CIPA vs. cookies: What you need to know
Posted: October 9, 2024
If the saying "what is old is new again" has any relevance to the privacy space, recent activity around the 1967 California Invasion of Privacy Act (CIPA) may be a case in point. CIPA is a criminal statute designed to counter telephone eavesdropping and wiretapping. Created at a time when today's online world was not a reality, CIPA had a worthwhile goal: to eliminate illegal, secret wiretapping.
Today's CIPA challenge, though, lies with a set of definitions that courts and lawyers can interpret in entirely different contexts given today's technology, contexts that lawmakers did not contemplate in the original drafting of the law.
Recent court decisions have resulted in even more companies taking notice of the possibility of running afoul of CIPA, to the tune of $5,000 per violation, for common website analytics tools (like cookies) and chat tools.
There has been a surge in wiretapping suits filed against organizations hosting tracking technology like third-party cookies and pixels, with over 700 lawsuits in California alone. The likes of Converse, Nike, Capital One and Skims are all in the hot seat for potential breaches that could cost millions.
So do businesses need to be concerned? We’d argue yes.
Overheard conversations… with chatbots?
The initial set of more modern court cases relied on allegations of non-compliance with Section 631 of CIPA. This first wave of cases alleged that the use of website chat functionality violated CIPA's wiretapping prohibition.
Chat functions are real-time messaging features on websites that often provide an initial level of customer support, whether live or AI-enabled (or both). Vendors often provide the chat functionality, and companies frequently record chats and retain them for some period of time to assess trends in questions, quality of responses, and other business purposes.
At a high level, the allegations about website chat functionality argued that chat features secretly wiretap web visitors' conversations without consent. Under CIPA's broad definitions, this can constitute a violation of Section 631 of the Act.
However, organizations can learn from these cases and readily prevent Section 631 problems of their own. Adequate notice and consent for chat features address the CIPA complaint, and since users are motivated to use the chat, they are likely to agree to the practice. US-focused website owners have already begun to add transparency and consent prompts to their chat features.
Alternatively, website owners have the option of not saving chat information at all, eliminating the allegation of illegally recording "contents" altogether. Moreover, courts have increasingly rejected claims under Section 631. As a result, more recent cases have shifted to a different CIPA section, Section 638.51. These newer cases represent a potentially trickier problem to solve.
CIPA Section 638.51: 'Pen register' and 'trap and trace' devices
CIPA Section 638.51 prohibits use of “pen registers” or “trap and trace” devices without a court order or explicit consent. A “pen register” is “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.”
CIPA defines a "trap and trace" device as a "device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication." In other words, in the telephone setting a pen register records the outgoing numbers dialed from a line, and a trap and trace device records the incoming numbers calling a line. Penalties run up to $2,500 per violation or up to one year of imprisonment.
In cases alleging Section 638.51 non-compliance, plaintiffs generally claim that pixels, cookies, and similar tracking technologies (for example, the Meta, Google, and TikTok trackers used for website analytics), which may capture a visitor's IP address, are pen registers or trap and trace devices. The theory is that an IP address, the numeric identifier of the network endpoint a web visitor uses to connect to the Internet, is analogous to a phone number on a phone line, so capturing it without a court order or consent violates Section 638.51.
Not all courts agree. After all, an IP address is not specific to Google, Meta, or TikTok pixels: any server a visitor connects to must see the visitor's IP address simply to send a response, because that is how Internet communication works. In Licea v. Hickory Farms LLC, for example, the court agreed that a voluntary website visit does not constitute a violation.
However, other courts have allowed for the possibility that online trackers could violate wiretapping law. Kohl found that out when the U.S. District Court for the Southern District of California decided that third-party online trackers deployed without prior user consent could violate CIPA.
CIPA and consent
The problem with IP addresses and online trackers is that transparency and consent are harder to manage, and have more implications for the businesses using them, than they do for chat features. Opt-in consent for third-party online trackers potentially takes care of the problem.
However, given that the U.S. generally follows an opt-out model for cookies and other online trackers, moving to opt-in consent, in which no third-party cookies or trackers load before explicit consent, is a meaningful change for most U.S. businesses. Marketing may bemoan the loss of analytics data when moving to an opt-in model, and the change may carry technical implementation costs.
How can businesses reduce the risks of CIPA lawsuits?
These court cases may signal a movement toward the European Union's explicit-consent model for cookies and online trackers. For companies with U.S. websites that want to reduce the risk of CIPA wiretapping complaints, the logical steps would be to:
- Disclose the use of third-party tracking technologies on their websites,
- Obtain explicit, opt-in consent for these technologies, ensuring a "zero cookie load" (no third-party script, pixel, or cookie is loaded or set) before each web visitor gives that opt-in consent, and
- Regularly scan their websites for new or changed tracking technologies, including tags added by vendors or through a tag manager, to maintain compliance on an ongoing basis.
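One way to implement the "zero cookie load" and scanning steps above, as an added example that is not part of the original post: a small JavaScript consent gate that queues tracker loaders until the visitor opts in, plus an audit function that flags tracker scripts and cookies found on a page before consent was recorded. The tracker hostnames, cookie-name prefixes, and URLs are an assumed, illustrative inventory rather than anything the post lists, and the script injector is passed in as a parameter so the logic can run without a browser DOM.

```javascript
// Consent gate for third-party trackers ("zero cookie load").
// Added example, not code from the original post or from any vendor.
// The tracker hostnames, cookie prefixes and URLs below are an illustrative,
// constructed inventory; a production deployment would maintain its own.

// Hosts of the third-party trackers named in the post (assumed list).
const TRACKER_HOSTS = [
  "connect.facebook.net",      // Meta Pixel
  "www.googletagmanager.com",  // Google Tag Manager / gtag.js
  "www.google-analytics.com",  // Google Analytics
  "analytics.tiktok.com",      // TikTok Pixel
];

// Cookie-name prefixes those trackers set (assumed list).
const TRACKER_COOKIE_PREFIXES = ["_ga", "_gid", "_fbp", "_fbc", "_ttp"];

// createConsentGate(injectScript) returns a gate that queues tracker loaders
// until the visitor opts in. injectScript(url) is whatever actually adds the
// <script> tag to the page; it is injected so the gate is testable without a DOM.
function createConsentGate(injectScript) {
  const pending = [];  // loaders waiting for a consent decision
  const loaded = [];   // URLs that have actually been injected
  let consent = null;  // null: no decision yet; true/false: recorded choice

  // Register a tracker. Nothing is injected unless consent was already granted.
  function register(name, url) {
    const loader = () => { injectScript(url); loaded.push(url); };
    if (consent === true) loader();                             // opted in: load now
    else if (consent === null) pending.push({ name, loader });  // defer until a decision
    // consent === false: the visitor declined, so the loader is dropped
  }

  // Visitor opted in: flush every deferred loader in registration order.
  function grant() {
    consent = true;
    while (pending.length) pending.shift().loader();
  }

  // Visitor declined: discard deferred loaders so nothing ever loads.
  function deny() {
    consent = false;
    pending.length = 0;
  }

  return {
    register, grant, deny,
    loadedUrls: () => loaded.slice(),
    pendingNames: () => pending.map((p) => p.name),
    consentState: () => consent,
  };
}

// Audit helper for the "regularly scan" step: given the script URLs and cookie
// names observed on a page before any consent was recorded (e.g. captured with a
// headless browser), return the ones that belong to known trackers.
function findPreConsentTrackers(scriptUrls, cookieNames) {
  const hits = [];
  for (const u of scriptUrls) {
    let host;
    try { host = new URL(u).hostname; } catch { continue; } // skip relative/inline/malformed
    if (TRACKER_HOSTS.some((h) => host === h || host.endsWith("." + h))) {
      hits.push({ kind: "script", value: u });
    }
  }
  for (const c of cookieNames) {
    if (TRACKER_COOKIE_PREFIXES.some((p) => c === p || c.startsWith(p + "_"))) {
      hits.push({ kind: "cookie", value: c });
    }
  }
  return hits;
}

// Demo with a logging injector (no DOM here).
const demoGate = createConsentGate((url) => console.log("injecting", url));
demoGate.register("meta-pixel", "https://connect.facebook.net/en_US/fbevents.js");
demoGate.register("ga4", "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"); // placeholder ID
console.log("before consent:", demoGate.loadedUrls().length, "loaded; pending:", demoGate.pendingNames());
demoGate.grant(); // the consent banner's "accept" handler would call this
console.log("after consent:", demoGate.loadedUrls());
```

In a real page the injector would create and append a `<script>` element, and the consent banner's accept and decline handlers would call `grant()` and `deny()`. The property that matters for the "zero cookie load" step is that a deferred loader never touches the network or sets a cookie until `grant()` runs, and a tracker registered after `deny()` is dropped rather than queued. The audit function only sees names and URLs, so it is only as good as the pre-consent snapshot you feed it; run it against the live page, not the source templates, to catch tags added by a tag manager or vendor.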
Some organizations will take a wait-and-see approach as the debate continues in the courts, deciding to accept the risk rather than take on the technology work and the hit to website analytics data.
There is a possibility that courts will eventually determine that CIPA does not, in fact, apply to the online world. However, larger, global, or more publicly visible online organizations may see the current influx of CIPA allegations as a tipping point, pushing them to establish a global, explicit opt-in approach for all of their web assets.
Read our research report: Privacy beyond borders
Our latest research:
- Explores consumer preferences across the U.S., UK, EU, and Canada in digital experiences
- Examines how privacy laws impact global user interactions
- Assesses consumer awareness of regional privacy regulations
- Investigates variations in privacy concerns across different regions