Data analytics software has become an essential tool in the online marketplace. Businesses rely heavily on technologies such as chat boxes, session replay and embedded tracking pixels to develop critical insights about their customers and guide their decision-making. Business owners should beware, however, of recent challenges to the use of such technologies under an expansive reading of the 1967 California Invasion of Privacy Act (CIPA). This law prohibits any party from using electronic means to learn the contents or meaning of any communication without consent, providing a statutory penalty of up to $5,000 per violation. Cal. Pen. Code §§ 631(a), 637.2.
Based on 2006 and 2020 cases interpreting the law, CIPA actions have been allowed against out-of-state businesses so long as they have customers within California and against businesses using website tracking and analytics technologies. Together, these decisions significantly expanded the geographic reach and technological relevance of CIPA, rendering any business offering online services to customers in California within the law’s potential ambit.
As a result, attorneys have sought to determine the outer limits of liability in California “pen register” and “trap and trace” litigation; and California’s lower courts continue to define the contours of this evolving legal landscape. Given the uncertainty of what exactly is allowed under CIPA, there has been an increase in demand letters that threaten direct action or class action lawsuits against businesses for purported violations of the law—including the simple use of popular marketing analytics software. Plaintiffs claim that website chat boxes and session replay tools offend CIPA by capturing a visitor’s dialog within a chat or mouse movements, keystrokes and navigation through a website. Moreover, plaintiffs claim that technologies like website pixels offend CIPA by abetting third parties in capturing a visitor’s browsing history and search queries.
Despite the assertive claims made in typical demand letters, the issues are not necessarily clear cut. Rather, this analysis is highly fact intensive and the law remains unsettled. As such, the letter writer may not have the critical information about the technology at issue, website involved and state of the jurisprudence, all of which is necessary to determine potential liability. We encourage you to reach out to our attorneys if you have any questions or needs regarding CIPA claims.