Website cookie banner was not enough for cruise line to sink federal wiretap lawsuit

cookie banner

Plaintiffs sued Carnival Cruise Line because they were upset about how much information carnival.com collected when they visited the site. “On carnival.com, no action goes unnoticed. Every click is counted, every keystroke is collected, and every cursor movement is catalogued.”

The claims centered around Carnival’s use of Clarity – a Microsoft session replay software that was deployed onto the user’s browser to collect a wide variety of information about the user’s system and browsing behavior. That collection was not limited to information from carnival.com. Clarity allegedly assigned each user a specific id that it used to associate and aggregate browsing behavior across all Clarity-enabled websites.

Plaintiffs asserted several claims, including one under the federal Electronic Communications Privacy Act (18 U.S.C. 2510 et seq.) (“ECPA”). They complained that Carnival intercepted Plaintiffs’ personal information, including their passport number, driver’s license number, date of birth, home address, phone number, email address and payment information, and used that information to trace users’ browsing history on other sites.

Carnival moved to dismiss for failure to state a claim under the ECPA. The court denied the motion.

No “party to the communication” exception

Carnival argued that the “party to the communication” exception of the ECPA absolved it of liability. 18 U.S.C. 2511(2)(d) provides that “[i]t shall not be unlawful … for a person … to intercept a[n] electronic communication where such person is a party to the communication.” But plaintiffs asserted that Microsoft, as the provider of the session replay code software, was a third party to the communication of the browsing information. Courts sometimes find third parties to be merely “extensions” of a website when such third parties’ services “merely function as a tape recorder.” But in this case, citing to Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023), the court declined to find that Clarity had such limited functionality. The main problem for Carnival was that Clarity did more than just serve as a “tape recorder” – it used data to generate analytics such as heatmaps of user engagement and profiles of browsing history on other sites.

No consent for third party interception

Carnival also argued that the ECPA claim should be dismissed because plaintiffs had consented to the interception of their information. The court rejected this argument.

Carnival’s first argued that by merely sending a communication over the internet, plaintiffs expressed their consent. It cited to a 2001 Pennsylvania decision called Commonwealth v. Proetto, a criminal case in which that court found that a defendant accused of improperly soliciting a 15-year-old girl online could not claim that the girl’s decision to print out the defendant’s chat communication violated defendant’s right of privacy. In other words, the Pretto case stands for the notion that when one sends something over the internet, he or she loses control, from a privacy standpoint, over what the recipient will do with that information. The court distinguished the Proetto case, however, noting that it did not cover third-party interception, focusing instead on direct communication between two parties, and emphasizing that consent is given specifically to the receiver, not any incidental third party. This distinction was crucial in the present case, as Carnival needed to demonstrate that plaintiffs consented not just to Carnival, but also to third-party session replay providers – such as Microsoft in providing Clarity – involved in data collection.

So Carnival cited to Farst v. AutoZone, Inc., 2023 WL 7179807 (M.D. Pa. 2023) wherein the court dismissed similar claims in the context of online shopping, deeming it a public activity with no expectation of privacy in browsing habits. The court distinguished the Farst case, however, by noting that it did not focus not on the collection of sensitive information like this case did. In the current case, plaintiffs had made concrete allegations regarding the interception of sensitive information (e.g., driver’s license number, date of birth, home address).

Carnival’s second argument for plaintiffs’ consent to its recording policy hinged on a “Cookie Policy” banner on its website, suggesting that continued use of the site provided consent to the policy. Plaintiffs countered this by asserting that the website did not adequately notify users of this recording, and interaction with the site was possible without reviewing or agreeing to any privacy policy. The court observed that in assessing the validity of such “browsewrap” agreements, it should consider whether a website provides sufficient notice to a reasonably prudent user about the terms of the contract. In this case, the Cookie Policy banner was less noticeable due to its smaller text, inconspicuous color scheme, and placement away from key user interaction points, like large “SHOP NOW” or “SEARCH CRUISES” buttons. There was also no evidence that the banner appeared immediately or remained visible throughout a user’s visit. Consequently, the court found that – based on the facts alleged – a reasonably prudent user would not be adequately informed of the terms, siding with plaintiffs’ claim that they did not consent to the interception of their communications.

Rejection of Carnival’s other ECPA arguments

In denying the motion to dismiss the ECPA claims, the court rejected Carnival’s remaining arguments as well.

The court found that based on the facts alleged in the complaint, it was plausible to believe that the transmission of the information was contemporaneous, thereby qualifying as an “interception” under the statute.

It found that the information transmitted was not merely “record information” but that information such as an intent to travel, dates and locations were actual “contents” of the alleged communications.

And it rejected Carnival’s argument that the offending session replay code comprising Clarity was not a “device” prohibited by the statute. Carnival contended that it did not meet the definition of a “device” in the context of wiretapping laws, arguing that a “device” should be a physical object. The court held that that the combination of software and hardware involved in this case fell under the ambit of “device” as contemplated by the statute.

Price v. Carnival Corporation, 2024 WL 221437 (S.D. Cal., January 19, 2024)

See also:

Beauty and the Biometrics: Federal court in Illinois tosses biometric data case brought against cosmetics giant

biometric privacy

A federal judge recently dismissed a class action lawsuit against The Estée Lauder Companies and one of its affiliates. This case involved allegations that these entities violated the Illinois Biometric Information Privacy Act (BIPA).

Background of the Case

Plaintiffs represented a proposed class and accused defendants of three distinct violations of BIPA. The dispute centered on the use of a virtual try-on tool that one of defendants had licensed to Estée Lauder which enabled customers to virtually test cosmetic products on brand websites. Plaintiffs claimed that they were not adequately informed about the capture and use of their biometric data, including facial mapping and facial geometry. They argued that there was a failure to provide clear consent and privacy policies regarding biometric data.

What BIPA Says

The law governs private entities’ collection, use, and storage of biometric identifiers and information. Plaintiffs contended that defendants did not comply with these requirements, specifically in failing to obtain written consent and establishing proper retention and destruction policies for biometric data.

What the Court Said

The court’s decision to dismiss the case hinged on plaintiffs’ inability to demonstrate that defendants used the biometric data in a manner that could identify individuals. The court referenced similar cases where allegations were dismissed due to the lack of plausible claims connecting biometric data collection with the capability to identify individuals.

The court found that plaintiffs did not provide sufficient factual allegations to establish that defendants could identify individuals using the facial scans. It compared other cases where claims were either dismissed or upheld based on the presence or absence of plausible allegations of identification capability. The case was dismissed without prejudice, meaning plaintiffs were given the opportunity to file an amended complaint by a specified date.

What It Means

This decision highlights the importance of clear legal standards for biometric data usage and the challenges plaintiffs face in proving violations under BIPA. It also underscores the need for companies to be transparent and compliant with privacy laws when implementing innovative technologies.

Castelaz v. The Estee Lauder Companies, Inc. et al., 2024 WL 136872 (N.D. Illinois, January 10, 2024)

See also:

Is storing protected information on an unencrypted server a disclosure of that information?

unencrypted server disclosure

Back in the 1990s, Congress recognized that stalkers were aided in their crimes by using victims’ driver’s license information, and states were selling driver’s license information to marketers. So Congress passed the Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq. (the “DPPA”). This statute makes it unlawful for any person to knowingly disclose personal information from a motor vehicle record for any use other than certain uses that the statute permits.

Defendant had more than 27 million Texas driver’s license records that it stored on an external unencrypted server. In 2020, it announced that a third party had accessed the records without authorization. As expected, the class action lawyers jumped on board and sued under the DPPA.

The lower court dismissed the DPPA claim in response to defendant’s motion to dismiss for failure to state a claim. Plaintiffs sought review with the Fifth Circuit Court of Appeals. On appeal, the court affirmed the dismissal.

It held that plaintiffs failed to plausibly allege that storing the data on an unencrypted server amounted to a “disclosure”. More specifically, although plaintiffs argued that defendants had placed the information on a server that was readily accessible to the public, that assertion was nowhere in the complaint, nor was it supported by the facts alleged in the complaint.

In finding there to be no disclosure, the court observed that the storage of the data, as alleged, did not make it visible to a digital “passer-by”. This made the case different from Senne v. Village of Palatine, Ill.,695 F.3d 597 (7th Cir. 2012), in which a police officer disclosed information by putting a traffic ticket on a windshield, which any passer-by could see. The court also looked to Enslin v. Coca-Cola Co., 136 F. Supp. 3d 654 (E.D. Pa. 2015), in which that court held there to be no disclosure under the DPPA when someone stole an unencrypted laptop containing information protected under the statute.

Allen v. Vertafore, Inc., No. 21-20404 (5th Cir., March 11, 2022)

Employer did not violate employee’s privacy by accessing personal laptop

Sitton v. Print Direction, Inc., — S.E.2d —, 2011 WL 4469712 (Ga.App. September 28, 2011)

A Georgia court held that an employee using a personal laptop to conduct business for a competitor did not have an invasion of privacy claim when his employer busted him at work using the laptop to send email.

Plaintiff-employee worked for a printing company. His wife also owned a printing business. On the side, plaintiff would broker printing jobs, sending them to his wife’s company. He would bring his own laptop to work and use that to conduct business for his wife’s company while at work for his employer.

One day, the boss came into plaintiff’s office (apparently when plaintiff was not in the room) and saw that the computer screen on plaintiff’s computer showed a non-work related email account, with messages concerning the brokering of print jobs to the wife’s company. The boss printed out the email messages.

Plaintiff sued, claiming, among other things, common law invasion of privacy and violation of a provision of the Georgia Computer Systems Protection Act. The case went to trial, and plaintiff lost. In fact, he ended up having to pay almost $40,000 to his employer on counterclaims for breach of loyalty. Plaintiff sought review of the trial court’s decision. On appeal, the court affirmed.

The appellate court affirmed the trial court’s finding that the boss’s access to plaintiff’s computer did not constitute common law invasion of privacy based upon an intrusion upon plaintiff’s seclusion or solitude, or into his private affairs. The court held that the boss’s activity was “reasonable in light of the situation” because:

  • He was acting in order to obtain evidence in connection with an investigation of improper employee behavior,
  • The company’s interests were at stake, and
  • He had “every reason” to suspect that plaintiff was conducting a competing business on the side, as in fact he was.

To bolster this holding, the court cited from a Georgia Supreme Court case that said, “[T]here are some shocks, inconveniences and annoyances which members of society in the nature of things must absorb without the right of redress.”

Court dismisses class action against MySpace for violation of the Stored Communications Act

Hubbard v. MySpace, 2011 WL 2149456 (S.D.N.Y. June 1, 2011)

Plaintiff, who sued on behalf himself and others similarly situated, claimed that MySpace improperly turned over account information and private messages to law enforcement, even though there was a search warrant. Plaintiff claimed this violated the Stored Communications Act, 18 USC 2701 et seq.

MySpace moved to dismiss. The court granted the motion.

The version of the Stored Communications Act in effect at the time of the alleged wrongful disclosure in this case provided that a search warrant seeking the information must issue from a federal court “with jurisdiction over the offense under investigation,” or be “an equivalent State warrant.”

Plaintiff argued that the warrant sent to MySpace was not sufficient under the SCA (and should have been ignored) because (1) the state magistrate did not have jurisdiction to hear the felony that the cops were investigating plaintiff for, and (2) the magistrate did not have the power to issue search warrants across state lines.

The court rejected both of these arguments. In determining the warrant to be “an equivalent State warrant,” it looked to the way federal magistrates issue warrants in SCA cases. It held that the phrase “jurisdiction over the offense under investigation” refers to the power to issue warrants, not to the power to ultimately try the case. And the court looked to the legislative history around the Patriot Act amendments to conclude that SCA investigations give magistrate judges special powers to direct search warrants across state lines, because having to require cooperation with the courts in which an ISP actually exists might allow enough time for a terrorist to get away or strike again.

This case is worth noting for the wide scope the court establishes for valid search warrants under the SCA. It is also worth noting that the SCA has since been amended to make the scope more clearly this broad. 

Lawsuit against state officials for privacy violation moves forward

Welch v. Theodorides-Bustle, — F.Supp.2d —, 2010 WL 22365 (N.D. Fla., January 5, 2010)

Plaintiff sued the Florida Department of Highway Safety and Motor Vehicles and a number of state officials for violation of the federal Driver’s Privacy Protection Act, 18 USC §2721-25. Plaintiff claimed that the defendants turned over a large amount of protected personal information to a private party, and that that party then further disclosed the information to another entity that published the information on the web.

Florida driver

As a result, the personal information of a number of Florida drivers became available for viewing online by anyone.

The defendants moved to dismiss the suit for failure to state a claim. The court denied the motion.

There is an exception to the Driver’s Privacy Protection Act’s prohibition on disclosure of personal information when the disclosure is made by a government agency “in carrying out [the agency’s] functions.” The defendants did not deny that their conduct would violate the Act, but argued that the exception applied. The defendants essentially argued that the mere fact that the disclosure was made by a governmental entity made the disclosure to be automatically carried out in connection with that agency’s function.

The court rejected this ipse dixit assertion, holding that disclosure by a government agency being treated as automatically protected would accordingly make any violation of the Act by the government impossible.

Similarly, the court rejected the defendants’ argument that language in the contract with the entity to which the information had been provided rendered the disclosure proper. The receiving entity promised to use the information only for a proper purpose. But the self-serving recitals in that agreement, without specifying in detail what a proper purpose would be, would not bind third parties.

Alligator car photo courtesy Flickr user jeffdhartman under this Creative Commons license.

Scroll to top