The U.S. District Court for the Northern District of California gave website operators an expedited exit from privacy-related complaints and lawsuits under the California Invasion of Privacy Act (CIPA), a 1960s-era law designed to prevent unlawful telephone wiretapping. Plaintiffs attempt to use outdated CIPA framework to attack the use of cookies and pixels (and other tracking mechanisms) that is standard practice for websites. Not only did Judge Vince Chhabria grant the website operator an exit from litigation without a trial, but he called on the California legislature to update CIPA to address modern technology and prevent its further abuse.
In Doe v. Eating Recovery Center, LLC, the Court’s summary judgment order held that “using a third-party company to perform data analytics for web traffic is worlds different from wiretapping and eavesdropping.”
As in many CIPA cases, the plaintiff, a California resident, visited a website only to claim that the website operator improperly shared her data with a third party to perform data analytics and targeted advertising.
The Court highlighted the relevant questions at issue: (i) should the event data obtained by the third party be considered the “contents” of plaintiff’s communications with ERC, and (ii) did the third party read, attempt to read, or attempt to learn this information while it was “in transit?”
The Court held that the event data are “contents” of communications with the website: (1) the specific URL of each page plaintiff browsed; (2) the time Plaintiff spent on each page; (3) the path plaintiff took to get to that page; and (4) actions such as affirmative clicks. Given prior precedent, the Court found that URLs reveal information such as address, click history, browsing path and how long the plaintiff stayed on each page, the Court held URL-related data obtained by the third party constitute the contents of a communication.
However, the Court granted summary judgment to ERC, despite split authority that the contents were not “in transit” in the internet context. Plaintiff argued that because the third party utilized a process to filer URLs to remove information that it did not wish to store, that step constituted “reading the communication” while in transit. The Court called out the argument as “wrong” as the third party’s automated effort to avoid storing material it should not be storing cannot reasonably be considered as “reading” or “learning” the contents of the communications holding that the third party’s filtering process is more akin to sorting mail than reading the contents of a sealed envelope. Additionally, the filtering process occurred after the communication had traveled from the website visitor to the website operator (even if it was just 0.2 seconds later) and not intercepted in transit.
The Court’s ruling echoes that of a Federal court in Torres v. Prudential that ruled in favor of the defendant because the data in question was not intercepted while it was “in transit.”
The Court also expressed its concern that because CIPA carries criminal penalties, courts should read it narrowly, not broadly to protect people from potential criminal penalty from a vague and overly broad statute. And, the Court encouraged California’s legislature to update CIPA from its pre-internet birth to the modern internet age to protect people from lawsuit abuse that the CIPA authors could not foresee.
Doe v. ERC is a positive development for businesses facing CIPA litigation. As CIPA cases and other privacy laws continue to evolve, California businesses should remain vigilant and proactive in implementing precautionary measures. Internet business should retain counsel to discuss undertaking reviews of:
- privacy policies;
- terms of use;
- notices;
- user consent;
- compliance checks and/or audits.
CDF will continue to update you on legislative efforts to curb CIPA abuse. Last session, Senate Bill 690 targeted ending abusive lawsuits under CIPA but was not successful. We expect new proposed legislation to attempt to curb or update CIPA in the next lawmaking cycle.
Feel free to contact Dan Forman, Linda Wang or any member of CDF’s Privacy Practice Group for a consultation.
