“C” is for “Cookie” …and Sometimes for “Class Action:” Steps to Help Reduce Your Company’s CIPA Litigation Risk

There has been a recent uptick in class action litigation brought under the California Invasion of Privacy Act (“CIPA”) (Cal. Penal Code §§ 630 et seq.). Recent litigation has focused on three sections of CIPA. First, CIPA section 631(a) prohibits the interception of an in-transit communication to learn the contents of the communication (“wiretapping”) unless all parties to that communication consent. Second, CIPA section 632(a) likewise requires all-party consent for use of an “amplifying or recording device to eavesdrop or record the [] communication.” Third, and more recently, courts have allowed cases to proceed under CIPA section 638.51, which prohibits the installation or use of a “pen register” without a court order.

Under CIPA 631(a) and 632(a), website operators can be held liable for violations arising from their use of cookies and other online trackers, especially where trackers are used to offer live chat or session replay on the site, or where information is collected that could be used to infer details about the individual (such as the URL of the page visited or the visitor’s location). The scope of potential liability under CIPA 638.51 is more uncertain, as these claims are just beginning to be brought. However, at least one Southern District of California court has allowed a plaintiff’s claim that the defendant’s Software Development Kit (“SDK”) falls within CIPA § 638.51’s definition of a “pen register” to survive a motion to dismiss. In that case, the SDK allegedly collected app user location data without consent.

Each of these sections of CIPA provides for statutory fines of up to $2,500 per violation; sections 631 and 632 in addition permit fines of up to $10,000 per violation for repeat violations.

Much of the litigation in this area has centered on one of three issues:

  1. whether data collected by an online tracker constitutes “contents of a communication.” For example, some California district courts have found that the “contents of a communication” include the date and time a plaintiff visits a website, the duration of the visit, the IP address, or the location at the time of the visit (such as approximate location based on IP address, browser type, and device operating system);

  2. whether entities have provided adequate notice of the data collection taking place on their website, including collection via a technology vendor and the specific types of recording or collection involved, such that plaintiffs’ continued use of the site constitutes implied consent to that data collection; and

  3. whether the technology vendors who allegedly accessed user “communications” indeed accessed those communications for their own use (as an eavesdropper on a conversation would) or solely provided technology services to the website operator (e.g., merely acted like a tape recorder that stores those communications on behalf of an organization).

While these cases are largely still pending trial (or rapidly being settled), there are steps your organization can take to defend against these lawsuits: 

  • Ensure that your organization’s privacy notice sufficiently describes what trackers you are using on your website, how you are using them, what data they collect, who may have access to that data, and how users can opt out of this data collection. 

  • Confirm that your organization has agreements in place with your technology providers that detail limitations on how the provider can access and use collected data. 

  • If you use live chat, make sure to add a privacy notice within each live chat session that takes place on your website. 

  • If you implement session replay or other recording technologies, configure them to minimize or eliminate their collection of individually identifiable information. This can be accomplished by implementing features to block the collection of or to blur form data and other personal data provided by users; limiting the pages on which recording technologies are used; and reviewing with vendors what options, such as opt-outs, may be available to users. 

  • Consider implementing a cookie banner on your website – and if you do, tailor it for the unique risks CIPA litigation poses, including informing the website visitor of the collection or recording of information and the providers used, and obtaining consent. Note that the user interface design is also important. In one recent case, a court permitted the plaintiff’s case to survive a motion to dismiss because the court found the font size, contrast, and location of the banner problematic.

  • If a cookie banner is used, consider configuring it to suppress riskier trackers until consent is provided, especially in jurisdictions like California that require all-party consent. Riskier trackers may be ones that transmit communication contents, infer sensitive data via URL page visits or IP address location, or involve data transmissions to vendors that have the right to use the data for their own purposes.

  • Implement processes to regularly monitor what trackers are on your website, including why they are there and for what purposes. 

  • Remove any trackers that are no longer driving business value. It’s not uncommon for third-party trackers to remain after a relationship or pilot with a technology vendor ends, or after marketing priorities change.   

  • Implement or validate review and classification protocols for adding new trackers to your website, including to address necessary contract terms, interoperability with any cookie banner and user choices offered, and for alignment with your organization’s privacy notice and opt-outs. 

  • Govern and monitor what data types are being transmitted by the trackers used. Implement policies and procedures to limit data transmitted to the minimum necessary, and have a perspective on which trackers are more likely to involve transmission of “contents of a communication.”
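The consent-gating, tracker classification and tracker inventory steps above, put into working form as an added JavaScript example. This is not code from the original post, from Hintze Law, or from any consent-management vendor. The tracker registry, vendor names, script URLs, the `{ status }` consent object, the `US-CA` region code and the policy that riskier trackers wait for an affirmative choice only in opt-in regions are all assumptions made for the example; the capability flags that mark a tracker as “riskier” are the three signals the post lists.

```javascript
// Added example (not from the original post): a consent-gated tracker
// loader plus a script inventory. Everything below is constructed.

// Constructed registry of trackers a site might use. The capability flags
// are the risk signals from the post: transmitting communication contents,
// inferring sensitive data from page URLs or IP-based location, and vendors
// that may use the data for their own purposes.
const TRACKER_REGISTRY = [
  { id: "first-party-metrics", vendor: "in-house", src: "/static/metrics.js",
    capturesFormInput: false, sendsFullUrl: false, sendsIpLocation: false, vendorIndependentUse: false },
  { id: "session-replay", vendor: "ExampleReplay", src: "https://cdn.example-replay.invalid/replay.js",
    capturesFormInput: true, sendsFullUrl: true, sendsIpLocation: false, vendorIndependentUse: false },
  { id: "ad-pixel", vendor: "ExampleAds", src: "https://pixel.example-ads.invalid/p.js",
    capturesFormInput: false, sendsFullUrl: true, sendsIpLocation: true, vendorIndependentUse: true },
];

// Regions where a riskier tracker waits for an affirmative banner choice.
// The post names California; the region-code format is an assumption.
const OPT_IN_REGIONS = new Set(["US-CA"]);

// List the signals that make a tracker "riskier". Empty list = low risk.
function riskReasons(tracker) {
  const reasons = [];
  if (tracker.capturesFormInput) reasons.push("transmits communication contents (form or chat input)");
  if (tracker.sendsFullUrl) reasons.push("sends page URLs that can reveal sensitive interests");
  if (tracker.sendsIpLocation) reasons.push("infers location from IP address");
  if (tracker.vendorIndependentUse) reasons.push("vendor may use the data for its own purposes");
  return reasons;
}

// Decide whether one tracker may load for this visitor.
// consent.status is "unknown" (no banner choice yet), "granted" or "denied".
function shouldLoad(tracker, consent, region) {
  const reasons = riskReasons(tracker);
  if (reasons.length === 0) return { load: true, reason: "low risk" };
  if (consent.status === "denied") return { load: false, reason: "consent denied" };
  if (consent.status === "granted") return { load: true, reason: "consent granted" };
  if (OPT_IN_REGIONS.has(region)) {
    return { load: false, reason: "awaiting consent: " + reasons.join("; ") };
  }
  return { load: true, reason: "opt-out region, no objection recorded" }; // policy assumption
}

// Default injector: append a <script> tag in a browser, do nothing elsewhere.
function injectScript(src) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Apply the decisions to the whole registry and return an audit record of
// what loaded and what was held back, with the reason for each.
function applyConsent(registry, consent, region, inject = injectScript) {
  const loaded = [];
  const suppressed = [];
  for (const tracker of registry) {
    const decision = shouldLoad(tracker, consent, region);
    if (decision.load) {
      inject(tracker.src);
      loaded.push({ id: tracker.id, reason: decision.reason });
    } else {
      suppressed.push({ id: tracker.id, reason: decision.reason });
    }
  }
  return { loaded, suppressed };
}

// Inventory check: compare the script sources actually present on a page
// (from document.scripts in a browser, or a constructed list) against the
// registry and report third-party hosts nobody has classified. This is the
// "monitor what trackers are on your website" step.
function auditScripts(scriptSrcs, registry, siteHost) {
  const base = "https://" + siteHost;
  const known = new Set(registry.map((t) => new URL(t.src, base).host));
  const unknown = new Set();
  for (const src of scriptSrcs) {
    const host = new URL(src, base).host;
    if (host !== siteHost && !known.has(host)) unknown.add(host);
  }
  return [...unknown];
}

// Demo: a California visitor who has not yet answered the banner.
console.log(applyConsent(TRACKER_REGISTRY, { status: "unknown" }, "US-CA"));
// Demo: a constructed page that still carries a script from a former vendor.
console.log(auditScripts(
  ["/app.js", "https://cdn.example-replay.invalid/replay.js", "https://old-vendor.invalid/tag.js"],
  TRACKER_REGISTRY, "www.example.com"));
```

In a browser the page would call `applyConsent` once on load with the stored banner state and again when the visitor makes a choice; `auditScripts` can be run against `Array.from(document.scripts, s => s.src).filter(Boolean)` from a periodic monitoring job so that a tracker left behind after a vendor relationship ends shows up as an unclassified host.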

As claims brought under CIPA continue to advance new theories under an old law to target companies for commonplace website and app activities, the steps above can help to reduce your organization's potential exposure to CIPA claims and to provide defenses to claims brought against your organization. 

Jennifer Ruehr, Partner with Hintze Law and Chair of the Employment Privacy Group and Co-Chair of the Cybersecurity & Breach Response Group, counsels retail, technology and e-commerce clients on global privacy, cyber-security, and related data technology and transactional matters.

Sam Castic is a Partner with Hintze Law with 15 years of global privacy and cybersecurity experience. Sam counsels e-commerce, fintech, technology, telecom, social media, retail, and advertising clients from early-stage startups to the biggest global companies.

Felicity Slater is an Associate at Hintze Law PLLC. Felicity has experience with global data protection issues, including data breach notification laws, privacy impact assessments, GDPR, and privacy statements.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique privacy firm that provides counseling exclusively on global AI & data protection. Its attorneys and privacy analysts support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy & data security.