THOMSON REUTERS
Westlaw Today
Enter to open, tab to navigate, enter to select
Using chatbots or AI on your website? Risks and recommendations
2023 PRINDBRF 0173
• Practitioner Insights Commentaries
• April 6, 2023
(April 6, 2023) - Hannah E. Brown, Timothy Branson and Miles Scully of Gordon Rees Scully Mansukhani survey the emerging area of class-action litigation against companies accused of illegal wiretapping through the use of chatbots.
If your company uses chatbots for customer service or other customer interactions, you are the new favorite target for class action attorneys. This article discusses this emerging area of litigation, analyzes credible defenses to such claims, and provides bulletproof recommendations to avoid liability.
With the growth of online shopping, companies have struggled to keep up with the increased number of web-based interactions with consumers, including questions about the company or its products, or requesting assistance with transactions. In response to this increased demand, many companies have begun to use artificially intelligent "chatbots" on their websites.
If you engage in online shopping or browsing, you have likely encountered a chatbot. A chatbot is a computer program designed to simulate real human communication and uses artificial intelligence to understand consumer questions and provide automated responses.1
From the company's point of view, consumer questions like "where is my order" or "how can I change my shipping address?" can easily be answered by an automated bot and save costs on the use of live representatives.
Use of these chatbots, however, can be problematic — and not only because they are disfavored by the majority of consumers.2 Specifically, chatbots can expose the company to litigation if the chatbot conversations are recorded, or if the information obtained in those conversations is shared with third parties.
In fact, there has been a recent wave of litigation where plaintiffs, in both individual and class action contexts, have brought claims against companies alleging that their use of chatbots is illegal wiretapping. As one example, and as recently summarized by Judge Jesus G. Bernal from the Central District of California in an order in a case brought by a serial plaintiff:
Plaintiff, and his counsel, ... are serial litigants bringing numerous "cookie cutter" lawsuits under [the California Invasion of Privacy Act] against various businesses that operate websites. [Counsel] appears to have filed over 60 (and likely more) of these virtually identical lawsuits in the last year, with more seemingly filed every week. [Counsel] appears to work with multiple "tester" plaintiffs to drum up these lawsuits, though [Plaintiff] may be the primary one.3
This article provides information on the legal background behind these claims and other similar claims, as well as recommendations as to how a company can protect itself if it chooses to record any portion of a user's experience on its website.
Legal background
A violation of the Federal Wiretap Act occurs where any person "intentionally intercepts ... any wire, oral, or electronic communication" or "intentionally discloses" or "uses" the contents of any such communication while "knowing or having reason to know that the information was obtained through the [unlawful] interception."4
States have adopted similar statutes. California, for example, enacted California Invasion of Privacy Act (CIPA) in 1967.
CIPA has three main sections, making it unlawful to:
(1) tap, or make any unauthorized connection with any telegraph or telephone wire, line, cable or instrument, including the wire, line, cable or instrument of any internal telephonic communication system; or
(2) read, attempt to read, or learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable; or
(3) use, or attempt to use, in any manner, or for any purpose, any information so obtained, or aid, agree with, employ, or conspire with any person to unlawfully do, or permit, or cause to be done any of the acts or things mentioned.5
Notably, section 631 is not limited to phone lines, but also applies to "new technologies," including the internet and electronic communications.6
The statute provides for damages in the amount of $2,500 per violation or $10,000 per violation for repeat offenders, or even potential jail time.7 CIPA section 632 similarly "prohibits ... a party ... from recording [a] conversation without first informing all parties to the conversation that the conversation is being recorded."8 In sum, CIPA prohibits wiretapping, eavesdropping, and recording communications without the consent of all parties.
And importantly, a consumer can allege a CIPA violation even without alleging any harm beyond the invasion of their privacy rights.9
Common allegations under the Wiretap Act and CIPA
In recently filed privacy violation lawsuits, plaintiffs have primarily focused on two specific practices: (1) the company uses what is called a "session replay" program to capture a video of the website user's every move; and/or (2) the company (or hired third party) creates a transcript of the written conversation between the user and the automated chatbot.
The case that appears to have triggered the onslaught of this type of litigation is a case entitled Javier v. Assurance IQ, LLC.10 There, plaintiff Javier alleged that when he visited the website of defendant Assurance, Assurance used a product which "captured in real time every second of his interaction with [the website] and created a video recording of that interaction." This is commonly referred to "session replay" software.
The district court determined that Javier could not form a privacy claim because he had retroactively consented to the recording.
The Ninth Circuit disagreed, however, finding that: (1) "Though written in terms of wiretapping, Section 631(a) applies to Internet communications," and (b) plaintiff had alleged sufficient facts to plausibly state a claim that defendant recorded his communications without his valid express prior consent, and therefore could be a violation under Section 631(a).
Companies — like Assurance, allegedly — use session replay software to record a user's actions with the website, tracking the user's clicks, views, and actions. The company can learn, for example, what screen caused the user to change their mind about purchasing a product. Was it that the consumer needed a different but unavailable size? Was it that the company added a shipping fee?
The company can then recalibrate and possibly change prices, sizes, or shipping costs to recoup those lost sales in the future. Or, a company could use said recorded video to later prove that the user clicked and viewed the company's privacy policy or arbitration policy, to support a motion to compel arbitration.
Alternatively, like in the Licea cases mentioned above, a company can come under fire for creating a transcript of a user's conversation with a chatbot, or by allowing a third party to "eavesdrop" on the conversation and/or record and save the conversation.
The defendants in these lawsuits could be recording these transcripts simply for internal quality control purposes, or could be doing so to obtain information to sell it to outside third parties. Either way, it can lead to issues.
Possible defenses
If a company is sued for a CIPA violation, it should first determine under which clause of CIPA the claim arises, so that it may analyze the appropriate defense(s). First, if the plaintiff raises a claim for wiretapping (section 631(a), clause 1), at least one court has held this clause applies "only to communications over telephones and not through the internet."11 The second clause of 631(a), however, can apply to communications over the internet.12
However, there are other available defenses to a claim under the second CIPA clause. The second clause of 631(a) and the federal Wiretap Act require "that messages be intercepted while in transit."13 The information shared by the consumer, for example, may not be acquired while it is in electronic storage, but instead must be intercepted in real time.14
Next, a company may be able to raise a defense depending on what is alleged to have been recorded. Under both CIPA and the Wiretap Act, the "contents" of the message must be captured. In contrast, the capturing of "record information" such as "'the "name,' 'address,' and 'subscriber number or identity' of 'a subscriber to or customer of such service' is not a violation."15
However, the distinction between the prohibited "contents" and the permitted "record information" is not black and white. Whether information is "content" or "record information" can depend on a variety of things, such as "the manner in which the information is generated, as information that would otherwise be considered 'record information' … may be 'contents' of a communication where the user communicates with a website by entering his information into a form provided by the website."16
Another defense to these types of allegations is the "party" defense. The Wiretap Act provides that a person may record a conversation in which he or she is a party.17 Similarly, CIPA section 631 applies "only to eavesdropping by a third party and not to recording by a participant to a conversation."18 This certainly makes sense — you cannot eavesdrop on a conversation in which you are present.
However, this "party" defense does not save the company in all situations. First, the defense does not apply to a privacy violation allegation under 632, and second, a party to a conversation can be held vicariously liable under section 631(a) if plaintiff pleads a third party is doing the eavesdropping. Section 631(a) holds a party may be held vicariously liable for aiding and abetting another or permitting the acts prohibited in the remainder of the statute.
Finally, the clearer and possibly easiest defense is consent.
What can you do to protect yourself? Get consent
If your company is recording a user's experience on your website, it is vital that you get consent. 18 U.S.C. § 2511(2)(c) exempts interceptions where the party "has given prior consent" and California Penal Code §§ 631(a) and 632(a) prohibit wiretapping and eavesdropping "without the consent of all parties to the communication." Consent "may be either explicit or implied, but it must be actual."19 It is the company's burden to prove consent, so it is important that you do so correctly.20
Consent must be clear, unequivocal, and must occur before you or anyone else reviews or intercepts communication or user activity. Receiving the user's consent after the recording begins is not good enough.21
Instead, consent is required before anything is recorded. This can be done by clearly detailing in your privacy policy that the user's interactions on the website will be recorded or transcribed. The placement and visibility of that privacy policy is vital. "[C]ourts will not enforce agreements where the terms are buried at the bottom of the page or tucked away in obscure corners of the website, especially when such scrolling is not required to use the site."22
"Similarly, courts decline to enforce agreements where the terms are available only if users scroll to a different screen, complete a multiple-step process of clicking non-obvious links, or parse through confusing or distracting content and advertisements. Even where the terms are accessible via a conspicuous hyperlink in close proximity to a button necessary to the function of the website, courts have declined to enforce such agreements."23
Instead, there must be evidence that the user had actual notice of the relevant term and acknowledged it.24 For example, you could present a hyperlink of the website privacy policy to the user, and require the user review and consent to these terms before the user interacts with the chatbot.
Similarly, if you wish to record the user's experience on your website, ensure that the user cannot get to the point of recording without confirming they agree to be recorded.
To that end, it is also useful to include a clear and binding arbitration agreement (including a waiver of the right to bring a class action) in your website terms of use. This must be done through an enforceable clickwrap contract.
A user agrees to arbitrate any future disputes if the evidence shows the user is provided with an opportunity to review the arbitration provision and — this is vital — affirmatively acknowledges (usually by checking a box or clicking a button) that they agree.
The arbitration agreement should be clear and visible no matter how the website is accessed, reference the rules of the arbitration venue you choose, and can even delegate the issue of arbitrability to the arbitrator. It should also be broad enough to ensure it encompasses any dispute between the user and the company.
It is important to take simple steps to avoid the expensive and litigious lawsuits as detailed above. If you are interested in ensuring you are using an enforceable clickwrap agreement that allows you to record website users with their consent, or if you have been sued for a violation of privacy laws, please contact us. Gordon Rees Scully Mansukhani regularly counsels clients seeking to comply with privacy laws and defends clients in suits similar to those mentioned above.
Notes
1 See What is a chatbot?, IBM, http://bit.ly/3M9EHuM (last visited March 31, 2023).
2 See Gil Press, AI Stats News: 86% of Consumers Prefer Humans to Chatbots, Forbes (Oct 2, 2019), http://bit.ly/403vEQ7 (reporting "86% of consumers prefer to interact with a human agent; 71% said they would be less likely to use a brand if it didn't have human customer service representatives available; [and] only 30% believe that chatbots and virtual assistants make it easier to address customer service issues").
3 Licea v. Caraway Home Inc., 22-cv-01791, (C.D. Cal. Feb. 9, 2023).
4 18 U.S.C. §§ 2511(1)(a), (c)-(d).
5 Cal. Penal Code § 631(a) (emphasis added).
6 See Matera v. Google Inc., at *21 (N.D. Cal Aug. 12, 2016) (finding CIPA is to be construed with the interpretation that provides the greatest privacy protection, and therefore applies to email).
7 Cal. Penal Code § 631(a).
8 Cal. Penal Code § 632 (emphasis added).
9 See Osgood v. Main Streat Mktg., LLC, , at *7 (S.D. Cal. Jan. 13, 2017).
10 No. 21-16351, , at *1 (9th Cir. May 31, 2022)
11 Licea v. Am. Eagle Outfitters, Inc., , at *4 (C.D. Cal. Mar. 7, 2023) (citing cases).
12 In re Google Inc., , at *20 (N.D. Cal. Sept. 26, 2013) ("the Legislature intended the two clauses to apply to different types of communications.").
13 Am. Eagle Outfitters, Inc., , at *8.
14 Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 878 (9th Cir. 2002).
15 Graf v. Zynga Game Network, Inc., 750 F.3d 1098, 1107 (9th Cir. 2014).
16 Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 517 (C.D. Cal. 2021).
17 18 U.S.C. § 2511(2)(c), (d).
18 Warden v. Kahn, 99 Cal. App. 3d 805 (1979); Graham v. Noom, Inc., 533 F. Supp. 3d 823, 831 (N.D. Cal. 2021) (holding that "a party to a communication can record it (and is not eavesdropping when it does)".)
19 In re Google, Inc., , at *12 (N.D. Cal. Sept. 26, 2013).
20 See Matera v. Google Inc., , at *17 (N.D. Cal. Sept. 23, 2016).
21 See Javier, , at *1.
22 Wilson v. Huuuge, Inc., 944 F.3d 1212, 1220-21 (9th Cir. 2019).
23 Id.
24 Swift v. Zynga Game Network, Inc., 805 F. Supp. 2d 904, 912 (N.D. Cal. 2011) ("Because Plaintiff was provided with an opportunity to review the terms of service in the form of a hyperlink immediately under the 'I accept' button and she admittedly clicked 'Accept," ... a binding contract was created[.]").
Hannah E. Brown is senior counsel in Gordon Rees Scully Mansukhani's San Diego office. She focuses her practice on intellectual property and commercial litigation and can be reached at [email protected]. Timothy Branson is a litigation partner in the firm's Southern California offices. He defends corporate clients against class-action cases and complex business disputes in both state and federal courts. He can be reached at [email protected]. Miles Scully is a partner in the firm. He represents public and private companies in litigation and regularly advises senior executives, boards of directors, and other clients on risk-mitigation strategies. Also based in the firm's Southern California offices, he can be reached at [email protected].
)
Hannah E. Brown)
Timothy Branson)
Miles Scully| End of Document | © 2024 Thomson Reuters. No claim to original U.S. Government Works. |