AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âïžLegal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.10â$0.50 per brief, depending on opinion length and retries
Full Opinion
1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 LORETTA WILLIAMS, Case No. 22-cv-03789-SI 8 Plaintiff, ORDER GRANTING DEFENDANT JORNAYAâS MOTION FOR 9 v. SUMMARY JUDGMENT AND GRANTING ADMINISTRATIVE 10 DDR MEDIA, LLC, et al., MOTION TO SEAL; SEALED ADDENDUM ATTACHED TO ORDER 11 Defendants. Re: Dkt. Nos. 90, 99 12 13 On September 20, 2024, the Court held a hearing on defendant Jornayaâs motion for 14 summary judgment. For the reasons set forth below, the Court GRANTS the motion for summary 15 judgment. The Court also GRANTS the unopposed motion to file under seal at Dkt. No. 99. 16 17 BACKGROUND 18 On June 27, 2022, plaintiff Loretta Williams filed this putative class action lawsuit against 19 defendants DDR Media LLC and Lead Intelligence Inc. d/b/a Jornaya (âJornayaâ). Williams claims 20 that defendants violated her privacy when she visited DDR Mediaâs website, snappyrent2own.com, 21 because her keystrokes were recorded by a computer code embedded on the website through a 22 Jornaya software product called âTCPA Guardian.â Williams alleges that defendants recorded her 23 personal information and that the recording constitutes wiretapping in violation of California law. 24 According to Jornayaâs Chief Technology Officer Manny Wald, TCPA Guardian âis 25 designed to help companies comply with the Telephone Consumer Protection Act, or TCPA, which 26 restricts how companies contact consumers using autodialing technology without prior consent.â 27 February 2024 Wald Decl. ¶ 4. Wald states, The TCPA Guardian service is based on a JavaScript, called LeadiD Create. For a 1 website owner who places LeadiD Create on its website, each time a visitor visits that website, the script generates a unique numerical referenceâcalled a LeadiDâ 2 and collects information regarding (1) the website itself; (2) the consent and/or disclosure that was present on the website at the time of the visit; and (3) certain of 3 the visitorâs actions on the website, associating that information with the LeadiD. Specifically, the script captures visitor interactions with fields on the page as well as 4 the pageâs visual characteristics and associated labels. This includes any TCPA or other disclosure language present on the website (i.e., seeking the visitorâs consent 5 to receive autodialed calls) as well as the visitorâs act of checking a box near that language (which would indicate his or her consent). Information regarding that 6 interaction would then be assigned to the LeadiD unique to that particular visit. 7 Id. ¶ 5; see also Harlow Decl. Ex. C (Response to Interrogatory No. 1, explaining how TCPA 8 Guardian functions with the âLeadiD Create JavaScriptâ and stating, inter alia, âWhen a visitor 9 navigates to a page where the script is installed, the script loads and creates a unique LeadiD token 10 that is stored on Jornayaâs servers. As a visitor continues their journey through the lead funnel 11 where the script is implemented, the script witnesses the visitorâs interactions and collects data 12 related to their navigationâincluding the information about the webpage itself, the consent and/or 13 disclosure that was present on the page at the time of the visit, and certain of the visitorâs interactions 14 with fields or elements on the pageâand links it with the same LeadiD token.â). 15 On or around December 10, 2021, Williams visited DDR Mediaâs website, 16 snappyrent2own.com. Williams claims that during her visit, TCPA Guardian captured her strokes, 17 clicks and other interactions on the website, including her name, email address, and phone number. 18 Williams alleges that TCPA Guardian is an âeavesdropping software,â and that by using that 19 software, defendants âintentionally tapped the lines of communicationâ between Williams and DDR 20 Mediaâs website. Second Amend. Compl. (âSACâ) ¶ 49. 21 The second amended complaint alleges a single cause of action under California Penal Code 22 § 631(a), the California Invasion of Privacy Act (âCIPAâ). That statute penalizes: 23 Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether 24 physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or 25 instrument of any internal telephonic communication system, 26 or 27 who willfully and without the consent of all parties to the communication, or in any any wire, line, or cable, or is being sent from, or received at any place within this 1 state; 2 or 3 who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, 4 or 5 who aids, agrees with, employs, or conspires with any person or persons to 6 unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section[.] 7 Cal. Penal Code § 631(a) (line breaks added). Williams claims that Jornaya has violated the second 8 prong of the statute because âby using TCPA Guardian, Jornaya willfully and without the consent 9 of all parties to the communication, or in any unauthorized manner, read or attempted to read or 10 learn the contents or meaning of electronic communications of Plaintiff and alleged Class Members, 11 while the electronic communications were in transit or passing over any wire, line or cable or were 12 being sent from or received at any place within California.â SAC ¶ 51. Williams alleges that DDR 13 Media is liable under the fourth prong of CIPA because it âpartneredâ with Jornaya to conduct the 14 illegal wiretapping. Id. ¶ 52. 15 During several rounds of motions to dismiss the complaint, Jornaya argued, inter alia, that 16 it did not âread, or attempt to read, or to learnâ the contents of any communications because when 17 data is transmitted from websites to Jornayaâs servers through TCPA Guardian, that data is 18 automatically âhashedâ and no personally identifiable data or communications are stored on 19 Jornayaâs servers. The Court directed the parties to engage in targeted discovery regarding how 20 TCPA Guardian functions and whether Jornaya âreads, or attempts to read, or to learnâ the contents 21 or meaning of electronic communications. The parties engaged in that discovery, and Jornaya has 22 now filed a motion for summary judgment on that issue. 23 24 LEGAL STANDARD 25 Summary judgment is proper if the pleadings, the discovery and disclosure materials on file, 26 and any affidavits show that there is no genuine dispute as to any material fact and that the movant 27 is entitled to judgment as a matter of law. See Fed. R. Civ. P. 56(a). The moving party bears the 1 initial burden of demonstrating the absence of a genuine issue of material fact. Celotex Corp. v. 2 Catrett, 477 U.S. 317, 323 (1986). The moving party, however, has no burden to disprove matters 3 on which the non-moving party will have the burden of proof at trial. The moving party need only 4 demonstrate to the Court that there is an absence of evidence to support the non-moving partyâs 5 case. Id. at 325. 6 Once the moving party has met its burden, the burden shifts to the non-moving party to 7 âdesignate âspecific facts showing that there is a genuine issue for trial.ââ Id. at 324 (quoting then 8 Fed. R. Civ. P. 56(e)). To carry this burden, the non-moving party must âdo more than simply show 9 that there is some metaphysical doubt as to the material facts.â Matsushita Elec. Indus. Co., Ltd. v. 10 Zenith Radio Corp., 475 U.S. 574, 586 (1986). âThe mere existence of a scintilla of evidence . . . 11 will be insufficient; there must be evidence on which the jury could reasonably find for the [non- 12 moving party].â Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 252 (1986). 13 In deciding a summary judgment motion, the Court must view the evidence in the light most 14 favorable to the non-moving party and draw all justifiable inferences in its favor. Id. at 255. 15 âCredibility determinations, the weighing of the evidence, and the drawing of legitimate inferences 16 from the facts are jury functions, not those of a judge . . . ruling on a motion for summary judgment 17 . . . .â Id. However, conclusory, speculative testimony in affidavits and moving papers is insufficient 18 to raise genuine issues of fact and defeat summary judgment. Thornhill Publâg Co., Inc. v. Gen. 19 Tel. & Elec. Corp., 594 F.2d 730, 738 (9th Cir. 1979). The evidence the parties present must be 20 admissible. Fed. R. Civ. P. 56(c)). 21 22 DISCUSSION 23 Jornaya contends that it does not read, attempt to read, or to learn the contents of any of the 24 information input by a visitor to a website that uses TCPA Guardian because all data entered by the 25 user, such as a name, is immediately âhashedâ as soon as it is transmitted from the website to 26 Jornayaâs servers. Harlow Decl. Ex. C at 4-6 (Response to Interrogatory Nos. 1, 3). Jornayaâs CTO 27 Wald explains the hashing process as follows: 8. As is relevant here, hashing is a process that applies an algorithm to a string of 1 characters of any length to create a fixed-size output made up of a new string of numbers and letters such as 72a40ac74b7a2472826f306f02e508fc.1. This output is 2 called a âhash codeâ or simply a âhashâ. Although the hash code itself is technically purely numeric, it is often represented in hexadecimal notation, which uses both 3 numerals 0-9 and letters A-F to represent numbers 0 through 15. 4 10. The size of the hash code, i.e., the number of characters, does not depend on the size or number of characters of the input. That is what is meant by creating a hash 5 code of âfixed-sizedâ output. For instance, the length of a hash code from the input of a single word would be the same as the length of a hash code from the input of an 6 entire dictionary. No matter the input, the output always involves the same number of hexadecimal characters. One therefore cannot deduce the length of the original 7 starting of characters by the length of its hash code. 8 12. The exact same input that is hashed using the same hashing algorithm will produce the same hash code every time. Conversely, any difference in the input will 9 produce a different hash. This means that âsupercalifragilisticexpialidociousâ will produce the same hash code each time âsupercalifragilisticexpialidociousâ is typed 10 in, but â1â and â1.0â will produce entirely different hashes, as will âMain St.â and âMain Streetâ, or âSamuel Adamsâ and âSamuel adamsâ. . . . 11 13. One of the core benefits of hashing is the ability to validate that two inputs are 12 exactly the same, without having to read, learn, or know what the inputs themselves are. By observing that two hash codes are the same, one can confirm that the two 13 underlying inputs that resulted in those hash codes were the same. In other words, if two hash codes match, then the data that was hashed to create those hash codes is 14 also exactly the same. Moreover, and importantly, unlike encryption that can be decoded with a key, hashing is what is referred to as a âone-wayâ cryptographic 15 function. There is no âkeyâ that can unlock the hash, nor is there a second algorithm that can be applied to turn the hash code back into the data that originally went into 16 the algorithm. In this way, it is more protective than encryption. Thus, hashing allows you to confirm that the data you have is the data hashed, without âun-hashingâ 17 or âreversingâ the hash code. 18 16. TCPA Guardian is most often used by âlead-sellersâ and âlead-buyers.â A âleadsellerâ usually is a company that operates a website that might offer to provide 19 information about a certain product or service (e.g., a mortgage), generating engagement from website visitors. In a typical scenario, the visitor interested in that 20 product or service provides certain information about themselves to the lead-seller on the website in order to receive more information about the products or services 21 advertised. If the lead-seller places the LeadiD Create script on its website, a LeadiD will be generated from the visit, and the hash code of the information provided by 22 the website visitor to the lead-seller is stored by TCPA Guardian and associated with that LeadiD. The lead-seller then sells or provides the LeadiD and certain 23 information provided by the visitor to a âlead-buyer,â which is often the company that offers the actual product or service (e.g., the bank or a broker for mortgages). 24 The lead-buyer uses TCPA Guardian to validate information about the individual who visited the lead-sellerâs website, particularly whether the website obtained 25 consent from the visitor to communicate with him or her. 26 17. TCPA Guardian works as follows: The lead-buyer submits the LeadiD to Jornayaâs TCPA Guardian, along with the hash code for the information it obtained 27 from the lead-seller (e.g., the visitorâs name and telephone number). Jornayaâs LeadiDâi.e., the hash code for the information that was originally collected when 1 the individual visited the lead-sellerâs website. Much like how password hashes are verified, if the hash codes match, then the lead is verified: the data provided by the 2 lead-buyer and the original data collected by the lead-seller are the same. If not, then there is no match. By using a LeadiD as the identifier and storing the hashâand 3 only the hashâof a website visitorâs input, Jornaya can allow lead-buyers to confirm that the data they bought from the lead-seller is indeed the data that a website visitor 4 originally provided to the lead-seller, without Jornaya actually keeping, reading, or learning the original data. 5 18. This is also why a TCPA Guardian Compliance Report displays asterisks in the 6 place of the visitorâs inputs: Jornaya does not store any of those inputs, including personally identifiable data, and cannot apply any method to reverse the hashes to 7 read the original inputs. 8 Wald Decl. ¶¶ 8-18. At his deposition, Wald testified that Jornaya automatically performs the 9 hashing of user-inputted data as soon as the data transmitted from the website reaches Jornayaâs 10 servers, and âonce the hashing algorithm is applied,â the âoriginal data is discardedâ and âis not 11 usedâ for âany purpose.â Harlow Decl. Ex. A at 27-30 (Wald Depo.). The entire process âoccurs 12 within milliseconds.â Id. at 27. Wald explained that â[t]he data is received by the server and it is 13 only stored in volatile memory, a RAM, for milliseconds before it is quickly overwritten by other 14 processes, other data, and never stored on any persistent medium.â Id. at 28-29. 15 Williams does not dispute Jornayaâs evidence regarding how the hashing process works. 16 Instead, Williams contends that Jornaya reads, attempts to read, or learns the contents of 17 communications because when Jornaya hashes data, Jornaya first âprocesses and evaluatesâ that 18 data by performing select formatting adjustments to the data. Williams cites Waldâs deposition 19 testimony in which he describes how the input is âprocessedâ and âevaluated.â See Wald Depo. at 20 25-26.1 Williams argues that a jury could reasonably conclude that this initial step of processing 21 and evaluating the input data constitutes âreadingâ or âattempting to readâ or âlearningâ the contents 22 of the data. Williams also emphasizes that the California Supreme Court has consistently held that 23 CIPA is to be interpreted broadly. See Ribas v. Clark, 38 Cal. 3d 355, 359 (1985) (âIn enacting 24 [CIPA], the Legislature declared in broad terms its intent to protect the right of privacy of the people 25 of this state from what it perceived as a serious threat to the free exercise of personal liberties that 26 27 1 The parties have agreed that portions of Waldâs deposition testimony in which he explains 1 cannot be tolerated in a free and civilized society. This philosophy appears to lie at the heart of 2 virtually all the decisions construing the Privacy Act.â) (internal citations and quotations omitted). 3 Jornaya argues that in order to âreadâ or âlearn the contentsâ of a communication under 4 CIPA, there must be some action to interpret or understand the communicationâs substantive 5 meaning. Jornaya contends that the undisputed evidence shows that its automated hashing process 6 does not and could not seek to interpret or understand any of the data, and instead that the algorithm 7 makes certain formatting adjustments to the data and then irreversibly transforms it into an 8 incomprehensible alphanumeric string called a hash, all within milliseconds. Jornaya argues that 9 the entire process takes place without the need or capacity for Jornaya to decipher the substantive 10 meaning of the data. 11 Jornaya asserts that because CIPA does not provide its own definition of âread,â the Court 12 must apply the wordâs ordinary meaning. See DeGeorge v. U.S. Dist. Court, 219 F.3d 930, 936 (9th 13 Cir. 2000) (âIf the statute uses a term which it does not define, the court gives that term its ordinary 14 meaning.â). Jornaya cites dictionary definitions of âread,â such as the Oxford English Dictionary 15 definition of âread,â as âto look over or scan ⊠with understanding of what is meant by the letters 16 or signs.â Oxford English Dictionary, read, https://www.oed.com/dictionary/read_v?tab=meaning_ 17 and_use#26820196 (emphasis added). Jornaya also argues that its interpretation of âreadâ as 18 requiring gaining some understanding of the communicationâs substance is consistent with CIPAâs 19 history and purpose of protecting privacy rights. See In re Facebook, Inc. Internet Tracking Litig., 20 956 F.3d 589, 598 (9th Cir. 2020) (â[T]he legislative history and statutory text demonstrate that . . . 21 the California legislature intended to protect . . . historical privacy rights when they passed the . . . 22 CIPA.â); see also Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107, at *2 (9th Cir. 23 May 31, 2022) (âSection 631 was meant to âcodi[fy] the common law tort of invasion of privacy.â) 24 (Bumatay, J., concurring). 25 The Court concludes that the phrase âreads, or attempts to read, or to learn the contents or 26 meaning of any message, report, or communicationâ in CIPA requires some effort at understanding 27 the substantive meaning of the message, report or communication, and that the evidence shows that 1 information that is input on websites hosting that software. The evidence shows that the data 2 Jornaya receives is automatically subjected to an algorithm that transforms the data into an 3 incomprehensible âhashâ that has no inherent substantive meaning, and that Jornaya does not retain 4 the original unhashed data in its servers. The Court is not persuaded by Williamsâ argument that 5 the initial step of the hashing process, during which the original data is formatted in a particular 6 way, constitutes âreadingâ under CIPA. The alteration of the data is an automatic, almost 7 instantaneous step in the hashing process, and does not involve any attempt by Jornaya to understand 8 the substantive meaning of the data. 9 Williams contends that DâAngelo v. Penny OpCo, LLC, No. 23-CV-0981-BAS-DDL, 2023 10 WL 7006793 (S.D. Cal. Oct. 24, 2023), supports her position that Jornayaâs software âreadâ the 11 information that she input on the www.snappyrent2own.com website. In DâAngelo, the plaintiffs 12 alleged that JC Penny violated CIPA by permitting a third party, Vergic, to run a chat service on JC 13 Penneyâs website. The plaintiffs alleged that when a consumer chatted with a JC Penney customer 14 service representative via the website chat feature, each message was first routed through Vergicâs 15 server, where Vergic would âanalyze, interpret, and collect customer-support agent interactions in 16 real time to create live transcripts of communications as they occur.â Id. at *1. The district court 17 denied the defendantâs motion to dismiss the complaint, finding that the plaintiffs had sufficiently 18 alleged that JC Penny allowed Vergic âto contemporaneously duplicate their chat conversations 19 with Defendant as they occurred, thereby reading themâ and that the plaintiffs had plausibly alleged 20 that JC Penney had violated the second clause of CIPA âby aiding and abetting Vergic, in allowing 21 Vergic to âlisten inâ on chats between Website users and customer service representatives.â Id. at 22 *8-9. 23 Williamsâ reliance on DâAngelo v. Penny OpCo is unavailing. Unlike Vergic, which 24 allegedly analyzed and interpreted the chat communications to create live transcripts of the 25 communications as they occurred, here the undisputed evidence shows that Jornaya immediately 26 and automatically hashes the input data upon receipt and does not analyze, interpret, or save the 27 original inputted information. See Gutierrez v. Converse Inc., __ F. Supp. 3d __, 2024 WL 3511648, 1 Salesforce, which provided software to enable chat feature on Converseâs website and stored chats 2 on Salesforceâs servers through password-protected customer dashboard, did not read or attempt to 3 read the chats because the âuncontroverted evidence establishes messages sent through Defendantâs 4 chat feature are encrypted while in transitâ and there was no evidence that Salesforce could or did 5 read or attempt to read chats while accessing customer dashboard); cf. Valenzuela v. Nationwide 6 Mut. Ins. Co., 686 F. Supp. 3d 969, 977 (C.D. Cal. 2023) (holding the plaintiff plausibly alleged that 7 third party Akamai read, or attempted to read or to learn the contents of plaintiffâs chat on 8 Nationwideâs website where the plaintiff âalleged that Akamaiâs business model is to harvest data 9 from communicationsâ and âAkamaiâs business model appears to rely on intercepting all or nearly 10 all messages for mass data analysis.â); see also Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 11 900 (N.D. Cal. 2023) (holding the plaintiff alleged violation of second prong of § 631 by âplead[ing] 12 that ActiveProspect monitors, analyzes, and stores information about visits to Assuranceâs websites, 13 and that Active Prospect can use that information for other purposesâ). 14 Williams also provides the following analogy to argue that Jornaya has âread, attempted to 15 read, or learnedâ the contents of communications: 16 Perhaps an analogy on this point is a hypothetical scenario of a person receiving a letter in the mail addressed to someone else. The person opens the letter, which is 17 written in English, andâgoing one word at a timeâconverts the letter to all uppercase Pig Latin. The person then throws the original letter in the trash can and 18 places the Pig Latin translation in a drawer. The fact that the person only retained the Pig Latin version of the letter does not mean that it didnât read or learn the 19 contents of the original English letter, if in no other way than in the process of converting the letter into Pig Latin. Applied here, Jornaya intercepted and 20 transmitted to its server Williamsâ communications with DDRâs website in its raw form (the English letter), âprocessedâ, âevaluated,â and âalteredâ it into Pig Latin 21 (the hash code), discarded the original content, and retained the hash. This does not mean that it did not read or learn the contents of the communication. In fact, the 22 opposite is true. It read or learned the content of the communication if at no other point than when it was hashing it. 23 Oppân at 11. 24 Williamsâ analogy is inapt. Under that example, the human translator is reading each word 25 and converting each word into a different, albeit nonsensical, word. As Jornaya argues, it may be 26 true that as a matter of human cognition that when a person translates words from one language to 27 another, the person is also interpreting and understanding the wordsâ meaning. However, based on 1 the Wald declaration and deposition testimony, Jornayaâs hashing software automatically and 2 almost instantaneously converts the input data into the hashed data based upon an algorithm. Based 3 upon this record, the Court concludes that TCPA Guardian did not âread, attempt to read, or learnâ 4 || the contents or message of any communication that Williams input on DDR Mediaâs website. As 5 such, the Court does not reach Jornayaâs other arguments in favor of summary judgment. 6 7 CONCLUSION 8 For the foregoing reasons, the Court GRANTS Jornayaâs motion for summary judgment. 9 || Because Williams claimed that DDR Media was liable because it partnered with Jornaya in violating 10 || CIPA, the Court also grants summary judgment in favor of DDR Media. 11 12 IT IS SO ORDERED. 14 Dated: November 20, 2024 AN ILLSTON 15 United States District Judge 16 18 19 20 21 22 23 24 25 26 27 28
Case Information
- Court
- N.D. Cal.
- Decision Date
- November 20, 2024
- Status
- Precedential