
Business Law Today

August 2024

California’s Invasion of Privacy Act: A New Frontier for Website Tracking Litigation

Jacqueline Wade Cooney, Damon D Eisenbrey, and Chesley S McLeod

Summary

  • Rising Legal Risks for Companies: Companies with websites accessed by California consumers are increasingly facing lawsuits and arbitration demands under the California Invasion of Privacy Act (CIPA), which imposes potential statutory damages of $5,000 per violation.
  • Plaintiffs’ Theory of Liability: Plaintiffs’ attorneys are leveraging the decades-old CIPA to circumvent the limitations of newer privacy laws, alleging that using website tracking technologies without obtaining user consent infringes on privacy rights.
  • Mixed Judicial Outcomes: Early court decisions, such as those in Licea v. Hickory Farms and Levings v. Choice Hotels, have produced mixed results, indicating ongoing legal uncertainty regarding whether tracking tools constitute unlawful “pen registers” and whether website visits inherently imply user consent.
  • Proactive Compliance Measures for Businesses: To mitigate risks, businesses should ensure compliance with state privacy laws, enhance transparency regarding the use of tracking technologies, consider implementing opt-in mechanisms for users, and remain vigilant against potential legal threats related to CIPA claims.

While the recent proliferation of comprehensive privacy laws enacted by at least eighteen states has dominated the news in the US, another development threatens to further impact companies operating websites accessed by California consumers—the recent wave of lawsuits and arbitration demands under the California Invasion of Privacy Act (CIPA).

Both large and small companies that operate websites California consumers visit have been receiving letters threatening litigation or arbitration. In many instances, these threats have materialized into actual lawsuits (including putative class actions) and arbitration proceedings. The CIPA allows for statutory damages of $5,000 per violation, which could pose significant financial risk to companies where claims of alleged violations are asserted on behalf of a class.

Why Are These Claims Being Filed Now?

The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), pioneered broad privacy rights for consumers in the United States. Following California’s lead, more than a dozen states have enacted similar comprehensive privacy laws. However, most of these state laws, including California’s, do not provide a private right of action for violations except for data breaches under the CCPA. Critics argue that without a private right of action, these laws lack the necessary enforcement mechanisms to ensure compliance. In response, plaintiffs’ attorneys in California have sought alternative legal strategies.

One such strategy involves invoking the CIPA, a decades-old criminal statute enacted in 1967 to prevent eavesdropping on telephone calls. This approach represents a novel attempt to bypass the limitations of the CCPA by leveraging a law designed for different circumstances, thus giving it a modern application in the digital age. A significant issue underlying these lawsuits is whether the use of cookies and other website tracking technologies by companies constitutes a violation of individuals’ privacy rights.

What Is the Basis for These Claims?

The new CIPA cases focus on the alleged unlawful use of website tracking technologies, such as cookies, pixels, tags, and beacons, to collect and use personal information of people who visit these websites. Many of the lawsuits and arbitration demands center around a few key arguments.

Website tracking technologies are alleged to be unlawful “pen registers.” Plaintiffs allege that tracking technologies are used to “record” a user’s interactions with websites, which amounts to the use of a “pen register” or “trap and trace” device (although the bulk of the claims and related court decisions have focused on the definition of pen register rather than trap and trace). These technologies capture information, such as IP addresses, when users visit or leave a website, thereby recording “dialing, routing, addressing, or signaling information” transmitted from a device but not the content of the communication. Such activities, plaintiffs argue, amount to illegal pen registers under the CIPA.

Using tracking technologies without consent allegedly violates users’ right to privacy. Under California law, it is prohibited to use a pen register or trap and trace device without either a court order or explicit consent from the person being tracked. Plaintiffs allege that when websites deploy tracking technologies without obtaining consent beforehand, it constitutes a violation of the CIPA.

A frequently cited case in these lawsuits is Greenley v. Kochava. In this case, the court denied the defendant’s motion to dismiss and rejected the argument that a privacy company’s surreptitiously embedded software did not constitute a “pen register.” The court sided with the plaintiff, asserting that when software identifies consumers, gathers data, and correlates that data through unique “fingerprinting,” it constitutes a “process” through which a pen register can be deployed.

Despite many plaintiffs’ heavy reliance on Greenley, it is important to note that this case is still pending and has not yet set a definitive precedent on these legal points. Moreover, the specifics of Greenley distinguish it from many other claims. Defendant Kochava, a data broker, provided software development kits (SDKs) to its customers, meaning the data in question was not collected directly through Kochava’s own website but through software deployed on customers’ websites. Consequently, users who visited these websites were arguably unaware of the Kochava SDK’s presence, differentiating these circumstances from those involving direct website tracking.

This distinction is critical: it suggests that recent claims against website operators may not be directly analogous to Greenley. The indirect nature of data collection in Greenley, compared to direct website tracking claims, underscores how much each CIPA case may turn on its specific facts.

Recent Case Developments

Some companies have opted to settle these CIPA claims rather than litigate them. However, it is crucial to understand that settling early with one claimant does not shield a company from subsequent similar claims and could have the unintended consequence of inviting future lawsuits by plaintiffs’ counsel. For those who have chosen to fight, preliminary rulings have been mixed, and no claim has yet been fully litigated to final judgment.

Two significant cases in this area are Licea v. Hickory Farms and Levings v. Choice Hotels, both in the Los Angeles County Superior Court and involving nearly identical claims regarding defendants’ use of website tracking technologies. These cases, filed by the same law firm, have seen divergent outcomes in their initial rulings.

In Licea, the court sustained Hickory Farms’ demurrer, concluding that the plaintiff failed to demonstrate the use of a “pen register.” The court distinguished this case from Greenley partly by disagreeing that tracking IP addresses was analogous to the unique digital “fingerprinting” involved in Greenley.

Conversely, in Levings, the court overruled Choice Hotels’ demurrer, finding that the defendant had “‘deployed a software device and process’ which first recorded the information transmitted by Plaintiff’s device, and then used that information to install tracking code on Plaintiff’s device.” The court found this sufficient to describe the use of a pen register as defined under California law.

A key difference between these cases is their treatment of consent and the argument that voluntarily visiting a website implies consent to the use of website tracking technologies, even if such technologies are considered pen registers.

In Licea, the court indicated that even if the tool used to capture user information qualified as a pen register, the argument that users implied consent by visiting the website—where an IP address may be voluntarily disclosed—was persuasive. The court referenced prior cases such as Heeger v. Facebook, Inc. and U.S. v. Forrester to support this view.

In contrast, the court in Levings rejected the notion that simply visiting a website constitutes implied consent to collection of information. The court stated that accepting this argument “would allow the exception to swallow the rule whole.”

Given that neither case has progressed to a final judgment, defendants in other suits face potentially contradictory rulings on two critical issues:

  • whether internet tracking tools qualify as pen registers
  • whether visiting a website constitutes consent for the collection of user information

In Licea, the court expressed concern about the broader implications of interpreting web tracking technologies as pen registers, which could render nearly every online entity a potential criminal violator. The court noted that “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such broad-based interpretation would potentially disrupt a large swath of internet commerce without further refinement as [to] the precise basis of liability.” This point is potentially a harbinger of the debate that will escalate as more restrictions on website data gathering are considered by the courts and legislatures.

The preliminary rulings in Licea and Levings highlight the complex and evolving nature of privacy litigation in California. Companies must stay informed and be proactive in managing their compliance with privacy laws to mitigate risks associated with these legal challenges.

What Can Companies Do Now, Even If They Haven’t Yet Received a Complaint or Arbitration Demand?

As courts continue to grapple with whether website tracking technologies qualify as pen registers and whether visiting a website implies consent for data collection, companies must proactively review their technology and compliance practices.

Many US state laws, starting with California, include specific rules regarding the notices companies must provide on their websites, how they can use consumers’ information, and how such information can lawfully be shared with third parties. Companies should begin by ensuring that their websites and notices (e.g., website privacy policies) comply with the various states’ data protection laws.

Beyond legal compliance, companies should assess whether they are truly transparent about their website tracking technologies. For instance, does the company’s privacy notice include comprehensive information about cookies and tracking technologies, including which ones are used and how users can block them or opt out?

If possible, companies should consider deploying an opt-in mechanism for tracking technologies for California users. One of the key considerations in the cited cases is whether visiting a website constitutes consent for data collection. By asking for explicit consent (i.e., an opt-in for tracking technologies like cookies), companies could potentially provide an affirmative defense against allegations that an unlawful pen register was deployed, as consent is an exception to the prohibition on the use of pen registers.

Regardless, companies should remain vigilant for threatening letters, demands for arbitration, and service of claims related to the CIPA. Plaintiffs’ firms do not appear to discriminate based on company size or industry. If a company operates a website in the US and California consumers visit it, it is a potential target.
