California is famously a two-party consent state when it comes to recovering phone calls. After the Ninth Circuit handed down Javier v. Active Prospect this Tuesday, it appears to have just become a two-party consent state when it comes to recording information about website visits as well. And is that sounds insane–it is.
Let me lead with the headline here and then explain its significance.
Without citing any case law, or performing any analysis, a Ninth Circuit COA panel just casually (and massively) expanded the reach of California’s wiretapping statute–the California Invasion of Privacy Act (CIPA)-to cover essentially all interactions on websites.
Here’s the language:
Though written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who “reads, or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication.”
As a result, it appears a website publisher must now obtain the user’s permission before recording any information about the user’s website visit. (Think, i.p. address, date and time of visit, etc.)
You see where this is headed?
Notably, the CIPA contains a $5,000.00 per violation of private right of action. And last time I checked class actions were permitted.
So every website publisher–wait, don’t I own a website?–that records information regarding a California consumer’s visit to their site may be violating California’s two-party consent rules and owe every consumer that has visited their site over the past few years $5k.
Cool. No problem. I can see why the Ninth Circuit COA wouldn’t need to do a deep dive analysis here or think this one through.
Naturally, it gets even better.
Not only is Javier a massive expansion of CIPA, it is also arguably the biggest Telephone Consumer Protection Act (“TCPA”) case since Facebook.
To understand why you have to understand a little bit about how the TCPA operates in cases arising out of webform submissions. The TCPA requires express consent for a business to call a customer or potential customer. FCC regulations put the burden of production on the issue of express consent on the caller. When it comes to consent obtained via a webform submission, therefore, a caller must come to court with evidence regarding the precise verbiage on a website, the date and time of the consent, the ip address and other identifying information, etc.
While this information can usually be captured fairly easily (and regularly) by a website provider–again, Javier puts this basic practice in jeopardy but we’re moving past that right now–in the context of a web form submission that is sold to another party the buyer is not likely to have that information handy.
Actually, let me back up for a second. A lot of you are probably saying “wait, why would a web form submission be “sold”?”
Welcome to the world of performance marketing and lead generation.
There’s a whole multi-billion dollar industry out there that helps connect consumers with products that they need and want. Sellers of products cannot and do not rely on their own internal marketing resources to connect with consumers. They turn to other experts (think Lending Tree) who use various tactics to drive consumers to websites to obtain their consent to be contacted by service providers who can offer them the loans, insurance, or solar panels they’re after. Those webform submissions are then sold to the actual product supplier/service provider.
Weird though it sounds there are actually thousands of these companies, all serving as middlemen between consumers and product suppliers.
Now, here’s is where we get back to Javier.
The product/service suppliers buying these leads need to be able to prove that they have consent under the TCPA if they get sued. And it is a real pain for them to have to go back to the lead seller over and over again for proof that a lead is genuine. Plus–let’s face it–these middlemen might just be lying to them.
So how can you prove that a website interaction is genuine if you the website owner have complete control over the content of the website and the data submitted on the website?
Enter Active Prospect.
AP is a sincerely great company with sincerely great people that work for them–they’re friends of mine and I happen to believe in their solution.
What AP does is track an interaction on a third-party’s website to confirm that a consumer really went onto the website, filled in information, and clicked the button to accept consent. The complete content of the website disclosure is captured and frozen in time. And whether a caller wants to audit its vendors or prove it has consent in defense of litigation it can use AP’s product (called Trusted Form) to accomplish it quickly and easily.
It's truly just a great product.
Except that the Ninth Circuit just held it constitutes wiretapping.
I really cannot.
And somehow this whole thing gets even more facepalm worthy.
A while back I had a case in PA where a Plaintiff claimed my client had violated the state’s eavesdropping statute by recording him without permission. This is a transcript of the call (from memory):
Defendant: Hi, this is [Company]. May we record this call for quality assurance?
The Plaintiff in that case sued my client arguing that it had violated the eavesdropping statute by recording him before he was asked if he could be recorded.
The Court in that case had the wisdom to inform Plaintiff that he was nuts. And the case quickly disappeared.
The Ninth Circuit lacked that wisdom.
Not only does the Javier ruling seemingly endorse the logic of the whakadoodle (my opinion) Plaintiff in that case, it goes even further.
In my case, after all, Plaintiff had said he did not want to be recorded. In Javier, Plaintiff actually AGREED TO BE RECORDED. Yet the Javier panel held he could still sue because HIS AGREEMENT TO BE RECORDED WAS, ITSELF, RECORDED by AP. And that was the predicate act of wiretapping enabling the CIPA claim.
Like I said, I just cannot.
So to summarize:
I’ve had it with judges that do not understand technology–although, per usual, I will question whether the defense lawyers here (not me) did enough to make sure the panel “got it” in this instance;
Until Javier is fixed, website owners probably can no longer safely record any data regarding website interactions with California consumers without consent–and after yet another bad recent Ninth Circuit ruling it is unclear to me whether that consent can be obtained using browser wrap terms and conditions;
Website owners DEFINITELY need to obtain consent before using third-party witness programs like Trusted Form. And NO you cannot use Trusted Form to prove that consent to Trusted Form use was obtained;
I suspect all of this can be solved through the clunky and inelegant method of depriving internet users access to your website until they sign a big ole gross disclosure authorizing you to record all the things you want to record about them. I always love it when I can’t access a website before I sign a disclosure. I’m sure you do too. Thanks to Javier I can guarantee you will see a lot more of these barriers to websites. Maybe it's a good thing. But it certainly will make the internet a junkier pace to live.
The Plaintiff’s bar is all over this. Received three calls this week from Plaintiff’s lawyers telling me they’re going to “crush” so and so company or “ruin” such and such brand. Usually, I would tell them they’re nuts. This time, I’m not so sure they are.
The only good news here–and it is important good news–is that the case is unpublished. Plus it's a federal court’s take on what it thinks the California Supreme Court might do. It is not binding in California, per se. So maybe district courts will ignore the ruling, but probably not. Let’s hope the California Supreme Court or a new Ninth Circuit panel looks at this quick.
Don’t shoot the messenger folks. And (try to) have a good weekend.