It is challenging for businesses to maintain their competitive marketing edge while simultaneously reacting to ever-changing regulations on consumer data collection, usage, and sharing. In parallel, plaintiffs’ attorneys are turning the use of common website technologies, such as cookies, pixels, chatbots, and session replay, into lawsuits that often hinge on invasion of privacy statutes of a much older vintage that prohibit wiretapping and eavesdropping.
As businesses adapt to new privacy laws, they must not overlook the risks posed by these older laws and their impact on consumer data collection and analytics. Here’s a look at the legal landscape around state invasion of privacy laws as well as some practical takeaways for companies around data collection.
One Catalyst: State Consent Laws on Recording Communications
Certain states require all parties’ consent prior to recording communications. Among other examples, the California Invasion of Privacy Act of 1967 (CIPA) has served as the basis for recent data privacy claims related to purported "recordings." Businesses utilize website technologies and third-party service providers to gain a better understanding of their users’ habits and interactions with the business’s website. Other states are one-party consent states, meaning only one party needs to consent to the recording.
Plaintiffs have made CIPA and similar all-party consent laws the focal point of putative class action complaints, based on CIPA’s prohibition of reading, or attempting to read or learn, a communication’s contents without the prior consent of all parties to that communication. Although CIPA was originally intended to prevent eavesdropping on telephone conversations, some CIPA decisions have been read as extending coverage to the collection of user data, such as the Ninth Circuit’s decision in Javier v. Assurance IQ LLC. Although this decision was unpublished and excluded from setting precedent, it opened the door for plaintiffs’ attorneys to file numerous suits under CIPA in California. On the other hand, decisions such as Graham v. Noom have required plaintiffs to show that the third-party provider used the information collected on the user for the provider’s own purposes.
The filed complaints to date contain a variety of allegations, including that businesses using these third-party data collection technologies — such as chatbots or session replay — are aiding and abetting wiretapping by allowing a third party to "intercept" communications between consumers and the business. While courts have seen a surge in these claims, many have not survived the motion to dismiss stage for assorted reasons, such as lack of standing, absence of a reasonable expectation of privacy, and failure to establish that communications were intercepted or accessed by third parties.
New Frontiers: From Wiretap to Pen Registers and Trap and Trace
The future of data sharing claims based on invasion of privacy statutes and other eavesdropping-related laws remains uncertain, especially as courts increasingly scrutinize and dismiss wiretap theory claims. In Vita v. New England Baptist Hospital, the Massachusetts Supreme Judicial Court recently confirmed that the state’s anti-wiretapping statute does not extend to website tracking technologies.
As states grow hostile to such wiretapping claims, plaintiffs’ attorneys are exploring different technologies and state statutes to prop up their claims, such as those governing pen registers as well as "trap and trace" devices or the stringent consent requirements found in Illinois, Pennsylvania, and Washington. Pen registers and trap and trace devices log incoming or outgoing call events, but not the calls themselves.
While these newer claims will certainly be the subject of vigorous defenses, the time, energy, and money spent to defend marketing collection practices, even if the complaint is ultimately dismissed or settled, cannot be overlooked.
Takeaways for Companies
As plaintiffs’ attorneys refine their strategies, the landscape surrounding data sharing litigation will continue to evolve. By taking proactive steps to secure consent and ensure transparency, businesses can make themselves less vulnerable to costly litigation and avoid emerging legal challenges. Key proactive steps to consider:
- Obtain Clear Consent. Obtaining explicit consent from consumers before using data collection technologies can preempt data sharing claims. Would-be litigants testing your website are more likely to see an invasion of privacy claim as an uphill battle. If your business is using tracking technologies like cookies, pixels, chatbots, or session replay, ask for consumer consent before collecting user data.
- Disclose Data Recipients. Transparently disclose who receives data collected by these technologies. If vendors collect data on behalf of a business rather than for their own use, it may be difficult for plaintiffs to sustain a violation claim. Ensure that your agreement with your vendor has appropriate consumer protections.
- Offer Opt-In/Opt-Out Options. Provide consumers with any required options to opt in or out of consumer data collection upon visiting the website.
- Educate Teams. Ensure both marketing and legal teams know the tracking technologies being utilized and understand their implications. Implement a process for legal approval before new products are added to the website. Purge unnecessary technologies.
- Stay Updated on Laws and Litigation. Regularly monitor state wiretapping laws and related litigation developments to adjust your practices as needed. Claims often falter if plaintiffs cannot demonstrate that the data was intercepted while in transit or if no actual harm was suffered.
Madelyn Candela also contributed to this alert as part of her summer clerkship at Parker Poe.