December 3, 2022

Volume XII, Number 337


December 02, 2022

Subscribe to Latest Legal News and Analysis

December 01, 2022

Subscribe to Latest Legal News and Analysis

November 30, 2022

Subscribe to Latest Legal News and Analysis

Timing Is Everything: Ninth Circuit Addresses Chatbot Consent Requirements

According to a recent unpublished Ninth Circuit ruling, failure to obtain consent prior to using recording technologies is not sufficient for purposes of the California Invasion of Privacy Act (CIPA). This ruling is notable for website operators as it signals that obtaining targeted consent before using commonly deployed website features – such as chat bots and lead verification recording programs – can nip burgeoning CIPA “wiretapping” lawsuits in the bud.  

Background: Javier vs. Assurance IQ, LLC and Active Prospect Inc.

As background, Section 631(a) of CIPA prohibits (1) intentional wiretapping, (2) willfully attempting to learn the content of communications while the same are in transit, and (3) attempting to use or communicate information obtained as a result of the two previous prohibitions. Further, California is a two-party consent state – meaning that all parties to a communication must consent to recording protected communications. In Javier vs. Assurance IQ, LLC and Active Prospect Inc, the plaintiff claimed that he visited an insurance website that featured a product called “TrustedForm” that records users’ interactions with the website and creates a unique certificate for each user based on the user’s agreement to be contacted. Prior to requesting an insurance quote, the plaintiff allegedly answered a series of questions about his demographic information and medical history.

Allegedly without the plaintiff’s knowledge, TrustedForm captured and created a video recording of the entire interaction in real time. Critical to the Ninth Circuit’s ruling, the plaintiff was not prompted to agree to the company’s Privacy Policy until after the video recording. The court, ruling in favor of the plaintiff, concluded that Section 631 of CIPA requires the prior express consent of all parties. Retroactive consent is not sufficient.

To be clear, the Javier decision is expressly limited in scope. The Ninth Circuit panel only reversed the district court’s primary ruling that the plaintiff’s retroactive consent to Assurance’s Privacy Policy completely defeated the plaintiff’s Section 631 wiretapping claim. Notably, the district court also ruled – albeit in a footnote – that the plaintiff’s complaint should be dismissed on other grounds, including that Assurance, the website operator, was necessarily a party to the communications, and could not have “wiretapped” its own website.

That, however, has not stopped plaintiffs’ attorneys who specialize in trolling websites for alleged violations of various laws (e.g., ADA website or Unruh Act claims) from latching onto Javier and adding Section 631 claims to their shakedown checklist. But in our view, these claims are, in reality, CIPA Section 632 claims improperly dressed up as Section 631 claims. That is, Section 632 protects confidential communications from being recorded without all parties’ consent, while Section 631 protects any communication from being monitored in transit – true wiretapping. Indeed, these plaintiffs would never be able to establish that their voluntary communications and interactions on public websites could somehow be considered “confidential,” so they are forced to conflate recording with wiretapping. And that’s the real bait-and-switch here.

At bottom, the Javier case is far from over. But perhaps the real lesson from this decision is that it would have been over by simply obtaining opt-in consent prior to recording any consumer communications submitted through the company’s website.

What Does This Mean for your Website?

With the Ninth Circuit’s ruling in mind, website operators that engage in tracking, keystroke monitoring, or use technologies such as chat bots and questionnaires that record web sessions must remain vigilant about their respective privacy practices and how to capture consent. While the use of these technologies continues to assist customers in their endeavors, it now creates increased litigation exposure for businesses that utilize these services without obtaining prior consent.

To address this risk, businesses can:

  • Obtain consent prior to tracking or recording interactions, such as through a cookie wall or pop-up box

  • Fully inform consumers of their privacy practices

  • Remain familiar with the privacy practices of affiliated third-party providers, including without limitation storage, recording, and use practices

  • Fully understand at which point in user engagement consumers are notified that their interactivity is monitored and stored

© 2022 ArentFox Schiff LLPNational Law Review, Volume XII, Number 234

About this Author

Adam D. Bowser Litigation TCPA Communications Telecom Law Partner Arentfox Schiff LLP

Adam’s practice focuses on complex litigation in federal and state courts, including class action trials and appeals, as well as related advocacy before administrative agencies in rulemaking and enforcement proceedings. He has been recognized as a Washington, DC Super Lawyers “Rising Star” in Communications Law every year since 2014 and he has recently won several notable victories for clients brought into class-action litigation arising out of consumer protection and privacy laws, particularly the Telephone Consumer Protection Act (TCPA). As part of his deep expertise...

Eva J. Pulliam Attorney Brand Protection Arent Fox Schiff Washington DC

Eva splits her time between Washington and San Francisco and concentrates her practice on brand protection: protecting data, brand image, and brand names. She advises clients across numerous industries on best practices in the areas of data privacy, advertising and marketing, and trademark. Household names, tech giants and startups, non-profits, and other innovative organizations call on Eva to guide them through product development and brand management. 

In the privacy space, Eva counsels clients around data collection, use, and transfer, as...

Christine Chong Privacy Attorney ArentFox Schiff San Francisco

As an Associate on the privacy, cybersecurity, and data protection team, Christine helps clients with regulatory compliance, data breach response, technology transactions, vendor contracting, marketing initiatives, and external and internal-facing policies. Her clients include international consumer products, e-commerce, manufacturing, data analytics services, retail and technology businesses, and not-for-profit organizations. 

Christine regularly advises on ethical data use, machine learning and artificial intelligence, vendor contracting, and...

Destiny Planter Attorney Copyright Law ArentFox Schiff Washington DC

Prior to joining ArentFox Schiff, Destiny was awarded the Frances Phillips Fellowship. She used this opportunity to work with the African Network for the Prevention and Protection against Child Abuse and Neglect and volunteer in orphanages in Kenya and Ghana. She then joined the Carolina College Advising Corps at Ben L. Smith High School in Greensboro, North Carolina, where she worked to increase the rates of college enrollment and completion among low-income, first-generation college and underrepresented high school students.

While in law...