Businesses that have invested in robust privacy compliance programs to stay up to date with GDPR, CCPA/CPRA, and 18 other comprehensive consumer privacy state laws may still face a surprise when they receive a demand letter alleging violations of the California Invasion of Privacy Act (CIPA). In the latest trend in California class action litigation, plaintiffs are invoking CIPA’s “wiretapping” (Section 631) and “pen register” (Section 638.51) prohibitions to assert invasion of privacy claims against businesses using solutions like pixels, plugins, or cookies on their websites to track visitors. Common targets include tools like the “Meta Pixel” and “TikTok Pixel,” as well as many other tracking and advertising technologies that are not as well-known. These tools are often installed by third-party web developers to help businesses identify users and improve advertising targeting.
Plaintiffs allege that the use of these tools results in the unauthorized sharing of California consumers’ personal data with third parties, such as Meta or TikTok. See In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589, 596 (9th Cir. 2020). In more extreme cases, plaintiffs claim that these tools allow third parties to “eavesdrop” on their web activity, including interactions with features like chatbots. See Byars v. Hot Topic, Inc., 656 F. Supp. 3d 1051 (C.D. Cal. 2023).
Such activity should be subject to user notice and consent. When a California consumer visits a company’s webpage, they should be greeted by a privacy pop-up asking them to accept or reject cookies that enable a “personalized web experience.” A properly implemented consent tool should address any concerns raised by these actions, yet plaintiffs are undeterred from pursuing claims—sometimes asserting that the mere presence of the tracking code on the site is sufficient to state a claim.
The disparate outcomes at the pleading stage make it more difficult to assess the risk of these claims. When applying the outdated CIPA statute to modern technology—technology that its drafters could not have anticipated—state and federal courts have reached mixed conclusions. While courts are often skeptical of these claims, a significant number have found them plausible based solely on the pleadings. See, e.g., Dino Moody v. C2 Educational Systems, Inc., U.S. District Court, Central District of CA, Case No. 2:24-CV-04249 (later dismissed due to the plaintiff’s failure to timely file a Motion for Class Certification).
A business that maintains a website with a comprehensive “Opt-In” privacy consent framework should have no difficulty prevailing against these claims, as the user’s informed, affirmative consent serves as a complete defense. See, e.g., Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1178–79 (9th Cir. 2014). However, it remains unclear whether the “Opt-Out” privacy consent framework prescribed by the CCPA/CPRA would be sufficient in this context. Unfortunately, since judges are often reluctant to dismiss these claims early when the plaintiff alleges a lack of consent, even weak claims can result in significant litigation costs before reaching a successful motion for summary judgment.
Munck Wilson Mandala is actively pursuing several additional defenses in response to these claims on behalf of our clients. These defenses include both procedural (such as identifying necessary third parties and challenging personal jurisdiction) and substantive (such as contesting inaccurate interpretations of website code and demonstrating the use of compliant consent frameworks) arguments that may apply on a case-by-case basis.
Importantly, even if plaintiffs correctly assert that these tools are covertly violating consumer privacy rights despite a business’s best efforts, the tech companies that developed these tools may ultimately bear the brunt of liability. The accused business may only be subject to claims of aiding and abetting. See Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073 (C.D. Cal. 2021); Saleh v. Nike, Inc., 562 F. Supp. 3d 503 (C.D. Cal. 2021).
Munck Wilson Mandala is actively advising clients on their exposure to CIPA actions. If you have received a CIPA demand letter or would like to proactively assess your website’s compliance with CIPA and other data privacy regulations, please contact Brent Lehman or Jane Davidson.
