In recent years, there has been a flurry of demand letters and lawsuits from plaintiffs alleging violations of the California Invasion of Privacy Act (CIPA), the state’s wiretap statute. Primarily targeting eCommerce websites, the plaintiffs typically allege that some third-party tool on the website, such as an AI chatbot feature, amounts to an unlawful interception of their communications, and that the website itself has aided the third party in the act.
The costs associated with these claims range from thousands of dollars for individual settlements, to millions in damages and attorneys’ fees from a class-action lawsuit. Understandably, executives and business owners would like to avoid the problem altogether. Here we’ll broadly go over the legal issues involved, as well as some steps you can take to reduce the likelihood of your business being targeted by one of these claims.
CIPA is a criminal statute meant to punish electronic eavesdropping on private communications. Among other things, CIPA prohibits anyone from reading the “contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable” without the consent of all parties to the communications. A violation is punishable by fines or even imprisonment, but also gives rise to a private right of action, meaning victims of unlawful wiretapping can sue the violator in civil court.
An eCommerce website operator may wonder what all of this has to do with them.
Consider, for example, an online retail website that uses a third-party “session replay” software which records users’ interactions with the site, such as where they move their cursor and how long they spend on each page. The recordings are stored on the third party’s cloud servers, where they can be accessed by the retailer.
Courts have interpreted such recordings to be the “contents” of a communication, and therefore protected from interception by CIPA. Since the retailer is a direct party to the communication, it cannot be considered to be intercepting the contents of that communication. The software provider, on the other hand, is a third party; it is considered to be “listening in” on the conversation. Because the retailer installed the software on its site, it is “aiding” the software provider in its interception of the communication.
If the retailer first obtains a visitor’s consent before using the software, there is no problem. If the retailer has not obtained a visitor’s consent, then it may have violated CIPA. (More on consent below.)
There are certain website tools that courts have already deemed to be intercepting the contents of private communications. Prominent among these are session-replay software, chat tools that use AI-driven chatbots, and keystroke-tracking software.
However, this should not be considered an exhaustive list. Anything that allows a third party to monitor visitors’ interactions with the site in real-time or to access the contents of other communications should be considered a potential interception under CIPA.
It is not necessarily unlawful to use these tools, but you must obtain site visitors’ consent first.
Unfortunately, judges’ interpretations of what kind of consent is required have not been especially clear and sometimes even conflict with each other. In one case, the court suggested that merely including a disclosure of the use of such tools in the site’s privacy policy is sufficient, provided there is a prominent link to the policy on every page.
In another case, the court stated that this is not enough and the website must provide more notice and perhaps require some affirmative action by the visitor to demonstrate acceptance of the terms.
So it seems website operators must, at the very minimum, include a disclosure in their privacy policy stating that they use tools that may allow third parties to monitor or access the contents of their communications or interactions with the website. Beyond that, it’s probably a good idea to bring more attention to the privacy policy, such as by adding a pop-up banner that requires visitors to click something to signal they understand they are accepting the site’s privacy policy by continuing to use the site.
An even more cautious approach would be to include the disclosure of the use of such tools in a consent dialog box, so the visitor must affirmatively consent before using any page or feature where the tools are in use.
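The consent-dialog approach described above can be enforced in the page itself rather than left to the privacy policy: the third-party monitoring scripts are simply not injected until the visitor has affirmatively opted in, and a refusal (or the absence of any recorded choice) keeps them off the page. The following gate is an added example written for this article; it is not code from the article's author or from TrueVault. The tool registry, the script URLs, the `monitoring-consent` storage key and the banner markup are all assumptions chosen for illustration.

```javascript
// Consent gate for third-party monitoring tools (session replay, AI chat, keystroke tracking).
// Nothing in the registry is loaded until an explicit opt-in is on record.

// Constructed sample registry; the URLs are placeholders, not real vendors.
const MONITORING_TOOLS = [
  { id: "session-replay", src: "https://replay.example/record.js" },
  { id: "ai-chat", src: "https://chat.example/widget.js" },
];

const CONSENT_KEY = "monitoring-consent"; // assumed storage key

class ConsentGate {
  // storage: any object with getItem/setItem (window.localStorage in a browser).
  // loadScript: function that injects a <script src> into the page.
  constructor({ tools, storage, loadScript }) {
    this.tools = tools;
    this.storage = storage;
    this.loadScript = loadScript;
    this.loaded = new Set();
  }

  // Consent is an explicit recorded "granted"; no record at all counts as "no".
  hasConsent() {
    return this.storage.getItem(CONSENT_KEY) === "granted";
  }

  // Record the affirmative choice, then load the tools. Returns the ids loaded now.
  grant() {
    this.storage.setItem(CONSENT_KEY, "granted");
    return this.activate();
  }

  // Record the refusal; nothing is loaded and later activate() calls stay inert.
  deny() {
    this.storage.setItem(CONSENT_KEY, "denied");
    return [];
  }

  // Load every registered tool exactly once, and only while consent is on record.
  activate() {
    if (!this.hasConsent()) return [];
    const newlyLoaded = [];
    for (const tool of this.tools) {
      if (this.loaded.has(tool.id)) continue;
      this.loadScript(tool.src);
      this.loaded.add(tool.id);
      newlyLoaded.push(tool.id);
    }
    return newlyLoaded;
  }
}

// In-memory stand-in for localStorage so the gate can be exercised outside a browser.
function makeMemoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => store.set(k, String(v)),
  };
}

// Browser-only wiring: inject the script tag and show a minimal opt-in banner.
function browserLoadScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

if (typeof document !== "undefined" && typeof localStorage !== "undefined") {
  const gate = new ConsentGate({
    tools: MONITORING_TOOLS,
    storage: localStorage,
    loadScript: browserLoadScript,
  });
  if (gate.hasConsent()) {
    gate.activate(); // returning visitor who already opted in
  } else if (localStorage.getItem(CONSENT_KEY) !== "denied") {
    const banner = document.createElement("div");
    banner.innerHTML =
      "This site uses session-replay and chat tools that let a third party " +
      "see your interactions. Allow them? " +
      '<button id="consent-yes">Yes</button> <button id="consent-no">No</button>';
    document.body.appendChild(banner);
    banner.querySelector("#consent-yes").onclick = () => { gate.grant(); banner.remove(); };
    banner.querySelector("#consent-no").onclick = () => { gate.deny(); banner.remove(); };
  }
}
```

The important design choice is the default: `hasConsent()` treats a missing record exactly like a refusal, so a visitor who never interacts with the banner is never recorded. Adding a tool means adding it to the registry, not sprinkling another vendor snippet into the page template where it would load unconditionally.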
It is reasonable to think that being compliant with the California Consumer Privacy Act (CCPA) would be enough to protect a business against this kind of wiretap lawsuit; however, that is not necessarily the case. Though they both deal with the same core issue (i.e., information privacy), CIPA is different enough that businesses should not assume that CCPA compliance will be sufficient.
The main reason for this is the issue of consent. The extensive privacy disclosures required by the CCPA may be enough to put the website visitor on notice in some circumstances. (In one case, a simple statement in the company privacy policy that read, “We may share your personal information with our agents, representatives, contractors and service providers” was found to be enough.)
However, it’s only sufficient if the visitor is deemed to have consented to those terms, and consent is typically not a requirement under the CCPA. Unless a business is selling or sharing the personal information of minors, the CCPA only requires a link to the privacy policy. As stated above, it’s just not clear that providing a privacy policy link is enough for CIPA purposes.
While being CCPA compliant is a great start to protecting your business against a California wiretap lawsuit, it would be wise to consider other measures to ensure you are obtaining site visitors’ consent before using any third-party tool that may be monitoring private communications or interactions.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.