California Courts Continue to Cool on CIPA Allegations

As we have blogged about in the past, federal district courts have seen a tidal wave of putative class actions by website users claiming violations of the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630, et seq.  These lawsuits focus on the alleged unlawful use of website tracking technologies, such as cookies, pixels, tags, and beacons, to collect and use personal information of people who visit these websites without their consent. The deluge of lawsuits has prompted courts to scrutinize CIPA claims more rigorously.

As a recent example, in Smith v. Yeti Coolers, LLC, the Northern District of California dismissed with prejudice a putative class action challenging Yeti’s use of technology supplied by third-party payment processor, Adyen, to process customer purchases on its website. The lawsuit claimed that Adyen incorporated Yeti customers’ financial information into its fraud-prevention system, which it then marketed to merchants without customers’ consent. The plaintiff brought claims for violations of CIPA § 631 (anti-wiretapping) and § 632 (anti-eavesdropping) and for invasion of privacy under California’s Constitution. The court initially dismissed the complaint without prejudice because it did not “‘sufficiently allege [Yeti’s] knowledge of Adyen’s allegedly wrongful conduct or Defendant’s intent to assist Adyen in that conduct.’” The plaintiff’s Second Amended Complaint (SAC) fared no better.

First, the court held that the plaintiff failed to sufficiently allege that Yeti unlawfully aided and abetted Adyen’s willful violation of CIPA § 631(a). Conclusory allegations that Yeti was “‘aware of the purposes for which Adyen collects consumers’ sensitive information’” because it knew about and benefited from Adyen’s fraud prevention services, and that Yeti “‘assist[ed] Adyen in intercepting and indefinitely storing this sensitive information,’” were insufficient to state a viable claim of derivative liability against Yeti. Indeed, absent allegations “about what Adyen communicated to [Yeti] about how its fraud prevention services operate or about how customer information is stored and incorporated in Adyen’s software,” the court held that “no plausible inference can be drawn that [Yeti] knowingly aided or assisted Adyen, in violation of § 631(a).”

Second, the court similarly held that the plaintiff failed to state a viable claim for derivative liability against Yeti under CIPA § 632. Once again, the SAC did “not allege sufficient facts to support a plausible inference that [Yeti] had knowledge of Adyen’s unlawful conduct, nor d[id] it sufficiently allege that [Yeti] acted with the requisite intent to substantially aid such conduct.”

Third, the court dismissed the plaintiff’s claim for invasion of privacy under the California Constitution because the plaintiff failed to cure the deficiency in its earlier complaint by alleging that Yeti’s “conduct was so egregious as to constitute a ‘serious invasion of privacy.’” “The use of an outside payment processor, without more,” the court observed, “would not be such an invasion, absent [Yeti’s] awareness that Adyen was using the information for additional unauthorized purposes.” Because the SAC did no more than plead in wholly conclusory fashion that Yeti knew the information it allowed Ayden to intercept from Yeti’s website would be indefinitely stored and incorporated into Adyen’s fraud prevention services, the SAC still did “not support a plausible inference that Defendant was aware of Adyen’s allegedly unlawful conduct.”

This decision confirms that a plaintiff alleging CIPA “aiding and abetting” violations must plausibly allege scienter, not simply that a third party received customer information.