California: Strategies For Apps And Websites To Avoid Claims Under CIPA

Greenberg Glusker Fields Claman & Machtinger


Amid little clarity from courts, wiretap claims targeting the use of data analytics tools on websites are becoming increasingly common. Timothy J. Toohey and Alexis S. Anderson, from Greenberg Glusker Fields Claman & Machtinger LLP, discuss the background of such claims under the California Invasion of Privacy Act (CIPA) and provide best practices for staying compliant to avoid costly litigation.

CIPA

California's notoriously litigious environment has recently seen an outbreak of litigation arising from a seemingly unlikely source - CIPA, which is codified in the California Penal Code §§630-638.55 et seq. At first blush, CIPA would appear to be an unlikely avenue for lawsuits by plaintiffs against companies because it makes wiretapping a criminal offense subject to fines and imprisonment. But the private right of action afforded by this 1967 law - which was passed in the era of landline phones - and the applicability of the law's provisions to new technology have led to a tremendous increase in CIPA claims, particularly against online businesses using widely available third-party technologies on their websites.

CIPA claims

One reason for the outbreak of CIPA claims is the inventiveness of plaintiffs' attorneys seeking to formulate privacy-based claims. The landmark California privacy law, the California Consumer Privacy Act (CCPA), only affords a limited private right of action to sue companies. §1798.150 of the CCPA limits the private right of action to data breaches involving non-encrypted, non-redacted personal information. Moreover, the scope of such personal information that can give rise to a claim is further limited to traditional PII (and not the expanded scope of personal information under the CCPA), and such actions can only be based on the failure of a business to implement and maintain 'reasonable security procedures and practices.' Although plaintiffs have attempted to broaden the scope of such actions, they clearly cannot encompass lawsuits seeking to redress the violation of the full range of rights afforded to consumers under the CCPA for which there is no private right of action. For example, there is no private right of action for failing to provide an opt-out mechanism for the selling or sharing of personal information.

CIPA-based claims have leaped into the breach. Business use of a wide array of data-gathering and web analytic tools has been the target of such claims, which can arise either as standalone lawsuits or arbitrations or as purported class action claims. Both California State and Federal courts addressing the issues of these lawsuits have reached a striking variety of conclusions as to whether plaintiffs may bring CIPA claims in the context of technologies, such as tracking pixels, web beacons, and cookies, that are often provided to businesses by third-party service providers.

The risk from CIPA claims can run from paying a 'nuisance value' settlement to a plaintiff to arbitration procedures brought by numerous claimants seeking to exact leverage through piling filing fees on a defendant. Businesses who seek to fight CIPA claims on the merits also face significant risks because the inconsistent positions taken by California State and Federal courts may prevent a quick exit at the pleading stage. Online businesses must therefore be aware of the risks of CIPA claims and be diligent in reducing the risk of these claims arising from their use of third-party technology.

CIPA encompasses laws governing surveillance, law enforcement tools, the recording of phone conversations, and wiretapping. Although CIPA does not reference such technology, plaintiffs are increasingly using provisions within CIPA to sue website owners who use data-metric analytic and consumer communications technology on their websites, including chatbots, session replay, pixels, and cookies.

The most common CIPA claim is under the anti-wiretapping provision, §631(a), which prohibits conduct when a person or entity 'willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit' or who 'uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained.'

Although CIPA predates widespread use of the internet, some courts have held that §631(a) applies to internet communications (as opposed to telephone or mobile communications). One theory is that if a third party providing data collection or analytics tools receives user communications with a website, it is 'intercepting' communications between the website and customers, and thus wiretapping those communications. Under California law, the website owner is not directly liable for wiretapping, since it is a party to the conversation and cannot wiretap its own conversation, but the website owner can be held liable for aiding and abetting wiretapping by a third-party technology provider.

In addition to criminal penalties, the civil penalties for violating CIPA are $5,000 per violation, which provides an incentive to plaintiffs bringing potential class actions.

Plaintiffs are also using §632.7 of the CIPA, which prohibits the interception and recording of conversations in which at least one party was using a cordless or cellular phone, as a basis for lawsuits.

Some plaintiffs have also argued that the use of a chatbot that maintains a record of discussions with customers violates the two-party consent law if the customer was using a smartphone to conduct the chat. Most (but not all) courts have rejected this theory on the grounds that using a phone's internet functions is not the type of phone use at issue in §632.7 of the CIPA - see, for example, Arisha Byars v. Hot Topic, Inc. et al. (C.D. Cal. 2023) (finding 'Defendant's computer equipment, which connected with Plaintiff's smartphone to transmit and receive Plaintiff's chat communications' was outside the scope of §632.7).

Finally, §638.51 of the CIPA, passed in 2015, punishes providers of electronic or wire communication services that install or use a pen register or a trap and trace device without first obtaining consent. There is scant case law on this theory and no indication of whether it will gain mainstream traction.

How courts approach CIPA §631 claims

Businesses wishing to combat CIPA claims are confronted by contradictory authority that makes it challenging to obtain quick dismissal of a complaint at the pleading stage. New authority arises almost every month and it is not likely there will be clear appellate guidance on the horizon.

Two lines of authority have emerged to deal with claims brought under §631 of the CIPA: one turns on the 'direct party' exception, and the other on whether a service provider reads or allegedly reads substantive content contained in communications while in transit.

The 'direct party' exception

If a third-party technology provider does not have the right to make independent use of the communications it records, it is a mere tool of the website operator and is protected by the 'direct party' exception. Under California law, a party cannot be held liable for wiretapping a conversation to which it was a party. This is the 'direct party' exception. Some courts have found that if a service provider is limited to using data exclusively for the website owner and does not independently exploit it, the provider is an extension of the website owner and is thus shielded from liability under the direct party exception.

The concept is similar to agency; the technology provider serves as a mere extension of a direct party to the discussion. The technology provider loses that protection if it goes beyond its service to the website owner and exploits data for its own purposes - see Balletto v. American Honda Motor Co. (N.D. Cal., 2023) where the case was dismissed because there was no inference that the third-party service provider could use communications for its own purposes when it simply ran a chat API from its servers to transcribe Honda's website communications in real time. In these cases, the service provider is protected because it is essentially acting as an extension of the website and the business. The Swarts v. The Home Depot, Inc. (N.D. Cal., 2023) case was dismissed in part because while the third-party provider recorded, accessed, and analyzed chats to provide Home Depot customer data metrics, the plaintiff did not allege the provider could use the data for any purpose besides relaying it to The Home Depot.

Since the emergence of the recent trend of §631 of the CIPA litigation, this approach has gained some traction. However, there is no appellate authority that has adopted this approach and its adoption is not universal.

Reading or allegedly reading content contained in communications while in transit

Regardless of independent use of the recorded communications, a third-party service provider violates §631 of the CIPA if the plaintiff plausibly alleges the provider read or attempted to read substantive content contained in the communications, while those communications were in transit.

Under this interpretation of §631 of the CIPA, the courts have focused not on the purpose for which the third-party service provider used the data, but rather on the more technical question of whether the provider intercepted and reviewed substantive personal information in communications it received either before or simultaneously with the website provider. See, for example, D'Angelo v. J.C. Penney (S.D. Cal., 2023). This case survived a motion to dismiss because the plaintiff sufficiently alleged that the third-party service provider read user messages when it duplicated chat conversations as they occurred, receiving the messages either before or simultaneously with JC Penney.

In this line of authority, courts often consider whether:

  • the third-party service provider read or attempted to read the communications;
  • substantive and confidential content was being communicated; and
  • the communications were intercepted on their way to the website owner, and thus 'tapped.'

While some courts have adopted this mode of analysis, it is more difficult to reconcile with the realities of e-commerce given the vast number of sites that use third-party service providers. Indeed, one of the challenges in counseling on and handling CIPA claims is reconciling a statute that arose in the era of wiretapping landline phones with the use of technology on websites that seeks to provide owners with analytics and functionality for consumers using the website. There is a substantial disjunct between wiretapping a telephone call and a third party viewing the information of a user of a website that was facilitated by a third-party service provider. Although public policy concerns arise from the use of the CIPA in this context, without either appellate guidance or legislative action to restrict such claims, businesses must navigate uncertain waters.

CIPA compliance best practices

Given the uncertainty of the legal landscape, the first line of defense for businesses is to carefully scrutinize contracts with their website technology service providers in order to understand and regulate how they will use any data collected. As the website owner is shielded from direct liability under the direct party exception, its liability depends upon the doctrines of vicarious liability, such as aiding and abetting and conspiracy. The ability of a business to point to contracts and internal controls that require data collection and use to comply with the CIPA will greatly aid in the website owner's defense of a CIPA claim.

Additionally, where feasible, websites should conspicuously disclose to users that third-party software is being used on the site and obtain consent from them regarding the website's data practices. This is not always practicable, but in applications such as a chatbot or in conjunction with consent to use cookies, it may be feasible for a website to obtain consent. Where consent is sought, it is best to have the user click a button consenting to the data collection, or at the very least include language warning that if a user continues to use the site and/or chat, that further usage constitutes consent.

Businesses should be aware that consent cannot be retroactive, so the earlier consent is sought and obtained, the stronger the defense will be. Again, the disclosure must be conspicuous to constitute inquiry notice, and while courts may consider whether consent was implied, such a defense may be fact-intensive and difficult to establish at the motion to dismiss stage.

If practicable, a website owner should try to ensure that communications reach the website's servers first, before being copied by third-party service providers. This eliminates the chance for a communication to be intercepted in transit. Similarly, if it is feasible (and recognizing that it is not feasible for certain businesses), businesses should limit what providers are permitted to collect and record to non-substantive 'record information' and not to the substance of the communication.

Originally published by OneTrust DataGuidance
