It’s an increasingly common scenario playing out at hundreds of businesses: A letter arrives from an attorney alleging that you’ve violated the California Invasion of Privacy Act (CIPA) by allowing third parties to intercept the online communications of your website visitors. The letter may use inflammatory terms like “spyware” and “highly offensive,” but it ultimately comes down to one thing: They want money.
While most businesses choose to quickly settle these complaints, the best strategy of course is to avoid them in the first place. Here is a quick summary of CIPA and how to protect your business from these expensive lawsuits.
The California Invasion of Privacy Act is a Cold War-era law meant to protect people from unauthorized wiretapping. Though the law was passed in 1967, well before the advent of the internet, enterprising plaintiff’s attorneys have had success applying it to the online collection of information. It is a lucrative area of practice because, unlike privacy laws such as the California Consumer Privacy Act (CCPA) that were actually written with online data collection in mind, CIPA includes a private right of action and provides for statutory damages of $5,000 per violation.
For most consumer-facing businesses, the complaints allege that the business aided a third party in reading or learning the contents of a communication while in transit over any wire, line, or cable, without the consent of all parties. The third party in these situations is generally third-party software installed on the website, such as a chatbox, session replay tool, or tracking pixel.
For example, if a business has a chat feature on its website hosted by a third-party vendor, the contents of those chats likely pass through the vendor’s servers, and this technically could be considered an interception of the communications to which the user has not consented.
Another branch of CIPA claims that is growing in popularity is to allege violations of the law’s “pen register” and “trap and trace” provisions. Pen registers and trap-and-trace devices were used to capture information about outgoing and incoming phone calls. The new wave of CIPA lawsuits alleges that certain software development kits (SDKs) act analogously to these devices by collecting information such as geolocation and IP address and using it to “fingerprint” website visitors.
Either way, the prevention strategies are largely the same.
The first and best strategy for avoiding a CIPA lawsuit is to get consent from website visitors for any data practice that might fall under the law. Bearing in mind that court decisions have not produced a uniform set of rules as to what constitutes valid consent under CIPA, here are a few helpful guidelines.
If the data practice is disclosed to the website visitor in advance and with sufficient detail (i.e., informing them as to what data may be disclosed, for what purposes, and to which third parties), and the visitor continues to use the website anyway, they will likely be deemed to have impliedly consented to that data practice.
That isn’t to say that express (opt-in) consent has no place in CIPA compliance. Express consent is much clearer and you should consider implementing it in higher-risk areas. For example, adding a consent checkbox to a chat feature offers additional protection.
Critically, the visitor must be able to give consent (express or implied) before the data processing takes place. Many of the technologies at issue, such as session replay software and targeted advertising, rely on cookies set, or tracking pixels loaded, in the visitor’s browser. These typically fire the moment the page loads, before the visitor has had any chance to read a notice, so consent collected afterward may be invalid.
Example: A website shows a pop-up notice informing the visitor that it uses tracking cookies for advertising. If the visitor decides they don’t like that and immediately navigates away from the website, the advertising cookies have been placed on their device anyway, because the tracking script ran on page load. The visitor cannot be said to have consented to the use of those cookies.
It is likely because of this that CIPA complaints focused on cookies and tracking pixels have become more common. For businesses looking to increase their protection from CIPA lawsuits, a GDPR-style cookie-consent banner should help, provided it actually blocks the third-party scripts until the visitor accepts. A banner that merely displays a notice while the trackers load underneath it does not solve the timing problem.
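The timing problem described above, turned into a concrete mechanism. The following JavaScript is an added example written for this article, not TrueVault’s or any vendor’s code. It registers third-party scripts (the vendor URLs and the `site_consent` cookie name are placeholders) but does not inject them into the page until the visitor clicks accept; a stored refusal keeps them out on later visits, and a stored acceptance loads them immediately. The gate itself is DOM-free so it can be checked outside a browser.

```javascript
// Consent-gated loading of third-party scripts. Added example, not code from
// TrueVault or any vendor; the cookie name and vendor URLs are assumptions.
// The point: nothing from the vendor reaches the browser (and no vendor cookie
// is set) until the visitor opts in, so consent precedes the processing.

const CONSENT_COOKIE = "site_consent"; // assumed first-party cookie recording the choice

function createConsentGate({ loadScript, readCookie, writeCookie }) {
  const scripts = [];                        // every registered third-party script
  let consent = readCookie(CONSENT_COOKIE);  // "granted", "denied" or undefined

  function load(entry) {
    if (!entry.loaded) {
      loadScript(entry.url);
      entry.loaded = true;
    }
  }

  return {
    // Register a vendor script. It loads now only if consent was already recorded.
    // Returns true if it was loaded immediately, false if it is held back.
    register(name, url) {
      const entry = { name, url, loaded: false };
      scripts.push(entry);
      if (consent === "granted") load(entry);
      return entry.loaded;
    },
    // "Accept" button: persist the choice, then release everything held back.
    grant() {
      consent = "granted";
      writeCookie(CONSENT_COOKIE, consent);
      scripts.forEach(load);
    },
    // "Reject" button: persist the choice; held-back scripts are never loaded.
    deny() {
      consent = "denied";
      writeCookie(CONSENT_COOKIE, consent);
    },
    // For auditing: what has and has not been loaded.
    status() {
      return {
        consent,
        loaded: scripts.filter((s) => s.loaded).map((s) => s.name),
        pending: scripts.filter((s) => !s.loaded).map((s) => s.name),
      };
    },
  };
}

// Real-browser adapters; the gate above is DOM-free so it can also be unit tested.
function browserAdapters() {
  return {
    loadScript(url) {
      const s = document.createElement("script");
      s.src = url;
      s.async = true;
      document.head.appendChild(s);
    },
    readCookie(name) {
      const m = document.cookie.match(new RegExp("(?:^|; )" + name + "=([^;]*)"));
      return m ? decodeURIComponent(m[1]) : undefined;
    },
    writeCookie(name, value) {
      // First-party cookie holding only the consent choice; one year, Lax, HTTPS only.
      document.cookie =
        name + "=" + encodeURIComponent(value) + "; Max-Age=31536000; Path=/; SameSite=Lax; Secure";
    },
  };
}

// Page wiring (runs only in a browser). Vendor URLs are placeholders, not real endpoints.
if (typeof document !== "undefined") {
  const gate = createConsentGate(browserAdapters());
  gate.register("chat", "https://vendor.example/chat-widget.js");
  gate.register("replay", "https://vendor.example/session-replay.js");
  document.getElementById("consent-accept")?.addEventListener("click", () => gate.grant());
  document.getElementById("consent-reject")?.addEventListener("click", () => gate.deny());
}
```

To verify a deployment, open the page in a fresh private window, do not interact with the banner, and inspect the Cookies and Network panels in the browser’s developer tools: no request to the vendor domain and no vendor cookie should appear until after acceptance. Scripts that a tag manager fires on page load, or that are hard-coded in a static `<script>` tag, bypass this gate and have to be moved behind it.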
Consent is only valid if it is informed consent. That means you have to let website visitors know how their personal information is being collected and disclosed to outside parties, which in turn means creating a data map.
Data maps are the foundation of privacy compliance. They require a systematic review of how your business handles personal data, for the purpose of identifying (at a minimum):
With this information in hand, it should be relatively simple to create the privacy disclosures required to get informed consent from website visitors.
When it comes to implied consent, while it’s possible that simply posting everything in a privacy policy passes legal muster for putting website visitors on notice, it’s a somewhat risky strategy. Remember, the point is not to win a legal argument in a lawsuit, but to avoid any CIPA demand letters altogether.
A safer strategy is to draw website visitors’ attention to any processing activities that could otherwise be used as the basis of a CIPA lawsuit. For example, an informational pop-up banner that informs visitors that their activity or personal information may be disclosed to or processed by third parties (along with a link to the privacy policy) can likely increase your business’s level of protection without being too intrusive for regular website visitors.
Similarly, just-in-time notices that consumers will see before interacting with certain higher-risk technologies are also a good idea. For example, chatboxes have been the target of many CIPA lawsuits; placing a disclosure within that tool stating that chats are processed by a third party is likely sufficient to put users on notice.
Most CIPA lawsuits are opportunistic in nature, with attorneys and their clients looking to make easy money. By posting conspicuous notices in the right places and requesting opt-in consent where necessary, you can make your business a far less attractive target.
TrueVault is a comprehensive privacy platform that manages compliance with data privacy laws from across the globe. Build your data map, post privacy notices, create a cookie-consent banner, and more, all in as little as a few hours.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.