As privacy litigation intensifies in California, companies operating websites and engaging in online marketing must be aware of the major legal risks and compliance strategies shaping digital business today. Below, I examine:
- The surge in California Invasion of Privacy Act (CIPA) lawsuits targeting website tracking technologies;
- Telephone Consumer Protection Act (TCPA) risks in digital marketing;
- Key California Consumer Privacy Act (CCPA) compliance and litigation trends; and
- The vital role of arbitration clauses and class action waivers in website Terms of Use.
CIPA and Website Tracker Claims
CIPA (Cal. Penal Code §§ 630-638) prohibits certain forms of wiretapping and eavesdropping on “confidential communications” without the consent of all parties. Recently, plaintiffs’ law firms have targeted website operators for:
- Use of session replay tools that record user interactions for analytics;
- Chatbots and third-party customer service widgets embedding code on websites; and
- Allegedly “intercepting” or “eavesdropping” on website visitors’ communications.
CIPA permits statutory damages of $5,000 per violation, making claims lucrative for class actions. Multiple federal courts have declined to dismiss claims stemming from websites using third-party tracking scripts that record or transmit user communications. Companies should:
- Assess all scripts and tracking tools on their sites, especially those relaying data to third parties;
- Update privacy disclosures and obtain explicit user consent where required; and
- Consider disabling or modifying session replay technologies for California visitors.
TCPA Risks in Digital Marketing
The TCPA, 47 U.S.C. § 227, restricts telemarketing and the use of automated technologies (including text messages and pre-recorded voice messages) to contact consumers.
Website operators face TCPA risks when:
- Collecting contact information for promotional texting, call, or robodialing; and
- Using pre-checked boxes or ambiguous consent language in lead forms.
The TCPA imposes statutory damages of $500 to $1,500 per violation, encouraging class-action litigation. To reduce risk:
- Collect prior express written consent using clear, conspicuous language;
- Maintain robust records of consent; and
- Regularly review marketing workflows for TCPA compliance.
CCPA: Compliance and Litigation
The CCPA and its amendment (the California Privacy Rights Act) have created sweeping privacy rights for California residents, including:
- The right to know, delete, and opt-out of the sale/sharing of personal information; and
- Strict notice and transparency requirements for data practices.
Recent CCPA class actions have focused on alleged “sales” or “sharing” of personal data via analytics/ad tech scripts, and on disclosures deemed incomplete.
Best practices for CCPA compliance:
- Implement and maintain Do Not Sell/Share links or toggles on websites;
- Provide accurate, up-to-date privacy notices;
- Carefully vet all service provider- and third-party data-sharing relationships;and
- Promptly respond to access and deletion requests.
Including Arbitration and Class Action Waiver in Website Terms
Given the surge of privacy-related class actions, it is crucial to implement arbitration agreements and class action waivers in your website’s Terms of Use:
- Arbitration clauses require disputes to be resolved in private arbitration which is typically quicker and less costly than court; and
- Class action waivers prevent users from aggregating claims into costly class actions.
California’s evolving privacy landscape poses major compliance and litigation risks for digital businesses. Proactive steps such as auditing website tracking, securing proper marketing consents, ensuring airtight CCPA compliance, and embedding robust dispute resolution clauses, are critical defenses against costly class actions.