Wiretap or Trap and Trace: A Common Data Privacy Claim That May Be Coming Your Way


Overview

Amundsen Davis Cybersecurity & Data Privacy Alert

Almost three years ago, we warned of class action lawsuits being filed against entities in certain industries, such as health care. Fast forward to today, where companies in a variety of industries, including construction and retail, located in the Midwest and elsewhere, receive demand letters and lawsuits accusing them of wiretapping or eavesdropping on California consumers who visit their website.

What these letters and lawsuits highlight is an evolution or dramatic expansion, for better or for worse, in what is considered to be private data. Consumer expectation, again, for better or for worse, is 100 percent transparency about what companies collect or track about them. This includes consumers' behavioral data and the “recording” of their activities and private “conversations” on your website. Consumer expectation is to have clear disclosures about how companies are using and sharing any information about them—even if privacy statutes and laws don’t require that transparency.

Consumer Privacy and Personally Identifiable Information

As of about four or five years ago, given the uptick in state privacy laws and industry regulations, companies knew to be careful with disclosures, consent, and statements regarding the collection, security, and sharing of personally identifiable information like Social Security numbers, dates of birth, driver’s license numbers, bank account numbers with passwords or access codes, and similar data. Indeed, collection, sharing, security, and retention of this type of data has been heavily regulated, and most companies already have data management protocols and policies in place to abide by federal, state, and industry regulations. (And if you don’t, you should!)

The Shift in “Personal Information” Shared on Your Website

This new frontier of data privacy claims by consumers zeroes in on data that had once been largely considered deidentified or anonymized. Specifically, where a person “clicks” on a website, what searches are being performed, and what kind of “traffic” certain offerings or promotions on the website get. A pervasive data analytics tool like Google Analytics serves as an example of the data at issue as even the most traditional of companies likely have this on their websites. This tool runs on the backend of the website, not immediately visible to website visitors. It collects analytical data that can be used by a marketing department or web developer to focus efforts in their digital advertising spend. These data points are shared with third-party providers as a resource.

However, it is this sharing of these types of data points—even if you don’t know the person’s name, mailing address, age, phone number, or legal status—that sits at the cornerstone of these privacy lawsuits based upon illegal wiretapping.

Specifically, California residents have created a cottage industry of privacy class actions based upon the California Information Privacy Act (CIPA). The actions are based upon these California residents visiting the websites of companies with no brick and mortar in California but who have websites available in California, which do not have specific pop-ups or disclosures. They claim eavesdropping and a “trap and trace”—that when they clicked on or searched for information, products, or services, if there was tracking and sharing of that website activity with a third party (because of analytics tools, for example), then the company allowed the third party to illegally eavesdrop on or wiretap that “private conversation” without the visitor’s permission.

These lawsuits benefit from the growing sophistication of technology, including the ability to aggregate deidentified data points to analyze and reach conclusions about people or users, and are the consequence of imaginative consumer counsel.

Like the Federal Eavesdropping Act, CIPA allows for a private cause of action, with a statutory recovery of $5,000 per violation. Plaintiffs take the position that each tracking technology used is a separate violation. Therefore, one visit to a website, the theory goes, could form the basis of a $40,000 demand as 8 different tracking technologies are being used to “listen in” on the visitor’s activity on your website.

Notably, earlier this year, the U.S. Supreme Court agreed to take up a consumer’s questions regarding applicability as to another (old) statute (a 1988 federal statute, the Video Privacy Protection Act), which analysis and findings could have a ripple effect—whether other, older statutes (like CIPA) apply to newer technology, including tracking technologies. However, only speculation abounds on how the Court will decide, and no opinion will be issued any time soon.

Reducing the Risk of Trap and Trace Lawsuits Against Your Company

The available legal defenses to this type of claim seem to become narrower and narrower by the day. So, here are some issues or questions you should consider—and discuss with your trusted privacy advisor—today:

  1. Evaluate your outward-facing and easy-to-find privacy disclosures. Do you have a cookie management bar with an easy-to-locate link to your terms and privacy disclosures?
  2. Do you provide a clear and conspicuous disclosure or “pop up” when a consumer first comes to your website, such that you do not track any movement/clicks/behaviors of the visitor until they acknowledge the tracking?
  3. What auditing have you done regarding your tracking technologies? Do you have a full understanding of what your internal team or outside website developer or vendor has running on your website?
  4. Do you have a robust data retention and data deletion plan in place, and have you confirmed the data privacy hygiene of your vendors and third-party service providers as well?
