Timing Is Everything: Ninth Circuit Addresses Chatbot Consent Requirements
According to a recent unpublished Ninth Circuit ruling, failure to obtain consent prior to using recording technologies is not sufficient for purposes of the California Invasion of Privacy Act (CIPA). This ruling is notable for website operators as it signals that obtaining targeted consent before using commonly deployed website features – such as chat bots and lead verification recording programs – can nip burgeoning CIPA “wiretapping” lawsuits in the bud.
Background: Javier vs. Assurance IQ, LLC and Active Prospect Inc.
As background, Section 631(a) of CIPA prohibits (1) intentional wiretapping, (2) willfully attempting to learn the content of communications while the same are in transit, and (3) attempting to use or communicate information obtained as a result of the two previous prohibitions. Further, California is a two-party consent state – meaning that all parties to a communication must consent to recording protected communications. In Javier vs. Assurance IQ, LLC and Active Prospect Inc, the plaintiff claimed that he visited an insurance website that featured a product called “TrustedForm” that records users’ interactions with the website and creates a unique certificate for each user based on the user’s agreement to be contacted. Prior to requesting an insurance quote, the plaintiff allegedly answered a series of questions about his demographic information and medical history.
That, however, has not stopped plaintiffs’ attorneys who specialize in trolling websites for alleged violations of various laws (e.g., ADA website or Unruh Act claims) from latching onto Javier and adding Section 631 claims to their shakedown checklist. But in our view, these claims are, in reality, CIPA Section 632 claims improperly dressed up as Section 631 claims. That is, Section 632 protects confidential communications from being recorded without all parties’ consent, while Section 631 protects any communication from being monitored in transit – true wiretapping. Indeed, these plaintiffs would never be able to establish that their voluntary communications and interactions on public websites could somehow be considered “confidential,” so they are forced to conflate recording with wiretapping. And that’s the real bait-and-switch here.
At bottom, the Javier case is far from over. But perhaps the real lesson from this decision is that it would have been over by simply obtaining opt-in consent prior to recording any consumer communications submitted through the company’s website.
What Does This Mean for your Website?
With the Ninth Circuit’s ruling in mind, website operators that engage in tracking, keystroke monitoring, or use technologies such as chat bots and questionnaires that record web sessions must remain vigilant about their respective privacy practices and how to capture consent. While the use of these technologies continues to assist customers in their endeavors, it now creates increased litigation exposure for businesses that utilize these services without obtaining prior consent.
To address this risk, businesses can:
Obtain consent prior to tracking or recording interactions, such as through a cookie wall or pop-up box
Fully inform consumers of their privacy practices
Remain familiar with the privacy practices of affiliated third-party providers, including without limitation storage, recording, and use practices
Fully understand at which point in user engagement consumers are notified that their interactivity is monitored and stored