As more consumers fight back against data privacy violations, Big Tech companies and their defense attorneys are trying to spread 5 myths about the California Invasion of Privacy Act (CIPA). These companies have attempted for years to persuade legislators to weaken CIPA protections for consumers, but the law remains more relevant than ever. It also continues to be a vital tool that California residents can use to seek justice and financial compensation anytime their personal information is collected without permission and shared with data brokers or other third parties.
Continue reading this blog to learn more about the CIPA and how it can be used to shield consumers against data privacy violations.
CIPA Protects California Consumers Against Data Privacy Violations
California consumers who use the internet or social media may find themselves frequently bombarded by targeted digital ads. That’s often because their data has been harvested and shared with data brokers who use it to create targeted advertisements for individual users. This can be extremely profitable for online advertisers – and extremely dangerous for anyone who wants to keep their personal information private.
California lawmakers recognized the value of individuals’ privacy rights when they passed the California Invasion of Privacy Act (CIPA). Although the CIPA was initially intended to safeguard telephone communications from illegal wiretapping, the law has since been interpreted by courts to also apply to internet communications. This means that when a company uses tracking technology such as cookies, pixels, or software development kits (SDKs) to spy on a person and collect their data without consent, the company may be subject to statutory penalties and a civil lawsuit for damages.
What Are the Most Common Myths About the California Invasion of Privacy Act?
In a recent article, attorney Robert Tauler of Tauler Smith LLP discussed myths about the California Invasion of Privacy Act (CIPA):
- Myth #1: Modern online data privacy lawsuits are not covered by the CIPA, which was passed decades ago.
- Myth #2: Consumers whose data is unlawfully collected by website operators don’t actually suffer any real injury.
- Myth #3: Privacy lawsuits based on the CIPA are deeply unpopular.
- Myth #4: The CIPA was made obsolete by the passage of other privacy laws like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
- Myth #5: Standard “consent prompts” used on websites are sufficient for companies to avoid violating the CIPA.
Fact: CIPA Regulates the Use of Online Tracking Software
Perhaps the most common myth about the California Invasion of Privacy Act (CIPA) is that it is not relevant to modern consumers because it only applies to telephone wiretaps by law enforcement. But the truth is that the CIPA is more relevant than ever for California consumers: the privacy statute was actually updated in 2016 to explicitly cover electronic communications. Subsequently, courts have ruled that the updated CIPA applies in tracking-pixel cases.
The recent Flo Health lawsuit highlighted the importance of CIPA to website data. The case went to trial in the U.S. District Court for the Northern District of California and culminated with the jury finding that Meta violated the CIPA by collecting menstrual cycle information and other sensitive data from users of the Flo Health mobile app.
Fact: Consumers Are Harmed When Their Online Activity Is Monitored by Tracking Pixels
Another myth about the CIPA is that it is simply not necessary as a tool for protecting consumers because nobody is hurt by online tracking. For starters, consumers' personal data has significant economic value. Additionally, the reality is that consumers suffer substantial harm when Big Tech companies unlawfully spy on their online activity. Moreover, there are numerous recent examples of consumers being harmed by pixel tracking.
Earlier this year, The Wall Street Journal detailed how consumers across the U.S. are being targeted by criminals who flood social media platforms with an “epidemic of scams.” According to an internal analysis, more than 70% of new advertisers on Instagram and Facebook are using the platforms to promote scams or to sell low-quality products.
Additionally, Reuters reported that Meta earns 10% of its revenue – roughly $16 billion – from online ads for scams and banned goods. Although Meta’s internal warning systems routinely flag suspicious activity, the company does very little to stop it.
To make matters worse, consumers’ data is often exposed regardless of whether they actually use Facebook, Instagram, WhatsApp, or any other type of social media. That’s because many companies with websites have agreements to share site visitors’ activity logs and personal information with the surveillance giants.
Fact: CIPA Lawsuits Are Popular Tools for Protecting California Consumer Rights
One myth about CIPA lawsuits is that they are unpopular. However, the truth is that the California Invasion of Privacy Act (CIPA) is widely accepted by California residents and the legal community because it is an important tool to protect consumers’ privacy rights. In fact, it is the Big Tech companies engaging in unsavory data collection practices who are deeply unpopular for trying to weaken state privacy laws. Far too often, the “surveillance advertising oligopoly” takes advantage of consumers by scraping their internet content and social media interactions without permission. In the worst cases, these companies turn a blind eye to data breaches, fraud, and abuse.
Fact: CIPA, CCPA, and CPRA Are Strong Data Privacy Laws That Protect Consumer Rights
A common misconception about the CIPA is that it was made irrelevant by the passage of other privacy laws like the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). In practice, however, all of these laws work together to provide broad protections for consumers against data privacy violations.
How the CCPA Protects Consumers
According to a legislative analysis of California’s SB 690, the CCPA and the CIPA are not mutually exclusive. Rather, the CCPA provides remedies in certain cases where the CIPA may not be applicable. For example, the CCPA provides a unique data privacy right by giving consumers the ability to opt out of having their personal data shared by businesses. Beyond that, the CCPA provides consumers with even more privacy rights, such as the right to know exactly what type of personal information has been collected by a business and the right to request deletion of any personal information collected by a business.
How the CPRA Protects Consumers
The CPRA amended the CCPA to provide additional data privacy rights to consumers, including the right to correct inaccurate personal information collected by companies. Moreover, while the CCPA allowed consumers to opt out of the sale of their personal information to third-party advertisers, the CPRA gives consumers the ability to opt out of the sharing of personal information with third parties. Also, the CPRA imposes strict requirements on businesses to implement security measures to protect customer information against data breaches – which is a new obligation not found in the other statutes.
How CIPA, CCPA, and CPRA Protect Consumers
The key takeaway is that all three California privacy laws – CIPA, CCPA, and CPRA – work together to cover gaps in the statutes and provide wide-ranging protections for consumers. This is particularly important when it comes to filing a lawsuit. In most circumstances, the CCPA does not allow individuals to bring a civil suit. The same is true of the CPRA, which may expose a company to civil liability only when they fail to protect customer information against a data breach. The CIPA fills these gaps by explicitly providing victims of data privacy violations with a private right of action to pursue financial compensation.
Fact: Website Consent Prompts Do Not Eliminate Liability for CIPA Violations
More and more companies in the United States are putting consent prompts on their websites, which has led to a mistaken belief that these companies are now free to collect user data without any legal repercussions. But this is simply not true.
While consent dialogs are a common way for European companies to avoid liability for GDPR-related privacy violations, the same is not true for U.S. businesses that commit CIPA violations. That’s because courts have consistently ruled that California’s stringent privacy laws demand “real consent” from consumers.
For example, in Calhoun v. Google, the 9th Circuit Court held that the average person can’t possibly be expected to decode complicated legalese found in the standard website consent prompt. Similarly, the jury in the Flo Health case found that app users who technically agreed to data collection still could not legally consent to it. That’s because the users likely lacked a clear understanding of exactly what it was that they “agreed to” in the first place.
Call the California Consumer Protection Attorneys at Tauler Smith LLP
Do you believe that your personal information may have been unlawfully collected by a website? The Los Angeles data privacy lawyers at Tauler Smith LLP have extensive experience bringing consumer protection claims as both individual lawsuits and class actions. Call 310-590-3927 or send an email to discuss your case.
