Silver et al v. Stripe, Inc.

COMPLAINT (with jury demand) against Stripe, Inc. (Filing fee $ 400, receipt number 0971-15221869). Filed by Victoria Waters, Jasen Silver, Patricia Tysinger, Jill Lienhard, Alaina Jones. Modified on 11/24/2020

Northern District of California, cand-3:2020-cv-08196

Current View

Full Text

5 1 GUTRIDE SAFIER LLP 2 Seth A. Safier (State Bar No. 197427) 3 Todd Kennedy (State Bar No. 250267) 4 100 Pine Street, Suite 1250 5 San Francisco, California 94111 Telephone: (415) 639-9090 6 Facsimile: (415) 449-6469 Attorneys for Plaintiffs 7 8 UNITED STATES DISTRICT COURT 9 FOR THE NORTHERN DISTRICT OF CALIFORNIA 10 SAN FRANCISCO DIVISION 11 Jasen Silver; Jill Lienhard; Case No. _______________ 12 Patricia Tysinger; Victoria Waters; and Alaina Jones, on behalf of 13 themselves and those similarly Class Action Complaint situated, 14 Plaintiffs, Jury Trial Demanded 15 v. 16 Stripe, Inc., 17 Defendant. 18 19 20 21 22 23 24 25 26 5 1 Plaintiffs Jasen Silver, Jill Lienhard, Patricia Tysinger, Victoria Waters, 2 and Alaina Jones bring this action on behalf of themselves and all others similarly 3 situated against Stripe, Inc. Plaintiffs' allegations against Stripe are based upon 4 information and belief and upon investigation of Plaintiffs' counsel, except for 5 allegations specifically pertaining to Plaintiffs, which are based upon Plaintiffs' 6 personal knowledge. 7 Introduction 8 1. Stripe is one of the largest online payment processors in the world, with 9 millions of corporate customers of all sizes. Many of Stripe's customers are 10 merchants who operate popular websites and mobile applications, such as 11 Instacart. 12 2. Stripe achieved commercial success by creating software code designed 13 to enable merchants to easily integrate Stripe's payment platform into their 14 applications. To that end, Stripe provides comprehensive documentation to its 15 customers, describing how to integrate payment forms into their websites and 16 applications using the Stripe code. 17 3. One of Stripe's most popular offerings is Stripe Elements. When a 18 merchant successfully integrates the Stripe software code into a website or mobile 19 application, consumers who desire to pay for a product or service are presented 20 with Stripe Elements payment forms created by Stripe and rendered by the user's 21 browser or mobile application executing the Stripe code. The payment forms 22 require the consumer to provide a variety of sensitive information, such as name 23 and address, telephone number, email address, and, of course, complete credit 24 card information. 25 4. Although consumers using merchants' websites and mobile 26 Class Action Complaint, p. 1 5 1 applications reasonably expect that they are communicating directly with the 2 merchant, Stripe's software code is designed to enable Stripe's computer network 3 to intercept those communications and redirect them to Stripe's computer 4 network. Stripe, however, designed Elements to omit all Stripe branding from its 5 payment forms. Accordingly, the consumer has no idea that Stripe is involved in 6 the transaction in any way, let alone that Stripe will be obtaining, storing, and 7 evaluating the consumer's sensitive communications and information. 8 5. But Stripe goes far beyond collecting consumers' sensitive payment 9 information. Stripe also collects and indefinitely stores sensitive information such 10 as: 11 • the consumer's IP address; 12 • the geolocation of the consumer and his or her device; 13 • the name of the consumer's bank or card issuer; 14 • whether or not the consumer had sufficient funds for the transaction; 15 • other processing codes returned by the consumer's bank, such "do not 16 honor" codes or those relating to stolen cards; and 17 • whether the consumer later disputes the charge. 18 6. The Stripe code also surreptitiously installs tracking cookies on 19 consumers' computers and mobile devices, so that Stripe can track their 20 purchasing behavior across its vast merchant network. 21 7. Stripe does not use consumers' private information simply for the 22 purposes of processing the payments in question. Instead, Stripe indefinitely 23 stores the information, correlates all payments from the consumer made across its 24 entire platform, and then—without informing the consumer—provides much of it 25 to its other merchants. For example, once a consumer has submitted a payment 26 Class Action Complaint, p. 2 5 1 using Instacart, any of Stripe's millions of other merchant customers will then be 2 able to access the consumer's private information pertaining to that payment, as 3 well as any other payment that Stripe processed for that consumer. 4 8. For example, Stripe creates a "Risk Insights" profile for each 5 consumer, and provides it to any of its customers who deal with that consumer: 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 Class Action Complaint, p. 3 5 Figure 1: Stripe Radar Dashboard (consumer identifying information blurred) 1 2 9. In addition to providing this private information to its merchant 3 customers, Stripe also uses it to assess the risk of financial transactions the 4 consumer attempts to make in the future. Specifically, Stripe uses the information 5 to assign a Risk Score to each of the consumer's transactions, so that those 6 transactions can be accepted or rejected by Stripe or its merchants. 7 10. At no time does Stripe inform consumers who use its Elements 8 payment forms: (i) that Stripe will intercept communications that consumers 9 believe are being sent exclusively to merchants; (ii) that its software code is 10 causing their devices to connect to Stripe's computer servers; (iii) that Stripe is 11 placing tracking cookies on consumers' computers; (iv) that its software code is 12 rendering the payment forms that are displayed to consumers; (v) that the 13 sensitive information in the payment forms will be sent to Stripe; (vi) that 14 sensitive information not expressly inputted by the consumer—such as IP address, 15 operating system, and geolocation data—will also be collected from the consumer 16 by Stripe; (vii) that Stripe will indefinitely store that sensitive information; (viii) 17 that Stripe will use consumers' information to assign Risk Scores to consumers, 18 which could subsequently be communicated to other merchants and used to deny 19 consumers' future payment attempts; (ix) that Stripe will track consumers' 20 behavior across millions of website and mobile applications; and (x) that Stripe 21 will make consumers' sensitive information available to any of its millions of 22 customers who will accept payment—or who have already accepted payment— 23 from those consumers. 24 Parties 25 11. Plaintiff Jasen Silver is, and was at all relevant times, an individual and 26 Class Action Complaint, p. 4 5 1 resident of California. Mr. Silver currently resides in San Jose, California. 2 12. Plaintiff Jill Lienhard is, and was at all relevant times, an individual 3 and resident of California. Ms. Lienhard currently resides in Arroyo Grande, 4 California. 5 13. Plaintiff Patricia Tysinger is, and was at all relevant times, an 6 individual and resident of Florida. Ms. Tysinger currently resides in Lehigh 7 Acres, Florida. 8 14. Plaintiff Victoria Waters is, and was at all relevant times, an individual 9 and resident of Washington. Ms. Waters currently resides in Seattle, Washington. 10 15. Plaintiff Alaina Jones is, and was at all relevant times, an individual 11 and resident of Utah. Ms. Jones currently resides in Orem, Utah. 12 16. Defendant Stripe, Inc. is a Delaware limited liability company with its 13 principal place of business in San Francisco, California. 14 Jurisdiction and Venue 15 17. This Court has subject matter jurisdiction over this action pursuant to 16 the Class Action Fairness Act, 28 U.S.C. Section 1332(d)(2)(A) because: (i) there 17 are 100 or more class members, and (ii) there is an aggregate amount in 18 controversy exceeding $5,000,000, exclusive of interest and costs. 19 18. This Court has supplemental jurisdiction over any state law claims 20 pursuant to 28 U.S.C. Section 1367. 21 19. The injuries, damages and/or harm upon which this action is based 22 occurred or arose out of activities engaged in by Stripe within, affecting, and 23 emanating from the State of California. Stripe regularly conducts and/or solicits 24 business in, engages in other persistent courses of conduct in, and/or derives 25 substantial revenue from products provided to persons in the State of California. 26 Class Action Complaint, p. 5 5 1 Stripe has engaged, and continues to engage, in substantial and continuous 2 business practices in the State of California. 3 20. Venue is proper in this District pursuant to 28 U.S.C. Section 4 1391(b)(2) because a substantial part of the events or omissions giving rise to the 5 claims occurred in the state of California, including within this District. 6 21. Plaintiffs accordingly allege that jurisdiction and venue are proper in 7 this Court. 8 Substantive Allegations 9 10 A. Stripe Surreptitiously Intercepts Consumers' Communications and Collects their Private Information When They Make Online 11 Payments to Merchants. 12 22. Stripe Elements is Stripe's premier payment processing offering. The 13 product is designed to enable merchants to avoid the technical difficulties 14 associated with developing and deploying their own payment forms into their 15 websites and mobile applications. Merchants can simply integrate the Stripe 16 software code into their websites and applications to enable Stripe to display 17 payment forms to consumers. Stripe handles the collection and validation of the 18 consumer's payment information, as well as processing the payment. 19 23. To integrate Stripe Elements into its website, a merchant must include a 20 link to "Stripe.js"—a software module developed by Stripe and hosted at Stripe's 21 computer network—in the code of the merchant's website. This link, which is 22 invisible to the consumer, causes the consumer's browser to load and execute the 23 Stripe.js code. The Stripe.js code includes code for the execution and 24 customization of Stripe Elements, as well as code that, as explained in more detail 25 below, enables Stripe to intercept communications that consumers reasonably 26 believe will be sent directly to the merchant. To integrate payment forms into Class Action Complaint, p. 6 5 1 mobile device applications, merchants use the Stripe Development Kits 2 ("SDKs"), which includes the code that enables Stripe to intercept 3 communications that consumers reasonably believe will be sent directly to the 4 merchant. 5 24. Stripe Elements enables merchants to customize certain aspects of the 6 payment forms, to match the look and feel of their websites and applications. 7 Stripe's documentation states: "Elements are completely customizable. You can 8 style Elements to match the look and feel of your site, providing a seamless 9 checkout experience for your customers." ( 10 25. This customizability enables Stripe to present payment forms to 11 consumers in such a way that consumers have no way to discern that Stripe is 12 involved in the transaction. To the consumer, the Stripe Elements payment forms 13 appear to be generated by the merchant itself. 14 26. For example, consumers who order groceries on Instacart's website are 15 presented with the following Stripe Elements payment form: 16 17 18 19 20 21 22 23 24 25 26 Class Action Complaint, p. 7 5 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Figure 2: Instacart Checkout Page 19 20 27. In the above figure, the input elements corresponding to "Card 21 Number," "Expiration," "CVC", "Billing Address", and "Zip code" are Stripe 22 Elements, generated by Stripe's software code and rendered by the consumer's 23 browser. To the user, however, it appears that these input elements are generated 24 and provided by Instacart. Although it could easily do so, Stripe never causes its 25 name or logo—or any other disclosure regarding its involvement—to be displayed 26 to the consumer. Class Action Complaint, p. 8 5 1 28. Only a person with technical know