A recent wave of demand letters is causing significant legal risk for any business with a website with routine tracking technologies.
We have written in the past about plaintiffs’ attorneys demanding significant sums of money from companies by attempting to apply old non-technology laws like the Video Privacy Protection Act (“VPPA”) to modern internet technologies. We are now seeing a significant uptick in demand letters based on the California Invasion of Privacy Act (“CIPA”), an old wiretapping law being applied to modern technologies like website data collection in which a third party is involved. In addition to mandating the way websites disclose and collect a user’s information, CIPA also provides for a private right of action that is now being leveraged by plaintiffs’ firms and pro se litigants to quickly make money.
The classic CIPA demand letter includes threatened litigation based on a claim that the target’s website violates CIPA when the website uses third-party tracking tools (e.g., Meta Pixel, Google Analytics, session replay scripts) to collect and transmit users’ browser data to a third-party tracking tool. The claim typically alleges that the website captures a user’s activity on a website (e.g., clicks, searches, form fills) through the use of a third-party tracking tool that amounts to the third-party “eavesdropping” on such user’s browser activity, thus violating CIPA’s all-party consent rule. The financial exposure for these claims is $5,000 per violation, plus attorneys’ fees where available, which can add up quickly. Unfortunately, litigating these claims is often more expensive than settling.
Unfortunately, many website owners don’t understand or monitor the technical structure that underpins the attractive content on their website. The cookies and JavaScript associated with a website can change overnight when new versions of the website are pushed out. Analytics and marketing tools are easy to deploy, and most companies don’t consider the possible privacy- and CIPA-related ramifications. Any modification to a website requires attention to, and understanding of, the impact on the collection of browser data, how such collection must be properly configured and potential privacy implications.
The law in this area is inconsistent and developing, and the courts are calling for legislative assistance. The California legislature proposed two bills this past session attempting to clarify CIPA applicability and provide immunity for businesses using online tracking technologies for a “commercial business purpose”. Unfortunately, neither bill made it out of committee, which leaves a patchwork of decisions and no consistent guidelines for companies to follow. In the meantime, we recommend taking the following proactive steps to protect your company from CIPA demand letters:
- Know your technology. Whether programming is handled in-house or by a third-party vendor, ask questions about what data is collected and shared and with whom.
- Do not collect data without consent. Any data collection without consent is risky. Understand the risk and potential liability of collecting data without consent, particularly with regard to marketing and advertising tracking tools. A symmetrical cookie banner can be helpful in collecting consent before collecting browser data.
- Do not share data with a third party without consent. At least one California court has held that consent cannot be retroactive. Do not change your data collection practices and disclosures and apply those changes to data previously collected without obtaining explicit consent.
- Undertake ongoing cookie banner audits to avoid false positives. A false positive is when a visitor selects “deny all” in the cookie banner, the choice is ignored and data is collected. Companies should audit cookie banner functionality on a regular basis and across browsers.
- Work with your data privacy lawyers. Update your policies and work through your technology solutions with experienced counsel for accuracy, transparency and compliance.
