Lacoste Named in Data Privacy Lawsuit Over AI Chatbot “Eavesdropping”


March 7, 2023 - By TFL


Lacoste USA Inc. has landed on the receiving end of a newly amended complaint accusing it of “secretly enabl[ing] and allow[ing] a third-party spyware company to eavesdrop on the private conversations of everyone who communicates through” the artificial intelligence (“AI”)-driven chat feature on its website. According to the lawsuit that she filed with a California federal court on March 3, Annette Cody claims that by making use of AI chatbot Heyday, which “secretly harvests data for the transcripts [and] shares the private data with other companies … without obtaining visitor consent,” Lacoste is not only profiting from “targeted marketing campaigns using [that] private chat data” but it is also violating the California Invasion of Privacy Act (“CIPA”).

In the complaint, Cody asserts that Lacoste “has covertly embedded code into its chat feature that enables and allows” Heyday by Hootsuite (“Hootsuite”) to “secretly intercept in real time, eavesdrop upon, and store transcripts of [its] chat communications with unsuspecting website visitors,” which it then shares with various companies, including Facebook. The scheme works like this, according to Cody: “First, [Lacoste] allows Hootsuite to secretly intercept, store, harvest, and exploit its chat transcripts with customers. Second, Hootsuite provides the chat transcripts to Meta. Third, Meta identifies user interests by harvesting the chat data provided by Hootsuite. Fourth, Meta’s subsidiaries like Facebook and WhatsApp sell advertising space to companies that wish to take advantage of ‘targeted advertising’ opportunities created by harvesting data from the chat transcripts. Fifth and finally, the unsuspecting chat user is bombarded with targeted advertising.”

The problem, per Cody, is that Lacoste “neither informs visitors” of its alleged practice of enabling Hootsuite – which is not named as a defendant – “to intercept, record, and eavesdrop upon private chat conversations with customers” and to “harvest valuable data from those chat transcripts and share it with Meta,” nor does it “obtains [visitors’] consent to these intrusions.” Moreover, she asserts that Lacoste’s actions are “not incidental to the act of facilitating e-commerce, nor are they undertaken in the ordinary course of business.” Instead, such “eavesdropping” is “contrary to industry norms and the legitimate expectations of consumers.”

With the foregoing in mind and given that CIPA “prohibits both wiretapping and eavesdropping of electronic communications without the consent of all parties to the communication,” Cody alleges that Lacoste is on the hook for violating the state privacy statute, namely, sections 631 and 632.7, and is seeking certification of her proposed class action, injunctive relief, and monetary damages. 

(As for Hootsuite, Cody does not name the company behind the “Conversational AI” bot as a defendant in the lawsuit, asserting, instead, that “Hootsuite’s manipulation, monetization, use of, and exploitation of the data it is able to gather through the chat feature in real time makes it more than a mere ‘extension’ of [Lacoste].” This appears to be in line with decisions in the Graham v. Noom, Inc., Johnson v. Blue Nile, Inc., and Yale v. Clicktale, Inc. cases, in which the courts “determined, consistent with the spirit and intent of the law, to prevent third party intrusion into private communications, that the third party service provider ‘is an extension of’ the website operator, and thus, neither an unlawful interloper, nor the principal in an unlawful aiding and abetting scheme,” Bryan Cave’s Daniel Rockey and Merrit Jones noted last fall.)

THE BIGGER PICTURE: CIPA was originally enacted as a prohibition against wiretapping, eavesdropping, and recording private confidential conversations, per Shook, Hardy & Bacon’s Jennifer McLoone and Rachel Straus, who stated in a recent note that “in the past few years, plaintiff firms have filed dozens of cases trying to stretch CIPA to use it as a vehicle to sue software developers and businesses for using ‘session replay’ software to monitor consumer interactions with websites (a very common practice).” McLoone and Straus point to the Ninth Circuit’s decision in Javier v. Assurance IQ – in which the appeals court held that s. 631(a) of the CIPA “require[s] the prior consent of all parties to a communication” – as prompting “a new wave of class action lawsuits in California based on new wiretapping theories.”

Reflecting on the Ninth Circuit’s decision in Javier, Katten Muchin Rosenman’s Christina Grigorian and Trisha Sircar asserted that the “implications are significant with respect to website operators’ collection of customer information in California.” Although certain obligations already existed in California law with respect to the collection of consumer information, they noted that the Javier ruling “is certain to entice the plaintiffs’ bar to allege violations of the CIPA in instances where a website operator does not obtain prior express consent from a website user before collecting information about such user.” 

And in fact, “Since the Javier decision was decided there have been hundreds of demand letters sent and cases filed alleging CIPA violations based on the chat feature,” per McLoone and Straus. (Many of the same plaintiffs’ firms involved in the “session replay” software cases now appear to be focusing their efforts on AI chatbot-centric CIPA cases in a similar manner, and the Lacoste lawsuit appears to be no exception.) They note that they are “seeing an uptick in cases outside of California, including recent ones filed against clients in Florida, Missouri, Massachusetts, and Pennsylvania, alleging violations of both federal and state wiretap statutes.”

As for the viability of AI chatbot cases: “Many of the same defenses that were successful against the session replay cases should defeat claims targeting chatbots,” according to a note from Norton Fulbright’s Jeffrey Brian Margulies and Eva Yang. “A variety of defenses – including consent, agency, the party exception, and jurisdictional challenges – have proven largely successful at keeping these claims at bay.” For example, they state that in dismissing claims alleged under CIPA s. 631(a), the U.S. District Court for the Northern District of California recognized in Graham v. Noom, Inc. “that the session-replay vendor merely provided a tool for the online business ‘to record and analyze its own data in aid of [the company’s own] business.’ The court, thus, aptly concluded, ‘There is no equivalent of a wiretap here, which supports the conclusion that [the session-replay vendor] is not a third-party eavesdropper.'”

A rep for Lacoste told TFL, “Like over a hundred other companies that simply offer a convenient option to chat with a customer service representative through our website, Lacoste was served with the same cookie-cutter lawsuit that the courts are beginning to routinely dismiss. We are confident that Lacoste will similarly prevail against these manufactured claims.”

The case is Cody v. Lacoste USA, Inc. et al., 8:23-cv-00235 (C.D. Cal.)
