On July 28, the U.S. District Court for the Northern District of California granted in part and refused in part a request from an online payment processor to dismiss the collective complaints regarding several alleged violations of various state privacy and wiretapping laws and related claims. The plaintiffs alleged that the defendant “was secretly following[ed], collect[ed], and store[ed] personal data and web activity of merchant website visitors[s]And created software code that allows merchants to integrate the company’s payment platform into merchant applications. The complaint alleged that most consumers shopping online were unaware that their transactions were being processed by the defendant and instead thought they were communicating directly with merchants. Specifically, the defendant allegedly (i) obtained or stored sensitive information from consumers (such as financial information, location, IP addresses and purchase information); (ii) correlated all payments made by consumers across the defendant’s payment processing platform and delivered much of it to other merchant customers without notifying consumers; and (iii) installed cookies on consumers’ computers and mobile devices to track purchasing behavior on the defendant’s payment network. This allowed merchants to see a consumer’s purchase history of all transactions processed by the defendant and get a risk score at the transaction level of the defendant.
The court dismissed in part the plaintiffs’ claims under the California Unfair Competition Act (UCL) and the California Consumer Protection Act (CCPA), in part because the CCPA “has no rights to ‘private action’ and ‘consumers cannot use the CCPA as the basis for a private right of action under any law. The court also dismissed the UCL plaintiffs ‘fraud component, but allowed the plaintiffs’ unfair competition under the UCL.