Online tracking technologies embedded into websites, such as tracking pixels, session replay software and cookies, are used to analyze consumer behavior and often to help businesses target marketing efforts, improve user experience and fix bugs in the system.
Recently, courts in California have determined that using these tracking technologies may violate the California Invasion of Privacy Act, a wiretapping statute originally passed in 1967. Plaintiffs are now using CIPA for lawsuits against companies who use online tracking technology, alleging that these tools constitute a violation of CIPA because they illegally intercept communications without user consent and therefore infringe on the plaintiffs’ statutory privacy rights. CIPA is now being considered a primary source of legal disputes in today’s tech-driven world.
While several state privacy statutes exist, including the Texas Data Privacy and Security Act, plaintiffs are using CIPA because it provides a private right of action with statutory damages. Furthermore, the act is especially attractive to plaintiffs because it does not require proof of actual harm, meaning the legal wrong itself is wrong per se and sufficient for recovery.
CIPA stands out because it allows for both criminal charges and civil lawsuits for statutory violations. This sets CIPA apart from more recently enacted consumer privacy laws in both California and Texas, which do not include civil enforcement. This has turned CIPA into the go-to law for attorneys looking to challenge web privacy practices in court.
CIPA’s broad reach brings Texas companies into the crosshairs, with Texas companies becoming increasingly aware of and worried about potential claims under CIPA. CIPA applies to companies of all sizes who monitor, record or intercept communications. This is especially worrisome for Texas companies, as judicial precedent has established that CIPA’s reach is determined by the user’s location. Additionally, the litigation risk is significant, as individuals can recover statutory damages of $5,000 per violation, compensation for proven harm, punitive damages, injunctive relief to stop violations and legal expenses. Further, the greater of either the statutory damages or triple the actual damages may be awarded, proving that a CIPA claim can be more costly than businesses realize. Based off of historical cases which survived motions to dismiss, businesses who utilize certain website technologies are at a higher risk of litigation. These technologies include software developer kits, third party tracking pixels and software, “fingerprinting software,” cookies and identity profiles, application programming interfaces (API), website analytics and conversation intelligence software-as-a-service (which records and processes customer interactions in real time).
Claims commonly use three sections of CIPA: Section 631, which prohibits the intentional interception of communications in transit without the consent of all parties to the communication; Section 632, which regulates the recording or eavesdropping of confidential communications without the consent of all parties; and Section 638.51, which prohibits the use of a pen register without a court order or prior consent. While the application to websites and online tracking is fairly recent, case law has shaped much of the interpretation of CIPA, meaning the Act’s application to modern day technology is constantly evolving. To further muddy the waters, much of the existing judicial guidance comes from motions to dismiss decisions, which do not find culpability but rather find that culpability is plausible. From there, most cases settle under confidential terms, adding ambiguity to the already unclear space. With the Act’s provisions now reaching generative AI and chatbot tools, businesses are constantly fielding CIPA claims and judicial splits with conflicting holdings and readings of CIPA leaving businesses confused and unsure of how to comply with the statute.
Two main online tracking tools, session replay and tracking pixels, are at the heart of this legal issue. Session replay tools record mouse movements, scrolls, page views, keystrokes and other use activity on a webpage and reproduce these interactions in a video-like playback of a user’s experience on a website. As it stands, courts disagree on whether session replay technology constitutes an illegal interception of communications under CIPA. Plaintiffs argue that session replay software is the modern version of wiretapping a phone call, particularly since outside service providers often have access to the recorded information. In an important case for this developing legal challenge, Javier v. Assurance IQ, the court held that the necessary statutory consent for session replay must be obtained before tracking begins, barring retroactive or implicit consent as a defense. Tracking pixels record user activity as a snapshot as the activity happens and stores this information. Plaintiffs are targeting these technologies as illegal “pen registers” under the CIPA, while defendants argue that consumers consent to the use of these tracking technologies and that the use of these technologies is essential to everyday business purposes.
In the wake of unclear judicial direction, Texas businesses can help protect themselves from CIPA claims by improving their consent practices to better support a finding of affirmative consent from users. This could include clearer language explaining what the user is consenting to and an affirmative act indicating their consent, with the tracking technology only commencing following this act. Furthermore, Texas companies can limit their relationship with AI service providers to a strict agency relationship, with a third party serving as an extension of the business.
While CIPA is being widely used today, the act itself is dated, and many of its definitions are having to be interpreted by courts to apply to today’s technology, leading to conflicting judicial outcomes and lack of guidance for businesses. To achieve consistent rulings during this new era of online activity and tracking tools, courts (and lawyers) need a clearer legal framework to evaluate modern digital surveillance technologies.
Mia Crossen is a law student at SMU Dedman School of Law, where she focuses her studies on M&A, corporate law, and data privacy.
