Hartley thrown out: Good news for permission, bad news for spammers
Since December 2023, nationwide, around a dozen class action lawsuits have been filed in federal district courts alleging violations of the same Arizona statute.1 At least two cases (Hartley and Mills) have motions to dismiss with Hartley the first to be decided. This post will examine Hartley and its implications.23
What are these cases alleging?
These cases allege that various retailers have violated an Arizona law intended to fight pretexting.4 The allegation is that open tracking pixels (called “spy pixels” in the complaints that I’ve read) violate the law’s provision that makes it unlawful for a person to “[k]nowingly procure . . . [a] communication service record” of any Arizona resident “without the authorization of the customer . . . .” Ariz. Rev. Stat. Ann. § 44-1376.01. The statute defines “communication service record” as including “subscriber information” like a person’s “name, . . . electronic account identification and associated screen names . . . or access logs,” as well as “records of the path of an electronic communication between the point of origin and the point of delivery and the nature of the communication service provided, such as . . . electronic mail . . . or other service features.” Ariz. Rev. Stat. Ann. § 44-1376(1).
The cases allege that the data obtained from tracking pixels constitutes a “communication service record” and requires the recipient’s consent to generate. In other words, receiving the data directly from the email’s recipient is “procuring” a record according to the plaintiffs.
What happened in Hartley?
Tomi Hartley, an Arizona resident, sued Urban Outfitters in Pennsylvania (where it is headquartered), claiming that her privacy rights were violated when Urban Outfitters found out when (or whether) she opened their commercial emails.5 Urban Outfitters filed a motion to dismiss the case on two grounds:
- The court did not have jurisdiction over the case because Ms. Hartley does not have standing to prosecute the suit because her damages were not “concrete.”6
- Even if she has standing and everything she said is true, she did not state a claim to which the court could grant relief.
The district court judge agreed with the first and dismissed the case without considering the second. Thus, the case has been dismissed, although the judge is giving the plaintiff 21 days to file a new complaint that fixes the problems that caused the dismissal.
What does this mean for email marketing?
In my opinion, the key paragraph in the court’s opinion is this one:
As a matter of law, the Court concludes that digital records reflecting merely the dates and times at which Plaintiff opened promotional emails she signed up to receive, and the length of time she spent reading them, are not sufficiently personal to support a concrete injury. Like a users’ keystrokes and mouse clicks upon voluntarily visiting a retailers’ website, these details are entitled to less privacy protection by virtue of Plaintiff’s decision to opt into receiving and reading the emails.
Memorandum Opinion, Hartley v. Urban Outfitters, Inc., No. 2:23-cv-04891 (E.D. Penn. 07/17/2024), ECF No. 17, at 13. (Cleaned up, emphasis added).
In this case, the judge found it significant that Urban Outfitters got consent before emailing her. Her consent changed the game regarding the level of protection the retailer was entitled to in the case. This is made more apparent when looking back at the court’s consideration of a parallel to the Telephone Consumers Protection Act (TCPA), which the plaintiff used to try to bolster the idea that a legislature is allowed to legislatively create causes of action for things that were not previously considered harmful. Here’s how the judge differentiated a TCPA case from this case:
The Third Circuit’s decision in Susinno v. Work Out World Inc. is instructive. In Susinno, the court considered … a claim under the Telephone Consumer Protection Act (“TCPA”) based on a single, unsolicited call from a fitness company resulting in a prerecorded, one-minute promotional offer left on a consumer’s voicemail. The court acknowledged that a single call would likely not be “highly offensive to a reasonable person,” and therefore not actionable at common law. Nevertheless, the court concluded that a concrete injury had been alleged because Congress, by enacting the TCPA, elevated a harm “‘previously inadequate in law,’ [that] was of the same character of previously existing ‘legally cognizable injuries.’” Critically, however, the robocall in Susinno was unsolicited. The relationship in that case—between an unwelcome advertiser and a consumer who wanted to be left alone—is materially distinguishable from Plaintiff’s relationship with Defendant here, as she not only opted in to receiving emails from Defendant by joining its subscriber list, but continued to consume its promotional materials by regularly opening them.
Id. at 11. (Cleaned up, emphasis added).
This shows how essential consent is. Commercial emailers who get permission to add recipients to their lists are better protected from legal exposure than emailers who do not. I believe judges in the other cases will find this judge’s reasoning persuasive, and I expect to see more of these dismissals in the coming months.
Email Service Providers (ESPs)
Most reputable ESPs have contractual terms requiring customers to obtain consent from recipients before sending them messages. This best practice is providing the retailer with protection in this case. It is also helpful to know that retailers are not the only parties being sued in these suits.7
ESPs who don’t enforce consent requirements are doing their customers a disservice. Further, proving that they enforce consent requirements may insulate ESPs from allegations that they are involved in violations of the Arizona law more than they would be by merely pointing to contractual terms requiring customers to “abide by all applicable laws and regulations.”
“Cold email”
The other side of this is “cold email.” It is, by definition, sent without the recipient’s consent. If Ms. Hartley had sued a company that had added her to its list without her consent, then the judge’s analysis in the comparison to the TCPA would have been entirely different. The entire case would have swung the other way, and the concreteness standard would have been met here, just as it was in the Susinno case that the judge was comparing it to.
The lesson to be learned here is that sending commercial email without consent has at least the possibility of contributing to liability under certain circumstances. Sending “cold” emails and doing things like tracking opens may result in liability under this Arizona statute.
Conclusion
Hartley underscores the importance of obtaining consent in email marketing. Consent helps protect marketers from legal challenges and aligns with best practices in data privacy. Companies should ensure robust consent mechanisms are in place to minimize legal risks and maintain trust with their customers.
Footnotes
- Tag: ‘email’ by MickC – CourtListener.com (2024) CourtListener. Available at: https://www.courtlistener.com/tags/MickC/email/ (last visited Jul 23, 2024). ↩︎
- While I am a licenced attorney in the state of Texas, this post is not, and should not be construed to be, legal advice. Everything here is for informational purposes only and not to provide legal advice. You should contact a competent attorney in your jurisdiction for advice concerning any particular issue or problem. Nothing here should be construed to form an attorney-client relationship. ↩︎
- I previously did a couple of YouTube videos on this topic. A long one examining the entire opinion at https://youtu.be/qzQjUJFai7M and a shorter one with my thoughts on the case’s implications at https://youtu.be/v3sMNPLHg24. ↩︎
- Arizona Telephone, Utility and Communication Service Records Act (2006) A.R.S. § 44-1376, et seq. Available at: https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/44/01376.htm (last visited Jul 23, 2024). ↩︎
- Hartley v. Urban Outfitters, Inc., No. 2:23-cv-04891 (E.D. Penn.) Available at: https://www.courtlistener.com/docket/68080447/hartley-v-urban-outfitters-inc/ (last visited Jul 23, 2024). ↩︎
- See generally, Aishani Gupta, What Is a “Concrete and Particularized” Injury for Article III Standing? | Subscript Law, (May 5, 2021), https://subscriptlaw.com/standing-concrete-particularized-injury/ (last visited Jul 23, 2024). ↩︎
- E.g.: Dominguez v. Lowe’s Companies, Inc., No. 2:24-cv-01030 (D. Ariz.) (suing Salesforce.com, Inc.). Available at: https://www.courtlistener.com/docket/68504489/dominguez-v-lowes-companies-incorporated/ (last visited Jul 23, 2024) and Carbajal v. Home Depot Inc., No. 2:24-cv-00730 (D. Ariz.) (suing Validity, Inc.). Available at: https://www.courtlistener.com/docket/68401689/carbajal-v-home-depot-incorporated/ (last visited Jul 23, 2024). ↩︎
- Introducing: Arcana - 22 November 2024
- Help me see if there is a need for that I can fill - 23 September 2024
- Verkada: Data Protection Issues - 19 September 2024