Companies have websites to reach customers, share products and services, and communicate brands. But websites can also create legal risks. Recently, litigation has surged against website owners for violating the California Invasion of Privacy Act (CIPA). This 1960s phone-wiretapping law is now used against websites that collect and share visitor data with third-party vendors. The legal theory, in part, is that when a user visits a website and their information is processed, the third-party vendor listens in on this communication without notice or consent from the website user.
But what is a communication anyway?
There’s little question that a phone conversation is a communication under CIPA—the law was originally passed in 1967 to protect phone conversations from elicit wiretaps. And while no California state appellate court has published on this question, several courts in California have held that typing information into a website chat box is a communication.
Efforts have been made to stretch the definition of a ‘communication’ under CIPA even further. Are website clicks, time spent on a webpage, or information gathered from the route a user takes to complete a purchase communications? Litigation in California lower courts has yielded mixed results. In October 2023, the Massachusetts Supreme Judicial Court ruled that web browsing is not a communication under Massachusetts’ wiretap law. But we still do not know if California appellate courts will follow.
You can take practical and straightforward steps to significantly limit your risk of liability under CIPA. And, if done right, this low-cost preventative work does not have to impact how your business or website operates. Reach out if you want to discuss.