The United States District Court for Northern District of California recently dismissed a complaint alleging violations of California’s CIPA Law in connection with common website data collection practices. The decision will be celebrated by both retailers and software service providers alike. Judicial affirmation of the principle that website operators’ data collection practices, when done properly, are compliant with consumer data privacy protection laws provides businesses with always-useful certainty.
On what basis were the allegations of CIPA Law violation dismissed?
Originally enacted in 1967, the California Invasion of Privacy Act (“CIPA”) has been a law traditionally used by law enforcement and plaintiffs to bring claims of illegal eavesdropping and unauthorized recording of telecommunications. The plaintiffs’ bar has, in recent years, attempted to adapt the law to modern advancements in communications technology. This has most often led to lawsuits against manufacturers of smart speakers. However, the case at issue concerned allegations against a data collection software developer. Specifically, this plaintiff claimed that the technology provider violated the CIPA Law by purportedly eavesdropping upon users’ communications with Gap, Inc., the retailer which embedded the developer’s software, which tracks consumer website activity (such as mouse clicks, keystrokes, and data entry), on its website.
The Court was unconvinced by this misguided attempt to apply the CIPA Law to data collection software. Consequently, it summarily dismissed the CIPA Law violation claims, finding that the plaintiff failed to properly plead a cause of action for eavesdropping. In dismissing the allegations at issue, the Court adopted the rationale contained in prior precedent which held that similar software service providers are a direct party to the communications with consumers by virtue of being extensions of the retailer to which they provide data tracking software. Thus, as a direct party to the communications with consumers, the subject software service provider at issue in this proceeding could not plausibly have eavesdropped in violation of the CIPA Law.
Lessons Learned From this CIPA Law Dismissal
Retailers and software service providers are cautioned not to read this decision too broadly. Courts have been quick to draw a stark contrast between certain categories of software service providers. On the one hand, providers which capture data on their clients’ websites, host the data on their servers and then make it available to clients for future analysis, are generally deemed to be compliant with CIPA Law. On the other hand, those service providers which partner with website operators for the purpose of capturing data in order to build their own marketing databases for their own use risk running afoul of the statute for possible eavesdropping and/or marketing violations. In order to ensure that your business falls on the correct end of that spectrum, it is critical to work with knowledgeable marketing and privacy law attorneys to review all aspects of your business’s operations.
If you need help evaluating or updating your privacy practices and procedures, please email us at email@example.com or call us at (212) 246-0900.
The material contained herein is provided for information purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Photo by Sergey Zolkin on Unsplash
Similar blog posts:
Federal Privacy Law: One National Standard
New Virginia Privacy Law Coming Soon