Healthline CCPA Settlement

Healthline Pays $1.55M for CCPA Violations

The world’s most popular health & wellness website recently made headlines after being accused of violating California’s consumer privacy laws: Healthline Pays $1.55M for CCPA Violations. Healthline was accused of violating the California Consumer Privacy Act (CCPA), and the $1.55 million fine represents the largest monetary penalty ever issued for a CCPA violation. The settlement followed an investigation by the California Department of Justice which determined that Healthline invaded the privacy of consumers by (1) using online tracking technology to harvest data from visitors to the healthline.com website, and (2) failing to allow consumers to opt out of targeted advertising.

To learn more about the Healthline CCPA settlement, keep reading this blog.

Healthline.com Is a Popular Website That Provides Health & Wellness Articles

Healthline Media LLC operates the healthline.com website, which is marketed as a source for “medical information and health advice you can trust.” The website ranks as one of the top 40 most-visited websites globally, and it reportedly gets 6.5 million monthly visitors in California alone.

The Healthline.com website includes articles and blogs with information about nutrition, physical health conditions & treatments, mental health topics, and general health & wellness guidance. These articles may be available to the public for free – but they still come at a cost to consumers.

How Does Healthline Make Money?

Healthline generates substantial revenues from advertisements that appear next to the free articles. When these ads are targeted at a particular user, they can be even more profitable. That is why the personal data that Healthline was accused of unlawfully collecting from individuals became such an issue: the consumer information being harvested and shared by the company was extremely valuable.

California Department of Justice Investigates Healthline for CCPA Violations

The investigation into Healthline’s alleged consumer privacy violations was conducted by the California Department of Justice. Investigators determined that Healthline failed to give consumers the ability to opt out of targeted advertising, which is a violation of the California Consumer Privacy Act (CCPA). Additionally, investigators found that Healthline shared consumers’ sensitive personal data without any of the online privacy protections mandated by the statute.

Healthline Accused of Violating California Consumer Privacy Act (CCPA)

The California Department of Justice complaint filed against Healthline accused the company of multiple violations of the CCPA:

  1. Failing to Offer Functioning Opt-Outs: The complaint against Healthline alleged that the company kept selling users’ personal information even after the users had opted out of data sharing on the website. This is a direct violation of the CCPA because the law explicitly allows consumers to opt out of the sale or sharing of their data for targeted advertising.
  2. Violating the CCPA’s “Purpose” Limitation: The CCPA states that personal information collected for one purpose cannot later be used for a completely different purpose. But that is exactly what happened with Healthline: the company allegedly disclosed health-related data for targeted advertising purposes by sharing article titles that suggested consumers were diagnosed with specific medical conditions.
  3. Selling or Sharing Personal Data Without Restrictions: Healthline’s contracts with third parties allegedly grant those companies broad use of consumers’ personal data “for any purpose.” This is a violation of the CCPA, which requires companies to ensure that advertising contracts contain privacy protections for users’ data. It is Healthline’s responsibility to ensure that third-party companies comply with the law.

Healthline Accused of Violating California’s Unfair Competition Law (UCL)

The complaint against Healthline also alleged that the company violated California’s Unfair Competition Law (UCL) by “deceiving consumers about privacy practices.” The UCL explicitly prohibits companies from engaging in deceptive business practices. Healthline allegedly violated this guiding principle of the consumer protection law by failing to disable tracking cookies even after a user unchecked a box on the website’s “consent banner.”

California AG: Healthline Used Online Trackers to Harvest Consumer Data

One of the problems with the Healthline website is that it uses online trackers such as cookies and pixels. This means that anytime a person views an article on the website, their personal data may be collected and then shared with third parties.

According to the California Attorney General’s Office, the trackers used by Healthline “run invisibly in the background in the first milliseconds when a webpage loads.” Investigators found that Healthline was using dozens of these online trackers to harvest consumer data.

California AG: Healthline Failed to Honor Consumer Opt-Out Requests for Targeted Advertising

The California Consumer Privacy Act (CCPA) mandates that companies must give consumers the opportunity to opt out of having their personal information shared for the purpose of targeted marketing.

Although the Healthline website included an opt-out feature, the company was accused of failing to honor user requests to prevent targeted advertisements. The California Attorney General reportedly tested the Healthline website by attempting to opt out of targeted ads, but the site did not allow him to do so. According to the complaint filed against Healthline, the website continued to share users’ personal data even after the opt-out request was submitted.

The Healthline site gives users three options to opt out of data sharing:

  1. A “Do Not Sell or Share My Personal Information” button.
  2. An Opt-Out Preference Signal.
  3. A “cookie banner” that manages privacy settings on the site.

California authorities said that even utilizing all three opt-out options failed to stop Healthline from sharing users’ personal data. After a “triple opt-out,” investigators still found that 118 cookies related to third-party advertisers were accessed and transmitted.

Healthline Shared Consumers’ Health Data with Third Parties

Authorities also determined that Healthline improperly shared users’ personal data with third parties. This invasion of privacy is particularly harmful in the context of the Healthline website because the data often contains information about serious medical conditions that the consumer might suffer from.

The personal data shared by Healthline with third-party companies reportedly included information about which articles the user accessed on the website. Considering the nature of the healthline.com site, this kind of information can be extremely sensitive: some of the data shared with third parties included article titles like “Newly Diagnosed with HIV?” and “The Ultimate Guide to MS for the Newly Diagnosed.”

This information could be used by data brokers to create individual consumer profiles with sensitive health information. In fact, one type of targeted advertisement strategy allegedly utilized by Healthline is known as “cross-context behavioral advertising.” This involves a company collecting a user’s online activity and history to create a profile, and then later accessing that profile to determine exactly which kinds of advertisements are likely to interest the user. For example, one investigator viewed a Healthline article about Crohn’s disease and later received targeted advertisements about a medication to treat the illness.

Settlement: Healthline Ordered to Pay $1.55 Million Fine for California Consumer Privacy Violations

Healthline ultimately reached a settlement with the California Department of Justice and agreed to pay $1.55 million in civil penalties. This is the single-largest penalty in the history of the California Consumer Privacy Act (CCPA).

Another prominent part of the settlement is injunctive relief for victims of Healthline’s violations. The injunctions include:

  • Healthline must ensure that any opt-out mechanisms on the company’s website are functional and will process user requests to opt out of the sharing of personal data.
  • Healthline is prohibited from selling or sharing any personal data that would indicate that the user accessed a “Diagnosed Medical Condition Article.”
  • Healthline must disclose that they are using consumers’ sensitive personal information, and they must give consumers the ability to limit how their data is used.
  • Healthline must comply with the CCPA going forward. This means that the company has to provide notice that they are sharing consumers’ personal information with third parties.
  • Healthline must implement a compliance program that audits third-party contracts and maintains accurate website disclosures. The company will also be required to submit annual reports to the Office of the California Attorney General, and those reports should indicate whether Healthline is actually processing consumers’ opt-out requests.

Consequences of Healthline Settlement

California Attorney General Rob Bonta issued a statement announcing the Healthline settlement. Bonta highlighted the importance of the California Consumer Privacy Act (CCPA) and pointed to the “critical privacy rights” that residents are granted by the law. Bonta added that “California continues to lead the nation in enforcing our robust privacy protection law, and businesses that collect consumer data must honor consumers’ privacy rights.”

The Healthline settlement could also have far-reaching consequences for how health information is treated by the California Privacy Protection Agency. That’s because sensitive health data may face heightened scrutiny going forward when it comes to protecting consumers against data breaches and unauthorized data sharing. This is especially likely when the health information is shared for the purposes of targeted advertising.

Other California Consumer Privacy Lawsuits Against Healthline

Despite the settlement, Healthline is still the defendant in multiple lawsuits for violations of the California Invasion of Privacy Act (CIPA). Healthline has been sued in federal court (class action lawsuit) and in California state court (individual claim), with the plaintiffs in both cases alleging that the company unlawfully used tracking technology on its website.

Contact the Los Angeles Data Privacy Attorneys at Tauler Smith LLP

Are you a California resident who visited the Healthline.com website or any other website? Then it’s possible that you were the victim of a data privacy violation that exposed your sensitive personal information. The Los Angeles consumer protection lawyers at Tauler Smith LLP represent plaintiffs in both state and federal court. We can help you protect your personal information against data breaches and get you financial compensation.

Call 310-590-3927 or send us an email.

Data Brokers and CCPA

Study: Data Brokers Don’t Comply with CCPA

UC Irvine researchers conducted a comprehensive study into California data brokers and the extent to which they break state consumer privacy laws, including the California Consumer Privacy Act (CCPA). Legal observers and consumer protection advocates were alarmed by the chief finding of the study: data brokers don’t comply with CCPA requirements. In fact, researchers found that data brokers are guilty of “rampant noncompliance” with California digital privacy laws, with nearly half of all data brokers failing to reply to consumer data requests.

To learn more about the UC Irvine study of data brokers & California’s consumer privacy laws, keep reading this blog.

What Are Data Brokers?

What is a data broker? Data brokers are companies that acquire personal information of millions of people and then sell that data to third-party companies. The California Data Broker Registration law defines a “data broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The last part of the definition is important because it highlights a unique aspect of data brokers: they collect data from people who have never used their services.

One of the largest data brokers in the world is LiveRamp, which operates a “data collaboration platform” that gives other companies access to consumer data. According to Gene Tsudik, a co-author of the UC Irvine study, data brokers and the companies that do business with them are primarily interested in using the consumer data they collect to pinpoint personal details about consumers, “such as purchasing behavior, financial status, and health conditions.” The data brokers then attempt to monetize this data by selling it to third parties without the consent of the individuals.

CCPA Requires Data Brokers to Respond to Consumer Requests

As set forth by the California Consumer Privacy Act (CCPA), data brokers must respond in a timely manner to consumer requests related to data collection: they must reply within 10 business days to confirm receipt of the request, and then provide an answer to the request within 45 calendar days (with the option to extend the deadline by another 45 days). If the data broker has in fact collected the consumer’s personal data, then the company must provide that information in detail. If the data broker has not collected and/or does not possess any personal information about the consumer, then the company must declare so in writing.

The California Data Broker Registration law requires every data broker that does business in the state to register annually with the California Privacy Protection Agency (CPPA). The state also maintains a Data Broker Registry, which helps with compliance because the California Privacy Protection Agency can use the registry to identify offenders and enforce the law.

“People Search” Websites

One major source of identity theft and fraud is “people search” websites. These sites offer the personal information of consumers to the public for free, with additional information typically available for a fee. The information offered on these websites often comes from data brokers.

UC Irvine Study Examines Data Broker Compliance with California Consumer Privacy Laws

The title of the UC Irvine study is: “Consumer Beware! Exploring Data Brokers’ CCPA Compliance.” The study’s authors are Elina van Kempen, Isita Bagayatkar, Chloe Georgiou, and Gene Tsudik. Funding for the study came from the National Science Foundation, which is an independent federal agency that issues grant money to U.S. colleges and universities for research.

The study was conducted by a team of computer scientists who investigated every data broker registered in California. At the time of the study, there were a total of 543 data brokers doing business in the state. This was the most comprehensive study of data broker behavior ever conducted because it evaluated all data brokers registered in California. By contrast, previous studies only examined a small sample size of 20 people-search websites.

Study Conclusion: California Data Brokers Violate CCPA by Failing to Respond to Consumer Requests

UC Irvine researchers discovered that approximately 50% of data brokers doing business in California are violating the California Consumer Privacy Act (CCPA) by failing to respond to legitimate consumer requests.

Gene Tsudik, a computer science professor at UC Irvine and one of the co-authors of the study, emphasized the legal and ethical concerns raised by data brokers’ “rampant noncompliance” with invasion of privacy laws. According to Tsudik, data brokers operating in California are taking advantage of consumers by monetizing their personal information and then selling the data to third parties, including other companies, individuals, and even governments. Tsudik noted that these types of transactions “can open the door to malicious actors, giving them access to consumers’ personal information to mount identity theft, fraud, or phishing activities.”

What Is the Identity Verification Process for Consumer Data Requests?

The purported reason that data brokers must verify a consumer’s identity before releasing any personal information is to prevent data breaches by unauthorized parties. But the identity verification process can be extremely difficult for consumers. The UC Irvine study’s authors referred to it as “Kafkaesque,” questioning how a consumer can possibly prove their identity to a company that might not even have their personal information. Moreover, how can a consumer verify the truthfulness of a data broker who claims that they did not collect any personal information about the consumer?

Data Brokers Request Sensitive Personal Information from Consumers

Worse than the non-responses to consumer requests about personal data were the responses from data brokers that actually requested even more information from the consumer. The study concluded that data brokers are violating the spirit of the CCPA by forcing consumers to “jump through hoops” and “surrender personal data” just to exercise their privacy rights.

For example, several data brokers asked for extremely sensitive information that included the consumer’s legal name, mailing address, driver’s license number, and Social Security number. This was ostensibly for the purpose of “verifying” the consumer’s identity, but it is still alarming that consumers looking to exercise their data access rights under the CCPA are instead asked to incur greater privacy risks by exposing even more personal information to potentially unscrupulous data brokers.

Additionally, researchers observed that “an impersonator could easily receive another consumer’s personal information.” This means that the identity verification process used by data brokers could result in data breaches that harm consumers.

California Consumer Privacy Act (CCPA) Grants Data Access Rights to Consumers

The California Consumer Privacy Act (CCPA) was enacted in 2018. The statute was amended by the California Privacy Rights Act (CPRA) in 2020. Basically, the CCPA gives California residents the legal right to control the personal data that is collected by businesses, including data brokers. The statute specifically requires California businesses to give consumers an opportunity to opt out of the collection and/or sharing of their personal data. Additionally, the law stipulates that companies must respond promptly to any inquiries from consumers about data collection, including requests to delete personal data.

CCPA Consumer Requests

Elina van Kempen, the lead author of the UC Irvine data broker study, noted that researchers looked closely at six (6) aspects of the CCPA consumer request process:

  1. What burden does the consumer have in submitting the CCPA request?
  2. How difficult is it for the data broker to verify the consumer’s identity before answering the request?
  3. How long is the response time for a data broker to answer a consumer request?
  4. How adequate is the data broker’s response?
  5. Was any additional personal information requested?
  6. Are there any other privacy issues implicated by the consumer request?

The study’s authors acknowledged that it can be difficult for consumers to submit a CCPA request in the first place because there is not one standardized way of doing so: different data brokers have different submission processes and require various kinds of information from the consumer. The UC Irvine research team had to deal with multi-step submission forms that necessitated follow-ups, broken links in website privacy policies that made it impossible to initiate a request, and untrained data broker employees and other staff who made it difficult to even start the complicated process.

Call the Los Angeles Data Privacy Lawyers at Tauler Smith LLP

California law stipulates that data brokers that collect and sell consumers’ personal information are required to respond to any consumer requests about the data collected, as well as requests to delete the data. If your personal information was unlawfully shared with a data broker or any other third party, you may have a valid legal claim for financial compensation.

The Los Angeles consumer protection attorneys at Tauler Smith LLP can help you. Call 310-590-3927 or email us today.

Google App Data Privacy Verdict

Jury: Google Secretly Collected User Data on Cellphone Apps

An important data privacy case recently concluded with a shocking verdict by the jury: Google secretly collected user data on cellphone apps. As a result, Google must now pay $425 million to affected consumers. The lawsuit, Rodriguez v. Google LLC, was filed in federal court and alleged that Google violated the privacy rights of millions of cellphone users in the United States who thought that their online activity was private. According to the plaintiffs, Google collected and saved information about users’ activities on third-party apps despite the fact that the users had opted out of being tracked. The verdict and significant damages award send a strong message to tech companies that they will not be allowed to steal customer data.

To learn more about the Google data privacy case, keep reading.

Google Sued for Violating California Invasion of Privacy Laws

The Google app data class action lawsuit was filed in the U.S. District Court for the Northern District of California. Prior to trial, the U.S. District Court judge certified the class of roughly 98 million Google users. According to the court, the eligible class action plaintiffs accessed apps through Google on 174 million devices over the eight-year period covering the lawsuit.

The plaintiffs brought three (3) claims in the class action:

  1. Invasion of Privacy
  2. Intrusion Upon Seclusion
  3. Violation of the California Computer Data Access and Fraud Act (CDAFA)

Google Accused of Improperly Collecting and Selling Consumer Data

Google was accused of misrepresenting the data privacy options available to smartphone users by secretly collecting, saving, and then using their data. This happened while the cellphone users assumed their online activity was private.

According to the civil suit, individuals who accessed Google on their phones and other mobile devices believed their search histories were confidential when the “Web and App Activity” setting was activated. These privacy controls were supposed to prevent Google from tracking user activity. Instead, Google allegedly continued to collect data on users even after they opted to shield their activity and personal information.

Targeted Advertisements

The data improperly collected by Google was allegedly used to create targeted ads for individual users. According to the plaintiffs in the case, this information was extremely valuable and resulted in Google generating billions of dollars in profits.

Sold Consumer Data to Third Parties

Google was also accused of selling users’ personal data to third parties. This allegedly included the browsing history and activity data of mobile app users.

Scope: Millions of Consumers Affected

The class action lawsuit alleged that even users who did not use Google-branded apps were still affected by the privacy breach. That’s because Google is omnipresent online: the tech company allegedly tracks online communications “by covertly integrating Google’s tracking software into the products of other companies.” In other words, it was virtually impossible for most consumers to avoid being spied on and tracked by Google while using a mobile device.

Google Accused of Harvesting User Data from Third-Party Apps

Google allegedly harvested user data from third-party apps. The third-party apps had embedded Google software code, which is how Google was allegedly able to continue spying on users. These apps relied on Google Analytics to get around the “private” setting and access user data even after users thought they had opted out of sharing their data. According to the plaintiffs, some of those third-party apps included Facebook, Instagram, Uber, Lyft, Venmo, Alibaba, and Amazon.

Defense: Google Claimed Users Were Not Harmed by Unauthorized Data Collection

One of Google’s defenses for its actions was that the user data collected by the company was “nonpersonal and pseudonymous,” so affected users didn’t suffer any real harm from the unauthorized collection because the data could not be exploited to identify any individual users. Google also claimed that the data it collected from users was “stored in segregated, secured, and encrypted locations.”

The jury disagreed with Google and ruled against the tech giant.

Verdict: Federal Court Says Google Violated California Data Privacy Laws

The data privacy case was adjudicated in the United States District Court for the Northern District of California. The trial lasted three weeks, culminating in a jury deliberation that took two full days. When the jury reached a verdict, the outcome was not good for Google.

The jury found that Google violated California data privacy laws by intercepting data from nearly 100 million cellphone users who specifically instructed Google not to track their app activity. The jury also ordered the tech company to pay $425 million in penalties and fines.

Responses to Verdict

Despite the verdict, Google maintained that its actions were legal and denied any wrongdoing. Google released a statement indicating that the tech company planned to file an appeal.

The plaintiffs’ lawyers framed the ruling as a huge victory for consumers because it will “send a message to the tech industry that Americans will not sit idly by as their information is collected and monetized against their will.”

Google Ordered to Pay $425 Million for Violating Consumer Privacy Rights

The lawsuit was filed as a class action, which meant that the potential damages award was massive: the plaintiffs were seeking $30 billion in damages. The jury ultimately ordered Google to pay $425 million to affected users, with instructions to divide the money among the plaintiffs as follows:

  • $247 million for class members with Android devices.
  • $178 million for class members with non-Android devices.

The jury said that Google violated users’ privacy rights but did not act “with malice.” As a result, plaintiffs in the class action were not eligible for punitive damages, which would have been meant to deter Google from misleading consumers and violating their privacy rights in the future.

Google’s stated intention to appeal the verdict means that members of the class who are eligible for financial compensation might not receive a payout for a while.

Google Settled Other Lawsuits Alleging Digital Privacy Violations

This was not the first time Google has been accused of violating both federal and state privacy laws. Earlier this year, the company reached a settlement with Texas prosecutors and agreed to pay approximately $1.4 billion for digital privacy violations.

And in 2024, Google was also accused of tracking users who believed they were browsing the web privately via the search engine’s “incognito” mode. To settle that $5 billion lawsuit, Google agreed to destroy billions of data records of users.

Contact the Los Angeles Data Privacy Attorneys at Tauler Smith LLP

California has the strongest consumer privacy laws in the country. This means that if you are a California resident who used an app or website that collected your data without permission, you may be eligible to file a lawsuit to receive financial compensation.

The Los Angeles consumer protection lawyers at Tauler Smith LLP represent plaintiffs in data privacy lawsuits. Call 310-590-3927 or send an email to discuss your legal options.

Flo Health Data Deletion

Data Deletion on the Flo Health App

Flo Health, the owner and operator of the popular Flo Period & Ovulation Tracker app, was sued in federal court for allegedly sharing users’ personal health data with Meta (Facebook) and Google. Although Flo Health settled the class action lawsuit, the case still went to trial with Meta named as a defendant – and a jury issued a precedent-setting verdict against the social media parent company. Additionally, since Flo remains one of the most downloaded personal health apps in the United States, there are still concerns about user data being exposed to tech companies, data brokers, and others. That’s why it’s important to understand the steps needed for account deactivation and data deletion.

To learn more about how to safeguard your personal health data against privacy breaches on the Flo Health app, keep reading.

Flo Period Tracker App Captured Personal Health Data of Millions of American Women

Women’s health tech is more popular than ever, with millions of women in California and throughout the U.S. using apps, smartphones, and wearable technology to track their periods and fertility. As a result, this industry has become big business for companies that look to target users with online advertisements. According to media reports, women’s health startup companies have received more than $5 billion in investments in the last few years.

The Flo Health fertility-tracking app was reportedly “the first mobile application to make use of artificial intelligence to accurately predict reproductive cycles.” For many years, Flo has been the #1 women’s health app accessed on U.S. mobile phones. Today, it is one of the most popular health & wellness apps in the world, with more than 38 million monthly users and nearly 200 million downloads. Anyone who has downloaded, used, or otherwise accessed the Flo Health app should be extremely careful about what kind of personal information they reveal. If necessary, users may want to submit a data deletion request to ensure that their information is wiped from the app.

Software Development Kit (SDK) Code Secretly Embedded on Flo Health App

The SDK code – or Software Development Kit code – embedded on the Flo Health app makes it easier to build apps and track user analytics.

Flo Health allegedly used the SDK code to access and then share – without consent – extremely sensitive health information about the app’s users, including:

  • Menstrual cycles
  • Pregnancy due dates
  • Sexual activity
  • Masturbation habits
  • Contraceptives used
  • Mental health
  • Other general health symptoms

This intimate health information shared with Meta, Google, and others gave those third-party companies valuable information about Flo Health’s users that could be used to create targeted advertisements.

Flo Health Privacy Policy

Flo Health told the users of its period-tracking app that their personal data would not be shared with third parties unless the user explicitly consented to the sharing. However, according to the class action lawsuit, users’ sensitive health information was shared with third parties like Meta and Google. Moreover, the lawsuit alleged that Flo Health’s terms of service did not place any restrictions on how third parties like Meta and Google could use the data shared with them.

If you used the Flo Cycle & Period Tracker app for any reason, it’s possible that your sensitive health information was exposed to third parties. One proactive step you can take to protect your data against further privacy breaches is to email Flo Health and submit a Data Deletion Request, which is referenced in the Privacy Policy.

Flo Health Sued in California Federal Court for Allegedly Sharing Customer Data with Meta and Google

Flo Health was sued in the U.S. District Court for the Northern District of California. The company was accused of quietly collecting users’ health information – such as menstrual cycle dates and pregnancy details – and then sharing the data with giant tech companies like Meta and Google.

The lawsuit, filed by a class of women who used the Flo app, alleged that Flo Health embedded software to eavesdrop on users and intercept their personal identifying information. Flo Health then allegedly shared that information with third parties like Meta, Google, and other tech & analytics companies. Flo Health and Google reached settlement agreements before the trial verdict, leaving Meta as the only defendant in the case.

No Consent

Meta and Google allegedly used the data shared by Flo Health to compile detailed individual profiles. This would then make it easier for the tech companies to create targeted advertising campaigns aimed at Flo Health’s users. However, users of the Flo period-tracking app did not consent to the harvesting of their personal health information, nor did they consent to the sharing of this data with third parties like Meta and Google.

Jury Verdict: Meta Liable for Damages in Flo Health Data Privacy Lawsuit

The trial in federal court culminated with a jury finding that Meta intentionally eavesdropped on Flo Health’s users and unlawfully recorded users’ protected health information without consent. Specifically, the jury declared that Meta violated multiple state consumer privacy laws, including the California Invasion of Privacy Act (CIPA) and the California Confidentiality of Medical Information Act (CMIA). When damages in the case are calculated, it’s possible that Meta will be subject to statutory penalties totaling $200 billion.

The ruling against Meta could have broader consequences for tech firms operating in the health industry going forward. Website operators, tech firms, digital advertisers, and any other companies that collect users’ personal data may now feel compelled to set boundaries when it comes to data harvesting. This is especially likely in the consumer health industry: health data companies will need to be extremely careful about how they collect users’ data. Without affirmative consent from customers, the owners and operators of health apps and websites could be subject to legal action.

Another lesson to be learned from the Flo Health data privacy case is that it might not be sufficient for companies to simply scrub user data after collection. That’s because the mere fact that data was collected in the first place could be enough to expose the operators of apps and websites to liability. Even if you submitted a data deletion request with Flo Health, it’s possible that your personal health information was already shared with data brokers and other third parties.

FTC Settlement: Flo Health Agreed to Keep Users’ Data Confidential

The class action lawsuit against Flo Health and Meta coincided with a government action brought by the Federal Trade Commission (FTC). Like the civil suit, the FTC lawsuit accused Flo Health of sharing users’ health information with marketing and analytics firms, including Facebook and Google. This allegedly happened despite promises by Flo Health that user information would remain confidential.

Flo Health ultimately settled the FTC action, with the women’s reproductive health company agreeing to instruct third-party companies to destroy any user health data that was unlawfully obtained via the menstrual tracking app.

California Consumer Privacy Act (CCPA) and Data Deletion Requests on the Flo Health App

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives consumers the right to delete their data after it has been collected. Compliance with these statutes is enforced by the California Privacy Protection Agency.

Data Deletion Requests

Anyone who created an account with Flo Health or who otherwise used the Flo app should consider exercising their privacy rights and submitting a data-deletion request. The Flo Health Privacy Policy provides users with details on how to request erasure of their accounts and all associated data.

As a California resident, you have a right to send a data deletion request and protect your personal information. You should be able to change the settings in the Flo Health app to deactivate your account. But you may need to take further action to delete your information entirely. To address privacy concerns about any data you’ve already shared on the app, you can email Flo Health customer support directly at support@flo.health. California consumer privacy laws, as well as the app’s terms of service, require Flo Health to fully erase your personal data from their backup systems upon request.

Contact the Los Angeles Consumer Protection Attorneys at Tauler Smith LLP

Did you download a health app on your mobile phone in California? If so, it’s possible that your personal health data was unlawfully shared with third parties. The good news is that California has some of the strongest consumer protection laws in the country. The Los Angeles consumer protection lawyers at Tauler Smith LLP represent victims of digital privacy violations. We can help you protect your data and get financial compensation for any data breaches that have already occurred.

Call 310-590-3927 or email us.

Meta Data Privacy Jury Verdict

Jury: Meta Violated California Consumer Privacy Laws

A high-profile trial about data privacy violations by Facebook parent company Meta concluded with a shocking verdict from the jury: Meta violated California’s consumer privacy laws. The lawsuit concerned allegations that Meta unlawfully collected the personal health data of users of the Flo Ovulation & Period Tracker app. Women who use the app are encouraged to enter private details about their health, including sexual activity, birth control, and menstrual cycles. The California jury found that Meta eavesdropped on women as they entered data on the Flo Health app. The precedent-setting judgment could have serious financial consequences for Meta, in addition to shaping the future of data collection in the consumer health industry.

To learn more about the recent data privacy jury verdict against Meta, keep reading this blog.

Lawsuit: Meta Unlawfully Accessed Personal Health Data of Flo Health App Users

Meta Platforms, Inc. is the parent company of popular social media platform Facebook, as well as Instagram and WhatsApp. Meta entered into a partnership with Flo Health, which owns and operates the Flo Cycle & Period Tracker app. According to the class action lawsuit, the app has more than 38 million active monthly users and has been downloaded 180 million times, consistently ranking as the top period-tracking app and the most downloaded health app in the United States.

Software Development Kits (SDKs)

Flo Health’s app used software development kits (SDKs), which are code commonly utilized by developers for analytics. This code is what allegedly enabled Meta to access the personal information of Flo Health’s users through custom logs.

According to the lawsuit against Meta, the SDK used by Flo Health included 12 “custom app events” that allowed the social media company to gain valuable insight into users’ personal health information. Examples of this code cited by the lawsuit included “R_SELECT_LAST_PERIOD_DATE” and “R_SELECT_CYCLE_LENGTH.”

When someone first downloads the Flo Health app, they are instructed to provide personal health information by filling out a survey. The questions in this survey ask for extremely intimate details about the users: periods, menstrual cycles, pregnancy due dates, etc. As users continue to access the app, they are encouraged to provide even more information about their health, such as sexual activity, masturbation habits, physical health symptoms, and mental health. This information is supposed to help Flo Health offer user-specific health advice.

Flo Health Privacy Policy

The Flo Health Privacy Policy promised users that the company would only share data that was relevant to the app’s services, operation, and development. The Privacy Policy even underscored the company’s supposed commitment to protecting users’ privacy rights: “Users are trusting us with intimate personal information, and we are committed to keeping that trust.”

Meta, Google, and Flo Health Named as Defendants in Consumer Privacy Class Action Lawsuit

Multiple class action lawsuits were brought against Flo Health, Meta, Google, AppsFlyer (ad analytics company), and Flurry (analytics company owned by Yahoo!) alleging violations of California digital privacy laws. Eventually, those lawsuits were consolidated into one class action: Frasco v. Flo Health.

Most of the companies avoided trial by reaching settlements with the plaintiffs. The lawsuit against Flo Health was settled just before the jury issued its verdict, leaving Meta as the only remaining defendant.

Jury Verdict: Meta Violated the California Invasion of Privacy Act (CIPA)

The plaintiffs in the class action against Meta (Facebook) alleged that the social media company intercepted the intimate health data of people who used the Flo Health app – and that Meta did this without consent. The lawsuit further alleged that Meta eavesdropped on users of Flo Health to record highly sensitive personal information, such as menstruation cycles, pregnancy data, and other protected health information.

Specifically, Meta was accused of violating the California Invasion of Privacy Act (CIPA) by intentionally recording the sensitive health information of millions of women.

Trial & Verdict

The trial took place in the U.S. District Court for the Northern District of California. The jury found that the plaintiffs had a reasonable expectation of privacy when they used the Flo app, including a reasonable expectation that their health information would not be shared with others. Significantly, the jury ruled that Meta violated the California Invasion of Privacy Act (CIPA) by unlawfully harvesting personal health data from users of the Flo Health app without permission.

At the conclusion of the trial, the jury was asked three questions:

  1. Did the plaintiffs prove that Meta intentionally eavesdropped on and/or recorded their conversations by using an electronic device?
  2. Did the plaintiffs prove that Flo Health users had a reasonable expectation that their conversations were not being overheard and/or recorded?
  3. Did Meta have the consent of all parties to the conversations to eavesdrop on and/or record them?

The jury unanimously agreed that the plaintiffs proved, by a preponderance of evidence, that Meta did intentionally eavesdrop on user conversations.

The jury also unanimously agreed that the plaintiffs proved, by a preponderance of evidence, that users of the Flo Health fertility-tracking app had a reasonable expectation that their conversations on the app would not be spied on.

Finally, the jury unanimously agreed that Meta failed to get the consent of Flo Health app users to eavesdrop on their conversations.

Is Meta Liable for $200 Billion in Damages for California Privacy Law Violations?

Although the jury decision against Meta has been rendered, the total amount of damages in this case has not yet been determined. Since the plaintiffs stated that there are 38 million class members whose data may have been breached by Meta, the damages could add up to nearly $200 billion. That’s because the California Invasion of Privacy Act (CIPA) imposes penalties of $5,000 for each violation of the statute.

The damages could be even higher because the California Confidentiality of Medical Information Act (CMIA) also imposes statutory penalties of $1,000 per violation.

Additionally, given the scope and scale of the alleged data privacy violations by Meta, the damages could have ramifications for how medical marketers, data brokers, and tech companies use privacy tracking technology in the future.

Data Privacy Verdict Against Meta/Facebook Could Affect Tech & Healthcare Industries

The Meta data privacy verdict could cause alarm bells to ring for tech companies that harvest user data without permission. After the verdict, the plaintiffs’ attorneys issued a statement criticizing Meta and other companies for “covertly profiting from users’ most intimate information.” The attorneys also emphasized the importance of consumers’ fundamental right to privacy, “especially when it comes to sensitive health data.”

Experts predict that health care companies may see the jury decision as a warning to be more careful about how patient health information is collected and who is given access to that information. That’s because the Meta class action jury verdict is a reminder of just how stringent California’s privacy laws are and how difficult it can be for companies to comply with those laws. Going forward, health companies with websites, apps, and other platforms may need to take a closer look at how their websites and products are designed.

Call the Los Angeles Consumer Protection Attorneys at Tauler Smith LLP

If you are a California resident who used an app or website that collected your personal health information, your data might have been exposed. Both state and federal consumer privacy laws may give you a right to bring legal action for compensatory damages. The Los Angeles consumer protection lawyers at Tauler Smith LLP have extensive experience representing plaintiffs in data privacy lawsuits, and we can help you.

Call 310-590-3927 or email us today.

Flo Health Data Privacy Lawsuit

Flo Health Settles Data Privacy Lawsuit

In major legal news, Flo Health has settled a data privacy lawsuit accusing the company of violating California’s consumer privacy laws. The class action lawsuit alleged that Flo Health collected the highly personal health information of millions of women who used the company’s period-tracking app and then unlawfully shared that data with Meta (Facebook), Google, and other tech companies. The harvesting of users’ protected healthcare information is seen as particularly invasive because the data often includes intimate details about a person’s health and sexuality. Before the jury issued a verdict in the case, however, Flo Health reached a settlement with the plaintiffs. The settlement, as well as the subsequent jury verdict against Meta, is likely to have significant consequences for the health industry and for consumer health data privacy.

To learn more about the invasion of privacy lawsuit against Flo Health, keep reading.

Flo Health Accused of Capturing User Data Without Permission

Flo Health, Inc. is the company behind the Flo Cycle & Period Tracker app, the world’s leading period and ovulation tracker. The app was launched in 2016, and it allowed users to track their periods and pregnancies: users would input personal data about their menstrual cycles, pregnancy due dates, and other related information. According to the CEO of Flo Health, one out of every four U.S. women uses the Flo Health app. Additionally, it has been reported that Flo Health recently raised $200 million in Series C funding to grow its brand. That investment implies a valuation of more than $1 billion for the company.

The software used by Flo Health allegedly captured data anytime a user opened the fertility-tracking app. The software would also allegedly log every action taken by users on the app.

Survey Questions

When users accessed the Flo Ovulation & Period Tracker app, they filled out a survey. Some of the intrusive survey questions included:

  • When was your last period?
  • How often do you have sex?
  • Do you masturbate?
  • Do you get yeast infections?

Data Sharing

Flo Health allegedly embedded software on its app to harvest and then share user responses with third parties. Importantly, this was not supposed to include “information regarding users’ menstruation cycles, pregnancy, symptoms, and other information entered by users.”

According to the lawsuit against Flo Health, users of the app provided intimate health information because they believed the company’s assurances that their data would remain confidential.

Flo Health Privacy Policy Promised Not to Share Users’ Personal Information

The breach of data privacy allegedly happened despite written statements by Flo Health promising users that their sensitive health information would remain private. Although Flo Health claimed to disclose the use of tracking code in its Privacy Policy and Terms of Service, the class action plaintiffs alleged that the disclosure was insufficient.

Moreover, Flo Health allegedly assured users in its Privacy Policy disclosures that their personal information from the app would only be shared when doing so was absolutely necessary to provide a service on the app. Instead, users’ sensitive health information was allegedly shared with third parties who had no restriction on how they might use the data.

Lawsuit: Flo Health Violated California Privacy Laws by Sharing Customer Data with Meta/Facebook and Google

Flo Health was sued in a class action lawsuit accusing the company of unlawfully sharing consumers’ personal health data with third parties. The plaintiffs in Frasco v. Flo Health were a class of women who used the Flo Health app and alleged that their sensitive health data was collected and revealed without consent.

The lawsuit, filed in the U.S. District Court for the Northern District of California, also named Meta (Facebook), Google, and Flurry as defendants. The main statutory basis for the class action lawsuit was the California Invasion of Privacy Act (CIPA). The lawsuit also alleged violations of California’s Confidentiality of Medical Information Act (CMIA).

Flo Health Avoids Trial by Settling Data Privacy Class Action

Google and Flurry avoided trial by reaching settlements early on. Flo Health also reached a settlement just days before a verdict in the trial. The terms of the settlement were confidential, with Flo Health making no admission of wrongdoing. The lawsuit against Meta proceeded to trial, with a jury ultimately ruling against Meta.

The claims against Flo Health included alleged violations of California’s stringent privacy laws, including the California Invasion of Privacy Act (CIPA). If the case had gone to trial, Flo Health would have faced billions of dollars in potential damages because of statutory penalties and punitive damages. In fact, before Flo Health settled the lawsuit, the company said that the potential damages if they lost would be “mind-boggling.”

What Is the Future of Health Data Privacy After the Flo Health Lawsuit Settlement?

The outcome of the Flo Health case could have an effect on other industries because it is now clear that sensitive data may be subject to heightened privacy requirements. Although Flo Health is not technically a medical provider that must comply with HIPAA regulations on protected health information, the jury in the Meta trial still found that the type of personal information Flo Health collected and shared did constitute “sensitive healthcare data.”

Additionally, legal observers believe that the Flo Health & Meta jury verdict could put companies on notice that they need to exercise extreme caution when partnering with a third party on an app or website.

FTC Charges Against Flo Health for Fraudulent Misrepresentations About Customers’ Privacy Rights

The recent class action lawsuit against Flo Health was not the first time the company has faced legal action due to allegations of violating consumers’ privacy rights. In 2019, the Wall Street Journal published a report detailing possible data privacy violations by Flo Health. This prompted the U.S. Federal Trade Commission (FTC) to begin an investigation. The FTC later brought charges against Flo Health for making fraudulent misrepresentations about how they would protect users’ privacy rights.

In 2021, Flo Health reached a settlement agreement with the FTC.

Call the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

Are you a California resident who revealed personal health information while using an app or website? It’s possible that you were the victim of a data privacy violation that could entitle you to financial compensation. The legal team at Tauler Smith LLP can help you. Our skilled California consumer protection attorneys are familiar with digital privacy laws at both the federal and state levels, and we have considerable experience representing plaintiffs in these cases.

Call 310-590-3927 or send an email today to discuss your legal options.

Electronic Communications Privacy Act

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act (ECPA) is a federal law enacted in the mid-1980s just as cell phones, the internet, and other digital technologies were becoming prevalent throughout the United States. Many Americans began to use email, prompting lawmakers to put stringent privacy protections in place for those types of communications. Today, data privacy remains a major concern in industries where customer records shared online typically involve sensitive material, including the financial and healthcare industries. The need for strong internet privacy protections like those provided by the ECPA and by California’s privacy laws is greater than ever as more and more third-party companies and data brokers use website data to profile users and create targeted advertising strategies. An ECPA lawsuit is often the best way for consumers to protect their data and hold companies liable for digital privacy breaches.

Legislative History of the Electronic Communications Privacy Act (ECPA)

The U.S. Congress passed the Electronic Communications Privacy Act (ECPA) in 1986 for the purpose of:

  1. Expanding the scope of the prohibition against government wiretaps from just telephone calls to also include computer transmissions.
  2. Adding new prohibitions against access to stored electronic communications.
  3. Adding provisions addressing the tracing of telephone calls via pen registers and trap & trace devices.

The ECPA amended the Omnibus Crime Control and Safe Streets Act of 1968, which was intended to limit government access to private electronic communications. The older law explicitly dealt with telephone calls, while the ECPA extended those privacy protections to more modern forms of electronic communication like the internet.

Since its passage, the ECPA has been amended by several other laws, including the USA PATRIOT Act (increasing government surveillance authority in the wake of 9/11) and the FISA Amendments Act (allowing for government surveillance of non-U.S. citizens who pose terrorism threats).

What Is the Electronic Communications Privacy Act?

The Electronic Communications Privacy Act (ECPA) protects privacy rights in electronic communications, with “electronic communications” defined broadly to include telephone calls, emails, text messages, social media posts, and website communications.

The statute consists of three provisions:

  • Title I: The Federal Wiretap Act
  • Title II: The Stored Communications Act (SCA)
  • Title III: The Pen Register Act

Title I: Federal Wiretap Act

Title I of the ECPA is known as the Federal Wiretap Act, which protects certain electronic communications against interception via wiretapping while in transit. The statute specifically prohibits the interception, use, or disclosure of real-time electronic communications without the consent of at least one of the parties involved.

Importantly, the Federal Wiretap Act only applies to electronic data that is intercepted in real time as it is being transmitted. In other words, Title I protects against live surveillance.

Title II: Stored Communications Act

Title II of the ECPA is the Stored Communications Act (SCA), which protects data held in electronic storage by third-party service providers. (E.g., emails stored on computer servers or files on a cloud drive.)

When a person, company, or other entity gains access to stored electronic data such as emails on a server, it may constitute a Title II privacy violation. For example, employers cannot access and then read employees’ personal emails without notice, consent, or a court order.

Title III: Pen Register Act

Title III of the ECPA is also known as the Pen Register Act. This part of the statute prohibits the use of pen registers and trap & trace devices to capture and record dialing, routing, addressing, and signaling information – unless a court order has been issued to allow for the recording of the information. Title III created clear restrictions on how and when anyone can use a pen register or trap and trace device to trace telephone and other communications.

While Title I protects the content of electronic communications, Title III places limits on metadata about electronic communications. This matters because metadata – such as cell phone traffic, call logs, and IP addresses – can still reveal highly sensitive information about a communication and raise privacy concerns.

Employee Privacy Rights Protected Under the ECPA

The Electronic Communications Privacy Act (ECPA) enhanced the protections for employee privacy rights that already existed under the Omnibus Crime Control and Safe Streets Act, which placed restrictions on employers who monitor employee phone calls. The ECPA added workplace privacy protections for electronic communications and cell phone communications by prohibiting employers from secretly monitoring their employees’ personal emails or phone calls without consent.

However, there has been some criticism of the ECPA for making it too easy for employers to monitor employee communications in the workplace. Courts have found that employers simply need to provide notice to the employee via an employment contract that their work emails will be monitored, and then the employer can access all electronic communications. Another avenue for employers to monitor worker emails under the ECPA is to have a supervisor report that the worker’s activity is suspicious and their actions are not in the best interest of the company; again, this would allow the employer to monitor the employee’s emails.

ECPA Lawsuits: Companies Can Be Sued for Secretly Collecting Personal Data Online

Consumer privacy litigation, particularly in the category of data privacy, has been on the rise in recent years, with millions of consumers learning that their personal information was secretly collected online and then shared with unscrupulous data brokers. That’s why the Electronic Communications Privacy Act (ECPA) has become a vital tool in the fight to protect consumers against invasions of privacy on the internet.

The ECPA explicitly prohibits different entities – government, companies, individuals – from intercepting a person’s online data without consent. The federal statute may serve as the basis for liability in a civil suit or class action when the unlawful interception affected interstate commerce. In other words, when the sender of the communication is located in one state and the party intercepting the communication is located in another state, the victim of an invasion of privacy may bring an ECPA lawsuit in federal court.

Exceptions to ECPA Liability

There are several exceptions to ECPA liability that allow law enforcement agencies, private companies, and other entities to legally intercept electronic communications in certain contexts:

  • Consent: Since the ECPA is a single-consent law, it is legal under the statute to intercept a communication as long as at least one party has consented to the interception.
  • Service Providers: A telecoms company or internet service provider may be allowed to access an electronic communication if doing so is in the normal course of their business and necessary to manage their service. (E.g., email providers may scan users’ messages for spam.)
  • Law Enforcement: Police and other law enforcement agencies can intercept electronic communications after obtaining a court order, warrant, or subpoena. They may also be allowed to access data in an emergency situation.
  • Employers: Employers may be allowed to monitor employee communications in the workplace if it is for a legitimate business purpose and the employee has been informed of the monitoring in advance.

What Are the Penalties for Violations of the ECPA?

Violators of the Electronic Communications Privacy Act (ECPA) are subject to both criminal and civil penalties.

Criminal Penalties

A criminal conviction under the federal data privacy law can result in fines of $250,000 for individuals and $500,000 for organizations. Moreover, these fines can be imposed for each ECPA violation. Beyond that, extreme cases may result in the offending party being sentenced to up to five (5) years in prison.

Civil Damages

Victims of an ECPA violation may bring a civil suit and pursue statutory damages: up to $1,000 for each violation or the actual damages, whichever amount is greater. Additionally, it may be possible to recover punitive damages in certain cases, as well as compensation for legal fees.

Class Action Lawsuits

Many ECPA claims are filed as class action lawsuits, with hundreds or even thousands of plaintiffs affected by the same unlawful data collection practices of the defendant. These class actions often result in multi-million-dollar settlements or similarly high damages awards at trial.

Call the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

The Los Angeles consumer protection attorneys at Tauler Smith LLP represent plaintiffs in both federal and California state courtrooms. We know what it takes to win an ECPA lawsuit because we’ve helped countless clients secure favorable outcomes to their data privacy cases.

Call 310-590-3927 or send an email to schedule a free consultation.

Federal Wiretap Act

What Is the Federal Wiretap Act?

The explosion of e-commerce websites, internet marketing, and AI technology has raised serious concerns about the privacy of consumers online. Increasingly, courts in California and elsewhere are relying on the Federal Wiretap Act to ensure that consumers’ sensitive personal information remains confidential. What is the Federal Wiretap Act? The federal data privacy law broadly protects consumer data by placing clear limits on how the government and private businesses can go about collecting information about website visitors. The law also gives individuals a private right of action to sue in federal court, which has led to a rise in class action consumer privacy lawsuits. Consumers who visited websites that unlawfully intercepted their personal data may be eligible to join one of these class actions and receive financial compensation.

To learn more about the Federal Wiretap Act, keep reading this blog.

The Federal Wiretap Act Protects Consumer Data Privacy

The Federal Wiretap Act is contained in Title I of the Electronic Communications Privacy Act (ECPA) and codified at 18 U.S.C. § 2510. The wiretapping law was passed by the U.S. Congress in 1986, with the primary intent of the statute being to extend previously enacted restrictions on government wiretaps of telephone calls to other types of electronic data transmissions by computer.

As a federal statute, the wiretap law applies to interstate or international communications. For example, a consumer may bring a Federal Wiretap Act claim when they use the internet from a California IP address to visit a website operated in another state.

Federal Wiretap Law Prohibits the Interception of Personal Communications Without Consent

The Federal Wiretap Act prohibits law enforcement agencies, businesses, and individuals from intercepting a person’s communications without their consent. The law explicitly prohibits the interception, use, or disclosure of a communication. The key term that is often disputed in civil proceedings is “intercept,” which the statute defines as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”

One of the most common ways that a company violates the Federal Wiretap Act is by using online trackers to spy on website visitors and collect data. The personal information unlawfully collected by companies on their websites is often extremely sensitive in nature: it can include confidential medical data, financial information, and other highly personal information about website visitors.

The Federal Wiretap Act Protects Real-Time Communications

The Federal Wiretap Act’s digital privacy protections apply to wire communications, oral communications, and electronic communications. Importantly, the law protects these types of communications while they are in transit. This places a limitation on the law because plaintiffs must show that their information was intercepted and/or read in real time.

Courts will typically examine whether the online communication was collected before, during, or after it was sent. If a company read or learned the contents of a communication while it was in transit, then the action qualifies as an “interception” under the federal wiretap law and exposes the offending party to liability.

Plaintiffs in Federal Wiretap Act claims must be able to allege that their data was collected contemporaneously with the transmission of that data to a third-party’s server. For example, a plaintiff who provides personal medical information on a health website would need to show that the information was intercepted via tracking software as soon as it was input.

The Federal Wiretap Act Protects Internet Communications

Courts have interpreted the Federal Wiretap Act to apply to both internet communications and telephone communications. Although the wiretap law was originally meant to limit the ability of the government to intercept and monitor telephone calls, it is now basically settled law that these kinds of privacy statutes also protect online communications. For example, the federal wiretap law is understood to apply in many different contexts, including when companies embed trackers on their websites. This is significant because the internet era has witnessed the steady proliferation of website cookies, scripts, and pixels that track users’ activity and collect their personal information.

Email Communications

The question of whether the Federal Wiretap Act applies to email messages has been disputed in court. That’s because the statute protects electronic communications only while they are in transit, while practically all emails are put in temporary storage on the way to their final destination. However, courts have ruled that emails must be protected under the Electronic Communications Privacy Act (ECPA) because otherwise the added safeguards of the wiretap law would be meaningless.

Victims of Online Surveillance Have a Private Right of Action to Sue in Federal Court

Although the Federal Wiretap Act was initially passed as a criminal statute to limit government surveillance, the law does provide individuals with a private right of action in civil court.

The Federal Wiretap Act gives consumers the right to bring a civil suit and pursue monetary damages for data privacy breaches. When a company violates federal wiretap laws by unlawfully collecting the personal information of website visitors, the company may be subject to both criminal and civil penalties.

Are There Exceptions to Liability Under the Federal Wiretap Act?

The Federal Wiretap Act has a single-party consent exception to liability. When one of the parties to the communication consents to the interception, then the collection of data is lawful. For instance, if a company consents to the use of tracking code on its website to collect customer data, that could be enough for the one-party consent rule to initially preclude liability under the federal statute.

Crime-Tort Exception

However, even when the single-party consent exception applies, it is still possible for a plaintiff to successfully bring a Federal Wiretap Act claim if the crime-tort exception also applies. The crime-tort exception stipulates that a party may be liable under the wiretap law when they intercepted and/or shared customer data “for the purpose of committing any criminal or tortious act.”

California Invasion of Privacy Act (CIPA): State Law Protects Consumers Against Online Data Collection

The Federal Wiretap Act was actually a model for California’s main consumer privacy law: the California Invasion of Privacy Act (CIPA). The CIPA imposes even stronger data privacy protections than the Federal Wiretap Act, and this is particularly true with respect to consumer data. That’s why many California consumers choose to file invasion of privacy lawsuits under the CIPA. In fact, the CIPA is often the basis for class action lawsuits against companies that unlawfully collect and share consumer data online.

The Federal Wiretap Act can work in tandem with the CIPA and other California state privacy laws to create dual compliance obligations for companies that operate websites. Plaintiffs may file both CIPA claims and ECPA claims together, resulting in enhanced penalties for defendants and additional compensation for victims.

Two-Party Consent

One of the ways in which the California Invasion of Privacy Act (CIPA) is more robust than the Federal Wiretap Act is that the CIPA is a two-party consent law. This means that it is illegal for anyone to record a conversation without the consent of all parties to that conversation. This is true for many different types of conversations, including telephone calls, in-person conversations, and electronic or online communications.

CIPA Penalties & Damages

Like the federal wiretap law, California’s Invasion of Privacy Act (CIPA) imposes both criminal and civil penalties on offenders. The criminal penalties include fines of up to $10,000 for each violation, depending on the severity of the offense. The civil penalties include statutory damages of $5,000 per violation and actual damages for any financial losses suffered by the victim.

Contact the Los Angeles Consumer Protection Attorneys at Tauler Smith LLP

Did you visit a website that may have unlawfully collected and shared your personal information? Under federal law, you may be able to file a civil suit and get financial compensation. The California consumer protection lawyers at Tauler Smith LLP represent plaintiffs in both state and federal courts. Our legal team is highly skilled in consumer privacy litigation, and we have helped numerous clients win favorable settlements and verdicts in these cases.

Call 310-590-3927 or email us to find out how we can help you.

LiveRamp Consumer Privacy Class Action

Invasion of Privacy Lawsuit Against LiveRamp

LiveRamp, one of the largest data brokers in the world, was sued for invading the privacy of consumers – and now a federal court has ruled that the case can move forward. The invasion of privacy lawsuit against LiveRamp, Riganian v. LiveRamp Holdings, Inc., was filed as a class action in the U.S. District Court for the California Northern District. The plaintiffs are California consumers who accused LiveRamp of unlawfully collecting consumer information both online and offline and then selling that information to third parties for marketing purposes. These actions would constitute violations of both federal wiretap laws and California consumer privacy laws, so the stakes are extremely high for LiveRamp and other data brokers who allegedly collect and share consumer data without consent.

To learn more about the consumer privacy class action lawsuit against LiveRamp, keep reading this blog.

LiveRamp Accused of Collecting and Selling Consumer Data to Third Parties Without Consent

LiveRamp Holdings, Inc. (also known as LiveRamp, Inc.) is primarily a data onboarding company that provides other businesses with access to consumer data for marketing purposes. LiveRamp promotes itself as “the data collaboration platform of choice for the world’s most innovative companies.” Some of LiveRamp’s high-profile clients include Disney, CVS, Sam’s Club, L’Oreal, LinkedIn, Pinterest, KitchenAid, NBCUniversal, and McDonald’s.

LiveRamp is a registered “data broker” in California. Cal. Civ. Code § 1798.99.80 defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Riganian v. LiveRamp Holdings, Inc. was filed in the United States District Court, Northern District of California. The class action lawsuit alleges that LiveRamp has built its business around facilitating a “commercial surveillance ecosystem” that involves collecting detailed information about consumers’ identities and the places where they may be found online. The plaintiffs specifically allege that LiveRamp tracked, compiled, and analyzed vast quantities of their personal, online, and offline activities to build detailed “identity profiles” on them for sale to third parties. Alarmingly, all of this information was allegedly collected by LiveRamp even though the plaintiffs never directly interacted with the company.

How Does LiveRamp Collect Personal Information from U.S. Consumers?

According to the civil suit, LiveRamp’s data collection process involves three steps:

  1. LiveRamp collects and purchases massive amounts of personal information from countless sources both offline and online.
  2. LiveRamp synchronizes the aggregated data about a consumer into a single “identity profile,” with the consumer being slapped with a unique RampID profile that tracks them across online devices and even offline.
  3. LiveRamp operates a Data Marketplace ecosystem where advertisers and data brokers can buy and sell information compiled in the RampID Profiles.

The personal information that LiveRamp allegedly collects includes consumers’ names, addresses, phone numbers, digital identifiers, and device identifiers.

Widespread Data Collection

The scope and scale of LiveRamp’s data collection business cannot be overstated: the company allegedly maintains the largest and most accurate people-based identity graph in the world, with detailed personal information on 700 million consumers. According to LiveRamp, this includes the identities of more than 250 million consumers in the United States. Beyond that, LiveRamp claims that its access to partner websites allows the company to connect to over 92% of all U.S. consumer time spent online.

Moreover, LiveRamp’s surveillance is pervasive, tracking users over time even as they move to different residences or change names due to marriage or divorce.

LiveRamp’s Data Collection Sources

LiveRamp is able to acquire so much data about so many Americans through both its own surveillance technologies and partnerships with hundreds of third parties.

The LiveRamp data collection sources include:

  • Internet “cookies” that are placed on users’ devices to track their web browsing activity.
  • Tracking pixels that automatically capture users’ website browsing history.
  • JavaScript code that allows LiveRamp to detect users’ personal information through “event listeners.”
  • AbiliTec system that constructs user IDs from hundreds of sources containing identifiers such as names, phone numbers, postal addresses, Social Security numbers, and driver’s license records.

RampID Profiles

Once LiveRamp has identified consumers and their online behavior, it builds a unique “RampID” profile for each individual. These profiles are maintained and updated in real time as users visit different websites, apps, and even physical stores. This means that LiveRamp maintains “highly detailed, continuously updated dossiers on hundreds of millions of people.”

LiveRamp’s Data Marketplace

LiveRamp also operates a “Data Marketplace,” which is a central exchange where LiveRamp and its clients sell or share access to the personal information of hundreds of millions of U.S. consumers. LiveRamp uses an “Attribute Enrichment” feature that allegedly allows any of the company’s third-party clients to provide an individual’s name, address, or email and get related “segment” information about the person, including health conditions, financial status, and religious affiliations.

The U.S. District Court observed that much of the data available in LiveRamp’s Data Marketplace can be described as “sensitive,” including information about health conditions, financial vulnerability, religious affiliation, and sexual orientation. The class action complaint states that LiveRamp’s clients are able to buy and sell groups of consumer IDs associated with “people with cancer, union members, Muslims, Jewish people, African Americans, poor people, payday loan prospects, online gamblers, and unemployed individuals who were seen at clinics and hospitals.” LiveRamp also allegedly targets women who are pregnant so that the company can sell their data on the marketplace.

Lawsuit: LiveRamp Collects Personal Data of Hundreds of Millions of Consumers Without Consent

According to the digital privacy lawsuit, none of the hundreds of millions of people whom LiveRamp profiles ever have the opportunity to meaningfully consent to this pervasive surveillance. That’s because it is simply not possible to anticipate the ways in which LiveRamp compiles their personal information and shares it with third parties. Moreover, it is impossible for consumers to know in advance which third parties their personal information will be shared with, or what those third parties will do with that information.

Federal Court: Invasion of Privacy Lawsuit Against LiveRamp May Proceed

One of the plaintiffs in the class action suit alleged that LiveRamp collected her personal information when she interacted with the CVS pharmacy website. Another plaintiff alleged that LiveRamp tracked her activity on healthline.com, CVS.com, Health.usnews.com, Patient.info, ABCnews.go.com, and Showtime.com. The personal information allegedly intercepted by LiveRamp included the precise pages visited, articles read, products viewed, and searches queried.

The plaintiffs in the class action asserted multiple claims for relief under both privacy and wiretap theories:

  • Invasion of Privacy under the California Constitution.
  • Violation of the Federal Wiretap Act.
  • Violations of the California Invasion of Privacy Act (CIPA).

LiveRamp filed a motion to dismiss, seeking to get the suit thrown out before trial. However, the U.S. District Court ruled against the motion to dismiss, meaning that the case can proceed.

Class Action: LiveRamp Violated the California Constitution by Tracking Consumers Online

The elements of an invasion of privacy claim under the California Constitution are:

  1. The Plaintiff has a reasonable expectation of privacy.
  2. The Defendant intruded upon the Plaintiff’s privacy, and the intrusion was highly offensive.

The U.S. District Court for the California Northern District said that it found “unpersuasive” LiveRamp’s contention that the company publicly discloses its data collection practices. The court pointed to the fact that the plaintiffs were not aware of LiveRamp’s conduct at all. This means that any supposed disclosures by LiveRamp would have no effect on consumers’ reasonable expectations of privacy when they visit websites.

The court also stated that LiveRamp’s alleged tracking of user activity across thousands of websites would be sufficient for a claim that LiveRamp unlawfully intruded into the privacy of consumers. The court noted the plaintiffs’ allegation that LiveRamp compiled consumer data from websites and then sold that data to third parties without the consumers’ knowledge or consent. Since this data was often “sensitive” in nature, consumers would have a reasonable expectation of privacy in the information.

The federal court ruled that the plaintiff adequately alleged that LiveRamp gained unwanted access to consumer data in violation of both the California Constitution and social norms.

Court: LiveRamp May Have Violated the Federal Wiretap Act

The Federal Wiretap Act, contained in the Electronic Communications Privacy Act (ECPA), is codified at 18 U.S.C. § 2511. The federal statute provides for civil penalties against anyone who “intentionally intercepts or endeavors to intercept any wire, oral, or electronic communication.”

In its pre-trial motion to dismiss, LiveRamp argued that the Federal Wiretap Act claim should be thrown out because LiveRamp’s tracking pixel only operates on the websites of clients who have consented to it. Since the federal law is a one-party consent statute, this would ordinarily be the end of the case. However, there is an exception to the single-party consent rule – the “crime-tort exception” – which stipulates that even with consent, it is still a violation of the wiretap law if the defendant intercepted communications for the purpose of committing a criminal or tortious act.

The U.S. District Court agreed with the plaintiffs, stating that the crime-tort exception would apply if LiveRamp commercially exploited unlawfully obtained information from consumers. The court further said that “if Plaintiffs ultimately prove that LiveRamp unlawfully intercepted, packaged, and sold personal information without consent at scale, that conduct will not be excused on the grounds that LiveRamp acted in pursuit of profit.”

The court concluded its analysis by stating that the plaintiffs in the class action will be allowed to move forward with their Federal Wiretap Act claim against LiveRamp.

California Invasion of Privacy Act Claims Against LiveRamp

The plaintiffs in the class action against LiveRamp also asserted claims based on violations of § 631(a) and § 638.51 of the California Invasion of Privacy Act (CIPA).

California’s strong consumer protection laws include the CIPA, which prohibits businesses from wiretapping customers’ communications without consent. Violations of the statute could subject offenders to both criminal and civil penalties.

CIPA § 631(a) – Real-Time Interception

Section 631(a) of the CIPA allows a consumer to recover damages when a company “willfully and without consent of all parties to a communication, attempts to read or learn the contents of the communication while it is in transit.”

The court found that the plaintiffs plausibly alleged that LiveRamp violated the CIPA by reading the personal information the data broker intercepts on websites while that information is in transit. The court noted the allegation that LiveRamp engaged in both the real-time interception of consumer data and the contemporaneous reading of that data. That’s because LiveRamp’s “event listeners” intercept communications while they are in transit, and LiveRamp’s “identity graph” then connects the data into an identity profile that is updated in real time.

CIPA § 638.51 – Pen Register Violation

Section 638.51 of the California Invasion of Privacy Act (CIPA) prohibits companies from using a “pen register” without a court order. The class action alleges that LiveRamp violated the CIPA by using code, scripts, and trackers to record identifying information on users’ devices, including IP addresses and electronic device identification numbers.

In its motion to dismiss, LiveRamp tried to argue that only telephones – not websites – qualify as pen registers under the statute. The court disagreed strongly with this argument.

The CIPA defines a pen register broadly as “a device or process that records dialing, routing, addressing, or signaling information transmitted by an instrument.” The court noted that this definition does not mention telephones at all. By contrast, other sections of the CIPA do mention telephones. This means that the drafters of the statute clearly intended for pen registers to include more than just telephones.

Additionally, federal courts have established clear precedent that pen registers include telephones and other data collection tools, such as internet browser trackers and computer software that identifies consumers through “fingerprinting.”

Once again, the California Northern District Court agreed with the plaintiffs. The court’s ruling means that the class action against LiveRamp survived the motion to dismiss and can now proceed.

Call the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

Do you believe that your personal information was unlawfully collected online? The Los Angeles consumer protection attorneys at Tauler Smith LLP can help you file a civil suit for financial compensation. Our experienced legal team represents plaintiffs in both federal and California state courts.

Call 310-590-3927 or send an email to discuss your possible legal claim.

Rack Room Shoes Wiretap Lawsuit

Did Rack Room Shoes Violate Federal Wiretap Law?

A federal court in California recently issued a key ruling in an important, potentially precedent-setting case, and court observers and legal experts are now asking: Did Rack Room Shoes violate federal wiretap law? The pre-trial ruling, issued by the U.S. District Court for the California Northern District, might have implications for the future of consumer privacy laws nationwide. The case, Smith v. Rack Room Shoes, Inc., could also result in severe consequences for a number of companies, including Meta, Attentive, and Rack Room Shoes. That’s because the companies have been accused of collaborating to collect and share the personal data of online customers in violation of the Federal Wiretap Act.

To find out about this important consumer privacy case and what it could mean for consumer privacy litigants, keep reading.

Rack Room Shoes, Meta, and Attentive Named in Federal Wiretap Lawsuit

Rack Room Shoes, Inc. is a national footwear chain that operates under both the Rack Room Shoes brand and the Off Broadway Shoe Warehouse brand. The chain sells shoes for men, women, and children both online and in brick-and-mortar stores throughout the United States.

Meta Platforms, Inc. is a global technology company best known for owning and operating major social media platforms such as Facebook, Instagram, and WhatsApp. Meta is one of the largest public companies in the world, with its subsidiary Facebook reporting more than three (3) billion users. The tech company has previously been accused of collecting users’ biometric data without consent.

Attentive is a prominent mobile messaging & email platform. The company provides personalized SMS and email marketing to e-commerce brands that want to automate communications with customers. Attentive markets itself as an AI-powered platform that uses advanced artificial intelligence to capture, store, and activate users’ data.

Smith v. Rack Room Shoes, Inc. is being heard in the United States District Court, Northern District of California. All three companies – Rack Room Shoes, Meta, and Attentive – were named in the digital privacy claim, even though only Rack Room Shoes was named as a Defendant.

Rack Room Shoes Accused of Intercepting Customer Communications Online

Rack Room Shoes has been accused of permitting tech giants Meta, Attentive, and other companies to intercept the communications of visitors to the Rack Room Shoes e-commerce store. This unauthorized surveillance was allegedly done via trackers that Rack Room Shoes embedded on its website.

Perhaps most concerning for California consumers is the allegation that Rack Room Shoes essentially spied on website visitors and then collected their personal information without the users’ knowledge or consent.

Embedded Website Tracking Code

According to the class action suit, Rack Room Shoes embedded the code of third-party companies Meta and Attentive on its website. This code allegedly intercepts the personally identifiable communications of anyone who visits the website, and then the code directs the person’s browser to send a message to Meta or Attentive. Rack Room Shoes allegedly incorporates the data into consumer profiles provided by Meta, Attentive, and other third-party data brokers. These consumer profiles are used by Rack Room Shoes to guide its targeted advertisements. Significantly, these actions would be contrary to commitments in the Rack Room Shoes website privacy policy.

Meta, Attentive, and Data Broker Companies Accused of Collecting and Sharing Customer Data

Meta and Attentive are referenced throughout the class action complaint against Rack Room Shoes. That’s because it is Meta and Attentive tracking code and “scripts” that are allegedly utilized by the Rack Room Shoes website to collect consumer information such as customers’ names, email addresses, phone numbers, and even their online shopping behavior.

Meta Pixel Code

According to the lawsuit, one of the website tracking codes embedded on the Rack Room Shoes site is known as Meta Pixel. This code will allegedly track a site visitor’s communications and then secretly send messages to Meta with the visitor’s personal information, including:

  • The visitor’s search queries.
  • The name of any webpage visited.
  • The name of any button clicked by the site user.
  • Items placed in the user’s online cart.
  • Hashed values corresponding to the visitor’s name, address, phone number, and email.

Additionally, if the person who visits the Rack Room Shoes website happens to have a Facebook profile, the embedded Meta Pixel code will also allegedly send messages containing the person’s Facebook ID.

Attentive Tag Code

Another tracking tool allegedly embedded on the Rack Room Shoes website is known as Attentive Tag. This code allegedly tracks user activity on the site and sends messages to Attentive containing the user’s personal data, including:

  • The full URL string visited.
  • Any products purchased.
  • The user’s unencrypted phone number and email.

Data Broker Companies

The lawsuit against Rack Room Shoes also alleges that the popular shoe chain has similar “data collection” and “data sharing” arrangements with several other third-party companies beyond Meta and Attentive, including data brokers trying to sell personal information obtained from intercepted communications online.

Lawsuit: Rack Room Shoes Violated the Federal Wiretap Act

The plaintiffs filed a class action lawsuit against Rack Room Shoes in the United States District Court for the Northern District of California. The complaint specifically alleges that Rack Room Shoes “knowingly uses intercepted communications” of website visitors for the company’s own commercial purposes, including to “run targeted advertisements.” These actions would constitute serious violations of the Federal Wiretap Act.

The plaintiffs asked the federal court for equitable relief because they suffered harm from the unlawful collection and sharing of their data. The complaint provides support for the contention that their personally identifiable browsing activity has significant financial worth. That’s because this is an era in which browser history data and other personal information obtained online can be extremely valuable to data brokers and other entities that are looking to profit through personalized marketing.

Court Denies Motion to Dismiss: Federal Wiretap Suit Against Rack Room Shoes Can Move Forward

The Rack Room Shoes litigation has already seen multiple pre-trial rulings because the Defendant filed two motions to dismiss the privacy claims.

First Motion to Dismiss

The first motion to dismiss was denied because the federal court found that the plaintiffs “adequately alleged that Rack Room’s privacy policy failed to disclose that a third party may collect, store, and analyze a visitor’s browsing and purchase history in a way that is personally identifiable or that a third party could use that data for its own commercial purposes.” Therefore, said the court, the data collection was plausibly done without consent of website visitors.

Additionally, the court found that the plaintiffs stated valid claims for violations of California consumer privacy laws, including invasion of privacy under both the California Constitution and the California Invasion of Privacy Act (CIPA).

Second Motion to Dismiss

The U.S. District Court heard arguments from both sides before ruling against the Defendant’s motion to dismiss with respect to alleged violations of two statutes: the California Comprehensive Computer Data and Access Fraud Act (CDAFA) and the Federal Wiretap Act.

Although the court granted the motion to dismiss with respect to the California Unfair Competition Law (UCL) and the Consumers Legal Remedies Act (CLRA), the pre-trial ruling was still a major win for the plaintiffs because it means the class action against Rack Room Shoes can proceed on the two most significant claims: alleged violations of California’s computer data fraud law and the federal wiretap law.

Court: Rack Room Shoes May Have Violated the CDAFA

The California Comprehensive Computer Data and Access Fraud Act (CDAFA) is a state law that provides broad protection against the unauthorized use or taking of a person’s data online. As set forth by Cal. Penal Code § 502(c)(2), a person who “knowingly accesses and without permission takes, copies, or makes use of any data from a computer” violates the statute. Section 502(e)(1) further states that any “owner of a computer who suffers damage or loss by reason of a violation of the CDAFA may bring a civil action against the violator.”

In its order declaring that the wiretapping lawsuit against Rack Room Shoes may proceed, the court noted that the plaintiffs had sufficiently alleged that they suffered economic injury because Rack Room Shoes caused Meta, Attentive, and data broker companies to unjustly profit from the personal information and online activity of website visitors.

The court also noted the plaintiffs’ allegation that Rack Room Shoes used customer profiles that integrated the customers’ personally identifiable browsing history, and this allowed the company to run targeted marketing campaigns. (Moreover, Rack Room Shoes told customers in its website Privacy Policy that it would not collect this type of information.)

CDAFA Damages

The class action lawsuit against Rack Room Shoes seeks damages through disgorgement, which is specifically allowed under the CDAFA. Disgorgement is a civil remedy that requires a wrongdoer to give up any profits earned from illegal actions.

The California federal court found that the plaintiffs in the class action plausibly pleaded that they suffered the type of compensable damages that may be recovered in a CDAFA claim. The court noted that online consumers have a stake in any profits derived unjustly from their personal data. The court concluded its discussion of CDAFA damages by stating that the plaintiffs were damaged simply by not having received a share of the allegedly unjust profits generated from their data, regardless of whether there was any direct financial harm. As support for this point, the court quoted the California State Legislature’s discussion of the statutory purpose of the CDAFA: “The legislature found that the protection of lawfully created computer data is vital to the protection of the privacy of individuals.”

Court: Plausible Allegation That Rack Room Shoes Violated the Federal Wiretap Act

The Federal Wiretap Act is part of the Electronic Communications Privacy Act (ECPA). The statute, codified at 18 U.S.C. § 2511, creates both criminal and civil liability for anyone who intentionally intercepts any wire or electronic communication, as well as for anyone who intentionally uses content knowing that the information was obtained through interception. Anyone whose wire or electronic communication is intercepted, disclosed, or intentionally used in violation of the Federal Wiretap Act may be eligible to file a civil action and recover damages from the person or entity who committed the offense.

The statute defines “intercept” as “the acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” In its pre-trial ruling against the motion to dismiss, the U.S. District Court found that the plaintiffs “plausibly alleged that Rack Room intentionally used intercepted communications in violation of the Federal Wiretap Act.”

Exceptions to Federal Wiretap Act

The Federal Wiretap Act does provide a limited exemption from liability – known as the “party exception” – when the person who intercepted the communication was a party to the communication. However, the limitation on this exception – known as the “crime-tort exception” – is that it does not apply when the interception was “for the purpose of committing any criminal or tortious act.”

In this case, Rack Room Shoes was both a party to the communications and consented to the interception. As such, the party exception to the wiretap law would seemingly be triggered.

However, the court found that the crime-tort exception also applies here, which means that the alleged interception of customer data is still unlawful. In its pre-trial ruling, the court stated that the plaintiffs adequately alleged that Rack Room Shoes “played an active role in the use of embedded code to intercept customers’ electronic communications” because the company customized and deployed the code. Moreover, the court noted that these data collection practices were not clearly disclosed in the company’s privacy policy. As such, said the court, Rack Room Shoes’ alleged tortious purpose in intercepting website visitors’ communications is enough to satisfy the crime-tort exception and expose Rack Room Shoes to liability under the Federal Wiretap Act.

Contact the Los Angeles Consumer Protection Attorneys at Tauler Smith LLP

The Los Angeles consumer protection lawyers at Tauler Smith LLP represent plaintiffs in invasion of privacy cases, including California CIPA claims and federal wiretapping lawsuits. If you believe that your personal information was collected online without your consent, you may be eligible to bring a claim for monetary compensation.

Call 310-590-3927 or email us to learn more.