- Womble Bond Dickinson attorneys examine state privacy claims
- Defendants should look for consent, terms of use, jurisdiction
The plaintiffs' bar is leveraging old wiretapping statutes to go after significant statutory damages as state privacy laws expand the definition of "personal information" to include back-end data collected by website tracking technology.
Whether responding to individual claims or class actions, companies and their legal advisers should take prompt action to map out the best approach based on their unique website, vendor contracts, and technology at issue.
In M.G. v. Therapymatch, a federal judge in California allowed plaintiff's claims under the California Invasion of Privacy Act and California Consumer Privacy Act to proceed against Therapymatch, a clearinghouse for mental-health services doing business as Headway. The company is accused of unlawfully intercepting personal information by using online tracking tools and of disclosing that information to Google.
This and similar cases prove that courts will allow CCPA claims to survive past the pleadings stage when a plaintiff alleges a company disclosed personal information without consent by failing to maintain reasonable security practices. This argument is rooted in the CCPA language granting California consumers a private right of action which isn't, in fact, limited to a stereotypical data breach—or at least not according to California courts.
After the pleading stage, it's up to a defendant to prove that the disclosure of information through online tracking technologies was in line with reasonable security procedures and practices under the CCPA or that the data involved wasn't "personal information" as defined under the data breach statute.
CIPA, meanwhile, allows statutory penalties of $5,000 per violation, or three times actual damages, whichever is greater. CIPA claims often look uniform and cookie-cutter, but business responses aren't, and investigations are fact intensive.
When faced with such claims, companies should:
Look for consent. Identify the business's relationship with the plaintiff (customer, intentional website visitor, other). Based on the relationship, determine when and how the business may have obtained consent for tracking. Did the plaintiff affirmatively acknowledge and accept the terms of use and privacy policy? Did the website include a functioning cookie banner with a link to the privacy policy? These questions aren't exhaustive but demonstrate essential fact-specific inquiries.
Review the terms of use. Do they include an enforceable arbitration clause and class action waiver? Arbitration typically provides for a private and expeditious manner of litigation. However, businesses pay the lion's share of arbitration fees, including upfront filing fees. Plaintiffs can leverage the upfront expense through mass arbitration filings. Some arbitration forums have developed rules to mitigate the burden of mass arbitration on businesses, but the rules differ across providers.
Consider whether the court has personal jurisdiction. This is when arbitration isn't an option. Case law on this defense is developing. For example, the US Court of Appeals for the Ninth Circuit is reviewing en banc an earlier decision that a district court lacked personal jurisdiction over privacy claims (including tracking technology) against Shopify.
Evaluate applicable contract language. Does the agreement include limitations on how personal information received by the online tracking technology vendor can be used? Restrictive contract language can shape an argument that the technology vendor is an extension of the business itself and not a third party to the communication or recording.
Consider flow of data and functionality of the technology. While not particularly helpful at the pleading stage, this goes to the heart of a case. What the plaintiff alleges may not be true. Expert opinions will be pivotal in defending on the merits, but an upfront evaluation helps shape a business's overall strategy on early resolution versus continued litigation.
Companies also should continue monitoring the space and implement risk-mitigation strategies. While there is an entire suite of such strategies, the following provide a reasonable foundation:
- Consider notice and consent strategies (as feasible or as required by privacy laws), including those specific to use and disclosure of personal information through online tracking technologies
- Remove descriptive headers and tags that could disclose personal information to third-party tracking tools
- Audit online tracking technologies and remove any tools not used or not crucial to the business
- Examine functionality and disclosures related to chatbots, session replays, and similar tools carefully
- Review terms of use to incorporate key provisions to reduce risk, such as limitation of liability, and arbitration
- Negotiate contractual restrictions and protections with third-party tracking vendors
- Update the company's privacy notice on an ongoing basis to accurately describe the personal information collected, used, and disclosed through tracking technologies
As privacy issues stay in the forefront for consumers and regulators, these privacy claims aren't going away any time soon. While the plaintiffs' bar creatively extends the applicability of (relatively) new and old privacy laws, companies can implement measures to reduce the likelihood of such claims brought against them or to have a better chance at the claims being dismissed in the early stages of litigation.
The case is M.G. v. Therapymatch, Inc., 2024 BL 324212, N.D. Cal., 23-cv-04422-AMO, 9/16/24.
Originally published by Bloomberg Law
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
