Price v. Carnival Corporation

• Court: District Court, S.D. California
• Decided: January 19, 2024
• Docket: 3:23-cv-00236
• Status: Unknown

Opinion

1 2 3 4 5 6 7 8 UNITED STATES DISTRICT COURT 9 SOUTHERN DISTRICT OF CALIFORNIA 10 11 INDIA PRICE, ERICA MIKULSKY, Case No.: 23-cv-236-GPC-MSB MARILYN HERNANDEZ, DANIEL 12 RUBRIDGE, and ARIEL OLIVER, ORDER GRANTING IN PART AND 13 individually, and on behalf of all others DENYING IN PART DEFENDANT’S similarly situated, MOTION TO DISMISS 14

Plaintiffs, 15 [ECF No. 23] v. 16 CARNIVAL CORPORATION, 17 Defendant. 18

19 Pending before the Court is Defendant Carnival’s Motion to Dismiss Plaintiffs’ 20 First Amended Complaint. A hearing was held on January 12, 2024. For the reasons 21 stated below, the motion is GRANTED IN PART AND DENIED IN PART. 22 BACKGROUND 23 Carnival, “the world’s largest leisure travel company,” maintains a website at 24 carnival.com where users may browse and book cruises. On carnival.com, no action goes 25 unnoticed. Every click is counted, every keystroke is collected, and every cursor 26 movement is catalogued. Carnival explains that this constant surveillance “improve[s]” 27 1 the user experience, ECF No. 23 (“Motion to Dismiss” or “MTD”) at 12,1 but Plaintiffs 2 prefer to browse in privacy, and bring suit alleging that Carnival has violated federal 3 wiretap and hacking laws and seven state analogues. 4 Plaintiffs allege that Carnival enlists third-party companies to embed recording 5 software, often referred to as “Session Replay Code,” on Carnival’s website. ECF No. 22 6 (“First Amended Complaint” or “FAC”) at ¶¶ 1, 67. One such party is Microsoft. Id. at ¶ 7 51. Microsoft calls its Session Replay Code, “Clarity,” and embeds Clarity on Carnival’s 8 “website, either by directly hard-coding the code on the website or through a third-party 9 platform . . . .” Id. at ¶ 59. When a user visits the website, Clarity is “deploy[ed]” onto 10 the user’s browser. Id. at ¶ 50. There, it collects information about the user’s system, 11 including their device, browser, operating system, and location, as well as “all mouse 12 movements, clicks, scrolls, zooms, window resizes, keystrokes, text entry (even if 13 deleted), and numerous other forms of a user’s navigation and interaction through the 14 website.” Id. at ¶¶ 31, 53. Clarity transmits the collected information to Microsoft’s 15 server in “hyper-frequent logs” which are “often just milliseconds apart.” Id. at ¶¶ 31, 16 72. 17 After recording the user’s information, Microsoft “analyze[s]” it. Id. at ¶ 2 (“Both 18 Carnival and the Session Replay Providers access and analyze the video replay of the 19 user’s behavior on the website.”). Microsoft provides Carnival with a reenactment of the 20 user’s visit, akin to “a video replay,” id. at ¶ 2, and uses Clarity to create “detailed 21 heatmaps” for Carnival, “that provide information about which elements of a website 22 have high user engagement,” id. at ¶ 55. Clarity’s most powerful function, however, is 23 its ability to expose a user’s browsing on other sites. See id. at ¶ 42. Clarity attaches a 24 “specific user ID,” or a “fingerprint,” to a visitor’s profile based upon their unique 25

26 1 Page citations refer to CM/ECF pagination. 27 1 “combination of computer and browser settings, screen configuration, and other 2 detectable information.” Id. at ¶¶ 41, 53. Carnival accesses these fingerprints, which are 3 collected across every site that Clarity is deployed on, and uses them to link a user’s 4 session to “web browsing across other websites previously visited, including on websites 5 where the user had intended to remain anonymous.” Id. at ¶¶ 41–42, 190, 220. Plaintiffs 6 allege that Carnival uses Microsoft’s services to create “unique IDS and profiles” for 7 each of its users, id. at ¶ 70, “de-anonymizing” its users’ internet browsing, id. at ¶¶ 190, 8 220.2 9 Plaintiffs complain that as a result of this practice, Carnival intercepts Plaintiffs’ 10 personal information,3 including their “passport number, driver’s license number, date of 11 birth, home address, phone number, email address and/or payment information,” id. at 11, 12 and uses that information to trace users’ browsing history on other sites in violation of the 13 Federal Wiretap Act, 18 U.S.C. § 2510, et seq., the Computer Fraud and Abuse Act, 18 14 U.S.C. §1030, the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 630, 15 et seq., the Maryland Wiretapping and Electronic Surveillance Act, Md. Code Ann., Cts. 16 & Jud. Proc. § 10-401, et seq., the Massachusetts Wiretap Act, Mass. Gen. Laws ch. 272, 17 §99, the Pennsylvania Wiretapping and Electronic Surveillance Control Act, 18 Pa. Cons. 18 19

20 2 Plaintiffs allege that Carnival makes similar use of “other Session Replay Code through 21 various Session Replay Providers,” including a company known as ContentSquare. Id. at 22 ¶¶ 63–64. 3 Because Plaintiffs have made more than general allegations that their personal data was 23 intercepted, the Court concludes that Plaintiffs “have made sufficient allegations to create 24 a question of fact as to whether there is sufficiently personal information to support [Article III] standing.” See James v. Walt Disney Co., No. 23CV02500EMCEMC, 2023 25 WL 7392285, at *6 (N.D. Cal. Nov. 8, 2023); see also Steel Co. v. Citizens for Better 26 Env't, 523 U.S. 83, 94 (1998) (holding that standing is a “question the court is bound to ask and answer for itself, even when not otherwise suggested”). 27 1 Stat. § 5701 et seq., and each of the aforementioned states’ common-law prohibitions on 2 invasion of privacy. 3 LEGAL STANDARD 4 On a motion to dismiss under Rule 12(b)(6), the Court takes as true all well- 5 pleaded factual allegations set forth in the complaint and construes them in the light most 6 favorable to the Plaintiffs. Benavidez v. Cnty. of San Diego, 993 F.3d 1134, 1158 (9th 7 Cir. 2021). To survive a motion to dismiss, “a complaint must contain sufficient factual 8 matter, accepted as true, to ‘state a claim to relief that is plausible on its face.” Ashcroft 9 v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 10 570 (2007)). 11 ANALYSIS 12 1. Wiretap Claims 13 i) Party to the Communication Exception 14 To plead a plausible claim under the Federal Wiretap Act, Plaintiffs’ complaint 15 must demonstrate that Carnival (1) without consent (2) intentionally intercepted the (3) 16 contents of a communication (4) using a device. See 18 U.S.C. §2511. Carnival submits 17 that, as an initial matter, its surveillance scheme escapes the purview of federal and state 18 wiretap laws because Plaintiffs intended to communicate with Carnival.4 See 18 U.S.C. § 19

20 21 4 The federal and state wiretap laws are treated as largely analogous. MTD at 16; see, e.g., Pena v. GameStop, Inc., 2023 WL 3170047, at *3 (S.D. Cal. 2023) (“‘The analysis 22 for a violation of CIPA [Cal. Penal Code § 631] is the same as that under the federal 23 Wiretap Act.’”); Com. v. Blystone, 519 Pa. 450, 464-65 (1988) (“[T]he Pennsylvania wiretapping statute is based on its federal counterpart, Title III of the Omnibus Crime 24 Control and Safe Streets Act of 1968, 18 U.S.C. §§ 2510–2016.”); Davis v. State, 43 25 A.3d 1044, 1051 (Md. 2012) (“[I]t is clear through both legislative history and case precedent that the federal wiretap statute … served as the guiding light for the Maryland 26 Act; therefore, we read the acts in pari materia.”); Com. v. Vitello, 367 Mass. 224, 251 27 (1975) (“[I]n substance the requirements of the Massachusetts statute are the same as 1 2511(2)(d) (“It shall not be unlawful . . . for a person . . . to intercept a[n] electronic 2 communication where such person is a party to the communication.”).5 Wiretapping 3 requires a third party to the communication. See Tanner v. Acushnet Co., 2023 WL 4 8152104, at *4 (C.D. Cal. Nov. 20, 2023). “That alone,” Carnival insists, ends Plaintiffs’ 5 wiretap claims. ECF No. 26 (“Carnival Reply”) at 12. 6 But Carnival’s surveillance scheme employs third parties, like Microsoft. See 7 MTD at 28 (“Carnival . . . procured third-party Session Replay Providers . . . .”). While 8 some courts have construed software providers as “extensions” of the websites that 9 employ them where the software “merely function[s] as a tape recorder,” courts decline 10 to adopt this construction where the software performs more than the ordinary function of 11 a tape recorder. Acushnet, 2023 WL 8152104, at *4 (quoting Javier v. Assurance IQ, 12 LLC, 649 F. Supp. 3d 891, 898 (N.D. Cal. 2023)). Software providers exceed the 13 “ordinary function of a tape recorder” where, for instance, they “capture[], store[], and 14 interpret[] real-time data.” Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1081 15 (C.D. Cal. 2021). Here, Plaintiffs allege that Clarity processes Plaintiffs’ data to generate 16 analytics, including heatmaps of user engagement and unique IDS and profiles containing 17 their browsing history on other websites. FAC at ¶¶ 42, 55 (“Clarity also uses the 18 information captured to create detailed heatmaps of a website . . . .”). Plaintiffs allege 19 that Carnival makes active use of those capabilities. See, e.g., id. at ¶ 101 (“Carnival’s 20 subsequent use of data, in a manner for which it lacked permission, namely associating 21 the data with user’s pre-existing online activity and using it to advertise . . . violated . . . 22

23 those of Title III [the Federal Wiretap Act], as the legislative history of Title III shows 24 that they should be.”). 25 5 Plaintiffs conceded at oral argument that the “party to the communication” exception 26 would apply if Carnival recorded user communications without the assistance of a third party. 27 1 the Wiretap Act.”). Because generating heatmaps and fingerprinting unique browser 2 profiles extends beyond the function of a tape recorder, the “party to the communication” 3 exception does not prevent Carnival from being “held liable under [] federal and state 4 wiretapping statutes for directing, aiding and/or abetting its Session Replay Provider[, 5 Microsoft,] to integrate Session Replay Code into its website.” ECF No. 25 (“Plaintiffs’ 6 Opposition”) at 14.6 7 ii) Consent 8 Carnival next argues that Plaintiffs consented to recording by (1) the “very act of 9 sending a communication over the internet and by (2) constructively assenting to the 10 terms of Carnival’s Privacy Policy. The Court considers these arguments in turn. 11 Citing Commonwealth v. Proetto, A.2d 823, 829 (Pa. Super. 2001), Carnival 12 argues that Plaintiffs’ “very act of sending a communication over the Internet” to 13 Carnival constituted express consent to Carnival’s surveillance scheme—its simultaneous 14 transmission of Plaintiffs’ communications to a third party for collection and processing, 15 tagging of Plaintiffs’ browser profiles, and tracing of their visits on carnival.com to visits 16 on other websites.7 See MTD at 18. Proetto stands for the common-sense premise that 17 an individual that sends a message over the internet, like an individual leaving a message 18 on an answering machine, is “aware of the fact that messages are received in a recorded 19 format . . . and can be downloaded or printed by the party receiving the message” and “if 20 21 22 6 As discussed below, the Court dismisses one of Plaintiffs’ claims with leave to amend. 23 That leave extends to the entire complaint, and Plaintiffs may plead facts further describing how Clarity processes the collected data. 24 7 Plaintiffs argue that Carnival may not raise the issue of consent at the motion to dismiss 25 stage, see Plaintiffs’ Opposition at 8 n.4, but “[c]onsideration of consent is appropriate on 26 a motion to dismiss where [as here] lack of consent is an element of the claim.” Silver v. Stripe Inc., 2021 WL 3191752, at *2 (N.D. Cal. 2021). 27 1 not deleted by the receiver, will remain on the receiver’s system.” Id. at 830 (emphasis 2 added). Relying upon the answering machine analogy, the Proetto court concluded that 3 defendant had expressly consented to the fifteen-year-old complainant’s decision, to save 4 the email and chat-room messages that defendant had sent to her, and report them to the 5 police department. Id. 6 Proetto did not discuss simultaneous interception by a third party, because the 7 communication at issue occurred without a third-party eavesdropper. The complainant 8 “received the communication[s] and later disclosed th[ose] communication[s] to 9 Detective Morris.” Id. at 829 (emphasis added). Moreover, peppered through Proetto’s 10 analysis of consent is the court’s emphasis that consent is given—not to anyone who 11 happens upon the communication—but to “the receiver.” Id. at 829–30. Nowhere does 12 Proetto discuss consent to a third party. That absence is critical, here, where Carnival 13 must demonstrate that Plaintiffs’ consent extends not just to the receiver, Carnival, but 14 also to third-party Session Replay Providers, like Microsoft. 15 In an attempt to bridge this gap, Carnival cites to Farst v. AutoZone, Inc., 2023 WL 16 7179807, at *4 (M.D. Pa. 2023). There, the court dismissed plaintiff’s Session Replay 17 Code claims in the context of online shopping, reasoning that shopping is a public 18 activity and that use of the internet to shop does not change that. Id. (citing Cook v. 19 GameStop, Inc., 2023 WL 5529772, at *4 (W.D. Pa. Aug. 28, 2023) and Massie v. Gen. 20 Motors LLC, 2022 WL 534468, at *5 (D. Del. Feb. 17, 2022)). But Farst, and the cases 21 it cites, center their reasoning on the plaintiffs’ failure to plead that defendants had 22 intercepted personal information or something beyond mere “shopping preferences.” See 23 Farst, 2023 WL 7179807, at *5 (“Farst does not aver AutoZone disclosed his home 24 address, credit card, bank account, social security number, or any other information that 25 could potentially be used to identify him”); Cook, 2023 WL 5529772, at *4 (“Ms. Cook 26 did not enter any personally identifying information at any point during her interaction. 27 1 Not her name. Not her address. Not her credit card information. Nothing that could 2 connect her browsing activity to her.”); Massie, 2022 WL 534468 at *5 (“Each of 3 Plaintiffs’ cited cases involves the collection and disclosure of personal information. 4 Here, Plaintiffs do not allege that any of their information collected by the Session 5 Replay software was personal or private . . . .”). Farst distinguished its holding, from 6 cases recognizing an internet privacy interest, based upon “[t]he type of data collected in 7 those cases,” which included “plaintiffs’ genders, birthdates, IP addresses, browser 8 settings, and unique device identifiers.” 2023 WL 7179807, at *4. This is the exact 9 information that Plaintiffs allege Carnival captured. See, e.g., FAC at ¶ 35. Indeed, the 10 court in Farst granted plaintiff leave to amend, noting that “[m]any of the deficiencies 11 identified herein with respect to the concreteness of Farst’s asserted injury are factual and 12 thus potentially curable.” 2023 WL 7179807, at *6. Plaintiffs’ pleading here possesses 13 what Farst’s pleading lacked: concrete assertions that Carnival intercepted personal 14 information. Accordingly, Carnival’s citation to Farst only weakens its position. The 15 Court concludes that Plaintiffs’ internet communications to Carnival did not constitute 16 consent to recording by third parties, especially where Plaintiffs have adequately plead 17 the interception of sensitive, personal information including their passport numbers and 18 credit cards. See In re Facebook Inc. Internet Tracking Litig., 956 F.3d 589, 600–03 (9th 19 Cir. 2020). 20 Carnival’s second argument is that it provided Plaintiffs notice of Carnival’s 21 recording policy via a “Cookie Policy” banner displayed at the bottom of Carnival’s 22 website, and that Plaintiffs constructively assented to the terms of that policy through 23 their continued use of the site. But Plaintiffs allege that the website does not put 24 Plaintiffs on notice of recording, and that “users can interact with Carnival’s website 25 without ever reviewing or agreeing to the terms of any purported privacy policy Carnival 26 27 1 may have.” FAC at ¶ 70. At this stage, where the Court must take as true the Plaintiffs’ 2 well-pleaded factual allegations, Carnival’s consent defense appears premature. 3 Carnival disputes this, noting that the Court need not accept as true “any 4 allegations that are contradicted by matters . . . incorporated by reference in a complaint.” 5 MTD at 14–15. Carnival observes that the website is incorporated into Plaintiffs’ 6 complaint by reference, and invites the Court to consider several screenshots. MTD at 13 7 n.1; see also Knievel v. ESPN, 393 F.3d 1068, 1076 (9th Cir. 2005) (holding that internet 8 pages are incorporated by reference where “plaintiff’s claim depends on the contents of a 9 document”).8 Carnival argues that the screenshots demonstrate that the Cookie Policy 10 banner “immediately overlays the bottom of the visitor’s browser window” and “persists 11 at the bottom of the carnival.com website as a visitor navigates the site, even if they click 12 through different pages.” MTD at 14–15.9 But a screenshot without additional 13 information cannot demonstrate that a banner appears “immediately” or that it “persists” 14 throughout a user’s visit. Screenshots capture only a moment in time and cannot reflect 15 Carnival’s temporal assertions. 16 Furthermore, Carnival’s screenshots, which Carnival acknowledges may not be 17 accurate representations of what Plaintiffs viewed, MTD at 14 n.2, do not demonstrate 18 that Plaintiffs were on notice of Carnival’s recording policy. Carnival attempts to 19 provide notice of its recording policy with a banner located at the bottom of a user’s 20 screen, otherwise known as browsewrap, “a notice that—by merely using the services of, 21 obtaining information from, or initiating applications within the website—the user is 22 23

24 25 8 Plaintiffs do not object, and the Court incorporates the screenshots by reference. 26 9 Carnival insisted at oral argument that the Court may not independently visit Carnival’s website to verify these assertions. 27 1 || agreeing to and is bound by the site’s terms of service.” Nguyen v. Barnes & Noble Inc., 2 || 763 F.3d 1171, 1176 (9th Cir. 2014). Pictured below, is one of Carnival’s screenshots. 3 4 UPDATE hide acvizory Ge) 5 = Mamivat m® 6 =f) =e a1 |B) 8 ee eee 4 sataee | Paee a 7 ab hee

8 | | a | | J cmicery aL, vee 9 a -perosirs “PARA | $Bf) «:

10 ii ELLOOO ‘ INCLUDING OUR NEWEST SHIP! 11 Ne | a □□ ka - 13 fue □□□□□□□□□□□□□□□□□□□□□ *'Y' SAIL TO ¥ 14 15 | SAIL FROM ¥ | 16 DATES ‘ii i 1 8 “Tames, Fac and Pvt Bxperecs mega from $69.19 io S04.14, and are demand on a per quot hats for all Gunes aoeerchng to the Rinatary, 19 20 21

33 te Eeae □□ ea eee adn Genes re eaih seem belo Pe lat. | 8] bel te er, 3 24 =——

26 hilpsveww.camivel com | Wa 27 10 28 23-cv-236-GPC-MSB

1 ECF No. 18-2 at 2. The “Cookie Policy” banner informs users that Carnival “use[s] 2 cookies to personalize content and ads, to provide social media features and to analyze 3 [Carnival’s] traffic.” Id. The banner includes a hyperlink, that users may click to view 4 Carnival’s privacy policy. Id. 5 “[W]here, as here, there is no evidence that the website user had actual knowledge 6 of the agreement, the validity of the browsewrap agreement turns on whether the website 7 puts a reasonably prudent user on inquiry notice of the terms of the contract.” Nguyen, 8 763 F.3d at 1177 (citing Specht v. Netscape Commc'ns Corp., 306 F.3d 17, 30–31 (2d 9 Cir. 2002). “Whether a user has inquiry notice of a browsewrap agreement, in turn, 10 depends on the design and content of the website and the agreement’s webpage. Id. 11 (citing Be In, Inc. v. Google Inc., 2013 WL 5568706, at *6 (N.D. Cal. Oct. 9, 2013)). 12 Courts have declined to enforce browsewrap agreements where notice is hidden at the 13 bottom of a page, see In re Zappos.com, Inc. Customer Data Sec. Breach Litig., 893 F. 14 Supp. 2d 1058, 1064 (D. Nev. 2012), appears in small print, see Pollstar v. Gigmania, 15 Ltd., 170 F. Supp. 2d 974, 981 (E.D. Cal. 2000), or is only visible to users if they have 16 scrolled down to the next screen, Specht, 306 F.3d at 23. 17 Here, the Cookie Policy banner, is visible to a user without scrolling. However, 18 the text of the banner is smaller than the rest of the bold, large typeface found on 19 Carnival’s homepage, the notice is placed far below the relevant buttons that a user may 20 click, the blue of the banner matches the blue of other web panels, and the white text of 21 the banner blends in with the website’s white background. Additionally, Carnival has not 22 demonstrated that the banner appears immediately or that the banner persists for the 23 entirety of a user’s visits. Taken together, these facts do not demonstrate that a 24 “reasonably prudent user [would be] on inquiry notice of the terms of [Carnival’s Privacy 25 Policy].” Ngyuen, 763 F.3d at 1177. A user may be distracted by the large red buttons 26 inviting them to “SHOP NOW” or “SEARCH CRUISES” and never view the slim 27 1 banner across the bottom of their screen. A user may click one of these large, red buttons 2 before the Cookie Policy banner appears, and the banner may fail to appear on 3 subsequent pages. Whether because of the notice’s small text, inconspicuous color 4 scheme, or potential failure to appear, a reasonably prudent user would not “necessarily 5 have known or learned of the existence of [Carnival’s privacy] agreement prior to acting . 6 . . .” See Specht, 305 F.3d at 30. Accordingly, the Court credits Plaintiffs’ allegations 7 and concludes that at this stage, Plaintiffs have sufficiently alleged that interception of 8 their communications occurred without their consent.10 9 iii) Interception 10 To demonstrate interception, Plaintiffs must allege that their communications were 11 “acquired during transmission, not while [they were] in electronic storage.” Konop v. 12 Hawaiian Airlines, Inc., 302 F.3d 868, 878 (9th Cir. 2002). In other words, the collection 13 without consent of Plaintiffs’ information must occur contemporaneously with its 14 ordinary transmission. Plaintiffs allege: 15 68. During visits by Plaintiffs to www.carnival.com and its subpages, Plaintiffs 16 browsed for cruise packages and different destinations. Plaintiffs communicated 17 with Carnival’s website by using their mouse to hover and click on certain links and items, and inputting personal information and information about potential trips 18 they were researching or planning. All of this information – both record data and 19 the content of each Plaintiff’s Website Communications -- was intercepted by the Session Replay Code and sent to the Session Replay Provider during those visits. 20

21 69. The Session Replay Code immediately and instantaneously captured Plaintiffs’ Website Communications for the entire duration of their visits. Indeed, through 22

23 24 10 In their amended complaint, Plaintiffs may choose to further detail Plaintiffs’ experiences with Carnival’s cookie policy banner. Plaintiffs may take this opportunity to 25 supplement their description of the cookie banner, including as to whether the banner 26 consistently loads, whether the banner follows the user as they navigate the website, and whether the banner appears for subsequent users of a shared computer. 27 1 Carnival’s deployment of Session Replay Code, Plaintiffs’ Website Communications were automatically and secretly intercepted while using 2 Carnival’s website. 3 See FAC at ¶ 68. 4 Plaintiffs also allege that Session Replay Code, implanted in their browser, 5 captured their actions at hyper-frequent intervals, often just milliseconds apart, and then 6 communicated those actions at hyper-frequent intervals to Session Replay Provider 7 servers. See id. at ¶¶ 31, 72. Thus, Plaintiffs submit, they have alleged sufficient facts to 8 demonstrate that “transmission of a website user’s Website Communications . . . happens 9 contemporaneously in real-time.” FAC at ¶ 31. 10 At oral argument, Carnival emphasized that the internet is not magic and relied 11 heavily upon its contention that content is “packetized” and electronically stored, but 12 much of the technical detail counsel relied upon is not found in the pleadings. 11 13 Drawing all reasonable inferences in favor of Plaintiffs, the Court finds that Plaintiffs 14 have plausibly alleged that interception occurs contemporaneously with transmission. At 15 this stage, the Court finds that it may reasonably infer that at least some transmission and 16 interception occurred contemporaneously, within the same span of milliseconds. See 17 James v. Walt Disney Co., No. 2023 WL 7392285, at *14–15 (N.D. Cal. Nov. 8, 2023); 18 Campbell v. Facebook Inc., 77 F. Supp. 3d 836, 841 (N.D. Cal. 2014). 19 iv) Contents 20 21 22 23

24 11 During oral arguments, both sides discussed transmission in terms of “packets.” That 25 term is not found in the pleadings. Thus, Plaintiffs may find it prudent in their amended 26 complaint to further detail how Plaintiffs’ actions are transmitted to Carnival’s website and detail the timelines of transmission and interception. 27 1 The wiretapping laws at issue apply only where a defendant “acqui[res] . . . the 2 contents of any wire, electronic or oral communication.” 18 U.S.C. 2510(4).12 3 “Contents” means “information concerning the substance, purport, or meaning of [a] 4 communication.” 18 U.S.C. § 2510(8). Carnival emphasizes that “content” does not 5 include “record information,” such as the “‘name,’ ‘address,’ and ‘subscriber number or 6 identity’ of a subscriber or customer,” when such information is merely “generated in the 7 course of the communication.” In re Zynga Privacy Litig., 750 F.3d at 1107; MTD at 24. 8 But record information may constitute “contents” where “the record is the subject of a 9 communication . . . .” Id. 10 The Ninth Circuit approved the First Circuit’s decision in In re Pharmatrak, 329 11 F.3d 9, 15, 18–19 (1st Cir. 2003), where the First Circuit held that defendant had 12 “intercepted the content of the sign-up information customers provided to pharmaceutical 13 websites, which included their ‘names, addresses, telephone numbers, [and] email 14 addresses . . .’ and provided this information to third parties.” See id. (“[T]he First 15 Circuit correctly concluded that the defendant was disclosing the contents of a 16 communication.”). The Ninth Circuit reasoned that “[b]ecause the users had 17 communicated with the website by entering their personal medical information into a 18 form provided by the website, the First Circuit correctly concluded that the defendant was 19 disclosing the contents of a communication.” Id. Here, Plaintiffs have alleged that “[t]he 20 data and information intercepted by the Session Replay Code . . . includ[es], inter alia, 21 Plaintiffs’ location, intent to travel, dates of travel, travel locations as well as other 22 23 12 MTD at 14 n.7; 18 Pa. Stat. § 5702 (requiring the “acquisition of the contents of any 24 wire, electronic or oral communication”); Md. Code Ann., Cts. & Jud. Proc. § 10-401(10) 25 (same); Mass. Gen. Laws Ann. ch. 272, § 99(B)(4) (requiring the acquisition of “the contents of any wire or oral communication”); Cal. Penal Code § 631 (making it unlawful 26 to “read[], or attempt[] to read, or to learn the contents or meaning of any message, 27 report, or communication”). 1 personal data requested to book travel plans such as passport number, driver’s license 2 number, date of birth, home address, phone number, email address and/or payment 3 information.” FAC at ¶ 35.13 Just as in Pharmatrak, this information was “entered into 4 an information field or text box” provided by Carnival’s website. FAC at ¶ 1. The Court 5 finds that Plaintiffs have alleged the capture of personally identifiable information that is 6 the subject of the communication, and thus Plaintiffs have sufficiently alleged the 7 interception of “contents.” 8 v) Device 9 The wiretapping laws at issue apply where interception is accomplished “through 10 the use of any electronic, mechanical, or other device.” 18 U.S.C. 2510(4).14 Plaintiffs 11 allege that “Plaintiffs’ and Class members’ browsers and computing device and 12 Defendant’s webservers, website, and the Session Replay Code Defendant deployed are 13 all ‘devices’ for the purposes of the Wiretap Act.” FAC at ¶ 92. Carnival contends that 14 Plaintiffs’ wiretapping claims are all premised on Carnival’s use of “Session Replay 15 Code”, computer code, which does not constitute a “device” within the meaning of the 16 wiretap laws. MTD at 18. According to Carnvial, if “device” is interpreted to require a 17

18 13 At oral argument, Carnival suggested that credit card information is not “contents” 19 because such information may be obtained by a federal prosecutor under 18 U.S.C. § 20 2703. But Carnival is not a “governmental entity” and has not been issued a “warrant” by a “court of competent jurisdiction.” See id. Thus, even to the extent that 18 U.S.C. § 21 2703 would have any application to the instant case, the Court finds Carnival’s argument 22 unpersuasive. 23 14 This is true of the Federal law, along with Pennsylvania’s, Maryland’s, and Massachusetts’s. See MTD at 26; 18 Pa. Stat. § 5702 (requiring the “acquisition of [a] 24 communication through the use of any electronic, mechanical or other device” (emphasis 25 added)); Md. Code Ann., Cts. & Jud. Proc. § 10-401(3) (same); Mass. Gen. Laws Ann. ch. 272, § 99(B)(4) (requiring acquisition “through the use of any intercepting device” 26 (emphasis added)). California’s wiretapping law does not include the device limitation, 27 and so is not affected by this section of the order. 1 physical object, “Carnival’s use of computer code [would] not constitute a ‘device’ 2 within the meaning of the wiretap laws . . . .” MTD at 29. However, this perspective is 3 overly circumscribed because it views the computer code in a vacuum, separate and apart 4 from the computer that executes it. See James v. Walt Disney Co., No. 2023 WL 5 7392285, at *13 (N.D. Cal. Nov. 8, 2023) (“It is artificial to claim that software must be 6 viewed in isolation from the computing device on which it runs and with which it is 7 inseparable in regard to the challenged conduct.”). After all, software is no more than “a 8 set of instructions, known as code, that directs a computer to perform specified functions 9 or operations.” Fantasy Sports Prop v. Sportsline.com, 287 F.3d 1108, 1118 (Fed. Cir. 10 2002) (emphasis added); see also Google LLC v. Oracle Am., Inc., 141 S. Ct. 1183, 1191- 11 92 (2021) (“But how do you as the programmer tell the computer which of the 12 implementing code programs it should choose, i.e., which task it should carry out?”). All 13 software, regardless of the language it is written in or the complexity of its function, 14 requires hardware to execute it. See TiVo, Inc. v. EchoStar Commc'ns Corp., 516 F.3d 15 1290, 1309 (Fed. Cir. 2008) (“As an initial matter, software alone cannot extract data 16 from a physical device; it can only control hardware that extracts data.”). As Carnival 17 reminded this Court at oral argument, the internet is not magic. Like a recipe without a 18 chef, or sheet music without a musician, software cannot function—much less collect and 19 transmit data at hyper-frequent intervals to a third party—without hardware to run it. 20 Because a computer that executes software is undoubtedly a physical device, the motion 21 to dismiss fails on these grounds as well.15 22 In conclusion, the Court DENIES Carnival’s Motion to Dismiss as it relates to the 23 wiretap claims. 24

25 26 15 Plaintiffs may choose to supplement existing allegations with additional facts describing the use of a server or webserver to execute Session Replay Code. 27 1 2. Invasion of Privacy Claims 2 To state an invasion of privacy claim, Plaintiffs must allege “conduct by the 3 defendant that amounts to a serious invasion of [a] protected privacy interest.” MTD at 4 31 (quoting In re Google Assistant Privacy Litig., 457 F. Supp. 3d 797, 829 (N.D. Cal. 5 2020)).16 The invasion must be “‘highly offensive’ or ‘serious.’” In re Google Assistant 6 Privacy Litig., 457 F. Supp. 3d at 830. “Courts have repeatedly found the surreptitious 7 recording of a plaintiffs’ conversations or activity to constitute an actionable intrusion.” 8 Id. Furthermore, under California law, determining whether an intrusion is highly 9 offensive often “cannot be conducted at the motion to dismiss stage where, as here, there 10 are open factual questions regarding ‘the likelihood of serious harm to the victim, the 11 degree and setting of the intrusion, the intruder’s motives and objectives, and whether 12 countervailing interests or social norms render the intrusion inoffensive.’” Id. (quoting In 13 re Facebook Inc. Internet Tracking Litig., 956 F.3d 589, 606 (9th Cir. 2020)); see also 14 Tanner v. Acushnet Co., 2023 WL 8152104, at *7 (C.D. Cal. Nov. 20, 2023) (“[C]ourts 15 must be reluctant to reach a conclusion at the pleading stage about how offensive or 16 serious the privacy intrusion is.”); Revitch v. New Moosejaw, LLC, 2019 WL 5485330, at 17 *3 (N.D. Cal. Oct. 23, 2019) (same); D'Angelo v. Penny OpCo, LLC, 2023 WL 7006793, 18 at *11 (S.D. Cal. Oct. 24, 2023) (same). However, the same is not true under 19 Pennsylvania law. See Boring v. Google Inc., 362 F. App'x 273, 279 (3d Cir. 2010). 20 21

22 16 The four states’ treatment of privacy claims is largely the same. See MTD at 31 n.11; 23 Popa v. Harriet Carter Gifts, Inc., 426 F. Supp. 3d 108, 122 (W.D. Pa. 2019); 24 Branyan v. Sw. Airlines Co., 105 F. Supp. 3d 120, 126 (D. Mass. 2015) (“[T]o prevail on a claim alleging an invasion of privacy, a plaintiff must prove that there was … 25 an unreasonable, substantial or serious interference with his privacy.”); see also 26 Demo v. Kirksey, 2018 WL 5994995, at *3 (D. Md. 2018) (“Maryland and Pennsylvania have adopted the same definition for intrusion upon seclusion.”). 27 1 Thus, the Court undertakes the analysis and concludes that Plaintiffs have alleged facts 2 sufficient to establish a serious invasion of a protected privacy interest. 3 Carnival’s position relies on In re Google Assistant Privacy Litig., 457 F. Supp. 3d 4 at 830, for the proposition that data collection is “nothing more than . . . ‘routine 5 commercial behavior,” and that a defendant engaging in such behavior “does not commit 6 an invasion of privacy.” MTD at 32. But the court in In re Google Assistant Privacy 7 Litig., specifically rejected this argument, finding “[n]onetheless,” that “a reasonable 8 person could find Defendants’ alleged conduct to be ‘highly offensive.’” Id. Carnival 9 further submits that its actions cannot be “highly offensive” because “even collection of 10 ‘plaintiff’s HIV status’” does not constitute “highly offensive” behavior. MTD at 31 11 (quoting McNemar v. The Disney Store, Inc., 91 F.3d 610, 622 (3d. Cir. 1996)). This is, 12 of course, a gross oversimplification of McNemar. McNemar held that plaintiff did not 13 state a claim for invasion of privacy where his store manager, in an attempt to be 14 supportive, asked him whether he was HIV-positive. 91 F.3d at 622. The court noted 15 that this was hardly coercive, “let alone ‘highly offensive to a reasonable person.’” Id. 16 The court further held that a store manager’s disclosure of plaintiff’s HIV-positive status 17 to plaintiff’s friend, who already knew he was HIV-positive, was “not sufficient to state a 18 prima facie case of invasion of privacy for publicity given to private facts.” Id. Neither 19 of these holdings bear any relevance to the present case. 20 Courts addressing cookie-enabled surveillance schemes dismiss invasion of 21 privacy claims where plaintiffs allege nothing more than the collection of “keystrokes, 22 mouse clicks, and [personally identifiable information].” See Popa v. Harriet Carter 23 Gifts, Inc., 426 F. Supp. 3d 108, 122 (W.D. Pa. 2019); see also Williams v. DDR Media, 24 LLC, 2023 WL 5352896, at *6 (N.D. Cal. Aug. 18, 2023); Farst, 2023 WL 7179807, at 25 *4. But courts decline to dismiss invasion of privacy claims where plaintiffs allege that 26 the intercepted information is used to compile a user’s browsing history across other 27 1 websites. See Revitch, 2019 WL 5485330, at *3 (finding that intrusion “which allegedly 2 allowed NaviStone to associate Revitch’s browsing habits with his identity, is a highly 3 offensive breach of norms”); Griffith v. TikTok, Inc., 2023 WL 7107262, at *6 (C.D. Cal. 4 Oct. 6, 2023) (holding that because “the Tiktok [software development kit] allows 5 Defendants to assemble extensive profiles containing individuals’ browsing histories 6 across numerous websites . . . the Court cannot conclude at the pleading stage that the 7 alleged privacy intrusion is not serious”); cf. Williams, 2023 WL 5352896 at *6 8 (contrasting plaintiffs’ allegations with allegations in Facebook Internet Tracking, 956 9 F.3d at 596, where “plaintiffs alleged Facebook captured . . . plaintiffs’ internet activity 10 and turned it into detailed ‘personal profiles’”); Farst, 2023 WL 7179807, at *4 11 (contrasting plaintiff’s allegations with cases where defendants “compiled users’ internet- 12 wide search histories, create[ing] detailed user profiles”). This case falls into the latter 13 category, as Plaintiffs have alleged that Carnival used the intercepted information to 14 “back-reference all of [a] user’s web browsing across other websites previously visited, 15 including on websites where the user had intended to remain anonymous.” FAC at ¶ 42. 16 Accordingly, the Court finds that Plaintiffs have sufficiently pleaded their invasion of 17 privacy claims. 18 3. Computer Fraud and Abuse Act (“CFAA”) 19 To state a claim under the CFAA, Plaintiffs must plead facts showing that Carnival 20 “intentionally acesse[d] a computer without authorization or exceed[ed its] authorized 21 access, and thereby obtain[ed] … information from [the] protected computer.” 18 U.S.C. 22 § 1030(a)(2)(C). Plaintiffs must also demonstrate that they suffered “damage or loss” 23 under one of the factors set forth in § 1030(c)(4)(A)(i)(I)–(V). Plaintiffs attempt to 24 invoke two of these factors, FAC at ¶¶ 107–08, contending that Defendants’ conduct 25 caused “loss to 1 or more persons during any 1-year period . . . aggregating at least 26 27 1 $5,000 in value,” and constituted “a threat to public health or safety,” see 18 U.S.C. § 2 || 1030(c)(4)(A)G@)(D, (IV). 3 But Plaintiffs’ allegations of damage or loss are entirely conclusory. The 4 complaint “merely parrots the language of the statute without providing any factual 5 allegations.” James v. Veros Credit, LLC, 2019 WL 13102877, at *2 (S.D. Cal. 2019). 6 || To the extent Plaintiffs suggest that Carnival’s interception “deprive[d Plaintiffs] of the 7 ||economic value of their own information,” Plaintiffs’ Opposition at 22, Plaintiffs fail to 8 ||‘‘plausibly allege that they intended to sell their non-disclosed personal information to 9 ||someone else. Nor, in any event, do they plausibly allege that someone else would have 10 || bought it as a stand-alone product.” Jn re Facebook, Inc., Consumer Privacy User 11 || Profile Litig., 402 F. Supp. 3d 767, 784 (N.D. Cal. 2019). And to the extent Plaintiffs 12 suggest that Carnival’s actions pose a threat to public health or safety because of “identity 13 || theft and online scams,” they have failed to allege facts demonstrating the threat is 14 || anything more than speculation. See id.; see also Dahlia v. Rodriguez, 735 F.3d 1060, 15 || 1076 (9th Cir. 2013) (holding that court may “reject, as implausible, allegations that are 16 || too speculative to warrant further factual development.”). 17 The Court dismisses Plaintiffs’ CFAA claim with leave to amend, to the extent that 18 || Plaintiffs may do so in good faith. 19 CONCLUSION 20 The Court GRANTS IN PART AND DENIES IN PART Carnival’s Motion to 21 ||Dismiss. Plaintiffs’ CFAA claim is dismissed with leave to amend. The Court declines 22 ||to dismiss Plaintiffs’ wiretap and invasion of privacy claims. 23 IT IS SO ORDERED. 24 Dated: January 19, 2024 72 + 25 Hon. athe Coke 26 United States District Judge 27 50 28 23-cv-236-GPC-MSB