Opinion
22-cv-05827-DMR
05-28-2024
DANA TURNER, et al., Plaintiffs, v. NUANCE COMMUNICATIONS, INC., Defendant.
ORDER RE: DKT. NO. 49
DONNA M. RYU CHIEF MAGISTRATE JUDGE
This action began with two separately-filed putative class actions in which three named plaintiffs alleged that Defendant Nuance Communications, Inc. (“Nuance”) violated the California Invasion of Privacy Act (“CIPA”). The court consolidated the matters on May 31, 2023 and Plaintiffs subsequently filed a consolidated amended class action complaint. [Docket No. 34 (“CFAC”).] Nuance moves to dismiss the CFAC for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). [Docket No. 49 (“Mot.”).] The court held a hearing on April 11, 2024. For the following reasons, the motion is granted in part and denied in part.
I. FACTUAL BACKGROUND
Plaintiffs make the following allegations in the CFAC, all of which are taken as true for purposes of the motion to dismiss. Nuance “markets and provides an artificial intelligence software-as-a-service that allows businesses to authenticate their customers' identities with their voice,” called “Gatekeeper.” CFAC ¶ 1. Gatekeeper is a voice recognition software which “records a consumer's voice, creates a biometric voice print of the caller, and then examines that voiceprint to determine whether the caller is a potential fraudster in future calls, and-above all- to determine whether the caller is telling the truth when identifying themselves and attempting to gain access to their customer account.” Id. at ¶ 4. Businesses can license Gatekeeper and integrate it into their call centers to verify callers' identities. Id. at ¶¶ 5, 27.
When reviewing a motion to dismiss for failure to state a claim, the court must “accept as true all of the factual allegations contained in the complaint.” Erickson v. Pardus, 551 U.S. 89, 94 (2007) (per curiam) (citation omitted).
Nuance's marketing describes its Gatekeeper product as an “AI Risk Engine” which uses “[d]eep neural networks” to “analyze biometric, non-biometric, and other available data to make intelligent authentication and fraud risk assessments.” Id. at ¶ 31. Plaintiffs allege that Nuance “analyzes ‘more than 1,000 characteristics' of a person's unique voice, such as the sound of a person's voice, how they talk, what they say, their pattern of speech, word choice, grammar, and syntax.” Id. at ¶ 2. Nuance can “authenticat[e] individuals by the way they talk . . . and flag[] potential bad actors in as quick as half a second.” Id. at ¶ 28. Nuance's technology works by creating a voice print for each consumer derived from a recording and examination of the consumer's voice, enrolling those voice prints into a database, and then comparing the voice characteristics of later callers against its saved voice prints. Id. at ¶ 29. A voice print serves as an audible “fingerprint” which can “directly identify an individual.” Id. at ¶ 22. Plaintiffs allege that, by “segment[ing]” and “cluster[ing]” voices and metadata from prior callers, “Nuance turns individuals' personal biometric data into a product offering for corporate clients.” Id. at ¶ 30. Plaintiffs assert that Nuance has “amassed a massive database” of individuals' voice prints and retains that biometric data for “a significant period of time.” Id. at ¶¶ 32-33.
Plaintiffs claim that Nuance creates voice prints without the consumer's “knowledge or express written consent.” Id. at ¶ 37. Nuance's software “seamlessly incorporates into its customers' call centers, without adequate notice (or any at all) that Nuance . . . is even involved in the call.” Id. Plaintiffs allege that Nuance “listens to the consumer's voice quietly in the background of a call, and in such a way that consumers will likely be entirely unaware they are unknowingly interacting with a third-party company.” Id. at ¶ 3.
According to Plaintiffs, Nuance's voice recognition service exposes customers to significant risks. For example, Plaintiffs state that voices are highly personal and can reveal sensitive information about an individual's mental state and behaviors. Id. at ¶ 6. They also aver that artificial intelligence is “extremely susceptible to racial and gender bias,” and that voice examination technology has been known to mistakenly classify legitimate customers as fraudsters based on their voice, locking them out of their accounts and finances. Id. at ¶¶ 34-35. In addition, they allege that Nuance's system can be “easily fooled” by fraudsters, such as by using a free online AI voice cloning service with an audio recording of a person's voice. Id. at ¶ 36.
Plaintiff Turner called Chase's customer support call center on numerous occasions, including most recently in October 2022. Id. at ¶ 44. Turner alleges that she reasonably expected her conversation with Chase to be confidential because Chase was a banking entity, “which naturally involves the discussion of confidential information,” and because Turner spoke to Chase on her personal telephone and not in the direct presence of others. Id. at ¶ 45. During the call with Chase, Turner was asked to make various “yes” or “no” statements in order to respond to questions Chase asked her, or to otherwise provide additional information to Chase. Id. at ¶ 46. Unbeknownst to Turner, her call was recorded by Nuance's technology, which created a voice print for Turner and automatically enrolled her voice print in Nuance's biometric voice print database. Id. at ¶¶ 47-48. Turner asserts that she did not give her consent, written or otherwise, to “allow Nuance to wiretap her confidential communications with Chase.” Id. at ¶ 50-51.
Plaintiffs Smith and Youshei allege similar facts. They both called Chase's customer support call center multiple times during the past three years. Id. at ¶¶ 54, 63. They allege that they reasonably expected their conversations with Chase to be confidential. Id. at ¶¶ 55, 64. However, their calls were recorded by Gatekeeper, which created a voice print for each Plaintiff and automatically enrolled the voice prints in Nuance's biometric voice print database. Id. at ¶¶ 57, 66. Neither Nuance nor Chase disclosed to Plaintiffs that their voices were being recorded or analyzed by Nuance to make a voice print, nor that their voice prints were being enrolled in Nuance's voice print database. Id. at ¶¶ 59, 68. Plaintiffs Smith and Youshei allege that they did not consent to Nuance “collect[ing] [their] voice print[s] and to examine, record, wiretap, or analyze [their] voice[s] for any purpose whatsoever.” Id. at ¶¶ 60, 69.
Plaintiffs assert that Nuance violated Cal. Penal Code §§ 631(a), 632(a), and 637.3. They seek to represent a statewide class of similarly situated individuals, defined as: “All residents of the State of California who had their voice prints, voice stress patterns, or other elements of their conversation recorded and examined by Nuance without first obtaining prior written consent.” CFAC ¶ 72. Plaintiffs seek declarative relief, injunctive relief, and damages. Id. at 10.
II. PROCEDURAL BACKGROUND
Turner brought a putative class action on October 6, 2022. [Docket No. 1.] Turner filed a first amended class action complaint on January 9, 2023. [Docket No. 19.] Smith and Youshei also brought a putative class action, which the court related to Turner's case on March 30, 2023. [Docket No. 27.] The cases were subsequently consolidated on May 31, 2023. [Docket No. 33.] Plaintiffs filed the CFAC on June 14, 2023. Nuance now moves to dismiss the CFAC.
III. LEGAL STANDARD
A motion to dismiss under Rule 12(b)(6) tests the legal sufficiency of the claims alleged in the complaint. See Parks Sch. of Bus., Inc. v. Symington, 51 F.3d 1480, 1484 (9th Cir. 1995). When reviewing a motion to dismiss for failure to state a claim, the court must “accept as true all of the factual allegations contained in the complaint,” Erickson, 551 U.S. at 94 (2007) (citation omitted), and may dismiss a claim “only where there is no cognizable legal theory” or there is an absence of “sufficient factual matter to state a facially plausible claim to relief.” Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010) (citing Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009); Navarro v. Block, 250 F.3d 729, 732 (9th Cir. 2001)) (quotation marks omitted). A claim has facial plausibility when a plaintiff “pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678 (citation omitted). In other words, the facts alleged must demonstrate “more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do.” Bell Atl. Corp. v. Twombly, 550 U.S. 554, 555 (2007) (citing Papasan v. Allain, 478 U.S. 265, 286 (1986)); see Lee v. City of L.A., 250 F.3d 668, 679 (9th Cir. 2001), overruled on other grounds by Galbraith v. Cty. of Santa Clara, 307 F.3d 1119 (9th Cir. 2002).
As a general rule, a court may not consider “any material beyond the pleadings” when ruling on a Rule 12(b)(6) motion. Lee, 250 F.3d at 688 (citation and quotation marks omitted). However, “a court may take judicial notice of ‘matters of public record,'” id. at 689 (citing Mack v. S. Bay Beer Distrib., 798 F.2d 1279, 1282 (9th Cir. 1986)), and may also consider “documents whose contents are alleged in a complaint and whose authenticity no party questions, but which are not physically attached to the pleading,” without converting a motion to dismiss under Rule 12(b)(6) into a motion for summary judgment. Branch v. Tunnell, 14 F.3d 449, 454 (9th Cir. 1994), overruled on other grounds by Galbraith, 307 F.3d at 1125-26. The court need not accept as true allegations that contradict facts which may be judicially noticed. See Mullis v. U.S. Bankr. Court, 828 F.2d 1385, 1388 (9th Cir. 1987).
IV. DISCUSSION
California enacted CIPA in 1967 “to replace prior laws that permitted recording of telephone conversations when one party consents.” Lopez v. Apple, Inc., 519 F.Supp.3d 672, 688 (N.D. Cal. 2021) (citing Flanagan v. Flanagan, 27 Cal.4th 766, 768 (2002)). The Legislature was responding to concerns “that advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications.” Cal. Penal Code § 630. “The Legislature thus enacted CIPA ‘to protect the right of privacy of the people of' California from what it perceived as ‘a serious threat to the free exercise of personal liberties [that] cannot be tolerated in a free and civilized society.' . . . This philosophy lies ‘at the heart of virtually all decisions construing [CIPA].'” Lopez, 519 F.Supp.3d at 688 (quoting Ribas v. Clark, 38 Cal.3d 355, 359 (1985)).
Plaintiffs bring claims under three sections of CIPA: Cal. Penal Code §§ 631(a), 632(a), and 637.3.
Section 631 is titled “Wiretapping.” Section 631(a) contains four clauses which impose liability for “distinct and mutually independent patterns of conduct.” Tavernetti v. Superior Ct., 22 Cal.3d 187, 192 (1978). The first three clauses are at issue here. They impose liability on any person who:
(1) intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument,
(2) or who willfully and without the consent of all parties to the communication . . . reads, or attempts to read, or to learn the contents or meaning of any message . . . while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state;
(3) or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained.Cal. Penal Code § 631(a) (line breaks and subdivisions added). To make out a section 631 claim, plaintiffs must sufficiently allege that they did not consent to the defendant's conduct. See Silver v. Stripe Inc., No. 4:20-CV-08196-YGR, 2021 WL 3191752, at *3 (N.D. Cal. July 28, 2021) (finding that consent is appropriate to consider on a motion to dismiss CIPA claims). In addition, plaintiffs must show that the defendant was a third party who was not a participant in the communication. See Rogers v. Ulrich, 52 Cal.App.3d 894, 900 (1975) (finding that only third parties can be liable under section 631). Plaintiffs assert that they have stated a claim under each of the first three clauses of section 631(a).
The fourth clause, which imposes liability on any person who “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section,” is not at issue here. Cal. Penal Code § 631(a).
Section 632 is titled “Eavesdropping on or recording confidential communications.” It imposes liability on any person who “intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication.” Cal. Penal Code § 632(a). The three elements of a section 632(a) claim are: “(1) an electronic recording of (or eavesdropping on); (2) a ‘confidential' communication; and (3) all parties did not consent.” Weiner v. ARS Nat. Servs., Inc., 887 F.Supp.2d 1029, 1032 (S.D. Cal. 2012) (citing Flanagan v. Flanagan, 27 Cal.4th 766, 774-76 (2002)). The statute imposes liability for either eavesdropping or recording; Plaintiffs assert a claim under both prongs.
Plaintiffs also assert a claim under section 637.3. The statute reads: “No person or entity in this state shall use any system which examines or records . . . voice prints or other voice stress patterns of another person to determine the truth or falsity of statements made by such other person without his or her express written consent given in advance of the examination or recordation.” Cal. Penal Code § 637.3. Plaintiffs assert that Nuance (1) examined or recorded Plaintiffs' voice prints, (2) without their prior written consent, (3) in order to determine the truth or falsity of statements made by Plaintiffs.
Nuance moves to dismiss all of Plaintiffs' claims by arguing that Plaintiffs gave prior written consent to be recorded in their phone calls with Chase. Nuance also moves to dismiss the section 631 claims and the eavesdropping prong of the section 632 claim because Nuance argues that it is not an eavesdropping third party subject to CIPA. Specific to the second and third clauses of section 631, Nuance argues that Plaintiffs failed to allege that Nuance intercepted the “content or meaning” of any purported communication, or that it “used” any purportedly intercepted information for any purpose other than providing the information to Chase. See Cal. Penal Code § 631(a). Lastly, Nuance asserts that Plaintiffs' section 637.3 claim fails because Nuance's technology does not determine the truth or falsity of statements made.
A. Consent
To make out a claim under sections 631(a) and 632(a), Plaintiffs must allege that Nuance's conduct was without Plaintiffs' consent. See Silver, 2021 WL 3191752, at *3; Weiner, 887 F.Supp.2d at 1032. To state a section 637.3 claim, Plaintiffs must allege the lack of “express written consent.” See Cal. Penal Code § 637.3(a).
Plaintiffs assert that “[n]either Nuance nor Chase disclosed” to Plaintiffs that their voices were being “recorded or analyzed by Nuance to make a voice print . . . for the purposes of determining the truth or falsity of [Plaintiffs'] statements. Likewise, [Plaintiffs] did not give [their] consent, written or otherwise, to either Nuance or Chase to allow Nuance to wiretap [their] confidential communications with Chase.” CFAC ¶¶ 50, 59, 68. Nuance contends that Plaintiffs provided express written consent. Mot. 4. It requests that the court take judicial notice of eight exhibits which it asserts demonstrate Plaintiffs' consent, contradicting Plaintiffs' allegations in the CFAC. [Docket No. 50 (Request for Judicial Notice, “RJN”); 50-1 (Deck Decl., July 17, 2023) Exs. A-E; 50-2 (Moore Decl., July 18, 2023) Exs. A-C.] Plaintiffs do not dispute the authenticity of the documents, instead arguing that the language of the documents is too ambiguous to constitute consent to Nuance's conduct. Opp'n 7.
A district court generally may not consider any material beyond the pleadings in ruling on a Rule 12(b)(6) motion. Branch, 14 F.3d at 453. If “matters outside the pleading are presented to and not excluded by the court,” the court must treat the motion as a Rule 56 motion for summary judgment. See Fed.R.Civ.P. 12(d). “A court may, however, consider certain materials- documents attached to the complaint, documents incorporated by reference in the complaint, or matters of judicial notice-without converting the motion to dismiss into a motion for summary judgment.” United States v. Ritchie, 342 F.3d 903, 908 (9th Cir. 2003). “Both of these procedures permit district courts to consider materials outside a complaint, but each does so for different reasons and in different ways.” Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 998 (9th Cir. 2018). The Ninth Circuit has cautioned courts about the appropriate use of judicial notice and the incorporation by reference doctrine when ruling on Rule 12(b)(6) motions:
The overuse and improper application of judicial notice and the incorporation-by-reference doctrine . . . can lead to unintended and harmful results. Defendants face an alluring temptation to pile on numerous documents to their motions to dismiss to undermine the complaint, and hopefully dismiss the case at an early stage. Yet the unscrupulous use of extrinsic documents to resolve competing theories against the complaint risks premature dismissals of plausible claims that may turn out to be valid after discovery.... If defendants are permitted to present their own version of the facts at the pleading stage-and district courts accept those facts as uncontroverted and true-it becomes near impossible for even the most aggrieved plaintiff to demonstrate a sufficiently “plausible” claim for relief. Such undermining of the usual pleading burdens is not the purpose of judicial notice or the incorporation-by-reference doctrine.Id. (internal citations omitted).
Federal Rule of Evidence 201 governs judicial notice. Under Rule 201, a court may take judicial notice of “an adjudicative fact if it is ‘not subject to reasonable dispute.'” Id. at 999 (quoting Fed.R.Evid. 201(b)). A fact is “not subject to reasonable dispute” if it is “generally known,” or “can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” Fed.R.Evid. 201(b). While a court may take judicial notice of matters of public record without converting a motion to dismiss into a motion for summary judgment, it may not take judicial notice of disputed facts stated in public records. Lee, 250 F.3d at 690. “Just because [a] document itself is susceptible to judicial notice does not mean that every assertion of fact within that document is judicially noticeable for its truth.” Khoja, 899 F.3d at 999. If a court takes judicial notice of a document, it must identify the specific fact or facts it is noticing from the document. Id.
In contrast, the incorporation by reference doctrine is “a judicially-created doctrine that treats certain documents as though they are part of the complaint itself.” Id. at 1002. This is to prevent “plaintiffs from selecting only portions of documents that support their claims, while omitting portions that weaken-or doom-their claims.” Id. Incorporation by reference is appropriate “if the plaintiff refers extensively to the document or the document forms the basis of the plaintiff's claim.” Id. at 1002 (quoting Ritchie, 342 F.3d at 907). However, if a document “merely creates a defense to the well-pled allegations in the complaint, then that document did not necessarily form the basis of the complaint.” Id. Further, “the mere mention of the existence of a document is insufficient to incorporate the contents of a document.” Id. (quoting Coto Settlement v. Eisenberg, 593 F.3d 1031, 1038 (9th Cir. 2010)). The Ninth Circuit has instructed that “the doctrine is not a tool for defendants to short-circuit the resolution of a well-pleaded claim.” Id. Thus, “while a court may assume [an incorporated document's] contents are true for purposes of a motion to dismiss under Rule 12(b)(6) . . . it is improper to assume the truth of an incorporated document if such assumptions only serve to dispute facts stated in a well-pleaded complaint.” Id.; see also id. at 1014 (“The incorporation-by-reference doctrine does not override the fundamental rule that courts must interpret the allegations and factual disputes in favor of the plaintiff at the pleading stage.”).
According to Nuance's RJN, Exhibits A-C to the Declaration of Laura Deck are iterations of the Deposit Account Agreement (“DAA”) which were in effect when Plaintiffs opened their accounts with Chase Bank. Deck Decl. ¶¶ 2-7. Exhibits D-E are iterations of the DAA which were in effect when Plaintiffs filed their class action lawsuits. Id. at ¶¶ 12-13. Some versions of the DAAs include the language: “We may record and/or monitor any of our telephone conversations with you....We may use your voice to verify your identity.” Id. Exs. A, D and E § VI.C. All of the DAAs also include a Privacy Notice, which states that Chase “can share your personal information” “[f]or our everyday business purposes-such as to process your transactions [and] maintain your account(s)[.]” Id. Exs. A-E at Privacy Notice at 1. Exhibit A to the Declaration of Christopher Moore is a copy of the Personal Electronic Signature Card digitally signed by Plaintiff Turner when she opened an account with Chase Bank. Moore Decl. ¶ 7. It states that Turner “read and agree[d] to the . . . Deposit Account Agreement.” Id. Ex. A at 1. Exhibits B-C are copies of the Personal Signature Cards signed by Plaintiffs Youshei and Smith when they opened accounts with Chase Bank. Id. at ¶¶ 8-9. The signature cards state that they “acknowledge[d] receipt of the Bank's Deposit Account Agreement . . . and agree[d] to be bound by the terms and conditions contained therein as amended from time to time.” Id. Exs. B-C at 1. The copies of the DAA and the signature cards were taken from Chase's records. Deck Decl. ¶ 1; Moore Decl. ¶ 2.
Nuance argues that the exhibits are incorporated by reference because lack of consent forms the basis of their CIPA claims. See Garcia v. Enter. Holdings, Inc., 78 F.Supp.3d 1125, 1136 (N.D. Cal. 2015) (finding that lack of consent is an express element of a CIPA claim). In Garcia, the court took judicial notice of the defendant Zimride's Terms of Service and Privacy Policy because the plaintiff's claim “necessarily depend[ed] on the application of Zimride's policies-which relate directly to the issue of consent.” Id. Nuance argues that, likewise, Plaintiffs' claims depend on the contents of the DAA.
Garcia was decided before Khoja clarified the proper standard for judicial notice and is not binding on this court. Under Khoja, there are only “rare instances when assessing the sufficiency of a claim” requires the incorporation of materials that the complaint did not reference at all, such as a defamation claim where the plaintiff did not include the context of the allegedly defamatory publication. Khoja, 899 F.3d at 1002 (citing Knievel v. ESPN, 393 F.3d 1068 (9th Cir. 2005)). This case is not one of those “rare instances” because it is possible to assess the sufficiency of Plaintiffs' claims on the face of the complaint. See id. Plaintiffs clearly alleged that they were not aware and did not consent to Nuance's software recording and examining their voices. CFAC ¶¶ 50-51, 59-60, 68-69. Plaintiffs did not rely on the DAA for any of their claims. Nuance cites to several cases which find that lack of consent is an element of a CIPA claim, but none of these cases hold that it is appropriate to incorporate documents to find consent when the documents were not even mentioned in the complaint. See, e.g., Silver, 2021 WL 3191752, at *4; Smith v. Facebook, Inc., 262 F.Supp.3d 943, 955 (N.D. Cal. 2017). Incorporation of the DAA is not appropriate in this instance.
Alternatively, Nuance argues that its exhibits are subject to judicial notice because the current version of the DAA appears on a publicly available website. The court is not persuaded that just because the latest version of a document is publicly available, all prior versions of the document are judicially noticeable. To the contrary, Nuance admits that the DAA has been revised multiple times over the years, so the current version of the DAA may not be the same as the version Plaintiffs allegedly read. Cf. Hammerling v. Google LLC, No. 21-CV-09004-CRB, 2022 WL 17365255, at *4 (N.D. Cal. Dec. 1, 2022), aff'd, No. 22-17024, 2024 WL 937247 (9th Cir. Mar. 5, 2024) (declining to take judicial notice of the most recent privacy policy of the defendant because it may be different from the version read by plaintiffs).
Even if the court could take judicial notice of the DAA, there is a factual dispute over whether the DAA sufficiently notified Plaintiffs of Nuance's conduct. A court can find consent on a motion to dismiss if the disclosures “‘explicitly notify' users of the practice at issue....The disclosures must have only one plausible interpretation for a finding of consent.” Calhoun v. Google LLC, 526 F.Supp.3d 605, 620 (N.D. Cal. 2021) (quoting In re Google, Inc., 2013 WL 5423918, at *12 (N.D. Cal. Sept. 26, 2013)). Plaintiffs argue that the language of the DAA only discloses that Chase, not third parties, may record consumers' voices. Opp'n 8. Plaintiffs also contend that the language in the Privacy Policy does not notify consumers that their live phone conversations may be intercepted by third parties to create voice prints. Opp'n 8-11. This is a factual dispute which is not appropriate for resolution at the pleadings stage. See In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767, 789 (N.D. Cal. 2019) (“[I]f the contract language at issue is reasonably susceptible to more than one interpretation, with one of those interpretations suggesting consent and another belying it, the Court cannot decide the consent issue in [the defendant's] favor at the motion to dismiss stage.”); McCoy v. Alphabet, Inc., No. 20-CV-05427-SVK, 2021 WL 405816, at *6 (N.D. Cal. Feb. 2, 2021) (declining to find consent on a motion to dismiss because defendant did not disclose how it used plaintiffs' data with the sufficient “level of specificity”).
In a CIPA case, it is unclear whether it is ultimately the defendant's or the plaintiff's burden to prove the issue of consent. See Brown v. Google LLC, No. 4:20-CV-3664-YGR, 2023 WL 5029899, at *7 (N.D. Cal. Aug. 7, 2023) (finding that consent is a defense which the defendant must prove); contra In re Google Assistant Priv. Litig., 457 F.Supp.3d 797, 828 (N.D. Cal. 2020) (finding that the plaintiff has the burden to prove lack of consent). It is not necessary for the court to resolve this issue in adjudicating this motion.
The court denies Nuance's request for judicial notice and denies the motion to dismiss on the issue of consent.
B. “Third Party” Under Sections 631 and 632
Participants in a conversation cannot be held liable for unauthorized wiretapping under section 631; only a third party who intercepts that conversation is culpable. See Rogers, 52 Cal.App.3d at 900 (“It is never a secret to one party to a conversation that the other party is listening to the conversation; only a third party can listen secretly to a private conversation.”). For the same reason, a party cannot “eavesdrop” on their own conversation under the first prong of section 632.Only a third party can do that. See Thomasson v. GC Servs. Ltd. P'ship, 321 Fed.Appx. 557, 559 (9th Cir. 2008) (finding that the defendant was not liable for monitoring the defendant's own phone call with plaintiffs under the eavesdropping prong of section 632).
Section 632 makes it illegal to either “eavesdrop upon or record” confidential communications. Cal. Penal Code § 632(a) (emphasis added). The third party doctrine applies to “eavesdropping,” but not “recording.” See, e.g., Kearney v. Salomon Smith Barney, Inc., 39 Cal.4th 95, 119 (2006) (finding that a defendant can be liable under section 632 for recording its own conversation with plaintiff if plaintiff did not consent to the recording). At the April 11, 2024 hearing, Nuance acknowledged this point and clarified that it is only challenging Plaintiffs' section 632 claim under the eavesdropping and not the recording prong.
To make out their claims under section 631 and the first prong of section 632, Plaintiffs must allege that Nuance was a third party intercepting Plaintiffs' conversations with Chase. Nuance argues that Plaintiffs have failed to meet this burden because Nuance only provided a tool that Chase used for its own purposes. Mot. 9. According to Nuance, its voice recognition software is “merely an extension of” Chase, so Nuance did not intercept Plaintiffs' conversations as a third party. Id. at 9-10. Plaintiffs argue that Nuance does more than offer a tool-it actively offers and conducts an eavesdropping service as an independent third party. Opp'n 17.
Two seminal California Supreme Court cases delineate when a defendant is a third party and when a defendant merely provides a tool to a participant in the conversation. In Ribas, the court found that third-party liability is triggered when there is an “unannounced second auditor” to a conversation, such as when a participant invites a third person to simultaneously “listen on an extension telephone” to a conversation with an unknowing participant. Ribas v. Clark, 38 Cal.3d 355, 358-361 (1985). By contrast, in Rogers, the court found that third-party liability is not triggered if a participant uses a “tape recorder jack . . . installed on [the] telephone by the telephone company” to record a phone conversation and later play it back to a third party. Rogers, 52 Cal.App.3d at 897-99. Therefore, the question before the court is whether Nuance's artificial intelligence software is more like the “unannounced second auditor” in Ribas, or the “tape recorder” in Rogers. Put differently, “the question boils down to whether [Nuance] was an independent third party hired to eavesdrop on [Chase's] communications, or whether [Nuance's] software was merely a tool that [Chase] used to record its own communications with plaintiff.” See Williams v. What If Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275, at *3 (N.D. Cal. Dec. 22, 2022).
Nuance argues that it is not a third party because the alleged artificial intelligence software does not capture communications for Nuance's own uses, but only to facilitate Chase's purposes. Mot. 10. Nuance cites Graham v. Noom, Inc., which found that third-party liability was not triggered where a software-as-a-service (“SaaS”) provider captured a client website's visitor data, hosted the data on the SaaS provider's servers, and allowed the client to review that data. 533 F.Supp.3d 823, 832 (N.D. Cal. 2021). In Graham, the defendant FullStory developed a software which could record a website visitor's data such as “keystrokes, mouse clicks, and page scrolling.” Id. at 828. Clients could put FullStory's code on their websites, and then see a “playback” of how each visitor was using its website. Id. Visitors' data was stored in the cloud on FullStory's servers. Id. The Graham court found that FullStory was not a third party under section 631 because it was only a “vendor” that “provide[d] a tool . . . that allow[ed] [a client] to record and analyze its own data in aid of [the client's] business.” Id. at 832-33. Key to the court's decision was its finding that “there are no allegations here that FullStory intercepted and used the data itself. Instead, as a service provider, FullStory is an extension of [the client].” Id. Nuance argues that, likewise, Plaintiffs do not allege that Nuance used the intercepted data for its own purposes.
Plaintiffs make two counter-arguments: (1) Graham is distinguishable on its facts, and (2) Graham incorrectly interpreted the statute because a SaaS provider does not have to use the intercepted data for its own purposes to qualify as a third party. Opp'n 18-20. As to the first point, Plaintiffs argue that the SaaS provider in Graham was more like a tape recorder because it was only capable of capturing and storing data for the client's review. See Graham, 533 F.Supp.3d at 832-33. In contrast, Nuance is not like a tape recorder because it uses captured data to conduct sophisticated biometric analyses, such as creating voice prints and authenticating customers. CFAC ¶¶ 28-31. For this reason alone, Plaintiffs argue that Graham does not apply.
To support the second point, Plaintiffs cite Saleh v. Nike, Inc., 562 F.Supp.3d 503, 520 (C.D. Cal. 2021) and Javier v. Assurance IQ, LLC, 649 F.Supp.3d 891, 900 (N.D. Cal. 2023), which both found that the statutory language of section 631(a) does not require the SaaS provider to use the intercepted information for its own purposes in order to be a third party. Instead, a plaintiff only needs to plead that the SaaS provider has “the capability to use its record of the interaction for any other purpose” independently of its client. Javier, 649 F.Supp.3d at 900 (emphasis in original). If the SaaS provider can monitor, analyze, and store information and can use that information for independent purposes, then it has capabilities “beyond the ordinary function of a tape recorder,” so it is a third party. Id. (quoting Yoon v. Lululemon USA, Inc., 549 F.Supp.3d 1073, 1081 (C.D. Cal. 2021)).
There is a split in the Ninth Circuit on the standard used to define a third party. On this issue, Javier is instructive. Judge Breyer identified two problems with including the defendant's actual use of the intercepted data as a necessary element to prove that the defendant is a third party. Javier, 649 F.Supp.3d at 900. The first is that “use” is already an element of the third clause of section 631, which penalizes anyone “who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information” obtained by unauthorized wiretapping. Cal. Penal Code § 631(a). Therefore, “reading a use requirement” into all three clauses would “add requirements that are not present (and swallow the third [clause] in the process).” Javier, 649 F.Supp.3d at 900 . The California Supreme Court has emphasized that the three clauses of Cal. Penal Code § 631(a) are “three distinct and mutually independent patterns of conduct,” which supports Judge Breyer's reasoning and conclusion. See Tavernetti, 22 Cal.3d at 192.
Second, the California Supreme Court in Ribas did not consider the alleged eavesdropper's intentions or how they used the information they obtained. Javier, 649 F.Supp.3d at 900 (citing Ribas, 38 Cal.3d at 360-61). “Instead, [the Ribas court] emphasized the privacy concerns at issue with having an ‘unannounced second auditor' listening in on the call, when Section 631 concerns ‘the right to control the nature and extent of the firsthand dissemination of [their] statements.'” Id. (quoting Ribas, 38 Cal.3d at 360-61). Following this reasoning, Judge Breyer found only two ways that a SaaS provider like Nuance may fall under the party exception: “(1) If [Nuance] does not have the capability to use its record of the interaction for any other purpose (just as a tape recorder has no independent capability to divulge the recording for any other purpose but that of its owner); or (2) the ubiquity of services like [Nuance] effectively renders it party to the ‘firsthand dissemination' of [Plaintiffs'] information to [Chase].” See id. (citing Ribas, 38 Cal.3d at 36061).
The court is persuaded by the reasoning in Javier, tracking a growing number of district courts which have reached the same conclusion. See, e.g., Balletto v. Am. Honda Motor Co., No. 23-CV-01017-JSW, 2023 WL 7026931, at *2 (N.D. Cal. Oct. 24, 2023); Yockey v. Salesforce, Inc., No. 22-CV-09067-JST, --- F.Supp.3d ---, 2023 WL 5519323, at *5 (N.D. Cal. Aug. 25, 2023); Valenzuela v. Super Bright LEDs Inc., No. EDCV2301148JAKSPX, 2023 WL 8424472, at *7 (C.D. Cal. Nov. 27, 2023); Rodriguez v. Ford Motor Co., No. 323CV00598RBMJLB, ---F.Supp.3d ---, 2024 WL 1223485, at *13 (S.D. Cal. Mar. 21, 2024).
Nuance does not contend that its services are ubiquitous. The question therefore turns on whether Nuance had the “capability” to use the recorded phone conversations for its own purposes. See Javier, 649 F.Supp.3d at 900. “To ask a plaintiff to plead with great particularity exactly what a third-party software company is capable of doing with data gathered from defendant's website sets the pleading bar too high....However, a plaintiff still must have at least pled some non-conclusory factual allegations to support the use capabilities of the third-party software company involved.” Heiting v. Taro Pharms. USA, Inc., No. 2:23-CV-08002-SPG-E, ---F.Supp.3d ---, 2023 WL 9319049, at *4 (C.D. Cal. Dec. 26, 2023). The Balletto cases provide helpful guidance on sufficient pleading of capability. In Balletto I, the court granted the defendant's motion to dismiss because the plaintiff failed to show that the SaaS provider, Salesforce, was a third party. 2023 WL 7026931, at *1-2. The plaintiff's complaint alleged that Salesforce “analyze[d] customer-support agent interactions in real time to create live transcripts of” chat communications on the client's website. Id. at *1. The court found that this did not support a reasonable inference that Salesforce was capable of using the communications for any purpose other than furnishing them to the client. Id. at *3. After amendment, the court in Balletto II allowed the complaint to go forward. Balletto v. Am. Honda Motor Co., No. 23-CV-01017-JSW, 2024 WL 589090, at *3 (N.D. Cal. Feb. 13, 2024). The plaintiff added allegations that Salesforce “intercepts . . . communications and sends those communications to its Einstein data intelligence platform.... Salesforce then has the capability to use the information contained in chats ‘to (i) improve Salesforce's own products and services; (ii) develop new Salesforce products and services; and (iii) analyze Chat communications to assist with customer service interactions and data analytics.'” Id. at *1 (citation omitted). This was sufficient to show that Salesforce was a third party. Id. at *3.
Plaintiffs have sufficiently alleged that Nuance is capable of using intercepted data for purposes other than furnishing the data back to the client. The CFAC states that Nuance turns recordings of consumers' voices into “voice print[s],” enrolls those voice prints into a database of voice prints, and then compares the voice characteristics of later callers against its saved voice prints. CFAC ¶ 29. Plaintiffs allege that Nuance developed an “AI Risk Engine” which uses “[d]eep neural networks” to “analyze” consumers' voices and “make intelligent authentication and fraud risk assessments.” Id. at ¶ 31. Plaintiffs also assert that Nuance has “amassed a massive database” of voice prints, including a “watchlist” of “known fraudsters,” and retains the voice prints for “a significant period of time.” Id. at ¶¶ 32-34. Based on these allegations, the court may reasonably infer that at the very least, Nuance can use consumers' voice prints to improve its own products and services-for example, to improve the accuracy of its authentication software for uses beyond benefiting Chase. This is sufficient to show that Nuance is capable of creating, recording, and retaining biometric data for purposes other than sending the data back to Chase.
In fact, at the hearing, Plaintiffs stated that they can amend their complaint to more directly allege that Nuance uses its Chase voice print database for other clients. They should do so, as the court now grants them leave to amend the CFAC for other purposes discussed below.
Plaintiffs have adequately alleged that Nuance is an independent third party. Nuance's motion to dismiss Plaintiffs' claims under section 631 and the eavesdropping prong of section 632 based on the third-party doctrine is denied.
C. Failure to State a Claim Under Section 631
Nuance argues that Plaintiffs have failed to state a claim under the second and third clauses of section 631. The second clause of the statute prohibits “[willfully] attempting to learn the contents or meaning of a communication in transit over a wire.” Tavernetti, 22 Cal.3d at 192 (citing Cal. Penal Code § 631(a)). The third clause prohibits “attempting to use or communicate information obtained as a result of” violating the first two clauses of the statute. Id. According to Nuance, Plaintiffs' claim under the second clause fails because Plaintiffs did not allege that Nuance learned the “contents or meaning” of communications. Mot. 13. Nuance argues that Plaintiffs' claim under the third clause fails because Plaintiffs did not plead that Nuance “used” the allegedly intercepted recordings. Id. at 15.
1. Contents or Meaning
In order to state a claim under the second clause of section 631, Plaintiffs must identify the “contents” of the communications that Nuance allegedly intercepted. See Brodsky v. Apple Inc., 445 F.Supp.3d 110, 127 (N.D. Cal. 2020). The term “contents” is defined as “any information concerning the substance, purport, or meaning of that communication.” Id. (quoting 18 U.S.C. § 2510). “Contents” refers to “the intended message conveyed by the communication,” as opposed to “record information regarding the characteristics of the message that is generated in the course of the communication.” In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). For example, text messages qualify as contents. Brodsky, 445 F.Supp.3d at 127 (citing In re Carrier IQ, Inc., 78 F.Supp.3d 1051, 1083 (N.D. Cal. 2015)). The “source, destination, duration, and time of a call” are not considered contents. United States v. Reed, 575 F.3d 900, 916 (9th Cir. 2009).
This definition is drawn from the Wiretap Act, the “federal counterpart” of CIPA. Bradley v. Google, Inc., No . C 06-05289 WHA, 2006 WL 3798134, at *6 (N.D. Cal. Dec. 22, 2006). The analysis for a violation under the Wiretap Act is the same as that under CIPA. Id.
Nuance argues that its software only analyzes the “characteristics” of the allegedly intercepted communications, namely the speaker's identity. Mot. 14. This ignores Plaintiffs' allegations that Nuance authenticates consumers by analyzing the substance of their conversations with Chase, including “word choice, grammar, syntax, and other elements across messaging and transcribed voice interactions.” CFAC ¶ 30. Nuance's challenge fails because this is clearly content, not just “characteristics” of communications. In the simplest terms, Plaintiffs allege that Nuance identifies speakers by analyzing “[w]hat they say.” CFAC ¶ 31.
2. Use of Information
In order to establish a claim under the third clause of section 631, Plaintiffs must allege that Nuance “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way,” the information it obtains by violating the first two clauses. Cal. Penal Code § 631(a). Nuance argues that Plaintiffs' claim under the third clause fails because Nuance does not use the allegedly intercepted data “for any purpose outside of furnishing it to customers like Chase to support the customers' fraud detection efforts.” Mot. 15. Plaintiffs argue that creating voice prints and analyzing the voice prints to identify fraud is itself a “use” that triggers CIPA liability. Opp'n 22.
Nuance appears to conflate “use” under the third clause of section 631 with “use” or “capability of use” under the third-party analysis discussed above. Nuance cites Licea v. Old Navy, LLC, which followed the Graham line of cases to find that the SaaS provider was not a third party because it did not “record[] . . . customers' information for its independent use.” 669 F.Supp.3d 941, 946-47 (C.D. Cal. 2023). As noted above, this court does not follow Graham. Moreover, Licea is not helpful because it dismissed the section 631 claims based on the third-party analysis and did not reach “use” under the third clause. Nuance also cites cases following Javier which dismissed the section 631 claims because the SaaS provider was not a third party. See, e.g., Rodriguez, 2024 WL 1223485, at *13 (finding that the plaintiff did not adequately allege that the SaaS provider had “the capability of using the [intercepted] data for its own purposes and benefit”). But these cases also did not reach the third clause of 631. In other words, Nuance's cases are inapposite. The third-party analysis discussed above is distinct from the analysis of the third clause of section 631; nowhere does Nuance explain why it is appropriate to inject considerations from the third-party doctrine into the third clause of section 631.
To the contrary, the statutory language prohibits the use of intercepted communications “in any manner, or for any purpose.” Cal. Penal Code § 631(a). The statute does not contain the limiting language Nuance wants to read into it-i.e., that the statute prohibits use, except if the purpose of the use is to benefit a party to the communication. A broad reading of “use” is supported by the case law. For example, in Valenzuela v. Nationwide Mut. Ins. Co., the court joined the Javier line of cases in finding that the SaaS provider was a third party even if it did not use the data for its own independent purposes. No. 222CV06177MEMFSK, --- F.Supp.3d ---, 2023 WL 5266033, at *7 (C.D. Cal. Aug. 14, 2023). Separately, the court considered use under the third clause of section 631. Id. at *6. The court found that the plaintiff met her burden to show use because she alleged that the SaaS provider harvested data as part of its business model, even if such data was only harvested for the client's benefit. Id. at *6. In other words, data harvesting is a “use” under section 631, and “any purpose” includes for the sole benefit of the client. See id. The third prong of section 631 does not require a use independent of the client.
Nuance does not dispute that Plaintiffs have alleged that Nuance “uses its recordings of customers' voices to create voice prints, which Nuance then uses to assess whether customers are who they purport to be and sends real-time alerts to Chase to confirm the identities of customers.” [Docket No. 53 (Reply) 13.] Nuance's only argument is that the alleged uses were for the benefit of Chase, not Nuance. Id. But “[n]othing more is required” to show use under the third clause of section 631. See Valenzuela, 2023 WL 5266033, at *6.
Nuance's motion to dismiss Plaintiffs' section 631 claim on these grounds is denied.
D. Failure to State a Claim Under Section 637.3
Section 637.3 prohibits the examining or recording of “voice prints or other voice stress patterns . . . to determine the truth or falsity of statements made.” Cal. Penal Code § 637.3(a). Plaintiffs allege that Gatekeeper “ascertain[s] the truth or falsity of statements that consumers make during their telephone conversations with call centers,” such as consumers' “assertions regarding their respective identities” and “various ‘yes' or ‘no' statements in order to respond to questions.” CFAC ¶¶ 40, 46. Nuance argues that Plaintiffs have only alleged that Gatekeeper functions as a means of identification, not as a lie detector. Mot. 21.
There are very few cases about the application of section 637.3 to emerging technology like Gatekeeper, but Balanzar v. Fidelity Brokerage Services, LLC is directly on point. 654 F.Supp.3d 1075 (S.D. Cal. 2023). In Balanzar, the defendant's voice authentication technology “create[d] a ‘biometric voice print' of a caller, which [was] saved and used to verify the caller's identity . . . [t]hrough natural conversation.” Id. at 1078. The court held that such technology was “nothing more than a biometric passcode and [was] not a lie detector.” Id. at 1086. Likewise, Plaintiffs have alleged that Gatekeeper uses biometric voice prints to verify a caller's identity “by the way they talk, text and type . . . flagging potential bad actors in as quick as half a second.” CFAC ¶ 28. Plaintiffs attempt to distinguish Balanzar by arguing that, when a customer calls Chase for the first time, they are asked a series of “yes” or “no” questions to identify themselves, and Nuance analyzes those statements for their truth when authenticating the customer. Opp'n 24. These allegations are vague and conclusory. Rather, the pleadings suggest that Gatekeeper uses general conversation to create an audible “fingerprint,” which is then used to directly identify an individual. CFAC ¶ 22. This is similar to the “biometric passcode” in Balanzar. See Balanzar, 654 F.Supp.3d at 1086.
Plaintiffs urge the court to extend section 637.3 to include biometric voice authentication as a “new generation[] of lie detector[].” Opp'n 23. This stretches beyond the plain meaning of section 637.3, which is limited to technology used “to determine the truth or falsity of statements made.” Cal. Penal Code § 637.3(a). The allegations in the CFAC do not lead to a reasonable inference that Gatekeeper determines the truth or falsity of any specific statements; only that Gatekeeper “compare[s] the voice characteristics of later callers against their saved voice prints” to identify a caller. CFAC ¶ 29.
At the hearing, Plaintiffs stated that they can amend their complaint to plead specific statements the truth or falsity of which Nuance determined using Plaintiffs' voice prints. Therefore, Plaintiffs' claim under section 637.3 is dismissed with leave to amend the CFAC to address the deficiencies identified in this order.
V. CONCLUSION
Defendant's motion to dismiss Plaintiffs' claims under CIPA sections 631 and 632 is denied. Defendant's motion to dismiss Plaintiffs' claim under section 637.3 is granted with leave to amend. As discussed in footnote 5, Plaintiffs shall also amend the CFAC to more specifically allege that Nuance uses its Chase database of voice prints for other clients. The amended complaint is due on June 18, 2024.
IT IS SO ORDERED.