California class action lawyers have turned their sights on a new target: websites that employ “chat bots,” digital assistants that allow companies to communicate with customers without employing live website customer service representatives. These cases allege that the website owners violate the California Invasion of Privacy Act (CIPA, Penal Code Section 630 et seq.) by “recording” communications between consumers and company chat bots without the consumers’ knowledge or consent. Within the last three months, more than three dozen putative class action lawsuits have been filed in California state and federal courts against companies in a variety of industries, including retailers, insurance companies, financial services companies and technology companies. Many companies have received pre-litigation demand letters that may result in even more cases being filed.
These are novel claims that seek to apply privacy laws first enacted in the late 1960s that address recording phone conversations to a consumer’s interactions and communications with a website. In recent years, the California plaintiffs’ bar has sought to apply CIPA to certain website tracking technologies such as session replay. Now that trend has extended to chat bots, with new lawsuits asserting claims for violation of Penal Code Section 631, the CIPA’s anti-wiretapping statute, which prohibits a third party from eavesdropping on or recording communications between two other parties without the parties’ consent. Recently, several complaints have been amended to assert claims under a separate provision of the CIPA, Penal Code Section 632.7, which prohibits recording communications over cell phones without consent.
Both statutes allow a successful plaintiff to recover $5,000 per “violation” without proving that the plaintiff suffered any actual harm. Each individual interaction with a chat bot potentially constitutes a separate violation, so the ceiling of alleged damages in a certified class action could be astronomical. The statutes also allow recovery of attorneys’ fees. The combination of statutory damages and prevailing party fees makes these statutes very attractive to class action plaintiffs’ counsel.
The claims raise numerous unsettled issues, including whether the statutes even apply to this conduct, whether a website owner can be liable for “wiretapping” its own communications with its customers, and whether users expressly or impliedly consented to the “recording,” as those terms are defined by the statutory text and case law, to name only a few. There are also interesting and novel issues regarding the interplay between the 50-year-old CIPA and the recently enacted California Consumer Privacy Act of 2018 (CCPA) and its even more recent voter-enacted amendment, the California Privacy Rights Act of 2020 (CPRA), as well as the California Bot Disclosure Law, which requires basic transparency around chat bots. In addition, based on case law interpreting the CIPA in the call recording context, the plaintiffs in these cases may face serious obstacles in obtaining class certification.
No court has weighed in on these issues as applied to chat bot deployment, and the defendants have only just begun filing motions challenging the lawsuits. Because the cases are assigned to many different judges, it is possible—even likely—that there will be conflicting rulings on the merits of the claims. It may be months or years before the Ninth Circuit or California appellate courts provide more definitive guidance.
As the old saying goes, an ounce of prevention is worth a pound of cure. Companies that use chat bots and similar technologies on their websites should review their disclosures and consent flow to evaluate their risks. Due to the dynamic nature of privacy regulation, consultation with legal counsel on privacy and data protection is recommended. Being proactive may help avoid the expense and aggravation of having to defend one of these novel and potentially costly claims.