The California Invasion of Privacy Act (CIPA) is a statute that prohibits wiretapping or recording confidential communications. Originally enacted in 1967, CIPA is California’s version of the state law incarnations of the federal Wiretap Act. Although there are no specifications set for the monetary penalty available in cases brought under CIPA, lawsuits could carry a penalty of up to $5,000 per violation per person affected, which is an attractive proposition for trial attorneys. Due to these potentially substantial payouts and two recent federal court opinions broadly interpreting CIPA’s applicability, plaintiffs’ attorneys have brought forth several claims alleging that third-party tools such as chatbots and session replay tools should be considered unlawful wiretapping under CIPA. In short, those cases allege that “recording” via keystroke logger or click-tracking begins the moment an individual accesses a website or app. The claims further allege that CIPA must apply so strictly that retroactive permission (such as through a privacy policy or terms of service agreement) may not be granted. To the extent courts adopt this interpretation, using third-party analytics components—to understand how people use apps so that they can be improved, for example—would be difficult in practice.
This risk stems from the issue of no state consensus regarding the legal status of third-party tools under CIPA, the Wiretap Act, and their counterparts in other states. This is not a black-and-white issue as there needs to be consideration of many factors such as whether the tools directly interact with the customer, intercept information without the knowledge or consent of the customer, or whether it is simply a tool to help the website function.
We see small businesses use third-party tools in a broad set of scenarios never contemplated by CIPA’s drafters in the late 1960s. Third-party tools can be defined as services that a company does not create but source from another group to enhance user experience. Such extensions may or may not directly interact with users based on their purpose. Some of the most commonly used third-party tools are services like pdf modification tools, chatbots, payment services, and antivirus programs, to name a few. Larger companies, on the other hand, are more likely to be able to perform the functions of third-party tools in-house, as they have more resources at their disposal. If courts rule third-party tools effectively illegal by making consent for their use practically impossible, it will lead to problems for small businesses like disrupted services, hindered innovation, and damaged reputation.
Here are some implications for small businesses if the use of third-party technologies constitutes unlawful wiretapping:
- Lack of Innovation and Growth
The growth of a wide range of companies across industry sectors is at least partially dependent on the use of third-party technologies. Many small businesses build their services atop existing platforms, which may serve as third parties surveilling user conduct under broad interpretations of CIPA. Often small businesses will use such tools to help make a name for themselves and to come up with new ideas on how to make their services smoother and more accessible for their consumers. A lack of resources would impede innovation and growth and could cause small businesses to face insurmountable barriers. This could discourage market entry in the first place, which in turn would affect consumers as their choices for a given product or service would be more limited or eliminated.
- Disruption of Services and Processes
Small businesses rely on third-party services to enhance their user experience. They may rely on analytics from third-party groups to see what features keep viewers engaged or what updates may be necessary to better a user’s experience. If courts determine that third-party tools are practically illegal under state wiretap laws, many small businesses would be unable to use them in their websites and services. They would have to turn and look for other resources or be forced to create their own, which can take time, money, and effort that should be spent on their core products or services. The systems that businesses usually run on would be disturbed, and it can take time to get services back to where they originally were if such an outcome is possible. It may also force small businesses to change the format of their services or the foundation on which they operate, causing damage to their products, services, and sales. This would also create significant burdens for consumers—imagine having to navigate a unique checkout system each time you use a payment service.
- Damaged Reputation and Loss of Consumer Trust
Businesses are dependent on their reputation to attract customers and consumers. Regular and return clients help small businesses to get on their feet and to help put their services out there. When a customer trusts a business and recommends their services to a friend or acquaintance, it helps build the firm’s reputation, allowing it to expand. Declaring day-to-day use of third-party tools unlawful would undermine consumers’ trust in newer entrants’ offerings by causing certain parts of the website or app to cease functioning or abruptly work much differently. As a result, the businesses may lose their credibility and face reputational damage, disrupting the usual, trust-based path toward growth. Businesses cannot function without customers, so if a small business loses its pool of clients, especially early in its lifecycle, there is a good chance that it will not have the means to operate anymore.
- Other Laws in Place Addressing Data Sharing Transparency
The idea of using CIPA for a failure in transparency might be ethical were it not for the fact that other laws address this question of transparency in data sharing. The Federal Trade Commission (FTC) Act was created to guarantee that action is taken against companies that do not follow their privacy laws or fail to set proper data security measures. Furthermore, California also has other state privacy laws like the California Privacy Rights Act (CPRA). The CPRA imposes duties on companies like informing consumers when and how their data is collected, allowing them to opt-in or out of data collection, and allowing them to access and edit their personal information. Having CIPA constitute third-party services as wiretapping becomes unethical given that other data privacy laws exist.
Lawyers view CIPA as a measure of monetary gain. If third-party tools were to be ruled unconstitutional, it would become extremely easy for attorneys to profit from suits against small businesses. Small businesses rely on having access to third-party tools to limit costs, streamline their services, and provide the best possible experience for their consumers. Ruling third-party technologies illegal would cause detrimental impacts on small businesses and their customers and induce setbacks. Lack of innovation will cause delays in the progression of technologies and tools accessible to people in need, depressing consumer choice and ultimately access to important services. We will continue to monitor the outcomes of these cases and identify opportunities to ensure that the legal environment continues to support the success and growth of small app companies.