Greetings CIPAWorld!
I’m back with the latest scoop to lead you all into a fantastic Thanksgiving Holiday.
The United States District Court for the Northern District of California has issued a significant ruling in Williams v. DDR Media, L.L.C., No. 22-cv-03789-SI, 2024 U.S. Dist. LEXIS 211342 (N.D. Cal. Nov. 20, 2024), granting summary judgment to defendants in a closely watched privacy case.
The dispute began when Loretta Williams visited snappyrent2own.com on December 10, 2021, where her interactions were processed by TCPA Guardian, a software product developed by Jornaya to help companies comply with the Telephone Consumer Protection Act (“TCPA”). TCPA Guardian is specifically ‘designed to help companies comply with the Telephone Consumer Protection Act, which restricts how companies contact consumers using autodialing technology without prior consent.’ This critical detail helps explain why the hashing process is necessary and legitimate.
In fact, this case was previously covered by the one and only Baroness located here. So, I’m excited to share this update.
The case has evolved substantially since its initial filing. Williams originally filed suit against DDR Media and Jornaya, alleging violations of the California Invasion of Privacy Act (“CIPA”), Penal Code § 631(a), Invasion of Privacy under the California Constitution, and California’s Unfair Competition Law. After several rounds of motions and amendments, Williams filed a Second Amended Complaint focusing specifically on her claim under Penal Code § 631(a), part of CIPA. She alleged that TCPA Guardian captured her keystrokes, clicks, and other interactions, including her name, email address, and phone number, constituting wiretapping under CIPA.
Williams alleged that TCPA Guardian captured her keystrokes, clicks, and personal information, including her name, email address, and phone number, constituting wiretapping under CIPA. CIPA Section 631(a) prohibits the unauthorized “reading,” “attempting to read,” or “learning” of the contents of communications while they are in transit.
Here, the judicial analysis relied heavily on detailed testimony from Jornaya’s Chief Technology Officer, Manny Wald, regarding the technical functionality of TCPA Guardian. Let’s get technical for a minute for clarity. According to Wald, TCPA Guardian uses LeadiD Create, a JavaScript that generates a unique numerical reference for each website visit and collects basic data about the website itself, including consent disclosures and user interactions. This information is associated with the unique LeadiD. The hashing process creates a fixed-size output regardless of the input size, meaning the hash code from a single word would be the same length as one from an entire dictionary. As Wald explained, identical inputs always produce the same hash code, while even minor differences like ‘Main St.’ versus ‘Main Street’ create entirely different hashes. This verifies data matches without needing to read or understand the original content. Importantly, Wald explained that the collected data is immediately subjected to a one-way cryptographic hashing algorithm that transforms the input into a fixed-size alphanumeric string. This hashing process is automatic, irreversible, and occurs within milliseconds, with the original data being stored only temporarily in volatile memory before being overwritten.
A crucial aspect of TCPA Guardian’s functionality is how it operates in the lead marketplace. Lead sellers operate websites offering information about products or services and collecting visitor information. When a lead buyer later purchases this information, they can use TCPA Guardian to verify that the data matches what was originally collected, particularly regarding consent to receive communications, without Jornaya ever accessing the original data.
Whew, okay, now that we get the technical aspect out of the way, let’s dig into the Court’s analysis and reasoning.
First, Judge Illston evaluated whether hashing constitutes “reading” or “learning” the contents of communications under CIPA. Because the statute does not define “reading,” the Court applied its ordinary meaning as outlined in DeGeorge v. U.S. Dist. Court, 219 F.3d 930, 936 (9th Cir. 2000) and the Oxford English Dictionary, which requires “understanding what is meant by the letters or signs.” The Court’s analysis was informed by Davis v. Facebook, Inc. (In re Facebook Inc. Internet Tracking Litig.), 956 F.3d 589, 598 (9th Cir. 2020), which emphasized that CIPA was meant to protect historical privacy rights, and Javier v. Assur. IQ, L.L.C., No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022), which noted that Section 631 codified the common law tort of invasion of privacy.
The Court found that TCPA Guardian’s hashing process involves no comprehension or interpretation of the original data and is, therefore, not “reading” under CIPA. This conclusion aligned with similar rulings, such as Gutierrez v. Converse Inc., 2024 WL 3511648 (C.D. Cal. July 12, 2024), where the Court granted summary judgment for a defendant when the third-party vendor’s encryption of chat messages did not involve substantive interpretation.
The Court emphasized that hashing serves as a verification tool for data integrity rather than a method of accessing or understanding content. This critical distinction set TCPA Guardian apart from cases where vendors actively intercepted and analyzed user data.
As a countering measure, Williams attempted to argue that the hashing process itself constitutes “reading,” likening it to translating a letter into Pig Latin. The Court dismissed this analogy, explaining that while human translation involves understanding the meaning of words, TCPA Guardian’s hashing process is purely algorithmic and lacks the capacity for comprehension. Expanding further, the Court further distinguished this case from D’Angelo v. Penny OpCo, LLC, 2023 WL 7006793 (S.D. Cal. Oct. 24, 2023), where third-party software actively analyzed communications to create live transcripts, and Valenzuela v. Nationwide Mut. Ins. Co., 686 F. Supp. 3d 969 (C.D. Cal. 2023), where the vendor’s business model relied on intercepting data for mass analysis. Conversely, TCPA Guardian facilitates hashed comparisons between lead sellers and buyers without accessing or interpreting the original data.
The Court also relied on California precedent emphasizing CIPA’s broad interpretation, including Ribas v. Clark, 38 Cal. 3d 355, 359 (1985), highlighting the Legislature’s intent to safeguard privacy rights. However, it concluded that the automated hashing process lacked the human or machine effort to interpret or learn the contents of communications, distinguishing it from the conduct CIPA aims to regulate.
With this in mind, the Court ultimately ruled that “Jornaya is more akin to a tape recorder vendor than an eavesdropper,” reinforcing its prior dismissal of Williams’ claims under the UCL and the California Constitution. As noted in our earlier blog, the Court found that Defendant’s use of hashed data was “benign” and posed no serious invasion of privacy.
So what’s the key takeaway? Well, this is big for anyone involved in the telecommunications space and those using automated data processing tools. By clarifying that purely algorithmic processes without content interpretation fall outside CIPA’s reach, the Court has provided essential guidance for compliance in California. This is particularly significant for lead buyers, lead sellers, and the broader lead generation industry, where verifying consent and data integrity is crucial. Businesses that employ hashing technology can now operate with greater confidence, knowing that such safeguards do not constitute “reading” or “learning” under privacy laws. THIS IS HUGE.
Wishing you all a Happy Thanksgiving to you and your loved ones.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
This post was originally published on here
