Search Our Website:
menu
BACK TO INSIGHTS
BIPC Logo
ARTICLES & ADVISORIES
JAN 10 2025

Navigating the Next Wave of Privacy Claims: How to Avoid Becoming a 'Web Wiretapping' Target

In previous posts, we examined the rise of chat and pixel cases under Section 631(a) of the California Invasion of Privacy Act (CIPA), as well as the increasing prevalence of pen register, trap and trace cases, and search bar pixel cases under CIPA Section 638.51. In this post, we discuss other trending privacy claims and offer recommendations to help you avoid becoming a target of website-based privacy lawsuits and arbitration claims.

Alongside these developments, other website privacy claims are evolving and becoming increasingly prevalent in several states. For instance, cases alleging that common email marketing analytics technologies can violate the Arizona Telephone, Utility and Communication Service Records Act (Arizona Act) are on the rise. Major retail companies such as Target1 and Gap2  are facing accusations of violating the Arizona Act by embedding analytics technologies, referred to as “spy pixels” in the complaints, in emails without obtaining consumers’ consent. Plaintiffs assert that the data collected, including information on email opening times and locations, frequency of interactions, forwarding, printing and recipient email server types, constitutes “communication service records” under Arizona Act. These data points are very widely used in digital marketing. While many of these cases are currently in the motion-to-dismiss stage, companies using tracking technologies in their email marketing campaigns should be wary of potential lawsuits from Arizona consumers.

Additionally, there has been an uptick in website privacy cases under the Song-Beverly Credit Card Act, a California law established in 1971. These lawsuits allege that gathering personal information, including IP addresses, during online credit card transactions violates the Act’s prohibition on requiring the provision of personal information in exchange for completing a credit card transaction. This raises questions about the definition of “necessary data” permissible under the statute and whether IP addresses constitute personally identifiable information (PII) under California law. This intersection of Song-Beverly and Pixel cases is a prime example of how the plaintiff bar is adapting old laws to regulate new technologies.

The outcomes of these lawsuits will shape future litigation strategies and provide valuable guidance for companies looking to refine their data collection practices to mitigate legal risks. As we approach 2025, it is crucial for businesses to proactively assess and adapt their data privacy policies and compliance these evolving legal precedents. By staying informed about the implications of recent rulings, companies can better anticipate potential challenges and adapt their strategies accordingly.

Avoid Becoming a “Web Wiretapping” Target

Many website owners mistakenly believe that if they have a California Consumer Privacy Act (CCPA)-compliant website and privacy policy, they are immune to these claims. To be CCPA-compliant means, among other things, that the website protects the data privacy rights of California residents as outlined under CCPA. However, most website invasion of privacy cases do not bring claims under the CCPA, and the CCPA does not require the types of consents and mechanisms that will enable website owners to thwart these claims.

Even if all the tracking technologies deployed on a website are clearly disclosed in a posted privacy policy and a cookie banner allows users to select cookie preferences, it becomes a challenge to argue that prior consent exists if those tracking technologies are firing before the website users have given their prior informed consent.

What about implied consent? While consent can be either express or implied,4 implied consent is often difficult to argue in the case of a typical consumer. Many plaintiffs’ firms employ “tester plaintiffs” to bring these claims, similar to the wave of tester plaintiffs in the heyday of Americans with Disabilities Act (ADA) website lawsuits. These plaintiffs appear to visit websites specifically to identify those that may be vulnerable to privacy violation claims. It can be argued that a privacy tester plaintiff, who intentionally enters data with the expectation that it may be "stolen" or subject to eavesdropping under the CIPA statute, has impliedly consented to such conduct. If you find yourself facing these challenges, consider consulting experienced web wiretapping counsel who can help develop this argument.

At least one court has expressed disapproval of the use of “testers” to bring these claims in mass: “When the goal is to file as many lawsuits as possible in the least amount of time, it is far easier and cheaper to copy and paste a complaint over and over again, and to write the original template in such a way that hardly anything needs to be swapped out. … And surely, whatever one’s views on the propriety of copying and pasting from boilerplate pleadings, there is a point at which all reasonable people should agree the practice has gone too far.”5 Despite this, cases involving “tester” plaintiffs continue to be filed and accepted by the courts, at least for now.

To proactively avoid these claims, we recommend the following strategies:

  • Hold regular meetings between marketing and legal teams to ensure a full understanding of the technology being used and how to mitigate associated liabilities.
  • Obtain additional technical advice if the marketing team does not fully understand how the tracking technologies operate.
  • Review all website technology use to ensure third-party vendors cannot use consumer data for their own purposes without consent.
  • Review and revise privacy policies regularly to ensure that they are comprehensive and accurate.
  • Regularly review the tracking technologies active on your website to ensure that each one serves a current important purpose and is described in the privacy policy.
  • Assess website chat features to ensure that the website owner is gathering explicit consent to the chat to be recorded and/or shared.
  • Obtain affirmative, express consent from users for the specific types and purposes of data collection, such as using a banner that requires explicit, trackable consent to the terms and policies disclosing the software on the site before it is deployed.

The Need for Experienced Counsel in Privacy Law and Litigation

The Cybersecurity and Data Privacy team at Buchanan delivers comprehensive strategies for managing data privacy and cybersecurity challenges. We specialize in both compliance and litigation, with extensive experience in handling website wiretapping issues, including tracking and tracing. Our team has defended clients in a variety of contexts, from mass arbitrations to class actions, in courts nationwide. Our approach focuses on understanding our clients' business and marketing objectives, working collaboratively to achieve those goals while mitigating data privacy risks. Additionally, we offer a flat fee website auditing service designed to identify potential areas of risk and exposure. For more information about our flat-fee auditing service, click here to view our brochure, and reach us at cyber@bipc.com.

  1. Smith v. Target Corporation
  2. Carbajal v. Gap Incorporated et al.
  3. Schneckloth v. Bustamonte, 412 U.S. 218, 227 (1973)
  4. Byars v. Hot Topic, Inc., 656 F. Supp. 3d 1051, 1060 (C.D. Cal. 2023)
Contributors
Related Services & Industries
Related Offices