Privacy lawsuits filed in California have been a hot topic of discussion in the privacy space. And for good reason: In the past few years, hundreds of lawsuits have been filed in California against businesses nationwide alleging violations of the California Invasion of Privacy Act (“CIPA”). Although the legal theories for these lawsuits have evolved over time, they all challenge online practices that have become increasingly common for businesses.
In this blog, we discuss CIPA and how it has become the vehicle for so many privacy lawsuits, what CIPA demand letters and lawsuits can look like, and ways to minimize the risk of being targeted by a CIPA claim. The information provided in this post does not, and is not intended to, constitute legal advice. All information and content herein are provided for general informational purposes only.
Table of Contents
What is CIPA?
CIPA is the California Invasion of Privacy Act. It is a California law, found in the Penal Code, that was enacted in 1967, long before the Internet, websites, and social media existed. CIPA was passed to curb unlawful wiretapping and other surveillance devices, like pen registers, on telephone lines. As explained below, a pen register records the telephone numbers dialed from a telephone line (i.e., the outgoing telephone numbers).
How have CIPA lawsuits evolved over time?
CIPA claims started to gain popularity only a few years ago. The first of the modern CIPA lawsuits typically focused on web technology called “session replay,” which allows a website operator to obtain analytical information about a user’s keystrokes and mouse movements. The complaints would oftentimes allege that this technology on the defendant’s website was an unlawful “wiretap” because it (1) intercepted the plaintiff’s connection with the website and (2) “recorded” the user’s keystrokes and mouse movements on the webpage.
The next wave of CIPA litigation focused on websites that use chatbots. The complaints alleged that the chatbots were effectively unlawful wiretaps because they intercepted the user’s communications with the website operator. Plaintiffs typically claimed that their communications with a chatbot on a website were communications with the website operator that the chatbot vendor “wiretapped.”
Today, most CIPA lawsuits rely on a different theory. They focus on “pixels” and “web beacons,” which are types of software that the website operator or a third party can use to collect certain information about users for purposes like marketing and analytics. Rather than claim a website employs a wiretap, the complaints allege that the pixels and web beacons are unlawful “pen registers” or “trap and trace devices.” While a pen register records the telephone numbers dialed from a telephone line, a trap and trace device works the other way around: it records the telephone numbers of the calls dialed into a particular telephone line.
Plaintiffs typically allege that, under CIPA, a pixel or web beacon that collects a website user’s IP address on a website amounts to a pen register or trap and trace device. TikTok and Meta pixels are commonly at the center of these complaints: plaintiffs will claim a website has a social media pixel that, once a user visits the website, will collect and send that user’s information to the third-party social media company where it can be used to identify the user.
The latest iteration of these pixel and web beacon lawsuits has focused on search queries made on websites. Plaintiffs will oftentimes allege that when they enter a search query on a website, the website operator sends that search information to third parties via a pixel to identify the user in violation of CIPA. The third party then allegedly causes targeted advertisements to be sent to the user.
What do CIPA lawsuits generally look like?
These CIPA lawsuits can vary in form, but usually the process begins with the plaintiff and the plaintiff’s law firm sending the website operator a demand letter. The demand letter will typically allege that the plaintiff visited the company’s website, the lawyer investigated the company and its website, and based on that analysis they believe the company is violating CIPA. The letter will often threaten to file a lawsuit unless the company agrees to fix the alleged violation and pay a settlement amount.
If the company does not respond to the letter or a settlement is not ultimately reached, the plaintiff’s law firm will then file a complaint in court. The complaint initiates a lawsuit and will usually elaborate on the allegations and claims made in the demand letter. Once filed, the lawsuit will proceed to a final determination (like a dismissal or a jury verdict) unless the parties reach a settlement.
What types of businesses are receiving these CIPA demand letters?
Businesses of all kinds, sizes, industries, and locations are receiving these demand letters. For example, they’ve been sent to a small business selling trinkets online, a multi-million dollar cosmetics company, a one-man digital marketing firm, and a clinical therapist for children with learning disabilities. Some of these companies are based in California, while many others are from other states or overseas. Some are consumer facing, while others are B2B.
What types of law firms are sending CIPA demand letters and filing CIPA lawsuits?
For the most part, a couple of law firms account for the vast majority of these CIPA demand letters and lawsuits. Their letters and complaints are usually copied and pasted so they can be used over and over against a wide variety of businesses. It is common to see the same template forms and documents used repeatedly (the only difference being the name of the defendant business).
The popularity of these lawsuits appears to have attracted newcomers. We are seeing more law firms and people make CIPA allegations and file privacy lawsuits in California even though most of their experience is in other areas of law.
What proactive measures can a business take to minimize the risk of receiving a CIPA demand letter?
There are several things a company can do to minimize the risk of being sued under CIPA. The most obvious is understand what exactly is happening on the company’s website:
- What information is being collected and how is it being collected? Is the company or a third party collecting this information? What is being done with this information?
- Is all of this being disclosed to people visiting the website? How and when is it being disclosed? Is information being collected before the disclosure is made?
- What do the company’s policies about data collection and privacy say about this? Is the company complying with its own policies?
The company should consider whether it is necessary or even worthwhile to collect and track some of this information. The company should also assess whether it should be more transparent about tracking technologies on its website, and whether it should use an opt-in mechanism for tracking technologies.
What happens if you receive a CIPA demand letter or a CIPA lawsuit is filed?
Don’t ignore a demand letter or complaint. This can unnecessarily escalate the situation and, in the case of a complaint, result in the loss of certain rights. Instead, if you receive a CIPA demand letter or complaint, it is important to consult and retain counsel experienced in this field.
With counsel’s guidance, a business can evaluate the allegations and claims. This will be critical to determine how to proceed (i.e., whether to explore potential settlement or prepare for litigation).
It is also important to move expeditiously. A slow response to a demand letter risks the plaintiff filing a lawsuit before the company has had a chance to respond. And once a lawsuit is filed, there are strict statutory deadlines that dictate when a defendant has to respond. Delay can result in the company inadvertently missing these critical deadlines.
How do you help businesses defend against CIPA letters and lawsuits?
We work with our clients to understand their risks and potential exposure. Do the allegations and claims appear to be frivolous and unsupported? Or are there things on the company’s website or privacy policy that suggest the company may have difficulty defending against a CIPA claim? Is there reason to believe another plaintiff or plaintiff’s law firm may make similar allegations and claims against the company in the future?
We also work with our clients to understand their goals. Is it to resolve this case through a settlement as quickly as possible? Do they want to go the distance and litigate this through trial? Or do something in between those options?
The answers to these questions will help formulate and execute a defense strategy that is targeted, efficient, and cost effective.
* * * For more information about responding to a CIPA demand letter or lawsuit, Jason Kelly can be reached by email at jason@annagueymccann.com and through LinkedIn at www.linkedin.com/in/jasonykelly.