Chatbot data for AI improvement leads to wiretapping lawsuit

July 18, 2024

On July 5, 2024, a federal trial court judge ruled that a class action plaintiff’s claim against Peloton for aiding and abetting wiretapping survived a 12(b)(6) motion to dismiss.  The basis for the claim was Peloton’s use of a third-party AI chatbot on its website, where the plaintiff claimed that the chatbot recorded and used the conversations to improve the AI and its services.  Note that the chatbot maker, Drift.com, Inc., is NOT a named defendant in the class action.  Jones v. Peloton Interactive, Inc., Case no. 23-cv-1082-L-BGS, 2024 WL 3315989 (S.D. Cal. July 5, 2024).

Our readers may know that Peloton exercise bicycles offer a screen that users can use not only to display videos but also to interact with trainers and with other users.  Users can also interact with a chatbot.  The plaintiff claimed that Drift runs the chat service from Drift’s own servers, but consumers interact with that service on Peloton’s website, so, the plaintiff claimed, it appeared that consumers were only communicating with a Peloton representative.  In other words, according to the plaintiff, Drift was intercepting the communications between the consumer and Peloton, in violation of California’s wiretapping/eavesdropping law.

That law has four parts, and includes both civil and criminal penalties.  Section 631(a) of the California Penal Code prohibits anyone from intentionally tapping or making “any unauthorized connection” with any telephone wire or internal telephonic communication system.  The law also prohibits three additional types of conduct by anyone:

[2] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or

[3] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or

[4] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section

[court formatted for clarity]

The plaintiff claimed that Peloton violated subsection [4], which meant that the plaintiff had to show that Drift violated subsection [2] and/or [3] in order to maintain the aiding and abetting claim against Peloton.

Peloton’s defense was that, if Peloton merely used the Drift tools for its own benefit, there was no eavesdropping/wiretapping because Peloton itself was a party to the communication.  The plaintiff countered:  “Drift functions as a third-party eavesdropper because it uses the intercepted data for its own purposes including to improve the technological function and capabilities of its patented AI software assets for the exclusive purpose of increasing the value of Drift's shareholders equity in the company.”  The court agreed with the plaintiff.

The court found that the plaintiff had sufficiently alleged that Drift's software surreptitiously intercepted the data entered by Peloton's customers through the embedded chatbot API and used "the data for their own benefit and not for the sole benefit of the party to the communication [Peloton]." Therefore, Drift functioned as a third-party eavesdropper within the meaning of section 631(a).

Turning to the statute’s subsections, the court ruled, with respect to subsection [2], that the plaintiff “has sufficiently alleged a claim under clause two because she asserts that Drift uses intercepted communications to improve its SaaS platform, including its proprietary machine learning software, which yields a monetary benefit to Drift.”  The court found the same rationale applied to subsection [3].

Because the court ruled that the plaintiff met the standards to show a violation of subsections [2] and [3], the court denied Peloton’s motion to dismiss the plaintiff’s claim that Peloton violated subsection [4] by aiding and abetting Drift.

Lessons Learned

If you have any contracts with vendors that allow the vendor to use your data for “product or service improvement” or “for our internal uses” or “to train our AI,” consider:

  1. What data will the vendor’s technology have access to?
  2. Do you have the right/consent to provide that data to the vendor?  For the vendor to use that data for the vendor’s own purposes and financial gain?
  3. Would you be using the vendor technology on a public-facing website or app?
  4. If the vendor is the victim of a security incident, how will you explain to your customers that their data was affected?