By: James K. Paulick, Esq.
The California Invasion of Privacy Act (CIPA), California’s “wiretap act,” is slowly coming into its own as a class action boon for plaintiff’s counsel – and businesses should pay attention. Similar to American’s With Disabilities (ADA) website compliance actions, professional plaintiffs may start filling court dockets against businesses who violate CIPA.
The CIPA, California Penal Code Sec. 631 is California’s homegrown brother to the U.S. Federal Electronic Communications Privacy Act (ECPA) wiretap act. The term ‘wiretap’ may conjure images of the classic scene of the FBI tapping a crime boss’s rotary phone in their home to obtain key evidence to bring down a criminal organization, but the definition of ‘wiretap’ under CIPA refers to much broader and more modern and “accepted” modes and methods of information gathering in the online business context.
For purposes of CIPA, a “wiretap” is defined as any unauthorized reading, or attempted reading, of any message, report, or communication while the same is in transit or passing over any wire, line, or cable as well as the use of any information so obtained.
The 9th Circuit, which is the federal appellate court for California, has held that CIPA applies to internet communications, see Javier v. Assurance IQ, LLC, 21-16351, 2022 WL 1744107, at *1 (9th Cir. May 31, 2022).
CIPA is quietly being utilized by plaintiff’s counsel as a big stick against medium to large companies who obtain information from website visitors and consumers who interact with their website. For example, if your business provides a chat function to develop sales leads or to provide support to its customers, and a warning is not displayed that personal information will be recorded and/or shared with third parties, a business could be held liable. CIPA provides for private causes of action with statutory penalties, under CIPA Sec. 637.2 of $5,000 per violation and three times the amount of actual damages, if any, sustained by the plaintiff.
This law has also been applied, successfully, against businesses who gather cookie and referring URL data for purposes of compiling data and later selling it or providing it to a third party for a purpose other than that was consented to by the website visitor/consumer.
Any time a regulatory body of law provides for a private cause of action with no burden to prove actual damages businesses should be especially careful with compliance. Statutes like CIPA create immediate opportunity and impetus for plaintiffs to go hunting for non-compliant businesses.
If any businesses are familiar with the wave of Americans with Disabilities Act (ADA) website compliance lawsuits, this could be the next wave of lawsuits that pummels unsuspecting and unprepared businesses. In contrast to the ADA, CIPA does not provide attorney’s fees. However, as noted above, CIPA does not require that the plaintiff has suffered any threatened or actual damages. Thus, the mere gathering of information without consent provides standing for a plaintiff to assert a claim even if the plaintiff suffered zero harm or inconvenience.
The good news is compliance with the law is not difficult. A business must take certain steps, as part of its privacy program, to ensure that any time the business is gathering, either automatically, or with a chat feature, personal data of a consumer/website visitor, that it obtains valid consent consistent with the holdings and determinations of the courts interpreting CIPA and other applicable Data Privacy laws.
For assistance with complying with CIPA or other privacy/wiretap related law, please contact James K. Paulick at firstname.lastname@example.org or 424.738.4400 for an initial consultation. Jim is Counsel with Leech Tishman and a member of the Corporate Group, where he leads the Data Privacy & Cybersecurity Group.
Leech Tishman’s Facebook Page: https://www.facebook.com/leechtishman
Leech Tishman’s Twitter: https://twitter.com/LeechTishman
Leech Tishman’s Company Page on LinkedIn: https://www.linkedin.com/company/leech-tishman
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, construction, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, emerging cyber technologies, energy & natural resources, healthcare, and hospitality industries. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota, and Washington, D.C.