Written by Mona Hanna and Aaron Plesset
A growing number of businesses with websites are facing costly class action lawsuits under California’s Invasion of Privacy Act (CIPA), where potential exposure can reach $5,000 per violation or three times the actual damages, whichever is greater. At the center of these claims are widely used tools like Google Analytics and Meta Pixel, which track visitor activity online. If your business uses similar tools, you could be at risk for significant legal exposure.
Why Does This Matter?
CIPA is a California law passed in 1967 that protects individuals' privacy. Suddenly, this decades-old statute is being leveraged in a surge of new class action lawsuits contending that these tracking tools may be violating the law. Two critical parts of CIPA are involved: Section 631, which covers wiretapping—the unlawful interception of communications—and Section 638.51, which addresses devices that track the origin or destination of a communication, like identifying where a website visitor came from or went next.
While many are familiar with the concept of wiretapping, the idea that web tracking tools could be considered wiretapping or tracking devices is new to most. Plaintiffs, along with their counsel looking to seize upon the opportunity to sue, argue that tools collecting website visitor data—such as IP addresses or browsing habits—without proper user consent are violating CIPA.
What Does the Law Say?
Section 638.51 focuses on devices that capture "signaling information"—data that reveals where a user came from or went online, but not the content of their communication. This law originally applied to devices used by law enforcement to track phone numbers, but plaintiffs now assert that website analytics tools (again, such as Google Analytics and Meta Pixel) qualify as “trap and trace devices” under this provision.
This significantly expands a business’ potential liability. Historically, plaintiffs’ class counsel targeted businesses for CIPA violations under Section 631, limiting claims to those related to the interception of the content of communications. Of note, the collection of metadata related to communications (like IP addresses and browsing patterns) were generally considered exempt. More recently, however, plaintiffs—through their lawyers—have been challenging this notion, arguing that the collection of data falls within the scope of Section 638.51 and is therefore prohibited by CIPA. While only a few cases have been decided, courts have not ruled out that web analytical tools could, in fact, be considered “trap and trace” devices under Section 638.51. This uncertainty exposes businesses to potentially devastating liability, as plaintiffs may now have claims where they previously did not.
What Does This Mean for You?
With lawsuits on the rise, businesses should take proactive steps to ensure that their website tracking tools comply with CIPA. This means conducting regular privacy audits to ensure that no data is being collected from website visitors without clear, informed consent. Implementing proper consent forms is critical because obtaining explicit consent from users can serve as a complete defense to CIPA claims under both Section 631 and Section 638.51.
By adopting these measures, businesses can reduce the risk of costly litigation and ensure compliance with California’s evolving privacy laws. Of course, the attorneys at Michelman & Robinson, LLP stand ready to assist toward that end.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.