What to Do When (or Before) You Receive a CIPA Demand

We’re seeing a substantial uptick in connection with demands under the California Invasion of Privacy Act (“CIPA”) for violations of the wiretapping or pen register portions of the law based on a business’s website. In particular, these demands are being made by an individual named Vivek Shah.  Mr. Shah deploys the tactic of sending an unfiled compliant to a business alleging violations of CIPA and stating that the complaint will be filed if the matter remains unresolved, as a way to encourage settlement.

The claims made by Mr. Shah essentially allege that his information, as a visitor to a website, is improperly transferred to third parties when cookies, pixels, or chat bots are deployed prior to the business providing notice to and collecting consent from the visitor for use of these technologies. There are a number of cases proceeding through the California court system for CIPA violations, but at this time we do not have a clear picture as to whether application of CIPA to websites will be upheld as a legal theory of recovery for plaintiffs.  CIPA has traditionally applied to telephone communications regarding wiretapping and pen registers, so the application to internet communications is a relatively new legal theory.

If you receive a demand from Mr. Shah, or another entity, we are able to assist in assessing the demand and reviewing the notice and consent features of your website.  Even if your business is entirely outside the State of California, we are seeing claims in California move forward based on accessibility of the website from California, by a California resident, and the alleged transmission of information on a California resident to a third party.

Similarly, if you have not received a CIPA demand, now is the time to review your website features to ensure that proper notice and consent is in place to minimize the likelihood of receiving a CIPA demand.