California Invasion Of Privacy Act (CIPA) Decisions Continue To Create Uncertainty For Websites Using Third-Party Technology

Jurisdiction: California, United States
Law Firm: Goodwin Procter LLP
Subject Matter: Consumer Protection, Litigation, Mediation & Arbitration, Privacy, Technology, Data Protection, Class Actions, Dodd-Frank, Consumer Protection Act, Security
Author: W. Kyle Tayman and Collin Grier
Published date: 13 June 2023

The pace of internet consumer privacy class action litigation is skyrocketing. Remarkably, no specific legislative change in the law triggered the increase in litigation. Instead, the driver of this litigation explosion (in particular litigation under the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630, et seq.) follows two recent appellate court decisions involving whether a website's use of third-party technology can constitute an unlawful wiretap or eavesdropping under state law. The key issue lower courts at the federal and state level are grappling with following those decisions is how to treat third-party technology used by a website operator to enhance the consumer experience, such as session replay, keystroking, or chatbot technology. Courts consider whether the third-party technology provider is (a) a direct party to any communications or interactions by the consumer, (b) simply a tool used by the website operator, or (c) a third party that unlawfully intercepts such communications when not disclosed to the consumer. Courts addressing these issues are reaching opposing and divergent decisions, often on the same claims and technology, leading to uncertainty for companies.

The plaintiffs' bar, fueled by the potential recovery of high statutory damages that can reach $5,000 per violation, has seized on the opening provided by the appellate courts, filing dozens of consumer class actions, predominantly in California. The targets of these lawsuits are companies in almost any consumer-facing industry. For instance, clothing retailers, tire companies, financial institutions, and online jewelry retailers have all been targets. No industry or company is safe from being targeted until such time as there is clarity in the law. Until then, companies should learn the risks presented by these lawsuits and take affirmative steps to reduce their profile as potential targets.

Two Appellate Decisions Sparked the Wave of Litigation

The current spate of consumer class action privacy litigation follows two 2022 decisions from federal appellate courts. First, the Ninth Circuit held in Javier v. Assurance IQ, LLC, 2022 WL 1744107 (May 31, 2022), that consent to a website session recording technology cannot apply retroactively. In that lawsuit, the plaintiff alleged an unlawful wiretap over the session recording technology that helps companies protect against litigation abuse from the Telephone Consumer Protection Act (TCPA). The district court granted summary judgment because the consumer agreed to the website's terms of use (and consented to the use of the recording technology) when completing an online submission form. The Ninth Circuit overturned that decision, holding that the recording began as soon as the consumer visited the website, so her consent to that recording could not be captured later, after the fact.

Second, the Third Circuit's decision in Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121 (3d Cir. 2022) held that a party to a conversation can be liable for its own "interception" of (i.e., eavesdropping on) that conversation in violation of Pennsylvania's Wiretapping and Electronic Surveillance Control Act. The company in Popa used a third-party technology to track consumer interaction with the company's website. Plaintiff alleged this was an unlawful wiretap and interception. In overturning summary judgment in favor of defendants, the Third Circuit relied on a change in the law from a decade earlier by the Pennsylvania Legislature to hold that there was no longer a "party exception" to the statute's consent requirement for an interception, meaning that a website provider could be held liable for intercepting a communication where it is a party.

Following these decisions, enterprising plaintiffs' attorneys have sought to repurpose decades-old state wiretapping and eavesdropping statutes passed during the Cold War era (like CIPA) to generate claims arising from the use of 21st-century internet and website technologies intended to aid companies in enhancing the consumer experience. For example, a plaintiff in Maryland sued a prominent restaurant chain alleging violations of the Maryland Wiretapping and Electronic Surveillance Act, Md. Code Ann., Cts. & Jud. Proc. § 10-401, a 1970s-era statute, based on the alleged collection of her...
