1 2 3 4 5 6 7 8 9 UNITED STATES DISTRICT COURT 10 NORTHERN DISTRICT OF CALIFORNIA 11 San Francisco Division 12 SUSAN JOHNSON, individually and on Case No. 20-cv-08183-LB behalf of all others similarly situated, 13 Plaintiff, ORDER GRANTING MOTION TO 14 DISMISS v. 15 Re: ECF No. 37 BLUE NILE, INC., et al., 16 Defendants. 17 18 INTRODUCTION 19 Blue Nile sells jewelry online through its website. It uses FullStory’s software (called “session 20 replay”) to record what visitors are doing on the Blue Nile website, such as their keystrokes, mouse 21 clicks, and page scrolling, thereby allowing a full picture of the user’s website interactions. 22 The plaintiff — on behalf of a putative California class — claims that FullStory is illegally 23 wiretapping her communications with Blue Nile (and Blue Nile is aiding and abetting that 24 eavesdropping) in violation of California’s Invasion of Privacy Act (CIPA). The defendants moved to 25 dismiss the claims, in part on the ground that FullStory — as Blue Nile’s vendor for analyzing its 26 website traffic — was a party to the communication (and not an eavesdropper). The defendants also 27 contend that the court lacks personal jurisdiction because there is no forum-related conduct. 1 The plaintiff does not plausibly plead that FullStory eavesdropped on her communications with 2 Blue Nile and pleads only that FullStory is Blue Nile’s vendor for software services. She thus does 3 not meet her prima facie burden to establish specific jurisdiction over the defendants, and she does 4 not plausibly plead wiretapping in violation of California law. 5 6 STATEMENT 7 The next sections describe how FullStory’s software works, how the plaintiff used Blue Nile’s 8 website (and what information FullStory’s software captured), and the case’s procedural history. 9 10 1. FullStory’s Software 11 FullStory is a Delaware corporation headquartered in Atlanta, Georgia.1 It provides software to 12 its clients (including Blue Nile) to capture and analyze data so that the clients can see how visitors 13 to their websites are using the sites.2 The clients put FullStory’s code on their websites to capture 14 the data, and then they can review the data, which is stored in the cloud on FullStory’s servers.3 15 The software records visitor data such as keystrokes, mouse clicks, and page scrolling. Through a 16 function called Session Replay, FullStory’s clients can see a “playback” of any visitor’s session. If 17 the visitor is still on the site, the clients can see the session live.4 18 19 2. The Plaintiff’s Use of Blue Nile’s Website 20 The plaintiff is a resident of California, and Blue Nile is a Delaware company headquartered in 21 Seattle, Washington.5 Between January and May 2020, the plaintiff visited Blue Nile’s website on a 22 monthly basis to browse its jewelry selection but did not buy anything. FullStory’s Session Replay 23 24 1 First Am. Compl. (FAC) – ECF No. 34 at 3 (¶ 8). Citations refer to material in the Electronic Case 25 File (ECF); pinpoint citations are to the ECF-generated page numbers at the top of documents. 26 2 Id. at 6–7 (¶¶ 25–28). 3 Id. at 3 (¶ 9), 10 (¶ 41), 16 (¶ 72). 27 4 Id. at 6–7 (¶¶ 26–28), 8 (¶ 31). 1 function “created a video capturing each of Plaintiff’s keystrokes and mouse clicks on the website . 2 . . [and] also captured the date and time of the visit, the duration of the visit, Plaintiff’s IP address, 3 her location at the time of the visit, her browser type, and the operating system on her device.”6 4 “When users access [] [Blue Nile’s] Website and make a purchase, they enter their PII 5 [personally identifiable information],” and FullStory’s software “captures these electronic 6 communications . . . [e]ven if users do not complete the form” for the purchase. The captured PII 7 includes — in addition to the information in the last paragraph — the user’s payment card 8 information such as card number, expiration code, and CVV security code.7 9 10 3. Relevant Procedural History 11 The plaintiff’s amended complaint has three claims: (1) wiretapping, in violation of Cal. Penal 12 Code § 631(a); (2) the sale of eavesdropping software, in violation of Cal. Penal Code § 635(a); 13 and (3) invasion of privacy under California’s Constitution.8 The plaintiff withdrew claim three.9 14 The putative class is “all California residents who visited [Blue Nile’s] Website, and whose 15 electronic communications were intercepted or recorded by FullStory.”10 The case is related to 16 Graham v. Noom, Inc., No. 3:20-cv-06903-LB (N.D. Cal.) and raises the same issues.11 All parties 17 consented to magistrate jurisdiction.12 The parties do not dispute that there is subject-matter 18 jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2)(A).13 The defendants 19 moved to dismiss the case.14 The court held a hearing on April 8, 2021. 20 21
22 6 Id. at 10–11 (¶¶ 44–45). 23 7 Id. at 11 (¶¶ 47–48). 8 Id. at 14-18 (¶¶ 65–93). 24 9 Opp’n – ECF No. 39 at 9 n.1. 25 10 FAC – ECF No. 34 at 13 (¶ 58). 26 11 Order – ECF No. 34 (relating cases). 12 Consents – ECF Nos. 29–31. 27 13 FAC – ECF No. 34 at 34 (¶ 11). 1 ANALYSIS 2 The reasoning in Graham v. Noom controls here: (1) for the section 631(a) claim, the plaintiff 3 does not plausibly plead FullStory’s wiretapping, and Blue Nile thus is not liable as an aider and 4 abettor; (2) there is no section 635(a) claim because there is no wiretapping; and (3) there is no 5 personal jurisdiction over FullStory or Blue Nile. 6 7 1. Section 631(a) Claim 8 First, for the reasons stated in Graham v. Noom, FullStory is not a third-party eavesdropper. 9 As a result, Blue Nile is not liable for aiding and abetting FullStory’s wrongdoing because there is 10 no wrongdoing.15 11 Second, the plaintiff predicates her claim in part on information — such as IP addresses, 12 locations, browser types, and operating systems — that is not content.16 The plaintiff does not 13 meaningfully dispute that this information is not content but contends that other website 14 interactions are content.17 For the reasons in Noom, the court dismisses the claim to the extent that 15 it is predicated on non-content information.18 In any amended complaint, the plaintiff can 16 delineate content from non-content records. 17 Third, the defendants contend that Blue Nile’s privacy policy discloses the possibility of data 18 collection and analysis.19 The plaintiff counters — as her counsel did in Noom — that she could 19 not consent to wiretapping that happened when she accessed the website and before she could read 20 the policy, notice was insufficient, and the policy in any event did not disclose wiretapping.20 21 The privacy policy discloses that Blue Nile may collect user data such as (1) information 22 gathered through cookies and other tracking technology, (2) device and browser information, (3) 23
24 15 Graham v. Noom, Inc., No. 3:20-cv-06903-LB, Order – ECF No. 51 at 6–9. 25 16 Mot. – ECF No. 37 at 19–20; Reply – ECF No. 41 at 12–14. 26 17 Opp’n – ECF No. 39 at 17–20. 18 Graham v. Noom, No. 3:20-cv-06903-LB, Order – ECF No. 51 at 9–10. 27 19 Mot. – ECF No. 37 at 24–26. 1 information gathered through web server logs, and (4) general location information.
Free access — add to your briefcase to read the full text and ask questions with AI
1 2 3 4 5 6 7 8 9 UNITED STATES DISTRICT COURT 10 NORTHERN DISTRICT OF CALIFORNIA 11 San Francisco Division 12 SUSAN JOHNSON, individually and on Case No. 20-cv-08183-LB behalf of all others similarly situated, 13 Plaintiff, ORDER GRANTING MOTION TO 14 DISMISS v. 15 Re: ECF No. 37 BLUE NILE, INC., et al., 16 Defendants. 17 18 INTRODUCTION 19 Blue Nile sells jewelry online through its website. It uses FullStory’s software (called “session 20 replay”) to record what visitors are doing on the Blue Nile website, such as their keystrokes, mouse 21 clicks, and page scrolling, thereby allowing a full picture of the user’s website interactions. 22 The plaintiff — on behalf of a putative California class — claims that FullStory is illegally 23 wiretapping her communications with Blue Nile (and Blue Nile is aiding and abetting that 24 eavesdropping) in violation of California’s Invasion of Privacy Act (CIPA). The defendants moved to 25 dismiss the claims, in part on the ground that FullStory — as Blue Nile’s vendor for analyzing its 26 website traffic — was a party to the communication (and not an eavesdropper). The defendants also 27 contend that the court lacks personal jurisdiction because there is no forum-related conduct. 1 The plaintiff does not plausibly plead that FullStory eavesdropped on her communications with 2 Blue Nile and pleads only that FullStory is Blue Nile’s vendor for software services. She thus does 3 not meet her prima facie burden to establish specific jurisdiction over the defendants, and she does 4 not plausibly plead wiretapping in violation of California law. 5 6 STATEMENT 7 The next sections describe how FullStory’s software works, how the plaintiff used Blue Nile’s 8 website (and what information FullStory’s software captured), and the case’s procedural history. 9 10 1. FullStory’s Software 11 FullStory is a Delaware corporation headquartered in Atlanta, Georgia.1 It provides software to 12 its clients (including Blue Nile) to capture and analyze data so that the clients can see how visitors 13 to their websites are using the sites.2 The clients put FullStory’s code on their websites to capture 14 the data, and then they can review the data, which is stored in the cloud on FullStory’s servers.3 15 The software records visitor data such as keystrokes, mouse clicks, and page scrolling. Through a 16 function called Session Replay, FullStory’s clients can see a “playback” of any visitor’s session. If 17 the visitor is still on the site, the clients can see the session live.4 18 19 2. The Plaintiff’s Use of Blue Nile’s Website 20 The plaintiff is a resident of California, and Blue Nile is a Delaware company headquartered in 21 Seattle, Washington.5 Between January and May 2020, the plaintiff visited Blue Nile’s website on a 22 monthly basis to browse its jewelry selection but did not buy anything. FullStory’s Session Replay 23 24 1 First Am. Compl. (FAC) – ECF No. 34 at 3 (¶ 8). Citations refer to material in the Electronic Case 25 File (ECF); pinpoint citations are to the ECF-generated page numbers at the top of documents. 26 2 Id. at 6–7 (¶¶ 25–28). 3 Id. at 3 (¶ 9), 10 (¶ 41), 16 (¶ 72). 27 4 Id. at 6–7 (¶¶ 26–28), 8 (¶ 31). 1 function “created a video capturing each of Plaintiff’s keystrokes and mouse clicks on the website . 2 . . [and] also captured the date and time of the visit, the duration of the visit, Plaintiff’s IP address, 3 her location at the time of the visit, her browser type, and the operating system on her device.”6 4 “When users access [] [Blue Nile’s] Website and make a purchase, they enter their PII 5 [personally identifiable information],” and FullStory’s software “captures these electronic 6 communications . . . [e]ven if users do not complete the form” for the purchase. The captured PII 7 includes — in addition to the information in the last paragraph — the user’s payment card 8 information such as card number, expiration code, and CVV security code.7 9 10 3. Relevant Procedural History 11 The plaintiff’s amended complaint has three claims: (1) wiretapping, in violation of Cal. Penal 12 Code § 631(a); (2) the sale of eavesdropping software, in violation of Cal. Penal Code § 635(a); 13 and (3) invasion of privacy under California’s Constitution.8 The plaintiff withdrew claim three.9 14 The putative class is “all California residents who visited [Blue Nile’s] Website, and whose 15 electronic communications were intercepted or recorded by FullStory.”10 The case is related to 16 Graham v. Noom, Inc., No. 3:20-cv-06903-LB (N.D. Cal.) and raises the same issues.11 All parties 17 consented to magistrate jurisdiction.12 The parties do not dispute that there is subject-matter 18 jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2)(A).13 The defendants 19 moved to dismiss the case.14 The court held a hearing on April 8, 2021. 20 21
22 6 Id. at 10–11 (¶¶ 44–45). 23 7 Id. at 11 (¶¶ 47–48). 8 Id. at 14-18 (¶¶ 65–93). 24 9 Opp’n – ECF No. 39 at 9 n.1. 25 10 FAC – ECF No. 34 at 13 (¶ 58). 26 11 Order – ECF No. 34 (relating cases). 12 Consents – ECF Nos. 29–31. 27 13 FAC – ECF No. 34 at 34 (¶ 11). 1 ANALYSIS 2 The reasoning in Graham v. Noom controls here: (1) for the section 631(a) claim, the plaintiff 3 does not plausibly plead FullStory’s wiretapping, and Blue Nile thus is not liable as an aider and 4 abettor; (2) there is no section 635(a) claim because there is no wiretapping; and (3) there is no 5 personal jurisdiction over FullStory or Blue Nile. 6 7 1. Section 631(a) Claim 8 First, for the reasons stated in Graham v. Noom, FullStory is not a third-party eavesdropper. 9 As a result, Blue Nile is not liable for aiding and abetting FullStory’s wrongdoing because there is 10 no wrongdoing.15 11 Second, the plaintiff predicates her claim in part on information — such as IP addresses, 12 locations, browser types, and operating systems — that is not content.16 The plaintiff does not 13 meaningfully dispute that this information is not content but contends that other website 14 interactions are content.17 For the reasons in Noom, the court dismisses the claim to the extent that 15 it is predicated on non-content information.18 In any amended complaint, the plaintiff can 16 delineate content from non-content records. 17 Third, the defendants contend that Blue Nile’s privacy policy discloses the possibility of data 18 collection and analysis.19 The plaintiff counters — as her counsel did in Noom — that she could 19 not consent to wiretapping that happened when she accessed the website and before she could read 20 the policy, notice was insufficient, and the policy in any event did not disclose wiretapping.20 21 The privacy policy discloses that Blue Nile may collect user data such as (1) information 22 gathered through cookies and other tracking technology, (2) device and browser information, (3) 23
24 15 Graham v. Noom, Inc., No. 3:20-cv-06903-LB, Order – ECF No. 51 at 6–9. 25 16 Mot. – ECF No. 37 at 19–20; Reply – ECF No. 41 at 12–14. 26 17 Opp’n – ECF No. 39 at 17–20. 18 Graham v. Noom, No. 3:20-cv-06903-LB, Order – ECF No. 51 at 9–10. 27 19 Mot. – ECF No. 37 at 24–26. 1 information gathered through web server logs, and (4) general location information. It says that 2 Blue Nile may share the data with “[s]ite optimization service providers” and “[m]arketing service 3 providers.” Blue Nile uses the collected data to, among other things, “optimize the performance of 4 the site,” “understand [] customer demographics, preferences, interest, and behavior,” and 5 “improve marketing and promotional efforts, and overall customer experience.”21 6 As in Noom, the parties FullStory’s main argument is that to be liable, its acts must be 7 surreptitious, and given the policy’s disclosures, the plaintiff did not plausibly plead its surreptitious 8 acts.22 The plaintiff mainly argues traditional principles of consent (although she also contends that 9 the policy does not disclose wiretapping).23 FullStory counters that it never argued traditional 10 consent.24 As in Noom, the parties’ arguments about consent do not permit resolution of the issue. As 11 to the adequacy of the privacy policy’s disclosures, FullStory made a practical argument but did not 12 cite any cases involving privacy policies to support the argument. (Perhaps there are none.) Given the 13 court’s holding that there is no wiretapping, the issues — consent and the policy’s alleged failure to 14 disclose wiretapping — are moot. On this round of motions, the privacy policy is not a separate 15 ground to dismiss the claim.25 16 17 2. Section 635(a) Claim 18 For the reasons stated in Noom¸ the plaintiff does not have a private right of action and lacks 19 Article III standing for the section 635(a) claim.26 As in Noom, given the lack of a private right of 20 21 22
23 21 Privacy Policy, Ex. A to Zhang Decl. – ECF No. 37-2 at 3–4. The court considers the privacy policy 24 under the incorporation-by-reference doctrine. Knievel v. ESPN, 393 F.3d 1068, 1076 (9th Cir. 2005); FAC – ECF No. 34 at 11–13 (¶¶ 50–56) (citing privacy policy). 25 22 Mot. – ECF No. 37 at 24–26; Reply – ECF No. 41 at 18–19. 26 23 Opp’n – ECF No. 39 at 24–26. 24 Reply – ECF No. 41 at 19. 27 25 Graham v. Noom, Inc., No. 3:20-cv-06903-LB, Order – ECF No. 51 at 10–11. 1 action or Article III standing, the court does not address the defendants’ other arguments about 2 viability of the section 635(a) claim.27 3 4 3. Personal Jurisdiction 5 For the reasons stated in Noom, there is no specific personal jurisdiction over FullStory. The 6 allegations in the complaint establish only that FullStory is Blue Nile’s vendor, and a vendor’s 7 selling a software-services product to Blue Nile — even if Blue Nile had substantial business here 8 and the vendor knew it — does not establish specific personal jurisdiction over the vendor.28 The 9 plaintiff does not contest this point. She alleges that (1) “Defendants knew that a significant 10 number of Californians would visit Blue Nile’s website, because they form a significant portion of 11 Blue Nile’s customer base,” and (2) “[b]y intercepting the transmissions of Blue Nile website 12 users, Defendants targeted their wrongful conduct at customers, some of whom Defendants knew, 13 at least constructively, were residents of California.”29 Her basis for jurisdiction is the wiretapping 14 of these customers.30 Because she did not plausibly plead FullStory’s wiretapping, she did not 15 plead specific personal jurisdiction over FullStory. 16 The analysis regarding Blue Nile is slightly different. Unlike FullStory, who is merely a vendor, 17 Blue Nile sells goods to California customers. If it were committing a tort like wiretapping, its acts 18 might be purposefully directed toward California customers and establish specific personal 19 jurisdiction over it. S.D. v. Hytto Ltd., No. 18-cv-00688-JSW, 2019 WL 8333519, at *4 (N.D. Cal. 20 May 15, 2019); cf. ThermoLife Int’l, LLC v. NetNutri.com LLC, 813 F. App’x 316, 318 (9th Cir. 21 2020) (the plaintiff “cannot establish specific personal jurisdiction through nonspecific, nationwide 22 sales”).31 Wiretapping is the only ground that the plaintiff asserts to support specific personal 23
24 27 Id. at 12–13. 25 28 Id. at 16. The court ordinarily addresses jurisdiction as a threshold issue. But because there are two defendants and fact allegations about the defendants’ relationship that make it easier to address the 26 Rule 12(b)(6) challenge to the claims first, the court addresses jurisdiction second. 29 FAC – ECF No. 34 at 4 (¶ 14). 27 30 Opp’n – ECF No. 39 at 10. 1 || jurisdiction over Blue Nile.*? Because Blue Nile did not aid or abet any wiretapping, there is no tor 2 || establishing jurisdiction here. 3 CONCLUSION 4 The court dismisses the complaint with leave to amend within 21 days (except that it dismisses 5 || the plaintiff's withdrawn claim three with prejudice). Any amended complaint must attach a 6 || blackline comparison between the current complaint and the amended complaint. 7 IT IS SO ORDERED. EC 8 Dated: April 8, 2021 Li LAUREL BEELER 9 United States Magistrate Judge 10 1]
Oo Z 18 19 20 21 22 23 24 25 26 27 28 || 71d.