By Myriah Jaworski
Wed | Jul 10, 2024 | 9:28 AM PDT

California is notoriously on the forefront of implementing expansive cyber privacy regulations and, in turn, prosecution through litigation and other legal avenues to enforce those policies. While the world of data privacy and cybersecurity is an ever-changing landscape, so is the judicial administration and enforcement of these laws—with the outcome often depending on the factual circumstances surrounding the alleged violation. Understanding this highlights the need to stay apprised of regulatory decisions and judicial rulings. So, let's take a look at some recent California opinions on matters involving charges of various data privacy violations.

Mobile app developer settles with California attorney general for unlawful collection and sale of children's personal data

On June 18, 2024, Tilting Point Media agreed to settle a lawsuit brought by California's Attorney General for violations of California's Consumer Privacy Act (CCPA) and the federal Children's Online Privacy Protection Act (COPPA) in connection with its data collection and sharing practices used in its mobile app "SpongeBob: Krusty Cook-Off"—a mobile video game predominately marketed to and utilized by child users. Specifically, the settlement required that Tilting Point Media pay $500,000 in civil penalties, along with an expansive list of injunctive relief requiring the app developer to take affirmative steps to ensure it properly discloses its data collection, and, more importantly, obtains proper consent—including parental consent when required.

California's state privacy act, the CCPA, protects the privacy rights of California consumers and their personal information. While it is an understood practice that online businesses collect, share, and disclose internet users' information, the CCPA provides California consumers with the right to know how their information is being gathered and utilized, as well as to opt out of the sharing and selling of their personal information. Further, when the user is under the age of 16, the CCPA requires a business to obtain affirmative opt-in consent prior to distributing the user's personal information; and, when the user is under the age of 13, affirmative, verifiable parental consent is required. See Cal. Civ. Code § 1798.120(d).

Relatedly, COPPA serves as the federal law aimed at protecting the privacy rights of consumers, specifically children. In a similar manner to the CCPA, COPPA imposes a responsibility on website operators to provide notice to a parent, and obtain parental consent, before they collect and disseminate the user's personal information when the user is under the age of 13.

While the settlement here imposed a meaningful monetary fine on Tilting Point Media, the injunctive relief is perhaps more meaningful. The California Attorney General released a statement highlighting some of the injunctive relief Tilting Point Media agreed to:

  • Comply with the CCPA and COPPA related to children's data in the SpongeBob game and all of its games directed to children.
  • Not sell or share the personal information of consumers less than 13 years old without parental consent, and not sell or share the personal information of consumers at least 13 and less than 16 years old without the consumer's affirmative "opt-in" consent.
  • In instances where Tilting Point sells or shares the personal information of children, provide a just-in-time notice explaining what information is collected, the purpose, if the information will be sold or shared, and link to the privacy policy explaining the parental or opt-in consent required.
  • Use only neutral age screens that encourage children to enter their age accurately.
  • Appropriately configure third-party SDKs to comply with legal requirements related to children's data.
  • Implement and maintain an SDK governance framework to review the use and configuration of SDKs within its apps.
  • Comply with laws and best practices related to advertising to minors and minimize data collection and use from children.
  • Implement and maintain a program to assess and monitor its compliance with the judgment, including annual reports to the California Department of Justice and Los Angeles City Attorney's Office.

Not only does this settlement display the robust requirements imposed by both the CCPA and COPPA, it also signifies the active role of regulatory enforcement. Businesses and website operators should remain up to date with their respective data collection policies and procedures in order to ensure compliance with legal requirements.

Understanding CIPA and the rapidly changing landscape of judicial interpretation

It's not news that the California plaintiffs' bar has found creative ways to manipulate the California Invasion of Privacy Act (CIPA), a 1960s-era bill originally enacted to combat illegal telephone wiretapping and eavesdropping, to cover modern-day uses of the internet. We have seen surges of lawsuits over the last few years attempting to expand the reach of CIPA to alleged consumer privacy violations. CIPA claims, generally governed by Cal. Pen. Code § 631, follow two main theories of liability: (1) liability for the direct or indirect (i.e., aiding and abetting) "interception" of communications by chatbots deployed on websites; and (2) liability for the collection (commonly referred to as "trap and trace") of personal information by cookie or pixel without affirmative consent prior to the deployment of the tracking technology. In the wake of the mass of CIPA actions filed throughout the different California courts, it is no surprise that courts have interpreted the statute differently and ultimately reached inconsistent decisions. Let's examine recent caselaw on the different theories of liability.

a. Chatbot violations under Cal. Pen. Code § 632.7

Recently, the Southern District of California, in Rodriguez v. Ford Motor Co., Case No. 323CV00598RBMJLB (S.D. Cal. Mar. 21, 2024), dismissed a class action lawsuit alleging that Ford's website allowed, or aided and abetted, a software company to eavesdrop and record conversations between website visitors and Ford's customer service representative via a chatbot. Online merchants routinely use chatbot features in an effort to support customer engagement and service assistance as an economical alternative to the outdated use of physical call centers. 

There is currently a split in the courts on the application of CIPA to chatbot claims—one side holding that the third-party software providers serve at the direction of the website operator, effectively acting as an extension of the operator and not using the collected information for any personal benefit, thus website operators cannot be held liable for unauthorized third-party recording; the other side holding that third-party software providers are not an extension of the website operator, thus the operator may be held liable for permitting the third-party eavesdropping.

Here, the Rodriguez court agreed with the latter approach, but it did not find that factual support existed to confer aiding and abetting liability on Ford because there was no proof that the chatbot provider recorded the data for its own purposes, nor did Ford know of such use if it existed. Interestingly, the Southern District also decided not to extend CIPA liability to internet-based messages sent from a smartphone.

Although the court here ultimately ruled for the defense, plaintiffs are undeterred from continuing to assert these claims and it is crucial to be aware of how this split in approach is eventually resolved.

b. Pen register, or 'trap and trace' violations under Cal. Pen. Code § 638.51

Turning to California state court enforcement, there are again contradictory approaches in the enforcement of CIPA's trap and trace provisions. Beginning with an understanding of the legislative requirements, CIPA defines a pen register as: "a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication." Cal. Pen. Code § 638.50(b). A trap and trace device, in turn, is defined as: "a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication." Cal. Pen. Code § 638.50(c). At the time CIPA was originally made law in the late 1960s, these devices were primarily utilized by law enforcement agencies to track and record incoming and outgoing telephone numbers from a specific telephone line. Plaintiffs' attorneys now seek to wield this law for the purpose of extending it to online tracking tools, such as cookies and pixels, leaving the courts with the tall task of determining the appropriateness of such an application. Earlier this year the Los Angeles County Circuit Court reached conflicting results in deciding this issue.

First, the court in Licea v. Hickory Farms LLC, Case No. 23STCV26148 (Cal. Sup. Ct. L.A. County Mar. 13, 2024) declined to extend Section 638.51 to allegations that a company's website recorded users' IP addresses and aggregated them with other personally identifiable information (PII), in violation of the statute as an illegal pen register. In reaching its decision, the Licea court in part reasoned that public policy disfavors such an expansive definition of what constitutes a pen register, and accepting the plaintiffs' proposition would potentially disrupt internet commerce without a precise basis for liability.

In less than a month, when facing a substantially similar factual scenario, the same jurisdiction reached a contradictory outcome. In Levings v. Choice Hotels International Inc., Case No. 23STCV28359 (Cal. Sup. Ct. L.A. County Apr. 3, 2024), the court was uninterested in the public policy concerns raised in Licea, and instead focused on the lack of consent to such data collection practices. The Levings court ultimately held that accepting consent by simply visiting a website, or lack of affirmative opt-in consent, would render the definition of a pen register useless.

It is evident that courts across different jurisdictions, and even those within the same jurisdiction, are struggling to apply CIPA consistently in the face of plaintiffs' attorneys' creative approaches to expanding liability in the internet age.

The Song-Beverly Act: plaintiffs' attorneys' newest means for litigation

In accordance with what is the common theme discussed here, the plaintiffs' bar has yet again found a way to take a dated statute and manipulate its intention to cover a much broader scope in order to effectuate litigation. Specifically, in a herd of recent class actions filed in California state courts under the California Song-Beverly Credit Card Act (the "Act"), Plaintiffs argue that businesses are improperly collecting IP addresses during online credit card transactions, and that this information is then used to target marketing efforts to consumers, in violation of the Act.

The Act, originally enacted in 1971, long before the era of online commerce, was aimed at protecting the personal privacy of individuals during credit card transactions. To that effect, the Act prohibited retailers from requesting consumers' "personal identification information" during, or before, the credit card transaction and creating a record of that transaction (generally, a receipt) that includes the personal identification information provided. The Act expressly defines "personal identification information" as any information concerning the cardholder that is not set forth on the credit card, including the cardholder's address and telephone number. According to the plaintiffs' filings, because an IP address is "not set forth on the credit card," and does not "concern the cardholder," the collection of an IP address during online credit card transactions is in violation of the Act.

Plaintiffs' recent assertion, that collection of IP addresses violates the Act, is flawed and poses practical problems in its application. When dealing with online transactions, the collection of an IP address is a necessary part of the transaction in order for the consumer to actually interact with the webpage. As one federal district court has explained, without "recording the IP information sent to" website operators, "the Internet could not function because standard computer operations require recording IP addresses so parties can communicate with one another over the Internet." But, in other contexts, California courts have held that the collection of zip codes—which can function much like IP addresses—during the credit card transaction is in violation of the Act.

It is clear that courts are faced with the issue of deciding how far to extend the application of the Act, given the recent wave of new lawsuits. The collection of IP addresses, while seemingly innocuous or necessary to facilitate online interactions, may in certain contexts provide the basis for liability. Online businesses engaging in e-commerce should remain vigilant in how courts determine the scope of the Act and its application, as this could have reverberating effects on the landscape of online shopping. 

~~~

As evidenced by the plaintiffs' bar's relentless pursuit of litigation, there is a persistent risk of liability for data collection practices alleged to be unlawful. Businesses that operate in California, or make products available to California consumers online, should take affirmative steps to protect their interests and reduce potential liability exposure. To that end, for example, businesses should: (1) audit their websites to determine compliance with various privacy laws, and consult with an attorney when necessary; (2) remain up-to-date with their respective privacy policies and website terms of use, including proper disclosures of in-house or third-party software used; (3) ensure their privacy policies contain legally effective terms related to arbitration and class action waiver clauses; and (4) provide proper consent notifications when utilizing tracking technologies, among other things. In the internet age, it is crucial for businesses and website operators to remain vigilant in their efforts to avoid privacy liability.

Co-authored with Nicolas V. Dolce.
