If you do not know what a pixel is, you may have a problem and should read on. This article will explain the recent trend of “pixel litigation” and suggest some ways to help companies avoid liability and avoid becoming entangled in the web of class action litigation.
While it takes various forms in each case, plaintiffs are generally complaining about the use of plug-ins to track individual users’ internet activity. Most of these actions are filed in California federal courts pursuant to California state criminal law on eavesdropping, but some are filed based on other states’ similar laws. The prevalent claim in these types of cases is based on violations of California’s criminal Invasion of Privacy Act, Cal. Pen. Code §§ 631 & 632 (CIPA). Various related claims en vogue include California’s Computer Data Access and Fraud Act, Cal. Pen. Code § 502 (CDAFA), the U.S. Wiretap Act, 18 U.S.C. § 2510, et seq., as well as Illinois, Maryland, and Pennsylvania wiretapping and eavesdropping statutes and related state law claims of invasion of privacy, breach of contract, and the like.
Generally speaking, a “pixel” is used for tracking user behavior and collecting data about the users’ interactions with website content. A “plug-in” is a computer program that extends the functionality of an existing program, such as an internet browser. A related term with which many readers likely are familiar is a “cookie,” which is a small amount of data created by the website a user visits and saved by the user’s web browser.
Some alleged violations of California’s eavesdropping statute, CIPA, are based on plug-ins that send users’ personal data – such as name, address, browsing history, web server used, and other details (depending on the type of website the user visited) – not only to the website that the user chose to visit, but also, and unbeknownst to the user, to another third party website. That third party, in turn, uses the personal data it received for advertising, selling to other third parties, and other purposes of which the user may not know. See In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589, 596 (9th Cir. 2020).
Other alleged violations of CIPA are based on a tool that Meta developed called the “Meta Pixel.” Third-party web developers can install Meta Pixels on their websites. The Meta Pixel contains small amounts of JavaScript code that loads a library of functions that developers can use to track actions users take on their sites. These user actions are logged and sent to Meta, where developers can use and analyze the data. Meta then attempts to match the data to one of its users. The data collected through the Meta Pixel, as well as matched with data Meta already has on users, can be used for advertising activity. See In re Meta Pixel Tax Filing Cases, 2024 WL 1251350, 22-cv-07557-PCP, at *1-2 (Mar. 25, 2024).
Yet another variety of claims under CIPA involves websites’ use of chat features to engage in, record, and transcribe conversations with users. Plaintiffs allege that the third-party providers of the chat feature eavesdrop on the conversations between the users and the specific websites visited. See Byars v. Hot Topic, Inc., 656 F. Supp. 3d 1051 (C.D. Cal. 2023).
Pursuant to CIPA, the California Supreme Court has construed the statute as having three distinct and independent patterns of conduct: (1) intentional wiretapping, (2) willfully attempting to learn the contents or meaning of a communication in transit over a wire, and (3) attempting to use or communicate information obtained as a result of engaging in either of the previous two activities. Federal courts in California interpret the scope and meaning of CIPA in varying ways. This has caused plaintiffs’ lawyers to take advantage of the uncertainty in the state of the law by filing “tester” cases – plaintiffs repeatedly trying to find purported legal violations of various and sundry websites nationwide to assert claims under CIPA and other similar laws.
As to courts’ conflicting holdings, for example, in a California federal case from 2023, the court found that CIPA § 632.7 only applies to communications involving two telephones, and a chat feature on a website is not a telephone – even if it was accessed by the plaintiff’s cell phone device. However, in the same California federal district approximately two weeks earlier, another judge found that CIPA applies to internet communications. There are numerous other examples of inconsistent interpretations of CIPA, which leave website owners in a state of uncertainty and the law in flux.
Conclusion
Thus, if confronted with claims alleging violations of CIPA, website owners should investigate the particular facts in their situations and compare those facts with the specific facts in the existing published case law. There may be differences in the types of pixels the websites used, the level of sensitivity of personal information collected and shared, and the forms of notice and consent given by the users.
As proactive measures to try to avoid becoming a target of litigation, website owners should consider including a link to their privacy policy in their website cookie banner, whereby the prospective user may affirmatively consent to the privacy policy. While not required under U.S. data privacy laws, this type of control may dissuade tester plaintiffs from pursuing your business for alleged legal violations.
[View source.]
