California continues to grapple with a significant surge in lawsuits and arbitration demands aimed at businesses operating websites employing technology to monitor online activities. These cases hinge on the California Invasion of Privacy Act (“CIPA”), a pre-internet era law to combat unlawful wiretapping and electronic surveillance that is currently used against modern website technologies. Allegations often assert that businesses with websites frequented by California residents engage in unlawful “wiretapping” and “pen register” activities through technologies like cookies and pixels to track website traffic and collect user data.

The Legal Landscape

California courts have yielded varied outcomes in response to these cases. In Byars v. Hot Topic, Inc., 2023 WL 2026994 (C.D. Cal. 2023), the court dismissed the CIPA claim, ruling that the website owner and its vendor, as intended recipients of plaintiff’s communications, could not be held liable for illegal wiretapping. Conversely, in Greenley v. Kochava, Inc., 2023 WL 4833466 (S.D. Cal. 2023), the court allowed the lawsuit to proceed, concluding that allegations of defendant’s use of tracking software for its own purposes constituted a process that recorded routine information and sufficiently described a CIPA violation.

Potential Damages and Liability for Businesses

Businesses with websites accessed by California residents must remain vigilant about these legal trends and ensure adherence to relevant privacy laws to mitigate potential risks. Companies across various consumer-facing industries with websites are susceptible to such lawsuits. With statutory damages of up to $5,000 per violation and no requirement for plaintiffs to demonstrate actual damages, the stakes of CIPA litigation are considerable.

Proactive Measures to Mitigate CIPA Litigation Risks

Consent plays a pivotal role as the first line of defense in CIPA litigation. Therefore, we strongly urge all companies to conduct a comprehensive review of their data-gathering websites, encompassing tracking technology deployment, third-party technologies, privacy policies, and user choices (e.g., opt-in or opt-out features). Equipped with this insight, companies can proactively mitigate potential CIPA litigation risks.

When confronted with a lawsuit or arbitration demand, businesses must prioritize securing competent legal representation. Settling early with one claimant does not shield a company from subsequent similar claims. Therefore, it is imperative that companies develop a comprehensive strategy, including collaborating with experienced outside counsel who can assist in formulating an effective response tailored to the case’s specifics.