A recent decision from the Northern District of California on a motion to dismiss examined consent and other key privacy issues.  The putative class action claimed that payment processing company Stripe Inc. collected and used personal information from visitors to merchant partners’ websites in violation of various privacy laws, including the California Invasion of Privacy Act, Florida Security of Communications Act, and Washington’s wiretap law.

Stripe moved to dismiss based on plaintiffs’ consent to the challenged collection and uses, among other grounds.  On July 28, 2021, Judge Yvonne Gonzalez Rogers partially granted and partially denied Stripe’s motion.

The court first found that the privacy policy at issue constituted an enforceable “sign-in wrap” agreement because the merchant’s page displayed a “conspicuous and obvious” hyperlink and required users to agree to the policy when placing orders.  That policy disclosed that “partners” like Stripe “may” collect and use plaintiffs’ personal information, so the court concluded that plaintiffs had consented to Stripe’s data collection and dismissed their wiretap claims.  The decision is important in acknowledging that a third-party vendor (here, Stripe) can rely upon a commercial customer’s disclosure to its users to establish consent to the third party’s activities.

The court declined, however, to find at the pleading stage that plaintiffs also consented to Stripe’s alleged dissemination of their personal information to other third parties, such as Stripe’s own merchants and other customers.  On that basis, the court allowed plaintiffs’ privacy claims to proceed under the California constitution, common law, and the “unfair” prong of California’s Unfair Competition Law.