The Proliferation Of CIPA Wiretapping Lawsuits Targeting Chat Features And Tracking Technologies

Privacy Law Harry Richt August 1, 2024

Contents show

As digital technologies evolve, so does the complexity of privacy and data security laws and, by extension, the ways aggressive plaintiff’s lawyers seek to make money. Recently, there’s been a surge in wiretapping lawsuits targeting websites and applications that use chat features, session replay technologies, pixels, and various tracking tools. These lawsuits often revolve around claims of unauthorized data collection and privacy violations. Below, we discuss the primary areas of litigation and the legal bases for these claims.

Legal Basis for Lawsuits

As illustrated in our guide to CIPA, other technology-based and related pixel litigation, these lawsuits generally rely on several federal and state laws. At the federal level, the Electronic Communications Privacy Act (ECPA) and the Video Privacy Protection Act (VPPA) are commonly cited. The ECPA restricts wiretapping and electronic eavesdropping, while the VPPA protects the privacy of video rental records. On the state level, the California Invasion of Privacy Act (CIPA) is frequently invoked. It has been described as the new frontier of privacy litigation, alongside similar laws in Arizona, Pennsylvania, Florida, Illinois, and Massachusetts.

Chatbot Litigation

Chatbots and live chat features have become ubiquitous on websites, providing instant customer service and support. However, these tools have also become a focal point for legal scrutiny. Lawsuits in this area allege that user chat data is being accessed by the providers of chat tools to improve their services or train artificial intelligence (AI). This data processing, which often extends beyond the website owner’s intended functionality, raises the risk of litigation. For instance, a lawsuit against Peloton claims that their use of Drift’s chat service resulted in user messages being improperly shared with a third party, violating CIPA. This tsunami of lawsuits has prompted chat providers such as Drift to dedicate resources explaining how to best navigate the challenge.

Session Replay Litigation

Session replay technology records user interactions on websites, allowing operators to understand user behavior and improve site functionality. However, this technology is also the subject of lawsuits claiming it enables third parties to “eavesdrop” on private interactions. These allegations suggest that session replays can be used for purposes like targeted advertising without user consent. In the case of Javier against Assurance IQ, LLC, the plaintiff argued that the website recorded interactions using JavaScript code without consent, violating CIPA.

Pixel Litigation

Pixels, small pieces of code embedded in websites, track user interactions and behaviors. Plaintiffs’ attorneys argue that these pixels collect data surreptitiously, posing a risk, particularly for websites of covered entities and business associates subject to HIPAA, as well as those offering health-related services. The Meta Pixel Healthcare Litigation case illustrates this issue, where plaintiffs allege that Meta Platforms Inc.’s use of Meta Pixel on healthcare provider websites violated CIPA and the ECPA. Even outside the healthcare and related “more sensitive” sectors, many “run of the mill” businesses are also being hit with pixel-based litigation. For example, the New York Times and its sports journalism brand, Athletic Media, were subject to a class action alleging that the New York Times violated the federal VPPA and the New York Video Consumer Protection Act by sharing consumers’ personally identifiable information via the trackers and related technologies present on the website. Closer to traditional video streaming, Paramount was hit with a lawsuit based on the VPPA alleging users’ video streaming selections were shared via Pixel.

“Pen Register” and “Trap and Trace” Litigation

These lawsuits involve technologies such as cookies, web beacons, pixels, scripts, and software code that monitor user activities like location, search queries, browsing, and purchase history. Such practices are argued to violate various privacy laws, both federal and state. A notable case is Jesse Cantu v. Geico Insurance Agency LLC, which may expand the application of the VPPA by considering digital data collection practices under the act’s scope. Of note, and as is expected for the “aggressively creative” plaintiff’s bar in this predatory space, the VPPA is a federal statute aimed at protecting the privacy of people’s video rentals but has been repurposed by these lawyers to act as a foundation for lawsuits against website operators, including a recent case against the NBA.

Recent Decisions

Defendants subjected to these arguably frivolous shakedown-style demands, lawsuits, or arbitrations are in desperate need of reprieve from the courts by way of judges shutting down these vectors of attack, whether in the context of CIPA or other similar laws. There have been some welcoming signs of such clarity, including the following cases:

Gap Defeats Lawsuit Over Tracking Software in Marketing Emails: Gap Inc. defeated a proposed class action alleging it invaded consumers’ privacy through its use of marketing emails embedded with tracking technology provided by its partner Bluecore Inc.
Massachusetts’ Top Court Rejects Privacy Arguments, Holds that Hospital Website Tracking is Not a Wiretap: In a recent decision, the Massachusetts Supreme Judicial Court held that the transfer of personal information via embedded tracking technology like a pixel from a hospital website does not constitute wiretapping under the state’s Wiretap Act.
US Judge Certifies Class in Prudential Financial ‘Wiretap’ Suit: A federal judge granted class certification in a case alleging that Prudential Financial Inc. allowed third parties to intercept customer data without their consent. US District Judge Charles R. Breyer of the Northern District of California in an order on Tuesday sided with plaintiffs that Prudential’s privacy policy didn’t provide a reasonable person of notice of its web-tracking activities.

A Dynamic Litigation Risk Landscape

The rise of lawsuits and related mass arbitration targeting chat features, session replay technologies, pixels, and other tracking tools underscores the importance of robust privacy practices. Similar to ADA website compliance suits, these lawsuits are challenging to navigate and often involve significant legal risks. To mitigate these risks, businesses must understand the specifics of data sharing and processing with service providers, including via data processing agreements, ensure transparent privacy policies and related notices, and obtain clear user consent via a cookie banner. While some CIPA-type lawsuits have been dismissed, the legal landscape remains uncertain, and the plaintiffs’ bar continues to explore new theories of liability. As such, businesses must stay vigilant and proactive in their privacy and data security efforts to avoid costly litigation.

Additional Legal Developments Re: CIPA, Wiretapping, & Similar Cases

Dressing Old Laws in Class Action Suits: Applying Anti-Wiretapping Laws to AI Transcription Services: An increasing number of class action lawsuits are targeting AI transcription services by invoking decades-old anti-wiretapping statutes, such as the federal Wiretap Act and state-level laws like California’s CIPA and Pennsylvania’s Wiretap Act. Plaintiffs allege that using AI or software to record and transcribe conversations without explicit consent constitutes illegal interception. Recent lawsuits reveal significant legal uncertainty, as courts wrestle with whether modern AI-driven tools fit the statutory language, and with divergent rulings across jurisdictions. These cases highlight growing litigation risks for companies deploying AI-powered communications technology under privacy laws never designed for automated or transcriptional analysis—making compliance and user notice critical until clearer guidance emerges from courts or legislators.
Read More →
Ninth Circuit Upholds Converse’s Win in CIPA Chat Case: What the Gutierrez v. Converse Decision Means for Online Businesses: The Ninth Circuit Court of Appeals issued an unpublished opinion in Gutierrez v. Converse Inc., affirming summary judgment in favor of Converse. The decision provides important guidance on the evidentiary standards required in CIPA cases involving internet-based communications, while leaving open key questions about the statute’s reach in the digital age. Read More →
Bloomingdale’s Customer Revives Website Tracking Suit on Appeal: A federal appeals court restored a consumer’s proposed class action alleging that Bloomingdale’s LLC
used “session-replay” surveillance technology on its website to collect consumers’ personal information in violation of the California Invasion of Privacy Act. Read More →
Businesses Get Big Privacy Win in Tester Plaintiffs’ Wiretapping Case: 3 Key Takeaways: In a big win for businesses, a California federal court just held that a “tester” plaintiff – someone who visits websites for purposes of initiating litigation – cannot bring a claim under the California Invasion of Privacy Act (CIPA). Read More →
Kroger Shakes Calif. Suit Over Interception Of Website Chats: A California federal judge has refused to hold The Kroger Co. liable for a third party’s allegedly unlawful eavesdropping on Kroger website users’ chats, in a ruling that the grocery chain’s counsel predicted could have a “wide impact” on the crush of state wiretapping litigation currently flooding the courts. Read More →
Florida Federal Court Puts Florida’s Security of Communications Act in Play in the Ongoing Wave of Website Privacy Class Actions: In a significant development in the ever-expanding world of privacy class actions, earlier this month, a federal judge in Florida denied dismissal of a website privacy claim brought under the Florida Security of Communications Act (FSCA). Read More →
Ninth Circuit Affirms Dismissal of CIPA and Wiretap Act Claims Against Celebrity Platform: A fan of celebrity LL Cool J filed a wiretapping suit against Community.com (“Community”), claiming that Community accessed her text message to LL Cool J in violation of the federal Wiretap Act and the California Invasion of Privacy Act (“CIPA”). In an unpublished opinion highlighting that Section 632 of CIPA does not protect communications that are by nature a recorded medium, the Ninth Circuit affirmed dismissal of the plaintiff’s claims. Read More →
Tide May Be Turning in Businesses’ Favor After Key California Court Decisions in Website Tracking Cases: Two recent court decisions have provided businesses with long-awaited clarity on the reach of the California Invasion of Privacy Act (CIPA) – and could begin to redefine digital privacy litigation for the better. Read More →

Tags: Litigation

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Insights