As businesses increasingly rely on chatbots and third-party tracking tools to enhance used experience on their websites, they also face heightened scrutiny under privacy laws. The recent case of Valenzuela v. Kroger outlines the challenges businesses may face when utilizing these technologies, particularly as it relates to claims alleging unauthorized data collection.

In this case a California federal court granted Kroger's motion to dismiss a proposed class action alleging violations of California's wiretapping statute, Section 631(a) of the Penal Code. Plaintiff Valenzuela claimed that Kroger unlawfully intercepted and recorded online chat communications by using software provided by Emplifi, a third-party service. She argued that this violated the fourth prong of Section 631(a), which prohibits unauthorized eavesdropping on electronic communications.

Kroger sought dismissal of Valenzuela's Second Amended Complaint, contending that her allegations failed to plausibly establish a violation of the statute. The court agreed, finding that Valenzuela's claims were not sufficient to meet the legal standard required to proceed. As a result, the court dismissed the case without leave to amend.

Court Found Valenzuela's Allegations Insufficient to Establish Kroger's Liability Under California's Wiretapping Statute

In dismissing Valenzuela's claim against Kroger, the court analyzed California Penal Code section 631(a), which prohibits:

  1.  Intentionally tapping into, connecting to, or intercepting a telegraph or telephone line, cable, or communication system without authorization, whether through physical, electrical, or acoustic, or other means.
  2.  Unlawfully reading, attempting to read, or learning the contents of any message, report, or communication while it is being transmitted or received, without the consent of all parties involved.
  3. Using, attempting to use, or sharing any information that was unlawfully obtained through unauthorized interception or access.
  4.  Assisting, employing, or conspiring with someone else to commit any of the above actions, or to knowingly allow them to happen.

After losing several other motions to dismiss in favor of Kroger, in the second amended complaint Valenzuela argued that Kroger aided and abetted third-party software provider Emplifi in unlawfully intercepting chat communications on Kroger's website.

The court had previously ruled that for Valenzuela's claim to be plausible, she needed to allege facts showing that Kroger either knew Emplifi's conduct was unlawful or engaged in conduct that constituted a breach of duty. The second amended complaint attempted to address these deficiencies by asserting that Emplifi profited from intercepting and recording chat conversations, allowing Meta to mine user data. Valenzuela alleged that Kroger should have known about Emplifi's data-sharing practices because it enabled the software to be deployed quickly and at low cost.

However, the court rejected this reasoning, finding it implausible to infer that Kroger's awareness of Emplifi's efficiency equated to knowledge of wrongdoing. The court also dismissed Valenzuela's reliance on Emplifi's marketing claims, which emphasized that its chatbot mimicked a company's branding and could integrate with Facebook Messenger. The court noted that simply offering an opt-in feature for personalized notifications did not demonstrate unauthorized eavesdropping. Similarly, Emplifi's claim that chatbot data could be used to improve future bots did not support Valenzuela's assertion that user data was improperly harvested.

Valenzuela cited other court decisions to support her argument that Kroger's knowledge was not required to establish liability. See Revitch v. New Moosejaw, LLC, No. 18-CV-06827-VC, 2019 WL 5485330. However, the court found these cases unpersuasive. Instead, it sided with the ruling in Rodriguez v. Ford Motor Co., No. 3:23-CV-00598-RBM-JLB. 2024 WL 4957566, which clearly required knowledge or intent on the part of the business to qualify as aiding and abetting under section 631(a).

Thus, the court found Valenzuela's additional allegations insufficient to overcome the deficiencies identified in prior rulings. Given her repeated inability to present a plausible claim, the court dismissed the case without prejudice.

Key Takeaways for Businesses

Valenzuela v. Kroger provides valuable insights for businesses integrating chatbots or third-party tracking tools into their websites. The decision highlights critical factors courts may consider in assessing liability, particularly section 631(a). To mitigate legal exposure, businesses can employ proactive steps to ensure compliance with privacy laws. Some key takeaways from this decision include:

  • Businesses should be cognizant and aware of the activities of third parties whose services it employs. Liability may hinge on a company's knowledge, including what it should have reasonably learned from a vendor's documentation, marketing materials, or public statements.
  • In order to succeed in a case, plaintiffs must present detailed, fact-based claims demonstrating that a company knowingly participated in or enable unauthorized data collection.
  • Businesses should thoroughly vet third-party software providers to understand their data handling and sharing policies.
  • Businesses should consider agreements that require compliance with privacy laws and include indemnification provisions for potential violations.

The cyber law attorneys at WSHB are well-versed in the intricacies of this developing area of law. Should you have any questions or require further information, please do not hesitate to reach out to a member of our team.

By using this site, you agree to our updated Privacy Policy.