Opinion
Case No. 20-cv-08183-LB
04-08-2021
SUSAN JOHNSON, individually and on behalf of all others similarly situated, Plaintiff, v. BLUE NILE, INC., et al., Defendants.
ORDER GRANTING MOTION TO DISMISS
Re: ECF No. 37
INTRODUCTION
Blue Nile sells jewelry online through its website. It uses FullStory's software (called "session replay") to record what visitors are doing on the Blue Nile website, such as their keystrokes, mouse clicks, and page scrolling, thereby allowing a full picture of the user's website interactions.
The plaintiff — on behalf of a putative California class — claims that FullStory is illegally wiretapping her communications with Blue Nile (and Blue Nile is aiding and abetting that eavesdropping) in violation of California's Invasion of Privacy Act (CIPA). The defendants moved to dismiss the claims, in part on the ground that FullStory — as Blue Nile's vendor for analyzing its website traffic — was a party to the communication (and not an eavesdropper). The defendants also contend that the court lacks personal jurisdiction because there is no forum-related conduct.
The plaintiff does not plausibly plead that FullStory eavesdropped on her communications with Blue Nile and pleads only that FullStory is Blue Nile's vendor for software services. She thus does not meet her prima facie burden to establish specific jurisdiction over the defendants, and she does not plausibly plead wiretapping in violation of California law.
STATEMENT
The next sections describe how FullStory's software works, how the plaintiff used Blue Nile's website (and what information FullStory's software captured), and the case's procedural history.
1. FullStory's Software
FullStory is a Delaware corporation headquartered in Atlanta, Georgia. It provides software to its clients (including Blue Nile) to capture and analyze data so that the clients can see how visitors to their websites are using the sites. The clients put FullStory's code on their websites to capture the data, and then they can review the data, which is stored in the cloud on FullStory's servers. The software records visitor data such as keystrokes, mouse clicks, and page scrolling. Through a function called Session Replay, FullStory's clients can see a "playback" of any visitor's session. If the visitor is still on the site, the clients can see the session live.
First Am. Compl. (FAC) - ECF No. 34 at 3 (¶ 8). Citations refer to material in the Electronic Case File (ECF); pinpoint citations are to the ECF-generated page numbers at the top of documents.
Id. at 6-7 (¶¶ 25-28).
Id. at 3 (¶ 9), 10 (¶ 41), 16 (¶ 72).
Id. at 6-7 (¶¶ 26-28), 8 (¶ 31).
2. The Plaintiff's Use of Blue Nile's Website
The plaintiff is a resident of California, and Blue Nile is a Delaware company headquartered in Seattle, Washington. Between January and May 2020, the plaintiff visited Blue Nile's website on a monthly basis to browse its jewelry selection but did not buy anything. FullStory's Session Replay function "created a video capturing each of Plaintiff's keystrokes and mouse clicks on the website . . . [and] also captured the date and time of the visit, the duration of the visit, Plaintiff's IP address, her location at the time of the visit, her browser type, and the operating system on her device."
Id. at 2-3 (¶ 4), 3 (¶ 5).
Id. at 10-11 (¶¶ 44-45).
"When users access [] [Blue Nile's] Website and make a purchase, they enter their PII [personally identifiable information]," and FullStory's software "captures these electronic communications . . . [e]ven if users do not complete the form" for the purchase. The captured PII includes — in addition to the information in the last paragraph — the user's payment card information such as card number, expiration code, and CVV security code.
Id. at 11 (¶¶ 47-48).
3. Relevant Procedural History
The plaintiff's amended complaint has three claims: (1) wiretapping, in violation of Cal. Penal Code § 631(a); (2) the sale of eavesdropping software, in violation of Cal. Penal Code § 635(a); and (3) invasion of privacy under California's Constitution. The plaintiff withdrew claim three. The putative class is "all California residents who visited [Blue Nile's] Website, and whose electronic communications were intercepted or recorded by FullStory." The case is related to Graham v. Noom, Inc., No. 3:20-cv-06903-LB (N.D. Cal.) and raises the same issues. All parties consented to magistrate jurisdiction. The parties do not dispute that there is subject-matter jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2)(A). The defendants moved to dismiss the case. The court held a hearing on April 8, 2021.
Id. at 14-18 (¶¶ 65-93).
Opp'n - ECF No. 39 at 9 n.1.
FAC - ECF No. 34 at 13 (¶ 58).
Order - ECF No. 34 (relating cases).
Consents - ECF Nos. 29-31.
FAC - ECF No. 34 at 34 (¶ 11).
Mot. - ECF No. 37.
ANALYSIS
The reasoning in Graham v. Noom controls here: (1) for the section 631(a) claim, the plaintiff does not plausibly plead FullStory's wiretapping, and Blue Nile thus is not liable as an aider and abettor; (2) there is no section 635(a) claim because there is no wiretapping; and (3) there is no personal jurisdiction over FullStory or Blue Nile.
1. Section 631(a) Claim
First, for the reasons stated in Graham v. Noom, FullStory is not a third-party eavesdropper. As a result, Blue Nile is not liable for aiding and abetting FullStory's wrongdoing because there is no wrongdoing.
Graham v. Noom, Inc., No. 3:20-cv-06903-LB, Order - ECF No. 51 at 6-9.
Second, the plaintiff predicates her claim in part on information — such as IP addresses, locations, browser types, and operating systems — that is not content. The plaintiff does not meaningfully dispute that this information is not content but contends that other website interactions are content. For the reasons in Noom, the court dismisses the claim to the extent that it is predicated on non-content information. In any amended complaint, the plaintiff can delineate content from non-content records.
Mot. - ECF No. 37 at 19-20; Reply - ECF No. 41 at 12-14.
Opp'n - ECF No. 39 at 17-20.
Graham v. Noom, No. 3:20-cv-06903-LB, Order - ECF No. 51 at 9-10.
Third, the defendants contend that Blue Nile's privacy policy discloses the possibility of data collection and analysis. The plaintiff counters — as her counsel did in Noom — that she could not consent to wiretapping that happened when she accessed the website and before she could read the policy, notice was insufficient, and the policy in any event did not disclose wiretapping.
Mot. - ECF No. 37 at 24-26.
Opp'n - ECF No. 39 at 24-29.
The privacy policy discloses that Blue Nile may collect user data such as (1) information gathered through cookies and other tracking technology, (2) device and browser information, (3) information gathered through web server logs, and (4) general location information. It says that Blue Nile may share the data with "[s]ite optimization service providers" and "[m]arketing service providers." Blue Nile uses the collected data to, among other things, "optimize the performance of the site," "understand [] customer demographics, preferences, interest, and behavior," and "improve marketing and promotional efforts, and overall customer experience."
Privacy Policy, Ex. A to Zhang Decl. - ECF No. 37-2 at 3-4. The court considers the privacy policy under the incorporation-by-reference doctrine. Knievel v. ESPN, 393 F.3d 1068, 1076 (9th Cir. 2005); FAC - ECF No. 34 at 11-13 (¶¶ 50-56) (citing privacy policy).
As in Noom, the parties FullStory's main argument is that to be liable, its acts must be surreptitious, and given the policy's disclosures, the plaintiff did not plausibly plead its surreptitious acts. The plaintiff mainly argues traditional principles of consent (although she also contends that the policy does not disclose wiretapping). FullStory counters that it never argued traditional consent. As in Noom, the parties' arguments about consent do not permit resolution of the issue. As to the adequacy of the privacy policy's disclosures, FullStory made a practical argument but did not cite any cases involving privacy policies to support the argument. (Perhaps there are none.) Given the court's holding that there is no wiretapping, the issues — consent and the policy's alleged failure to disclose wiretapping — are moot. On this round of motions, the privacy policy is not a separate ground to dismiss the claim.
Mot. - ECF No. 37 at 24-26; Reply - ECF No. 41 at 18-19.
Opp'n - ECF No. 39 at 24-26.
Reply - ECF No. 41 at 19.
Graham v. Noom, Inc., No. 3:20-cv-06903-LB, Order - ECF No. 51 at 10-11.
2. Section 635(a) Claim
For the reasons stated in Noom, the plaintiff does not have a private right of action and lacks Article III standing for the section 635(a) claim. As in Noom, given the lack of a private right of action or Article III standing, the court does not address the defendants' other arguments about viability of the section 635(a) claim.
Id. at 12.
Id. at 12-13.
3. Personal Jurisdiction
For the reasons stated in Noom, there is no specific personal jurisdiction over FullStory. The allegations in the complaint establish only that FullStory is Blue Nile's vendor, and a vendor's selling a software-services product to Blue Nile — even if Blue Nile had substantial business here and the vendor knew it — does not establish specific personal jurisdiction over the vendor. The plaintiff does not contest this point. She alleges that (1) "Defendants knew that a significant number of Californians would visit Blue Nile's website, because they form a significant portion of Blue Nile's customer base," and (2) "[b]y intercepting the transmissions of Blue Nile website users, Defendants targeted their wrongful conduct at customers, some of whom Defendants knew, at least constructively, were residents of California." Her basis for jurisdiction is the wiretapping of these customers. Because she did not plausibly plead FullStory's wiretapping, she did not plead specific personal jurisdiction over FullStory.
Id. at 16. The court ordinarily addresses jurisdiction as a threshold issue. But because there are two defendants and fact allegations about the defendants' relationship that make it easier to address the Rule 12(b)(6) challenge to the claims first, the court addresses jurisdiction second.
FAC - ECF No. 34 at 4 (¶ 14).
Opp'n - ECF No. 39 at 10.
The analysis regarding Blue Nile is slightly different. Unlike FullStory, who is merely a vendor, Blue Nile sells goods to California customers. If it were committing a tort like wiretapping, its acts might be purposefully directed toward California customers and establish specific personal jurisdiction over it. S.D. v. Hytto Ltd., No. 18-cv-00688-JSW, 2019 WL 8333519, at *4 (N.D. Cal. May 15, 2019); cf. ThermoLife Int'l, LLC v. NetNutri.com LLC, 813 F. App'x 316, 318 (9th Cir. 2020) (the plaintiff "cannot establish specific personal jurisdiction through nonspecific, nationwide sales"). Wiretapping is the only ground that the plaintiff asserts to support specific personal jurisdiction over Blue Nile. Because Blue Nile did not aid or abet any wiretapping, there is no tort establishing jurisdiction here.
Id. (making this point).
Id. --------
CONCLUSION
The court dismisses the complaint with leave to amend within 21 days (except that it dismisses the plaintiff's withdrawn claim three with prejudice). Any amended complaint must attach a blackline comparison between the current complaint and the amended complaint.
IT IS SO ORDERED.
Dated: April 8, 2021
/s/_________
LAUREL BEELER
United States Magistrate Judge