Keypoint: Slurry of litigation filed by privacy-plaintiffs has survived its first motion to dismiss challenge in a California court but faces tougher challenges ahead.

Anyone who has called into customer service for any major company has likely been told: “This call is being recorded for quality assurance.” Companies have long used those prepared messages to put callers on notice that their communications are recorded, avoiding claims that the companies have violated wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. Companies are now facing claims that offering the ability for their website visitors to chat with a virtual or human agent violates these same wiretapping statutes when the website visitor accesses the site from an all-party consent state. In this post, we examine the rise of these chat-based wiretapping claims and how website operators may hope to avoid them.

The California Invasion of Privacy Act (“CIPA”) is the California analogue to the federal Wiretapping Act. It is codified as California Penal Code Sections 630 et seq. and was enacted in 1967. It provides a private right of action with a potential statutory damage of $5,000 per violation.

In May 2022, the Ninth Circuit held “Section 631(a) applies to Internet communications” and “makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.” Javier v. Assurance IQ LLC et al., 2022 WL 1744107, *1 (9th Cir. 2022). The Ninth Circuit’s decision dealt with session replay technology, which we have covered in this earlier post, and not chat functionality. Nevertheless, the decision has been recognized as kickstarting a flurry of lawsuits. After the Ninth Circuit’s Javier decision, California-courts saw an influx of cases that alleged website operators violated Section 631(a) of CIPA by recording chat conversations with website visitors.

More than 70 cases alleging violation of CIPA by chat functionality have been filed in California Federal district courts since July 2022, mostly filed by one law firm. Although many of these have been voluntarily dismissed, these cases have not yet been meaningfully tested on their substantive, rather than procedural, strengths. Only one district court has considered even a motion to dismiss one of these cases. That one decision, however, did not meaningfully resolve whether these cases would survive a more substantive challenge beyond the pleading stage. In a recent case, the plaintiff alleged they visited the defendant’s website, which allegedly used a third party to embed code in a chat feature that would allow the defendant to record and transcribe private conversations and for a third-party to intercept, eavesdrop, and store transcripts using the chat functionality. 2023 WL 1788553, *1 (C.D. Cal. Feb. 3, 2023). The central district rejected the defendant’s argument that the chat communications did not fall under CIPA and that the plaintiff failed to adequately plead the communications had been intercepted.

The central district did not resolve whether the plaintiff had consented to the alleged recordings. Future decisions will consider this argument, however. The Central District of California is scheduled to hear motions to dismiss in two other matters in early March. Third parties have filed amicus briefs in both matters, which is rare during the pleading stage in district court litigation. The plaintiffs have moved to strike the amicus briefs.

Given the ongoing litigation risk, companies that use chat features should consider implementing steps to mitigate the risk of being sued. This could include adding disclosures to applicable policies and obtaining user consent consistent with the requirements of applicable laws. Companies also should closely monitor how the central district handles the pending motions to dismiss and, if necessary, adjust their processes to incorporate any further guidance.