When we speak to clients about online privacy issues, they almost always mention the CCPA – California’s Consumer Privacy Act that regulates the collection and use of personal data. But unless they have already faced a lawsuit, pre-suit demand, or arbitration demand, our clients rarely mention the other four-letter California statute that has been the source of significant litigation over the past few years. And that’s CIPA – California’s Invasion of Privacy Act.
This may be old news for in-house and outside counsel who are well versed in data privacy issues, but almost all of the clients we talk to have never heard of CIPA before a claim is made. Accordingly, the goal of this article is to address in simple terms what these CIPA claims are, what risk they pose, and how companies can protect themselves.
CIPA is not new – it’s California’s eavesdropping statute and it has been on the books in the state since the 1960s. But creative plaintiffs’ lawyers have worked diligently in recent years to get CIPA applied in the online context and have had enough success that these cases can sometimes at least get past the dismissal stage. Focusing on web pixels and other tracking technologies, the plaintiffs’ bar first targeted large cyber companies like Facebook/Meta and Google, arguing that when their technologies were deployed on websites, these companies were “eavesdropping” on communications between a website visitor and the website. More recently, plaintiffs are going after the companies operating the websites, alleging that by deploying pixels that send information to companies like Meta, these companies are aiding and abetting the eavesdropping, thereby violating CIPA and entitling the plaintiff (and often a putative class) to statutory damages of up to $5,000 per violation. There are various defenses available to these sorts of claims, but many of the lawyers bringing these cases are willing to settle on an individual basis for less than the cost to get through the dismissal stage, meaning most cases end with a payment to the plaintiffs and no opportunity to defeat these claims on the merits.
Because these technologies are pervasive and quite useful from a marketing standpoint, many executives and corporate counsel are completely unaware that their companies are even using these technologies. Clients are sometimes adamant that these technologies are not in use, only to find out that they are. Indeed, sometimes these pixels are firing even if the marketing team is not using the data.
Clients also commonly ask why their privacy policies and cookie pop-ups are not enough to avoid legal demands. The answer has to do with how the pixels work. Pixels are different from cookies and often are launched the moment a visitor arrives on the website. Thus, the plaintiffs argue that the visitors have no actual notice of the collection practices or any opportunity to opt out (or even leave the site) because the data is already gone by the time they read the privacy policy.
So, what can companies do to mitigate CIPA risk?
1. Make sure you understand the technologies on your website. Web developers (internal or external) and marketing professionals often embed and use these sorts of tracking pixels on company websites without a second thought. Corporate counsel and risk managers need to make sure they understand what technologies are on company websites and how they are being used. And if they are there and not being used, get them removed.
2. Make sure you know what information is collected. Many providers brush off concerns by saying the data they collect is “anonymized.” Plaintiffs’ lawyers often disagree. Complaints and pre-litigation demands often allege that things like Facebook IDs, device IDs, and IP addresses are personal information for CIPA purposes.
3. Implement notice before the pixels launch. If you are using tracking pixels that collect any information that could be considered “personal,” implement a means of notice that occurs before the pixels fire. There are various ways to accomplish this, depending on how the website is built, but some possibilities include a full-screen pop-up before the home page, holding all pixels until someone navigates to a secondary page, or holding pixels until someone interacts with the cookie pop-up.
4. Consider geofencing. Because CIPA is a California statute, some companies have chosen to geofence traffic coming from California IP addresses and turn off pixels just for that state.
This should be a focus for all companies, not just companies specifically focused on data – claims have been pursued against companies of all types and sizes. And until a defendant is able to achieve a precedential ruling in one of these cases, plaintiffs’ lawyers are going to continue pursuing these claims.
[View source.]
