Last month, a district court in the Northern District of California delivered a fatal blow to the Javier saga, dismissing his claim with prejudice. Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 3933070 (N.D. Cal. June 9, 2023). As we previously reported, the court's holding concludes a drawn-out dispute on a website operator's and software provider's liability under the California Invasion of Privacy Act ("CIPA") relating to the website's use of session replay software. The court dismissed the plaintiff's claims for a fifth time, this time without granting leave to amend.

A brief overview: session replay software captures certain aspects of a user's interactions on web applications (mouse movements, clicks, typing, etc.) along with underlying contextual user data to help website operators enhance users' experiences. Accordingly, session replay software allows a website operator to recreate (or "replay") a visitor's journey on a web site or within a mobile application or web application. Rather than focusing on user activity after leaving a particular website, session replay software concerns how a user interacts with a specific website.

In Javier, the Plaintiff, Florentino Javier, brought claims under Section 631 of CIPA against a website operator, AssuranceIQ, and the maker of session replay software, ActiveProspect. Section 631 of CIPA provides for liability against third-party eavesdroppers and those that abet eavesdropping when one party to a communication has not consented to the eavesdropping. AssuranceIQ used data analytics to connect consumers with personalized insurance plans based on their particular needs and budgets. Once a person had entered the preliminary basic information, he or she was prompted to click a "View My Quote" button. On the bottom of that web page was a notice, including a hyperlink, stating, "By clicking 'View My Quote' I indicate my intent to agree to th[e] website's Privacy Policy." The Privacy Policy, in turn, stated that Assurance IQ would collect the content and personal information of individuals who sought quotes, which could include personal and family health information, and information about how the user viewed content or engaged with the website.

The district court previously dismissed the Plaintiff's complaint, but it was revived by the Ninth Circuit and remanded to the district court to address three defenses: (1) whether plaintiff gave "implied consent", (2) whether the software provider is a "third party" under CIPA (as opposed to an extension of the website operator); and (3) whether the statute of limitations had run.

Subsequently, in January of this year, the district court dismissed the complaint as being barred by the statute of limitations. The court, however, rejected the Defendants' argument that plaintiff impliedly consented to session reply "the moment he arrived at [AssuranceIQ's] website" and began filling out the webform, finding that there was no evidence that the plaintiff consented to the third party's collection of information. The court additionally denied Defendants' motion on the grounds that ActiveProspect was not a "third party," but left open the question whether the "ubiquity of services like ActiveProspect on the internet effectively renders it party" to the communication such that the defendant would not have been an unannounced third party. The court finally found that plaintiff's claims were barred by the statute of limitations on the grounds that his 14-month delay in filing the complaint after he visited the website barred his claims. However, the court ultimately allowed plaintiff the amend his complaint to bolster his allegations as to the "delayed discovery doctrine" such that the limitations period would not have begun to run until he discovered the collection of his data and communications, because such collection activities were "surreptitiously" concealed.

Following plaintiff's further amendment, the court finally dismissed the complaint on the grounds that the amended allegations did not suffice to invoke the delayed discovery doctrine, and thus, the claims were barred by the statute of limitations. Plaintiff asserted three arguments: (1) that because he now only pleaded a wiretapping claim against ActiveProspect (the session replay software provider), he would have had no reason to know about its involvement in collecting his information until April 2020, when he first received the recording of his website visit; (2) AssuranceIQ's webform did not put him on constructive notice of the Privacy Policy; (3) even if it did, it did not disclose ActiveProspect's wiretapping.

The court rejected the first argument, as AssuranceIQ's webform informed plaintiff that it and third parties may use his information for purposes other than providing him with an insurance quote, and that third parties may "assist" AssuranceIQ with "monitoring and analyzing Site activity."

The court additionally found that the webform put the plaintiff on notice of AssuranceIQ's privacy policy. The court found that plaintiff's reliance on Berman v. Freedom Financial Network, 30 F. 4th 849 (9th Cir. 2022) was unavailing. In Berman, the Ninth Circuit held that a "clickwrap" agreement is enforceable where "(1) the website provides reasonably conspicuous notice of the terms to which the consumer will be bound; and (2) the consumer takes some action, such as clicking a button or checking a box, that unambiguously manifests his or her assent to those terms." Id. at 856. The Berman court concluded that the agreement at issue failed this standard, as the hyperlink to the allegedly consented-to terms "was printed in a tiny gray font considerably smaller than the font used in the surrounding website elements . . . barely legible to the naked eye." Id. at 856-57. The court further noted that the webform did not indicate that by clicking the "Continue" button, the user would be manifesting their assent to the hyperlinked terms. The Javier court held that AssuranceIQ's webform was distinguishable, as the "clickwrap" agreement on the website legibly stated that by clicking "View My Quote," users "provide[] [their] electronic signature as an indication of [their] intent to agree to this website's Privacy Policy [and] Terms of Service[.]" The court held that this language sufficient to put the plaintiff on notice of the policy, "even if he chose not to read it."

The court further found that the privacy policy sufficiently put the plaintiff on inquiry notice of the alleged wiretapping activity. It was unpersuaded by the plaintiff's (creative) argument that the privacy policy's use of the present-tense did not put him on notice that the information he provided in the "past" (i.e., minutes prior) would be covered by the privacy policy, including the challenged wiretapping actvitiy. The court noted that in reading the language of the policy as a whole, plaintiff's interpretation that it was not meant to cover information plaintiff provided to AssuranceIQ was "absurd." The website (1) described the information collected; (2) stated that the privacy policy applied during all "use" of the website; (3) indicated that AssuranceIQ may learn information about users when they request information about its services; (4) stated that AssuranceIQ "may collect" various information; and (5) stated that AssuranceIQ "may use third party vendors to assist" with the services it provides, including "monitoring and analyzing Site activity." Taking these disclosures together, the court held that "the only reasonable interpretation of the policy is that such 'monitoring and analyzing' may occur before, during, and after the user reviews the privacy policy at the end of the webform."

Finally, the court held that the privacy policy put plaintiff on inquiry notice of his wiretapping claim because it informed him that by clicking "View My Quote," AssuranceIQ informed plaintiff that his data may be used for others purposes and shared with third parties. Thus, he was on inquiry notice of his claims, even if he didn't know of the third party's identity or the full extent of the wiretapping. "At that point a reasonable investigation would have easily revealed (and eventually did reveal) those additional facts supporting [plaintiff's] wiretapping claims."

Accordingly, the court held that plaintiff failed to plead facts sufficient to invoke the delayed discovery doctrine, warranting dismissal of his claims without leave to amend under the statute of limitations. Thus, concludes the Javier saga with an important takeaway: a sufficiently detailed privacy policy contained in a valid clickwrap agreement can put consumers on inquiry notice that information they share with a website operator may be shared with third parties, beginning the running of the limitations period. Drafting an accurate and comprehensive privacy policy that is reasonably conspicuous is key.

While Javier has come to a close, CIPA cases are far from dead. Privacy World will keep you posted on further developments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.