In recent years, there has been a flurry of demand letters and lawsuits from plaintiffs alleging violations of the California Invasion of Privacy Act (CIPA), the state’s wiretap statute. Primarily targeting eCommerce websites, the plaintiffs typically allege that some third-party tool on the website, such as an AI chat-bot feature, amounts to an unlawful interception of their communications, and that the website itself has aided the third party in the act.
The costs associated with these claims range from thousands of dollars for individual settlements, to millions in damages and attorneys’ fees from a class-action lawsuit. Understandably, executives and business owners would like to avoid the problem altogether. Here we’ll broadly go over the legal issues involved, as well as some steps you can take to reduce the likelihood of your business being targeted by one of these claims.
CIPA is a criminal statute meant to punish electronic eavesdropping on private communications. Among other things, CIPA prohibits anyone from reading the “contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable” without the consent of all parties to the communications. A violation is punishable by fines or even imprisonment, but also gives rise to a private right of action, meaning victims of unlawful wiretapping can sue the violator in civil court.
An eCommerce website operator may wonder what all of this has to do with them.
Consider, for example, an online retail website that uses third-party “session replay” software that records users’ interactions with the site, such as where they move their cursor and how long they spend on each page. The recordings are stored on the third party’s cloud servers, where they can be accessed by the retailer.
Courts have interpreted such recordings to be the “contents” of a communication, and therefore protected from interception by CIPA. Since the retailer is a direct party to the communication, it cannot be considered as intercepting the contents of that communication. The software provider, on the other hand, is a third party; it is considered to be “listening in” on the conversation. Because the retailer installed the software on its site, it is “aiding” the software provider in its interception of the communication.
If the retailer first obtains a visitor’s consent before using the software, there is no problem. If the retailer has not obtained a visitor’s consent, then it may have violated CIPA. (More on consent below.)
There are certain website tools that have already been deemed by courts to be intercepting the contents of private communications. Prominent among these are session-replay software, chat tools that use AI-driven chat bots, and keystroke-tracking software.
However, this should not be considered an exhaustive list. Anything that allows a third party to monitor visitors’ interactions with the site in real time or to access the contents of other communications should be considered a potential interception under CIPA.
It is not necessarily unlawful to use these tools, but you must obtain site visitors’ consent first.
In another case, the court stated that this is not enough and the website must provide more notice and perhaps require some affirmative action by the visitor to demonstrate acceptance of the terms.
An even more cautious approach would be to include the disclosure of the use of such tools in a consent dialog box, so the visitor must affirmatively consent before using any page or feature where the tools are in use.
It is reasonable to think that being compliant with the California Consumer Privacy Act (CCPA) would be enough to protect a business against this kind of wiretap lawsuit; however, that is not necessarily the case. Though they both deal with the same core issue (i.e., information privacy), CIPA is different enough that businesses should not assume that CCPA compliance will be sufficient.
While being CCPA compliant is a great start to protecting your business against a California wiretap lawsuit, it would be wise to consider other measures to ensure you are obtaining site visitors’ consent before using any third-party tool that may be monitoring private communications or interactions.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.