This fall, a federal court in California granted summary judgment in favor of a website operator for alleged violations of the California Invasion of Privacy Act (CIPA). In its decision, the Court emphasized that it was “virtually impossible” to apply CIPA to internet communications and urged the California legislature to “step up” and “speak clearly” about how internet activity should be treated under the statute in light of a deluge of claims that have been filed recently against website operators.

Case Background

Many businesses with a website use a pixel or analytics tool like the Meta Pixel, TikTok Pixel, or Google Analytics. These pixels are pieces of code on a website that assess visitors’ interactions with a website and may transmit that data to a third party. Those third parties can then use the data to, among other things, serve ads. For several years, plaintiffs have alleged that these transmissions violate CIPA, a criminal wiretap statute with a privacy cause of action.  Specifically, plaintiffs have alleged that the transmissions violate CIPA Section 631(a)’s prohibition against “learn[ing] the contents or meaning of any message, report, or communication while the same is in transit” in California without consent to all parties to the communication. CIPA also prohibits aiding and abetting another’s violation of CIPA.

Plaintiff in this case was a California resident who visited Eating Recovery Center’s (ERC) website to consider treatment options for an eating disorder. Plaintiff began receiving ERC ads on Facebook the same day she first visited ERC’s website. So, she filed a class action lawsuit, claiming ERC violated Section 631(a) of CIPA by recording and transmitting her website activity to Meta via the Meta Pixel, thus aiding and abetting Meta’s CIPA violation.

Two Issues for the Court on Summary Judgment

At summary judgment, the Court boiled down Plaintiff’s CIPA claim to two questions. First, was the data obtained by Meta the “contents” of Plaintiff’s “communications with ERC?” And second, “did Meta read, attempt to read, or attempt to learn this information while it was ‘in transit’?”

The court answered the first question in the affirmative. Through ERC’s use of the Pixel, Meta obtained information related to the URLs Plaintiff browsed, how long she spent on each page, and the buttons Plaintiff clicked. And the URL data Meta received revealed that Plaintiff researched and explored treatment options for a specific eating disorder. The court was satisfied that the information conveyed to Meta was specific enough to qualify as the contents of Plaintiff’s communications.

The second question – whether Meta attempted to learn this information while in transit – was a technical question that was informed in part by Meta’s testimony on how its pixel worked.  Ultimately, because the data containing communications “is transmitted to Meta about 0.2 seconds after the visitor’s action is transmitted to the website,” the data could not have been read “in transit.” Therefore, the Court entered judgment in favor of ERC on the CIPA. The Court noted, however, the absurdity that liability for CIPA would turn on the timing which Meta performed an action (reading website communications) and not the action itself.

Court Relies Upon Criminal Law Principles to Limit CIPA’s Scope

Relatedly, a crucial factor informed the court’s decision to rule in ERC’s favor on these statutory questions: the rule of lenity. The rule of lenity is a principle used in criminal law, and it requires courts to apply an unclear or ambiguous law in a way that is most favorable to the defendant.  Because CIPA is a criminal statute, the court applied the rule of lenity and concluded that “it would not be appropriate to interpret the ‘in transit’ requirement of Section 631(a) so broadly as to cover the conduct at issue here.” And it cautioned that courts “should not be so quick to assume” that the California legislature intended to “subject companies like ERC to criminal liability for using third-party software to track website activity[.]”

Court Urges Legislative Action to Curb Deluge of CIPA Claims

After ruling in ERC’s favor, the court closed its opinion with a call to action: “Hopefully, the Legislature will go back to the drawing board on CIPA. Indeed, it would probably be best to erase the board entirely and start writing something new.” It is yet to be seen whether the California legislature will act on the call, perhaps by enacting a proposed amendment to CIPA (SB 690). Regardless, this well-reasoned decision can help decrease the risk that common website activity will incur liability under CIPA Section 631. Privacy World will be there to keep you in the loop on CIPA developments in both the state house and the courthouse.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.

Stay Ahead on Consumer Privacy News

Not a subscriber yet? Subscribe here to be among the first to receive timely updates on the fast-moving world of data privacy, security, and innovation—delivered straight to your inbox.

Looking for deeper insights and expert analysis? You can also subscribe here to our privacy attorneys’ marketing communications for thought leadership and rich content when you need a more comprehensive perspective.