08/03/2023

California Courts Rule On Website User's Privacy And Class Actions: Learn About The New Wave Of Litigation

Over the past year and a half, there has been a rise in litigation and class actions alleging violations of Sections 631(a) and 632.7 of the California Invasion of Privacy Act (CIPA). These claims are based on the use of chatbots and live chat technology, with a new wave of claims alleging that certain practices constitute wiretapping. To this point, most courts have dismissed these claims, but there is little indication that the number of new claims will be declining any time soon.

What is CIPA?

CIPA prohibits certain parties from engaging in wiretapping, eavesdropping, and nonconsensual telephone call recording. The purpose of CIPA is to prevent nonparties from listening in on confidential communications where the parties have a reasonable expectation of privacy and protecting certain telephone communications which are the most susceptible to breaches. Violations of CIPA are particularly attractive for plaintiffs because a successful suit can result in a $5,000 statutory penalty per violation.

Section 631(a). Section 631(a) of CIPA addresses communication through telegraph and telephone wire. This section makes it unlawful for a third party to eavesdrop on a conversation without the consent of the user, to use or attempt to use information obtained from such a communication, or to tap or make an unauthorized connection with a telegraph or telephone wire.

Section 632.7. Section 632.7 of CIPA addresses the intentional recording of cellular radio and cordless telephone communications between (1) two cellular radio telephones, (2) a cellular radio telephone and a landline telephone, (3) two cordless telephones, (4) a cordless telephone and a landline telephone, or (5) a cordless telephone and a cellular radio telephone. This section makes it unlawful for a third party, without the consent of all parties, to intercept, receive, or intentionally record a communication transmitted between any combination listed above.

Class Actions and Claims Brought Under CIPA

In recent years, plaintiffs have sought to expand the scope of CIPA by using its provisions to challenge a number of website features, including live chat features. Below are some of the recent claims that have been brought by plaintiffs arguing violations under CIPA:

• Plaintiffs have argued that session replay technologies effectively permit website operators to grant third parties the ability to eavesdrop on users’ private conversations.
• Plaintiffs have claimed that websites’ chatbots operate as a secret wiretap that allows third parties to eavesdrop on private conversations without users’ consent.
• Plaintiffs have also claimed that website operators have aided and abetted third parties’ activities in spying on users’ private conversations and have used individuals’ data for targeted advertising purposes in violation of CIPA’s Section 631(a).

Court Decisions Regarding the Class Actions

Most court decisions have dismissed CIPA chatbot claims, but many other cases remain pending. To assess the claims, California courts have generally looked at various issues, including:

• Party to Communication. Courts have ruled that an intended recipient of a communication cannot be held liable for wiretapping its own communication.
• Intercepted in Transit. For a plaintiff claim to be successful, the relevant communication must have been acquired while in transit. Crucially, courts have found that a plaintiff’s mere allegation that an interception occurred while in transit is, on its own, insufficient to create standing.
• Telephone Requirement Under Section 632.7. There is some inconsistency in previous cases over whether Section 632.7 of CIPA requires only one, or both parties, to be using a telephone, which makes predicting case outcomes difficult. Despite this, most courts have held that Section 632.7 does not apply to web-based communications, which generally bars any claims based on web-based communications under this Section.
• Aiding and Abetting. Courts have generally rejected plaintiff-proposed theories that attempt to hold website operators liable for alleged violations committed by third-party software providers. When making decisions in cases that involve third-party software, some courts have examined the extent to which the relevant software enables the recording of chat communications.
• Internet Communications. In one particular case, a judge ruled that Section 631(a) does not apply to any internet-based communications, even if one party to the communication accesses the internet through a smartphone.

What Can Companies Do to Mitigate Risk?

Companies that use, or are considering using, customer chat functionality on their websites should be aware of this recent wave of both class action and individual litigation. This is an especially critical consideration for such business because statutory damages can impose significant monetary damage of $5,000 per violation, in addition to plaintiffs’ attorney fees and costs.

Companies should be sure to update their privacy policies, terms of use, and relevant disclosures to consumers, both on their websites and in their chatbot features. These updates should be curated to assure that the website operators have received web users’ proper consent prior to the use of chat transcripts and related content. Disclosures should be conspicuous, as required under federal and state standards.

Contact one of the privacy experts in McGrath North’s Privacy and Cybersecurity team for all of your questions related to the CIPA and how the current state of class actions and individual suits may impact your business.