533 F.Supp.3d 823
N.D. Cal. 2021
Background
- Noom, a web-based weight-loss service, embeds FullStory’s "session replay" code on its site to capture user interactions (keystrokes, clicks, scrolling) and store them on FullStory’s cloud servers for client-side playback and analysis.
- Plaintiffs (California residents) allege FullStory recorded PII and PHI (height, weight, medical/diet info, email, IP, geolocation) when they visited Noom and that Noom aided/abetted FullStory’s unlawful interception.
- Plaintiffs brought a putative California class action asserting: (1) CIPA §631(a) wiretapping; (2) CIPA §635(a) sale/possession of eavesdropping device; and (3) invasion of privacy under the California Constitution; they also sought injunctive relief.
- Defendants moved to dismiss arguing (a) FullStory is a service-provider/party to the communication (not a third‑party eavesdropper), (b) much of the data alleged is non‑content (not protected), and (c) FullStory lacks forum‑related contacts for specific jurisdiction.
- The court distinguished situations where independent third parties intercepted and monetized site data (e.g., data brokers or Facebook tracking) from a vendor that provides tools for a site to record its own user sessions; it found plaintiffs failed to plausibly plead third‑party eavesdropping.
- Holding: the court dismissed the complaint (with leave to amend) because plaintiffs did not plausibly plead wiretapping by FullStory and therefore lacked standing for some claims and failed to meet their prima facie burden for specific personal jurisdiction; one plaintiff’s injunctive‑relief claim was dismissed with prejudice.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Whether FullStory is a third‑party eavesdropper under CIPA §631(a) | FullStory’s session‑replay captured communications; it was not a party and thus unlawfully intercepted users’ communications | FullStory is a vendor/service provider that enables Noom to record its own site sessions and therefore is a party, not an eavesdropper | Court: Plaintiffs failed to plausibly allege FullStory was a third‑party eavesdropper; dismissal (leave to amend) |
| Whether alleged data (IP, timestamps, browser, geolocation) is protected “content” under CIPA | Plaintiffs treat many recorded interactions as content | Defendants: IP, timestamps, browser/OS, geolocation are non‑content metadata and not protected | Court: Dismissed claims to the extent they rely on non‑content data; plaintiffs may replead content distinctions |
| Whether plaintiffs have a private right of action/Article III standing for §635(a) (device sale/possession) | Plaintiffs claim FullStory’s code/functionality is an eavesdropping device and they were injured by its use | Defendants: No eavesdropping occurred, so no injury or private right eventuated; thus no standing | Court: Because plaintiffs did not plausibly allege eavesdropping, they lack the injury needed for a private right of action and Article III standing; claim dismissed |
| Whether the court has specific personal jurisdiction over FullStory | Jurisdiction arises from FullStory’s alleged wiretapping of Californians visiting Noom | FullStory: merely a vendor providing services to Noom; it lacks forum‑related conduct to satisfy Calder/Cal. effects test | Court: Plaintiffs failed to make a prima facie showing of purposeful direction tied to the forum; no specific jurisdiction established |
Key Cases Cited
- Ribas v. Clark, 38 Cal.3d 355 (1985) (surreptitious listening by a third party may violate state wiretap law; a party to a communication may record it)
- Rogers v. Ulrich, 52 Cal. App. 3d 894 (1975) (party to a communication may record it; contrast with third‑party eavesdropping)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) (distinguishes tracking/third‑party collection from a party’s recording of its own communications for privacy‑claim purposes)
- In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014) (definition of “content” vs. non‑content metadata under wiretap law)
- United States v. Reed, 575 F.3d 900 (9th Cir. 2009) (geolocation and call‑detail records are non‑content for wiretap purposes)
- Calder v. Jones, 465 U.S. 783 (1984) (Calder effects test for purposeful direction in specific‑jurisdiction analysis)
- Hill v. Nat’l Collegiate Athletic Ass’n, 7 Cal.4th 1 (1994) (framework for the California constitutional invasion‑of‑privacy claim)
- Hernandez v. Hillsides, Inc., 47 Cal.4th 272 (2009) (elements and standards for constitutional privacy claims)
