In an era of complex privacy regulation, many claims have been filed against companies alleging violations of antiquated statutes originally designed to prevent invasions of privacy in the pre-internet age. These statutes are now being applied to modern tracking technologies, presenting serious challenges for businesses with an online presence.
Ironically, in California, often viewed as a leader in privacy protection legislation, consumer protection law firms are pursuing claims against companies under a Cold War-era wiretapping law. Because the law has only recently been asserted to apply to online tracking tools, there is no appellate guidance interpreting its application.
Plaintiffs’ firms are taking advantage of the legal uncertainty. Given current laws, these claims are likely to persist for the foreseeable future, with significant implications for businesses.
Businesses of all sizes rely on technology with the hope of gaining an edge over their competition. Most companies with an online presence use marketing and tracking technologies such as cookies, web beacons, and pixels to gather data about their website visitors. These tools provide critical insights into website performance, customer behavior, and marketing effectiveness. According to the US Chamber of Commerce, 87% of small businesses report that technology platforms have improved their operational efficiency, underscoring the integral role of data in modern business operations.
However, the widespread use of these tools comes with legal risks. Embedded tracking technologies are often invisible to consumers, and many companies do not adequately disclose their use in privacy policies. This oversight has made businesses vulnerable to lawsuits by plaintiffs leveraging outdated privacy laws. For example, in Garcia v. Alo, the class action complaint alleged that although the company had a privacy policy and cookie notice, it failed to inform website visitors that pixels were being used to collect information during their visit.
California’s Invasion of Privacy Act is one of the key statutes driving these claims. Originally enacted in 1967 during a period of societal upheaval, including the Vietnam War and the space race, the CIPA was designed to prevent unauthorized eavesdropping on telephone communications. It imposes criminal and civil penalties, allows for actual damages and permits successful plaintiffs to recover attorneys’ fees.
In recent years, plaintiffs have argued that CIPA applies to website tracking technologies. They claim these tools violate privacy rights by capturing data without proper disclosure. Hundreds of lawsuits—ranging from class actions to individual claims—were filed, with some being directed to arbitration. Trial courts have issued conflicting rulings on whether CIPA applies to modern tracking technologies, leaving businesses in a state of uncertainty. Until appellate courts provide clear guidance, these claims will likely continue to proliferate.
Practical Guidance
At their core, these claims allege a lack of disclosure by businesses of their use of tracking tools. While many companies have robust privacy programs, disclosures that specifically disclose marketing, customer service (e.g. chat functions) and tracking tools are frequently overlooked in privacy notices.
To mitigate risk, businesses should prioritize a proactive approach to compliance. Here are key steps to consider:
- Companies should work with internal stakeholders, including technology and cybersecurity teams, to identify all tracking tools used on their websites and determine what data is being collected.
- Update privacy policies to include detailed disclosures about tracking technologies and the types of data being collected.
- Clearly inform website visitors about the use of tracking tools and obtain their consent where required.
- Stay on top of evolving case law and regulatory guidance to ensure ongoing compliance.
Until appellate courts clarify CIPA’s applicability to tracking technologies, robust disclosure remains the most effective way for businesses to safeguard against these claims. By taking proactive steps now, companies can minimize legal exposure while maintaining consumer trust.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author Information
David Piper is partner at Stradley Ronon Stevens & Young and focuses on commercial disputes, securities arbitration, privacy, cybersecurity, real estate, and bankruptcy.
Write for Us: Author Guidelines
To contact the editors responsible for this story:
Learn more about Bloomberg Law or Log In to keep reading:
See Breaking News in Context
Bloomberg Law provides trusted coverage of current events enhanced with legal analysis.
Already a subscriber?
Log in to keep reading or access research tools and resources.