Hazel et al v. Prudential Financial, Inc. et al

Filing 97

ORDER by Judge Charles R. Breyer granting 66 Motion to Certify Class; finding as moot 89 Motion to Exclude Expert Report of Nancy Mathiowetz. (crblc2, COURT STAFF) (Filed on 11/26/2024)

Download PDF
1 2 3 4 5 IN THE UNITED STATES DISTRICT COURT 6 FOR THE NORTHERN DISTRICT OF CALIFORNIA 7 8 VALERIE TORRES, et al., Plaintiffs, 9 ORDER GRANTING CLASS CERTIFICATION v. 10 11 United States District Court Northern District of California Case No. 22-cv-7465-CRB 12 PRUDENTIAL FINANCIAL, INC., ACTIVEPROSPECT, INC., and ASSURANCE IQ, LLC, 13 Defendants. 14 Lead Plaintiffs Valerie Torres and Rhonda Hyman bring this consumer privacy 15 class action against Defendants Prudential Financial, Inc., ActiveProspect, Inc., and 16 Assurance IQ, LLC. Plaintiffs allege that ActiveProspect intercepted and recorded without 17 consent their real-time interactions with a form on Prudential’s website in violation of the 18 California Invasion of Privacy Act, and that Prudential and Assurance aided in this 19 violation. Plaintiffs now move for certification of a class defined as follows: 20 22 All natural persons who, while in California, visited Prudential.com, provided personal information on Prudential’s form to receive a quote for life insurance, and for whom a TrustedForm Certificate URL associated with that website visit was generated from November 23, 2021 to December 13, 2022. 23 Plaintiffs also move to appoint themselves as class representatives and Girard Sharp LLP 24 as class counsel. Id. The Court finds the matter suitable for resolution without oral 25 argument pursuant to Local Civil Rule 7-1(b) and GRANTS Plaintiffs’ motion.1 21 26 27 28 1 After the parties finished briefing class certification, Defendants filed a motion for summary judgement. They ask the Court to resolve that motion before class certification. See MSJ (dkt. 93) at 2. But Plaintiffs’ claims in this case are not so obviously “meritless” that it would be wasteful to certify a class at this time, so the Court resolves the motions in United States District Court Northern District of California 1 I. BACKGROUND 2 A. 3 The Court described the facts giving rise to this lawsuit in its order on Defendants’ 4 motion to dismiss, see MTD Order (dkt. 29), available at 2023 WL 3933073, and repeats 5 here only those facts necessary to resolve the motion at hand. Factual History 6 During the class period, Prudential and its wholly owned subsidiary, Assurance, 7 designed and operated a form on Prudential’s website that individuals could fill out to 8 obtain a life insurance quote. Am. Compl. (dkt. 18) ¶ 1; Opp. (dkt. 81) at 2. The form 9 prompted users to enter information about their demographics, family situation, and 10 medical history. Am. Compl. ¶¶ 45–46. Prudential and Assurance added ActiveProspect’s 11 TrustedForm script to the source code, enabling ActiveProspect to intercept and record 12 users’ real-time interactions with the form. Rafferty Dep. Tr. (dkt. 66-6) at 112:21–113:8. 13 TrustedForm functions as follows: When a user navigates to the first page of the 14 form, TrustedForm issues a unique identifier—the “Certificate URL”—for that user and 15 “initiate[s] a series of more than one hundred [] requests” to send data from the user’s web 16 browser to ActiveProspect’s server. Id. at 105:24–106:7; Shafiq Rpt. (dkt. 66-3) ¶ 22. 17 TrustedForm allows ActiveProspect to collect information about users, including: 18 • User metadata, such as the user’s public IP address. Shafiq Rpt. ¶¶ 23, 51; 19 20 ActiveProspect Sept. 20, 2023 Blog Post (dkt. 81-19) at 2. • The user’s “real-time interactions” with the form, including keystrokes, mouse 21 movements and clicks, and data inputs.2 Shafiq Rpt. ¶¶ 16, 31–32, TrustedForm 22 End Use License Agreement (dkt. 66-9) at 2. 23 ActiveProspect uses the data it collects to recreate a visual “session replay” (resembling a 24 25 26 27 28 the order it received them. Contra Cavanagh v. Humboldt County, No. C 97-4190 CRB, 1999 WL 96017, at *2 (N.D. Cal. Feb. 22, 1999). 2 Prudential’s form asked for—and TrustedForm therefore captured—the following information about the person seeking life insurance: gender; marital status; date of birth; height and weight; employment status; whether the person has children; and health and medical information, including whether the person has been treated for anxiety, depression, bipolar disorder, heart or circulatory disorders, cancer, respiratory disorders, chronic pain, and various other medical conditions. Shafiq Rpt. ¶ 39. 2 1 video recording) of the user’s real-time interaction with the form. Shafiq Rpt. ¶¶ 45, 48. It 2 then issues a “TrustedForm Certificate” containing the collected information and session 3 replay for each user that interacts with the form. Id. ¶¶ 45–47. Prudential and Assurance 4 can access a particular user’s “TrustedForm Certificate” using the “Certificate URL” 5 associated with that user. Id. ¶ 77; Rafferty Dep. Tr. at 105:24–06:18. Between March 2022 and January 2023, Plaintiffs visited the form on Prudential’s United States District Court Northern District of California 6 7 website and entered the requested information to obtain a life insurance quote. Am. 8 Compl. ¶¶ 65, 69. Prudential did not expressly disclose to Plaintiffs that a third party was 9 recording their interactions with the form until Plaintiffs had completed the form and 10 clicked “Get an instant quote.” Id. ¶ 74. Only then were Plaintiffs provided with a link to 11 Prudential’s privacy policies and required to accept its terms to obtain a quote. Id. ¶¶ 45– 12 46, 74–76. Plaintiffs assert that at the time they filled out the form, they were not aware of 13 and did not consent to ActiveProspect’s interception and collection of their information, 14 including keystrokes, mouse clicks, and data inputs. Id. ¶¶ 64, 68, 72; Hyman Dep. Tr. 15 (dkt. 81-4) at 206:1–206:20; Hyman Decl. (dkt. 66-23) ¶ 4; Torres Decl. (dkt. 66-24) ¶ 4. Plaintiffs allege that Defendants violated section 631(a) of CIPA, which makes 16 17 liable anyone who “willfully and without the consent of all parties to the communication 18 … reads or attempts to read, or to learn the contents or meaning of any … communication 19 while the same is in transit over any wire, line, or cable, or is being sent from, or received 20 at any place within [California] … or who aids … any person” with the same conduct. 21 They now seek to certify a class under Federal Rule of Civil Procedure 23(b)(3). 22 II. STANDING 23 A. 24 Before considering Plaintiffs’ motion for class certification, the Court must 25 determine whether Plaintiffs have standing under Article III. See Spokeo, Inc. v. Robins, 26 578 U.S. 330, 338, n.6 (2016) (“named plaintiffs who represent a class ‘must … show that 27 they personally have been injured’”) (citation omitted); see also Easter v. Am. W. Fin., 381 28 F.3d 948, 962 (9th Cir. 2004) (“The district court correctly addressed the issue of standing Legal Standard 3 United States District Court Northern District of California 1 before … the issue of class certification.”). Plaintiffs must show “(i) that [they] suffered 2 an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury 3 was likely caused by the defendant, and (iii) that the injury would likely be redressed by 4 judicial relief.” TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021) (citation omitted). 5 Where, as here, the Court is faced with an intangible harm caused by a statutory 6 violation, it must determine whether the statutory provision at issue is a “bare procedural 7 protection”—in which case Plaintiffs must link a violation to a concrete harm to establish 8 standing—or is instead “a substantive right,” the violation of which is a de facto injury that 9 is itself enough to show harm. Campbell v. Facebook, Inc., 951 F.3d 1106, 1117 (9th Cir. 10 2020) (first quoting Spokeo, 578 U.S. at 341–42, and then citing Eichenberger v. ESPN, 11 Inc., 876 F.3d 979, 983–84 (9th Cir. 2017)). 12 B. 13 In Campbell, the Ninth Circuit held that the CIPA provision at issue here— 14 California Penal Code section 631(a)—implicates a “substantive right,” the violation of 15 which is enough to cause concrete and particularized harms and give rise to Article III 16 standing. Id. at 1118–19. The panel reasoned that section 631(a) was closely related to the 17 common law tort of unreasonable intrusion upon seclusion, which traditionally extended to 18 provide a remedy for wiretapping and the opening of private mail. Id. at 1112. It also 19 explained that section 631(a) reflected the “legislature’s judgement about the importance 20 of the privacy interests violated when communications are intercepted” and concern about 21 “the use of new technology to ‘eavesdrop[] upon private communications.’” See id. at 22 1118 (citation omitted). Plaintiffs’ allegations are substantially the same as those in 23 Campbell. Discussion 24 Furthermore, because Campbell held that the interception of communications 25 without consent is itself an Article III injury, id. at 1118–19, Plaintiffs do not need to show 26 that they had input their own private information (as opposed to someone else’s) in the 27 form or that the data Defendants allegedly collected was put to any improper use. Of 28 course, if such allegations are substantiated, that might subject Defendants to additional 4 United States District Court Northern District of California 1 liability. See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 599, 601 (9th 2 Cir. 2020) (listing other potentially viable statutory and common-law claims). But for 3 standing purposes, all that Plaintiffs must allege is that Defendants “collect[ed] the 4 contents of users’ individual private messages … without [Plaintiffs’] consent.” Campbell, 5 951 F.3d at 1119. “[H]ow the collected data was later used is irrelevant.” Id. Plaintiffs’ 6 allegations are thus sufficient to establish their standing under Article III. 7 III. CLASS CERTIFICATION 8 A. 9 Rule 23, which governs class actions, requires that plaintiffs meet the requirements Legal Standard 10 of Rule 23(a), as well as one of three possible requirements under Rule 23(b). Amchem 11 Prods., Inc. v. Windsor, 521 U.S. 591, 615 (1997). Rule 23(a) requires (1) that “the class 12 is so numerous that joinder of all members is impracticable,” (2) that “there are questions 13 of law or fact common to the class,” (3) that “the claims or defenses of the representative 14 parties are typical of the claims or defenses of the class,” and (4) that “the representative 15 parties will fairly and adequately protect the interests of the class.” Plaintiffs must 16 establish these elements by a preponderance of the evidence. Olean Wholesale Grocery 17 Coop., Inc. v. Bumble Bee Foods LLC, 31 F.4th 651, 664–65 (9th Cir. 2022) (en banc). 18 Plaintiffs seek certification under Rule 23(b)(3), which requires additionally that 19 “the questions of law or fact common to class members predominate over any questions 20 affecting only individual members” and that “a class action [be] superior to other available 21 methods for fairly and efficiently adjudicating the controversy.” To establish that 22 certification is appropriate, plaintiffs may use any admissible evidence. Id. at 665. The 23 Court may evaluate the merits of Plaintiffs’ case, but only to the extent “that they are 24 relevant to determining whether the Rule 23 prerequisites for class certification are 25 satisfied.” Amgen, Inc. v. Conn. Ret. Plans. & Tr. Funds, 568 U.S. 455, 466 (2013). 26 B. 27 Defendants do not appear to contest that Plaintiffs satisfy the Rule 23(a) 28 requirements—numerosity, typicality, typicality, and adequacy—or the Rule 23(b)(3) Discussion 5 United States District Court Northern District of California 1 requirement of superiority.3 Rather, Defendants argue that common questions do not 2 predominate over three allegedly individualized inquiries: (1) whether class members 3 impliedly consented to ActiveProspect’s real-time interception of their information, 4 (2) whether purported class members are in fact eligible class members, and (3) whether 5 the alleged interception occurred in California. Opp. at 1–2. 6 “The predominance inquiry ‘asks whether the common, aggregation-enabling, 7 issues in the case are more prevalent or important than the non-common, aggregation- 8 defeating, individual issues.’” Tyson Foods, Inc. v. Bouaphakeo, 577 U.S. 442, 543 9 (2016) (citation omitted). A common question “must be of such a nature that it is capable 10 of class wide resolution—which means that the determination of its truth or falsity will 11 resolve an issue that is central to the validity of each one of the claims in one stroke.” 12 Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338, 350 (2011). Individual questions, 13 meanwhile, require “members of a proposed class … to present evidence that varies from 14 member to member.” Olean Wholesale Grocery, 31 F.4th at 663 (citation omitted). 15 “Considering whether ‘questions of law or fact common to class members 16 predominate’ begins, of course, with the elements of the underlying cause of action.” 17 Erica P. John Fund, Inc. v. Halliburton Co., 563 U.S. 804, 809 (2011) (quoting Fed. R. 18 Civ. P. 23(b)(3)). Under CIPA, Plaintiffs must show that ActiveProspect (1) willfully 19 (2) and without Plaintiffs’ consent (3) read or attempted to read or learn the contents of 20 their communications (4) while the communications were being sent from, received in, or 21 in transit or passing over any wire, line or cable in California. Id. Plaintiffs identify, and Defendants do not appear to dispute, the existence of several 22 23 common questions, such as: 24 • Whether ActiveProspect acted willfully. Mot. to Certify Class (dkt. 66) at 9. 25 • Whether the information that users provided to obtain a life insurance quote 26 was “content” as covered by CIPA. Id.; see also Katz-Lacabe v. Oracle Am., 27 28 Neither do Defendants contest the portion of Plaintiffs’ motion where Plaintiffs seek to appoint themselves as class representatives and Girard Sharp LLP as class counsel. 6 3 1 Inc., 668 F. Supp. 3d 928, 944 (N.D. Cal. 2023) (“content” under CIPA 2 “refers to the intended message conveyed by the communication,” not 3 “information about the characteristics of the message” (citation omitted)). 4 • Whether the information was intercepted while it was “in transit.” Mot. to Certify Class at 10. 5 • Whether Prudential and Assurance aided ActiveProspect’s alleged violation. 6 Id. at 12. 7 • Classwide damages. See Cal. Penal Code § 637.2(a)(1) (providing statutory 8 damages of $5,000 per violation). 9 Defendants dispute, however, that common proof can be used to show: 10 • Whether class members consented to ActiveProspect’s alleged interception United States District Court Northern District of California 11 of their communications. Opp. at 1. 12 13 • Whether a class member filled out Prudential’s form. Id. at 2. (Defendants 14 say this is relevant to show that the class member was injured. Id. at 12.) 15 • Whether ActiveProspect intercepted class members’ communications while 16 they were “in transit or passing over any wire, line, or cable, … sent from, or 17 received at any place within [California].” Id. at 2; see Cal. Penal Code 18 § 631(a). 19 1. Defendants contend that individualized questions regarding each class member’s 20 21 consent defeats predominance.4 Opp. at 6. “[C]onsent ‘can be express or implied.’” Calhoun v. Google, LLC, 113 F.4th 1141, 22 23 Implied Consent 1147 (9th Cir. 2024) (cleaned up) (citations omitted). Defendants do not dispute that, 24 25 26 27 28 4 At the outset, the parties dispute who has the burden of proving or disproving consent. Compare Opp. at 6, with Reply (dkt. 90) at 4 n.1. Courts in this District hold that the defendant must prove consent. E.g., Brown v. Google LLC, 685 F. Supp. 3d 909, 926, n.13 (N.D. Cal. 2023). Regardless, who bears the burden of proof is a common question and is irrelevant to class certification. See Adams v. Ins. Co. of N. Am., 436 F. Supp. 2d 356, 360–61 (S.D. W. Va. 2006) (recognizing that “the applicable burden of proof” is a common question). 7 United States District Court Northern District of California 1 during the class period, they did not obtain prior express consent from users for the 2 challenged data collection. See Renz Dep. Tr. (dkt. 64-8) at 157:4-22. Rather, they focus 3 on the question of implied consent. See Opp. 6–7. To establish implied consent, “the 4 circumstances, considered as a whole, [must] demonstrate that a reasonable person [would 5 have] understood that [the] action[s] would be carried out” and that they proceeded to 6 expose themselves to the actions anyways. Calhoun, 113 F.4th at 1147 (citation omitted). 7 It is important to recognize, however, that “what a ‘reasonable user’ of a service would 8 understand they were consenting to” is “not what a technical expert would.” Id. at 1149. 9 “Consent is only effective if the person alleging harm consented ‘to the particular conduct, 10 or substantially the same conduct.’” Id. at 1147 (cleaned up) (citation omitted). 11 Defendants contend that four sources of information would have given notice of the 12 challenged conduct: (1) Assurance’s privacy policy; (2) Prudential’s privacy policies; (3) a 13 consumer survey conducted by their expert, Dr. Mathiowtz; and (4) third-party material, 14 including news articles about session replay software and legal advertisements. Opp. at 8– 15 11. And they assert that the inquiry into whether each class member was exposed to any of 16 these sources is an individualized one that undermines predominance. Id. 17 Assurance’s Privacy Policy. Defendants first argue that class members who had 18 previously used a “substantially similar” form on Assurance’s website and assented to 19 Assurance’s privacy policy were likely aware of ActiveProspect’s interception of their data 20 on Prudential’s form. Id. at 8–9. In support of their argument, Defendants point to this 21 Court’s orders regarding a motion to dismiss in Javier v. Assurance IQ, LLC. See 649 F. 22 Supp. 3d 891, 896–97 (N.D. Cal. 2023) (granting motion to dismiss); No. 20-CV-02860- 23 CRB, 2023 WL 3933070 (N.D. Cal. June 9, 2023) (granting motion to dismiss amended 24 complaint). Those orders do not support Defendants’ position here. 25 In Javier, the plaintiff sued Assurance and ActiveProspect (two of the same 26 defendants as here) under section 631(a) for similar conduct as Plaintiffs allege here. 649 27 F. Supp. 3d at 894–95. The plaintiff, however, filed his lawsuit fifteen months after he 28 visited Assurance’s website—three months too late under CIPA’s statute of limitations. 8 United States District Court Northern District of California 1 Id. at 901. He tried to invoke the delayed discovery doctrine, which would have required 2 him to allege that he could not have known about the alleged CIPA violation until a later 3 date within the limitations period. Id. But this Court rejected his argument, explaining 4 that Assurance’s privacy policy (which the plaintiff had accepted the terms of during his 5 visit to Assurance’s website) put him on “inquiry notice” that his information had been 6 collected, even if he did not know the details of the collection (including exactly who 7 collected his data) at that time. Id. at 902. 8 Defendants fail to explain why the standard for inquiry notice for statute-of- 9 limitations purposes should be applied to determine if Plaintiffs actually consented to the 10 interception of their communications. To the contrary, Javier clearly states that the two 11 standards are different. This Court expressly rejected the defendants’ contention that the 12 plaintiff had impliedly consented to ActiveProspect’s collection of his information using 13 TrustedForm—essentially the same contention that the same defendants make in this case. 14 649 F. Supp. 3d at 896–97. This Court explained that there was no evidence that Javier 15 had notice of ActiveProspect’s collection of his data until he agreed to Assurance’s privacy 16 policy. Id. at 896. And this Court declined to find implied consent on the theory (which 17 Defendants seem to advance a version of here) that the plaintiff’s mere use of a website to 18 obtain an insurance quote is enough to show that he impliedly consented to the monitoring 19 of his information. Id. at 897. 20 Defendants’ argument that any potential class members in this case who filled out a 21 form on Assurance’s website impliedly consented to monitoring by ActiveProspect given 22 their prior awareness of Assurance’s privacy policy is too strained to defeat predominance. 23 See Rodriguez v. Google LLC, No. 20-CV-04688-RS, 2024 WL 38302, at * 9 (N.D. Cal. 24 Jan. 3, 2024) (the “relevant question” as to consent inquiry under CIPA concerns website 25 operator’s disclosures about its data collection practices, not third-party disclosures about 26 operator’s practices); see also Calhoun, 113 F.4th at 1147 (“[C]ircumstances, considered as 27 a whole,” must “demonstrate that a reasonable person would have understood that an 28 action would be carried out so that their acquiescence demonstrates knowing 9 United States District Court Northern District of California 1 authorization.” (citation omitted)). 2 Prudential’s Privacy Policies. Prudential argues that its privacy policies, which 3 were accessible through a hyperlink in the footer of every page of its website, provided 4 notice of the challenged data practice, thus raising an individualized question as to which 5 class members read the disclosures before filling out the form. Opp. at 8; Prudential 6 Privacy Notice (dkt. 66-16), Prudential CCPA Disclosure (dkt. 66-17). Plaintiffs identify a 7 threshold problem with that argument—they challenge whether the privacy policies 8 provided notice of the challenged practice at all. Mot. to Certify Class at 5. They assert 9 that that is a common question, as Prudential’s privacy policy remained the same during 10 the class period. Id. (citing Renz Dep. Tr. at 261:3–20). 11 The Court agrees with Plaintiffs that Prudential’s Privacy Notice and its CCPA 12 Disclosure likely would not put a reasonable person on explicit notice of ActiveProspect’s 13 real-time interception of their every interaction, keystroke by keystroke, with Prudential’s 14 form. Prudential’s Privacy Notice describes various types of personal information that 15 Prudential collects when users fill out its form, including “medical information for 16 insurance applications” and “information gathered from your internet or network activity.” 17 Prudential Privacy Notice at 2. But a reasonable person would probably not expect 18 collected information to include their every keystroke—including information that a user 19 enters and then deletes prior submitting the form, which neither the website operator nor 20 any third party would ever see but for real-time tracking. 5 See Yockey v. Salesforce, Inc., 21 22 23 24 25 26 27 28 5 Indeed, news articles that Defendants themselves cite indicate that people generally do not expect the extent of data collection that session replay technology enables. E.g., Louise Marsakis, Over 400 of the World’s Most Popular Websites Record Your Every Keystroke, Princeton Researchers Find, Vice (Nov. 20, 2017), https://perma.cc/BFP6NRQZ (noting that while “[m]ost people who’ve spent time on the internet have some understanding that many websites log their visits and keep record of what pages they’ve looked at,” session replay technology enables “online tracking [that] is far more invasive than most users understand.” (emphasis added)); Steven Englehardt, No Boundaries: Exfiltration of Personal Data by Session-Replay Scripts, Freedom to Tinker (Nov. 15, 2017), https://perma.cc/5ZTB-7M2E (“You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. … However the extent of data collected … far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any indication to the user.”); Sidney Fussell, The Analysts Recording Your Screen 10 1 688 F.Supp.3d 962, 977 (N.D. Cal. 2023) (privacy policy disclosing that the defendant 2 could “share [customers’] personal information … with third parties” did not disclose third 3 party’s “word-for-word” recording of all chat messages sent to the defendant’s customer 4 service agent “while [customers] type[d] them”). United States District Court Northern District of California 5 Prudential’s Privacy Notice states that it “may share your personal information … 6 among Prudential companies and with other non-Prudential companies who perform 7 services for us or on our behalf, for our everyday business purposes, such as providing 8 services to you, [and] administering your account or policy.” Prudential Privacy Notice at 9 2 (emphasis added). And Prudential’s CCPA Disclosure states that it “collect[s], use[s], 10 and disclose[s]” personal information relating to California residents. Prudential CCPA 11 Disclosure at 3 (emphasis added). Neither of these disclosures is likely to lead a 12 reasonable user to expect that a third party itself collects their personal information in real 13 time, however; they instead suggest that Prudential shares that information so third parties 14 can “perform services for [Prudential] or on [Prudential’s] behalf.” Prudential Privacy 15 Notice at 2; see also Prudential CCPA Disclosure at 5 (describing categories of user 16 personal information disclosed to third-party service providers). 17 In any case, Plaintiffs are correct that the issue of how a reasonable user would 18 understand Prudential’s privacy policies is a common one that can be resolved with class- 19 wide proof. See Amgen, 568 U.S. at 466; Calhoun, 113 F.4th at 1148; Frasco v. Flo 20 Health, Inc., No. 21-CV-00757-JD, 2024 WL 4280933, *2 (N.D. Cal. Sept. 23, 2024) (jury 21 can resolve factual disputes as to “scope of plaintiffs’ consent to sharing data”). If a 22 factfinder determines that a reasonable user would understand Prudential’s privacy policies 23 in such a way that those policies confer consent, the Court can then evaluate whether the 24 effort required to ascertain which class members read the privacy policies would defeat 25 predominance. See Officers for Just. v. Civil Serv. Comm’n, 688 F.2d 615, 633 (9th Cir. 26 27 28 Say It’s for Your Own Good, The Atlantic (Feb. 12, 2019), https://perma.cc/6785-LLZ9 (“[I]nherent to the session replay is the idea that customers are most valuable when they don’t know they’re being watched.”). 11 United States District Court Northern District of California 1 1982) (“[A] district court’s order respecting class status is not final or irrevocable, but 2 rather, it is inherently tentative.” (citations omitted)). 3 Dr. Mathiowtz’s Survey. Defendants next argue that Dr. Mathiowtz’s survey 4 raises individualized questions about whether “class members knew about the alleged 5 interceptions and nevertheless used the [form].” Opp. at 11. The survey results suggest 6 that there is variation among consumers’ expectations about whether a third-party software 7 collects information on a website that provides life insurance quotes. Mathiowetz Rpt. 8 (dkt. 81-8) at 7. But these results say nothing about whether class members were likely to 9 have explicit notice about the specific data collection at issue here, see Calhoun, 113 F.4th 10 at 1147, or whether they knew that it was likely to occur, see United States v. Staves, 383 11 F.3d 977, 981 (9th Cir. 2004) (in the context of cellphone monitoring, “the circumstances 12 must indicate that a party to the communication knew that interception was likely and 13 agreed to the monitoring” (citation omitted)); In re Google Inc., No. 13-MD-02430-LHK, 14 2013 WL 5423918, at *12 (N.D. Cal. Sept. 26, 2013) (“That [a] person communicating 15 knows that [an] interceptor has the capacity to monitor the communication is insufficient 16 to establish implied consent.”). Accordingly, Dr. Mathiowtz’s survey is not determinative 17 for purposes of this motion.6 18 Third-Party Materials. Defendants next argue that the issue of consent defeats 19 predominance because third-party materials, such as news articles and advertisements, 20 could have informed class members about the challenged data interceptions at issue here 21 before they filled out Prudential’s form. Opp. at 9. They specifically identify the 22 following materials: 23 • News articles about how session replay technology works generally and its 24 use on various “popular” and “major” consumer-facing websites such as 25 Facebook, Papa John’s, Bank of America, and Walgreens. See Opp. Ex. 20 26 (dkt. 81-21) at 6, 19–22, 41, 51–52 (collecting news articles). None of these 27 28 The pending motion to strike Dr. Mathiowtz’s report (dkt 89) is therefore moot. This does not preclude Plaintiffs from raising future Daubert challenges as to Dr. Mathiowtz. 12 6 United States District Court Northern District of California 1 articles discuss the technology’s use on consumer-facing insurance websites, 2 nor do they mention Prudential, Assurance, or ActiveProspect. 3 • A law firm advertisement stating: “If you used Prudential’s website to get a 4 life insurance quote, you may be entitled to compensation due to a possible 5 privacy violation.” Don Bivens PLLC Advertisement (dkt. 81-20). 6 • Coverage and analysis of the Javier case on legal blogs and news websites. 7 See Eric Goldman, Consent Via “Clickwrap” Defeats Privacy Claims— 8 Javier v. Assurance, Tech. & Mktg. L. Blog (Mar. 14, 2021), 9 https://perma.cc/A57V-YS2Q. 10 • A November 30, 2022 article on a website called “Life Annuity Specialist” 11 about the instant case. See Opp. Ex. 11 (dkt. 81-12). The article states that 12 “[Prudential’s] use of third-party software to record prospective buyers’ 13 website activity violates California privacy laws.” Id. 14 To be sure, the “factfinder, in determining whether class members impliedly 15 consented to the alleged conduct[,] would have to determine the sources of information to 16 which each was exposed.” Brown v. Google, LLC, No. 20-CV-3664-YGR, 2022 WL 17 17961497, at *19 (N.D. Cal. Dec. 12, 2022). But once again there is a threshold common 18 question whether any of the sources provided notice of the challenged conduct in the first 19 place. Here, only one of Defendants’ sources—the Life Annuity Specialist article—could 20 be capable of providing the kind of notice required to establish consent, and that article 21 was published just a few weeks before the end of the class period. The news articles and 22 law firm advertisements, in contrast, are too general to give explicit notice to the particular 23 conduct at issue here, either because they discuss session replay technology in different 24 contexts or because they do not disclose Prudential’s relationship with Assurance and 25 ActiveProspect. See Calhoun, 113 F.4th at 1147; accord Campbell v. Facebook, Inc., 315 26 F.R.D. 250, 266 (N.D. Cal. 2016) (news source that did not disclose specific conduct at 27 issue incapable of giving notice). 28 Therefore, none of these sources create an individualized implied-consent inquiry 13 1 that would predominate over common questions or threaten to make adjudication 2 unmanageable. To the extent that the Life Annuity Specialist article provides sufficient 3 notice to establish implied consent, the Court can later refine the class period to exclude 4 any class members that might have seen the article. See Olean Wholesale Grocery, 31 5 F.4th at 670, n.14 (“[T]he problem of a potentially ‘over-inclusive’ class ‘can and often 6 should be solved by refining the class definition rather than by flatly denying class 7 certification on that basis.’” (citation omitted)). 8 United States District Court Northern District of California 9 2. Identification of Class Members Defendants next argue that Plaintiffs’ proposed method for identifying injured class 10 members—by reference to Assurance’s database of inputs in the Prudential form—is 11 flawed because at least some class members filled out the Prudential form on behalf of 12 others. Opp. at 1. So, Defendants assert, the database can only be used to identify 13 individuals on whose behalf class members filled out the form, which may or may not be 14 the same person who actually filled out the form. Id. at 2. Defendants characterize this as 15 an individualized inquiry into class members’ standing under CIPA. Id. Plaintiffs counter 16 that Defendants mischaracterize the standing inquiry and that “identifying class members 17 is not grounds for denying class certification.” Reply at 12–14. 18 As part of the predominance inquiry, “a court must consider whether the possible 19 presence of uninjured class members means that [a] class definition is fatally overbroad.” 20 Olean Wholesale Grocery, 31 F.4th at 669, n.14. This would be the case if, for instance, 21 the class includes “a great number of members who for some reason could not have been 22 harmed by the defendant’s allegedly unlawful conduct.” Id. (citation omitted) (emphasis 23 added); see also Moore v. Apple, 309 F.R.D. 532, 534 (N.D. Cal. 2015) (denying 24 certification of a class that included individuals who, based on the class definition, “could 25 not have been injured by Defendant’s allegedly wrongful conduct”) (emphasis in original). 26 Defendants do not actually argue that the proposed class is overbroad, though; they seem 27 to instead contend that “there is [no] administratively feasible way to determine who is in 28 the class.” See Briseno v. ConAgra Foods, Inc., 844 F.3d 1121, 1125 (9th Cir. 2017). Yet 14 United States District Court Northern District of California 1 there is no feasibility requirement in the Ninth Circuit. Id. (declining to require plaintiffs 2 to “propose [a] way to identify class members and [] prove that an administratively 3 feasible method exists [to do so]” at the class certification stage). 4 Moreover, Plaintiffs contend that they can identify class members using 5 Assurance’s database. They point out that one of the Plaintiffs filled out a form for a life 6 insurance quote on behalf of her herself (on Prudential’s website) and her father (on 7 Assurance’s website) and provided her own e-mail address and phone number in both 8 forms. Reply at 13 (citing Jornaya Guardian TCPA Rpt. (dkt. 81-17), and Hyman Dep. Tr. 9 (dkt. 91-6) at 92:10–15). Defendants were able to cross-reference her contact information 10 to identify which form she submitted on behalf of her father. Id. In addition to this cross- 11 reference method, the Court can require class members to present an affidavit that a 12 submission was theirs. See Kellman v. Spokeo, Inc., No. 21-CV-08976-WHO, 2024 WL 13 2788418 (N.D. Cal. May 29, 2024) (whether class members’ names and addresses matched 14 ones in online profile could be established via affidavit (citing Briseno, 844 F.3d at 1132)). 15 Plaintiffs have shown that Defendants’ records are “capable of showing” which 16 individuals filled out the Prudential form and had their communication intercepted; that is 17 “all that [is] necessary at the certification stage.” See Olean Wholesale Grocery, 31 F.4th 18 at 680–81 (emphasis in original). 19 3. Location of Interception 20 Next, Defendants argue that Assurance’s database, which collects the IP addresses 21 of users who submitted the Prudential form, is not enough to show that communications 22 were intercepted in California because some class members could have used a virtual 23 private network (VPN) to obscure their IP address.7 Opp. at 13 (citing Polish Decl. 24 (dkt. 81-24) ¶¶ 9, 11–17). As support, Defendants rely on Dr. Mathiowtz’s consumer 25 survey regarding the prevalence of VPN use as well as Dr. Polish’s expert opinion 26 27 28 Dr. Polish explains how VPNs work: “[W]hen an Internet user connects to the Internet using a VPN, the user’s network traffic appears as though it is emerging from the VPN generated location instead of the user’s actual physical location.” Polish Decl. ¶ 14. 15 7 1 United States District Court Northern District of California 2 discussing how VPNs work. See Mathiowetz Rpt. ¶¶ 46–48; Polish Decl. As a threshold matter, Defendants frame the location inquiry too narrowly. CIPA is 3 not just concerned with whether communications were sent from a place in California; it 4 also covers communications intercepted while “in transit or passing over any wire, line, or 5 cable” in California or “received at any place” in California. See Cal. Penal Code 6 § 631(a). But in any case, neither Dr. Mathiowtz’s survey or Dr. Polish’s report leads the 7 Court to conclude that the question whether interception occurred in California is more 8 prevalent or important than the other, common issues in this case. See Tyson Foods, 577 9 U.S. at 543. Dr. Mathiowtz’s survey results indicate that only 17.7% of those surveyed 10 (consumers living in California in 2022 who had shopped online for a life insurance quote 11 since January 2022) “always” or “sometimes” used a VPN when using the Internet for 12 personal use. Mathiowetz Rpt., tbl. 1, ¶¶ 30, 48. And Dr. Polish opines simply that “[a]n 13 Internet user’s IP address is not necessarily a reliable indicator of that individual’s 14 geographic location.” Polish Decl. ¶¶ 9, 13. Neither expert’s testimony actually quantifies 15 the number of potential class members who use a VPN to access life insurance websites or 16 whose VPN would locate them in a different state. 17 Plaintiffs additionally contend that Assurance’s database could easily be used to 18 identify any potential class members who used a VPN by cross-referencing a class 19 member’s ZIP code with their IP address. Reply at 14. Where the data points indicate 20 different locations, class members may be required to attest via affidavit to their location at 21 the time they filled out the form. See Zaklit v. Nationstar Mortg. LLC, 22 No. 515CV2190CASKKX, 2017 WL 3174901, at *9 (C.D. Cal. July 24, 2017) (for 23 purposes of CIPA, “it is ‘more likely than not that a person with a California area code 24 [was] located in California”). Because this method is capable of identifying class members 25 who filled out the form while in California, the issue of location does not defeat 26 predominance. 27 28 16 1 2 3 4 5 6 7 IV. CONCLUSION For the foregoing reasons, the Court CERTIFIES the following class in this action: All natural persons who, while in California, visited Prudential.com, provided personal information on Prudential’s form to receive a quote for life insurance, and for whom a TrustedForm Certificate URL associated with that website visit was generated from November 23, 2021 to December 13, 2022. The Court also APPOINTS Girard Sharp LLP as class counsel and Valerie Torres and Rhonda Hyman as class representatives. 8 IT IS SO ORDERED. 9 Dated: November 26, 2024 CHARLES R. BREYER United States District Judge 10 United States District Court Northern District of California 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 17

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?