Carnival Must Defend Class Action Over Microsoft Data Sharing

International cruise operator Carnival Corp. must face a proposed class action alleging it used tracking software to collect personal information and share it with Microsoft Corp. and other third parties in violation of wiretap and privacy laws, a federal court ruled.

The plaintiffs’ wiretap and invasion of privacy claims can proceed, Judge Gonzalo P. Curiel of the US District Court for the Southern District of California said Jan. 19. Curiel dismissed their claim under the Computer Fraud and Abuse Act, finding they failed to make adequate allegations of damage or loss as required under the statute.

Plaintiffs India Price, Erica Mikulsky, and three others alleged in a consolidated complaint that Carnival and the third parties used so-called “session-replay” software code to piece together visitor interactions on the Carnival website, including information provided in forms and text boxes, and to combine the data with information collected from visitors’ interactions with other websites.

These practices violated the federal Wiretap Act, the California Invasion of Privacy Act, the Computer Fraud and Abuse Act, and state wiretap laws in Maryland, Massachusetts, and Pennsylvania, the plaintiffs alleged.

Microsoft isn’t a party to the lawsuit.

Carnival didn’t qualify for a liability exemption under wiretap laws as a party to the communication because its surveillance software helped analyze the collected data rather than acting as mere tape recorders, the judge said.

Under the Wiretap Act, the judge recognized that the information contained contents of communications and the software qualified as a “device” that acquired the information during transmission rather than while it was in electronic storage.

Curiel also disagreed with Carnival’s attempt to challenge the lawsuit’s invasion of privacy claim with the argument that the data collection was routine commercial behavior on the internet. Curiel found that the alleged collection of information concerning visitors’ web-browsing habits across other websites, including those where they wished to remain anonymous, was sufficient to state the claim.

Carnival had also tried to argue that it provided notice of its information collection practices in a banner at the bottom of its website, but Curiel said the defense that users consented by the mere act of communicating over the internet and by constructively assenting to the terms of its privacy policy fell short.

Given the privacy notice’s small text, inconspicuous color scheme, and potential failure to display on the website, a “reasonably prudent user” wouldn’t necessarily have known of the existence of the policy before taking action on the site, the judge said.

Hausfeld LLP, Freed Kanner London & Millen LLC, Lynch Carpenter LLP, The Murray Law Firm, Scott & Scott Attorneys at Law LLP, and Zimmerman Reed LLP represent the plaintiffs and the proposed class.

Orrick, Herrington & Sutcliffe LLP represent Carnival.

The case is Price v. Carnival Corp., S.D. Cal., No. 3:23-cv-00236, 1/19/24.