Invasion of the California Privacy Acts… Understanding CIPA and Your Marketing
If you haven’t heard of the California Invasion of Privacy Act, otherwise known as CIPA, you probably will soon. Agencies and businesses across the country have been receiving demand letters and threats of litigation for supposed “CIPA Violations”, and these letters often demand a hefty settlement for them to disappear.
If your agency does digital work, keep reading, because this could absolutely affect you!
Our goal with this article is to help you (1) understand CIPA, (2) prevent violations from happening, and (3) know your action plan if they do.
What in the world is CIPA?
CIPA is a decades-old law within California’s criminal code that originally targeted illegal wiretapping. In sum, you were not allowed to gather a Californian’s identifying information via phone without their express knowledge or consent.
In 2023, a court interpreted this statute to also prohibit the use of pixels, cookies, tags, web beacons, etc. on a website to collect a Californian’s information without their express consent. Because of this, if a violation occurs now, the Californian can sue the website owner for damages under CIPA, which can reach up to $5,000 per violation.
Are people actually taking advantage of this?
Boy, are they. As you can imagine, the people involved in these lawsuits are not suing because they suffered any substantial harm as a result of their data being collected. Rather, they are taking advantage of an “easy money” situation (while it lasts), and have found lawyers willing to enable them to bring these claims.
Imagine your agency receives the threat of a lawsuit for four CIPA violations at $20,000 total. Your lawyer tells you it will cost more than $20,000 to defend the lawsuit, even though you may have a really good chance at winning. In an effort to save time and money, you probably end up agreeing to a settlement, and the person threatening you makes some quick cash. It’s an unethical practice, but it’s unfortunately not illegal. It’s also why there aren’t a lot of laws or court cases about this yet – nobody wants to take the hit of defending these claims.
Can I prevent this from happening?
Fortunately, there has been consistent agreement among California courts that “affirmative consent” is a solid defense to these actions.
“Affirmative consent” means that a website visitor actively, intentionally consents to the collection of their data for the purposes for which it’s being collected. Specifically, they need to click a checkbox saying “Opt in” or “opt out”, “I agree” or “I do not agree”, etc. The type and purpose of the collection need to be explicitly disclosed at the time consent is given. Fortunately, you can include this language in the same kind of pop-ups you are already using on your clients’ digital properties.
Our best recommendation at this time is to have this consent incorporated into a standard cookie pop-up with an “Opt in” or “opt out” box. Keep in mind that you will need to have the technical capability of preventing the pixel, cookie, or beacon from “attaching” to the user that has actively opted out. If you do not have this technical capability, contact your lawyer to determine an alternate path forward.
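The technical capability described above, sketched as an added example (not code from this article): a default-deny gate that registers tags but injects them only after an explicit opt-in recorded together with the disclosure text shown to the visitor. The class name, tag IDs, purposes and URLs are assumptions made for illustration.

```javascript
// Added example. ConsentGate, the tag ids, purposes and URLs are hypothetical.
class ConsentGate {
  constructor(inject) {
    this.inject = inject;        // callback that actually adds a tag to the page
    this.tags = new Map();       // id -> { src, purpose, loaded }
    this.decisions = new Map();  // purpose -> { granted, disclosed, at }
  }

  // Register a tag without loading it; nothing runs before a decision exists.
  register(id, src, purpose) {
    this.tags.set(id, { src, purpose, loaded: false });
  }

  // Record an explicit choice with the disclosure text shown beside the control.
  record(purpose, granted, disclosed) {
    if (typeof granted !== "boolean") throw new TypeError("explicit true/false required");
    if (!disclosed) throw new Error("disclosure text required when consent is given");
    this.decisions.set(purpose, { granted, disclosed, at: new Date().toISOString() });
    return this.apply();
  }

  // Inject only tags whose purpose has an opt-in; no decision means no tag.
  apply() {
    const loadedNow = [];
    for (const [id, tag] of this.tags) {
      const decision = this.decisions.get(tag.purpose);
      if (decision && decision.granted && !tag.loaded) {
        this.inject(tag.src);
        tag.loaded = true;
        loadedNow.push(id);
      }
    }
    return loadedNow;
  }
}

// Constructed scenario: the visitor declines advertising and accepts analytics.
function demo() {
  const injected = [];
  // In a browser, inject would append a <script> element instead of recording.
  const gate = new ConsentGate((src) => injected.push(src));
  gate.register("ads-pixel", "https://tracker.example/pixel.js", "advertising");
  gate.register("analytics", "https://stats.example/a.js", "analytics");
  const beforeChoice = gate.apply();
  gate.record("advertising", false, "Ad pixel shares page views with ad partners");
  const afterChoice = gate.record("analytics", true, "Analytics cookie measures site usage");
  return { beforeChoice, afterChoice, injected };
}
```

A tag that has already run cannot be recalled, so a later opt-out only affects loads that have not happened yet; persist the decisions and rebuild the gate on each page view.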
Do I still need a privacy policy if I have the cookie pop-up?
Absolutely; your privacy policy should still address GDPR, CCPA, and any other relevant privacy laws. It should also address CIPA and incorporate your cookie pop-up by reference, even though the policy itself is not the primary method of preventing a violation.
My client received a CIPA demand letter, and they are blaming me because I put a pixel on their website. What do I do?
If it does not have it already, your Master Services Agreement should be updated to reflect that CIPA (and any other legal compliance) is your client’s responsibility.
Otherwise, if your contract does not contain this type of language and your client has received a demand letter, contact your attorney so that they can assist you with navigating the issue.
If I fix my website now, will that prevent any past website visitors from coming forward with claims against me?
Unfortunately, right now, fixing your website will not likely prevent past visitors from making claims against you. That said, the odds of this happening to you are not high at this time, especially if you do not have a high volume of California visitors.
My business isn’t in California. Why do I have to worry about this?
The law is designed to protect California residents, not punish California businesses. Therefore, the location of your business does not matter, and the residence of your website visitors will determine whether CIPA is relevant.
What does the future of CIPA look like?
Right now, court holdings are a mixed bag. Some courts are allowing claims to proceed, others are dismissing the suits as frivolous. We are waiting for a court of higher standing to make a widespread determination as to the validity of these cases. At this time, however, there is a consensus in the legal field that these claims are weak and should not be allowed.
What are my next steps?
- Talk to your clients, especially those (1) who have engaged you for website services or (2) whose websites contain pixels/cookies/beacons, especially if you put them there. Let them know about CIPA, and encourage them to get the “affirmative consent” pop-up online ASAP.
- Ask your lawyer to update your client-facing agreements to reflect your responsibility with regard to CIPA (i.e., none!)
- Update your own website with a pop-up that requires affirmative consent, and ask your lawyer to provide you with appropriate language for the pop-up and your privacy policy.
- Check back here for updates!