Best Practices For Apps & Websites To Avoid Claims Under The California Invasion Of Privacy Act (CIPA) – Privacy Protection

Amid little clarity from courts, wiretap claims
targeting the use of data analytics tools are becoming increasingly
common. Here are ways to stay compliant and avoid costly
litigation.

Doing business online has never been easier thanks to an almost
limitless array of data-gathering tools at companies’ disposal.
But as these technologies have become ubiquitous, their use has
become the target of consumer arbitrations and class action claims
based on wiretapping statutes that were passed long before online
business existed, including the California Invasion of Privacy Act
(CIPA). Online businesses must therefore be diligent to reduce the
risk of these claims arising from their use of third-party
technology to gather data on customer interactions.

In recent years, plaintiff firms have besieged online businesses
using wiretapping laws like CIPA. Unlike modern data privacy laws,
these older wiretapping laws allow users to sue online operators
who use third-party tools and services to collect user data without
the user’s knowledge. Courts have been inconsistent in applying
wiretapping laws to the use of these tools, but following these
best practices should reduce the risks posed by these increasingly
common lawsuits:

  • Consent: Obtain users’ express consent to
    data collection and use where possible.

  • Contracts: Ensure all provider agreements
    specifically state that the provider will collect the user data
    solely to fulfill its obligations to the site and will not share
    the data with other third parties nor exploit the data for its own
    use.

  • Route the Data Through You: Do not allow
    providers to receive user data directly, where they would be
    intercepting it before it reaches you, the intended recipient.
    Instead, route it through your business’ systems/servers first.

  • Limit the Content Recorded: Dismissal is more
    likely if your provider only records basic information (name,
    location) rather than interactions exposing more personal
    details.

Below, we further explore useful insights from the outcomes of
recent CIPA cases.

What to Know About the California Invasion of Privacy Act

CIPA includes a suite of privacy-related laws governing
surveillance, law enforcement tools, the recording of phone
conversations, and wiretapping. With increasing frequency,
plaintiffs are using provisions within CIPA to sue website owners
who use data-metric and consumer communications technology on their
websites, including chatbots, session replay, pixels, and
cookies.

The most common CIPA claim is under the wiretapping
provision, Section 631(a), which punishes a person who
“willfully and without consent of all parties to the
communication, or in any unauthorized manner, reads, or attempts to
read, or to learn the contents or meaning of any message, report,
or communication while the same is in transit” or who
“uses, or attempts to use, in any manner, or for any purpose,
or to communicate in any way, any information so
obtained.”

CIPA class actions proliferated after cases holding that CIPA
631(a) applies to internet communications. Plaintiffs argue that if
a third-party providing data collection or analytics tools receives
user communications with a website, it is “intercepting”
communications between the website and customers, and thus
wiretapping those communications. Under California law the website
owner is not directly liable for wiretapping, since it is a party
to the conversation and one cannot wiretap one’s own
conversation, but the website owner can be held liable for aiding
and abetting wiretapping by a third-party technology provider.

The civil penalties for violating CIPA are $5,000 per violation.
There are additional criminal penalties. The full text of CIPA,
Cal. Penal Code §§ 630 et seq., is available here.

CIPA 631 is not the only CIPA claim to be aware
of—plaintiffs are also utilizing CIPA Section 632.7,
which prohibits the interception and recording of conversations in
which at least one party was using a cordless or cellular
phone.

Some plaintiffs have argued that the use of a chatbot that
maintains a record of discussions with customers violates the
two-party consent law if the customer was using a smartphone to
conduct the chat. Most (but not all) courts have rejected this
theory on the grounds that using a phone’s internet functions
is not the type of phone use at issue in Section 632.7. See Hot
Topic, Inc., 656 F.Supp.3d 1051, 1071 (C.D. Cal. 2023)
(finding “Defendant’s computer equipment, which connected
with Plaintiff’s smart phone to transmit and receive
Plaintiff’s chat communications” was outside the scope of
CIPA 632.7).

Finally, CIPA Section 638.51, passed in 2015,
punishes providers of electronic or wire communication services
that install or use a pen register or a trap and trace device
without first obtaining consent. There is scant case law on this
theory and no indication of whether it will gain mainstream
traction.

How Courts Approach CIPA 631 Claims:

Two lines of authority have emerged to deal with claims brought
under CIPA Section 631:

1. If a third-party technology provider does not have
the right to make independent use of the communications it records,
it is a mere tool of the website operator and is protected by the
“direct party” exception.

Under California law, a party cannot be held liable for
wiretapping a conversation to which it was a party. This is the
“direct party” exception. Under this first interpretation
of Section 631, if a technology provider is limited to using data
exclusively for the website owner and does not independently
exploit it, the provider falls under the umbrella of the website
owner and thus is shielded from liability under the party
exception.

The concept is similar to agency—the technology provider
serves as a mere extension of a direct party to the discussion. The
technology provider loses that protection if it goes beyond its
service to the website owner and exploits data for its own
purposes. See, American Honda Motor Co., 2023 WL 7026931,
3 (N.D. Cal., Case No. 23-cv-01017-JSW, 2023) (dismissed because
there was no inference that Salesforce could use communications for
its own purposes when it simply ran a chat API from its servers to
transcribe Honda’s website communications in real-time). In
these cases, the provider is protected because it is essentially
acting as an extension of the website. Home Depot, 2023 WL
5615453, 7-8 (N.D. Cal., Case No. 23-cv-0995-JST, 2023) (dismissed
in part because while Liveperson recorded, accessed, and analyzed
chats to provide Home Depot customer data metrics, plaintiff did
not allege Liveperson could use the data for any purpose besides
relaying it to Home Depot).

Since the emergence of the recent trend of Section 631
litigation, this approach has been gaining steam and is a pragmatic
method for reconciling the needs of modern e-commerce practices
with the text of CIPA 631.

2. Regardless of independent use of the recorded
communications, a provider violates Section 631 if the plaintiff
proves the provider read or attempted to read non-record
content (see footnote 1) contained in the communications, while those
communications were in transit.

Under this interpretation of section 631, the focus is not on
the purpose for which the technology provider used the data, but
rather on the more technical question of whether the technology
provider intercepted and reviewed personal information in
communications it received either before or simultaneously with the
website provider. See J.C. Penney, 2023 WL 7006793, 8
(S.D. Cal., Case No. 23-cv-0981-BAS-DDL, 2023) (survived dismissal
because plaintiff sufficiently pleaded that Vergic read user messages when
it duplicated chat conversations as they occurred, receiving the
messages either before or simultaneously with JC Penney).

In this line of authority, courts often consider (1) whether the
provider read or attempted to read the communications, (2)
whether substantive and confidential content was being
communicated, and (3) whether the communications were intercepted
en route to the website owner, and thus tapped.

While some courts have adopted this mode of analysis, it is more
difficult to reconcile with the realities of e-commerce given the
vast number of sites that use data collection software providers
and the difficulty of conforming that use to the confines of this
legal approach.

Compliance Best Practices:

The first line of defense is to carefully scrutinize contracts
with technology service providers in order to understand and
regulate how they will use any data collected. Because the website
owner is always shielded from direct liability under the direct
party exception, its liability will come down to doctrines of
vicarious liability, such as aiding and abetting and conspiracy. In
that case, the ability to point to contracts and internal controls
that require data collection and use to comply with CIPA will
greatly aid in the website owner’s defense.

Additionally, where feasible, a website should obtain consent to
the website’s data practices from users by conspicuously
disclosing to them that third-party software is being used on the
site. This is not always feasible, but in applications such as a
chatbot or in conjunction with a consent to use cookies, it may be
feasible to obtain consent. Where consent is sought, it is best to
have the user click a button consenting to the data collection, or
at the very least include language warning that if they continue
using the site and/or chat, that further usage constitutes
consent.

Be aware that consent cannot be retroactive, so the earlier
consent is sought and obtained, the stronger the defense will be.
Again, the disclosure must be conspicuous to constitute inquiry
notice, and while courts consider implied consent, it can be
difficult to establish at the motion to dismiss stage.

In jurisdictions that do not adopt an agency-like approach to
the direct party exception, when possible deploy provider software
to receive information from the website, not from the user.
Ensuring the communications reach the website’s servers
first, before being copied by providers, eliminates the
chance for them to be intercepted in transit. Similarly, if it is
feasible (and recognizing that it is not feasible for certain
businesses), limit what providers are permitted to collect and
record to non-substantive “record information.”
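
One way to implement the two measures above, as an added illustration that is not part of the original article: a relay that runs on the website's own server, forwards events to a provider only after they have reached the site, and passes along only allow-listed record fields. The event shape, field names and consent record are assumptions, and withholding every event that predates consent is a conservative choice made for the example.

```javascript
// Added illustration: server-side relay deciding what a third-party provider receives.
// Event shape, field names and the consent record are assumptions, not from the article.

// "Record information" per the footnote: simple identification and geolocation.
const RECORD_FIELDS = new Set(["userId", "name", "city", "region", "country"]);

// Runs on the site's own server, after the event has already arrived there.
// Returns the payload the provider may receive, or null to withhold the event.
function buildProviderPayload(event, consent) {
  // Consent is not retroactive: only events received at or after the grant qualify.
  const consented = consent != null && consent.granted === true &&
    Number.isFinite(consent.grantedAt) && Number.isFinite(event.receivedAt) &&
    event.receivedAt >= consent.grantedAt;
  if (!consented) return null;

  const payload = {};
  for (const [key, value] of Object.entries(event.fields || {})) {
    // Allow-list rather than deny-list: chat text, search terms and partially
    // typed input are dropped by default because they are never named here.
    if (RECORD_FIELDS.has(key) && ["string", "number"].includes(typeof value)) {
      payload[key] = value;
    }
  }
  return Object.keys(payload).length > 0 ? payload : null;
}

// Split a batch into what is forwarded and which event ids are withheld.
function relay(events, consent) {
  const forwarded = [];
  const withheld = [];
  for (const ev of events) {
    const payload = buildProviderPayload(ev, consent);
    if (payload) forwarded.push(payload);
    else withheld.push(ev.id);
  }
  return { forwarded, withheld };
}

// Constructed sample data (timestamps are arbitrary integers).
const SAMPLE_CONSENT = { granted: true, grantedAt: 1000 };
const SAMPLE_EVENTS = [
  { id: "e1", receivedAt: 900, fields: { name: "A. User", city: "Fresno" } },
  { id: "e2", receivedAt: 1100,
    fields: { name: "A. User", city: "Fresno", chatText: "where is my order?" } },
  { id: "e3", receivedAt: 1200, fields: { searchTerm: "refund policy" } },
];
```

In the sample batch, e1 is withheld because it predates consent, e3 because it carries only non-record content, and e2 is forwarded without its chat text.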

Other Wiretap Laws to Be Aware Of:

Website owners should be wary of lawsuits not only in California courts
but also in federal and other state courts with similar wiretap laws.
Much of CIPA 631 mirrors the federal Electronic Communications
Privacy Act of 1986 (18 U.S.C. §§ 2510-2523) and all 50
states have laws governing the use of electronic surveillance and
wiretapping.

Lawsuits are most common in states that, like California,
require the consent of all parties to a communication before it can
be recorded. These states include Connecticut, Florida, Illinois,
Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire,
Pennsylvania, and Washington. The majority of non-CIPA wiretap
claims are brought under the Pennsylvania Wiretapping and
Electronic Surveillance Control Act (18 Pa.C.S. §§ 5701-5726), which does
not have a party exception, Massachusetts’ Mass. Gen. Laws Ch. 272, § 99,
Illinois’ 720 ILCS 5/14-1 et seq., or Washington’s
Wash. Rev. Code Ann. § 9.73.030, all of
which can be avoided with conspicuous notice of the recording.

Preparation Now Can Prevent an Expensive Headache Later

Lawsuits under CIPA are increasingly prevalent, and it is
unclear whether their proliferation will slow any time soon.
Privacy is a real concern among web users, so it is important to
comply with CIPA not only to avoid the expense of litigation but
also to acknowledge website users’ interests.

The safest route is to make changes to company websites so they
are less likely to be targeted by plaintiffs’ lawyers.
Greenberg Glusker can advise you on how to structure your user
interface to establish sufficient consent to provider recordings.
And if you do end up facing a CIPA-related lawsuit, Greenberg
Glusker’s consumer claim defense attorneys can assist in
investigating, responding to, and resolving claims under CIPA.

Footnote

1. Record information consists of simple identification
and geolocation information. There is no consistent definition of
non-record content, but recording all of a user’s words and
text typed (even if not fully entered), search terms, content
viewed, and all other information related to a visit is often
considered to include non-record content.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
