Collecting data from a California customer’s use of the chat feature on your website without first obtaining the customer’s permission may constitute a violation of Section 631(a) of the California Invasion of Privacy Act (“CIPA”).
Under the CIPA, it is illegal to record conversations unless everyone involved in the conversation consents first. In response to a violation of the CIPA, a California customer can bring a private cause of action. Recently, a number of class action lawsuits have been filed under the CIPA related to allegations that website operators are recording and sharing information gathered without permission from California customers who use the websites’ chat features. The plaintiffs in these cases allege that websites are embedding third party code into their websites that allows third parties to intercept or eavesdrop on customer’s webchats.
The impetus for these suits is the Ninth Circuit’s recent decision in Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022). In that decision, the Ninth Circuit held that obtaining user consent after collecting the customer’s personal information did not defeat wiretapping claims under the CIPA. Even though the issues in Javier did not involve the collection of information through a website’s chat feature, the plaintiffs in these webchat class actions argue that the holding in Javier requires website operators to obtain customer permission before recording or sharing information obtained through the website’s chat function. Plaintiffs’ lawsuits also include claims that web operators’ use of session replay software, which record the keystrokes, mouse clicks, and data entry of every visitor interaction on the website, also constitute violations of the CIPA.
Courts throughout the country are split on whether this type of data constitutes wiretapping. What is clear is that the law of data privacy is constantly evolving.