
Privacy developments—legislation, enforcement, and litigation in the U.S.—are heating up along with temperatures this summer. The past year brought a slew of website “invasion of privacy” litigation in which putative class representative and individual plaintiffs relied on wiretapping statutes and the Video Privacy Protection Act to pursue claims against companies deploying session replay and pixel software to assist in data analysis and ad targeting on their websites. Now there is another technology in the crosshairs: lead generation software.

Website lead generation software generates “actionable” lead data on users who visit websites, and there are a handful of software companies competing for the market in this space.[1] Lead generation software complaints typically allege that the website owner is using the software to “deanonymize” or “dox”[2] its website visitors by leveraging cookies that obtain information such as name, I.P. address, LinkedIn profile, and email address.[3]

Like the initial wave of website invasion of privacy lawsuits related to pixels and session replay software, plaintiffs in the lead generation wave of cases typically rely on state laws that provide for statutory damages, such as the California Invasion of Privacy Act (CIPA). CIPA is California’s state wiretapping law, which plaintiffs typically claim is not limited to phone lines but rather extends to “newer technologies such as computers, the Internet, and email.”

Plaintiffs are also claiming that lead generation software violates California’s unfair competition statute or can give rise to a claim for unjust enrichment. Some even go so far as to allege that lead generation software violates the California Unauthorized Access to Computer Data Act (CUACDA), which the legislature intended to address hacking and other cybercrimes.[5] Under CUACDA, “the owner or lessee of the computer, computer system, computer network, computer program, or data who suffers damage or loss by reason of a violation … may bring a civil action against the violator for compensatory damages and injunctive relief or other equitable relief.” Attorney’s fees are also permitted under the statute.

Companies using this type of software should be aware of this trend and consider consulting counsel to explore mitigating measures—e.g., public-facing privacy statement disclosures and methods of obtaining user consent—and to ensure compliance with applicable privacy laws.

Buchanan’s experienced data privacy team and class action team are available to assist companies in compliance, risk evaluation and mitigation, responding to demand letters, and defending suits.

  1. Munoz v. I.P.S. Group, Case No. 30-2023-01337861-CU-CR-WJC (Superior Court of California, County of Orange).
  2. Google’s Oxford Language Dictionary defines “dox”: “search for and publish private or identifying information about (a particular individual) on the internet, typically with malicious intent.”
  3. Munoz v. I.P.S. Group, Case No. 30-2023-01337861-CU-CR-WJC (Superior Court of California, County of Orange).
  4. Munoz v. I.P.S. Group, Case No. 30-2023-01337861-CU-CR-WJC (Superior Court of California, County of Orange).