Over the past two years, data privacy class action lawsuits based on alleged violations of wiretapping laws at the federal and state levels have increased nationwide. Consumer companies have been accused of intentionally and knowingly sharing users' communications with third parties without their consent.
Many companies use various technologies to collect information about users who visit their websites for advertising purposes and to improve the user experience. However, with the recent surge in litigation, companies should carefully review their data collection practices and policies.
New data privacy class action lawsuits are emerging every week, and this trend is expected to continue. At the federal level, plaintiffs' lawyers are suing under the Electronic Communications Privacy Act of 1986, which was enacted to limit wiretapping and electronic eavesdropping.
At the state level, class actions alleging violations of state wiretapping laws are most frequently filed in California, Pennsylvania, Florida, Illinois, and Massachusetts. However, most states have wiretapping laws that typically impose liability on companies that intercept user communications without prior consent. Most laws impose criminal liability and also recognize private civil causes of action.
In California, the state with the most class action lawsuits, plaintiffs' lawyers allege violations of the California Invasion of Privacy Act of 1967. CIPA lawsuits alleging that consumer interactions with chatbots were illegally shared have largely been dismissed, and some courts in California have even ruled that CIPA only applies to telephone communications. There is.
Nevertheless, plaintiffs' attorneys continue to file CIPA class actions based on both existing and new theories of liability. This may be due to inconsistent ways in which courts apply her CIPA to modern technology, and some courts' reluctance to dismiss claims. Many of his CIPA claims, which can carry statutory damages and fines of $5,000 per violation, are pending.
Initially, plaintiffs' lawyers filed a lawsuit alleging violations of state wiretapping laws based primarily on the companies' use of chatbots, website session replays, and pixel tracking technology.
chatbot It is used as a form of online support and can store information provided by users. Plaintiffs' lawyers argue that chatbots essentially function as “covert” wiretaps, allowing third parties to eavesdrop on conversations without users' consent.
Website session replay technology Companies can record user activity, such as keystrokes, on websites and replay this activity. Lawyers for the plaintiffs argue that the technology allows website operators to “eavesdrop” on private conversations to third parties and use them for purposes such as targeted advertising.
pixel tracking Tiny transparent images known as pixels are embedded in emails, web pages, and advertisements. Plaintiffs' courts argue that these pixels allow companies to secretly collect information about users' interactions and actions.
Plaintiffs' lawyers have begun filing lawsuits that predicate CIPA and other state wiretapping laws on at least three new theories.
identity graph technology This has the potential for companies to use ID resolution tools to de-anonymize site visitors, allowing them to monetize their visitors' browsing habits and share them with third parties.
email marketing technologyThis includes the use of email campaign analysis tools that allow companies to observe and record individual user interactions.
“Pen register” and “trap and trace” Tracking software to monitor user location, search queries, browsing activity, or purchase history. This may include cookies, web beacons, pixels, scripts, or software code.
Plaintiffs' attorneys continue to bring cases based on the use of one or more of these technologies, but many courts have rejected wiretap fraud claims based on the use of chatbots. Any new theory advanced by plaintiffs' attorneys will likely be subject to existing defenses.
However, courts are generally divided on the interpretation of state wiretapping laws, particularly CIPA, which could create problems for companies operating consumer websites.
While many data privacy lawsuits are pending and others are dismissed early in the process, companies should take the following steps to protect themselves from data privacy lawsuits.
- Review your technology usage to ensure that third-party vendors cannot use your data for their own purposes without your consent.
- Implement effective data security measures, including drafting clear data security and privacy policies and revising these policies as necessary. Privacy policies should be updated not only on your website, but also on chatbot features that notify users that their chat is being recorded.
- We will make all disclosures clearly and conspicuously as required by federal and state standards.
- Quickly address potential data breaches to minimize the risk and impact of litigation.
- Obtain affirmative, explicit consent to allow data collection from users, such as through pop-up banners that require users to indicate that they agree to the terms and conditions of a company's data collection practices.
Even if these disclosures prove unnecessary, they can help companies avoid the costs they could face in a class action lawsuit.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Author information
Joshua Briones is a managing member of Mintz's Los Angeles office.
Crystal Lopez and Nadia Zivkov are colleagues in Mintz's litigation practice.
Please write to us: Author guidelines