CIPA vs. Chatbots: Can Websites Be Sued for Eavesdropping? 

In a previous post, we looked at rising litigation relating to privacy and wiretapping laws and the use of session replay software. In this post, we’ll examine how a state wiretapping law has been featured in cases about websites’ use of chatbots. 

Plaintiffs’ attorneys have been leveraging the California Invasion of Privacy Act (“CIPA”) in innovative ways, bringing civil class actions and individual claims against websites utilizing session replay and chatbots in the California state court system. The novel argument centers around the assertion that the use of third-party chatbots on defendant websites constitutes a CIPA violation, framing it as wiretapping and eavesdropping on the conversation between the website user and the site. 

Understanding the California Invasion of Privacy Act (CIPA) 

Enacted in 1967, CIPA is a criminal statute designed to safeguard privacy by prohibiting the recording of and eavesdropping on private communications. Section 631(a) specifically addresses “wiretapping,” making it unlawful to tap or connect with telegraph or telephone wires without the consent of all parties involved. Liability extends to those who aid, agree with, employ, or conspire with any person violating the wiretapping prohibition. Section 637.2 of CIPA allows for damages of $5,000 per violation or three times the amount of actual damages. 

CIPA and Chatbots – Javier v. Assurance IQ, LLC 

In the case of Javier against Assurance IQ, LLC, CIPA violations were alleged when the plaintiff’s interaction with the website was recorded by JavaScript code “TrustedForm.” This code captured keystrokes, mouse clicks, and other communications. The plaintiff was not provided with the website privacy policy and did not consent until after the interaction was recorded. However, the trial court dismissed the claim based on the plaintiff retroactively consenting to the recording by agreeing to the website privacy policy. The Ninth Circuit reversed the trial court’s decision and referred it back to the district court, but the latter dismissed the plaintiff’s claims again. Due to the statute of limitations, it is the end of the road for the Javier case. However, it is unlikely that this will be the last CIPA case. 

What’s Next? 

While the targets for CIPA cases may be large companies with significant web traffic from California, the legal landscape is evolving. This is an important reminder that website privacy notices should clearly state the type of activities occurring and that consent should be obtained prior to any collection or processing of personal data. 

You may also like:
Session Replay Software and Privacy
Accidental Data Breach? Misdirected Emails Can Land You in Hot Water
Dark Patterns: How to Detect and Avoid Them

Related topics: Compliance Tools and AdviceUS Privacy LawsPrivacy News

Contact VeraSafe to discuss your data security management and privacy program today.