For business owners with an active website, you may already be the unknowing target of a lawsuit under California’s Invasion of Privacy Act. The 1967 California criminal statute was intended to protect Californians against wiretapping telephone calls but has recently been weaponized to attack websites.
Companies across the country have received demand letters or lawsuits alleging that their common website tracking tools designed to improve user experiences and advertising violate CIPA.
Here’s what you need to know.
Primary CIPA Theories
Plaintiffs commonly assert that website owners violate CIPA by illegally wiretapping the user’s communications with the website and even beyond the website, extending to the user’s broader internet activities, or by having the website surveil the user’s routing, addressing, or signaling information with a pen register or trap-and-trace device.
The Wiretap Provision. Plaintiffs often allege that a user’s interaction with a website, such as typing a word into the search bar, violates CIPA Section 631(a), which prohibits a third party from reading or attempting to read the contents of a message or communication while in transit. Plaintiffs contend that the communication gets “intercepted” by third party service providers without the user’s consent, with the website owner assisting and conspiring to achieve the illegal interception.
Pen Register and Trap-and-Trace Provisions. Plaintiffs also allege that websites with tracking tools that collect a user’s information, such as their IP address, constitute illegal “pen registers” or “trap and trace” devices, which are prohibited, absent a court order or some limited exceptions by CIPA Section 638.51.
Surging CIPA Claims
CIPA lawsuits filed by pro per plaintiffs such as Vivek Shah as well as plaintiffs’ law firms are surging. These lawsuits are very attractive for several reasons.
CIPA authorizes victims in civil actions to recover $5,000 per violation or three times actual damages, whichever is greater. Plaintiffs typically argue that each website visit constitutes a separate violation.
There also is uncertainty in the case law. Courts have reached inconsistent conclusions on key issues regarding how CIPA applies to websites, including on issues of consent, what constitutes the “contents” of a communication, and the meaning of “in transit.”
California state courts have increasingly rejected the theory that routine website tracking practices constitute illegal pen registers. California federal courts, in contrast, have been more willing to entertain such claims, at least at the pleading stage.
There are also inconsistencies as to what is required to establish “injury.” Although several courts have dismissed CIPA claims where plaintiffs failed to allege a concrete injury beyond merely the asserted statutory violation, especially those involving “tester” plaintiffs—a serial plaintiff who visits websites specifically to identify alleged violations to ensure legal compliance, in other words for purposes of litigation—other courts have concluded that an alleged violation of one’s privacy rights is sufficient to state a CIPA claim.
Another complex issue is whether California courts may exercise personal jurisdiction over out-of-state businesses whose only alleged connection to California is through their publicly accessible websites.
Although plaintiffs argue that collecting data from California users is enough, courts generally require something more than a passive website. In Briskin v. Shopify, Inc., the US Court of Appeals for the Ninth Circuit broadened jurisdiction by rejecting the “differential targeting” requirement, holding that an interactive website may expressly aim conduct toward California even when serving a nationwide audience. But Briskin didn’t find that a public website alone suffices.
Subsequent cases have distinguished Briskin, emphasizing that jurisdiction remains a fact-intensive inquiry instead of an automatic result of having an online presence, and confirming that many out-of-state defendants have strong personal jurisdiction defenses to CIPA claims filed in California.
The lack of clarity on these issues creates pressure for companies to settle cases early and out of court.
Moreover, Plaintiffs typically demand settlement amounts that are calculated to dissuade litigation. The demands are often low enough that fighting the allegations in court is more expensive than simply paying the settlement demand. Many companies are forced to make the unpleasant business decision of paying the demands rather than spending more on legal fees to win on the merits. CIPA website claims are inexpensive and easy to assert but can be costly to defend.
Takeaways for Businesses
As businesses are left navigating an unsettled and often inconsistent legal landscape, it’s important to consider the following:
- Learn your website. Know how your website operates and whether any tracking or other third-party tools are employed. Are they necessary and can the same result be achieved in a different way, without third-party review?
- Consent banners. Consider including a consent banner that appears on the website and obtains the user’s affirmative consent for the website to use data in the manner it does before any information is actually transmitted or intercepted. If a court determines that a user provided affirmative consent for the website’s use of its data prior to any information actually being transmitted, recorded, or intercepted, your business should have a strong defense.
- Evaluate contacts with California. Does your business sell or market to, or have any contacts with, California? If not, evaluate whether your business or anything on your website can be viewed as targeting California consumers.
- Monitor the evolving law on CIPA. The law on CIPA is evolving and inconsistent. Keep up to date with the latest decisions and developments.
The CIPA landscape is complex and continually evolving. It’s critical to consult experienced legal counsel to evaluate the considerations above and establish a strong and successful defense to threatened claims and lawsuits.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Sarah Miller is a litigation partner in Glaser Weil’s Newport Beach and Century City offices.
Elizabeth Sperling is a litigation partner in Glaser Weil’s San Diego office.
Write for Us: Author Guidelines
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.