],” and created a software code allowing merchants to integrate the company’s payment platform into merchants’ applications. The complaint alleged that most consumers making online purchases were unaware that their transactions were processed by the defendant and instead believed to be communicating directly with the merchants. Specifically, the defendant allegedly (i) obtained or stored consumers’ sensitive information (such as financial information, location, IP addresses, and purchasing information); (ii) correlated all payments consumers made across the defendant’s entire payment processing platform and provided much of it to other merchant clients without informing the consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior across the defendant’s payment network. This allowed merchants to see a consumer’s purchasing history of all transactions processed by the defendant and obtain a transaction-level risk score from the defendant.
The court denied the motion to dismiss as to plaintiffs’ claims of invasion of privacy and intrusion under California’s Constitution and common law, finding that the plaintiffs have sufficiently alleged the plaintiffs did not consent to the defendant’s disclosure of their information to its merchants and customers. The court was precluded from finding that plaintiffs had no reasonable expectation of privacy because the language in the defendant’s privacy policy limited the sharing to information with third parties to assist with the prevention or detection of fraud or for processing services only.
In dismissing the wiretap claims, the court reviewed the “sign-in wrap” agreement presented to consumers at the purchase checkout page, which required plaintiffs to agree to the defendant’s terms of service and privacy policy whenever they placed an order. While the plaintiffs argued that the privacy policy “does not provide sufficient notice that [the defendant] would collect the information that it did,” the court pointed out that the policy contained provisions disclosing that third parties like the defendant “may obtain not only credit card data, but also ‘identifiers, demographic information, commercial information, relevant order information, internet activity, geolocation data, sensory information, and inferences,’” and that partners may also “use various technologies’ to ‘collect information about [consumer] online activity over time and across different websites or online services.’” Among other things, the court reasoned that the disclosures were binding on the consumers, even though they were provided by the defendant and not the merchants.
The court dismissed in part the plaintiffs’ claims under California’s Unfair Competition Law (UCL) and California Consumer Privacy Act (CCPA), in part because the CCPA “has no private right of action” and “consumers may not use the CCPA as a basis for a private right of action under any statute.” The court also dismissed the plaintiffs’ fraud prong of the UCL, but allowed the plaintiffs’ unfair competition prong under the UCL to proceed.