CIPA/TCPA Ninth Circuit Ruling May Affect Website Visits
California is known to be a bipartisan consent state when it comes to picking up phone calls. After the ninth circuit returned Javier v. Active lead this Tuesday, it appears to have just become a bipartisan consent state when it comes to logging information about website visits as well. And does that sound crazy – it is.
Let me start with the title here and then explain its meaning.
Without citing case law or performing analysis, a Ninth Circuit COA panel has simply (and massively) expanded the scope of California’s wiretapping law – the California Invasion of Privacy Act (CIPA) – to cover essentially all interactions on websites.
Here is the language:
Although written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who “reads, or attempts to read or learn the content” of a communication “without the consent of all parties to the communication”.
Therefore, it seems that a website publisher must now obtain the user’s permission before recording any information relating to the user’s visit to the website. (Think, IP address, date and time of visit, etc.)
Do you see where this leads us?
Notably, the CIPA contains $5,000.00 per violation of the private right of action. And last time I checked, class action lawsuits were allowed.
So every website builder – wait, I don’t own a website? – that logs information about a California consumer’s visit to its site may violate California’s two-party consent rules and owes each consumer who has visited its site in the last few years $5,000.
Cool. No problem. I can see why the Ninth Circuit COA wouldn’t need to do an in-depth analysis here or think about this one.
Naturally, it gets even better.
Not only is Javier a massive expansion of CIPA, but it’s also arguably the biggest ever Telephone Consumer Protection Act (“TCPA”) case. from Facebook.
To understand why you need to understand a bit about how the TCPA works in cases resulting from web form submissions. The TCPA requires the express consent of a business to call a customer or potential customer. FCC regulations place the onus of production on the issue of the caller’s express consent. Therefore, when it comes to consent obtained through a web form submission, an appellant must come to court with evidence regarding the specific verbiage on a website, the date and time of the consent, IP address and other identifying information, etc.
While this information can usually be captured fairly easily (and regularly) by a website provider – again Javier puts this basic practice at risk, but we are going beyond that at this time – in the context of a web form submission that is sold to another party, the buyer is unlikely to have this information at hand.
Actually, let me back up for a second. Many of you are probably wondering “wait, why would a web form submission be ‘sold’?”
Welcome to the world of performance marketing and lead generation.
There’s an entire multi-billion dollar industry that helps connect consumers to the products they need and want. Product sellers cannot and do not rely on their own internal marketing resources to connect with consumers. They turn to other experts (think Lending Tree) who use various tactics to direct consumers to websites to obtain their consent to be contacted by service providers who can offer them loans, insurance or the solar panels they are looking for. These web form submissions are then sold to the actual product/service provider.
Strange as it may seem, there are actually thousands of these companies, all of which serve as intermediaries between consumers and product suppliers.
Now here is where we come back to Javier.
Product/service providers purchasing these leads must be able to prove that they obtained their consent under the TCPA if they are sued. And it’s a real pain for them to have to keep going back to the main seller for proof that a lead is genuine. Plus, let’s face it, these intermediaries might just be lying to them.
So how can you prove that an interaction with a website is genuine if you, the website owner, have full control over the content of the website and the data submitted on the website?
Enter Active Prospect.
AP is a genuinely great company with genuinely great people working for them – they’re friends of mine and I happen to believe in their solution.
What AP does is track an interaction on a third-party website to confirm that a consumer has actually gone to the website, filled in the information, and clicked the button to accept consent. The full content of the website disclosure is captured and frozen in time. And if a caller wants to audit their suppliers or prove they have consent to defend themselves in litigation, they can use AP’s product (called Trusted Form) to accomplish this quickly and easily.
It really is just a great product.
Except the Ninth Circuit just declared it a wiretap.
I really can not.
And somehow, it all becomes even more facepalm-worthy.
A while back I had a case in Pennsylvania where a plaintiff claimed my client violated state wiretapping law by recording it without permission. This is a transcript of the call (from memory):
Accused: Hello, this is [Company]. Can we record this QA call?
The call ends.
The plaintiff in this case sued my client claiming that he violated the wiretapping law by taping it before he was asked if he could be taped.
The Court in this case had the wisdom to inform the plaintiff that he was insane. And the case quickly disappeared.
The Ninth Circuit lacked this wisdom.
The Javier decision not only apparently endorses the logic of plaintiff whakadoodle (in my view) in this case, it goes even further.
In my case, after all, the applicant had said that he did not want to be recorded. In Javier, the plaintiff did ACCEPT TO BE REGISTERED. Yet the Javier panel felt he could still sue because HIS AGREEMENT TO BE RECORDED WAS, ITSELF, RECORDED by AP. And that was the predicate act of wiretapping enabling the CIPA claim.
Like I said, I just can’t.
So to summarize:
I’ve had some with judges who don’t understand the technology – although, as usual, I wonder if the defense attorneys here (not me) did enough to make sure the panel “got it.” ” in this case ;
Until Javier is fixed, website owners probably can no longer securely log data regarding website interactions with California consumers without their consent – and then again. another recent bad decision from the Ninth Circuit I don’t know if this consent can be obtained using the terms and conditions of the browser wrapper;
Website owners MUST obtain consent before using third-party cookie programs such as Trusted Form. And NO, you cannot use Trusted Form to prove that consent to use Trusted Form has been obtained;
I suspect this can all be solved by the clumsy and inelegant method of denying people access to your website until they sign a big, crass disclosure allowing you to save anything you want to save About them. I always love it when I can’t access a website before signing a disclosure. I’m sure you do too. Thanks to Javier, I can guarantee that you will see many more of these website obstacles. Maybe that’s a good thing. But it will certainly make the internet a more junkie pace of life.
Plaintiff’s bar is all over it. Received three calls this week from the plaintiff’s lawyers telling me that they are going to “crush” this or that company or “ruin” this or that brand. Usually, I’d tell them they’re nuts. This time, I’m not sure they are.
The only good news here – and it’s important good news – is that the case is not being published. Plus, it’s a federal court’s view of what it thinks the California Supreme Court might do. It is not binding in California, per se. So maybe the district courts will ignore the ruling, but probably not. Hopefully the California Supreme Court or a new Ninth Circuit panel looks into this soon.
Don’t shoot the messengers. And (try to) have a good weekend.