Love et al v. Ladder Financial, Inc. et al

Filing 78

Order by Judge Vince Chhabria granting 61 Motion to Dismiss.(vclc3, COURT STAFF) (Filed on 5/8/2024)

Download PDF
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA ZONOBIA LOVE, et al., Case No. 23-cv-04234-VC Plaintiffs, ORDER GRANTING MOTION TO DISMISS v. LADDER FINANCIAL, INC., Re: Dkt. No. 61 Defendant. Ladder’s motion to dismiss is granted. This ruling assumes the reader is familiar with the facts, the applicable legal standards, and the arguments made by both parties. CIPA. Ladder operates a website that provides insurance quotes to potential customers. To obtain a quote, the user enters various information, including basic personal identifying information (e.g., name, zip code) and sensitive health information (e.g., prescription medication use, medical conditions, use of illegal drugs). Ladder allegedly uses FullStory’s Digital Experience Intelligence tools to track how consumers interact with its website. One particular function is the focal point of the plaintiffs’ complaint: Session Replay. Allegedly, FullStory captures a user’s entire site visit, allowing Ladder to replay every keystroke and click. The plaintiffs allege that these replays include the personal and sensitive information entered into the form.1 The plaintiffs allege that Ladder violated CIPA by aiding and abetting FullStory’s direct Ladder contests this allegation, noting that FullStory’s privacy policy requires its customers to prevent sensitive information from being recorded and that FullStory offers a feature that masks text elements by default. There is no need to reach the question of whether the plaintiffs have satisfactorily alleged that Ladder has enabled FullStory’s tools to capture the sensitive form entries. As explained below, even if that allegation has been made, there would still be no CIPA claim. 1 violation of CIPA. There are two direct violations asserted—the second and third clauses of § 631(a)—but neither is successfully alleged. Thus, aiding-and-abetting claim must be dismissed. The second clause makes it a violation when a person “willfully and without the consent of all parties to the communication . . . reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit.” Of the various website interactions that are allegedly tracked by FullStory’s tools, only the form entries would qualify as the “contents or meaning” of a communication. See Katz-Lacabe v. Oracle America, Inc., 668 F. Supp. 3d 928, 944–45 (N.D. Cal. 2023); see also In re Zynga Privacy Litigation, 750 F.3d 1098, 1106 (9th Cir. 2014) (interpreting the word “contents” in a similar statute to mean the “intended message conveyed”). But the plaintiffs have not alleged that FullStory itself ever “reads, attempts to read, or to learn” the content of the form entries. The plaintiffs have only alleged that FullStory provides a tool that allows Ladder to record, track, and analyze the interactions that users have with its own site. See Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832–33 (N.D. Cal. 2021); see also Williams v. DDR Media, LLC, No. 22-cv-03789-SI, 2023 WL 5352896, *3–4 (N.D. Cal. Aug. 18, 2023); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275, at *3 (N.D. Cal. Dec. 22, 2022). But see, e.g., Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 898 (N.D. Cal. 2023). The plaintiffs’ allegation that comes the closest draws on FullStory’s Privacy Policy. The plaintiffs cite FullStory’s acknowledgement that it uses information collected from users of its customer websites for certain purposes, such as security, legal compliance, and service improvement. Additionally, FullStory states that it “may use and share information in an aggregated and de-identified manner at [its] discretion, including for research, analysis, modeling, marketing, and improvement of our Services.”2 But none of that makes it plausible 2 The Complaint quotes selectively from the Privacy Policy, at times misconstruing what the policy says. For example, the complaint asserts that FullStory uses the personal identifying information and personal health information of Ladder website users to “grow its business.” But that language about growing its business is only included in the portion of the policy about 2 that FullStory is accessing or reading the personal identifying information or sensitive health information entered into the form. There is no coherent story of how or why FullStory would learn such granular information about users of one if its customers’ sites—information that has nothing to do with its alleged service or stated uses of consumer data. Merely quoting these lines from the policy and then making broad assertions about use is not enough to state a claim under the second clause of § 631(a). The claim under the third clause fails for similar reasons. The third clause makes it a violation when a person “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained.” The third clause references the second clause. If someone violates CIPA by learning the contents of a communication in a proscribed manner, then someone who uses or shares the ill-gotten contents of that communication also violates CIPA. But, as discussed, there is no plausible allegation that FullStory learned what the users wrote in the insurance quote forms. Similarly, there is no plausible allegation that FullStory uses the personal information in those forms. Thus, the plaintiffs have failed to sufficiently allege that FullStory violated the third clause of § 631(a). Invasion of privacy. The invasion of privacy claim is dismissed because Ladder’s alleged conduct is not an intrusion that would be “highly offensive to a reasonable person,” or “an exceptional kind of prying into another’s private affairs.” McClung v. AddShopper, Inc., No. 23cv-01996-VC, 2024 WL 189006, *4 (N.D. Cal. Jan. 17, 2024). Some of the information entered into the form is certainly the kind of private, sensitive information that could give rise to an invasion of privacy claim if disclosed or misused. But all that has been plausibly alleged is that FullStory records and stores for Ladder’s own use information that users have voluntarily shared information collected from FullStory’s website customers—it is not included in the separate, subsequent portion about the information collected from the users of the websites of FullStory’s customers. As another example, the complaint quotes from the section about user information that FullStory uses that information for “research, analysis, modeling, marketing, and improvement of our services.” But the complaint leaves out the preceding clause, which specifies that the information is used “in an aggregated or de-identified manner.” Since the Privacy Policy can properly be incorporated by reference, this ruling looks to the language itself in the proper context—rather than the selective quotes. 3 with Ladder. That is not the kind of privacy intrusion that California’s constitution bars. *** It is not clear how the plaintiffs could amend their complaint to address the flaws with their claims. But, out of an abundance of caution, dismissal is with leave to amend. Any amended complaint is due within 21 days. IT IS SO ORDERED. Dated: May 8, 2024 ______________________________________ VINCE CHHABRIA United States District Judge 4

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?