Greetings CIPAWorld!

I’m back, ready to drive you through the latest scoop on all things privacy and compliance. Have you ever wondered who might be listening when you use a website’s chat feature? A recent development in Rodriguez v. Ford Motor Co., No. 3:23-cv-00598-RBM-JLB, 2024 U.S. Dist. LEXIS 218685 (S.D. Cal. Dec. 3, 2024) brings that question into sharp focus. Earlier this year, the Southern District of California dismissed claims in the First Amended Complaint, finding that allegations under the California Invasion of Privacy Act (“CIPA”) were too thin to proceed (a point I highlighted in my previous blog regarding Google). Fast forward to December: the Second Amended Complaint presented a stronger case, and the Court has now shifted gears—dismissing some claims but allowing key allegations of unauthorized eavesdropping and aiding and abetting under CIPA Section 631(a) to move forward. This decision forces Ford to respond by December 17, 2024 and underscores a critical issue I’ve emphasized repeatedly in my CIPA blog posts: how companies manage digital privacy and the role of third-party software providers.

The case began when Plaintiff visited Ford’s website and had what she thought was a straightforward chat with a customer service representative. What she didn’t know—and what would later become the center of the matter—was that a third-party company called “LivePerson” was allegedly monitoring and recording these conversations without her knowledge.

Before we dive in even more deeply, it’s important to note that this case isn’t just about chat features—it’s part of a broader reckoning over how digital platforms collect, process, and monetize user data. With consumers (myself included) increasingly concerned about privacy and lawmakers introducing stricter regulations, companies must align their practices with emerging legal norms.

So, what’s at issue here? Yes, you guessed it. CIPA, specifically Section 631(a), a law, as we all know, that was initially designed to prevent telephone wiretapping, has now become a battleground in cases seen repeatedly. As noted in Heiting v. Taro Pharms. USA, Inc., 709 F. Supp. 3d 1007, 2023 WL 9319049, at *2 (C.D. Cal. 2023), courts must navigate between two seminal cases that frame the recent jurisprudence on Section 631: Ribas v. Clark, 38 Cal. 3d 355, 212 Cal. Rptr. 143, 696 P.2d 637 (1985), and Rogers v. Ulrich, 52 Cal. App. 3d 894, 125 Cal. Rptr. 306 (1975).

This key question has created a significant split among district courts in California. One line of cases, led by Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal. 2021) holds that software vendors are “extensions” of the websites that employ them, and thus not third parties under the statute. Conversely, the opposing view—exemplified by Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023)—holds that software providers can be third parties within Section 631’s meaning, focusing on their capability to use the information rather than actual use.

In siding with the Javier approach, LivePerson’s extensive capabilities mainly influenced the Rodriguez Court. Why is this so? Well, the Court found it significant that LivePerson monitors an average of 2.6 billion visitor sessions per month across its customers’ websites and combines this data with other behavioral information to build one of the world’s most extensive customer datasets. Just think about that for a moment. 2.6 BILLION VISITOR SESSIONS… PER MONTH. Wow. As emphasized in D’Angelo v. Penny OpCo, LLC, Case No. 23-cv-0981-BAS-DDL, 2023 U.S. Dist. LEXIS 191054, 2023 WL 7006793, at *7 (S.D. Cal. Oct. 24, 2023), the mere capability of using collected data for other purposes could trigger liability—regardless of whether that capability is ever exercised.

In addition, the Court found compelling evidence that Ford was aware of these capabilities. Here, Plaintiff successfully alleged that Ford was made aware of LivePerson’s data use and the risk of prohibiting legislation and, therefore, knew LivePerson’s conduct constituted a breach of some duty. This knowledge formed the basis for allowing the aiding and abetting claims to proceed.

The Court noted that companies cannot hide behind third-party vendors to evade liability. When outsourcing customer service technology, businesses must account for their partners’ data practices and the potential for improper use of consumer information.

What is more, some courts have suggested that determining whether software acts more like a tape recorder or an eavesdropper requires factual investigation. As noted in Kauffman v. Papa John’s Int’l, Inc., Case No. 22-cv-1492-L-MSB, 2024 U.S. Dist. LEXIS 7873, 2024 WL 171363, at *7 (S.D. Cal. Jan. 12, 2024), “Whether [the software provider] acts akin to a tape recorder or whether its actions are closer to ‘an eavesdropper standing outside the door’ is a question of fact which is better answered after discovery into the technical context of the case.”

This uncertainty creates additional complexity for businesses operating in the Ninth Circuit, especially given the potential liability under state statutes like CIPA continues to grow. Compliance is key here.

As always,

Keep it legal, keep it smart, and stay ahead of the game.

Talk soon!