By Brent Lehman and Daniel E. Venglarik
A new ruling out of the Central District of California may provide businesses with a roadmap for defeating frivolous “CIPA claims” without having to engage in expensive and robust litigation. We have previously discussed the prevalence of “CIPA claims”
As a refresher, businesses around the county have received demand letters alleging violations of the California Invasion of Privacy Act (CIPA). In the latest trend in California class action litigation, plaintiffs are invoking CIPA’s “wiretapping” (Section 631) and “pen register” (Section 638.51) prohibitions to assert invasion of privacy claims against businesses using solutions like pixels, plugins, or cookies on their websites to track visitors. Common targets include tools like the “Meta Pixel” and “TikTok Pixel,” as well as many other tracking and advertising technologies such as chatbots. These tools are often installed by third-party web developers to help businesses identify users and improve advertising targeting.
Plaintiffs allege that the use of these tools results in the unauthorized sharing of California consumers’ personal data with third parties, such as Meta or TikTok. See In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589, 596 (9th Cir. 2020). In more extreme cases, plaintiffs claim that these tools allow third parties to “eavesdrop” on their web activity, including interactions with features like chatbots. See Byars v. Hot Topic, Inc., 656 F. Supp. 3d 1051 (C.D. Cal. 2023).
As we’ve noted before, when applying the outdated CIPA statute to modern technology—technology that its drafters could not have anticipated—state and federal courts have reached mixed conclusions. While courts are often skeptical of these claims, a significant number have found them plausible based solely on the pleadings. See, e.g., Dino Moody v. C2 Educational Systems, Inc., U.S. District Court, Central District of CA, Case No. 2:24-CV-04249 (later dismissed due to the plaintiff’s failure to timely file a Motion for Class Certification).
Now, at least one holding in the Central District of California seems to understand the issues when it comes to third-party chatbots. In Sonya Valenzuela v. The Kroger Co., U.S. District Judge Dolly M. Gee granted Kroger’s motion to dismiss plaintiff Sonya Valenzuela’s sole allegation that the company violated CIPA by deploying a chatbot on its website provided by a third-party software developer that allegedly eavesdropped on the chat-based conversations visitors believed they were having with the grocer. Valenzuela claimed in her proposed class action that Kroger ran afoul of the fourth prong of this section by aiding and abetting the third party’s interception of these chats, conduct which the software provider allegedly profited from because it allowed Meta to mine chat data for information about user interests to use for targeted advertising.
Judge Gee rejected multiple arguments related to Kroger’s alleged knowledge of data harvesting (knowledge being a crucial part of a CIPA claim). While the rejection of Valenzuela’s claims rests on factual particularities, the Court’s ruling provides a roadmap to challenge allegations that a company’s website violated CIPA itself. It is clear in the case of Kroger, there was no outward evidence that Kroger would know that its third-party chatbot would “eavesdrop” on users. The marketing materials expressly indicate that individuals would need to opt in to tracking services. As such, Kroger had no knowledge of the CIPA violation.
However, this may not always be the case. As Judge Gee pointed out, “In a more analogous case, the Southern District of California ruled that the following allegations showed a website owner knew a software provider’s conduct constituted a breach of duty: the software provider’s publicly available information included that it monitored billions of visitor sessions per month across customer websites and combined this data with other information to “develop insights . . . which lead[] to optimized campaign outcomes for sales and service transactions.” Rodriguez v. Ford Motor Co., No. 3:23-CV-00598-RBM-JLB, at *2 (S.D. Cal. Dec. 3, 2024).” In addition, the software provider’s website marketed its services to clients such as the defendant by, among other things, stating that they were built on “one of the world’s most extensive customer datasets.” Id. at 3; see also id. at 10.
Munck Wilson Mandala is actively pursuing several additional defenses in response to these claims on behalf of our clients. These defenses include both procedural (such as identifying necessary third parties and challenging personal jurisdiction) and substantive (such as contesting inaccurate interpretations of website code and demonstrating the use of compliant consent frameworks) arguments that may apply on a case-by-case basis.
If you have received a CIPA demand letter or would like to proactively assess your website’s compliance with CIPA and other data privacy regulations, please contact Brent Lehman and Daniel E. Venglarik.
