Privacy Lawls with Donata
Ep.16 | CIPA: The 30-year-old privacy law getting businesses sued today (Guest: Jason Kelly)
Now, businesses big and small (even 1-person businesses) are being sued across the United States by attorneys looking to take advantage of the confusion.
Our guest, today is Jason Kelly. Jason is a Partner at Annaguey McCann, a litigation law firm in Los Angeles, who uses his experience in complex commercial disputes to help companies resolve disruptive lawsuits and find pragmatic solutions aligned with their goals. Jason litigates individual cases and class actions involving claims of fraud, anticompetitive behavior, and more. This year, the Los Angeles Business Journal recognized him as a Leader of Influence for Litigators & Trial Attorneys; and the Daily Journal named him as one of the “Top Artificial Intelligence Attorneys.” Jason is also a Certified Information Privacy Professional and Artificial Intelligence Governance Professional. He has helped clients respond to and litigate claims of CIPA violations.
Show Transcript
Hello, and welcome to Episode 16 of Privacy Lawls, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals, and we have some laughs along the way as well. This podcast is brought to you by Termageddon, an auto updating privacy policy generator. Today, I’ll be speaking with Jason Kelly about one of the hottest topics in privacy, businesses being sued for website tracking under the California Invasion of Privacy Act.
Jason is a partner at Annaguey McCann and a litigator that uses his experience in complex commercial disputes to help companies of all sizes resolve destructive lawsuits and find pragmatic solutions aligned with their goals. Jason litigates claims of fraud, breach of contract, anti competitive behavior, and more.
Jason is also a certified information privacy professional and has helped clients respond to and litigate claims of SIPA violations. So Jason, thank you so much for joining me today. What made you interested in representing businesses and privacy disputes? [00:01:00] Well, thank you for having me. It’s a pleasure to be here.
My, my interest in representing privacy businesses rather than privacy disputes really just kind of Gradually changed over time. My background is working as a general civil litigation attorney. You know, just being a generalist. But I have a lot of friends and family who who work in tech and you know, they’ve been talking about privacy and data issues.
And, you know, especially back when GDPR was, you know, first coming out. So it’s always been something that’s been interesting to me. And it’s an exciting area of law just because it is so cutting edge. There’s a lot of new issues, new laws. Developing right now, like it’s just all over the US and internationally.
So it’s a really exciting time to be in this space. It is a really fun field because like you said, there’s something always happening. There’s really no shortage of things to be reading or looking into, which I think makes it kind of fun. I mean, you know, there’s other areas where the law has been settled for for a really long time.
And it’s kind of [00:02:00] litigating and relitigating the same issues and the same laws. So this is a lot more interesting than that, I think. Yeah, it definitely is. I mean, I think you’re right. Like we’re used to reading these cases and having this doctrine that’s been around for hundreds of years or, you know, cases where you’re you’re citing and saying, well, you know, the Supreme Court decided 95 years ago, you know, this or that.
But today it’s almost feels like watching Tell a novella or like a soap opera where it’s just this thing’s happening over here and they’re threatening this and then, you know, they didn’t meet the deadline. So this new regulation is not going to go into effect. Oh, but look, you know, maybe Congress is going to get its act together.
We’re going to have all this change. Oh, wait, that’s not going to happen. And every day it’s just these new alerts come in and you’re just kind of like you’re trying to keep up with it. But it’s also like sometimes it’s noise and then Okay. Yeah, it’s just, it’s fascinating. And I find myself just reading a bunch of these like alerts and updates and, you know [00:03:00] notices that pop up.
So it’s, it’s definitely different compared to other areas of law. Yeah, absolutely. So you initially started in business litigation do matters like antitrust and fraud. How did you start representing businesses and privacy disputes? And do you have any advice for other attorneys who want to pivot into privacy?
Yeah, my, my pivot into privacy was a pretty gradual process. I started out at a large firm and I’ve worked at a number of different firms where, you know, we’re doing a lot of these like contracts or fraud or like antitrust cases and class actions. And I really enjoyed it. It was exciting. It’s, it’s, you know, it’s fun as, as a litigator.
But privacy litigation was something that I was interested in. And I think there were two things that kind of helped me you. Pivot into that and one was just like my interest. Like I mentioned before, just trying to keep up with what’s going on and being curious about what’s happening and how this tech is applying to, you know, to all of us.
And what does that [00:04:00] mean from a legal standpoint? And then the other thing was I started working at a firm where I had an opportunity to you. To explore that area of law, rather than just being told, you know, we don’t have a practice group that does that. We’re not interested in you trying to develop anything like that.
You know, just keep doing what we’re doing now. So, you know, it having that opportunity to explore that having people that you work with who are supportive of that, I think is massive and I think that would just be my, my biggest piece of advice is, you know, if it’s something that you’re interested in, you know, whether it’s your company time or your, your personal time, like be curious and like make an effort to learn about these things, like find out what’s happening, whether it’s at a firm business or a government agency just, just try to go out there and learn more and put yourself in a position where they’ll have those opportunities.
And it might take a little bit of time and that’s fine, but you know if it’s really something you’re interested in, like pursue it. Yeah, it’s, it’s really interesting because, you know, great example of this, when I went to law [00:05:00] school, there were no privacy law classes. That was not a thing. Neither were cyber security courses, but now a lot more law schools are offering those courses for law students who are interested in these areas.
And I think it’s the same way with law firms, right? It’s something that law firms haven’t necessarily thought about this, You know for a long time, but it’s definitely coming up as a question that clients ask about you know, that lawyers are interested in. So I think we’re going to see more and more law firms have privacy law departments.
Yeah, and I think before you would see a lot of, you know, emphasis on compliance. And then if there were, you know, litigation issues, you know, it’d be focused on like a data breach. Those were kind of like the big umbrellas or big kind of like buckets that people would fall into if they’re in litigation, but it’s changing.
And now you, you have a lot of people who are moving into the space cause they’re interested. And there, I think there will be more opportunities. And so, you know, the big thing is just, Sue those opportunities and keep your eyes open cause they’re out there. [00:06:00] Absolutely. So we see more and more businesses getting sued for privacy violations, which is a relatively new development.
Do you find education to big, to be a big part of your work? How do you educate your clients on why they’re being sued? Yeah. Education’s massive. It’s, it’s a real big thing. And I think. A big part of it is just the fact that the types of companies that are now being targeted you know a lot of times they’re not companies that have a history of litigation or have these massive in house legal departments I mean even finding a lot of times the people i’m talking to like they’re small businesses that have you know, one two, maybe three employees and They’ve never had to deal with legal issues besides maybe like, you know, drafting or entering into a contract.
So, a big part of my process is really just teaching them about what litigation is, what litigation in California is like, and how the whole process works. Like, one of the first questions I’ll ask is, I’ll typically [00:07:00] ask is just have you, have you dealt with the lawsuit before besides like, you know, a jaywalking ticket or, you know, I got into a car accident when I was 16 because knowing their, their history and, and their, their litigation background will help me, you know, provide a better service and give them context as to what’s happening here in California.
This area of law and, you know, why they got this letter or this lawsuit that was filed. You know, one of the things I’ll also tell them is just give them context about the fact that they’ve essentially been caught up in a massive way of litigation and it’s hitting a lot of different people all at once.
And it’s not like you know, this business did something specifically wrong and that’s why they’re being targeted. So you know, it’s that education, but it’s also just. Learning from them trying to learn about what their goals are. And so that we can find, you know, the most sufficient way of resolving this dispute, these allegations.
That’s very true. I mean, we’ve heard of businesses getting [00:08:00] sued under SIPA and get on a call with them and they’re like, but everybody uses the Metapixel. Why are they going after me? And. You know, I, I’m a small business and I don’t have this much money. Wouldn’t they go after somebody who has more money?
And I think you’re right that this is just a wave of litigation that everybody’s getting so caught up with. But if you’ve never been experienced in litigation you know, it definitely feels scary and it’s a lot different, you know, as a lawyer, you know, you do have stakes in it. You have a client that you have to represent, but it’s a lot different when you’re the one being sued versus when you’re defending someone from a lawsuit.
Right. Yeah, absolutely. That’s, that’s absolutely what’s going on. And that’s like, that’s the way that you’ve got to talk to these people to kind of just let them know, you know, what’s happening, what’s happening to them, how they fit into like the bigger picture of what’s happening. One of the responses I’ll get oftentimes is, well, I checked this, this law firm that sent me that, And I checked their system and they’re using this pixel and they’re using that [00:09:00] pixel and I think they’re doing the exact same thing I’m doing.
So I you know, like that, that’s the initial reaction is just like, I’m not doing anything different or wrong. And I’m certainly not doing anything maliciously. So why am I getting picked on? And, you know, Why am I being threatened with this legal action? Yeah, absolutely. So today we’re going to be talking about the California invasion of privacy act, which is a pretty old privacy law.
Can you tell us a little bit of why this law was passed? Yeah. So SIPA California invasion of privacy act is, it’s an old law. It goes all the way back to the cold at war era. It was enacted in 1967. You know, long, long before the internet existed, it was primarily focused on telephone technology and communications.
So SIPA is unique in the sense that it’s a penal code statute. It’s part of California’s penal code. Like basically our criminal law here. And it was intended to protect Californians by stopping illegal [00:10:00] eavesdropping. And wiretapping on private communications and phone calls. It’s a statute that has over time been amended.
One amendment that will be, you know, kind of the focus of a lot of our discussion, I think today is this 2015 amendment that came through on a bill called AB number nine 29. It was passed and enacted in the law and it’s now part of the penal code. It’s section 638. 51 and it’s a provision that prohibits the installation or use of a thing called a pen register or a trap and trace device unless certain statutory requirements are satisfied.
So SIPA talks about communications between a resident of California and another party. So what are some examples of A communication with a resident of California. Yeah, traditionally, like I said, this is an old statute. You think back to like the 1960s, 70s the communications that they were [00:11:00] focused on were primarily just phone calls.
Like we’re talking like old school landlines. But in the latest wave of SIPA litigation, what you’re seeing is an expansion of that. And then they’re trying to, these plaintiffs are trying to expand the communications from just a phone call to a web browser or device. Accessing a website. That’s the communication is accessing a website versus calling another person.
This is pretty random, but thinking about landlines, it makes me think of phone parties where back in the day, you know, people would just have one landline. One connection for the entire town, and then they would take turns making calls and then people could eavesdrop on those calls. So it’s really making me think of that, of way, way, way, way, way back in history when an entire town had one phone line and everybody could listen in.
But apparently we’re not talking about that anymore. [00:12:00] Yeah, no, it reminds me of, you know, back, you know, like I’m thinking like middle school and high school, you know, you would talk on the phone with your friend, but you would also go grab the other phones in the house to make sure, you know, your little brother or your little sister doesn’t like get on the phone and start making like, you know, screaming noises in the phone or your parents don’t eavesdrop on your, you know, call with your friend.
And so I remember, you know, yeah, Seeing my brother, for instance, like talking on the phone and just holding like the other wireless phones in the house, like in his hand, just to make sure that I don’t mess with them kind of thing. But yeah, that’s, it’s, it’s like that, but it’s, it’s not, it’s like that, but not.
So I think with this amendment, now we’re talking about pen registers and, and trap and trace devices. What are those? So pen registers and trap and trace devices, they have a common definition, In SIPA, the California legislature actually gave them statutory definitions, meaning like there’s an actual definition in law [00:13:00] for these two things.
And so, you know, for for the lawyers out there, it’s penal code section 648 50 subdivision B and C. But basically, a pen register, or It’s like a mechanical device that would actually record the numbers dial from a telephone but it doesn’t overhear the, the communications or what’s actually in that call.
So if you think about, like, I always think about you know, like 1960s movies, like spy movies or law enforcement movies, and you’ve got the phone line of like, The like the mobster and the police want to find out who’s this mobster calling or who’s calling this mobster What they would actually do is put a device on that line So that they could see What calls were being made to and from that from that line?
So unlike a wire tap, which lets you listen into the conversation that’s actually happening, like the contents of those communications, a pen register and the same thing for a trap and trace device, they would let you know [00:14:00] what phone numbers had called that number. And then, like, what numbers that phone number had called out to so a trap and trace device records the originating telephone numbers of the calls dialed into that person, whereas a pen register would show what phone numbers were being called from that that line.
Do you remember in the early 2000s and 2010s, you would get your phone bill and it would show you every single number that you’ve called? Yeah, that was fun. Yeah, I exactly. And you could see everyone and you know, I remember being like on a family plan and then like, you know, you’re all sharing minutes and you know, it’s like, what?
You’re spending all our minutes, you know, Jason, like, what are you doing? You know, we’re gonna charge you extra or, you know, we’re gonna have to change our plan because I can see how many times you’re calling your girlfriend kind of thing, like in the middle of the night sort of thing. Yeah. And they could also see the time.
So they’d be like, well, you told me that you were going to sleep, but you were, you sent 200 text messages. And [00:15:00] I remember parents being just absolutely flabbergasted by the amount of text messages that you could send. And looking back on it now, it wasn’t saying like, how could you spend that amount of text messages to anyone?
I could never do that. Like I could never do that again. I don’t think that’s possible. Well, what, what makes it even more like kind of mind boggling is the fact that you remember those phones, like to like send certain letters, you had to press the button multiple times. So it wasn’t like a keyboard or, you know, like, so you’re just like doing that nonstop, just, you know, glued to it and sending out, you know, SMS texts to your friends emojis and all that.
Yeah. But it’s, it’s, it’s like that it, it shows like, you know, what calls were made and how long those calls were. And, you know, like I said, it doesn’t show the. The contents of the communication, but a pen register and a trap and trace device, which show you who’s calling you and who you’re calling. Yeah, absolutely.
So SIPA, it has a private right of [00:16:00] action. Can you tell us like, why is that significant and what type of damages can be awarded under SIPA? Yeah. So private right of action is just a legal term for a person can sue for that violation. Which is again, kind of unique. For SIPA because SIPA is in the penal code.
So it’s a penal code statute, meaning it’s criminal and typically only the government can prosecute a criminal violation. But SIPA has a unique provision in it that allows for a private right of action for certain types of claims. So a person doesn’t have to report it to the police and hope that like the district attorney, for instance, prosecute something.
They can hire a civil litigator And file a civil lawsuit for certain violations of SIPA. So under SIPA, a private litigant is entitled to 5, 000 per violation, or if they actually suffer damages, what they can do is they can treble those damages, meaning [00:17:00] they get three times the amount of the damages.
One thing that’s outside of SIPA, but that you’re seeing built into these SIPA lawsuits that are being filed in these demand letters, is a request or a demand for punitive damages, which are damages that are extra, and they’re intended not to compensate the victim or the plaintiff for the injury they, you know, they suffered, but they’re sums of money that are intended to actually punish the defendant.
So you’ll see that in these cases, the plaintiff will allege that the business acted with oppression and malice. By allegedly, allegedly installing the pen register and trap and trace device and that they knowingly violated, violated SIPA. So because it was malicious, you know, they, the defendant should be punished even more.
And so that’s, that’s being added on as a potential damage. Very interesting. So we kind of talked about phones and, and landlines and people [00:18:00] kind of, you know, eavesdropping on those calls, but. You know, how and why is this old privacy law being applied to modern websites? Yeah, it’s, it’s a creative move on these plaintiffs part.
And what they’ve been able to do is take this old statute, this old law involving an old technology, and they’ve been able to file lawsuits, threatened to file lawsuits. And, you know, in some cases get judges to agree that this old statute could apply to. The internet and essentially they’ve been alleging that pixels or web beacons that companies use on their website that show the IP address of, you know, whoever is accessing the website that those are effectively pen registers or trap and trace devices and that they therefore violate SIPA.
And that a plaintiff is entitled to 5, 000 in statutory damages for each [00:19:00] violation. So it’s just a really, an expansion that, you know, effectively could reach every single interaction that takes place on the internet. Yeah, are there like certain types of websites that are getting sued or is it kind of all over the map?
It’s, it’s really all over the map. It’s, it’s surprising and striking how much how broad the group is. So you’re seeing it hit these types of demands and these types of lawsuits hit every industry. You got marketing companies, entertainment companies companies that work in e commerce or fintech and banking.
I just recently spoke to someone who works in a H. R. Recruiting company. And you know, they’re getting these types of demands and letters and it’s it’s you know, Massive companies like some of the biggest names that you’ll see you see a lot of these sort of like vc backed tech companies that are also being hit but then there’s also these random small businesses that have these very, you know, small websites [00:20:00] that are that aren’t doing, you know, these massive sales and they’ve maybe got one or two employees.
So In the past week for instance I’ve spoken to people in London, New York, Florida, San Francisco, and Charlotte, who have either received a letter. Or just recently got sued for a SIPA violation. It’s interesting because the first time I heard about these lawsuits they were coming after kind of healthcare adjacent companies.
So companies that are not hospitals or medical providers, but that do provide some kind of medical type of service. And initially I was like, okay, that makes sense. You know, you don’t want people who are collecting data on your health to be sharing that data with Facebook, for example, right. With the Facebook and then it kind of exploded from there, you know, it went from something that kind of made sense from a privacy perspective to, Hey, I’m selling just trinkets and I’m [00:21:00] getting sued, you know?
So it’s very interesting to see this progression. Yeah. It’s, it’s almost. I mean, it’s kind of surprising. It’s one of those things where if you weren’t watching it, you know, happen in real time, week after week and seeing the types of businesses that are getting hit, you might not believe it, but sometimes you’ll see, like, there’s almost like a theme at times, like, you’ll see, like, a week where certain businesses are getting hit and you’re like, okay, like, that was their week to go after those, like, online apps.
And then like two weeks later, you’ll notice that a bunch of companies that are in this other space are being hit with these types of lawsuits. And so it’s, it’s just, like you said, it’s, it’s really exploded and it’s, it’s all over the place. I wonder if they have a hat full of papers that say industry, and then they pull from the hat and that’s the industry they see that week.
I actually was thinking about that. And I, I was able to confirm, no, I’m kidding that it wasn’t a hat, but it was a giant wheel. There’s an old school [00:22:00] wheel. I like that. I like that a lot. So, are there certain types of website features that are leading to claims of violations of SIPA? Yeah so, I mean, we’ve been talking mostly about SIPA in the context of pen registers and tramp and trace devices.
That’s really kind of become the The thing today but if you were to go back about a year, year and a half ago, the SIPA cases were really focused on an entirely different issue and they were primarily focused on chatbots and what these plaintiffs would argue is that you know, I went on your website and I use the chatbot feature.
And I thought I was communicating with you and I essentially was communicating with you, but my communication was essentially eavesdropped. It was like, you know, someone was listening in and the person listening in was the chatbot in the company that, you know, the vendor that provides the chatbot services.
And so [00:23:00] I didn’t realize that my communication with you, you know, Website company was going to be eavesdropped by this chatbot vendor. And so that was a violation of SIPA. And so you would see claims against the website operator saying you were involved with the the eavesdrop either directly or you were aiding and abetting.
So, webs, you know, kind of going back to your question, the websites that were getting hit the most were ones that had chatbot features. But the tension now is like again, moving towards pen registers and trap and trace devices. And so you’re actually seeing that certain pixels or what beacons are getting hit.
Or getting a lot more attention. The one that really stands out a lot is tick tock. If there’s a tick tock pixel, that’s, that’s, you know, really at the center of a lot of these letters and these complaints, but also, you know, pixels related to meta are are getting, you know, hit. Very interesting.
And how many of these lawsuits do you see? I mean, I know you track this stuff every day. And it, [00:24:00] you know, from our perspective, it seems like a lot, but it would be nice to have some kind of more concrete numbers if you have them as to how many of these lawsuits are getting filed. Yeah, it’s, it’s a lot.
I mean, it’s a lot and it’s growing. If we were talking about a year, you know, two years ago, I’d say you’d see complaints coming in every day. Right. In federal court and state court in california in la you’d see probably, you know, maybe two or three lawsuits filed and those are just the ones that get filed So that means that maybe a letter went out beforehand a settlement wasn’t reached And so this is actually like escalated to a full blown like lawsuit that’s gone up substantially Like in LA alone right now, you’ll see dozens of lawsuits filed each week It’s pretty common to see on a given day anywhere from five to ten complaints filed by a variety of different firms Another change related to that that has happened is, you know, about a year ago, [00:25:00] maybe a year and a half ago, you’d see a division, certain firms would tend to file in federal court and other ones would file in state court.
Now the vast majority are filed in California state court. And so when these complaints come in, You’ll see that some defendants try to remove them to federal court It’s a procedure that you can use where you say that this case that’s in state court it should be in federal court or can be in federal court because the federal court has jurisdiction and certain Attorneys certain parties think that you know, they’d rather be in one court than another and so you know They these defendants these businesses will try to remove a case to federal court Those efforts have Generally, like more often than not, or very much more often than not failed, and so they’ll go to federal court.
The federal court will look at it and say, like, no, we don’t have jurisdiction over this. You need to go back at the state court. So yeah, just more lawsuits, primarily in state [00:26:00] court, and there are more players now. About a year ago, there had been one Two firms that were involved with this they were filing.
They were doing all all the filings Now i’d say they do the vast majority of the filings But i’m like now seeing like, you know, five six firms that are involved you know one complaint I saw filed. I think it was a week or two ago was unfamiliar with the firm I looked them up and it’s a plaintiff’s employment firm.
They’re all employment lawyers But now they’re suddenly getting into this game and they’re, you know, cool privacy lawyers. So I, I don’t know if it’s one of those things where, you know we may just be seeing like more and more of these jabronis kind of like getting in to this, this type of work.
Yeah. I mean, it’s, it’s a lucrative. area, right? Because all you have to do is send some demand letters. Hopefully most of the people pay, you get paid. You know, hopefully most of the time you [00:27:00] don’t even have to go to court at all. It’s kind of a, I mean, relatively easy paycheck for a lawyer, isn’t it?
Yeah, I mean, it’s, you could call it an easy paycheck for a lawyer. I know a lot of people would call it, you know, something like a shakedown or they feel like it’s a shakedown. But yeah, I mean, you, you just, you see more people moving into the space. And I think as this grows, you know, that, that’s something that you might expect.
Keep happening. Absolutely. So before a lawsuit is filed you know, so many businesses have received demand letters saying that they’re violating SIPA you know, what are these letters look like and what are they demanding? Yeah, they’re lawyers would call them pre litigation demand letters or pre litigation settlement letters.
They’re typically in this context, I’m actually looking at one right now that was sent to a client. They’re typically pretty short, two or three pages. They have a lot of kind of boilerplate language in there. I spoke to someone who is in house at a marketing company who received one of these letters, and she said, Yeah, [00:28:00] we got this letter, and it looked like a scam.
So we just ignored it. And then, you know, fast forward a few months later, and suddenly we got sued. But generally, the the structure of these letters are pretty similar. They’ll say something like, we represent, you know, this And based on our investigation of your website, we think that you’re violating SIPA.
They’ll emphasize how important privacy is and how, you know, violations of privacy laws should be punished. And so, you know, we. Investigated your website and we see that you’re using A certain type of pixel or a certain type of a web beacon that collects information Sometimes they won’t even say that they’ll just be very general and say there is a pixel or web beacon that we think is doing, you know, this or collecting that But they won’t actually give you any specifics other times You’ll see like a screenshot in the letter and then they’ll say something like, you know, each violation is worth five thousand dollars You And we think there are several violations and, [00:29:00] you know, we might sue you on behalf of our client or we might turn this into a class action.
You know, you’re going to be on the hook for a lot of money and, you know, you really did a bad thing. But all that said, you know, we’re open to settling with you. And so sometimes the letter will say how much they’re willing to settle for other times. It’ll be silent They’ll just say something the effect of you know, get back to us by x date If you don’t then then we’ll suit you and so that’s typically the letter that you’ll get.
Sometimes it’s by email. Sometimes it’s by the actual stale mail but those are the letters that are going out there to these businesses It almost seems like some of these letters may be based on templates. Oh, yeah, I they they they are They they will have a different name, you know who the who the letter is being sent to but you can You can tell which firm sent which letters and you can just put them next to each other and see it’s just the same thing recycled over and over.
That [00:30:00] seems really crazy to me. I mean, to be sending out that amount of demand letters and requesting that amount of money and using templated letters and reusing the same thing over and over again and suing small businesses that are not collecting like sensitive data. I don’t know. That seems kind of wrong to me.
It’s it’s extreme. i’ll say that i’ll put it nicely i’ll say it’s extreme but the the crazier part for me is that’s the letter like what you’re talking about is just the letters The same approach is used for the actual complaints that are filed. So you’ll look at complaints You know, if you, if a given week, you’ll look at a complaint that was filed against all these companies and you’ll see that it’s exactly the same, same allegations, same images, same structure, everything.
It’s just the name of the defendant has changed and there was actually I think it was last year there was a federal judge involving SIPA. And that called out a [00:31:00] plaintiff’s firm and said that I’m looking at this and you’re using very generic language and it’s very clear that you’re copying and pasting the exact same thing and just filing it against dozens and dozens of different businesses.
And you’re using the same four or five plaintiffs over and over. So they. You know, they’ll do that in the letters, but they’ll also do it in the filings with the court. Wait, so they use the same plaintiffs over and over again? So, if you get a demand letter, and you can see who, you know, they’re allegedly representing, if you Google that person and like the name of the attorney, oftentimes they’ll see so many other lawsuits that were filed by the same plaintiff’s firm on behalf of the same individual over and over and over.
That’s that’s insane. So when a business gets this letter, do they just pay the requested amount? You know, I know some people may be tempted to ignore the letter. What happens if the business ignores the letter? So the [00:32:00] vast majority of businesses, I do think End up paying something to to resolve the case, whether that’s the amount that’s requested, or they’re able to negotiate down and get something that you know, a lower amount, something that’s that’s more palatable.
That’s another thing, but I think the vast majority of businesses, when they get these. They’re not happy. They don’t think they did anything wrong But they’ll come to a business decision and realize like paying the money getting this thing done and not having this escalate into a lawsuit makes the most sense but sometimes you’ll see people who they ignore the letter Or they just don’t want to respond.
Or they hope that it will go away. They’ll, they’ll do that. And, you know, they, they, they, they take their chances. I’ve seen instances where a letter was ignored and then a lawsuit filed shortly thereafter. And then I’ve talked to people who they got a letter, they ignored it. And then it was like months later and they were kind of thinking, you know, this, this.
Plaintiff’s firm is like [00:33:00] gone away. They forgotten about me. I’m not a big player. And then they get surprised when the lawsuit’s actually been filed. So that’s, that’s a risk. It’s interesting. So for people who do want to, you know, fight the lawsuit, what’s the average approximate cost of this? It’s.
Litigation, unfortunately, is expensive defending a simple lawsuit really is no different a lawsuit like this can easily, you know, the defense cost could easily go into the six figures you know, especially when you’re talking about cases filed in Los Angeles Superior Court. The court’s just, there’s a lot of filings going in, the judges are overworked, there’s a huge backlog the state recently announced that they’re cutting the budget of the courts again.
And so, you know, you’ll have a lawsuit that gets filed, and it may take years for the case to ultimately, you know, reach the end and just filing a motion and trying to get in [00:34:00] front of a judge, you have judges who aren’t You know, they don’t have a hearing date available for two, three, six months. So you get your papers you file them and then you just wait for a really long time so even an initial challenge like something called a motion to dismiss or demur with the supporting papers to Say that a complaint is, you know, legally not viable.
It should be kicked out before any type of discovery or exchange of evidence takes place like that can easily get into the 20 to 30, 000 range. And then the other thing, too, is if you’re, if your arguments are accepted, you know, the court finds that, yeah, you know your motion dismiss is granted. There’s also the possibility that the court will say to the plaintiff, well, you know, Do you want to try again?
Do you want to fix your complaint and add more allegations or more specific information or do something to show that your case is viable? And almost always the plaintiff will say [00:35:00] yes. And so then a new complaint, an amended complaint will be filed. And then you’ll go through that again. So it can take a long time and be very costly.
Yeah, that definitely explains why a lot of businesses do end up settling with this, even though they don’t agree to agree with what’s been alleged because, you know, it’s really expensive to fight a lawsuit, but then it also doesn’t seem like there’s any true consensus in the courts either as to whether these lawsuits should be allowed to proceed or not.
Is that right? Yeah. I mean, you know, going back a year and a half ago, This didn’t exist like these types of cases this case this violate the alleged violation of SIPA related to pen registers and track and trace devices No one filed a lawsuit. Based on it. And so now it’s become this thing That’s just all over the place.
And so these complaints are coming in and judges are [00:36:00] having to Decide this stuff for the first time And to figure out whether you know This is legally viable or it’s not and one of the things that’s been Interesting, but actually quite frustrating is just seeing judges reach contradictory or inconsistent decisions based on again, a copy and pasted complaint.
So, for example in March, there was a case that was filed by one of these firms. It was a more or less a copied and pasted complaint and the defendant filed a motion to dismiss or demur. Trying to say this case, you know, this shouldn’t go forward. The alleged violation, the law, SIPA, it all concerns telephones and landlines, and it doesn’t involve internet communications and IP addresses.
And the court agreed with the defendant. The court said that SIPA is limited to telephonic devices, including cellular phones. But not internet [00:37:00] connected devices with the unique IP address. And the court went through this long analysis and it’s looked at the fact that all the legislative updates and commentary was talking about a time when we were dealing with cordless and cellular phones not interface, internet based communications.
That was March 2024 in Los Angeles Superior Court. The next month, three weeks later, in April, in Los Angeles Superior Court with a different judge, the court denied the defendant’s efforts to try to get the case dismissed. And said that the SIPA statute, generally, you know, it, it was written in a way where it could apply to IP addresses and website traffic.
And so at this point, you know, the judge is not comfortable with just dismissing the case and he’s going to let the case go forward. And in that order, the entire analysis was limited to just two short paragraphs. So. You have these inconsistent, you [00:38:00] know, contradictory sort of rulings, and you’ve got it also not only in L.
A. Superior Court, but in other state courts in California, and then you also have federal courts in California that are reaching similar or different types of results, and the fact that also you’ve got Defendants who are making similar, but different arguments. And so maybe one argument that was really persuasive to one judge, you’ll notice that in another case the defendant really didn’t make that argument or didn’t make it well.
And so then the judge didn’t, you know, latch onto that. But it’s, it’s just very fluid at this point. And it’s giving, I think some of these plaintiffs, a lot of courage and other people who are interested in filing these lawsuits, courage to think that. You know, there’s something there that they can essentially weaponize This law and use it against all sorts of, you know, companies that have websites.
I think it’s, it’s really wild that you can get two different judges in the same court [00:39:00] decide the same issue in two different ways. I can’t imagine how frustrating that is. And, you know, in terms of putting things in a more persuasive way, you know, maybe the defense should Follow the plaintiffs and copy and paste.
I don’t know. No, you’re you’re right. It is really frustrating and I mean it’s especially frustrating when you’re talking to some of these businesses and they’re They’re saying we care about privacy. We don’t want to do something wrong We try to do what’s right, but right now we’re having trouble understanding in california What is right?
Like what are we allowed to do? And give us some, you know, give us some guidance, give us some clarity so that we can do what we need to do. And that’s, I think the most. Troubling part because they’re, they’re not trying to skirt the law. They’re trying to understand what the law is and comply with it.
Yeah. And, and I mean, no offense to anybody listening to this, who’s from California, but that’s kind of the California way [00:40:00] is we’ll pass a bunch of laws We’ll enforce some of them, not enforce others. And if you want any guidance, well, here’s some comments from a public comment period that have nothing what to do with compliant with, with complying with the final text of the law.
I mean, we’ve seen that time and time again, where regulations conflict with a text of the law. The FAQs make no sense, or there’s no, no resources really to help businesses understand how to comply. And then everybody’s upset that the business is not complying. Well, if you’re not explaining how to comply, what is the business supposed to do exactly?
Yeah. I mean, I, I get the frustration and what’s interesting is, you know, you’re talking about more, I think in the regulatory compliance area where you have you know, agencies that are supposed to be specialized in certain areas of law. And try to, you know, regulate certain industries, but here what we have is just a law that was written in the 1960s and then amended [00:41:00] by the california legislature and they you know have Some records in the legislative history showing what the law is intended to do what we want this law to accomplish why we’re passing this law They passed the law And then it just sits there.
And then now you’ve got courts, you know, you’ve got judges who they’re dealing with a breach of contrast case here, they’re dealing with a lemon law case here, and now they’ve got a sip a case here, and then they’ll take lunch, and then they’ve got a civil rights action, you know, in the afternoon, and they’ve got a real estate dispute, like it’s, that’s what we’re kind of dealing with.
And so it’s, yeah. It can be extremely understandably frustrating for, for businesses who are getting caught up in this. Do you think that, you know, these demand letters and lawsuits will stop anytime soon? No, I don’t. I, I, I don’t. I don’t think they’ll be slowing down anytime soon. They’re, they’re picking up.
And last I checked, websites on the internet. And [00:42:00] so there are a lot of websites who can be targeted. In these types of you know letters and these lawsuits We’re just seeing more and more of this and the fact that you know, we’re seeing more and more firms get involved with this makes me think that it’s going to become more common place and You know, we have a client for instance who they’re dealing with one plaintiff’s firm and then they’re getting a letter from another one so You know, so it’s it’s not even a matter of like you have to deal with at one time It’s that the same businesses could be hit multiple times from different firms representing different people at the same time.
So unless we get more courts To come to a clear, you know consistent sort of set of decisions that and specifically ones, you know that say that This law doesn’t apply to IP addresses or internet communications or website use. I think you’re going to see more of this. The only other potential [00:43:00] x factor is the california legislature getting involved in Amending the law like passing an amendment to the law making it really clear that it does or doesn’t apply But absent something like that, it’s just going to be, you know, fought through the judicial system.
Yeah. Because it’s a, it’s a money making thing now. I mean, for businesses that haven’t been sued yet, haven’t gotten the demand letter, is there anything that they can do to minimize the risk of getting sued? Yeah, I think it comes back to just responsible data policies and practices. You know, knowing what’s on your website, knowing what you know, people visiting are consenting to what type of data are you collecting?
How are you collecting it? What are you doing with it? Is your you know, is your privacy notice, you know, accurate, comprehensive, and does it actually reflect what you’re actually doing on your website? I think those are, you know, general things that can. Be done proactively to try to [00:44:00] minimize the likelihood that you’re going to be hit with the lawsuit.
And then also like I talked a little bit about chat bots. You know, if you have a chat bot, like you, you might be hit with a simple violation related to a wiretapping claim. So if you have that, you know, you may want to assess Thanks. Do we need that? Do we want that? I think those are really the things you can do, but at the same time, you just have to be aware that you, you may just kind of get pulled into this.
And so it’s not just a matter of as long as I have my ducks in a row and I’m doing what I think is right. Like, I can never be sued. Like, That’s, that’s not necessarily true. Yeah. I think we see a lot of businesses who, you know, maybe five years ago, they were running ads on Facebook and they have them at a pixel installed.
They ran the ads. Maybe the ads weren’t as fruitful as they thought they were. And they’ve kept this pixel on the site, even though they’re never going to run ads again. You know, remove stuff like that from your website because number one, it’s not benefiting you or your business in any way, and number two, it’s [00:45:00] putting you at risk.
Yeah, 100%. I mean, you should know, you know, it’s just what privacy by design, data minimization, those types of, you know, basic principles, just knowing what you’re collecting, what you’re doing. Do you really need it? If you don’t, like, don’t have it relatedly. And it’s, it’s a little bit different. But another thing to consider is Insurance.
A lot of companies are getting insurance that could extend beyond just the data breach and could extend to alleged violations of SIPA. So that’s another thing that I know a lot of people in the space are are looking at more closely. What about like obtaining the consent of a user from California before tracking them?
Yeah, that’s that’s another thing that they should really consider doing. And that’s something that I I think. It’ll minimize or it’ll decrease the risk of being sued but you’ll oftentimes see people who who have those types of banner ads, banner banners on they’re still getting a letter or they’re still [00:46:00] getting sued And what can be difficult is that you know, whether that banner worked and worked properly and was always in place and all that sort of stuff can sometimes be considered what we call a question of fact.
Which means that ultimately a judge or a jury after discovery would have to determine whether you know, consent was proper. And so it could result in a situation where, you know, as a business, you, you think you’re doing what’s right, you get sued, and it’s only after litigating it. For a while that you, you know, you prevail and again, you know, going back to what we talked about before, sometimes it’ll just be a matter of like, we think we did everything right, but it’s cheaper and more effective to just settle and get out of this now, rather than, you know, try to get to a point where we’re arguing about or proving that our the consent was, you know, actually obtained properly.
Yeah, I think it also depends on the banner design that you have or the company that you use because there’s a [00:47:00] lot of them out There that are like we’re tracking you with cookies and we’re assuming that’s okay So they fire them out of pixel without consent and then the user can opt out Which wouldn’t be applicable under sipa because under sipa it can fire only after the user has consented yeah, and that and that’s that’s those types of questions of like how long has has You That banner worked or what kind of banner do you have?
That’s when you get into, like I said, questions of fact, and that’s when you’re really litigating issues and fighting over the evidence versus trying to resolve a dispute, you know, in the earliest phases of the case. Yeah, so if a business wants to speak to you about retaining your services for help with a SIPA demand letter or SIPA lawsuit, where can they reach you?
Yeah they can find me online my email jason at anegwaymccann. com. I’m also on LinkedIn, linkedin. com slash I N Jason Y. Kelly. You also could just Google me [00:48:00] Jason middle initial Y Kelly that’s the easiest way to get ahold of me. Awesome. Well, Jason, thank you so much for taking the time to speak with me today about the California invasion of privacy act.
To our listeners, please make sure to subscribe to our podcast so that you don’t miss the next episode.