Navigating CIPA Claims: Strategies for Protecting Your Business

Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels, here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:35

Hi, I’m Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology, since data is critical to every transaction, I help clients make in four business decisions while managing data privacy and cybersecurity risk and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:54

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com.

Justin Daniels 1:34

What’s up? Been a long time since we last broadcast?

Jodi Daniels 1:39

Well, we’re here for some more fun. Are you ready for some fun? Let’s have some fun. All right, today we have Jessica Lee, who chairs Loeb & Loeb privacy security and data innovations practice and serves as chief privacy and security partner. Jessica provides strategic legal counsel to companies navigating complex data governance issues, helping companies turn compliance into a competitive advantage, which I just love. So Jessica, welcome to the show.

Jessica Lee 2:11

Thank you for having me.

Jodi Daniels 2:13

You’re back to being giddy again today. Did you take, like, the giddy pill or something?

Justin Daniels 2:16

No, I did not. I had coffee this morning. But, you know, I don’t drink coffee — you should try something. No, they have lemonade. So I drink that.

Jodi Daniels 2:24

She had a delicious cup of coffee this morning. It was so hot, and I’m trying to figure out how they keep it so hot. My coffee at home is hot for about four seconds. One of the world’s mysteries is a mystery. If anyone listening has a solution to keeping my coffee hot. I genuinely would like to know.

Justin Daniels 2:43

Maybe you should make that into a LinkedIn post with a hot cup of coffee.

Jodi Daniels 2:46

I need a social post today. It’s going to be coffee if anyone’s listening now, you know when we record it. Okay, carry on.

Jessica Lee 2:52

You need — I’ll say I can give a suggestion here. Please. You need a mug. And Zojirushi is a Japanese brand. It is the best coffee mug I’ve ever had. I make them make the coffee at home, like four o’clock if I wanted to. Coffee is still hot later,

Jodi Daniels 3:09

I definitely need to check this out. Thank you. I really appreciate it. That is my contribution. I appreciate it, right? We’re all done here. We can move on. Okay, no, we’re not really gonna move on. Yeah,

Justin Daniels 3:20

sure. Okay. So, Jessica, why don’t you tell us a little bit about your career journey?

Jessica Lee 3:25

Sure. Well, my journey is probably similar to some of the other privacy professionals you’ve spoken to, and that is, it was winding. So I, you know, started my legal career off at Skadden Arps in their litigation department. So I was doing big securities litigation, completely unrelated to what I’m doing today, except the fact that, you know, generally, litigation skills, I think, are very transferable. But there was no privacy curriculum when I was in law school. I think the closest I got was an electronic communication class and some media and communications classes, but it wasn’t an area that was introduced to me. And so I, you know, stayed at Skadden for a few years. I had a federal clerkship for a year, and then I made my way over to Loeb & Loeb in 2011 mostly because I I thought where my interests were going to lie were really at intellectual property. And Loeb had a great practice, great entertainment practice, big advertising practice. But while I was here, I started doing work for a group called advanced media and technology, and that work was really exciting. That was where, kind of all the digital work land. It was a group that the firm formed when Google acquired double click with an eye, that they would deal with all the issues that would come up when advertising went online, and so they had some privacy issues when they needed help. I would do the research. And a year into my time at Loeb, and moved into that group full time, and started doing all the things that that group did, but eventually focusing on privacy. And then, you know, Dot. Dot. Dot. Now I’m the chair of the —

Jodi Daniels 5:01

True. I love the winding concept. It really is true for so many privacy professionals, if you’re not brand new at kind of graduate who’s choosing this career, but if, if you’ve been doing something for a while, there’s definitely a winding path. I really like that concept, which I

Jessica Lee 5:18

actually think is good, because I think you get the grounding and the the business and the industry and other legal principles and all of that is relevant, I think, to what we have to navigate on a day to day basis. And so I do think it’s helpful, because sometimes I’m jealous of the people who say they can come out and they know exactly where they’re going, and they’ve taken, you know, a ton of privacy classes in law school, and they just kind of hit the ground running.

Jodi Daniels 5:41

I do agree. I think the business experience that I have is really helpful, because I’m always thinking about the business issues from multiple different angles because of the experience I have when we’re trying to sort through whatever interesting problem they have. Speaking of problems, today, we’re going to talk a lot about CIPA, which seems to be the bane of some privacy pros daily, and it’s a really popular discussion. And at the same time, not everyone actually knows what CIPA is. I was hoping we could start with, can you give us a little bit of a primer? What is CIPA? And then do we just have to worry about CIPA, or are there CIPA, like other laws that maybe companies should be paying attention to as well?

Jessica Lee 6:28

Yeah, absolutely. So, I mean, at the federal level, there’s a federal wiretapping act, and then there’s ECBA, the Electronic Communications Protection Act, which extended the federal wiretapping regulations to electronic communications. And so CIPA, California’s Invasion of Privacy Act, is the state law version of that federal bill, right? So we see this in a number of places. You have a federal law, you have state law versions or implementations of that. So that’s to say that CIPA is, I think, one of the most popular with the plaintiff’s bar. But there are CIPA-like laws in multiple other states, and you know, the plaintiff’s bar, I think, has latched on to CIPA, in part because for eavesdropping at the federal level, and then at some states, you only need one party to consent, right? Right? So if I’m the one recording our call and I consent, that’s good enough. California requires two parties to consent, and so that’s where the rub is, right. If you don’t have the other party, and you need the consumer in those cases — their consent, you know you potentially have an argument that you violated CIPA. And so big picture, CIPA is the state version of the federal wiretapping Act, which makes it illegal to record calls or intercept communications, I should say, without the consent of both parties. And there’s some nuance in there. You know, it’s the content of the communication. Those communications have to be in transit. But big picture, that’s what the regulation covers. And there is the interception of communications piece of it. There’s also another piece of it, which has become more popular, I would say, like in the last year or so, which also restricts the use of pen registers and tap and trees technology without getting without getting a federal subpoena or without getting cons, without getting a subpoena or without getting consent, so we see interception of communications or using tap and trace technology. Those are kind of the two prongs of CIPA, and those are where most of the claims have been concentrated.

Jodi Daniels 8:39

Very good primer. Thank you so much.

Justin Daniels 8:45

So I think the next thing we’re interested in talking a little bit about is, you know, can you give a flavor for what we’re seeing lately with some of these CIPA cases and how they’re progressing through the courts, and do you see them increasing or decreasing? I would think with AI, we may only see more stuff. But what do you think, Jessica?

Jessica Lee 9:04

Sure. I mean, it’s like a little bit of a roller coaster that’s actually been going on for several years at this point. So we started off a few years ago without with claims that session replay cookies, right? Cookies that would be on the site that would basically monitor your mouse movements or create heat maps. The idea is most for the most part, the session replay cookies were used to understand how someone was navigating around a site, so you can make sure it’s optimized for the best use. Sometimes the session rate replay cookies could be used to capture consent. So if you’re getting consent, that cookie could be used for that purpose as well. But I think you know, prior to that, had been seen as fairly innocuous cookies, but the allegation was that, because you could capture some potential communication with the website, that those cookies were the use of those cookies without getting consent violated CIPA and there have been a mix of decisions. You know, there were a number of favorable decisions to the defense side, which came out and said, Well, you know, this isn’t really what this is. This technology isn’t really what the law was meant to cover. These aren’t really communications questions around whether or not it was in transit, kind of getting down into the weeds of what these claims were. And then, you know, the plaintiff’s bar, that was very creative, and so they just move on right? And so we’ve seen these cases brought up in the context of a session replay cookie is we’ve seen it brought up in the context of chat bots. I think those have had a little bit more stickiness, although that’s an easier problem to solve you. But the fact that the you know chat will be recorded at the top of the chatbot window, and that should be sufficient. And then you see in a new flavor, which was really focused on social media pixels with, you know, Meta and TikTok pixels being kind of two, I think of the, again, favorites of the plaintiff’s bar, to say, using those on your site without getting consent potentially violates CIPA. And so those have wound through the court. The problem is there have been a number of cases like I said that if that came out and said, you know, this doesn’t apply, or have dismissed the claims and for a variety of reasons, but you always have one or two cases here and there that give the plaintiff’s bar some hope. And so that’s kind of what we’ve seen. And the most recent wave that I mentioned earlier with the tap and trace technology. And, you know, just to, you know, for those who haven’t dug into this, you know, the pen register and the tap and trace, think of it as like outbound and inbound, right? So one records address information that gets sent out, others record what gets sent in. So it’s not the content of the communication. It’s basically like the addressing information, the sender and the receiver information. So if we’re talking about pixels, we’re probably talking about like IP address for example. We have seen some favorable cases. There was a case actually involving Ka’Chava that alleged that session replay software could be a pen register that was installed without getting consent. And the court there said, Well, you know, if the software identifies the consumer, gets data, and, you know, correlates that data through fingerprinting that potentially could fall into the definition of a pen register under CIPA and so again, that gives the plaintiff’s bar some hope, and we should keep in mind here, I don’t know how many plaintiff’s lawyers are listening to the podcast, so I will apologize in advance, but you know, from My point of view, these are really shakedown claims, right? Like, we have cases that are working their way through court, but the vast number of these are getting settled beforehand, right? Because litigation is expensive and you really have to have the appetite to fight the claim. So a lot of these, you’re getting, like, form letters that get sent that say we can see that you have this cookie, this chat bot, we have this pixel installed on your site. You did not get consent. You violated CIPA. Sometimes they’ll tack on some other claims. And you know, sometimes these things settle from somewhere between like $12,000 and $50,000. You know, rinse and repeat that enough times. You know that’s a good enough business, I guess, for some. And so we’re watching what happens in the court, but we’re also just seeing a lot of these cases get settled. And when you have one or two good decisions, it just means that the life of these will continue, and if you get a bad decision, you’ll just find a new Ave, potentially, or a new, creative path through which to kind of push these claims forward. So I do think that, you know, if you ask me this question, maybe, like, a year, year and a half ago, I might have said, Oh, we’ve got, like, a couple of favorable cases, so we might start to see these, these die off. But with, you know, some of the cases that came out last year there. I think there is at least a sprinkle of hope for the plane to spar and so we’ll see them continue, at least for now.

Jodi Daniels 14:06

My next question is, what, what do we think about the flavor for, for next, for the next wave? So I guess we’ll just have to wait and see a little bit, which brings people listening, well, the million-dollar question. Well, maybe not million dollars, just the big question, what should companies do to try and help mitigate the risk from any of these cases? What would you recommend companies start with, sure?

Jessica Lee 14:35

I mean, I would start with doing an audit, right, of your site, right? Right? Because these are the reasons why these claims are somewhat easy to bring, because it’s visible, right? You can use, you know, easily accessible technology to scan a website and see what cookies are running. You know, you can look into the code or the header the site and see, potentially, what data is leaving and who’s who it’s going to Yeah. And that’s really what’s forming the basis of these, you know, the demand letters when they come in. So, and I, you know, a lot of companies, particularly larger companies, if you have multiple websites, multiple platforms, multiple teams running these platforms, you know, getting a good system of understanding Well, what’s actually on all the sites that we control and how is everything configured. Do we need to, you know, make it clear in our privacy policy that we’re using this technology. Do we need to get consent? You know, consent not necessarily always being opt-in consent, but is there some version of consent that we need to get that would, you know, make our position a little bit more defensible? What can we put in place if we have a chat bot? Do we have, you know, the consent language in the chat bot? So, I mean, the base layer of everything is figuring out what’s going on on your site. And then the next piece of it is, do we have things configured properly if we’re not trying to share as much information? And if we don’t do we need to be clear, transparent, and look for ways to get consent. Those are kind of the steps I would take.

Jodi Daniels 16:07

Well, knowledge is certainly power, and always understanding which pixels and which cookies you have on a site is very, very important. And we see a massive gap of companies not knowing what is there, for a number of different reasons that I think we might talk about here soon.

Jessica Lee 16:28

Yeah, and I would also say, I mean, there was, there’s some, there’s a concept of a primary purpose exemption, or primary purpose exemption. So if a company is working on your behalf, like they’re an extension of you, they’re not using your data, the data, for their own purposes. You know that potentially, is an avenue out of this litigation, but that, again, requires you to have, you know, good contract terms in place. So after you get past the technology piece, it’s also, what terms do we have in place? Do we have strip controls over, you know, any third parties about cookies or trackers on our site? If we can’t get those terms in place, can we configure it so that they don’t get as much data, or the data gets sent back to our systems, not to their systems, you know? So it’s hard to give, you know, the high level advice, because you kind of have to get into the weeds of what’s going on your site, but it’s both the technology, I think, and also some of the contractual protections, again, trying to build up as many defenses as possible for when these claims come.

Jodi Daniels 17:31

Jessica, that is suggesting kind of like the service provider concept, where, if I was sending data to this other third party, but the third party can’t use it for other purposes. Is that what you mean or something a little bit different?

Jessica Lee 17:44

Yes, yes, exactly, and that’s for the interception of communications prong of CIPA. So if you can show that that third party is merely acting on your behalf, right, they’re not using that data for their own purposes, that’s one potential avenue out of the out of the lawsuit. And, you know, I should say the challenge here is also where, and we see this in other cases. This comes up in the VPPA litigation as well, where you’re applying, you know, old laws to new technology, and so you’re seeing judges kind of grapple with, does this thing that doesn’t exist, that didn’t exist when this law was passed. Does it kind of fit into this legal framework that can we parse through this technology and how it works, and you’re asking judges to parse through technology and understand how it works, and sometimes that works well and sometimes it doesn’t. I think that’s also why you’re seeing this like back and forth in some of the case law, because it really kind of depends. On who you’re in front of and and how well you can explain whether or not what you did on your site meets the statutory definitions. So that’s also why it’s kind of like, you know, building up ammunition. So it can’t be just one there’s no one solution. It’s not like, slap a cookie banner up on your website, and that’s going to take care of it. You need to have multiple potential defenses against these claims.

Jodi Daniels 19:08

The idea of an archaic law in modern technology. Justin, I feel like we’ve had that discussion a number of different times in a variety of areas.

Justin Daniels 19:17

Yep, the VPPA would be another one. And but you’re right.

Jodi Daniels 19:23

Well, just even in general, so beyond banners and opt out, so we just talked about maybe not just a cookie banner is going to be the complete solution. What are best practices that you’re seeing companies do as it relates to managing all these different pixels and trackers that they have on their sites?

Jessica Lee 19:42

Yeah, I mean that that cookie audit and cookie management and having a program around that, you know, it’s not always possible, but you know, companies that are able to have either a centralized system so that, you know, there’s one place to manage when cookies go up and come down. Particularly for companies that, you know, run ads on their site, sometimes cookies go up in a campaign and you don’t remember to take it down. So you have a cookie that’s on the site that you know, no one’s remembered to remove, right? So getting a good kind of cookie pixel hygiene, I think, is critical if you can’t have it centralized, you know, have clear owners, right? Have some system or process in place so that you don’t have activity happening on your site that could jeopardize because I jeopardize your position, because what I see sometimes is that, you know legal or harbors and compliance puts together a privacy statement, or they design whatever the privacy communication or disclosures on the website, and then you have another team that’s actually doing the things that the website does right, like the advertising, the marketing motions, all the coding. And if those two teams aren’t talking to each other on a fairly regular basis, what I told you today that went into what those disclosures said might have changed. And so now what you said publicly is no longer accurate, and so making sure that there is this kind of like constant flow of communication, I think, is critical. And I do see companies putting up, you know, cookie banners, or looking for more prominent notice, making sure whatever they’re doing, whether it’s session replay cookies or something else, all of that is clear in their privacy policies. I mean, this litigation is all happening at the same time as we’re seeing, you know, each year a new wave of new privacy litigation that also, I mean, sorry, privacy regulation from the states that also requires you to, you know, have transparent notices. Sometimes get consent, you know, provide clear opt outs. And I think it’s, it’s challenging for companies, because you have one set of regulations that says one thing, and most of these laws, outside of sensitive information or kids, are opt out, right? You can have the do not sell or share in the footer of your site, and that’s generally that, you know, that complies with with most of what these regulations require, and then you have this litigation that’s coming up, and you’re trying to play Whack-a-Mole with it, and, you know, so do do I now need to get opt in consent, when the law doesn’t require me to get opt in consent? Do I get opt in consent? Because that’ll satisfy this risk, knowing that there could be, there’s some new law that could get dug up, right? You know, we saw if it was last year, the year before a New Jersey law, the Daniel’s Law, was being brought out, potentially. So there, there’s going to be, there’s always going to be some attempt to, you know, raise some law from the dead and use it for a new purpose. And I think, kind of trying to anticipate that is a challenge. So I see companies just trying to get good hygiene around what they’re doing so that they can make sure that they are at least as buttoned up as possible, understanding that it’s going to be like trying to chase a ball down a hill, like trying to get ahead of the litigation. So I don’t know if that’s the best endeavor, as opposed to just making sure you have a defensible position about what you’ve done in terms of your program.

Jodi Daniels 23:06

Cookie governance, I think, is a popular topic this year that I’m really hearing companies focus on, and the need to be able to understand and really rein in what is actually happening on the site. A lot of companies will rely on agencies, and agencies sometimes have free rein, and companies don’t always know what is actually happening. So I would encourage anyone listening, if you’re working with agencies and they have access to your site, to really create ongoing reviews, ongoing scans, conversation approvals in place to be able to manage that. And some people might say, well, but there’s thousands of those pixels. There’s still a way to be able there’s our tools and technologies available to be able to scan for that, and then you need someone to be able to review and kind of flag. And I also see Jessica you commented on, which is that people will put those pixels up, and then they forget to take them down. And you could have those up for years, and when you do that scan, people are saying, what is that random cookie? Oh, right, remember, we tried those people out, and we completely forgot about them for years. You’ve been giving data now to a company, and who knows what that company is doing with that data. So we really don’t want data leakage, and cookies are one of those places that can have that. And I’m very excited that I think cookie governance is here to stay, or get started, even more than just cookie banners. I think we’re starting to move to that next evolution beyond just the banner and opt-out or link.

Jessica Lee 24:34

I hope so. I hope so. Yeah, because I see the same thing, I feel like we’ve had conversations, you know, coming out of the EU and the e-privacy directive to all the sales share conversations, there’s been a lot of talk about cookie and cookie governance. But, you know, these are big lifts for some companies, so I feel like it’s been a slow move, but I definitely see the momentum increasing, because the risk, you just can’t ignore it now. Now it’s kind of coming from all sides, so it’s hard to bury your head in the sand, even though it is a big project, I think, to get your to arms around.

Jodi Daniels 25:08

Absolutely, I completely agree.

Justin Daniels 25:13

So Jessica, what is your best personal privacy tip you’d share if you were hanging out at a party and privacy came up?

Jessica Lee 25:21

Well, I mean, it comes up at every party I go to. So, you know, I really have to sample my toes with information. For people, you know, I’ll say two things. It kind of depends on who I’m talking to and where they said, like so, for example, my sister, unlike me, is very much a tin foil hat. Person she, you know, does not want to be on social media, does not want any of those things. And so, you know, I tell her where to go to look in the privacy policy for the information that she wants, right? Like you want to know what’s getting collected and who it’s going to and generally, how it’s going to be used. And so how do you kind of parse through what ends up being a long document to find kind of the key information? And then, you know, I talked to her about things like the controls on your browser, in terms of like clearing your cookies out, you know, making sure all the height and controls are on your phone. Not everyone is in that position, though. So if I’m talking to someone who’s a little bit just call it a little bit more open about things, I go back to just at least understand what’s happening on the site when you’re navigating it, look at the privacy policy, that’s what it’s there for, and then make a decision based off of that.

Jodi Daniels 26:40

You have a face: I read privacy policies.

Jessica Lee 26:45

Yeah. I mean, you don’t have to read the whole I mean, I mean, you read what you like thing —

Jodi Daniels 26:51

Relevant sections.

Jessica Lee 26:53

Yeah, exactly. Relevant sections for, oh, I didn’t know that they were doing that. Well, they told you, you just didn’t want to read, you know, the policy for it, but yeah, I mean, and obviously there are tons of controls with people who don’t want to be tracked and don’t want to be followed, and, you know, browsers that people can use, but most of the time, you know, all the fun parties where privacy is the hot topic. People really just want to understand why or how something’s happening, as opposed to all like wanting to shut it off. It’s more of a how do I figure out what’s going on and parse through the noise?

Justin Daniels 27:31

Interesting. So when you are not advising clients on privacy or talking privacy at a party, what do you like to do for fun.

Jessica Lee 27:43

Well, anyone who’s heard me speak before, this might not be a surprise and might not be that fun to everyone, but I do. I run marathons, so that is a hobby I guess I have. Like I was up at 6:15 on the track this morning in the freezing cold to run to prepare for the next marathon that I have. So I don’t know if that qualifies as fun, but —

Jodi Daniels 28:13

It’s fun for you.

Jessica Lee 28:14

That is something I do for fun.

Jodi Daniels 28:17

I am glad there are people like you who find that fun. I do not find marathons fun, but that is okay.

Jessica Lee 28:23

Yeah. Well, you travel. I’m running the Berlin marathon later this year. So, I mean, you know, you go for a couple of hours of running in Berlin, that can’t be, that can’t be bad.

Jodi Daniels 28:33

Oh, the Berlin part sounded good. Yeah, it was the couple hours in the middle. Well, we’re so glad you joined us today. If people would like to connect and learn more, where’s the best place to go?

Jessica Lee 28:48

Sure, you can find me on LinkedIn, or you can — yeah, actually LinkedIn is the best place. So if you look for Jessica B. Lee on LinkedIn.

Jodi Daniels 28:58

Awesome. Well, thank you so much. We really appreciate all the insights you shared on the fun of CIPA, thank you. Thanks for having me.

Outro 29:10

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.