By Mark Sanborn
Senior Product and Regulatory Counsel
December is here, and while the weather might be cooling down, the legal landscape around website wiretapping claims is still as hot as ever—especially claims under the California Invasion of Privacy Act (CIPA). As we’ve covered in past newsletters and alerts, auto dealerships and other businesses with an online presence continue to face legal headaches over cookies and tracking technologies. These claims often arise under state-specific privacy laws like CIPA. And it’s not just California, similar lawsuits are popping up in states like Pennsylvania and Massachusetts, which have their own wiretapping laws, as well as under federal wiretapping laws.
Here’s a quick update on the world of tracking tech litigation.
CIPA Claims – Plaintiffs Maintaining the Pressure
FCA has become the target of a recently-filed CIPA lawsuit, centered on the alleged use of tracking technology on its Jeep.com website.1 The complaint, filed by a law firm that has brought similar actions, alleges that the tracking technology operates as a “pen register” or “trap and trace device,” collecting users’ device information and activities without their consent. Specifically, the technology purportedly gathers routing, addressing, and signaling information, such as IP addresses, from website visitors. According to the complaint, FCA utilizes this data for purposes including analytics, targeted advertising, and revenue generation. Consistent with other recent CIPA cases, the plaintiff asserts claims under the statute’s pen register/trap and trace provisions, which do not require evidence of intercepted communications. Instead, the allegations hinge on the mere recording of signaling information.
In a separate class action case,2 Ford Motor Company’s motion to dismiss a CIPA wiretapping case was only partially granted. The plaintiff alleges that Ford allowed LivePerson, a third-party provider, to intercept and record chat communications on Ford.com without user consent. The Court denied the motion to dismiss, citing sufficient allegations that LivePerson could use intercepted chat data for its own purposes, potentially constituting eavesdropping. Additionally, there was enough evidence to suggest that Ford knew or should have known about LivePerson’s actions and associated privacy risks. A motion to dismiss assumes all allegations are true and does not involve a determination of facts. However, the denial of the motion to dismiss means Ford must defend the case and signals that courts continue to interpret CIPA as applicable to website communications.
A Tentative Limitation of the Massachusetts Wiretap Law
In October, the Massachusetts Supreme Judicial Court3 issued its opinion in a closely-watched website wiretapping case involving the websites of two hospitals.4 The case centered on whether two Massachusetts hospitals violated the Massachusetts’ wiretap law (G.L. c. 272, § 99) by using third-party tracking software to monitor and share website users’ browsing activities without their consent. The plaintiff alleged that her browsing activities, which included searching for information about symptoms, doctors, and medical procedures on the hospitals’ websites, constituted protected “communications” under the law.
The Court ruled that the Massachusetts wiretap law does not extend to website browsing activities as “communications.” The Court emphasized that web browsing involves accessing pre-generated content rather than engaging in interpersonal communication. Consequently, the court reversed the denial of the hospitals’ motion to dismiss.
The Massachusetts law is somewhat unique because it had severe criminal penalties, unlike most other state wiretapping laws. The possibility of harsh criminal penalties likely swayed the Court’s decision in this case. Notably, there was a strong dissenting opinion, and the Court urged the state legislature to create new legislation to address the challenges posed by these online practices.
Dealers Should Remain Vigilant
ComplyAuto is actively working with Massachusetts dealers to help ensure their cookie banner settings are appropriate. Massachusetts dealers who are interested in this issue are encouraged to contact ComplyAuto to schedule a review of their website settings in light of the recent case law.
1 Martin v. FCA US LLC, No. 24STCV29096 (Cal. Super. Ct. Los Angeles Cnty. Nov. 6, 2024).
2 Rodriguez v. Ford Motor Co., No. 3:23-cv-00598-RBM-JLB (S.D. Cal. April 16, 2023).
3 This is the highest state court in Massachusetts.
4 Vita v. New England Baptist Hosp., 494 Mass. 824 (2024).