WHAT IS CIPA? WHY AM I GETTING LEGAL THREATS ABOUT MY WEBSITE PIXEL TAGS? AND HOW DO I HANDLE THEM?
I never thought I’d be writing an article that reads like one of those late night infomercials where the headline is “If your company is a victim of threats related to your use of website pixel tags, call 1-800-Privacy Attorney.” Unfortunately, thousands, if not tens of thousands, of notices and demands have now been sent to businesses claiming that they are violating the California Invasion of Privacy Act (CIPA). While it is the opinion of this attorney that these claims are entirely without merit, select judges have been unwilling to automatically dismiss these claims which has led to a ‘litigation factory’ where every website with a third party pixel tag is now at risk of being sued or drawn into arbitration to defend their business practices.
A TL;DR On CIPA
CIPA addresses ‘electronic surveillance’ and provides for a private right of action for aggrieved individuals to directly sue businesses. While CIPA pre-dates the use of website pixel tags, the language and scope of the law is so broad that it could possibly cover any such technologies regardless of whether they are ubiquitous across the Internet. The latest complaints related to pixel tags focus primarily on third-party advertising services (often Meta/Facebook) where the third party ‘may’ be ‘intercepting’ the associated visitors website information for their own business purposes, hence the claims that these pixel tags violate CIPA.
Why Pixel Tags (And Not Cookies)
Pixel tags are invisible images that enable a website to ‘call’ another business and share select information about a website visitor. Once that other business gets the call, they can then choose to try and place a cookie (text file), or read an existing cookie, within the visitor’s browser in order to ‘remember’ or ‘associate’ the visitor with the website visit information. While cookies can easily be blocked by browsers or opted out of through various tools, pixel tags typically ‘fire’ on a website by default upon a visit (at least in the United States). The automatic ‘sharing’ of the metadata associated with third-party pixel tags with other businesses is the key issue with these CIPA claims. The metadata typically includes an Internet Protocol (IP) address that potentially can be associated with an individual or household (and is now defined as ‘personal information’ under the California Consumer Privacy Act).
The Website Services In Scope For CIPA Claims
Plaintiffs are claiming that numerous different website technologies related to pixel tags all violate CIPA (under various legal rationales), including:
Session Replay Software: Session replay software enables websites to measure the ‘path’ visitors take on their website, or other visitor-specific measurement efforts.
Chatbots: Chatbots and other interactive customer service chat functionality that enables a third party software or service to automate answers to visitor questions or engage a live respondent.
Advertising Pixel Tags: Advertising pixel tags, including Meta/Facebook’s, Google’s, TikTok’s, Snap’s, and others are referenced in these claims. In particular, the Meta/Facebook is often referenced because Meta enables Facebook users to identify which websites share information with Meta through their ‘Off Facebook Activity’ tool, which these plaintiffs have used as purported evidence alongside their complaints.
Courts Are Split On Automatic Dismissals
To be clear, no court decision has set a clear precedent related to CIPA pixel tag claims. While there are a few cases working their way through various courts, the judges hearing business defendant’s motions to dismiss these claims have been split on how to properly interpret CIPA claims at the pleading stage. Because some judges have allowed these claims to move past a motion to dismiss, plaintiffs’ attorneys are capitalizing on this uncertainty, issuing demand letters and filing numerous complaints against companies, seemingly in an exercise to engage them in settlement negotiations - rather than proceed with more costly litigation.
These splits in court decisions are not on technical details, but rather whether CIPA even applies to these technologies generally. For example, on March 13, 2024 in Licea v. Hickory Farms LLC, a California Superior Court in LA County firmly dismissed the case stating, “Nothing in the complaint establishes an IP address as equivalent to [ ] ‘unique fingerprinting’” as is necessary to establish in typical ‘pen registry’ claims. Moreover, the court found,
“public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such a broad based interpretation would potentially disrupt a large swath of internet commerce without further refinement as the precise basis of liability, which the court declines to consider.”
And yet, just 2 weeks later on April 3, 2024 (also in Los Angeles county), a different Superior Court held in Levings v. Choice Hotels International, Inc., that a nearly identical complaint could proceed past the pleading stage. Here, the court found that the plaintiff’s allegation that the defendant had “deployed a software device and process” was sufficient and that “a detailed description of the software and the precise mechanism it employs are evidentiary facts which need not be included.” Moreover the court rejected the defendant’s argument that the plaintiff had consented to the use of such a “device or process” stating that if merely visiting a website could establish consent, then the exception would swallow the rule.
Courts could not be more split, leaving the future of CIPA litigation a complete mystery.
What To Do If You Receive A Complaint Letter
(1) Audit The Claims
The first step in handling a CIPA demand notice is to evaluate the validity and strength of the claims. Receiving a demand letter does not necessarily mean that your business has done anything that could expose you to liability under CIPA. Plaintiffs’ attorneys often send demand letters, and their goal is more likely to extract quick settlements through ‘recruited plaintiff’s’ rather than litigate on behalf of genuinely ‘harmed’ individuals. In fact, we’ve seen that, ironically, some plaintiffs attorneys are recruiting ‘professional plaintiffs’ via ads on Meta/Facebook.
Notably, since these are often not genuine business customers with valid complaints, many of these claims may not have adequate standing for such a complaint, or have sloppy filing practices such as a lack of any discernible evidence or even filing outside the one year statute of limitations.
It is important to closely evaluate the claimant and their standing, the strength of the claims, and the terms of any website arbitration provisions, if any, to determine the best strategy. Below are just some of the key questions to be asked upon initial receipt of such a claim:
Does your website terms of service, or terms of use, have mandatory arbitration provisions? If so, do they include references to website visitors, customers, or other users?
Do the claimants have standing in California or under CIPA?
Does your business have nexus, or otherwise ‘avail’ itself as doing business in California? For example, in Briskin v. Shopify, a California court ruled in favor of Shopify’s motion to dismiss since it has no physical operations in California and operates equally across the U.S.
Does your business attempt to acquire consent from website visitors for cookies and other tracking technologies?
For a more detailed analysis of the types of questions and audit techniques used to evaluate these complaints, the Interactive Advertising Bureau (IAB) has published this Wiretapping Claims Litigation Preparation & Defense Toolkit that can help you audit the claims of a CIPA demand notice.
(2) Determine Whether Or How To Respond
The next step is to determine your budget and appetite to engage in a defense. Generally, the least expensive path is going to be a settlement, but it's important to note that plaintiffs attorneys have no legal obligation to waive any future complaints, so businesses could receive a fresh new complaint the next day after a settlement is reached. Equally important is that a settlement will not deter other plaintiffs attorneys from sending their own complaints. Sadly, a businesses willingness to settle may make them an ideal defendant for other plaintiffs attorneys who learn of such settlements.
While arbitration is often the most economical way to resolve such a claim, the cost of arbitration with legal consultation is also likely to exceed that of the settlement. In addition, the arbitration decision is confidential and limited to that party (or parties if mass arbitration), which is unlikely to serve as a deterrent to other plaintiffs or plaintiff’s attorneys.
In order for these claims to truly cease being a ‘nuisance’, businesses must consider some aspect of a full defense. This doesn’t necessarily mean going to trial, but plaintiff’s attorneys must be on alert that a business may be willing to go the distance and cost them significant resources rather than receive a quick settlement.
In one such example, L’Occitane is even counter suing the plaintiffs law firm Zimmerman Reed for “‘manufacturing’ mass arbitration claims by having people visit the L'Occitane website and claim their privacy was violated by third-party tracking software.” (And congrats to L’Occitane who recently defeated Zimmerman Reed’s motion to compel arbitration with 3,144 individual consumers, with the judge stating that, even if he agreed that an arbitration agreement could exist simply by accessing a website (which he doesn’t), Zimmerman Reed's clients did not show any evidence they had visited L'Occitane webpages."By failing to establish that they visited the website, claimants have… failed to meet their burden to establish an agreement to arbitrate between L'Occitane and any of the 3,144 claimants, let alone all of them.”)
It can’t be stressed enough that if businesses don’t fight back, then these CIPA claims will continue.
Once you understand your budget and appetite for a defense, you can determine the best approach to a response. The best option may be a quick response to the demand notice alerting the plaintiff to all of the weaknesses of the claims and threat of an aggressive defense in hopes that the plaintiff chooses not to file their complaint in court or arbitration. In other instances, a good option may be to not respond at all, thus avoiding providing the plaintiff with any information about your business position or defense strategy ahead of their filing. This option may leave the plaintiff more likely to have the case dismissed like in Cousin v. Sharp Healthcare, where the court granted Sharp’s motion to dismiss on this basis because Plaintiffs did not provide sufficient factual support to plausibly claim their content was intercepted by Meta. We’ve seen many cases dismissed for the plaintiff's lack of providing factual support.
But even where your business may wish to settle, it's important to consider the timing and tactics with such a settlement negotiation and whether your business would still be willing to fully defend if the settlement negotiations fail. Knowing how these example cases are playing out during such a settlement negotiation goes a long way to negotiating the best terms.
(3) Get Proactive And Audit Your Business Privacy Practices
Alongside any analysis of CIPA claims, every web business should be auditing and remediating risks with their privacy practices to avoid future claims. We’ve seen businesses settle with plaintiffs only to have the plaintiff’s attorney file a nearly identical claim against the business with a new plaintiff (we’ve said it before and we’ll say it again, CIPA has become a ‘litigation factory’). At IHP, we’ve developed a methodology of reviewing all aspects of a web business's privacy practices, including consent mechanisms, privacy notices, terms of service, vendor risk audits, and overall data governance programs. With more than a dozen U.S. state privacy laws enacted, not to mention global privacy laws aggressively being enforced, it is imperative for businesses to understand and remediate their privacy risk exposure.
Conclusion
CIPA complaints require careful diligence from both a legal and technical perspective. Each complaint might include differing levels of defense strategies, or potentially expose more serious privacy-compliance risks. Every business is recommended to contract the right external professionals to review and advise on their privacy risk exposure, and a knowledgeable attorney to advise on any such responses to potential legal claims. Here at In-House Privacy, we’ve been advising corporate clients for more than 25 years on the intersection of privacy laws with novel technologies, and CIPA is just the latest ‘flavor of the day’ which we intend to vigorously defend and advise companies on their best approaches to resolve any such risks.
