Most companies want to know about the visitors to their websites. It helps them convert web visitors into customers and improve website performance. But what was once considered routine is now under legal scrutiny.

An increasing number of website visitors now claim this data collection occurs without consent and violates certain privacy laws. In response, businesses contend that this is how the internet works – the internet and access to websites have been “free” because data collection allows them to target their advertising more efficiently. This tension is now playing out in the courts in class actions under old and new laws alike.

California CIPA Claims

There has been a surge of “wiretapping” litigation arising from the decades-old California Invasion of Privacy Act (CIPA), found at Cal. Penal Code §§ 630 et seq. CIPA allows for a private right of action, injunctive relief and up to $5,000 per violation or treble damages, whichever is greater. It was enacted in 1967 to prevent wiretapping and other unauthorized recording or tracking of rotary-dial phone calls, but plaintiffs are now seeking to apply CIPA to data collection from web visitors. These plaintiffs allege that by collecting IP addresses and other information from visitors, businesses are violating CIPA.

Offending Data Capture Under CIPA

Online-behavior advertising involves sharing browsing behavior with ad networks for delivery of targeted advertising to the consumer on other sites. Alleged trackers come in various forms: software development kits (SDKs) that ease the sharing of visitor data, pixels that send information to third-party servers, cookies that attach to a device, and a variety of website analytics tools. Add to that mix the explosion of AI-driven solutions and new “fingerprinting” methods for targeting consumers, and the list of offending technologies will continue to grow.

Theories of CIPA Claims

Under a CIPA § 631(a) “wiretapping” theory, one may not intentionally intercept communications in transit without consent. Wiretapping plaintiffs must plead and show that (1) the visitor’s interaction with the website is a “communication,” (2) a third party intercepts the communication during transmission, and (3) the third party does so without consent or a court order. Under California Penal Code §§ 638.50(d) and (e), one cannot capture certain information about a web visit without consent or a court order.

A “trap and trace device” captures incoming call information (i.e., caller ID) and a “pen register” captures outgoing identifiers (i.e., a list of outgoing phone numbers). In a digital context, this information is akin to metadata – again, information about communications. The line between the two theories is often blurred. Some courts find nearly all captured data to be “communications,” while others limit wiretapping claims to communications like text typed into search boxes, online forms or chats. Finally, a CIPA claim may arise under CIPA § 632.7 from the recording of a phone conversation where not all parties have consented.

A Common CIPA Demand

A serial pro se litigant named Vivek Shah has been sending out demand letters to registered agents for service for companies across the nation. They look like lawsuits – each packet contains a cover letter seeking “Informal Dispute Resolution” of “your violation of the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 631(a),” along with a draft complaint to be filed in the Los Angeles Superior Court if the matter remains unresolved. Exhibit A to the draft complaint will contain screenshots of his use of a networking tool showing the website’s capture of his name, “VIVEK,” which he had typed in the search box on the site. At present, we have not found that Mr. Shah has filed any of the threatened suits in that state court, but he may start soon.

The Current CIPA Litigation Landscape

These CIPA cases are starting to make their way up to courts of appeal, but there is no reliably predictable outcome in the absence of precedent. Just recently, the judge in the Camplisson v. Adidas case allowed the case to move forward, rejecting the defendant adidas’ motion to dismiss. Some trial courts find that the statute does not apply to what is perceived as normal website functions, while others are unwilling to dismiss such claims without discovery and further proceedings.

No Legislative Solution Anytime Soon

The California Legislature meets in two-year sessions and any relief for businesses under CIPA may be a year away. Lawmakers considered SB 690, a bill that would allow businesses to use common web tracking technologies for “the processing of personal information that . . . is performed to further a business purpose,” so long as they comply with the opt-out requirements of the California Consumer Privacy Act (CCPA). The bill stalled, but if passed, the earliest it would be effective is 2027.

Next Steps: Mitigating CIPA Risk

A sound consent mechanism and appropriate privacy policy disclosure, coupled with class action waivers in terms of service, are the best defenses. A robust defense can be mounted with cookie banners that explain all the types of tracking mechanisms and do not allow them to be triggered until after the visitor has made a banner choice (i.e., Accept / Manage / Reject). Similarly, California and Minnesota privacy regulators are requiring businesses to recognize and adhere to consumer use of the Global Privacy Control, a browser selection that signals rejection of cookies and other trackers. A number of other states are also requiring such treatment of GPC signals, making GPC compliance essential. In addition to obtaining consent, a company will benefit from a self-audit with tools like those used by claimants. Coordination with website technology, legal and marketing service providers is a must.
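
As an added illustration (not code from this article or from any consent-management product), the sketch below shows the gating behavior described above: tracker loaders are queued and never run until the visitor answers the banner, and a Global Privacy Control signal is honored. The category names, function names and the policy of treating GPC as a rejection of every tracker category are assumptions made for the example.

```javascript
// Added example: hold tracker loaders until the visitor makes a banner choice.
// Category names, function names and the loader registry are hypothetical.
const CATEGORIES = ["analytics", "advertising"];

// GPC reaches the page as navigator.globalPrivacyControl and the server as "Sec-GPC: 1".
function readGpc(nav, headers) {
  return Boolean(nav && nav.globalPrivacyControl) ||
    Boolean(headers && headers["sec-gpc"] === "1");
}

// choice: { action: "accept" | "manage" | "reject", categories?: [...] }
// Assumption: a GPC signal is treated as a rejection of every tracker category.
function allowedCategories(choice, gpc) {
  if (!choice || gpc || choice.action === "reject") return [];
  const picked = choice.action === "accept" ? CATEGORIES : choice.categories || [];
  return picked.filter((c) => CATEGORIES.includes(c));
}

function createConsentGate(gpc) {
  const pending = []; // loaders registered before any choice was made
  const fired = [];   // names of trackers that actually started (audit trail)
  let allowed = null; // null means the banner has not been answered yet
  const run = (t) => {
    if (!allowed.includes(t.category)) return; // never loaded, not just hidden
    t.load();
    fired.push(t.name);
  };
  return {
    register(name, category, load) {
      const t = { name, category, load };
      if (allowed === null) pending.push(t);
      else run(t);
    },
    decide(choice) {
      if (!choice) return fired.slice(); // no answer yet: keep everything queued
      allowed = allowedCategories(choice, gpc);
      pending.splice(0).forEach(run);
      return fired.slice();
    },
    fired: () => fired.slice(),
  };
}
```

In a browser the gate would be created with `createConsentGate(readGpc(navigator))`, and each `load` callback would be the only place a vendor script tag is injected; the `fired()` list gives a self-audit record to compare against what a network inspection tool shows.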

If you have questions about CIPA and its risks for your business, please contact Tedrick Housh, Chiara Portner, Megan Miller, or your regular Lathrop GPM attorney.