The California Invasion of Privacy Act (CIPA) is having a moment, not necessarily in a good way. We’re lucky to have Stacy Boven with us to help us better understand this new flavor of class action litigation. Stacy is based in Nixon Peabody’s San Francisco office. She’s a member of the firm’s Cybersecurity & Privacy practice and leads Nixon Peabody’s California CIPA litigation team.
Watch this episode of A Little Privacy, Please!® on the California Invasion of Privacy Act (CIPA)
Tell us about the California Invasion of Privacy Act.
We are seeing a flood of litigation under CIPA, the California Invasion of Privacy Act. CIPA is a bigger statute, but I want to talk specifically about the wiretapping statute. What we’re seeing in California right now is all of these companies with public websites who did their data due diligence, they dotted the I’s, they crossed the T’s with their privacy policies in their terms of service, are suddenly getting hit with these lawsuits claiming that they are liable for aiding wiretapping.
Now, what do you think about when you hear wiretapping? I think about a guy in an unmarked white van with big headphones on trying to listen to a conversation across the street. That’s not what’s happening with websites. So, it’s a strange surprise for these companies who don’t understand why they are on the wrong end of a civil lawsuit.
And if this sounds confusing, it’s because it is.
But let me back up and explain what CIPA is. It’s a very old statute put on the books to protect Californians against wiretapping. Back when telephones were connected with wires, it prohibited tapping a phone wire, trying to learn the contents of a message sent through a wire, or assisting someone in these illegal eavesdropping activities.
We now see plaintiffs trying this new creative application of CIPA to claim that using third-party technology on a website violates the California Invasion of Privacy Act.
Why are we seeing an increase in CIPA litigation now?
People have never been more concerned about data privacy. Some of this has to do with what we see in the headlines, including talk about generative AI. Consumers are also noticing signs that they have data, through targeted ads for example, and are wondering who can access this data. So data privacy is very much part of the zeitgeist at a time when data has never moved more quickly.
Then, the Ninth Circuit cracked open the door with an unpublished decision that was meant to address a very specific, narrow issue on consent under CIPA. That decision had language in it saying that the wiretapping section of CIPA applies to internet communications, opening the door for this kind of litigation.
And I want to back up and explain what plaintiffs are claiming here. The argument goes like this: The website user goes to a website and fills out information in a form, communicates with a chatbot, or maybe just clicks around on the site. Plaintiffs are claiming that activity is a communication. Almost every website uses third-party software to improve the functionality of their website, whether it’s adding in a chat feature or using third-party software to manage their data through session replay or pixels. The use of this third-party software is what plaintiffs are pointing to as eavesdropping. They’re saying the third-party software is the eavesdropper, eavesdropping on the website users’ communication on the site. And then the plaintiffs are turning around and suing the website who paid for the software, and saying, well, you’re aiding eavesdropping and that violates the law.
Who is at risk of getting caught in CIPA litigation, and what is that risk?
Because the use of third-party software in websites is so ubiquitous, any company that’s doing business in California with a publicly facing website is at risk of civil litigation. In terms of the risk, it’s expensive litigation. CIPA claims carry a statutory penalty of $5,000 per occurrence.
If you get hit with a class action litigation on behalf of every user who has been to your website in the last year, you’re looking at damages claims in the millions.
How can companies protect themselves against CIPA violations?
Companies have got to get their data house in order.
I know that everyone has heard this a lot, we say it to our clients early and often, but you have to make sure that your privacy policies, your cookie consent banners, your terms of service are all current. You need to be accurate, and they need to not just comply with California and federal law, but they need to be formatted in a manner that’s going to protect your company against this new CIPA litigation.
What does that mean? Take, for example, websites in Europe. Almost uniformly, if you go to a European website, before you can interact with that website, you’re going to see a grayed-out screen and a cookie consent policy that the user has to interact with. Users have to affirmatively select yes or no on cookies and get data usage notifications. That doesn’t happen as much in the US, but you’re certainly more protected the more communication there is with the website user. There’s a big difference between a banner that requires affirmative consent from the user as opposed to a tiny link in the bottom of your website.
What’s important here is transparency. Making sure that you have transparent communication with your website users about the data you’re collecting and how you are using that data is critical. In order to have transparent communication, you need to understand what you are doing with your data.
That sounds simple, but it’s really not. Technology is developing so fast these days. There are new and interesting tools that companies can use to work with data. You really have to understand what you are doing with data, how you’re collecting it, where it’s going, what safeguards you put in place for when it’s stored, who can access it internally and externally, and whether and how you use it.
Once you know those basic facts, you can have transparent communication and ensure that your disclosures and your privacy policies accurately communicate that to website users.