The California Consumer Privacy Act (CCPA) was passed in 2018 and amended in 2020 as the California Privacy Rights Act of 2020 (CPRA), to provide a robust framework for California consumers to be free from unwanted breaches of privacy.
Both laws impose specific restrictions on the use of cookies, particularly concerning the collection and use of personal information through cookies. The regulations require that any method for submitting requests to limit the use of personal information, including cookies, must address the specific right to limit and not just the collection of personal information. Furthermore, the use of cookies to track and store internet use must be managed to respect the consumer’s privacy rights, including the right to opt out of the sale or sharing of their personal information. Under the CCPA and CPRA, businesses must provide clear and comprehensive information about how consumer personal information is collected, used, and shared, including through cookies. They must also provide mechanisms for consumers to opt out of the sale or sharing of their personal information, which includes the use of cookies for such purposes. Additionally, businesses are required to process any opt-out preference signals related to the sale or sharing of personal information, which can be transmitted through cookies or similar technologies. But only certain “covered” businesses are implicated (those to collect or aggregate large amounts of data).
The California Invasion of Privacy Act (CIPA) is a comprehensive state law designed to protect the privacy of individuals by regulating the recording and interception of communications. Enacted initially in 1967, CIPA has been amended over the years to address evolving privacy concerns related to technological advancements in communication[1]. CIPA, codified in the California Penal Code sections 630 to 637. 6, prohibits the intentional eavesdropping or recording of confidential communications without the consent of all parties involved. Specifically, section 632 makes it illegal to use any electronic device to intentionally eavesdrop upon or record a confidential communication unless all parties to the communication have given their consent[2]. Additionally, section 632.7 extends these protections to communications involving cellular and cordless telephones, emphasizing that consent must be obtained regardless of the communication’s confidentiality status. The Act not only addresses the interception and recording of communications but also establishes civil liabilities and penalties for violations. Individuals who believe their privacy rights under CIPA have been violated can pursue both civil and criminal remedies. The law allows for the imposition of fines and imprisonment for those found guilty of violating its provisions, and victims can seek damages through civil lawsuits[3]. Moreover, CIPA reflects a broader legislative intent to protect privacy as a fundamental right, underscoring the state’s commitment to safeguarding personal liberties against unwarranted intrusions facilitated by modern devices and techniques[4]. This legislative framework is part of California’s wider recognition of privacy rights, which also includes protections against the misuse of personal information by businesses and government entities[5].
Now, however, Plaintiff’s lawyers have initiated a barrage of litigation against California businesses by using the California Invasion of Privacy Act as a sword. More specifically, many CIPA-based claims allege that businesses are liable if their websites use advertising pixels without first using prior consent (on an “opt-in”) basis. The theory here is that the website (business owner) allows the third-party pixel owner to eavesdrop on communications between the user and the website owner. Moreover, other CIPA-based complaints have alleged that simply using cookies and pixels by the business on its website is akin to using an illegal pen register or trap and trace device, if the user does not consent (or opt-in). Not only do these arguments create a dangerous precedent, they have dire implications for businesses in California. First, businesses will have the burden of having to comply with the “opt-in” standards imposed by the CIPA-based cases, while concurrently complying (for those Covered Businesses) with the “opt-out” framework for the collection of data in the CCPA and CPRA.
These new cases provide an incentive for all businesses with exposure to the California markets to reevaluate their website privacy policies and technical provisions for compliance purposes.
[1] People v. Guzman, 11 Cal. App. 5th 184, People v. Lyon, 61 Cal. App. 5th 237, Shulman v. Group W Productions, Inc., 18 Cal. 4th 200
[2] Gruber v. Yelp Inc., 55 Cal. App. 5th 591, Santa Ana Police Officers Assn. v. City of Santa Ana, 13 Cal. App. 5th 317.
[3] Licea v. Jockey Int’l, 2023 Cal. Super. LEXIS 69728, Shulman v. Group W Productions, Inc., 18 Cal. 4th 200
[4] People v. Lyon, 61 Cal. App. 5th 237, Shulman v. Group W Productions, Inc., 18 Cal. 4th 200
[5] Grafilo v. Wolfsohn, 33 Cal. App. 5th 1024, Board of Registered Nursing v. Superior Court, 59 Cal. App. 5th 1011.
