CIPA: The 30-Year-Old Privacy Law Getting Website Owners Sued

What is the California Invasion of Privacy Act (CIPA) and what does a phone call law have to do with website lawsuits?

Hans Skillrud

Termageddon

Hans is the Vice President of Termageddon, overseeing sales & marketing. Hans ran a 12-person web design agency in downtown Chicago for 7 years, and sold it in March of 2019 to focus all of his attention on Termageddon. Like Donata, he too enjoys bee keeping, hunting for morel mushrooms and walks with his wife and two dogs… yes we are married!

This content contains affiliate links. View our affiliate disclaimer.

Everyone loves a good comeback story, right? ‘Seabiscuit’, ‘The Mighty Ducks’, Robert Downey Jr., ‘Rocky’… the California Invasion of Privacy Act (CIPA). Well, maybe not that last one.

Either way, here it is, trying to make a name for itself after 30 years of living in its parents’ basement. So, what is it? Why is it back in the news? And why are business websites suddenly being sued for a law written before Google was even founded?

Let’s look into it.

What is CIPA?

CIPA is a privacy law that went into effect in 1994 to protect residents of California from the harms that come when a third party eavesdrops on private communications. It prohibits businesses from installing or using a pen register or trap and trace device without first obtaining a warrant, unless the individual consents. Because “communications” was originally intended to mean phone calls over landlines, CIPA has been largely ignored by the web design industry, since it didn’t typically apply to them. Even attorneys overlooked it, thinking it would never apply to websites… but not anymore.

Since the law prohibits recording communications with a California resident without consent (again, intended originally for phone calls), Courts have recently reinterpreted this to include communications via websites as well.

What’s considered a CIPA violation today? 

As before, CIPA can still apply to any business communicating with a resident of California, even if your business is located elsewhere. That being said, CIPA violations look slightly different now that the law has been reinterpreted to include websites. For example, a modern CIPA violation must contain the following elements:

  1. A business intentionally used an electronic device to eavesdrop or record a communication with a resident of California;
  2. The website user had a reasonable expectation that the communication was not being recorded or eavesdropped on;
  3. The business failed to obtain the consent of all parties to record the communication; 
  4. The website user was harmed; and
  5. The harm was caused by the website owner.

But wait, there’s more. 

CIPA is particularly risky for businesses since it allows consumers to sue them directly for violations. That’s right, the same people who brought you “Caution Hot” on coffee cups could potentially sue a business directly (for damages of $5,000 per violation or more) based on its website features.

*Note: We’re almost always in favor of consumers having power over their privacy but, for website owners and web designers, it can be a bit scary too.

Consumers aren’t wasting any time with this new power, either, as there has been a recent spike in businesses being sued directly for using cookies, web beacons, pixels, scripts or tracking software – tools the lawsuits are claiming act as the “pen registers” mentioned earlier in this article. 

Recent CIPA lawsuits

Since Courts started to determine that CIPA can be used to litigate claims where a resident of California was tracked without their consent when using a website, multiple privacy lawsuits have been filed alleging similar violations. While some are being dismissed, others are being allowed to proceed.

At the time of writing this blog, some of the more notable CIPA lawsuits include: 

  • Licea v. Old Navy, LLC – DISMISSED – a consumer alleged that Old Navy’s website contains a chat feature which allows the recording and creation of transcripts of conversations with the chat in violation of CIPA. However, the Court ruled for Old Navy, finding that since Old Navy was a party to the communications, they could not be held liable for eavesdropping on their own communications.
  • Byars v. Hot Topic, Inc. – DISMISSED –  the Court found that a chat feature was a “tool” and an extension of the website owner, meaning that there was no unlawful third-party interception and the lawsuit was dismissed. 
  • Greenley v. Kochava, Inc. – NOT DISMISSED –  a Court found that the use of software that identifies consumers, gathers data, and correlates that data through fingerprinting can constitute a violation of CIPA and thus the Court refused to dismiss the lawsuit. 
  • Lesh v. Cable News Network, Inc. – UNDECIDED – an individual sued CNN for installing three types of tracking software as the user was using the CNN website.

*Note: Although several of the cases listed above were dismissed, it’s important to point out that these cases can be lengthy and expensive if left up to the Courts to work their way through them. Businesses could have saved valuable time and money if they had gained proper consent to begin with. 

While California Courts are certainly undecided on whether some of these lawsuits should proceed and there is no real clear guidance as to whether large damages will be applied, the fact is that many more businesses are being sued for violations of CIPA through the use of tracking technologies on websites.

At first, the lawsuits seemed to target either large corporations or businesses that work in the healthcare fields. However, we at Termageddon have already had many agency partners reach out to us claiming some of their small business clients (none of whom are Termageddon users) have received demand letters regarding CIPA.

So, while we’re still in unknown territory regarding CIPA lawsuits, it might be best for web designers to get ahead of all this and avoid any scares altogether. 

Avoiding CIPA violations

Option 1: Remove unused or unnecessary tracking tools

Since CIPA and the recent lawsuits have been targeting businesses that use tracking technologies (or other technologies that intercept communications between the website and a resident of California), website owners that use such technologies should ask themselves one simple question: “Do I need this on my website?” 

For example, if you currently use a chat feature on your website and get no inquiries from the chat feature, you should consider removing it. Or, if you are using a website analytics tool but never view the actual analytics, consider removing that tracking technology from your website. In both these cases, the risk might just outweigh the reward. 

Option 2: Get consent

The second-best way to avoid CIPA violations is to obtain the consent of the user prior to tracking them. Getting the consent of the individual is listed as an established exception to CIPA.

Consent can be obtained through a cookie consent banner. It’s important to note that a cookie consent banner only obtains consent for tracking technologies, not phone calls, and the banner should:

  • Ensure that all third-party tracking scripts and technologies are blocked until website visitors consent to being tracked
  • Have an “accept” and a “decline” button
  • Not track users who have selected “decline”
  • Be designed in such a way that the “accept” and “decline” options are given equal prominence
  • Allow individuals to withdraw their consent if they change their mind
  • Provide individuals with enough information to make an informed decision as to whether or not they would like to be tracked
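
One way to enforce the blocking, decline and withdrawal rules in the list above, as an added example that is not from the original article or from Termageddon's product. The function names, storage key and tag URL are hypothetical; `store` is any object with `get`/`set`, so a `Map` works outside a browser.

```javascript
// Added example, not the article's code. All names here are hypothetical.
const CONSENT_KEY = "tracking_consent"; // assumed storage key

// store: object with get(key)/set(key, value); injectScript(src) loads one tag.
function createConsentGate(store, injectScript) {
  const pending = []; // registered third-party tags, blocked so far
  const loaded = [];  // tags injected after an explicit "accept"

  // "unset" until the visitor chooses; silence is never treated as consent.
  const state = () => store.get(CONSENT_KEY) || "unset";

  function flush() {
    if (state() !== "accepted") return;
    while (pending.length > 0) {
      const src = pending.shift();
      injectScript(src);
      loaded.push(src);
    }
  }

  return {
    state,
    loaded: () => loaded.slice(),
    // Call this instead of placing a <script src> tag in the page markup.
    register(src) { pending.push(src); flush(); },
    accept() { store.set(CONSENT_KEY, "accepted"); flush(); },
    decline() { store.set(CONSENT_KEY, "declined"); },
    // Withdrawal stops future loads. Tags that already ran cannot be unloaded,
    // so the caller should reload the page when this returns true.
    withdraw() {
      store.set(CONSENT_KEY, "declined");
      return loaded.length > 0;
    },
  };
}

// Browser wiring; skipped where no DOM exists (for example under Node).
if (typeof document !== "undefined") {
  const store = {
    get: (k) => localStorage.getItem(k),
    set: (k, v) => localStorage.setItem(k, v),
  };
  const gate = createConsentGate(store, (src) => {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  });
  gate.register("https://analytics.example/tag.js"); // placeholder URL
  window.consentGate = gate; // banner buttons call accept(), decline(), withdraw()
}
```

The gate only controls tags routed through `register()`; any third-party script still hard-coded in the page markup loads regardless of the visitor's choice.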

Sound familiar? This is because a CIPA cookie consent banner should follow all of the same rules as the GDPR cookie consent banner. In addition, you should also provide a Cookie Policy to users so that they have adequate information as to what cookies and other tracking technologies are being used on the website, what their purpose is, and what their duration is.

If only there were a place, one that perhaps rhymes with Furmageddon, that offered a cookie consent banner and Cookie Policy generator that can help you avoid costly litigation from the likes of CIPA and other privacy laws. Jokes aside, Termageddon currently stands as the only website policies generator addressing CIPA. We hope this will not only help our customers but also help slow down this new wave of ambulance-chasing lawsuits…

One can dream. 
