Home décor company Lulu & Georgia was sued for CIPA violations, and now the Los Angeles County Superior Court has issued an important pre-trial ruling in favor of the Plaintiff. The civil suit alleges that Lulu and Georgia violated the Trap and Trace Law in the California Invasion of Privacy Act (CIPA) by collecting personal information from visitors to the company’s website and then unlawfully sharing the data with TikTok. The case could proceed to trial after the court overruled the Defendant’s attempt to challenge the sufficiency of the pleading. This was a significant courtroom victory for the California consumer protection attorneys at Tauler Smith LLP, who are representing the Plaintiff.
To learn more about the data privacy lawsuit against Lulu & Georgia, keep reading.
Lulu and Georgia Accused of Sharing Customer Data Without Consent
The Defendant in the lawsuit, Lula and Georgia, is a nationwide home décor company based in Los Angeles, CA. The company designs and curates the interiors for residential homes. The Lulu & Georgia website sells furniture, rugs, lamps & lighting, bedding & pillows, and other home furnishings.
The Plaintiff is a California resident who visited the Lulu and Georgia website. The Plaintiff alleges that Lulu & Georgia collected customers’ personal information and then sent it to social media company TikTok without permission.
Lawsuit: Lulu & Georgia Secretly Shared Customers’ Personal Information with TikTok
Lulu and Georgia allegedly entered into an agreement with TikTok to install TikTok Software on the home décor company’s website. This tracking software was allegedly used to identify website visitors via a “fingerprinting” process that harvests as much data as possible from users.
According to the lawsuit, the personal information collected by Lulu and Georgia from website visitors included:
- Name
- Date of birth
- Address
- Device and browser information
- Location and geographic information
- Referral tracking data
- URL tracking data
After the Lulu & Georgia website collected personal information from site visitors, the data was then allegedly sent to TikTok “for the purposes of fingerprinting and de-anonymization.”
Lawsuit: Lulu and Georgia Violated the California Invasion of Privacy Act
The lawsuit against Lulu and Georgia was filed under the California Trap & Trace Law, which is part of the California Invasion of Privacy Act (CIPA) and is codified at Cal. Penal Code section 638.51.
CIPA prohibits anyone from installing or using a trap and trace device without a court order. The statute defines a “trap and trace device” as a device or process that captures incoming electronic impulses that identify the source of a wire or electronic communication without identifying the contents of the communication.
There are limited exceptions that may allow a provider of an electronic communication service to use a trap & trace device:
- It is necessary for the operation or maintenance of the electronic communication service.
- It protects the rights or property of the entity providing the electronic communication service.
- It protects users of the electronic communication service from abuse of service.
- It protects the provider of the electronic communication service against fraudulent, unlawful, or abusive use of service.
- The user of the electronic communication service has consented to the trap and trace device.
Los Angeles Superior Court Rules Against Lulu & Georgia in Demurrer Hearing
The case, Santoro v. Lulu & Georgia, Inc., is being heard in the Superior Court of California, County of Los Angeles. Lulu and Georgia attempted to get the case dismissed before trial by filing a demurrer motion, which tested whether the complaint stated facts sufficient to constitute a cause of action.
The court listened to arguments from both sides and then ruled in favor of the Plaintiff: the demurrer was overruled, which means the case can potentially proceed to trial.
Defendant’s First Argument Rejected by Court
First, the Defendant argued that the Plaintiff did not allege that any of his personal information was harvested by Lulu and Georgia. The court quickly dispensed with this argument because the Plaintiff did, in fact, sufficiently allege that his personal data was collected by the TikTok Software on the home décor company’s website. Moreover, this data collection allegedly happened the moment the Plaintiff visited the site, without any real chance for him to opt out of it.
Defendant’s Second Argument Rejected by Court
Second, the Defendant argued that California’s Trap & Trace Law only applies to telephone communications, not online communications or websites. However, the court pointed to the plain language of the CIPA to show that the definition of “electronic communications” in the statute is clearly not limited to telephone communications. In its ruling, the court noted that the CIPA defines “electronic communication” quite broadly to include “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature…by a wire, radio, electromagnetic, photoelectric, or photo-optical system.”
Beyond that, other courts have repeatedly found that website communications are covered by the CIPA.
Defendant’s Third Argument Rejected by Court
Third, the Defendant argued that the TikTok Software installed on the Lulu and Georgia website is not a trap and trace device because it merely collected “content” information from customers who entered their name, address, and other personal details into a website form. The Defendant said that this should exempt them from liability under the CIPA because the law only prohibits tracking software that identifies the source of a communication, not the contents of a communication.
But the court stated that the Plaintiff adequately alleged that the TikTok Software embedded on the Lulu & Georgia website captures site visitors’ identifying information, which would make it a trap and trace device as defined by CIPA. Furthermore, the court observed that the Defendant’s interpretation of the statute would effectively render the data privacy law meaningless: companies would be able to collect any and all information from website visitors without consequence.
Defendant’s Fourth Argument Rejected by Court
Fourth, the Defendant argued that they should be exempt from liability under the CIPA because Lulu & Georgia is a provider of an electronic communication service. Once again, the court rejected the Defendant’s argument because the purpose of installing TikTok Software on the home décor company’s website is not limited to the operation, maintenance, or testing of the site. As a result, the statutory exemption to liability under the CIPA would not apply in this case.
CIPA Gives California Consumers a Private Right of Action to Sue for Data Privacy Violations
Importantly, CIPA Section 637.2 creates a private right of action for anyone who is injured by a violation of the statute. The L.A. County Superior Court observed that a plaintiff can sufficiently state a cause of action for a CIPA violation by clearly alleging two things:
- The Defendant installed or used a trap and trace device without first obtaining a court order.
- The Plaintiff suffered an injury because of the CIPA violation.
In its ruling rejecting the demurrer, the court found that the Plaintiff did sufficiently allege that Lulu & Georgia installed TikTok Software on its website for the purpose of collecting user data to identify the source of incoming electronic pulses – and that the home décor company did this without legal permission.
Contact the California Data Privacy Lawyers at Tauler Smith LLP
Do you live in California? Did you visit a website that uses tracking software to collect your personal data? Then you may be eligible to bring a claim to receive financial compensation. The California data privacy lawyers at Tauler Smith LLP successfully represent plaintiffs in consumer protection lawsuits. We can help you explore your legal options.
