Like many organizations, Peloton is facing a legal challenge under the California Invasion of Privacy Act (CIPA) relating to the company’s alleged use of third-party technology on its website to intercept chat communications without user consent.

In the wake of growing uncertainty on the interpretive impacts of CIPA related to analytical, customer support, and other web-based tools and tracking technologies, companies utilizing these third-party technologies should adopt robust privacy practices and stay informed on the latest interpretive developments.

Matter Overview

In Jones v. Peloton Interactive, Inc., Case No. 3:23-cv-01082, Peloton is accused of embedding third-party software into its website chat feature, which allegedly intercepted and recorded chat communications between users and Peloton representatives without the users’ consent. The intercepted data was purportedly used by the third party to enhance and train its artificial intelligence (AI) tools.

Plaintiff’s primary claim is under CIPA section 631(a), which prohibits the interception of communication without consent from all parties. On July 5, 2024, the court denied Peloton’s motion to dismiss the case, allowing plaintiff’s claims to proceed and emphasizing that the service provider’s actions could be considered third-party eavesdropping under CIPA.

AI Chatbots and Tools: Potential Risks

Many companies employ AI-driven web-based chatbots and other tools to enhance customer interactions and streamline service processes. These tools, however, pose significant privacy risks if not properly managed. Common AI tools that may give rise to privacy claims include:

• Chatbots: Automated chat systems that handle customer inquiries and provide support. These can range from simple rule-based chatbots to sophisticated AI-driven conversational agents.
• Session Replay Tools: Software that records user interactions on websites, such as webpage navigation and website feature clicks, to analyze user behavior and improve user experience.
• Keystroke Logging Tools: Programs that track and record user keystrokes, such as when entering passwords or search bar requests, to gather data on user interactions and inputs.
• Voice Assistants: Systems that process and respond to voice commands, potentially recording conversations without explicit consent.
• Customer Relationship Management (CRM) Tools: Systems that track and analyze customer interactions across various channels, often integrating AI to enhance functionality.

CIPA Claims

CIPA encompasses several causes of action, particularly when involving the use of third-party technologies:

1. Wiretapping Claims: This section prohibits unauthorized interception of communications. Companies may be found liable if third-party tools they employ intercept communications without proper user consent.
2. Eavesdropping Claims: This section addresses unauthorized eavesdropping on confidential communications. AI tools that record conversations without explicit user consent may trigger claims under this section.
3. Recording Telephone Communications: This section prohibits unauthorized recording of telephone communications. AI systems that record phone conversations without user consent may lead to claims under this section.
4. Aiding and Abetting: Companies can also face claims for aiding and abetting if they utilize third-party tools that engage in prohibited activities, even if the company itself did not directly perform the interception or recording.

Damages for Violations of CIPA

Violations of CIPA can result in significant financial penalties. Plaintiffs can recover up to $2,500 per violation, and up to $10,000 per violation if the defendant has previously been convicted of violating the statute.

In the context of a class action, these damages can quickly accumulate, potentially resulting in substantial liabilities for companies. For instance, if a class action involves thousands of users, the cumulative damages could reach well into the millions.

Implications for Businesses

This lawsuit underscores several important implications for businesses, particularly those operating in California or engaging with California residents:

• Third-Party Technologies: Companies that use third-party technologies for customer interactions, analytics, or advertising purposes can face serious privacy legal risks. These services are being more closely examined by courts to determine if they act as separate listeners or as instruments of the main business.
• Consent and Disclosure: Businesses should ensure they obtain consent (affirmative or express consent preferably) from users before sharing or recording communications. Clear and conspicuous disclosures about the use of third-party technologies and the purpose of such technologies and related data collections are essential to mitigate legal risks.
• Compliance with Privacy Laws: Companies should regularly review and update their privacy policies, cookie notices, and related practices to ensure compliance with applicable laws, including CIPA, the California Consumer Privacy Act (CCPA), and other state and federal privacy regulations.
• Conduct Regular Privacy Audits: Regularly audit and review all third-party technologies used in customer interactions to ensure compliance with privacy laws. This includes evaluating whether these technologies have access to user communications and how they handle such data.

Conclusion

Peloton’s wiretapping suit serves as a crucial reminder of the potential privacy risks associated with using third-party technologies for customer interactions. Businesses must take proactive steps to ensure compliance with privacy laws like CIPA to avoid similar legal challenges.