Crowley v. Cybersource

Citation: Crowley v. Cybersource Corp., 166 F.Supp.2d 1263 (N.D. Cal. 2001)(full-text).

Factual Background
Amazon is an online merchant that sells books, CDs, and personal electronic devices over the Internet. Amazon uses CyberSource to verify the identity of persons making credit card purchases on its website. When a person makes a purchase on Amazon's site, that person transmits his name, address, telephone number, e-mail address, and credit card information to Amazon. Amazon transmits this information to CyberSource. CyberSource transmits the information to Amazon's bank and to the credit card association, which in turn routes the information to the customer's bank. The customer's bank responds to the credit card association, informing it that the transaction either has or has not been authorized, and that response is routed to CyberSource. If the transaction has not been authorized, CyberSource notifies Amazon, which cancels the transaction. If the transaction has been authorized, CyberSource notifies Amazon, which proceeds with the transaction, and the customer's bank approves a transfer of funds to Amazon's bank.

Plaintiff Crowley asserts that Amazon sends CyberSource far more information about Plaintiff and the members of the Class than is necessary to obtain authorization for the proposed purchase. He alleges that Amazon sends CyberSource "the Internet user's name, address, phone number, email address and even a description of the type of product being purchased." CyberSource allegedly uses the information as follows:

"Defendant CyberSource stores this personally identifiable and confidential information about Plaintiff and the Class Members, without their knowledge or consent, for at least six months for the purpose of creating and maintaining personal profiles on Plaintiff and the Class. Crowley further asserts that CyberSource, through its affiliations with entities such as amazing.com is able to and does compile historical records on Plaintiff and members of the class, including but not limited to, name, email address, address, phone number, credit card numbers, description of the product purchased and the amount of money expended on online purchases. This profile includes information regarding purchases made 'at any of the websites of Internet merchants with whom CyberSource has a similar relationship to that which it has with Amazon.'"

Prior to August 31, 2000, Amazon posted a Privacy Policy that stated that it was committed to protecting its customers' privacy and used the information it collected to process orders and to provide a more personalized shopping experience.

Trial Court Proceedings
This was a putative class action brought pursuant to the federal Wiretap Act ("Wiretap Act"), 18 U.S.C. §§2510-22, and the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§2701-09, by plaintiff Daragh Crowley ("Crowley") against defendants CyberSource Corporation ("CyberSource") and Amazon.com Inc. ("Amazon").

Based on this course of conduct, Crowley alleged the following causes of action: (1) interception and disclosure of wire, oral, or electronic communications in violation of the Wiretap Act, against both defendants; (2) violations of the ECPA, against Amazon; (3) unjust enrichment, against both defendants; (4) invasion of privacy, against both defendants; (5) negligence, against both defendants; (6) fraud by concealment, against both defendants; and (7) breach of contract, against Amazon.

Both Amazon and CyberSource filed motions to dismiss, challenging each of the causes of action in the amended complaint pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure. Additionally, Amazon challenged venue pursuant to Rule 12(b)(3) of the Federal Rules of Civil Procedure, asserting that a forum selection clause in a contract between it and purported class members provided that proper venue for this action lay in the State of Washington.

The trial court declined to dismiss for improper venue because the forum selection clause included in the merchant's participation agreement was not incorporated into the privacy policy, which was the subject of the purchaser's claims.

The Wiretap Act claims were dismissed because the merchant had not intercepted a communication between it and the purchaser when it received the purchaser's electronic purchase request. The ECPA claim failed because the online merchant's receipt of e-mails from the purchaser did not make it an electronic communication service provider. Moreover, the complaint's allegations did not demonstrate that the merchant had accessed the purchaser's computer given that the merchant had received a voluntary transmission of information from the purchaser. Finally, the merchant's access to its own systems was not limited under the ECPA.

The trial court declined to exercise jurisdiction over the remaining state claims given that the claims raised novel and complex issues regarding the applicability of state tort law to Internet commerce.