Class Actions Based on Third-Party Website Monitoring Technology Are on the Rise
Recently we have seen a slew of class action filings under the California Invasion of Privacy Act (CIPA). CIPA is an older privacy law, associated with eavesdropping and wire fraud, not to be confused with the California Consumer Privacy Act that became effective in 2020.
These recent CIPA claims rely on technological innovations that businesses appear to be using to improve internet analytics and tracking on their websites. There is a common fact pattern. The main defendant hires a technology company to track what website visitors are doing on the main defendant’s site. The technology platform runs its software in the website background to record users’ keystrokes, mouse clicks, and other site interactions. The platform allows its customers, like the main defendant, to replay a session of a user’s interaction, obtain details about the visitor (such as location, device, referral source), or potentially send targeted advertising.
Plaintiffs claim that the third-party platform’s recording constitutes an illegal wiretap. By hiring the technology platform, the main defendant allegedly aided and abetted this illegal activity. CIPA defines a wiretapping as “by means of any machine, instrument, contrivance, or in any other manner,” a party who:
(1) “intentionally taps, or makes any unauthorized connection” with a telephone wire, line cable, or instrument; or
(2) “willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or learn the contents or meaning of any message, report, or communication” while it is passing over any wire, line or cable or is being sent from or received at any place in the state; or
(3) “uses, or attempts to use … or to communicate in any way, any information so obtained”; or
(4) aids or conspires with someone to do any of 1, 2, or 3.
Defendants can also be liable for manufacturing, selling, and possessing eavesdropping devices. Courts have found that these rules are not limited to phone lines, but can also govern new technologies.
If these plaintiffs are successful, the penalties can be stiff. CIPA permits $5,000 in statutory damages per violation or three times the amount of actual damages, whichever is greater. Targets of these cases assert a variety of defenses such as a consent to recording or reviewing the information, the statute of limitations, and constitutional problems (like the impropriety of excessive fines). They also attempt to pick apart the statutory requirements. For example, that the technology platform was a direct party to the communications and couldn’t therefore eavesdrop, the technology does not fit within the statutory definition, and the defendants did not intercept or read the contents of any transmitted information.
A comprehensive privacy policy or affirmative consent seems to be the easiest way to defeat these claims, but they are not unbreachable walls. Companies should review their data collection procedures and their agreements with website visitors.
If you have any questions, contact your Payne & Fears attorney.