The Proliferation of CIPA Wiretapping Lawsuits Targeting Chat Features and Tracking Technologies
Legal Basis for Lawsuits
These lawsuits generally rely on several federal and state laws. Federally, the Electronic Communications Privacy Act (ECPA) and the Video Privacy Protection Act (VPPA) are commonly cited. The ECPA restricts wiretapping and electronic eavesdropping, while the VPPA protects the privacy of video rental records. On the state level, the California Invasion of Privacy Act (CIPA) is frequently invoked and has been described as the new frontier of privacy litigation, alongside similar laws in Arizona, Pennsylvania, Florida, Illinois, and Massachusetts.
Chatbot Litigation
Chatbots and live chat features have become ubiquitous on websites, providing instant customer service and support. However, these tools have also become a focal point for legal scrutiny. Lawsuits in this area allege that user chat data is being accessed by the providers of chat tools to improve their services or train artificial intelligence (AI). This data processing, which often extends beyond the website owner’s intended functionality, raises the risk of litigation. For instance, a lawsuit against Peloton claims that its use of Drift’s chat service resulted in user messages being improperly shared with a third party, violating CIPA. This tsunami of lawsuits has prompted chat providers such as Drift to dedicate resources to explaining how best to navigate the challenge.
Session Replay Litigation
Session replay technology records user interactions on websites, allowing operators to understand user behavior and improve site functionality. However, this technology is also the subject of lawsuits claiming it enables third parties to “eavesdrop” on private interactions. These allegations suggest that session replays can be used for purposes like targeted advertising without user consent. In the case of Javier against Assurance IQ, LLC, the plaintiff argued that the website recorded interactions using JavaScript code without consent, violating CIPA.
Pixel Litigation
Pixels, small pieces of code embedded in websites, track user interactions and behaviors. Plaintiffs’ attorneys argue that these pixels collect data surreptitiously, posing a risk, particularly for websites of covered entities and business associates subject to HIPAA, as well as those offering health-related services. The Meta Pixel Healthcare Litigation case illustrates this issue, where plaintiffs allege that Meta Platforms Inc.’s use of Meta Pixel on healthcare provider websites violated CIPA and the ECPA. Even outside the healthcare and related “more sensitive” sectors, many “run of the mill” businesses are also being hit with pixel-based litigation. For example, the New York Times and its sports journalism brand, Athletic Media, were subject to a class action alleging that the New York Times violated the federal VPPA and the New York Video Consumer Protection Act by sharing consumers’ personally identifiable information via the trackers and related technologies present on the website. Closer to traditional video streaming, Paramount was hit with a lawsuit based on the VPPA alleging users’ video streaming selections were shared via Pixel.
“Pen Register” and “Trap and Trace” Litigation
These lawsuits involve technologies such as cookies, web beacons, pixels, scripts, and software code that monitor user activities like location, search queries, browsing, and purchase history. Such practices are argued to violate various privacy laws, both federal and state. A notable case is Jesse Cantu v. Geico Insurance Agency LLC, which may expand the application of the VPPA by considering digital data collection practices under the act’s scope. Of note, and as is expected for the “aggressively creative” plaintiffs’ bar in this predatory space, the VPPA, a federal statute aimed at protecting the privacy of people’s video rentals, has been repurposed by these lawyers to act as a foundation for lawsuits against website operators, including a recent case against the NBA.
Recent Decisions
Defendants subjected to these arguably frivolous shakedown-style demands, lawsuits, or arbitrations are in desperate need of reprieve from the courts by way of judges shutting down these vectors of attack, whether in the context of CIPA or other similar laws. There have been some welcome signs of such clarity, including the following cases:
- Gap Defeats Lawsuit Over Tracking Software in Marketing Emails: Gap Inc. defeated a proposed class action alleging it invaded consumers’ privacy through its use of marketing emails embedded with tracking technology provided by its partner Bluecore Inc.
- Massachusetts’ Top Court Rejects Privacy Arguments, Holds that Hospital Website Tracking is Not a Wiretap: In a recent decision, the Massachusetts Supreme Judicial Court held that the transfer of personal information via embedded tracking technology like a pixel from a hospital website does not constitute wiretapping under the state’s Wiretap Act.
- US Judge Certifies Class in Prudential Financial ‘Wiretap’ Suit: A federal judge granted class certification in a case alleging that Prudential Financial Inc. allowed third parties to intercept customer data without their consent. US District Judge Charles R. Breyer of the Northern District of California, in an order on Tuesday, sided with plaintiffs that Prudential’s privacy policy didn’t provide a reasonable person with notice of its web-tracking activities.
A Dynamic Litigation Risk Landscape
The rise of lawsuits and related mass arbitration targeting chat features, session replay technologies, pixels, and other tracking tools underscores the importance of robust privacy practices. Similar to ADA website compliance suits, these lawsuits are challenging to navigate and often involve significant legal risks. To mitigate these risks, businesses must understand the specifics of data sharing and processing with service providers, including via data processing agreements, ensure transparent privacy policies and related notices, and obtain clear user consent via a cookie banner. While some CIPA-type lawsuits have been dismissed, the legal landscape remains uncertain, and the plaintiffs’ bar continues to explore new theories of liability. As such, businesses must stay vigilant and proactive in their privacy and data security efforts to avoid costly litigation.