Why does an obscure California law apply to your website?


Cameron Shilling

Businesses commonly embed in their websites certain tracking technologies, like Meta Pixel, Google Analytics or LinkedIn Insight. These plugins analyze website visitor activities and facilitate advertising for the business on social media sites and internet browsers. However, businesses that use them are getting sued by California lawyers under an obscure law called the California Invasion of Privacy Act, or CIPA.

CIPA is a wiretap statute that is intended to prevent interception of electronic communications and requires consent for any such interception. California lawyers claim that tracking technologies violate CIPA by intercepting electronic communications between a website operator and its visitors, such as clicks, page views and keystrokes, and then transmitting that data to the tracking technology provider. Even if the business cannot identify its website visitors, the tracking provider can do so using data from a cookie that it previously placed on the visitors' devices.

California lawyers are not suing the tracking technology providers, like Meta, Google and LinkedIn. Doing so would pick a fight with an enormous adversary, involve expensive litigation, and potentially result in a court ruling determining that CIPA does not apply. If that were to occur, it might put an end to this litany of lawsuits.

Instead, these lawyers find a California resident who has visited the website of a small or medium-sized business and assert a putative class-action claim against the business for aiding and abetting CIPA violations by the tracking technology providers. When doing so, they seek statutory damages of $5,000 per website visit by the named-plaintiff California resident, resulting in settlement demands from $50,000 to $200,000, and ultimate settlements of 10%-25% of the initial demand. For small to mid-sized businesses, settling a claim is far cheaper than litigating it, which is the outcome the lawyers asserting the claim wanted in the first place.

What can businesses do to avoid being targeted?

  • Audit the website to determine if tracking technologies are being used.
  • Update the privacy policy to state that the website uses tracking technologies that forward information about visitors to third parties, such as Meta, Google or LinkedIn, and that those third parties will use that information to advertise to those individuals.
  • Reset the cookie banner so that, the next time they visit the site, all website visitors must reject all, accept all, or select which cookies they permit on your site. When visitors make that cookie selection, require them to consent to the new version of the privacy policy discussed above, and log that consent for potential future use.
  • Do not transmit information to tracking technology providers unless and until a website visitor has consented to such transfers via the cookie banner and new privacy policy.
  • Honor privacy rights requests of website visitors, including their cookie selections and their right to limit how the business uses their personal information.
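
As a starting point for the audit step above, the following Python sketch scans a page's HTML for references to the three providers named in this article. It is an added example, not code from the author or any of the providers; the host list is a constructed, non-exhaustive assumption, and the sample page is made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: constructed, non-exhaustive host list for the three providers named above.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta", "www.facebook.com": "Meta",
    "www.googletagmanager.com": "Google", "www.google-analytics.com": "Google",
    "snap.licdn.com": "LinkedIn", "px.ads.linkedin.com": "LinkedIn",
}

class TrackerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (provider, host, how it is loaded)
        self._inline = False      # True while inside a <script> with no src

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self._inline = src is None
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).hostname
            if host in TRACKER_HOSTS:
                self.findings.append((TRACKER_HOSTS[host], host, f"<{tag} src>"))

    def handle_endtag(self, tag):
        self._inline = False      # inside <script> only </script> is parsed as a tag

    def handle_data(self, data):
        if self._inline:          # loader snippets name the host in their body
            for host, provider in TRACKER_HOSTS.items():
                if host in data:
                    self.findings.append((provider, host, "inline script"))

def audit(html):
    parser = TrackerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real site.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>var t = document.createElement('script');
t.src = 'https://connect.facebook.net/en_US/fbevents.js'; document.head.appendChild(t);</script>
</head><body>
<noscript><img src="https://www.facebook.com/tr?id=EXAMPLE&amp;ev=PageView"></noscript>
<a href="https://www.linkedin.com/company/example">Follow us</a></body></html>"""

if __name__ == "__main__": print(audit(SAMPLE_PAGE))
```

A static scan like this does not see tags that a tag manager injects at runtime, and an ordinary link to a provider's site (the LinkedIn link in the sample) is not a tracker. Checking the browser's network requests before and after the cookie selection covers the runtime case.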

California lawyers are relentless, targeting unaware and unprepared businesses with CIPA class-action claims designed to leverage moderate settlements to avoid expensive litigation. Take action now to ensure that your business does not become their next victim.


Cam Shilling founded and chairs McLane Middleton’s Cybersecurity and Privacy Group. The group of six attorneys and one paralegal assists businesses and private clients to improve their security, privacy and AI compliance, and address any incidents or breaches that occur.
