Plaintiffs sued Carnival Cruise Line because they were upset about how much information carnival.com collected when they visited the site. “On carnival.com, no action goes unnoticed. Every click is counted, every keystroke is collected, and every cursor movement is catalogued.”
The claims centered around Carnival’s use of Clarity – a Microsoft session replay software that was deployed onto the user’s browser to collect a wide variety of information about the user’s system and browsing behavior. That collection was not limited to information from carnival.com. Clarity allegedly assigned each user a specific id that it used to associate and aggregate browsing behavior across all Clarity-enabled websites.
Plaintiffs asserted several claims, including one under the federal Electronic Communications Privacy Act (18 U.S.C. 2510 et seq.) (“ECPA”). They complained that Carnival intercepted Plaintiffs’ personal information, including their passport number, driver’s license number, date of birth, home address, phone number, email address and payment information, and used that information to trace users’ browsing history on other sites.
Carnival moved to dismiss for failure to state a claim under the ECPA. The court denied the motion.
No “party to the communication” exception
Carnival argued that the “party to the communication” exception of the ECPA absolved it of liability. 18 U.S.C. 2511(2)(d) provides that “[i]t shall not be unlawful … for a person … to intercept a[n] electronic communication where such person is a party to the communication.” But plaintiffs asserted that Microsoft, as the provider of the session replay code software, was a third party to the communication of the browsing information. Courts sometimes find third parties to be merely “extensions” of a website when such third parties’ services “merely function as a tape recorder.” But in this case, citing to Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023), the court declined to find that Clarity had such limited functionality. The main problem for Carnival was that Clarity did more than just serve as a “tape recorder” – it used data to generate analytics such as heatmaps of user engagement and profiles of browsing history on other sites.
No consent for third party interception
Carnival also argued that the ECPA claim should be dismissed because plaintiffs had consented to the interception of their information. The court rejected this argument.
Carnival’s first argued that by merely sending a communication over the internet, plaintiffs expressed their consent. It cited to a 2001 Pennsylvania decision called Commonwealth v. Proetto, a criminal case in which that court found that a defendant accused of improperly soliciting a 15-year-old girl online could not claim that the girl’s decision to print out the defendant’s chat communication violated defendant’s right of privacy. In other words, the Pretto case stands for the notion that when one sends something over the internet, he or she loses control, from a privacy standpoint, over what the recipient will do with that information. The court distinguished the Proetto case, however, noting that it did not cover third-party interception, focusing instead on direct communication between two parties, and emphasizing that consent is given specifically to the receiver, not any incidental third party. This distinction was crucial in the present case, as Carnival needed to demonstrate that plaintiffs consented not just to Carnival, but also to third-party session replay providers – such as Microsoft in providing Clarity – involved in data collection.
So Carnival cited to Farst v. AutoZone, Inc., 2023 WL 7179807 (M.D. Pa. 2023) wherein the court dismissed similar claims in the context of online shopping, deeming it a public activity with no expectation of privacy in browsing habits. The court distinguished the Farst case, however, by noting that it did not focus not on the collection of sensitive information like this case did. In the current case, plaintiffs had made concrete allegations regarding the interception of sensitive information (e.g., driver’s license number, date of birth, home address).
Carnival’s second argument for plaintiffs’ consent to its recording policy hinged on a “Cookie Policy” banner on its website, suggesting that continued use of the site provided consent to the policy. Plaintiffs countered this by asserting that the website did not adequately notify users of this recording, and interaction with the site was possible without reviewing or agreeing to any privacy policy. The court observed that in assessing the validity of such “browsewrap” agreements, it should consider whether a website provides sufficient notice to a reasonably prudent user about the terms of the contract. In this case, the Cookie Policy banner was less noticeable due to its smaller text, inconspicuous color scheme, and placement away from key user interaction points, like large “SHOP NOW” or “SEARCH CRUISES” buttons. There was also no evidence that the banner appeared immediately or remained visible throughout a user’s visit. Consequently, the court found that – based on the facts alleged – a reasonably prudent user would not be adequately informed of the terms, siding with plaintiffs’ claim that they did not consent to the interception of their communications.
Rejection of Carnival’s other ECPA arguments
In denying the motion to dismiss the ECPA claims, the court rejected Carnival’s remaining arguments as well.
The court found that based on the facts alleged in the complaint, it was plausible to believe that the transmission of the information was contemporaneous, thereby qualifying as an “interception” under the statute.
It found that the information transmitted was not merely “record information” but that information such as an intent to travel, dates and locations were actual “contents” of the alleged communications.
And it rejected Carnival’s argument that the offending session replay code comprising Clarity was not a “device” prohibited by the statute. Carnival contended that it did not meet the definition of a “device” in the context of wiretapping laws, arguing that a “device” should be a physical object. The court held that that the combination of software and hardware involved in this case fell under the ambit of “device” as contemplated by the statute.
Price v. Carnival Corporation, 2024 WL 221437 (S.D. Cal., January 19, 2024)
See also: