Comply With CIPA Even if Litigation Seems Unfair, Attorneys Urge
Though litigation against tracking technologies may have become excessive, it’s better to ensure your company is in compliance with all privacy statutes than to complain about abusive lawsuits, said privacy experts during a panel on the California Invasion of Privacy Act (CIPA) hosted by Troutman Amin on Monday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“Litigation under CIPA is ... the most dangerous litigation on the face of the planet right now” because "there is a private right of action ... that gives a consumer the right to sue, [and] statutory penalties of $5,000 per violation,” said Brittany Andres, an attorney at the firm.
Nima Vahdat, chief compliance officer at Americor, a finance technology company, said, “A big part of it is just the proliferation of tracking tags and … the way that marketing happens today.” As there are so many tracking methods, "it invites people to pursue litigation.”
“It's also really easy to see,” he added. “You have the ability to use developer tools within your various browser windows and see what's actually being tracked on a particular website. So, it's very easy for a third-party plaintiff's firm to figure out what [companies are] actually doing” with the tracking tools.
The increased number of privacy laws also adds to the increase in litigation, said Pavin Kang, associate general counsel at Kajabi, a tech company that sells business tools for entrepreneurs. “With new privacy compliance and efforts, plaintiffs are also [going to] get onto that and understand that there's potential money to be had for them."
Andres said that it seems there's an effort to curb such litigation, noting a bill (SB-690) by California Sen. Anna Caballero (D) (see 2505280028). The legislation would eliminate wiretapping, pen register and trap-and-trace liabilities from online tracking technologies used for business under CIPA. But the measure was postponed until next year (see 2507010057).
“It might stop the CIPA lawsuits, but I think the work that you're going to do to become compliant with CIPA will cover a lot of other compliance pieces that you need to do anyway,” Kang said.
Anna Mogilevski, privacy counsel at AM Health Care, somewhat disagreed. “What's so different about CIPA is that not only" can businesses go after businesses, but private citizens can sue companies, she said. Caballero's bill tries to say that people are protected by the California Consumer Privacy Act, "so we don't need this.”
The panelists mentioned other ways to combat excessive litigation. “A lot of [these lawsuits are] about risk decisions that people are making,” Vahdat said. “The only foolproof way to prevent this from happening is to create a banner wall where you can't get into someone's website without giving that consent,” which is “a hard line stop to transfer of data.”
“That's a really difficult thing" to tell businesses to do because it adds an obstacle for potential customers, he said. “It's a decision: Do you want to allow that customer in, knowing that there's some risk? Or do you want to have 100% compliance?”
Mogilevski said if companies don’t want banners, then they can remove all third-party technologies from their website.
Kang said auditing is also important. “The most important thing you can do is do a data map and understand what data is coming into you,” he said. “From there, you want to do a really simple audit about whether or not things are actually happening and turning off and actually engaging in the way that” you want.