An online advertising gold rush began from an unlikely source: meticulously mining the data beneath every click, scroll and interaction. It turns out that there was gold in understanding how a consumer views a website. To that end, companies began utilizing cookie technologies to better understand their consumers. However, as companies have nearly universally adopted these technologies for their public-facing websites, the concept of privacy stands at a critical crossroads. Whether they are aware of it or not, regulators and class action litigators are now in cyber conflict over a 30-year-old telephone statute.
On one front, companies now face regulation under statutes like the 2020 California Consumer Privacy Act (CCPA) and the 2022 California Privacy Rights Act (CPRA). Statutes like the CCPA and the CPRA require companies to provide browsers of their websites with notice of how their data is being collected and a mechanism to reclaim their data autonomy. This mechanism must include the ability of the person browsing to halt the collection and sale of their data.
These statutes create new consumer privacy rights including, among other things: the right to know about the personal information a business collects about them and how it is used and shared; the right to delete certain personal information collected from them; the right to opt out of the sale or sharing of their personal information; the right to correct inaccurate personal information that a business has about them; and the right to limit the use and disclosure of sensitive personal information collected about them. Notably, there is no private right of action for violations of these rights. Rather, violations of the CCPA and CPRA are solely pursued by the California Attorney General.
These modern privacy rights are now running into conflict with a 30-year-old telephone statute.
The California Invasion of Privacy Act (CIPA) is a privacy law that went into effect in 1994 to protect residents of California from eavesdropping on conversations on telephones. This impermissible eavesdropping could take the form of intercepting the content of the calls (wiretapping) or of recording the timing and participants in the calls (pen register/trap & trace). While “communications” was initially meant to cover phone calls, it has recently been reinterpreted by certain courts to cover any communications online, including those of VoIP calls, video chats and even written communications where third parties are involved. Whether via landline, digital wiretap or cookie pen register/trap & trace, CIPA only banned the practices where there was no consent. The statute, however, does not discuss how online consent could be given. This is not surprising: it was written to address telephones, not online activities.
Since CIPA prohibits eavesdropping on communications without consent, and that statute remains silent on the mechanics of consent, consumer class action firms have started suing businesses, arguing that the use of cookies, web beacons, pixels, scripts or code that track a user while they are using a website constitutes a violation of CIPA. Because any CIPA case hinges on consent, these cases are engaging in an ad hoc rulemaking that could define online tracking consent.
A recent case that underscores the implications of this legislation is the ongoing Northern District of California lawsuit of Vishal Shah and Jayden Kim against Fandom, Inc. The plaintiffs allege that the gaming website gamespot.com facilitated the installation of third-party tracking software without their informed consent. They argue that these cookies operate as unauthorized pen registers, as defined by Section 638.51(a) of CIPA. Defendant Fandom has attempted to dismiss the case, arguing that the practice of sending IP addresses to third parties is a common industry standard. However, the court's recent order denied Fandom's motion to dismiss based upon plaintiffs’ claim that they did not anticipate their IP addresses being transmitted to third parties as a consequence of merely visiting the website. While this decision appears bad for businesses on the internet, it may already be moot.
In the abstract, notice and consent seem like slippery concepts. What does it mean to provide consent? Are users truly aware of the extent to which their data is being collected and shared? Maybe that slippery inquiry would be our future if CIPA existed in a vacuum. It does not. As the end process of two democratically produced acts and extensive rulemaking, we actually do know the contours of consent when considering tracking software under California law.
The core of the CCPA sets forth the standards for notice, consent and the option to opt out wherever the Shah-type tracking cookies are deployed. This CCPA/CPRA framework allows consumers to review their data collection and to actively deny businesses the right to sell or share their personal information. The act empowers users, giving them the ability to dictate how their data is used and by whom. This is a consent framework that was designed for the internet age by citizens and electors in a democratic process. The right to “opt-out,” rather than the requirement to “opt-in,” was a significant and calculated conclusion of this process. Any court faced with CIPA litigation simply must consider CCPA compliance as determinative on the issue of consent. Therefore, while Shah would seem to open the door to litigation under California law, the simple fact is that any company complying with the CCPA/CPRA likely already has legally provided notice and received consent. With consent, the claims must fail.
In conclusion, regardless of whether CIPA prohibitions against wiretaps, pen registers, and trap and trace technologies apply to online communications, California voters and regulators have already provided their answer on the contours of consent. The opt-out consent model heralded a new era where consumers were empowered to reclaim their digital rights. The ruling denying the motion to dismiss in Shah v. Fandom does not change this.