Jurgens v. Build.Com, Inc.

RHONDA JURGENS, Plaintiff, v. BUILD.COM, INC., Defendant.

Case No. 4:17-cv-00783-AGF

UNITED STATES DISTRICT COURT EASTERN DISTRICT OF MISSOURI EASTERN DIVISION

November 13, 2017

MEMORANDUM AND ORDER

This putative class action arises out of Defendant Build.com, Inc.'s alleged interception of its online customers' names, addresses, telephone numbers, and credit card information (defined in the complaint, collectively, as "Credit Card Details"), and disclosure of those details to unrelated third parties, without the customers' consent. The matter is now before the Court on Defendant's motion (ECF No. 24) to dismiss the second amended complaint of named Plaintiff Rhonda Jurgens with prejudice, for failure to state a claim and lack of standing. For the following reasons, the Court will grant Defendant's motion.

BACKGROUND

On or about March 29, 2014, Plaintiff used a computer to visit Defendant's website, on which consumers could purchase home improvement merchandise. On the website, Plaintiff selected kitchen plumbing hardware and added it to her online shopping cart, for a purchase price totaling $703.53. When Plaintiff clicked a button to begin the check-out process, the website displayed a payment page, including a payment form asking Plaintiff to enter her Credit Card Details. The payment page also included a button to "Review Order."

According to the second amended complaint, the following then transpired:

16. Plaintiff entered her Credit Card Details on the Payment Page. As she did so, with each keystroke that appeared on her monitor display, her changes were transmitted to a file in her browser referred to as the "DOM" (Document Object Model)—an internal browser capture of the real-time state of an active web page—in this case, the Payment Page, the payment form on it, and the payment data Plaintiff entered on it.

17. The DOM is a transient storage file, incidental to the receipt and sending of web communications.

B. Defendant's Interception of Plaintiff's Credit Card Details

18. While Plaintiff entered her Credit Card Details on Defendant's Page, as described above, it was not her intent to communicate with Defendant or any other party; rather, it was her intent to fill in the payment data in the payment form requested by Defendant, for transmittal to Defendant if and when she chose to click the button to confirm her purchase intent.

19. Plaintiff's entry of Credit Card Details was an electronic communication to temporary browser storage, as described above, but not to Defendant, and Defendant did not have consent or the right in any way to intercept her Credit Card Details . . . .

ECF No. 22 ¶¶ 16-19.

Plaintiff alleges that Defendant intercepted her Credit Card Details "through the use of electronic devices known as JavaScripts (computer commands) transmitted to Plaintiff's computer via the Internet from Defendant's computer facilities." Id. ¶ 21. These JavaScripts "were downloaded and executed on her computer because of Defendant's explicit instructions, built into its Payment Page," and Defendant interceptedPlaintiff's Credit Card Details while those details "were temporarily stored in Plaintiff's browser, before transmission over the Internet." Id. ¶¶ 29, 39.

Plaintiff further alleges that "by operation of those same scripts," Defendant disclosed Plaintiff's credit card information to six or more third parties. Id. ¶¶ 24, 26. These third parties were "providers of services such as image and video advertising, user tracking and profiling, and tracking of user mouse movements and clicks—none of which is necessary to process payments." Id. ¶ 22. Plaintiff alleges that, for "other third parties, Defendant coded its Payment Page to restrict scripts . . . [such that] Defendant did not use the scripts to access Plaintiff's Credit Card Details in the DOM or disclose them to the third party." Id. ¶ 25. Plaintiff points to this "differential treatment" as evidence that "Defendant engaged in interception and disclosure of Credit Card Details in the DOM with knowledge and intent." Id.

According to Plaintiff, unrestricted JavaScripts are prone to privacy and security breaches, and because of these risks, such scripts are in violation of payment card industry standards and are not used by more security-conscious online retailers. In support of these allegations, Plaintiff cites news articles dated in 2011 and 2014. Id. ¶ 33 n.5. Plaintiff also states that the source of her information in this regard is her "counsel's investigation." Id. ¶ 34.

Although Plaintiff accessed Defendant's website and made her purchases on March 29, 2014, she did not file suit until December 30, 2016.¹ Plaintiff alleges that she"did not have the technical knowledge or reasonable means to detect the [unrestricted JavaScripts] that Defendant executed on her computer" and to "understand[] their implications for privacy [and] security," and that she only learned of this violation "through the investigation of her counsel in August 2016." Id. ¶¶ 47, 48.

Plaintiff's second amended complaint asserts three claims: (1) Violations of the Wiretap Act, as amended by the Electronic Communications Privacy Act of 1986 ("ECPA") 18 U.S.C. § 2511(1)(a) (Interception); (2) Violations of the Wiretap Act, 18 U.S.C. § 2511(1)(c) (Disclosure); and (3) Common-Law Unjust Enrichment. Plaintiff seeks injunctive relief, the maximum allowable statutory damages, punitive damages, and attorneys' fees.

Plaintiff brings this action on her own on behalf and on behalf of two proposed classes: (1) a "Wiretap Act Class" encompassing "[a]ll individuals in the United States who used payment cards to purchase merchandise on the www.build.com website during the Wiretap Act Class Period," defined as "two years preceding the date of filing of the Original Petition in this matter and extending to the date [of class certification]"; and (2) a "Missouri Class" encompassing "[a]ll individual Missouri citizens aged 18 years and over who used payment cards to purchase merchandise on the www.build.com website during the Missouri Class Period . . . where such merchandise was primarily for personal,family, or household uses," with the Missouri Class Period defined as "five years preceding the date of filing of the Original Petition in this matter and extending to the date of [class certification]." Id. ¶¶ 58-59.

ARGUMENTS OF THE PARTIES

Defendant argues that Plaintiff fails to state a claim for violation of the Wiretap Act (Counts 1 and 2) because Plaintiff has not alleged any interception of an electronic communication. Defendant argues that, accepting Plaintiff's allegations as true, Plaintiff's Credit Card Details were acquired by Defendant from storage in Plaintiff's computer, rather than, as required by the Wiretap Act, as part of an electronic communication that Plaintiff was transmitting beyond her own computer.

Alternatively, Defendant argues that to the extent Plaintiff implies that the communication of her Credit Card Details was not complete when it reached the storage in her computer, Plaintiff still fails to state a claim because the intended recipient of the communication was Defendant. Defendant notes that there is no private cause of action under the Wiretap Act against a person who is a party to the communication.

Defendant further argues that Plaintiff's Wiretap Act claim is untimely under the Wiretap Act's two-year statute of limitations, which runs from the date on which the plaintiff had a reasonable opportunity to discover the alleged violation. Defendant contends that Plaintiff had a reasonable opportunity to discover the alleged violation when she accessed Defendant's payment page to purchase merchandise more than two years before filing suit.

With respect to the unjust enrichment claim (Count 3), Defendant argues that Plaintiff has failed to plead an injury-in-fact to give her standing. Defendant also contends that Plaintiff fails to state a claim because she has not identified a benefit she conferred on Defendant that would be unjust for Defendant to retain.

In response, Plaintiff argues that she has sufficiently alleged that Defendant intercepted her electronic communications at a time prior to the time Defendant became a party to those communications, which is enough to state a claim under the Wiretap Act. Specifically, Plaintiff points to her allegations that Defendant, using the unrestricted JavaScripts and without Plaintiff's consent, "recorded [Plaintiff's] keystrokes in a transient browser storage area used for receiving and sending web communications from the currently active web page." ECF No. 30 at 3. Plaintiff argues that the interception was contemporaneous with the transmission of the communications, that the communications were being made using a system affecting interstate commerce (the Internet), and that Defendant was not a party to the communications at the moment of interception because Plaintiff had not yet designated Defendant to process her payment. Plaintiff contends that "[t]here is also nothing in the statute that requires Plaintiff to identify the other parties, if any, to her communications." Id. at 11.

Plaintiff also argues that her Wiretap Act claims are not time-barred because she filed suit less than two years from the time she had a reasonable opportunity to discover the violation. Plaintiff contends, as she did in her complaint, that she first learned of Defendant's conduct through her attorney's investigation in August 2016, and that she lacked the technical knowledge or skill to discover the violation on her own.

With respect to her unjust enrichment claim, Plaintiff argues that she has sufficiently pled an injury in fact for purposes of standing, as well as facts in support of each element of an unjust enrichment claim, by alleging that part of the $703.53 she paid for the merchandise (which merchandise Plaintiff acknowledges she received in full) should have been, but was not, spent on adequate data security measures.

In reply, Defend...