District court: company faces class action lawsuits over data collection



On July 28, the U.S. District Court for the Northern District of California granted in part and refused in part a request from an online payment processor to dismiss the collective complaints regarding several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “was secretly following[ed], collect[ed], and store[ed] personal data and web activity of merchant website visitors[s]And created software code that allows merchants to integrate the company’s payment platform into merchant applications. The complaint alleged that most consumers shopping online were unaware that their transactions were being processed by the defendant and instead thought they were communicating directly with merchants. Specifically, the defendant allegedly (i) obtained or stored sensitive information from consumers (such as financial information, location, IP addresses and purchase information); (ii) correlated all payments made by consumers across the defendant’s payment processing platform and delivered much of it to other merchant customers without notifying consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior on the defendant’s payment network. This allowed merchants to see a consumer’s purchase history of all transactions processed by the defendant and get a risk score at the transaction level of the defendant.

The court dismissed the motion to dismiss the allegations of invasion of privacy and intrusion by the plaintiffs under the California Constitution and at common law, finding that the plaintiffs sufficiently alleged that the plaintiffs had failed. consented to the disclosure by the defendant of their information to its merchants and customers. The court could not find that the plaintiffs had no reasonable expectation of privacy because the wording of the defendant’s privacy policy limited the sharing of information with third parties to assist in prevention or prevention. fraud detection or processing services only.

In dismissing the wiretapping allegations, the court looked at the “signature” agreement presented to consumers on the purchase payment page, which required the plaintiffs to agree to the defendant’s terms of service and privacy policy. every time they place an order. While complainants argued that the privacy policy “does not provide sufficient notice that [the defendant] would collect the information he made “, the court noted that the policy contained provisions revealing that third parties like the defendant” may obtain not only credit card data, but also “identifiers, demographic information, business information, relevant order information, internet activity, geolocation data, sensory information and inferences ”, and that partners may also“ use various technologies ”to“ collect information about [consumer] online activity over time and across different websites or online services. Among other things, the court found that the disclosures were binding on consumers, even though they were provided by the defendant and not by the traders.

The court dismissed in part the plaintiffs’ claims under the California Unfair Competition Act (UCL) and the California Consumer Protection Act (CCPA), in part because the CCPA “has no rights to ‘private action’ and ‘consumers cannot use the CCPA as the basis for a private right of action under any law. The court also dismissed the UCL plaintiffs ‘fraud component, but allowed the plaintiffs’ unfair competition under the UCL.



Comments are closed.