California Invasion of Privacy Act (CIPA) has become a focal point in recent legal battles, particularly within the retail industry. As retailers increasingly adopt technologies like session replay and chatbots to enhance customer experiences, they inadvertently tread into murky legal waters. These technologies, while valuable for optimizing websites and addressing customer inquiries, have faced a barrage of lawsuits and threats. Claimants argue that using these tools without obtaining customer consent amounts to wiretapping or using a “pen register.”
Session-replay software records specific customer interactions on websites, aiding in bug fixes, issue investigation, and market optimization. However, these tools may fall under so-called “two-party consent” statutes. For instance, the California Penal Code § 631 (a) requires consent from all parties involved in a communication. Retailers across various industries—clothing, finance, jewelry, and more—have found themselves in the crosshairs of these lawsuits.
At least 40 lawsuits originating in California have been filed involving CIPA since May 31, 2022. May 2022 was when the U.S. Court of Appeals for the 9th Circuit ruled in Javier v. Assurance IQ that, under CIPA, allparties to a “communication” must consent to that communication. Essentially finding that if a website does not request consent prior to a consumer engaging with a website, recording of any kind would be without valid consent.
As such, retailers with an online presence need to review the use of technologies such as session replay and chatbots and ensure there is a mechanism for consent from the consumer prior to interaction to ensure compliance with CIPA and other statutes that require two-party consent when recording communications.
If you have questions about CIPA compliance or related issues, contact a Jackson Lewis attorney to discuss.