Data Privacy Lawsuits Rise as Lawyers Dust Off Wiretapping Laws (2024)

In the past two years, there has been an uptick nationwide in data privacy litigation class actions based on alleged violations of wiretap laws at the federal and state level. Consumer-facing businesses are being accused of intentionally and knowingly sharing their users’ communications with third parties without users’ consent.

Many businesses use various technologies to collect information about the users visiting their websites—for advertising purposes and to enhance user experiences. However, due to the recent lawsuit surge, businesses should carefully review their data collection practices and policies.

New data privacy litigation class actions are appearing each week, and this trend is expected to continue. At the federal level, plaintiffs’ attorneys are bringing lawsuits under the 1986 Electronic Communications Privacy Act, which was enacted to restrict wiretapping and electronic eavesdropping.

At the state level, class action lawsuits alleging breach of state wiretap laws appear most frequently in California, Pennsylvania, Florida, Illinois, and Massachusetts. However, most states have wiretapping statutes that typically impose liability on any business that intercepts the contents of a user’s communications without prior consent. Most statutes also impose criminal liability and allow for private civil causes of action.

In California, where class action litigation has been the most prevalent, plaintiffs’ attorneys are alleging breach of the 1967 California Invasion of Privacy Act. CIPA lawsuits involving claims that consumer interactions with chatbots have been unlawfully shared have been largely dismissed, and some California courts have even held that CIPA only applies to phone communications.

Nevertheless, plaintiffs’ attorneys continue to bring CIPA class action lawsuits under both existing and new theories of liability. This may be because courts are inconsistent in how they apply CIPA to modern technologies, and some courts are unwilling to dismiss claims. Many CIPA claims, where statutory damages can impose fines of $5,000 per violation, are pending.

Initially, plaintiffs’ attorneys brought claims alleging violations of state wiretap statutes primarily based on businesses’ use of chatbots, website session replay, and pixel tracking technology.

Chatbots are used as a form of online support and can store the information users provide. Plaintiffs’ attorneys argue that chatbots are essentially serving the function of a “secret” wiretap that allows third parties to listen in on conversations without users’ consent.

Website session replay technology allows a business to record user activity on its website, including keystrokes, and play back this activity. Plaintiffs’ attorneys argue this technology permits website operators to allow third parties to “eavesdrop” on private conversations and use them for purposes such as targeted advertisement.

Pixel tracking involves small, transparent images, known as pixels, embedded in emails, webpages, and advertisements. The plaintiffs’ bar argues these pixels allow businesses to surreptitiously collect information about user interactions and behaviors.

Plaintiffs’ attorneys have started filing claims premised on CIPA and other state wiretap statutes, under at least three new theories:

  • Identity graphing technology, which involves a business using identity resolution tools to de-anonymize site visitors, thereby allowing businesses to potentially monetize visitors’ browsing habits and share them with third parties.
  • Email marketing technology, which involves use of email campaign analytics tools that allow businesses to discreetly observe and record the interactions of users.
  • “Pen register” and “trap and trace” tracking software, which may include cookies, web beacons, pixels, scripts, or software code, to monitor a user’s location, search queries, browsing activity, or purchase history.

While plaintiffs’ attorneys continue to bring claims based on use of one or more of these technologies, many courts have dismissed wiretap fraud claims based on using chatbots. The new theories that plaintiffs’ attorneys propound are likely subject to existing defenses.

However, courts generally remain split on interpreting their respective state wiretap statutes, particularly CIPA, which may lead to issues for businesses operating consumer-facing websites.

While many data privacy cases are pending and others were dismissed early in the process, businesses should take these steps to protect themselves from data privacy lawsuits:

  • Review technology use to ensure third-party vendors can’t use users’ data for their own purposes without the users’ consent.
  • Implement effective data security measures, including drafting clear data security and privacy policies, and revising these policies as necessary. Privacy policies shouldn’t only be updated on websites, but also in chatbot features where users are informed that the chat is being recorded.
  • Make all disclosures clearly and conspicuously, as mandated under federal and state standards.
  • Quickly address any data breaches that may occur to minimize the risk of a lawsuit and the impact.
  • Obtain affirmative, express consent of users to allow collection of their data, such as with a popup banner where users must indicate they agree to the terms and conditions of the business’s data collection practices.

Even if these disclosures prove unnecessary, they can help avoid the costs businesses may face in class action litigation.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Joshua Briones is managing member of Mintz’s Los Angeles office.

Crystal Lopez and Nadia Zivkov are associates in the litigation practice at Mintz.
