The California Invasion of Plaintiffs Act: A Cold War-era law is heating up court dockets

Over the last two years, there's been an onslaught of putative class actions alleging violations of the California Invasion of Privacy Act (CIPA), Cal. Penal Code §630 et seq. Enacted in 1967, CIPA was intended to outlaw the surveillance of Californians' communications sent via telephone wires (later, cellular phones). Recently, enterprising plaintiffs have been seeking to wedge modern-day website technologies like chatbots, session replay software, and advertising pixels into the statute.

To date, diverging court rulings are giving rise to a deluge of plaintiff demands. Unless an authoritative judicial ruling clarifies CIPA's (non-)applicability to these common internet technologies or the legislature amends the law, the best risk mitigation strategy for companies is to review their current practices, ensure robust disclosures, and obtain prior consent. A summary of CIPA, how courts have applied it, and some potential steps companies can take to mitigate risk follows.  

Background

California Penal Code Section 631(a) proscribes three independent patterns of conduct: (1) intentional wiretapping, (2) "attempting to learn the contents or meaning of a communication in transit over a wire," and (3) "attempting to use or communicate information obtained as a result of engaging in either of the previous two activities." See Tavernetti v. Super. Ct. of San Diego County, 22 Cal.3d 187 (Cal. 1978). The final clause of Section 631(a) makes liable any person who aids another in carrying out conduct prohibited by the prior three clauses.

Courts have read a direct party exception into Section 631(a), reasoning that a party to a conversation cannot eavesdrop on its own conversation. See In re: Facebook Inc. Internet Tracking Litigation, 956 F.3d 589 (9th Cir., 2020). Thus, the final clause in Section 631(a), which established aiding and abetting liability, has been the predominant driver in the wave of CIPA class actions.

A separate section of CIPA, Section 638.51(a), prohibits a person from installing or using a pen register or a trap-and-trace device without proper consent or a court order. A "pen register" captures outgoing transmissions and a trap and trace device captures incoming transmissions. Absent limited exceptions, use of a trap and trace device or pen register is unlawful.

CIPA recognizes a private right of action for an individual to seek an injunction, and successful plaintiffs are entitled to the greater of $5,000 per violation or treble damages, pursuant to Section 637.2.

Chatbots

Generally, a chatbot is a computer program that simulates human conversation via a "live chat" feature. In the initial phase of CIPA litigation, Plaintiffs argued that a company using a third-party service provider to integrate a chatbot feature on its website constituted "aiding and abetting" the third-party provider's wiretapping of the website user's chatbot communications with the defendant.

More recently, plaintiffs, such as the plaintiff in Cody v. Boscov's, Case No. 8:22-cv-01434-SSS-DTB, (C.D. Cal. May 6, 2024, have turned to Section 638.51 to argue that a chatbot feature constitutes an unlawful pen register. In that case, the Court held that the expansive definition of a pen register could cover new internet technologies.

Session replay software

Session replay software can capture reconstructions of a user's interaction with a website, including recording keystrokes, mouse clicks and movements, the pages and content viewed, etc. Plaintiffs have alleged that the software violates CIPA by enabling the software vendor to intercept communications between a company using the software and its website visitors. 

In a July 18, 2024 decision granting a motion to dismiss, the chief judge for the Southern District of California, however, found that keystrokes and mouse clicks do not constitute "the contents or meaning of any message, report, or communication" between users and websites because they do not "in any way specify the nature of the alleged intercepted communications." Augustine v. Great Wolf Resorts, Inc. (Case No. 23-cv-00281-DMS-DTF, S.D. Cal, 2024).

Pixels

Pixels are small bits of software code embedded in websites or emails that can collect information about an individual's interaction with content, online browsing habits, or an individual's personal information such as an online ID or email address. Plaintiffs have alleged pixels "wiretap" communications between users and websites and that companies using these pixels aid and abet that wiretapping.

In Dino Moody v. C2 Educational Systems, the U.S. District Court for the Central District of California concluded that the plaintiff adequately pled that the C2 website deploying the TikTok pixel to capture form data entered by users on the C2 website, including name, date of birth, addresses, to undertake a device fingerprinting process to identify website visitors was plausibly comparable to unlawfully installing a pen register or trap-and-trace device in violation of Section 638.51(a). Worse, the court specifically rejected C2 Education's argument that CIPA does not provide a private right of action for Section 638.51(a)violations.

Risk mitigation measures

As courts continue to deliberate how, if at all, CIPA might apply to common web technologies, companies can mitigate their risk by:

1.    Mapping the technologies currently in use and existing disclosures regarding those technologies to identify risks.

2.    Enhancing consumer-facing disclosures alerting consumers to the presence of third-party web technologies. 

3.    Obtaining opt-in consent for targeted advertising, even if legally unnecessary.

4.    Revising service provider agreements to more explicitly restrict vendors' use of personal information, which can strengthen an argument that these vendors fall within CIPA's party exception.