Your Online Business Could Be the Next Target for Costly Data Privacy Lawsuits

If your business operates online and uses common marketing tools, your business is at risk of being targeted for lawsuits under pre-internet wiretapping and video rental privacy laws. It is critical to address and mitigate risk before these claims are filed. 

With few exceptions, modern data privacy laws such as California's CCPA do not give consumers the right to sue businesses directly for privacy violations. Instead, the plaintiffs' bar has turned to pre-internet laws to assert privacy claims against websites.

The result? A huge upswing in lawsuits and demands against websites based on alleged violations of anti-wiretapping provisions of the California Invasion of Privacy Act ("CIPA") and the Video Privacy Protection Act ("VPPA”).

Key Information on the Most Common Consumer Data Privacy Claims

The anti-wiretapping and two-party consent provisions of CIPA prohibit intentionally intercepting or accessing the content of a communication without the consent of all parties involved. The wiretapping provisions in CIPA were first passed in 1967 and are facially focused on the tapping of telephone lines. Recently, enterprising plaintiffs' attorneys have argued, with some success, that third parties that collect data or facilitate communications with customers can be construed as "wiretappers" under the statute. Such internet CIPA claims typically target the use of "pixels," like those provided by Meta or TikTok, chat services, and "session replay" technology, that provides information on customer behavior on a website. If your site uses common third-party tools to interact with consumers or collect consumer data, your business is at risk of a CIPA claim.

The VPPA was passed in 1988 after Supreme Court nominee Robert Bork's video rental history surfaced during his 1987 confirmation hearings. Under the VPPA, a "videotape service provider" cannot disclose information that identifies any of its purchasers, renters, or subscribers without receiving consent that is separate from any other contract between the business and the customer. While Blockbuster locations may have disappeared, VPPA claims have recently proliferated. Plaintiffs' attorneys are increasingly arguing that web sites and other technologies that transmit video to consumers are subject to the VPPA, and that the use of pixels, session replay, and other common marketing data tools constitute violations of the VPPA. If your site embeds video that’s served from a third-party host (like YouTube) or delivers video in a subscription form, including email newsletters, you are at risk of a VPPA claim.

The upsurge in data privacy litigation is exemplified in a recent decision in which a federal appellate court allowed a case under the VPPA to proceed against the NBA. The NBA case makes clear that courts are going to permit consumers to use the VPPA to assert data privacy claims, and that businesses need to proactively mitigate their risk and exposure under the VPPA.

Best Practices for Avoiding These Claims

Following these best practices should reduce the risk of increasingly common CIPA claims:

• Full Disclosure and Consent: For CIPA, a banner or click-through consent that links to your privacy notice and user agreement can provide the basis for a strong consent defense. For VPPA, the consent provisions are narrowly drawn, so a separate consent agreement is needed.
• Contracts: Ensure agreements with providers prohibit using your users' data for anything other than fulfilling their obligations to you. A solid Data Processor Agreement ("DPA”) or CCPA-compliance clause will typically cover this.
• Route Data Through You: Configure tools to collect data through your business. Routing data through your business' servers first defeats the core interception element of a wiretap claim.
• Review Your Terms: Arbitration clauses are very common and can be helpful to businesses. However, when combined with a waiver of class actions, they could cause your business to fall into the "arbitration trap" in which it is required to defend thousands of claims in a "mass arbitration" rather than consolidating them into a class action. This trap is costly because arbitration filing fees are typically charged on a per-claimant basis, and in states where the business is required to pay all, or most, of the fees, a claim with thousands of claimants can yield millions of dollars just in arbitration filing fees. With a few tweaks to an arbitration provision, including providing for the batching of claims, an online business can obviate some of the risks posed by common arbitration clauses.

How Greenberg Glusker Can Help

The best solution is prevention. At Greenberg Glusker, we can help you diagnose risks, choose smart providers and make consents as frictionless as possible. We can also draft, overhaul, or refresh your user agreement and privacy notices.

If you receive a demand or claim, litigators within our Consumer Claim Defense Task Force can litigate the claim, whether your goal is to contest the claim to trial or settle it. Our litigators square off against many of the most prominent plaintiffs' firms in this area and have experience efficiently investigating, responding, and resolving the claim.

If you have any questions, please reach out to Jesse Saivar or Ira Steinberg. We are here to help you understand and comply with privacy obligations.