Love et al v. Ladder Financial, Inc. et al
Filing 78
Order by Judge Vince Chhabria granting 61 Motion to Dismiss.(vclc3, COURT STAFF) (Filed on 5/8/2024)
UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
ZONOBIA LOVE, et al.,
Plaintiffs,
v.
LADDER FINANCIAL, INC.,
Defendant.
Case No. 23-cv-04234-VC
ORDER GRANTING MOTION TO DISMISS
Re: Dkt. No. 61
Ladder’s motion to dismiss is granted. This ruling assumes the reader is familiar with the
facts, the applicable legal standards, and the arguments made by both parties.
CIPA. Ladder operates a website that provides insurance quotes to potential customers.
To obtain a quote, the user enters various information, including basic personal identifying
information (e.g., name, zip code) and sensitive health information (e.g., prescription medication
use, medical conditions, use of illegal drugs). Ladder allegedly uses FullStory’s Digital
Experience Intelligence tools to track how consumers interact with its website. One particular
function is the focal point of the plaintiffs’ complaint: Session Replay. Allegedly, FullStory
captures a user’s entire site visit, allowing Ladder to replay every keystroke and click. The
plaintiffs allege that these replays include the personal and sensitive information entered into the
form.[1]
[1] Ladder contests this allegation, noting that FullStory’s privacy policy requires its customers to
prevent sensitive information from being recorded and that FullStory offers a feature that masks
text elements by default. There is no need to reach the question of whether the plaintiffs have
satisfactorily alleged that Ladder has enabled FullStory’s tools to capture the sensitive form
entries. As explained below, even if that allegation has been made, there would still be no CIPA
claim.
The plaintiffs allege that Ladder violated CIPA by aiding and abetting FullStory’s direct
violation of CIPA. There are two direct violations asserted—the second and third clauses of §
631(a)—but neither is successfully alleged. Thus, the aiding-and-abetting claim must be dismissed.
The second clause makes it a violation when a person “willfully and without the consent
of all parties to the communication . . . reads, or attempts to read, or to learn the contents or
meaning of any message, report, or communication while the same is in transit.” Of the various
website interactions that are allegedly tracked by FullStory’s tools, only the form entries would
qualify as the “contents or meaning” of a communication. See Katz-Lacabe v. Oracle America,
Inc., 668 F. Supp. 3d 928, 944–45 (N.D. Cal. 2023); see also In re Zynga Privacy Litigation, 750
F.3d 1098, 1106 (9th Cir. 2014) (interpreting the word “contents” in a similar statute to mean the
“intended message conveyed”).
But the plaintiffs have not alleged that FullStory itself ever “reads, attempts to read, or to
learn” the content of the form entries. The plaintiffs have only alleged that FullStory provides a
tool that allows Ladder to record, track, and analyze the interactions that users have with its own
site. See Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832–33 (N.D. Cal. 2021); see also
Williams v. DDR Media, LLC, No. 22-cv-03789-SI, 2023 WL 5352896, *3–4 (N.D. Cal. Aug.
18, 2023); Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275, at *3
(N.D. Cal. Dec. 22, 2022). But see, e.g., Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 898
(N.D. Cal. 2023).
The plaintiffs’ allegation that comes the closest draws on FullStory’s Privacy Policy. The
plaintiffs cite FullStory’s acknowledgement that it uses information collected from users of its
customer websites for certain purposes, such as security, legal compliance, and service
improvement. Additionally, FullStory states that it “may use and share information in an
aggregated and de-identified manner at [its] discretion, including for research, analysis,
modeling, marketing, and improvement of our Services.”[2] But none of that makes it plausible
that FullStory is accessing or reading the personal identifying information or sensitive health
information entered into the form. There is no coherent story of how or why FullStory would
learn such granular information about users of one of its customers’ sites—information that has
nothing to do with its alleged service or stated uses of consumer data. Merely quoting these lines
from the policy and then making broad assertions about use is not enough to state a claim under
the second clause of § 631(a).
[2] The Complaint quotes selectively from the Privacy Policy, at times misconstruing what the
policy says. For example, the complaint asserts that FullStory uses the personal identifying
information and personal health information of Ladder website users to “grow its business.” But
that language about growing its business is only included in the portion of the policy about
information collected from FullStory’s website customers—it is not included in the separate,
subsequent portion about the information collected from the users of the websites of FullStory’s
customers. As another example, the complaint quotes from the section about user information
that FullStory uses that information for “research, analysis, modeling, marketing, and
improvement of our services.” But the complaint leaves out the preceding clause, which specifies
that the information is used “in an aggregated or de-identified manner.” Since the Privacy Policy
can properly be incorporated by reference, this ruling looks to the language itself in the proper
context—rather than the selective quotes.
The claim under the third clause fails for similar reasons. The third clause makes it a
violation when a person “uses, or attempts to use, in any manner, or for any purpose, or to
communicate in any way, any information so obtained.” The third clause references the second
clause. If someone violates CIPA by learning the contents of a communication in a proscribed
manner, then someone who uses or shares the ill-gotten contents of that communication also
violates CIPA. But, as discussed, there is no plausible allegation that FullStory learned what the
users wrote in the insurance quote forms. Similarly, there is no plausible allegation that FullStory
uses the personal information in those forms. Thus, the plaintiffs have failed to sufficiently allege
that FullStory violated the third clause of § 631(a).
Invasion of privacy. The invasion of privacy claim is dismissed because Ladder’s alleged
conduct is not an intrusion that would be “highly offensive to a reasonable person,” or “an
exceptional kind of prying into another’s private affairs.” McClung v. AddShopper, Inc., No.
23-cv-01996-VC, 2024 WL 189006, *4 (N.D. Cal. Jan. 17, 2024). Some of the information entered
into the form is certainly the kind of private, sensitive information that could give rise to an
invasion of privacy claim if disclosed or misused. But all that has been plausibly alleged is that
FullStory records and stores for Ladder’s own use information that users have voluntarily shared
with Ladder. That is not the kind of privacy intrusion that California’s constitution bars.
***
It is not clear how the plaintiffs could amend their complaint to address the flaws with
their claims. But, out of an abundance of caution, dismissal is with leave to amend. Any
amended complaint is due within 21 days.
IT IS SO ORDERED.
Dated: May 8, 2024
______________________________________
VINCE CHHABRIA
United States District Judge