Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Videos
    4. What’s driving the increase in CIPA class action litigation?

      Videos

    What’s driving the increase in CIPA class action litigation?

    March 20, 2024

    LinkedInX (Twitter)EmailCopy URL

    By Jenny Holmes, Jason Kravitz and Stacy Boven

    Stacy Boven explains the California Invasion of Privacy Act, the recent flood of CIPA-related class action litigation in California, and what companies with public facing websites need to know to protect themselves. 

    The California Invasion of Privacy Act (CIPA) is having a moment, not necessarily in a good way. We’re lucky to have Stacy Boven with us to help us better understand this new flavor of class action litigation. Stacy is based in Nixon Peabody’s San Francisco office. She’s a member of the firm’s Cybersecurity & Privacy practice and leads Nixon Peabody’s California CIPA litigation team.

    Watch this episode of A Little Privacy, Please!® on the California Invasion of Privacy Act (CIPA)

    Tell us about the California Invasion of Privacy Act.

    We are seeing a flood of litigation under CIPA, the California Invasion of Privacy Act. CIPA is a bigger statute, but I want to talk specifically about the wiretapping statute. What we’re seeing in California right now is all of these companies with public websites who did their data due diligence, they dotted the I’s, they crossed the T’s with their privacy policies in their terms of service, are suddenly getting hit with these lawsuits claiming that they are liable for aiding wiretapping.

    Now, what do you think about when you hear wiretapping? I think about a guy in an unmarked white van with big headphones on trying to listen to a conversation across the street. That’s not what’s happening with websites. So, it’s a strange surprise for these companies who don’t understand why they are on the wrong end of a civil lawsuit.

    And if this sounds confusing, it’s because it is.

    But let me back up and explain what CIPA is. It’s a very old statute put on the books to protect Californians against wiretapping. Back when telephones were connected with wires, it prohibited tapping a phone wire, trying to learn the contents of a message sent through a wire, or assisting someone in these illegal eavesdropping activities.

    We now see plaintiffs trying this new creative application of CIPA to claim that using third-party technology on a website violates the California Invasion of Privacy Act.

    Why are we seeing an increase in CIPA litigation now?

    People have never been more concerned about data privacy. Some of this has to do with what we see in the headlines, including talk about generative AI. Consumers are also noticing signs that they have data, through targeted ads for example, and are wondering who can access this data. So data privacy is very much part of the zeitgeist at a time when data has never moved more quickly.

    Then, the Ninth Circuit cracked open the door with an unpublished decision that was meant to address a very specific, narrow issue on consent under CIPA. That decision had language in it saying that the wiretapping section of CIPA applies to internet communications, opening the door for this kind of litigation.

    And I want to back up and explain what plaintiffs are claiming here. The argument goes like this: The website user goes to a website and fills out information in a form, communicates with a chatbot, or maybe just clicks around on the site. Plaintiffs are claiming that activity is a communication. Almost every website uses third-party software to improve the functionality of their website—whether it’s adding in a chat feature or using third-party software to manage their data through session replay or pixels—the use of this third-party software is what plaintiffs are pointing to as eavesdropping. They’re saying the third-party software is the eavesdropper, eavesdropping on the website users’ communication on the site. And then the plaintiffs are turning around and suing the website who paid for the software, and saying, well, you’re aiding eavesdropping and that violates the law.

    Who is at risk of getting caught in CIPA litigation, and what is that risk?

    Because the use of third-party software in websites is so ubiquitous, any company that’s doing business in California with a publicly facing website is at risk of civil litigation. In terms of the risk, it’s expensive litigation. CIPA claims carry a statutory penalty of $5,000 per occurrence.

    If you get hit with a class action litigation on behalf of every user who has been to your website in the last year, you’re looking at damages claims in the millions.

    How can companies protect themselves against CIPA violations?

    Companies have got to get their data house in order.

    I know that everyone has heard this a lot, we say it to our clients early and often, but you have to make sure that your privacy policies, your cookie consent banners, your terms of service are all current. You need to be accurate, and they need to not just comply with California and federal law, but they need to be formatted in a manner that’s going to protect your company against this new CIPA litigation.

    What does that mean? Take, for example, websites in Europe. Almost uniformly, if you go to a European website, before you can interact with that website, you’re going to see a grayed-out screen and a cookie consent policy that the user has to interact with. Users have to affirmatively select yes or no on cookies and get data usage notifications. That doesn’t happen as much in the US, but you’re certainly more protected the more communication there is with the website user. There’s a big difference between a banner that requires affirmative consent from the user as opposed to a tiny link in the bottom of your website.

    What’s important here is transparency. Making sure that you have transparent communication with your website users about the data you’re collecting and how you are using that data is critical. In order to have transparent communication, you need to understand what you are doing with your data.

    That sounds simple, but it’s really not. Technology is developing so fast these days. There’s new and interesting tools that companies can use to work with data. You really have to understand what you are doing with data, how you’re collecting it, where it’s going, what safeguards you put in place for when it’s stored, who can access it internally and externally, and whether and how you use it.

    Once you know those basic facts, you can have transparent communication and ensure that your disclosures and your privacy policies accurately communicate that to website users.

    A Little Privacy, Please!

    Locations

    San FranciscoLos Angeles

    Practices

    Cybersecurity & Privacy

    Insights And Happenings

    • Video

      Professor Hartzog on Web Scraping, AI, and Privacy

      Cybersecurity & Privacy
      Aug 5, 2024
    • Video

      Improving Cybersecurity for Small and Medium-Sized Businesses

      Cybersecurity & Privacy
      June 26, 2024
    • Video

      Cybersecurity risk and public finance credit ratings

      Cybersecurity & Privacy
      April 22, 2024
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved