Understanding the California Invasion of Privacy Act (CIPA)

The California Invasion of Privacy Act (CIPA)

The California Invasion of Privacy Act (CIPA), enacted in 1994, is a crucial protection for Californians against unwanted intrusion into their private conversations. Originally aimed at protecting landline phone calls, CIPA has adapted to cover modern communication methods, including cell phone calls and online interactions via platforms like Zoom or CRM systems.

CIPA’s reach extends beyond California’s borders, applying to any communication involving a resident of the state, regardless of where the business operates. While initially designed for phone calls, its scope now includes online exchanges, potentially covering communications through websites.

a. Wiretapping

Wiretapping involves using technology to secretly record a private conversation, constituting a breach of privacy. The California Invasion of Privacy Act prohibits wiretapping, deeming it a criminal offense punishable by fines and imprisonment. Victims of wiretapping have the right to pursue civil lawsuits to seek compensation for the invasion of their privacy.

To succeed in a civil lawsuit for wiretapping, the plaintiff must demonstrate that the defendant intentionally eavesdropped or recorded the conversation using an electronic device, that there was a reasonable expectation of privacy, that consent was lacking from all parties involved, that harm was incurred, and that the defendant’s actions directly caused that harm.

The crime of wiretapping is defined in Section 631 of the CIPA, which outlines illegal actions such as making unauthorized connections to telephone lines, attempting to read phone messages without consent, using information obtained from wiretapping, and aiding or conspiring in wiretapping activities.

b. Confidential Conversation

A confidential conversation occurs when steps are taken to make it private, creating a reasonable expectation of privacy. This expectation varies depending on the circumstances, with factors such as: 

1. 1. Who initiated the call;
   2. The purpose and duration of the conversation;
   3. Past communications between parties;
   4. Whether sensitive information was shared, and;
   5. If there was any warning about recording influencing the determination.

Furthermore, CIPA covers various forms of communication, from phone calls to online interactions involving California residents. Although CIPA predates the advent of many online tracking tools used by businesses today, recent lawsuits argue that technologies like cookies and pixels violate the law. Section 630 of CIPA outlines its purpose: protecting California residents from eavesdropping.

CIPA Violations

1. Businesses intentionally eavesdropping or recording communications using electronic devices.
2. Failure to obtain consent from all parties involved, despite the user expecting privacy.
3. Harm suffered by the website user is attributable to the actions of the business.

Moreover, CIPA prohibits businesses from using pen registers or trap and trace devices without a warrant or individual consent. Pen registers monitor outgoing signals, while trap and trace devices record incoming signals to specific phones or computers.

Of significant concern for businesses is CIPA’s provision allowing consumers to directly sue for violations, potentially resulting in damages of $5,000 per offense. Recent legal actions highlight the use of tracking technologies like cookies or web beacons as potential violations, arguing they function similarly to pen registers, intercepting communications between users and websites.

Applicability

CIPA applies to any business communicating with California residents, regardless of location. Originally targeting landline calls, it now covers all forms of communication, including cell phones and online interactions. This extends to tracking or recording software, such as session replay and chatbots, as using these tools without user consent may be seen as eavesdropping.

Exemptions

CIPA exempts public utilities and correctional facilities. Specifically:

• Public utilities and their employees offer communication services or facilities for construction, maintenance, or operation purposes.
• The use of instruments, equipment, facilities, or services as per public utility tariffs.
• Telephone communication systems are used exclusively within correctional facilities.

Section 632 (e) of CIPA clarifies these exemptions for public utilities and their employees, as well as telephone systems within correctional facilities.

While CIPA applies broadly, Section 632 (e) of CIPA clarifies that certain entities benefit from exemptions, notably public utilities and correctional facilities. However, these exemptions are circumscribed and subject to specific conditions delineated within the legislation.

I’m The One Being Recorded

If you were recorded unlawfully, you may be entitled to compensatory damages. You can file a personal injury lawsuit for privacy violation. Successful claims could result in:

• $5,000 for each violation, or
• Three times the actual damages you suffered.

You can file a lawsuit even if the caller is from another state. As long as you’re in California, you can take legal action. However, there’s a one-year statute of limitations for filing this lawsuit.

Business Requirements

CIPA mandates that businesses must obtain consent before communicating (via phone or internet) with California residents and refrain from using pen registers or trap and trace devices without consent.

1. Communicating Via Phone or the Internet
   CIPA prohibits anyone from intercepting communications without consent, including reading or attempting to learn the contents of messages while in transit. Businesses engaging in any communication with California residents, including using tracking tools for advertising or internet session software, must obtain consent before proceeding.
2. Using Pen Register or Trap and Trace Devices or Processes
   Businesses under CIPA cannot install or use pen registers or trap and trace devices without consent or a court order, except for specific purposes such as testing services or protecting property and rights. A pen register records outputs, while a trap and trace device records incoming information. Recent lawsuits argue that tracking and analytics software, like cookies, may fall under CIPA’s definition of a pen register, as they monitor user-website interactions.

In Greenley v. Kochava, Inc., the court ruled that software correlating consumer data through unique ‘fingerprinting’ qualifies as a pen register under CIPA. Businesses must obtain user consent or a court order before installing or using these devices, except for approved purposes.

How to Comply

To comply with CIPA, follow these steps:

1. Obtain consent from users before accessing their personal information or engaging in communications.
2. Disclose whether you share their communications with any third parties.

Let’s delve into each step further.

1. Obtaining Consent
To obtain consent for recording private conversations, ensure everyone involved agrees, either explicitly or implicitly. Express consent is obtained by asking and receiving affirmation from all parties. Implied consent occurs when the recording is announced, and the conversation proceeds without objections. In California, complying with the Invasion of Privacy Act requires consent from all parties for recording phone calls. 

• • • For instance, if a journalist informs an expert of recording before a phone interview and the expert continues without objection, consent is implied. Overall, obtaining consent ensures compliance with regulations and avoids violating privacy laws.
    • Consent Mechanism: Obtaining consent is crucial, and a simple way to do this is by using a consent mechanism. This mechanism should be user-friendly and readily available, allowing users to express their consent preferences before using your website or services.

California operates under a “two-party consent” rule, meaning all parties must agree to phone call recordings. Implement consent mechanisms whenever you collect personal information, communicate, or use tools that could be perceived as intrusive under CIPA. Embed consent mechanisms alongside legal agreement links like Privacy Policy or Terms and Conditions.

This empowers users to understand data usage and communication practices before consenting. An effective mechanism is the “I Agree” checkbox, typically placed on account creation, checkout, cookie notices, and chat boxes.

2. Notify Users of Communication Sharing with Third Parties

To ensure compliance with CIPA, it’s essential to include a disclosure within your website’s chat box, especially if it’s provided by a third party. This disclosure should inform users that third-party vendors might access chat box communications. This way, consumers have the chance to consent to their messages being shared with third parties before using the chat box.

Enforcement

The California Attorney General enforces the California Invasion of Privacy Act (CIPA). Section 638.55 (b) empowers the Attorney General to compel government entities to adhere to CIPA regulations.

Penalties For Non-Compliance

Non-compliance with the California Invasion of Privacy Act (CIPA) can lead to severe consequences. 

• Offenders may face fines of up to $2,500 per violation and possible imprisonment. 
• Repeat offenders could be fined up to $10,000 per violation, along with up to one year in state prison. 
• Additionally, third parties who unlawfully disclose telegraphic or telephonic communications could be fined up to $5,000 and face up to one year in jail.

California residents have the right to pursue civil action against businesses that violate CIPA, seeking either $5,000 per violation or three times the amount of actual damages, whichever is greater. Businesses may be found in violation if they intentionally eavesdrop or record electronic communications without consent, fail to inform residents of the recording or cause harm by illegally recording or eavesdropping.

Sections 632(a) and 637 of CIPA outline penalties for intentional eavesdropping or recording without consent, including fines and imprisonment. Furthermore, businesses using pen registers or trap and trace devices without court orders or user consent can face fines of up to $2,500 per violation and/or one year in jail, as per Section 638.51.

It’s critical for businesses, especially those accessible to California residents online, to obtain consent before communicating, collecting, or disclosing personal information to avoid costly lawsuits. California residents can bring legal action against violators for damages or $5,000 per violation, as stated in Section 637.2 of CIPA.

CIPA Litigation Developments

Following court rulings allowing claims under the CIPA for tracking California residents on websites, numerous privacy lawsuits have emerged, yielding varied outcomes. For instance:

• In Licea v. Old Navy, LLC, a consumer alleged that Old Navy’s website’s chat feature violated CIPA by recording conversations. However, the court ruled in favor of Old Navy, determining that they couldn’t be liable for eavesdropping on their communications.
• In Byars v. Hot Topic, Inc., the court dismissed a lawsuit regarding a chat feature, considering it an extension of the website owner rather than unlawful third-party interception. 
• In Greenley v. Kochava, Inc., the court refused to dismiss a lawsuit involving software that collects and correlates consumer data, deeming it a violation of CIPA.
• In Lesh v. Cable News Network, Inc., where CNN faced legal action for installing tracking software while users accessed their websites. 

While California courts haven’t definitively ruled on these lawsuits’ outcomes or the extent of damages, the trend indicates a surge in businesses facing legal action over tracking technology used on websites. Although currently targeting large corporations and healthcare businesses, smaller businesses and those in other sectors may soon face similar lawsuits.

Mitigation Strategies

To steer clear of CIPA violations and potential lawsuits, websites employing tracking technologies should undergo a thorough review of all utilized technologies. Consider removing unnecessary features like chat functions or website analytics tools if they serve no practical purpose. Similarly, eliminate tracking technologies, such as Meta pixels for advertising, if not actively used.

Another effective approach is obtaining user consent before tracking them, an established exception under CIPA. This can be achieved through a cookie consent banner, ensuring the following features:

• • Blocking all third-party tracking scripts until users consent (by clicking “accept”).
  • Offering “accept” and “decline” buttons, with “decline” ensuring no tracking.
  • Designing the banner for equal prominence of “accept” and “decline” options.
  • Allowing users to withdraw consent if they change their mind.
  • Providing sufficient information for informed consent.

This cookie consent banner aligns with GDPR regulations. Additionally, furnish users with a Cookie Policy detailing cookie usage, purposes, and durations.

Given the influx of lawsuits and the uncertainty of their outcomes, the safest path to avoid litigation is either refraining from tracking California users or obtaining their prior consent. Utilize tools like the GetTerms Cookie Consent Banner and Cookie Policy Generator to lessen the risk of costly legal action.

Wrapping Up

The California Invasion of Privacy Act (CIPA) was created to address wiretapping and eavesdropping concerns and has since been updated to include modern communication technologies and online tracking methods. Created to combat wiretapping and eavesdropping, CIPA now extends its reach to modern communication technologies, including internet interactions and tracking tools. CIPA applies broadly, encompassing any business communicating with California residents, irrespective of their location. However, exemptions exist for public utilities and correctional facilities.

To comply with CIPA, businesses must obtain consent before communicating with California residents and disclose any sharing of communications with third parties. Employing consent mechanisms, such as an “I Agree” checkbox, can facilitate compliance, while disclaimers within chat boxes further reinforce transparency. Enforcement falls under the jurisdiction of the California Attorney General, with penalties for violations ranging up to $5,000 per offense, along with potential imprisonment for repeat offenders.