The Proliferation of CIPA Wiretapping Lawsuits Targeting Chat Features and Tracking Technologies
Legal Basis for Lawsuits
These lawsuits generally rely on several federal and state laws. Federally, the Electronic Communications Privacy Act (ECPA) and the Video Privacy Protection Act (VPPA) are commonly cited. The ECPA restricts wiretapping and electronic eavesdropping, while the VPPA protects the privacy of video rental records. On the state level, the California Invasion of Privacy Act (CIPA) is frequently invoked, alongside similar laws in Arizona, Pennsylvania, Florida, Illinois, and Massachusetts.
Chatbot Litigation
Chatbots and live chat features have become ubiquitous on websites, providing instant customer service and support. However, these tools have also become a focal point for legal scrutiny. Lawsuits in this area allege that user chat data is being accessed by the providers of chat tools to improve their services or train artificial intelligence (AI). This data processing, which often extends beyond the website owner’s intended functionality, raises the risk of litigation. For instance, a lawsuit against Peloton claims that its use of Drift’s chat service resulted in user messages being improperly shared with a third party, violating CIPA. This tsunami of lawsuits has prompted chat providers such as Drift to dedicate resources to explaining how best to navigate the challenge.
Session Replay Litigation
Session replay technology records user interactions on websites, allowing operators to understand user behavior and improve site functionality. However, this technology is also the subject of lawsuits claiming it enables third parties to “eavesdrop” on private interactions. These allegations suggest that session replays can be used for purposes like targeted advertising without user consent. In the case of Javier against Assurance IQ, LLC, the plaintiff argued that the website recorded interactions using JavaScript code without consent, violating CIPA.
Pixel Litigation
Pixels, small pieces of code embedded in websites, track user interactions and behaviors. Plaintiffs’ attorneys argue that these pixels collect data surreptitiously, posing a risk, particularly for websites of covered entities and business associates subject to HIPAA, as well as those offering health-related services. The Meta Pixel Healthcare Litigation case illustrates this issue, where plaintiffs allege that Meta Platforms Inc.’s use of Meta Pixel on healthcare provider websites violated CIPA and the ECPA. Even outside the healthcare and related “more sensitive” sectors, many “run of the mill” businesses are also being hit with pixel-based litigation. For example, the New York Times and its sports journalism brand, Athletic Media, were subject to a class action alleging that the New York Times violated the federal VPPA and the New York Video Consumer Protection Act by sharing consumers’ personally identifiable information via the trackers and related technologies present on the website.
“Pen Register” and “Trap and Trace” Litigation
These lawsuits involve technologies such as cookies, web beacons, pixels, scripts, and software code that monitor user activities like location, search queries, browsing, and purchase history. Such practices are argued to violate various privacy laws, both federal and state. A notable case is Jesse Cantu v. Geico Insurance Agency LLC, which may expand the application of the VPPA by considering digital data collection practices under the act’s scope. Of note, and as is expected for the “aggressively creative” plaintiffs’ bar in this predatory space, the VPPA is a federal statute aimed at protecting the privacy of people’s video rentals but has been repurposed by these lawyers to act as a foundation for lawsuits against website operators.
A Dynamic Litigation Risk Landscape
The rise of lawsuits and related mass arbitration targeting chat features, session replay technologies, pixels, and other tracking tools underscores the importance of robust privacy practices. Similar to ADA website compliance suits, these lawsuits are challenging to navigate and often involve significant legal risks. To mitigate these risks, businesses must understand the specifics of data sharing and processing with service providers, including via data processing agreements, ensure transparent privacy policies and related notices, and obtain clear user consent via a cookie banner. While some CIPA-type lawsuits have been dismissed, the legal landscape remains uncertain, and the plaintiffs’ bar continues to explore new theories of liability. As such, businesses must stay vigilant and proactive in their privacy and data security efforts to avoid costly litigation.