As ComplyAuto has warned, in 2024, there has been a massive increase in demand letters, individual lawsuits, and class actions allegingCIPA violations based on businesses’ use of commonplace website technologies. In two recent articles, one entitled “Cos. Should Mind Website Tech As CIPA Suits Keep Piling Up” written by prominent privacy attorneys Wynter Deagle, Anne-Marie Dao, and Teresa Morin, and another entitled “Your Third-Party Website Vendors Might Be Exposing Your Business to a New Theory of Liability: 3 Steps You Should Consider Right Now,” written by prominent privacy and cyber attorneys Anthony Isola, Usama Kahf, and Kile E. Marks, the authors highlight the rapidly evolving landscape of privacy litigation under the California Invasion of Privacy Act (“CIPA”), a decades-old statute originally designed to combat wiretapping.
The articles describe the initial wave of CIPA litigation that focused on claims that various technologies like third-party cookies, chatbots, session replay, web beacons, and other tracking technologies violated CIPA’s anti-wiretapping provisions. Since then, hundreds of lawsuits have been filed in California and other states, with plaintiffs claiming that website operators are violating CIPA by aiding or conspiring with third parties to intercept user data. While many of these cases were settled or dismissed, plaintiffs’ lawyers have now zeroed in on a little-noticed part of CIPA – the prohibition on installing or using pen registers and trap-and-trace devices without a court order.
A 2023 ruling in Greenley v. Kochava held that software collecting certain data from mobile apps could be considered a “pen register” under CIPA’s broad definition. Seizing on this, plaintiffs’ firms have filed over 150 new lawsuits in California alleging that pixels and other web technologies are unlawful pen registers or trap-and-trace devices.
As these cases work through the courts, the authors note that the scope of CIPA’s pen register provision remains unclear and suggest that businesses take steps to avoid becoming targets of these types of claims. The authors note that businesses should proactively review their use of website technologies and privacy disclosures to ensure they can establish user consent, which is a defense under the law. The Isola article also suggests that implementing opt-in mechanisms that require a user to click a button before any data disclosure to third parties may offer the strongest protection against these claims.
Our Recommendation to Dealers:
As CIPA litigation heats up, auto dealers must exercise caution when implementing new website technologies or analytics tools. Be wary of companies pushing solutions that may not be fully compliant with the latest litigation trends. Additionally, as ComplyAuto has noted, it is not just CIPA that businesses should be aware of. Other states’ wiretapping laws are being applied in similar ways. These state laws are also being used to target out-of-state businesses, so this is something that businesses across the country should be aware of.
We advise against signing long-term contracts for these services unless they include a clause allowing you to cancel if the provided solution is determined to be non-compliant with privacy laws. The legal landscape is shifting quickly, so retaining flexibility is key.
Consult with counsel to assess your current web technologies and make any necessary adjustments to your privacy disclosures and practices. Establishing clear user consent mechanisms could provide a valuable defense in the event of a CIPA claim.
Staying informed and adaptable will be essential as privacy litigation under CIPA and wiretapping continues to unfold in 2024 and beyond. Choose your service providers and contract terms wisely to mitigate risk in this dynamic environment.