Strike Three – Lack of Scienter Dooms CIPA Class Action Claiming Website Owner Aided and Abetted Chat Bot Software Provider’s Alleged Eavesdropping

In Valenzuela v. The Kroger Co., the District Court for the Central District of California granted, for the third and last time, defendant’s motion to dismiss a class action lawsuit claiming that The Kroger Co. violated  section 631(a) of the California Invasion of Privacy Act (CIPA) by allowing third-party software (provided by Emplifi) to be embedded on its website to record consumers’ communications with the website’s chat function. The only issue before the court was whether the amended complaint plausibly alleged liability under prong four of CIPA 631(a)—“that Kroger aided and abetted Emplifi’s eavesdropping on Kroger’s website users’ chats.”

In its previous ruling, the court held that merely using embedded software to archive communications, like with a tape recorder, would not give rise to a statutory violation.  Instead, to state a claim under prong four of CIPA 631(a) there must be plausible allegations explaining how Kroger knew that Emplifi engaged in conduct constituting a breach of duty, e.g. by sharing users’ data with third parties, or how Kroger itself engaged in conduct that constituted a breach of duty. Because prong four of CIPA 631(a) does not contain an explicit scienter requirement, the court applied California common law of aiding and abetting, under which aiding and abetting liability for an intentional tort can be imposed only if the person “(a) knows the other’s conduct constitutes a breach of duty and gives substantial assistance or encouragement to the other to so act or (b) gives substantial assistance to the other in accomplishing a tortious result and the person’s own conduct, separately considered, constitutes a breach of duty to the third person.”

Plaintiff’s third attempt to plead scienter failed. First, the court explained that it could not plausibly infer “that because Emplifi could ‘quickly and cheaply’ deploy the bot, Kroger should have known Emplifi harvested user data.” Second, that Emplifi advertised to customers such as Kroger that the bot “mimics the look and feel of the customer’s own brand” so that users believe they are interacting with the customer did not equate to knowledge on the part of Kroger that Emplifi breached a duty toward users. Third, though the complaint alleged that Emplifi advertised that its chat bot services shared data from chat conversations with Facebook Messenger, the documents relied upon for this assertion “flatly controvert[ed] such a characterization.”

Finally, the district court rejected plaintiff’s argument that there is no scienter requirement at all under the fourth prong of section 631(a), finding “more persuasive [various] rulings that impose a scienter requirement on the statute, consistent with California law when a statute lacks an explicit scienter requirement.”

State and federal courts continue to be flooded with website-related claims for violations of CIPA 631(a).  Though there is generally a presumption against extraterritorial application of state law, determining the “place of the wrong” will often depend on the complaint’s allegations and the technologies employed.  As these and other CIPA-related issues remain unsettled, even companies with little-to-no California presence will continue to be hauled into California courts to defend no-injury CIPA website class actions, at least until appellate courts provide much needed guidance.