Case Information
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA TAYLOR SMITH, Case No. 24-cv-01703-RFL Plaintiff, ORDER GRANTING MOTION TO
v. DISMISS WITH LEAVE TO AMEND Re: Dkt. No. 23 YETI COOLERS, LLC, Defendant.
Plaintiff Taylor Smith alleges that Defendant YETI Coolers, LLC uses a third-party payment processor, Adyen, to process customer purchases on its website, and that Adyen incorporates customers’ financial information into its fraud prevention system, which it then markets to merchants without customers’ consent. Plaintiff alleges that this constitutes an interception of their sensitive information by Adyen with Defendant’s assistance and invades their privacy. Plaintiff now brings this putative class action under the California Invasion of Privacy Act, for violations of California Penal Code §§ 631(a) and 632, and under California’s Constitution, for invasion of privacy. Defendant’s motion to dismiss is GRANTED WITH LEAVE TO AMEND , for the reasons further detailed below. The operative complaint does not sufficiently allege Defendant’s knowledge of Adyen’s allegedly wrongful conduct or Defendant’s intent to assist Adyen in that conduct. Because it is not clear whether Plaintiff could cure this defect through amendment, the dismissal is with leave to amend.
I. ALLEGATIONS OF FIRST AMENDED COMPLAINT
Defendant owns and operates the YETI website, www.yeti.com, which sells YETI-brand products for purchase. To facilitate the payment process, Defendant engaged a third-party company, Adyen. Defendant integrated Adyen’s online payment processing platform into its website “for the purported purpose of processing consumer purchases” and “protect[ing] Defendant from fraudulent transactions.” (Dkt. No. 21 (“First Amended Complaint” or “FAC) ¶¶ 24, 34.)
But according to Plaintiff, these are not the only services that Adyen provides. Rather, Adyen “intercepts and indefinitely stores consumers’ [personally identifiable information] and financial information into its fraud prevention network,” which Adyen uses to provide additional risk management services to merchants. ( Id. ¶¶ 25-26.) By accessing Adyen’s network, merchants are able to “gain valuable insights into consumers’ purchasing history by tracking and recording consumers’ purchases across devices and networks.” ( Id. ¶ 30.) Plaintiff further alleges that nowhere on Defendant’s website is there information to alert consumers that a third party is involved in payment processing and that their sensitive information is being “shared with and indefinitely stored by a third party.” ( ¶¶ 35-37.) And according to Plaintiff, nor have consumers consented to the disclosure of this information. ( Id . ¶ 42.)
Plaintiff alleges that this conduct amounts to the illegal recording of confidential communications, in violation of Sections 631(a) and 632 of the California Invasion of Privacy Act, and an illegal invasion of privacy under the California Constitution. And, according to Plaintiff, because Defendant has “assist[ed] Adyen in intercepting and indefinitely storing this sensitive information” by integrating Adyen’s platform into its website, Defendant is culpable for its facilitation of this process. ( Id . ¶ 39.)
II. LEGAL STANDARD
Federal Rule of Civil Procedure 8(a)(2) requires a complaint to include “a short and plain
statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). A
complaint that fails to meet this standard may be dismissed pursuant to Rule 12(b)(6).
See
Fed.
R. Civ. P. 12(b)(6). To overcome a Rule 12(b)(6) motion to dismiss after the Supreme Court’s
decisions in
Ashcroft v. Iqbal
,
The court “accept[s] factual allegations in the complaint as true and construe[s] the
pleadings in the light most favorable to the nonmoving party.”
Manzarek v. St. Paul Fire &
Marine Ins. Co.
,
III. DISCUSSION
A. California Penal Code Section 631(a)
To plead a violation of § 631(a), Plaintiff must allege sufficient facts to show that Defendant either (1) engaged in intentional wiretapping; (2) willfully read “the contents or meaning” of a communication without consent; (3) attempted to use or communicate information obtained as a result of engaging in the previous two activities; or (4) aided another in any of the previous three activities. Cal. Penal Code § 631(a). Plaintiff’s theory is that Defendant is liable under the fourth clause of § 631(a) because Defendant “aided, agreed with, and conspired with Adyen to track and intercept Plaintiff’s and Class Members’ internet communications while accessing www.yeti.com.” (FAC ¶ 55.) Although Plaintiff alleges a sufficient basis for Adyen’s liability, the First Amended Complaint as currently pled does not allege sufficient facts to hold Defendant derivatively liable for Adyen’s conduct.
1. Adyen’s Alleged Violation of Section 631(a) To establish Defendant’s derivative liability under the fourth clause of § 631(a), Plaintiff must first show that Adyen engaged in conduct prohibited by the first, second, or third clause. Plaintiff sufficiently alleged that Adyen’s conduct violated both the second and third clauses of § 631(a). Either violation is sufficient as the predicate for Defendant’s derivative liability.
The second clause of § 631(a) has three requirements: (1) the “absence of consent” of all
parties to the communication; (2) eavesdropping by a third-party nonparticipant to the
communication; and (3) an interception of the communication “while in transit.”
Valenzuela v.
Keurig Green Mountain, Inc.
,
Starting with the third-party nonparticipant requirement, Adyen’s status as a nonparty to
the communication turns on whether Adyen’s conduct was “sufficiently independent” from
Defendant to be considered a distinct party.
Licea v. Cinmar, LLC
,
Plaintiff also sufficiently alleges that she did not consent to Adyen’s eavesdropping.
Defendant argues that its Terms and Privacy Policy “expressly disclosed to Plaintiff and other
YETI users that the information she provided at payment checkout would be shared with third-
party service providers (like Adyen).” (Dkt. No. 23-1 at 11.)
[1]
But under California law,
consumers must have actually or constructively consented to be bound by these contractual
terms.
Allen v. Shutterfly, Inc.
, No. 20-cv-02448,
Most internet contracts are “clickwrap” agreements or “browsewrap” agreements.
Allen
,
Defendant’s inclusion of the pop-up banner does not constitute a clickwrap agreement. The pop-up banner may be reasonably conspicuous to satisfy the first requirement of the test articulated in Oberstein . However, Defendant’s pop-up banner does not require individuals to click an “I agree” button, nor does it include any language to imply that by proceeding to use the website, users reasonably consent to Defendant’s terms and conditions of use. Therefore, the pop-up banner cannot be treated as a traditional clickwrap agreement that renders the website’s terms and conditions of use enforceable against Plaintiff or other users.
Nor do the pop-up banner or link on the Defendant’s homepage suffice to provide the
requisite “constructive assent” for a browsewrap agreement.
Nguyen v. Barnes & Noble Inc.
,
Accordingly, Plaintiff has sufficiently alleged that Adyen’s conduct violated the second clause of § 631(a). Moreover, for the same reasons explained above, Plaintiff has also sufficiently alleged a separate basis for derivative liability: that Adyen’s conduct violated the third clause of § 631(a). As a result of engaging in the above-described conduct, Adyen also allegedly used the information it collected “to monetize and market [their] services to Defendant and other merchants within Adyen’s network.” (FAC ¶ 8.) Defendant does not separately contest this point, beyond the arguments addressed above.
2. Defendant’s Liability for Adyen’s Alleged Violation of § 631(a)
Although Plaintiff has sufficiently alleged a basis to believe that Adyen violated the
second and third clauses of § 631(a), Plaintiff has not adequately alleged a basis for Defendant’s
derivative liability. Plaintiff has not plausibly alleged that Defendant aided, agreed with,
employed, or conspired with Adyen “to unlawfully do, or permit, or cause to be done any of the
acts” that Adyen undertook in violation of § 631(a). The parties disagree about the requirements
to allege liability under this clause. According to Defendant, the fourth clause imputes a scienter
requirement, which mirrors the requirements for establishing conspiracy or accomplice liability.
In this view, Plaintiff must allege that Defendant acted with “specific intent to commit the
unlawful acts” or with “knowledge of ‘the unlawful purpose and inten[t] to help [Adyen]
accomplish that purpose.’” (Dkt. No. 23-1 at 14 (citing
People v. Swain
,
The statute does not necessarily incorporate the common law requirement for aiding and
abetting simply because it contemplates liability where an individual or entity provides “aid.”
See Cousin
,
However, other language in § 631(a)’s fourth clause does require some level of knowledge and intent. That clause prohibits a defendant from aiding, agreeing with, or employing a third party “ to unlawfully do, or permit, or cause” the third party to act in violation of the wiretapping statute. Cal. Pen. Code § 631(a) (emphasis added). That language indicates that the defendant must be acting with the third party in order to have the third party perform acts that violate the statute. At the very least, that requires both knowledge of the conduct that will violate the statute and a purpose of aiding, agreeing with, or employing the third party to commit those acts. By its plain terms, that statutory language does not cover, for example, a defendant who properly and lawfully provides information or access to a third party without any knowledge or intent that the third party will use the information in a manner that violates the statute. Such a defendant has not aided, agreed with, or employed the third party to perform acts that violate the wiretapping statute.
Plaintiff fails to allege facts sufficient to show the requisite knowledge and intent. In her complaint, Plaintiff alleges that Defendant was “aware of the purposes for which Adyen collects consumers’ sensitive information because Defendant is knowledgeable of and benefitting from Adyen’s fraud prevention services.” (FAC ¶ 41.) Plaintiff also alleges that Defendant “assists Adyen in intercepting and indefinitely storing this sensitive information.” ( Id. ¶ 39.) Those conclusory allegations do not contain sufficient facts for the Court to draw a plausible inference that Defendant knowingly agreed with or employed Adyen to engage in conduct that violated the wiretapping statute. Without further information, the Court cannot plausibly infer from Defendant’s use of Adyen’s fraud prevention services alone that Defendant knew that Adyen’s services were based on its allegedly illegal interception and storing of financial information, collected during Adyen’s online processing of customers’ purchases. Plaintiff alleges that Adyen’s fraud detection software uses “network-wide insights” that include attributes based on email, card information, and delivery address, but does not indicate how Defendant would know those “insights” came from Adyen’s processing of payments from Defendant’s website. ( ¶ 28.) Accordingly, the motion to dismiss this claim is granted.
B. California Penal Code Section 632
To state a claim under § 632, Plaintiff must show there was (1) an electronic recording of
(2) a confidential communication and (3) all parties did not consent.
Turner v. Nuance
Commc’ns, Inc.
, No. 22-cv-05827,
First, Plaintiff has plausibly alleged that the communications were confidential. A
communication is confidential under § 632 if a party “has an objectively reasonable expectation
that the conversation is not being overheard or recorded.”
Flanagan v. Flanagan
,
Second, for the reasons provided above, Plaintiff plausibly alleged that she did not consent to the recording. The analysis under § 632 is identical to the analysis under § 631(a). Neither Defendant’s pop-up banner nor its link on its homepage render the Privacy Policy or Terms of Use enforceable against Plaintiff. Although these terms and conditions of use may have been conspicuously displayed, Plaintiff did not manifest her assent either through clicking an “I agree” button or by affirmatively using the website after being told that such use would constitute assent to those terms. Therefore, the third element is also met.
However, Plaintiff again has not alleged sufficient facts to support a plausible inference
of derivative liability. Unlike the fourth clause of California Penal Code § 631(a), the text of
Penal Code § 632 does not expressly provide for derivative liability. However, under Penal
Code § 31, “[a]ll persons concerned in the commission of a crime . . . or [who] aid and abet in its
commission . . . are principals in any crime so committed.”
See Vera v. O’Keefe
, 791 F. Supp.
2d 959, 963 (S.D. Cal. 2011). In applying this principle to civil lawsuits for violations of Penal
Code § 632, courts have imputed the civil liability standard for aiding and abetting to determine
the scope of derivative liability. At common law, a person aids and abets the commission of a
crime when they “(a) know the other’s conduct constitutes a breach of duty and give substantial
assistance or encouragement to the other to so act or (b) give substantial assistance to the other in
accomplishing a tortious result and the person’s own conduct, separately considered, constitutes
a breach of duty to the third person.”
Esparza
,
C. Invasion of Privacy Under the California Constitution
“The California Constitution sets a ‘high bar’ for establishing an invasion of privacy
claim.”
In re Yahoo Mail Litigation
,
Defendant does not appear to dispute that Plaintiff has a legally protected privacy interest
in her personally identifiable and financial information. Under the California Constitution, an
individual has a legally protected privacy interest in “precluding the dissemination or misuse of
sensitive and confidential information.” at 856. “A particular class of information is private
when well-established social norms recognize the need to maximize individual control over its
dissemination and use.”
Id.
Courts have recognized that individuals retain a privacy interest in
their personally identifiable information, including their name, address, and phone number.
See,
e.g.
,
Padron v. Lara
, No. 1:16-cv-00549,
However, despite the collection of Plaintiff’s personally identifiable and financial
information, Defendant argues that Plaintiff has no reasonable expectation of privacy “as to
YETI’s
fully disclosed
sharing with its payment processor, Adyen, of the information Plaintiff
included in the ‘form fields’ for her purchase.” (Dkt. No. 23-1 at 18 (emphasis added).) But
“[w]hether a party has a reasonable expectation of privacy is a context-specific inquiry that
should not be adjudicated as a matter of law unless the undisputed material facts show no
reasonable expectation of privacy.”
Padron
,
Defendant argues that “consumers do not have a reasonable expectation of privacy over
their commercial activity on the Internet.” (Dkt. No. 23-1 at 18.) And, indeed, courts have
recognized that consumers do not always retain a reasonable expectation of privacy in their
information once that information is voluntarily disclosed during the course of ordinary online
commercial activity.
See, e.g.
,
D’Angelo v. Penny OpCo, LLC
, No. 23-cv-0981, 2023 WL
7006793, at *11 (S.D. Cal. Oct. 24, 2023) (finding no reasonable expectation of privacy in online
chats with customer service representative);
Saleh v. Nike, Inc.
,
In terms of the third element, Plaintiff fails to plausibly allege facts from which the Court
could plausibly infer that Defendant’s conduct is so egregious as to constitute a “serious invasion
of privacy.” Courts recognize that the offensiveness of the conduct typically cannot be resolved
at the pleading stage, as this is also a fact-specific inquiry.
See, e.g.
,
In re Google Location Hist.
Litig.
,
* * *
For the reasons described above, Defendant’s motion to dismiss is GRANTED as to all claims. Since the Court cannot conclude that amendment would be futile, dismissal is granted with leave to amend. If Plaintiff wishes to file a Second Amended Complaint correcting the deficiencies identified above, counsel shall do so within 21 days of the date of this Order . The Second Amended Complaint may not add new claims or parties, or otherwise change the allegations except to correct the identified deficiencies, absent leave of the Court or stipulation by the parties pursuant to Federal Rule of Civil Procedure 15. If no Second Amended Complaint is filed by that date, the First Amended Complaint will remain dismissed, judgment will be entered in favor of Defendants, and the case will be closed.
IT IS SO ORDERED.
Dated: October 21, 2024
RITA F. LIN United States District Judge
Notes
[1] Citations to page numbers refer to the ECF pagination.
[2] Defendant filed a Request for Judicial Notice and Incorporation by Reference of its Privacy Policy (Exhibit A of the Declaration of Hannah Tucker), a screenshot of its cookie banner that appears on the bottom of Defendant’s home page (Exhibit B of the Declaration of Hannah Tucker), and its Terms and Conditions of Use (Exhibit C of the Declaration of Hannah Tucker). (Dkt. No. 23-6.) These documents are incorporated by reference because Plaintiff’s complaint makes allegations regarding the existence and content of the Privacy Policy and Terms. (FAC ¶¶ 35-37.)