How the California Invasion of Privacy Act Affects Website Tracking Lawsuits
- Paul Peter Nicolai
- Apr 1
While the rise of comprehensive state privacy laws has taken center stage in US news, another issue threatens to affect companies with websites accessed by California consumers: an influx of lawsuits and arbitration demands under the California Invasion of Privacy Act (CIPA).
All types of companies, big or small, that operate websites targeting California consumers have recently faced the potential of being sued or taken to arbitration. Unfortunately, these situations frequently evolve into actual lawsuits and arbitration proceedings. It's important to recognize that CIPA permits statutory damages of $5,000 for each violation, which can represent a significant financial concern for companies, particularly when these claims are made on behalf of a group.
The California Consumer Privacy Act (CCPA) established broad privacy rights for U.S. consumers. More than a dozen states have enacted similar comprehensive privacy laws. Most of these laws, including California’s, do not offer a private right of action for violations, except in cases of data breaches under the CCPA. Critics argue that without a private right of action, these laws lack effective enforcement mechanisms to ensure compliance. Plaintiff attorneys in California have investigated alternative legal strategies.
One involves invoking the CIPA, a criminal statute enacted in 1967 to prevent eavesdropping on telephone calls. This resembles cases filed in Massachusetts and other states with extensive eavesdropping laws designed to prevent the recording of phone conversations. A crucial issue is whether companies’ cookies and other website tracking technologies violate individuals’ privacy rights.
The CIPA cases focus on the alleged unlawful use of website tracking technologies to collect and use the personal information of website visitors. They center around a few key arguments.
Website tracking technologies are considered unlawful pen registers. Plaintiffs argue that these tracking technologies record a user’s interactions with websites, which constitutes the use of a pen register or trap and trace device. These technologies collect information, such as IP addresses, when users visit or leave a website, thereby documenting dialing, routing, addressing, or signaling information transmitted from a device, without capturing the content of the communication. Plaintiffs claim that they represent illegal pen registers under the CIPA.
Using tracking technologies without consent violates users’ right to privacy. Under California law, a pen register or trap-and-trace device is prohibited without a court order or explicit consent from the tracked person. Plaintiffs say websites that deploy tracking technologies without obtaining consent violate the CIPA.
In a frequently cited case, the court denied the defendant’s motion to dismiss. It rejected the argument that a privacy company’s surreptitiously embedded software was not a pen register. The court stated that software which identifies consumers, collects data, and correlates that information through unique fingerprinting constitutes a process through which a pen register can be utilized. This case is still pending and has not yet established a definitive precedent on these legal points.
An essential point in the case is that the data in question was not collected directly through the website but rather through software deployed on third-party websites. Users who visited these websites were unaware of the software’s presence, which distinguishes this case from those involving direct website tracking. This distinction implies that recent claims against website operators may not be comparable.
Some companies have settled CIPA claims rather than litigate them. However, settling with one claimant does not shield a company from subsequent similar claims. It could have the unintended consequence of inviting future lawsuits. For those litigating, preliminary rulings have been mixed, and no claim has been fully litigated to final judgment.
A key difference in the decisions to date is how they treat consent. The argument is that voluntarily visiting a website implies consent to website tracking technologies, even if such technologies are pen registers.
Defendants face potentially contradictory rulings on two critical issues: (1) whether internet tracking tools qualify as pen registers and (2) whether visiting a website is consent for the collection of user information.
What To Do
As courts grapple with whether website tracking technologies are pen registers and whether visiting a website implies consent for data collection, companies should review their technology and compliance practices.
Many state laws specify rules about the notices that companies must display on their websites, how they can use consumers’ information, and how that information can be shared with third parties. Companies should ensure that their websites and privacy policies adhere to the various states’ data protection laws.
Beyond legal compliance, companies should evaluate their transparency regarding website tracking technologies. Does the privacy notice provide comprehensive information about cookies and tracking technologies, including which types are utilized and how users can block them or opt out?
Companies should consider deploying an opt-in mechanism for tracking technologies. One key consideration is whether visiting a website constitutes consent for data collection. By asking for explicit consent, companies could create an affirmative defense against allegations that an unlawful pen register was deployed, as consent is an exception to the prohibition on using pen registers.