A recent noteworthy decision from a federal court in California provides helpful guidance for companies deploying chatbots and other types of tracking technology on their websites, but at the same time highlights the nuances and high wire act of safely collecting consumer information versus stepping over the line.

In Valenzuela v. The Kroger Co., the U.S. District Court for the Central District of California dismissed a proposed class action filed against the grocery chain Kroger, finding that the plaintiff did not have a viable argument under the California Invasion of Privacy Act (CIPA). Because plaintiffs’ attorneys have recently been using CIPA to bring cases against a large number of companies, this decision is potentially an important decision in privacy jurisprudence. However, the narrowness of the decision leaves open other paths for plaintiffs and demonstrates the need for companies to carefully and thoughtfully assess what online tracking they conduct in order to minimize their risk of class action litigation.

The plaintiff in the case alleged Kroger, through a third-party vendor called Emplifi, unlawfully intercepted and recorded chat-based conversations between customers and Kroger’s website (i.e., communications with a “chatbot” on the website). The central claim was that Kroger “aided and abetted” Emplifi’s allegedly wrongful conduct of allowing Meta Platforms Inc. to mine data collected through Emplifi’s chatbots (including the one deployed on Kroger’s website) to gather information about user interests and target ads to those users on Meta’s social media platforms like Facebook and Instagram.

More specifically, the case was brought under Section 631(a) of CIPA which prohibits, among other things, any person from:

1. Tapping or making unauthorized connections with a telegraph or telephone line;
2. Willfully and without consent reading the contents of communications in transit;
3. Using information obtained via such interception; or
4. “Aiding, agreeing with, employing or conspiring with” any person to commit these acts.¹

After a lengthy procedural back-and-forth, the Court allowed the plaintiff to proceed only under the “aiding and abetting” theory (the fourth prong). In its ruling, the Court emphasized that to hold Kroger liable under the fourth prong, the plaintiff needed to demonstrate that Kroger knew—or plausibly should have known—of Emplifi’s alleged unlawful eavesdropping or otherwise acted with knowledge or intent to facilitate it. The plaintiff pointed to the vendor’s marketing materials and the cost and ease with which the chatbot was installed on the Kroger website, arguing that Kroger must have known Emplifi was intercepting conversations without customers’ consent. The Court rejected this argument, holding “[i]t is not a plausible inference that because Emplifi could 'quickly and cheaply' deploy the bot, Kroger should have known Emplifi harvested user data.”

The Court ruled that because there was not a plausible allegation that Kroger had actual or constructive knowledge of the alleged unlawful sharing of chatbot communications with social media companies, Kroger could not be held liable for “aiding and abetting” the third parties’ alleged violation of CIPA.

What the Kroger Ruling Means for Businesses

Although this decision was made at the district court level and does not have a precedential effect, the Court’s reasoning provides a roadmap of what companies should be aware of when considering integrating chatbots or other large language model enabled third-party technologies onto their websites. Of note, this case focused on section 631(a) of CIPA only, and did not involve section 638.51(a), which prohibits the installation of “pen registers” or “tap and trace” devices without appropriate approvals and which plaintiffs are regularly claiming apply to website tracking software. As a result, even if the rationale from the Kroger decision is extended to other cases by other courts, companies will continue to face the risks associated with claims brought 638.51(a). Nonetheless, there are valuable lessons to be learned from the Kroger decision and other recent court decisions:

• “Knowledge” of a third party’s actions is a key to a company’s liability. This includes constructive knowledge, that a company could gain from the third-party’s documentation and marketing communications as to the capabilities of their products.
• Courts will require specific, fact-based allegations showing a company’s awareness and intent regarding any purported interception of communications.
• Plaintiffs with more robust support for allegations of unauthorized data collection may have more success bringing similar claims.

Additionally, and as always, litigation defense is costly and even a successful defense can be a burden on a company. Even though Kroger won in this case, it took almost three years of litigation expenses to obtain that victory. Taking proactive steps to assess website tracking tool deployment can lower the risk of litigation in the first place and avoid these costs:

• Ensuring that proper notice is given to, and appropriate consent is obtained from, website visitors
• When onboarding third-party software providers, businesses should conduct thorough due diligence on data collection and sharing practices.
• Contractual provisions should clarify that any data recording or sharing be done in compliance with all applicable laws, and that providers will indemnify the business if violations arise.

Footnotes 

[1] The plaintiff in this matter also sought to bring a claim under §632.7 of CIPA (illegal interception of cellular communications for individuals who used the chatbot from their internet-enabled smartphones). That claim was dismissed with prejudice in March of 2024 with the Court finding that section of CIPA only applies to communications between two or more cellular phones and not between a cellular phone and a website.