While readers of this blog are familiar with the proliferation of California Invasion of Privacy Act (“CIPA”) wiretapping claims, our readers may be less familiar with CIPA-related GET Request claims. Below, we explain what GET requests are and how the Plaintiffs’ Bar is alleging that GET Requests violate CIPA.
Does a GET Request Violate CIPA?
Plaintiffs typically allege that the use of unauthorized third-party GET requests violates CIPA and constitutes illegal wiretapping. In its simplest terms, a GET request is a means for collecting data from a source via the internet. Although it is capitalized, “GET” is not an acronym, but rather, can be thought of as “GETing” data. A GET request is a command that internet web browsers use to communicate with website servers. For example, when an internet user navigates to a website via his/her web browser, the browser sends a GET request to the server for that particular website. This GET request first tells the website what information is being requested and then instructs the website to send the information back to the user. The GET request also transmits a referer header containing the user’s personally-identifiable URL information. Typically, this communication occurs only between the user’s web browser and the subject website. However, on websites that utilize third-party tracking technologies, such as those employed by Google, Meta, and TikTok, to name a few, the tracking code directs the user’s browser to copy the referer header from the GET request and then sends a separate, but identical, GET request and its associated referer header to the third-party’s server.
Whether a GET request violates CIPA’s wiretapping statute often depends on the jurisdiction where the case is brought. In analyzing Federal Wiretap Act claims, the First and Seventh Circuit Courts of Appeal have determined that defendants may face liability for the use of such third-party GET Requests. Similarly, in Davis v. Facebook, Inc. (In re Facebook Inc. Internet Tracking Litig.), the Ninth Circuit Court of Appeals held that Facebook’s receipt of data via a GET request did not exempt it from liability under CIPA. In contrast, in In re Google Inc. Cookie Placement Consumer Privacy Litig., the Third Circuit Court of Appeals considered whether internet advertising companies were parties to a communication when they placed cookie blockers on web-users’ browsers to facilitate the delivery of online advertisements. In Google, the users’ browsers sent GET requests to third-party websites, and upon receipt, the websites duplicated the GET requests and sent them to defendants. Applying California law, the Third Circuit court concluded that defendants were “the intended recipients” of the duplicated GET requests, and thus, “were parties to the transmissions at issue.” Because a party cannot wiretap its own communications, the Third Circuit affirmed the trial court’s dismissal of plaintiff’s wiretapping claims.
Was Your Company Named in a CIPA Lawsuit?
CIPA GET request claims often mirror those alleged in a litany of other lawsuits against companies that use third-party tracking software. Because CIPA allows for the recovery of: (1) $5,000 per violation; or (2) three times the amount of actual damages, if any; and (3) injunctive relief, these alleged violations, especially when they are brought as a class action, can be quite expensive.
[View source.]
