Bring Your Vision to Life Get Started

CIPA Privacy Litigation Attorney in Silicon Valley, California

The Rise of CIPA Pro Se Trolls

A Privacy Website Tracking Lawsuit Is Coming for You, and Maybe More than One

If you manage a consumer-oriented business of any type, your website probably incorporates third-party tracking technologies, such as cookies, pixels, tags, and beacons, to collect and use personal information of people who visit your site.  So, buckle up.  Your “wiretap” lawsuit looms.  Internet consumer lawsuits against businesses are exploding.  Although these suits plague major corporations, even smaller businesses under $100 million in revenue cannot escape their grasp.  Nor do they avoid liability risk if outside the high tech industry; the issue affects all kinds of businesses.

In particular, the controversy swirls around CIPA—The California Invasion of Privacy Act, codified in California Penal Code sections 630 through 638.55.  CIPA is a 1970’s-era wiretapping statute.  Recently, however, this decades-old wiretapping statute has been repurposed well beyond its original intent.

This section has been applied in CIPA suits to allege the website owner is “aiding” the third-party vendor’s willful accessing the content of internet communications by this automated sharing.   Alert businesses have been aware that these tracking technologies are problematic.  Typically, their websites incorporate some form of consent in their terms and conditions page or require express consent after the user has accessed the site. 

These tracking technologies are common to virtually all consumer business websites. Such technologies are used to record a user’s interactions with websites.  They capture information like addresses and routing when consumers view a website but often not the content of the communication.  

But here’s the rub.  Starting with the Ninth Circuit’s 2022 appellate decision of Javier, express consent by the accessing consumer before the consumer got onto the website is required.  (Javier v. Assurance IQ, LLC, 30 F.4th 849 (9th Cir. 2022).)  Implied or retroactive consent, after the third-party sharing had instantly begun by accessing, the court reasoned, was ineffective.

With that, CIPA “trolls” were off to the races.  Over one hundred California class actions have been filed since Javier by parties whose only motivation to access the websites was to trigger such liability.  With a penalty of up to three times actual damages or $5,000 per violation, class actions pose large liability exposure.  Compounding the problem is the lack of clear guidance on the law. 

Cases have produced conflicting results, and virtually no courts of appeal have yet weighed in.  For example, the U.S. District Court for the Central District of California denied defendant’s motion to dismiss in the CIPA case of Byars v. Goodyear Tire & Rubber Co., 654 F.Supp.3d 1020 (2023) (C.D. Cal. 2023).  But the same plaintiff (with the same counsel) lost a motion to dismiss in another CIPA case in Hot Topic.  (Byars v. Hot Topic, Inc., 656 F.Supp.3d 1051 (C.D. Cal. 2023.)

Want to Learn More?

Reach Out Today

The Rise of Pro Se Trolls

Add a new wrinkle to this narrative: the rise of pro se trolls.  Plaintiffs who sue without representation by counsel are called “pro se.” While class action suits are brought on behalf of numerous “injured” persons and may or may not be brought by trolls, they involve large potential damage awards in the millions.

Increasingly, however, suits have been brought and threats have been made by individuals without invoking class action representation.  In a space of five weeks, ending October 18, 2024, a pro se plaintiff filed roughly thirty-five lawsuits involving CIPA claims. 

Because the amount at stake is correspondingly much smaller, these claims and demands are often brought by pro se plaintiffs.  The necessarily smaller demand produces a change in litigation strategy.  Pro se plaintiffs commonly adopt a nuisance value approach to their settlement demands: either pay a small settlement now, or incur higher legal fees, not much later. With some big firms charging over $1,000/hour in privacy suits, this is no idle threat.  Insidiously, unlike nearly all class action settlements, paying off the individual plaintiff does not end your trouble; the settlement binds only that particular plaintiff, not the next one lurking around the corner.

Smaller businesses, faced with this challenge, have three basic options:

  1. Negotiate and pay an early settlement, without fighting;

  2. Challenge the suit by filing a motion to dismiss the action, while seeking early settlement; or

  3. Defend the lawsuit vigorously, despite the cost of litigation, often forcing the plaintiff to cave first.

Option #2 involves a two-prong effort: Seeking outright victory by motion but pressuring plaintiff to reduce his or her demand in settlement while the motion is pending.

Finally, what can you do proactively, before a claim is asserted? Companies should review their technology and compliance practices, including their website privacy policies. Beyond that, companies should assess how transparent their website tracking technologies are. Their privacy notice should include comprehensive information about cookies and tracking technologies.  It should detail which ones are used and how users can opt out.  Possibly, an “opt-in” choice should be provided, to establish express consent by the consumer.

While there is no one answer to which is the best course to take when faced with CIPA litigation, we can help.  Contact Payne IP Law at payne@bobpayne.com to chart the right course.

___________

Robert Payne is founder of Payne IP Law, in San Jose.  www.bobpayne.com.  He practices intellectual property and privacy litigation and trademark prosecution for small- and medium-sized businesses.