Class Actions: The California Invasion of Privacy Act

In 1967, California passed the California Invasion of Privacy Act (CIPA) to protect its citizens from attempted eavesdropping on their private conversations. Now, California plaintiffs are wielding CIPA to challenge whether websites may use marketing technology that tracks website usage absent prior explicit consent. Dozens of class action cases based on this theory of liability have been filed in federal and state courts in California. Hundreds of demand letters based on this same theory have been sent to companies. Crowell has been closely monitoring the wave of website-based wiretap class actions cropping up.

This new surge of privacy class action litigation is significant because it puts all website tracking technology at risk. Many publicly available software tools give website owners the ability to understand their users’ online preferences. And user preference data has become an important tool for companies when making marketing and sales decisions. Now, as the software that facilitates user-tracking is being challenged, website owners may have to obtain prior consent from website visitors to employ this technology, or owners may have to rethink their marketing and sales practices. Both alternatives bear risk, though—the former may not be technologically practicable, and it may discourage website visitors; the latter may impact how the company researches its market and develops business strategy.

Liability under CIPA bears risk, too: a private litigant is entitled to the greater of $5,000 per violation or treble damages. And while these are novel theories of injury that have not received a stamp of approval from California appellate courts, they have not been rejected by the appellate courts either. The legal uncertainty creates its own risk as well.

In 2024, Crowell is closely monitoring the California legal system to see if we receive further guidance on the viability of a CIPA claim against the use of website tracking tools. For now, companies should strongly consider auditing their own use of tracking technology—do the tools provide business value, and what protections, if any, are available under your contracts with the software vendors? While we don’t have a crystal ball, we think it is likely that the wave of CIPA class action litigation will continue.