A federal court has dismissed a proposed class action lawsuit against an omnichannel marketing company (NaviStone) and three online retailers, holding that the companies’ alleged use of omnichannel marketing technologies did not result in a cognizable injury under New York’s deceptive acts and practices laws and did not violate the federal Wiretap Act or the Stored Communications Act (“SCA”). The ruling is welcome news for providers and users of omnichannel marketing, which is (in simple terms) when data collected across different types of devices and platforms is combined to facilitate marketing to users across display, email, direct mail, and “addressable” television campaigns. For instance, an offline purchase might trigger delivery of an email offer, or an online web visit might trigger delivery of a discount coupon sent to a home mailbox.
Background of Complaint
NaviStone provides omnichannel marketing services, using website visits to trigger marketing offers through other channels. Specifically, according to the complaint, NaviStone’s software helps retailers “identify who visits their websites” by using code “to scan website visitors’ computers for information that can be used for de-anonymization, as well as to observe their keystrokes, mouse clicks, and communications with the e-commerce retailers’ websites.” Thus, according to the complaint, “NaviStone de-anonymizes website users and updates its database with the users’ current browsing activities and PII.” Class action plaintiffs sued NaviStone in December 2017, alleging claims under the Wiretap Act and the SCA, and state law claims under New York consumer protection laws.
The Court’s Ruling
The court dismissed all claims against all defendants, finding that NaviStone’s data tools did not cause a cognizable injury under New York’s deceptive acts and practices laws and did not violate the Wiretap Act or SCA.
State Law: Deceptive Practices. The court held that the plaintiffs’ allegations did not support a legally cognizable harm, only a “general invasion of privacy ‘through the exposure of personal and private information.’” The court reasoned that, regardless of alleged “de-anonymization”, there wasn’t an allegation “that any ‘expos[ed]’ information was particularly sensitive” or that information was “expos[ed] for any reason other than marketing.” In finding that there was no quantifiable injury, the court relied on precedent that said that collection of non-sensitive information (e.g., email addresses), spamming, and collection of browser history do not, without more, result in actual injury.
Federal Law: Wiretap Act and SCA. The Wiretap Act claim failed because of the statute’s one-party consent requirement, and the retailers, as recipients of the data, were parties to and consented to the interception of the communications in question. The court also found that an exception to the one party consent rule—applicable where electronic communications are intentionally intercepted for the purpose of committing a criminal or tortious act—was inapplicable, as the purpose here was marketing, not commission of a crime or tort. The court also joined other courts in holding that no private right of action exists under 18 U.S.C. § 2512, which makes it a crime to intentionally “manufacture[], assemble[], possess[], or sell[] any electronic . . . device” if one knows or should know that the device will likely be used to surreptitiously intercept electronic communications.
The SCA claims failed because the alleged communications were stored on plaintiff’s personal device, and communications stored on personal devices are not considered to be held in “electronic storage” under the statute.
Key Take-Aways
- Breaking Down Distinctions Between “PII” and “non-PII.” For purposes of consumer protection laws, the court didn’t distinguish the privacy implications of NaviStone’s alleged data “de-anonymization” techniques from other marketing models that use more conventional cookies or browsing data. Rather, the court relied on cases involving conventional display and email marketing. This continues a trend to minimize distinctions between “personal information” and “non-personal information”—a trend seemingly supported by the GDPR, the FTC, commentators, and (pending more interpretation) the recently enacted California Consumer Privacy Act.
- Importance of Transparency and Opt-Out Choices. Although it dismissed the complaint and rejected claims of consumer harm, the court found the allegations to be “unsettling” and “disturbing.” These observations were not based on a full record (only the bare allegations in the complaint), but the adjectives used—as well as the plaintiffs’ allegation that one retailer’s privacy policy was false or misleading—serve as reminders that companies using and combining data tools must control their privacy narrative through credible notice and choice methods, including by describing their practices clearly, and providing easy ways for consumers to opt-out.
- Wiretap Act and SCA Claims Fail Again. Finally, the decision adds to a long line of cases rejecting attempts to convert ordinary electronic marketing interactions (such as those involving cookies, email marketing, or similar technologies) into violations of federal wiretap or computer trespass law.