Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
3rd Circuit overturns decision in WESCA suit
On August 16, the U.S. Court of Appeals for the Third Circuit overturned a district court’s decision in a Wiretapping and Electronic Surveillance Control Act (WESCA) suit against a retailer and third-party marketing company (collectively, “defendants”). According to the opinion, the plaintiff searched the retailer’s website while the “browser simultaneously communicated” with both the retailer and a third-party marketing service. The messages to the third party marketing service alerted it to how the plaintiff was interacting with the website, including which pages she visited, when she filled in an email address, and when she added an item to her cart. The plaintiff filed suit against the defendants for using a software that used a code that placed “cookies on the user’s browser so that her activity on the webpage had an associated visitor ID,” and “told the user’s browser to begin sending information to [the third party marketing service] as she navigated through the website, such as communicating that the user had clicked the ‘add to cart’ button or tabbed out of a form field,” in violation of WESCA. The district court dismissed the common law claim and subsequently granted summary judgment to the defendants on the WESCA claim, finding that the defendants were exempt from liability as direct parties to the electronic communications.
District Court: Online payment processor must face data collection class action claims
On July 28, the U.S. District Court for the Northern District of California granted in part and denied in part an online payment processor’s motion to dismiss class claims concerning several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “secretly track[ed], collect[ed], and stor[ed] the personal data and web activity of visitors to merchants’ website[s],” and created a software code allowing merchants to integrate the company’s payment platform into merchants’ applications. The complaint alleged that most consumers making online purchases were unaware that their transactions were processed by the defendant and instead believed to be communicating directly with the merchants. Specifically, the defendant allegedly (i) obtained or stored consumers’ sensitive information (such as financial information, location, IP addresses, and purchasing information); (ii) correlated all payments consumers made across the defendant’s entire payment processing platform and provided much of it to other merchant clients without informing the consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior across the defendant’s payment network. This allowed merchants to see a consumer’s purchasing history of all transactions processed by the defendant and obtain a transaction-level risk score from the defendant.
The court dismissed in part the plaintiffs’ claims under California’s Unfair Competition Law (UCL) and California Consumer Privacy Act (CCPA), in part because the CCPA “has no private right of action” and “consumers may not use the CCPA as a basis for a private right of action under any statute.” The court also dismissed the plaintiffs’ fraud prong of the UCL, but allowed the plaintiffs’ unfair competition prong under the UCL to proceed.