In-House Counsel Asks California Appeals Court To Resolve CIPA Privacy Questions Amid Digital Wiretapping Litigation Flood
The Association of Corporate Counsel (ACC) is urging the California Court of Appeal to resolve growing questions around whether the California Invasion of Privacy Act (CIPA) should be applied to commonplace technologies like cookies and tracking pixels. The decades-old California privacy law is driving tens of thousands of arbitrations, demand letters, and lawsuits against businesses that use basic website tracking tools. This trend is draining time and resources from in-house counsel trying to advise their businesses across the country, ACC told the court in an amicus brief April 8. Without clarity on CIPA, in-house counsel will continue to be pulled away from other essential legal compliance work and businesses will be forced to seek court orders just to operate their websites. The brief, drafted by FP’s Usama Kahf, Darcey Groden, and David Shannon on behalf of ACC, argues that the California Consumer Privacy Act (CCPA) should be governing California’s privacy regime, as it explicitly addresses website data sharing and cookie usage. The brief shines a light on the litigation minefield businesses with California-based customers are navigating when it comes to privacy compliance and how it’s impacting their real-world operations. This Insight will cover everything you need to know about the issue and how it could potentially affect your business.
How Did We Get Here?
CIPA was enacted in 1967 to address wiretapping and eavesdropping. It contains broad language banning “intercepting” communications without consent and prohibits “pen registers” and “trap and trace devices” absent a court order. Because CIPA predates the modern internet, it contains no clear statutory provisions or legal guidance tailored to website tracking technologies or regulations.
CIPA was amended in 2015 to prohibit use of “pen registers” and “trap and trace” devices without a court order. Although the internet and website tracking technology was in wide use at the time, this 2015 amendment said nothing about website cookies and pixels, as the devices it prohibits are historically used by law enforcement to attach to a physical telephone line. And even the process this amendment spelled out for obtaining a court order to install these devices appears to be limited to telephone lines.
Plaintiffs across the country have been filing thousands of lawsuits against websites visited by California residents. They argue that routine digital tools and software like cookies, pixels, session replay, chat widgets, search bars, and ADA accessibility tools fall into the category of illegal “pen registers” or “trap and trace devices” under CIPA because they capture information without consumer consent.
This tidal wave of litigation has split California courts, making it nearly impossible for businesses to understand their compliance obligations without constantly monitoring evolving case law. “What we are left with is a whole bunch of conflicting court opinions applying the law to new technology,” said FP’s Kahf, who helped draft the amicus brief submitted in Variety Media, LLC v. Superior Court (Rose). “Every court is coming out differently. Same complaints, same courthouse, two different judges, two different outcomes.”
The resulting confusion has only further fueled the litigation trend, and in turn, drained in-house counsel by pulling them away from other essential compliance duties.
"Every demand letter has to be evaluated. Someone has to determine next steps, hire outside counsel, inform the business of what’s happening, etcetera,” said Susanna McDonald, vice president and chief legal officer at ACC. “It takes hours out of a person’s day that they could be using to develop and enforce compliance programs and helping the business be a better corporate citizen."
Clogging Up The Courts
At the heart of these cases, including the Variety Media case pending before the appeals court, plaintiffs are alleging that cookies, pixels and other metadata tools on websites should be treated as pen registers or trap and trace devices under CIPA. Under the statute’s original design, pen registers and similar wiretapping technologies were law enforcement surveillance tools that must be authorized via a court order. If the appeals court found that cookies and tracking pixels were pen registers, then companies will be forced to request court orders just to use these commonplace tools on their websites, ACC said.
“Are the courts prepared to handle an avalanche of applications for court orders to approve installation of pixels on websites?” FP’s Kahf said. However, if the court were to side with Variety, which argues that cookies and tracking technology aren’t pen registers under CIPA, the ruling could limit similar claims against other businesses.
ACC’s Request to the Court
The courts should recognize the CCPA as the intended law for regulating online privacy and website data collection and sharing, the ACC said in its brief, because it was enacted expressly to address issues related to consumer privacy and data disclosure. CIPA, on the other hand, makes “no mention of website data and cookies,” and is being stretched beyond its original purpose. Interpreting CIPA to cover the same website technologies as the CCPA would also conflict with the opt-out and disclosure rights established under CCPA, making some of its rules largely meaningless.
Businesses that operate websites should also have all the necessary oversight and information to comply with the CCPA through the law’s regulatory process and oversight agency, the California Privacy Protection Agency. “The attempts to overlay CIPA on top of California’s online privacy regulatory regime leaves in-house counsel in the dark on how to avoid CIPA allegations while simultaneously complying with the CCPA’s comprehensive requirements,” the brief said.
Staying On Top of Privacy Litigation
Website privacy litigation under CIPA, as well as other federal and state privacy laws, is rapidly evolving. For a fuller picture of digital wiretapping litigation trends nationwide, visit our Digital Wiretapping Litigation Map, which tracks related cases across all 50 states.
FP’s years of experience advising businesses on consumer privacy issues and work litigating cases tied to website and app technologies was key in its partnership with ACC. If you have any questions about how to ensure your business is compliant with CIPA and other privacy laws, contact a member of our Privacy and Cyber Practice Group or Digital Wiretapping Litigation Team.
Conclusion
We will continue to monitor developments related to this litigation, so make sure you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information. If you have questions, contact your Fisher Phillips attorney, the authors of this Insight, or any member of our Privacy and Cyber Practice Group or Digital Wiretapping Litigation Team.
Related People
