Publications

You should read this client update if you are a company that has a website accessible from the United States and that uses cookies, pixels, SDKs, or any form of tracking technologies or software, or chatbots.

What is this new trend about?

California’s Invasion of Privacy Act (“CIPA”) was enacted in the 1960s to prevent unlawful eavesdropping and wiretapping. However, this law is now being used to bring legal actions against companies that use cookies and tracking technologies on their online properties. Claimants argue that these tools, when used without user consent, involve illegal interception or eavesdropping. This is the case when the cookie or tracking technology is provided by a third party that receives information or content from user interactions. In the last few months, there has been a significant number of such claims being brought against Israeli companies.

What is the legal basis for these claims?

Under CIPA, a person whose communications are illegally tapped, read, or whose contents are learned is entitled, among other things, to damages. Courts have ruled that CIPA is not limited to phone lines but also applies to “new technologies” such as computers, the internet, and emails.

What is the exposure under CIPA?

Every separate violation of CIPA allows for up to $5,000 in statutory damages. These lawsuits are often brought as class actions.

Moreover, if you happen to be undergoing due diligence, it is very likely that you will have to disclose the existence of outstanding CIPA claims, which may generate delays or raise concerns. In fact, this is a common due diligence question.

As an Israeli company, should I be concerned?

The short answer is yes. Many Israeli companies operate websites that are accessible from the US, including California, and use tracking technologies. Moreover, many Israeli companies have clear ties to the US, including corporate entities, offices, employees, or business activities there. Having corporate entities in the US increases the exposure to CIPA claims. Separately, if you receive a CIPA claim, you will likely face costs and legal expenses, whether you settle it out of court or choose to defend it.

What can I do to decrease risks? 

• Map your cookies and tracking tools. You should know what information they process, share, and how they use it. If they process or share sensitive data, the contents of communications or user searches, the exposure will likely be high. Consider removing unused or unnecessary cookies.
• Be transparent. Your cookie notice and privacy notice should be clear on what data is collected, used and shared and what third parties are involved.
• Obtain proper consent. Adopt an opt-in or opt-out consent mechanism, as required by law, prior to collecting any data, tracking or sharing data with third party tracking tools. Remember that you need to be able to prove consent.
• Adopt privacy principles, such as limiting data collection, data retention or unnecessary data sharing. Many tracking tools allow you to change these settings (e.g., you can enable IP address masking when using Google Analytics). Moreover, consider executing and saving a copy of data processing agreements with all your vendors and verify that they do not reuse data for training, selling or sharing purposes.
• Adopt a granular approach. Because different countries and states have different rules on privacy, tracking and cookies, you may consider using different rules for users and traffic coming from different countries and states.

If you would like to discuss this matter or would like us to assist you, feel free to reach out to us.