Privacy Daily is a service of Warren Communications News.

Lawyers: CIPA Injuries Must Be Based on Traditional Torts

A federal court recently added to the split in thinking on bringing claims against website tracking tools and analytics under the California Invasion of Privacy Act (CIPA). In this situation, it dismissed a case for lack of standing after the plaintiff failed to allege a concrete injury, said Fisher Phillips lawyers in a blog post Thursday.

In Price v. Converse, the plaintiff argued CIPA’s Trap and Trace Law was violated after the shoe company's website deployed a software development kit (SDK) that collected data and shared it with a social media company’s tracking pixel, without the prior opt-in consent of the plaintiff.

But the U.S. District Court for Central California found that “merely claiming a statutory violation of CIPA is not enough” to bring a case, said the lawyers. Instead, “there must be a harm closely related to traditional privacy torts like intrusion upon seclusion or disclosure of private facts” to establish a concrete injury and standing.

Though Judge Fernando Aenlle-Rocha noted the alleged device fingerprinting and subsequent data collection was, as the blog put it, “potentially undesirable,” it was not a “highly offensive” invasion of privacy. As in Popa v. Microsoft, the takeaway was “that an ‘injury in law is not an injury in fact’” (see 2508270052 and 2510240042).

“This case underscores a growing judicial recognition that many CIPA ‘pixel’ lawsuits are overreaching -- targeting ordinary marketing activity rather than genuine invasions of privacy,” said the Fisher Phillips lawyers.

Still, businesses should practice prevention, even though the courts “increasingly [are] dismissing suits that allege technical privacy violations without real-world harm.” Auditing websites for tracking tools, monitoring cookie consent processes, gaining user consent and disclosing data collection are recommended, the blog said.

In a LinkedIn post, Usama Kahf, a Fisher Phillips privacy attorney, said Converse “hits it out of the park” and “scored a great win for all businesses facing” CIPA cases alleging tracking software.

Federal courts are divided on whether data collected through pixels is private enough for there to be a concrete injury, Kahf said.

“For the typical website operator, there really is no harm,” Kahf argued in the post. “So what if third parties got your IP address and device identifiers and what you clicked on?” he added. “How are you really harmed? If you don't want to be surveilled,” stay away from those sites.