As an onslaught of recent class actions allege, companies may be liable for eavesdropping and wiretapping based on the use of common analytics software on their platforms.

For instance, in California, plaintiffs have filed hundreds of lawsuits against a broad range of businesses, alleging that using common online software or technologies like chatbots and cookies on their websites without express consumer consent constitutes unlawful eavesdropping or wiretapping under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630, et seq. This 1967 law, enacted in the era of rotary telephones, is now being used to challenge the use of common third-party software that aids businesses in analyzing consumer activity and engagement with their websites. Because CIPA provides for statutory damages of $5,000 per violation, companies run the risk of significant exposure if CIPA claims are ultimately successful.

California courts have diverged in their approach to these CIPA cases: Courts following Graham v. Noom, 533 F. Supp. 3d 823 (N.D. Cal. 2021) and its progeny have required plaintiffs to plausibly allege that the third-party software (e.g., chatbot) provider uses purportedly intercepted information for its own purpose to support claims that the third-party provider is an unlawful eavesdropper. By contrast, courts relying on Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023) and related cases merely require plaintiffs to claim that the software provider has the capability for such use. The California Supreme Court has yet to decide the issue.

Across the country, the Massachusetts Supreme Court is poised to rule on whether the use of analytics software to collect website browsing activity constitutes eavesdropping under the Massachusetts Wiretap Act. The court recently heard oral argument in Vita v. New England Baptist Hospital, et al., Case No. SJC-13542, in which the plaintiff alleged that multiple companies unlawfully eavesdropped on her communications when she browsed the websites of several hospitals that used such software without obtaining consumer consent. Like California courts, the Massachusetts justices appeared particularly concerned that the hospitals could “sell” purportedly intercepted information to advertisers or otherwise profit from such information without the consent of the website visitors. A decision from the court is forthcoming.

Ultimately, state legislatures may need to weigh in on whether decades-old wiretap laws apply to modern communications technology. Until then, companies would be wise to provide explicit disclosures and obtain express consent when utilizing analytics software on their consumer-facing platforms.

This article is available in the Jenner & Block Japan Newsletter. / この記事はJenner & Blockニュースレターに掲載されています。

[View source.]