United States: Best Practices For Apps & Websites To Avoid Claims Under The California Invasion Of Privacy Act (CIPA)

Amid little clarity from courts, wiretap claims targeting the use of data analytics tools are becoming increasingly common. Here are ways to stay compliant and avoid costly litigation.

Doing business online has never been easier thanks to an almost limitless array of data-gathering tools at companies' disposal. But as these technologies have become ubiquitous, their use has become the target of consumer arbitrations and class action claims based on wiretapping statutes that were passed long before online business existed, including the California Invasion of Privacy Act (CIPA). Online businesses must therefore be diligent to reduce the risk of these claims arising from their use of third-party technology to gather data on customer interactions.

In recent years, plaintiff firms have besieged online businesses using wiretapping laws like CIPA. Unlike modern data privacy laws, these older wiretapping laws allow users to sue online operators who use third-party tools and services to collect user data without the user's knowledge. Courts have been inconsistent in applying wiretapping laws to the use of these tools, but following these best practices should reduce the risks posed by these increasingly common lawsuits:

• Consent:Obtain users' express consent to data collection and use where possible.
• Contracts: Ensure all provider agreements specifically state that the provider will collect the user data solely to fulfill its obligations to the site and will not share the data with other third parties nor exploit the data for its own use.
• Route the Data Through You: Do not allow providers to receive user data directly—intercepting it before it reaches you, the intended recipient. Instead, route it through your business' systems/servers first.
• Limit the Content Recorded: Dismissal is more likely if your provider only records basic information (name, location) rather than interactions exposing more personal details.

Below, we further explore useful insights from the outcomes of recent CIPA cases.

What to Know About the California Invasion of Privacy Act

CIPA includes a suite of privacy-related laws governing surveillance, law enforcement tools, the recording of phone conversations, and wiretapping. With increasing frequency, plaintiffs are using provisions within CIPA to sue website owners who use data-metric and consumer communications technology on their websites, including chatbots, session replay, pixels, and cookies.

The most common CIPA claim is under the wiretapping provision, Section 631(a), which punishes a person who "willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit" or who "uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained."

CIPA class actions proliferated after cases holding that CIPA 631(a) applies to internet communications. Plaintiffs argue that if a third-party providing data collection or analytics tools receives user communications with a website, it is "intercepting" communications between the website and customers, and thus wiretapping those communications. Under California law the website owner is not directly liable for wiretapping, since it is a party to the conversation and one cannot wiretap one's own conversation, but the website owner can be held liable for aiding and abetting wiretapping by a third-party technology provider.

The civil penalties for violating CIPA are $5,000 per violation. There are additional criminal penalties. The full text of CIPA, Cal. Penal Code §§ 630 et seq., is available here.

CIPA 631 is not the only CIPA claim to be aware of—plaintiffs are also utilizing CIPA Section 632.7, which prohibits the interception and recording of conversations in which at least one party was using a cordless or cellular phone.

Some plaintiffs have argued that the use of a chatbot that maintains a record of discussions with customers violates the two-party consent law if the customer was using a smartphone to conduct the chat. Most (but not all) courts have rejected this theory on the grounds that using a phone's internet functions is not the type of phone use at issue in Section 632.7. See Hot Topic, Inc., 656 F.Supp.3d 1051, 1071 (C.D. Cal. 2023) (finding "Defendant's computer equipment, which connected with Plaintiff's smart phone to transmit and receive Plaintiff's chat communications" was outside the scope of CIPA 632.7).

Finally, CIPA Section 638.51, passed in 2015, punishes providers of electronic or wire communication services that install or use a pen register or a trap and trace device without first obtaining consent. There is scant case law on this theory and no indication of whether it will gain mainstream traction.

How Courts Approach CIPA 631 Claims:

Two lines of authority have emerged to deal with claims brought under CIPA Section 631:

1. If a third-party technology provider does not have the right to make independent use of the communications it records, it is a mere tool of the website operator and is protected by the "direct party" exception.

Under California law, a party cannot be held liable for wiretapping a conversation to which it was a party. This is the "direct party" exception. Under this first interpretation of Section 631, if a technology provider is limited to using data exclusively for the website owner and does not independently exploit it, the provider falls under the umbrella of the website owner and thus is shielded from liability under the party exception.

The concept is similar to agency—the technology provider serves as a mere extension of a direct party to the discussion. The technology provider loses that protection if it goes beyond its service to the website owner and exploits data for its own purposes. See, American Honda Motor Co., 2023 WL 7026931, 3 (N.D. Cal., Case No. 23-cv-01017-JSW, 2023) (dismissed because there was no inference that Salesforce could use communications for its own purposes when it simply ran a chat API from its servers to transcribe Honda's website communications in real-time). In these cases, the provider is protected because it is essentially acting as an extension of the website. Home Depot, 2023 WL 5615453, 7-8 (N.D. Cal., Case No. 23-cv-0995-JST, 2023) (dismissed in part because while Liveperson recorded, accessed, and analyzed chats to provide Home Depot customer data metrics, plaintiff did not allege Liveperson could use the data for any purpose besides relaying it to Home Depot).

Since the emergence of the recent trend of Section 631 litigation, this approach has been gaining steam and is a pragmatic method for reconciling the needs of modern e-commerce practices with the text of CIPA 631.

2. Regardless of independent use of the recorded communications, a provider violates Section 631 if the plaintiff proves the provider read or attempted to read non-record content¹ contained in the communications, while those communications were in transit.

Under this interpretation of section 631, the focus is not on the purpose for which the technology provider used the data, but rather on the more technical question of whether the technology provider intercepted and reviewed personal information in communications it received either before or simultaneously with the website provider. See J.C. Penney, 2023 WL 7006793, 8 (S.D. Cal., Case No. 23-cv-0981-BAS-DDL, 2023) (survived dismissal because plaintiff sufficiently plead Vergic read user messages when it duplicated chat conversations as they occurred, receiving the messages either before or simultaneously with JC Penney).

In this line of authority, courts often consider (1) whether the Provider read or attempted to read the communications, (2) whether substantive and confidential content was being communicated, and (3) whether the communications were intercepted en route to the website owner, and thus "tapped."

While some courts have adopted this mode of analysis, it is more difficult to reconcile with the realities of e-commerce given the vast number of sites that use data collection software providers and the difficulty of conforming that use to the confines of this legal approach.

Compliance Best Practices:

The first line of defense is to carefully scrutinize contracts with technology service providers in order to understand and regulate how they will use any data collected. Because the website owner is always shielded from direct liability under the direct party exception, its liability will come down to doctrines of vicarious liability, such as aiding and abetting and conspiracy. In that case, the ability to point to contracts and internal controls that require data collection and use to comply with CIPA will greatly aid in the website owner's defense.

Additionally, where feasible, a website should obtain consent to the website's data practices from users by conspicuously disclosing to them that third-party software is being used on the site. This is not always feasible, but in applications such as a chatbot or in conjunction with a consent to use cookies, it may be feasible to obtain consent. Where consent is sought, it is best to have the user click a button consenting to the data collection, or at the very least include language warning that if they continue using the site and/or chat, that further usage constitutes consent.

Be aware that consent cannot be retroactive, so the earlier consent is sought and obtained the stronger the defense will be. Again, the disclosure must be conspicuous to constitute inquiry notice and while courts consider implied consent, it can be difficult to establish at the motion to dismiss stage.

In jurisdictions that do not adopt an agency-like approach to the direct party exception, when possible deploy provider software to receive information from the website, not from the user. Ensuring the communications reach the website's servers first, before being copied by providers, eliminates the chance for it to be intercepted in-transit. Similarly, if it is feasible (and recognizing that it is not feasible for certain businesses), limit what providers are permitted to collect and record to non-substantive "record information."

Other Wiretap Laws to Be Aware Of:

Website owners need not only fear lawsuits in California courts but also federal and other state courts with similar wiretap laws. Much of CIPA 631 mirrors the federal Electronic Communications Privacy Act of 1986 (18 U.S.C. §§ 2510-2523) and all 50 states have laws governing the use of electronic surveillance and wiretapping.

Lawsuits are most common in states that, like California, require the consent of all parties to a communication before it can be recorded. These states include Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. The majority of non-CIPA wiretap claims are brought under the Pennsylvania Wiretapping and Electronic Surveillance Control Act (18 Pa.C.S. §§ 5701-5726), which does not have a party exception, Massachusetts' Mass. Gen. Laws Ch. 272, § 99, Illinois' 720 ILCS 5/14-1 et seq., or Washington's Wash. Rev. Code Ann. § 9.73.030, all of which can be avoided with conspicuous notice of the recording.

Preparation Now Can Prevent an Expensive Headache Later

Lawsuits under CIPA are increasingly prevalent, and it is unclear whether their proliferation will slow any time soon. Privacy is a real concern among web users, so it is important to comply with CIPA not only to avoid the expense of litigation but also to acknowledge website users' interests.

The safest route is to make changes to company websites so they are less likely to be targeted by plaintiffs' lawyers. Greenberg Glusker can advise you on how to structure your user interface to establish sufficient consent to provider recordings. And if you do end up facing a CIPA-related lawsuit, Greenberg Glusker's consumer claim defense attorneys can assist in investigating, responding to, and resolving claims under CIPA.

Footnote

1. Record information consists of simple identification and geolocation information. There is no consistent definition of non-record content, but recording all of a user's words and text typed (even if not fully entered), search terms, content viewed, and all other information related to a visit is often considered to include non-record content.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.