The information provided within this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available within this article are for general informational purposes only. The information herein should not be used upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author, who is not a legal professional. 

When most people imagine “wiretapping,” typically a website isn’t the first thing that comes to mind. You might be picturing a team of federal agents, ear to a headset, with a big tape recorder running in the background. What about a chatbot, though, or even a tracking pixel? Is that a form of wiretapping?

What is wiretapping?

Let’s take a look at the legal definition of wiretapping, as defined by the California Invasion of Privacy Act (CIPA). “Wiretapping” is defined by California Penal Code §631, according to the law firm Neal, Gerber, and Eisenberg, as “using a machine or instrument to intentionally make a connection via a line or cable to read or attempt to read the contents of a communication.”

This law also prohibits the use of both a “pen register” as well as “trap and trace” devices without explicit consent or a court order. The statute defines a “pen register” in §638.50 as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” A “trap and trace” device is similar, it records incoming impulses, electronic or other, that identify the originating signal information and, by extension, the reasonable identity of the source of that information—again without collecting the contents of that transmission.

In short, a “pen register” records phone numbers or “routing” information that is outgoing from a device, while a “trap and trace” device records incoming routing information. The key here is that the statue defines these devices as capturing “routing information” and not necessarily phone numbers.

That all sounds pretty vague, huh? It certainly is, and that’s where the problem arises.

Website owners are being sued for wiretapping

Last year, a Southern District of California District Court denied a motion to dismiss in Greenley v. Kochava, according to experts at Husch Blackwell. In this case, the plaintiff argued that the developer of a software development kit (SDK) has violated CIPA by including code that forwarded the location information of the user, unwittingly, to the developer. They argued this was tantamount to a “pen registry” or “trap and trace” device, in that it revealed the source of a particular communication, even if it didn’t reveal the communication itself.

Keep in mind that this bill was written in 1967, so this interpretation is quite a stretch from the original interpretation. However, there are plenty of creative law firms out there. Plaintiffs have filed hundreds, if not thousands, of individual and class action lawsuits in California courts asserting new, creative applications of CIPA to new technologies, according to lawyers at Nixon Peabody.

These aren’t shots in the dark, either! Plaintiffs are seeing some level of success in their suits—though not all of them.

In Licea v. Hickory Farms, courts rejected the notion that collecting a visitor’s IP address constituted an illegal pen register. So while simple analytics is probably safe from a CIPA suit, it isn’t exactly clear what technologies do constitute an illegal wiretapping. However, there are a few common victims.

Plaintiffs' attorneys are primarily bringing claims against businesses for their use of chatbots, website session replay technologies, and pixel tracking technologies, according to Bloomberg Law.

• Chatbots are being likened to what CIPA considers as a “secret” wiretap that allows third parties to listen in on a conversation without the users’ consent.
• Website session replay technology, like Microsoft Clarity, may, according to plaintiffs, allow website owners to eavesdrop on private conversations for use in targeted advertisements.
• Pixel tracking, a common target of many privacy laws—including the recently passed Colorado Privacy Act may allow businesses to surreptitiously collect information about user interactions and behaviors.

Frankly, the merits of these lawsuits aside, these are technologies you should be concerned about from a privacy perspective anyway. Dozens of states have enacted increasingly stringent regulations governing the use of these technologies that are far clearer than this archaic interpretation of a decades old California law.

Yet, what makes this law so enticing for plaintiffs is the payout. CIPA claims can impose statutory damages of up to $5,000 in fines per violation. Since each visitor counts as a violation, even a desolate website with only a couple hundred visitors per month could see a hefty bill totalling nearly a million dollars.

CIPA has a long reach

Despite the name, you don’t necessarily need to be based on California to be impacted by the California Invasion of Privacy Act. 

Experts at BakerHostetler recommend businesses situated outside of California being faced with, or concerned about, a CIPA suit ask themselves the following questions:

• Is the company website California-specific (i.e., is the subject matter of the website specifically tailored to Californians)?
• Does the company engage in activities to drive California residents to its website?
• Does the company specifically profit from California website viewers (as opposed to viewers generally)?
• Does the company profit from California-specific advertisements on its website?
• What percentage of the website’s users are associated with a California address?
• Where is the website hosted (i.e., within California or in a location specifically intended to increase the number of California users)?
• Are the website’s terms and conditions and/or privacy policies aimed at Californians or users as a whole?
• Does the website collect the same information on all users, or does it collect different information if the user is associated with a California address?

Businesses should also consider whether or not their servers are physically located in California. For modern distributed, cloud-based websites, that isn’t always clear. In fact, none of those questions are particularly straightforward to answer.

Stop these lawsuits in their tracks

All privacy laws, including CIPA, tend to have a uniting factor; user consent. A fantastic way to help your clients avoid these frivolous shakedown attempts is to request explicit permission to install cookies, record session information, or perform nearly any kind of behavior tracking.

Not only will this protect your client from scary, unnecessary demand letters, but it’ll also future-proof their website. This month alone new privacy laws went into effect in Florida, Oregon, and Texas, with Montana to quickly follow suit beginning October 1st. 

The United States federal government isn’t far behind, either. In April, a bipartisan, bicameral coalition unveiled a draft of the “American Privacy Rights Act,” following increasing public pressure to protect consumer privacy online.

Now is a great time for your clients to get their data houses in order, before it’s too late. Well written privacy policies, comprehensive terms of service, and effective cookie consent banners can work in tandem to protect your customers from aggressive privacy lawsuits like the CIPA ones we have seen appearing in courts across California.

Apps like Termly and Termageddon can dramatically simplify this process for your SMB customers, especially those without a dedicated legal team. Termageddon has written extensively about the threat of CIPA lawsuits, and is proud to offer a policy generator that explicitly protects against this specific threat.

While these lawsuits may be frivolous, an old saying still rings true, “better safe than sorry.”