
Healthline CCPA Settlement

Healthline Pays $1.55M for CCPA Violations


The world’s most popular health & wellness website recently made headlines after being accused of violating California’s consumer privacy laws. Healthline was accused of violating the California Consumer Privacy Act (CCPA), and the $1.55 million fine represents the largest monetary penalty ever issued for a CCPA violation. The settlement followed an investigation by the California Department of Justice which determined that Healthline invaded the privacy of consumers by (1) using online tracking technology to harvest data from visitors to the healthline.com website, and (2) failing to allow consumers to opt out of targeted advertising.

To learn more about the Healthline CCPA settlement, keep reading this blog.

Healthline.com Is a Popular Website That Provides Health & Wellness Articles

Healthline Media LLC operates the healthline.com website, which is marketed as a source for “medical information and health advice you can trust.” The website ranks as one of the top 40 most-visited websites globally, and it reportedly gets 6.5 million monthly visitors in California alone.

The Healthline.com website includes articles and blogs with information about nutrition, physical health conditions & treatments, mental health topics, and general health & wellness guidance. These articles may be available to the public for free – but they still come at a cost to consumers.

How Does Healthline Make Money?

Healthline generates substantial revenues from advertisements that appear next to the free articles. When these ads are targeted at a particular user, they can be even more profitable. That is why the personal data that Healthline was accused of unlawfully collecting from individuals became such an issue: the consumer information being harvested and shared by the company was extremely valuable.

California Department of Justice Investigates Healthline for CCPA Violations

The investigation into Healthline’s alleged consumer privacy violations was conducted by the California Department of Justice. Investigators determined that Healthline failed to give consumers the ability to opt out of targeted advertising, which is a violation of the California Consumer Privacy Act (CCPA). Additionally, investigators found that Healthline shared consumers’ sensitive personal data without any of the online privacy protections mandated by the statute.

Healthline Accused of Violating California Consumer Privacy Act (CCPA)

The California Department of Justice complaint filed against Healthline accused the company of multiple violations of the CCPA:

  1. Failing to Offer Functioning Opt-Outs: The complaint against Healthline alleged that the company kept selling users’ personal information even after the users had opted out of data sharing on the website. This is a direct violation of the CCPA because the law explicitly allows consumers to opt out of the sale or sharing of their data for targeted advertising.
  2. Violating the CCPA’s “Purpose” Limitation: The CCPA states that personal information collected for one purpose cannot later be used for a completely different purpose. But that is exactly what happened with Healthline: the company allegedly disclosed health-related data for targeted advertising purposes by sharing article titles that suggested consumers were diagnosed with specific medical conditions.
  3. Selling or Sharing Personal Data Without Restrictions: Healthline’s contracts with third parties allegedly grant those companies broad use of consumers’ personal data “for any purpose.” This is a violation of the CCPA, which requires companies to ensure that advertising contracts contain privacy protections for users’ data. It is Healthline’s responsibility to ensure that third-party companies comply with the law.

Healthline Accused of Violating California’s Unfair Competition Law (UCL)

The complaint against Healthline also alleged that the company violated California’s Unfair Competition Law (UCL) by “deceiving consumers about privacy practices.” The UCL explicitly prohibits companies from engaging in deceptive business practices. Healthline allegedly violated this guiding principle of the consumer protection law by failing to disable tracking cookies from the website’s “consent banner” even after a user unchecked a box on the banner.

California AG: Healthline Used Online Trackers to Harvest Consumer Data

One of the problems with the Healthline website is that it uses online trackers such as cookies and pixels. This means that anytime a person views an article on the website, their personal data may be collected and then shared with third parties.

According to the California Attorney General’s Office, the trackers used by Healthline “run invisibly in the background in the first milliseconds when a webpage loads.” Investigators found that Healthline was using dozens of these online trackers to harvest consumer data.

California AG: Healthline Failed to Honor Consumer Opt-Out Requests for Targeted Advertising

The California Consumer Privacy Act (CCPA) mandates that companies must give consumers the opportunity to opt out of having their personal information shared for the purpose of targeted marketing.

Although the Healthline website included an opt-out feature, the company was accused of failing to honor user requests to prevent targeted advertisements. The California Attorney General reportedly tested the Healthline website by attempting to opt out of targeted ads, but the site did not allow him to do so. According to the complaint filed against Healthline, the website continued to share users’ personal data even after the opt-out request was submitted.

The Healthline site gives users three options to opt out of data sharing:

  1. A “Do Not Sell or Share My Personal Information” button.
  2. An Opt-Out Preference Signal.
  3. A “cookie banner” that manages privacy settings on the site.

California authorities said that even utilizing all three opt-out options failed to stop Healthline from sharing users’ personal data. After a “triple opt-out,” investigators still found that 118 cookies related to third-party advertisers were accessed and transmitted.
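The kind of check described above can be run over a capture of the requests a page makes after every opt-out control has been used: list the third-party hosts that still send or set cookies, or that receive the article title or URL in a query parameter. This is an added example, not code from the complaint or from Healthline; the capture format, hosts, cookie names and page are constructed. Treating the `Sec-GPC: 1` request header (Global Privacy Control) as the opt-out preference signal is an assumption, as is matching first-party hosts by domain suffix.

```javascript
// Added example: audit a post-opt-out request capture for third-party tracking.
// The capture format, hosts, cookie names and page below are all constructed.
const SAMPLE_PAGE = {
  firstPartyDomain: "publisher.example",
  url: "https://www.publisher.example/health/newly-diagnosed-guide",
  title: "Newly Diagnosed Guide",
};

// Simplified HAR-like entries; header names are assumed to be lower-cased.
const SAMPLE_CAPTURE = [
  { url: "https://www.publisher.example/health/newly-diagnosed-guide",
    headers: { "sec-gpc": "1", cookie: "session=abc" }, setCookies: [] },
  { url: "https://cdn.publisher.example/app.js",
    headers: { "sec-gpc": "1" }, setCookies: [] },
  { url: "https://ads.tracker-one.example/sync?uid=42&dt=Newly%20Diagnosed%20Guide",
    headers: { "sec-gpc": "1", cookie: "tid=9f2; seg=health" },
    setCookies: ["tid=9f2; Max-Age=31536000; SameSite=None; Secure"] },
  { url: "https://px.tracker-two.example/p.gif?ref=https%3A%2F%2Fwww.publisher.example%2Fhealth%2Fnewly-diagnosed-guide",
    headers: { "sec-gpc": "1" }, setCookies: [] },
  { url: "https://fonts.static.example/f.woff2", headers: {}, setCookies: [] },
];

// A host is first-party if it is the site domain or a subdomain of it.
// Simplification: a production audit would compare registrable domains
// using the Public Suffix List.
function isThirdParty(host, firstPartyDomain) {
  const h = host.toLowerCase();
  const d = firstPartyDomain.toLowerCase();
  return h !== d && !h.endsWith("." + d);
}

// Names from a request Cookie header: "a=1; b=2" -> ["a", "b"].
function cookieNamesFromRequest(header) {
  if (!header) return [];
  return header.split(";").map((p) => p.split("=")[0].trim()).filter(Boolean);
}

// Name from one Set-Cookie value: "a=1; Max-Age=60" -> "a".
function cookieNameFromSetCookie(value) {
  return value.split(";")[0].split("=")[0].trim();
}

// True if any (percent-decoded) query parameter value carries the
// article title or the article path.
function leaksPageContext(requestUrl, page) {
  const needles = [page.title, new URL(page.url).pathname]
    .map((s) => s.toLowerCase())
    .filter((s) => s.length > 1); // a bare "/" would match everything
  for (const value of requestUrl.searchParams.values()) {
    const v = value.toLowerCase();
    if (needles.some((n) => v.includes(n))) return true;
  }
  return false;
}

// One finding per third-party host that still exchanged cookies or
// received page context. signalSent records whether the browser
// announced the opt-out preference on a request to that host.
function auditAfterOptOut(capture, page) {
  const byHost = new Map();
  for (const entry of capture) {
    const url = new URL(entry.url);
    if (!isThirdParty(url.hostname, page.firstPartyDomain)) continue;
    const headers = entry.headers || {};
    const sent = cookieNamesFromRequest(headers.cookie);
    const set = (entry.setCookies || []).map(cookieNameFromSetCookie);
    const leak = leaksPageContext(url, page);
    if (sent.length === 0 && set.length === 0 && !leak) continue;
    const f = byHost.get(url.hostname) || {
      host: url.hostname, sent: new Set(), set: new Set(),
      leak: false, signal: false,
    };
    sent.forEach((n) => f.sent.add(n));
    set.forEach((n) => f.set.add(n));
    f.leak = f.leak || leak;
    f.signal = f.signal || headers["sec-gpc"] === "1";
    byHost.set(url.hostname, f);
  }
  return [...byHost.values()].map((f) => ({
    host: f.host,
    cookiesSent: [...f.sent].sort(),
    cookiesSet: [...f.set].sort(),
    leaksPageContext: f.leak,
    signalSent: f.signal,
  }));
}

// Distinct (host, cookie name) pairs across all findings.
function countThirdPartyCookies(findings) {
  const pairs = new Set();
  for (const f of findings) {
    for (const n of [...f.cookiesSent, ...f.cookiesSet]) pairs.add(f.host + "|" + n);
  }
  return pairs.size;
}

console.log(JSON.stringify(auditAfterOptOut(SAMPLE_CAPTURE, SAMPLE_PAGE), null, 2));
```

Any finding with `signalSent: true` is a host that received the opt-out signal and still exchanged cookies or page context.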

Healthline Shared Consumers’ Health Data with Third Parties

Authorities also determined that Healthline improperly shared users’ personal data with third parties. This invasion of privacy is particularly harmful in the context of the Healthline website because the data often contains information about serious medical conditions that the consumer might suffer from.

The personal data shared by Healthline with third-party companies reportedly included information about which articles the user accessed on the website. Considering the nature of the healthline.com site, this kind of information can be extremely sensitive: some of the data shared with third parties included article titles like “Newly Diagnosed with HIV?” and “The Ultimate Guide to MS for the Newly Diagnosed.”

This information could be used by data brokers to create individual consumer profiles with sensitive health information. In fact, one type of targeted advertisement strategy allegedly utilized by Healthline is known as “cross-context behavioral advertising.” This involves a company collecting a user’s online activity and history to create a profile, and then later accessing that profile to determine exactly which kinds of advertisements are likely to interest the user. For example, one investigator viewed a Healthline article about Crohn’s disease and later received targeted advertisements about a medication to treat the illness.

Settlement: Healthline Ordered to Pay $1.55 Million Fine for California Consumer Privacy Violations

Healthline ultimately reached a settlement with the California Department of Justice and agreed to pay $1.55 million in civil penalties. This is the single-largest penalty in the history of the California Consumer Privacy Act (CCPA).

Another prominent part of the settlement is injunctive relief for victims of Healthline’s violations. The injunctions include:

  • Healthline must ensure that any opt-out mechanisms on the company’s website are functional and will process user requests to opt out of the sharing of personal data.
  • Healthline is prohibited from selling or sharing any personal data that would indicate that the user accessed a “Diagnosed Medical Condition Article.”
  • Healthline must disclose that they are using consumers’ sensitive personal information, and they must give consumers the ability to limit how their data is used.
  • Healthline must comply with the CCPA going forward. This means that the company has to provide notice that they are sharing consumers’ personal information with third parties.
  • Healthline must implement a compliance program that audits third-party contracts and maintains accurate website disclosures. The company will also be required to submit annual reports to the Office of the California Attorney General, and those reports should indicate whether Healthline is actually processing consumers’ opt-out requests.

Consequences of Healthline Settlement

California Attorney General Rob Bonta issued a statement announcing the Healthline settlement. Bonta highlighted the importance of the California Consumer Privacy Act (CCPA) and pointed to the “critical privacy rights” that residents are granted by the law. Bonta added that “California continues to lead the nation in enforcing our robust privacy protection law, and businesses that collect consumer data must honor consumers’ privacy rights.”

The Healthline settlement could also have far-reaching consequences for how health information is treated by the California Privacy Protection Agency. That’s because sensitive health data may face heightened scrutiny going forward when it comes to protecting consumers against data breaches and unauthorized data sharing. This is especially likely when the health information is shared for the purposes of targeted advertising.

Other California Consumer Privacy Lawsuits Against Healthline

Despite the settlement, Healthline is still the defendant in multiple lawsuits for violations of the California Invasion of Privacy Act (CIPA). Healthline has been sued in federal court (class action lawsuit) and in California state court (individual claim), with the plaintiffs in both cases alleging that the company unlawfully used tracking technology on its website.

Contact the Los Angeles Data Privacy Attorneys at Tauler Smith LLP

Are you a California resident who visited the Healthline.com website or any other website? Then it’s possible that you were the victim of a data privacy violation that exposed your sensitive personal information. The Los Angeles consumer protection lawyers at Tauler Smith LLP represent plaintiffs in both state and federal court. We can help you protect your personal information against data breaches and get you financial compensation.

Call 310-590-3927 or send us an email.

Data Brokers and CCPA

Study: Data Brokers Don’t Comply with CCPA


UC Irvine researchers conducted a comprehensive study into California data brokers and the extent to which they break state consumer privacy laws, including the California Consumer Privacy Act (CCPA). Legal observers and consumer protection advocates were alarmed by the chief finding of the study: data brokers don’t comply with CCPA requirements. In fact, researchers found that data brokers are guilty of “rampant noncompliance” with California digital privacy laws, with nearly half of all data brokers failing to reply to consumer data requests.

To learn more about the UC Irvine study of data brokers & California’s consumer privacy laws, keep reading this blog.

What Are Data Brokers?

What is a data broker? Data brokers are companies that acquire personal information of millions of people and then sell that data to third-party companies. The California Data Broker Registration law defines a “data broker” as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” The last part of the definition is important because it highlights a unique aspect of data brokers: they collect data from people who have never used their services.

One of the largest data brokers in the world is LiveRamp, which operates a “data collaboration platform” that gives other companies access to consumer data. According to Gene Tsudik, a co-author of the UC Irvine study, data brokers and the companies that do business with them are primarily interested in using the consumer data they collect to pinpoint personal details about consumers, “such as purchasing behavior, financial status, and health conditions.” The data brokers then attempt to monetize this data by selling it to third parties without the consent of the individuals.

CCPA Requires Data Brokers to Respond to Consumer Requests

As set forth by the California Consumer Privacy Act (CCPA), data brokers must respond in a timely manner to consumer requests related to data collection: they must reply within 10 business days to confirm receipt of the request, and then provide an answer to the request within 45 calendar days (with the option to extend the deadline by another 45 days). If the data broker has in fact collected the consumer’s personal data, then the company must provide that information in detail. If the data broker has not collected and/or does not possess any personal information about the consumer, then the company must declare so in writing.

The California Data Broker Registration law requires every data broker that does business in the state to register annually with the California Privacy Protection Agency (CPPA). The state also maintains a Data Broker Registry, which helps with compliance because the California Privacy Protection Agency can use the registry to identify offenders and enforce the law.

“People Search” Websites

One major source of identity theft and fraud is “people search” websites. These sites offer the personal information of consumers to the public for free, with additional information typically available for a fee. The information offered on these websites often comes from data brokers.

UC Irvine Study Examines Data Broker Compliance with California Consumer Privacy Laws

The title of the UC Irvine study is: “Consumer Beware! Exploring Data Brokers’ CCPA Compliance.” The study’s authors are Elina van Kempen, Isita Bagayatkar, Chloe Georgiou, and Gene Tsudik. Funding for the study came from the National Science Foundation, which is an independent federal agency that issues grant money to U.S. colleges and universities for research.

The study was conducted by a team of computer scientists who investigated every data broker registered in California. At the time of the study, there were a total of 543 data brokers doing business in the state. This was the most comprehensive study of data broker behavior ever conducted because it evaluated all data brokers registered in California. By contrast, previous studies only examined a small sample size of 20 people-search websites.

Study Conclusion: California Data Brokers Violate CCPA by Failing to Respond to Consumer Requests

UC Irvine researchers discovered that approximately 50% of data brokers doing business in California are violating the California Consumer Privacy Act (CCPA) by failing to respond to legitimate consumer requests.

Gene Tsudik, a computer science professor at UC Irvine and one of the co-authors of the study, emphasized the legal and ethical concerns raised by data brokers’ “rampant noncompliance” with invasion of privacy laws. According to Tsudik, data brokers operating in California are taking advantage of consumers by monetizing their personal information and then selling the data to third parties, including other companies, individuals, and even governments. Tsudik noted that these types of transactions “can open the door to malicious actors, giving them access to consumers’ personal information to mount identity theft, fraud, or phishing activities.”

What Is the Identity Verification Process for Consumer Data Requests?

The purported reason that data brokers must verify a consumer’s identity before releasing any personal information is to prevent data breaches by unauthorized parties. But the identity verification process can be extremely difficult for consumers. The UC Irvine study’s authors referred to it as “Kafkaesque,” questioning how a consumer can possibly prove their identity to a company that might not even have their personal information. Moreover, how can a consumer verify the truthfulness of a data broker who claims that they did not collect any personal information about the consumer?

Data Brokers Request Sensitive Personal Information from Consumers

Worse than the non-responses to consumer requests about personal data were the responses from data brokers that actually requested even more information from the consumer. The study concluded that data brokers are violating the spirit of the CCPA by forcing consumers to “jump through hoops” and “surrender personal data” just to exercise their privacy rights.

For example, several data brokers asked for extremely sensitive information that included the consumer’s legal name, mailing address, driver’s license number, and Social Security number. This was ostensibly for the purpose of “verifying” the consumer’s identity, but it is still alarming that consumers looking to exercise their data access rights under the CCPA are instead asked to incur greater privacy risks by exposing even more personal information to potentially unscrupulous data brokers.

Additionally, researchers observed that “an impersonator could easily receive another consumer’s personal information.” This means that the identity verification process used by data brokers could result in data breaches that harm consumers.

California Consumer Privacy Act (CCPA) Grants Data Access Rights to Consumers

The California Consumer Privacy Act (CCPA) was enacted in 2018. The statute was amended by the California Privacy Rights Act (CPRA) in 2020. Basically, the CCPA gives California residents the legal right to control the personal data that is collected by businesses, including data brokers. The statute specifically requires California businesses to give consumers an opportunity to opt out of the collection and/or sharing of their personal data. Additionally, the law stipulates that companies must respond promptly to any inquiries from consumers about data collection, including requests to delete personal data.

CCPA Consumer Requests

Elina van Kempen, the lead author of the UC Irvine data broker study, noted that researchers looked closely at six (6) aspects of the CCPA consumer request process:

  1. What burden does the consumer have in submitting the CCPA request?
  2. How difficult is it for the data broker to verify the consumer’s identity before answering the request?
  3. How long is the response time for a data broker to answer a consumer request?
  4. How adequate is the data broker’s response?
  5. Was any additional personal information requested?
  6. Are there any other privacy issues implicated by the consumer request?

The study’s authors acknowledged that it can be difficult for consumers to submit a CCPA request in the first place because there is not one standardized way of doing so: different data brokers have different submission processes and require various kinds of information from the consumer. The UC Irvine research team had to deal with multi-step submission forms that necessitated follow-ups, broken links in website privacy policies that made it impossible to initiate a request, and untrained data broker employees and other staff who made it difficult to even start the complicated process.

Call the Los Angeles Data Privacy Lawyers at Tauler Smith LLP

California law stipulates that data brokers that collect and sell consumers’ personal information are required to respond to any consumer requests about the data collected, as well as requests to delete the data. If your personal information was unlawfully shared with a data broker or any other third party, you may have a valid legal claim for financial compensation.

The Los Angeles consumer protection attorneys at Tauler Smith LLP can help you. Call 310-590-3927 or email us today.

Flo Health Data Deletion

Data Deletion on the Flo Health App


Flo Health, the owner and operator of the popular Flo Period & Ovulation Tracker app, was sued in federal court for allegedly sharing users’ personal health data with Meta (Facebook) and Google. Although Flo Health settled the class action lawsuit, the case still went to trial with Meta named as a defendant – and a jury issued a precedent-setting verdict against the social media parent company. Additionally, since Flo remains one of the most downloaded personal health apps in the United States, there are still concerns about user data being exposed to tech companies, data brokers, and others. That’s why it’s important to understand the steps needed for account deactivation and data deletion.

To learn more about how to safeguard your personal health data against privacy breaches on the Flo Health app, keep reading.

Flo Period Tracker App Captured Personal Health Data of Millions of American Women

Women’s health tech is more popular than ever, with millions of women in California and throughout the U.S. using apps, smartphones, and wearable technology to track their periods and fertility. As a result, this industry has become big business for companies that look to target users with online advertisements. According to media reports, women’s health startup companies have received more than $5 billion in investments in the last few years.

The Flo Health fertility-tracking app was reportedly “the first mobile application to make use of artificial intelligence to accurately predict reproductive cycles.” For many years, Flo has been the #1 women’s health app accessed on U.S. mobile phones. Today, it is one of the most popular health & wellness apps in the world, with more than 38 million monthly users and nearly 200 million downloads. Anyone who has downloaded, used, or otherwise accessed the Flo Health app should be extremely careful about what kind of personal information they reveal. If necessary, users may want to submit a data deletion request to ensure that their information is wiped from the app.

Software Development Kit (SDK) Code Secretly Embedded on Flo Health App

The SDK code – or Software Development Kit code – embedded on the Flo Health app makes it easier to build apps and track user analytics.

Flo Health allegedly used the SDK code to access and then share – without consent – extremely sensitive health information about the app’s users, including:

  • Menstrual cycles
  • Pregnancy due dates
  • Sexual activity
  • Masturbation habits
  • Contraceptives used
  • Mental health
  • Other general health symptoms

This intimate health information shared with Meta, Google, and others gave those third-party companies valuable information about Flo Health’s users that could be used to create targeted advertisements.

Flo Health Privacy Policy

Flo Health told the users of its period-tracking app that their personal data would not be shared with third parties unless the user explicitly consented to the sharing. However, according to the class action lawsuit, users’ sensitive health information was shared with third parties like Meta and Google. Moreover, the lawsuit alleged that Flo Health’s terms of service did not place any restrictions on how third parties like Meta and Google could use the data shared with them.

If you used the Flo Cycle & Period Tracker app for any reason, it’s possible that your sensitive health information was exposed to third parties. One proactive step you can take to protect your data against further privacy breaches is to email Flo Health and submit a Data Deletion Request, which is referenced in the Privacy Policy.

Flo Health Sued in California Federal Court for Allegedly Sharing Customer Data with Meta and Google

Flo Health was sued in the U.S. District Court for the Northern District of California. The company was accused of quietly collecting users’ health information – such as menstrual cycle dates and pregnancy details – and then sharing the data with giant tech companies like Meta and Google.

The lawsuit, filed by a class of women who used the Flo app, alleged that Flo Health embedded software to eavesdrop on users and intercept their personal identifying information. Flo Health then allegedly shared that information with third parties like Meta, Google, and other tech & analytics companies. Flo Health and Google reached settlement agreements before the trial verdict, leaving Meta as the only defendant in the case.

No Consent

Meta and Google allegedly used the data shared by Flo Health to compile detailed individual profiles. This would then make it easier for the tech companies to create targeted advertising campaigns aimed at Flo Health’s users. However, users of the Flo period-tracking app did not consent to the harvesting of their personal health information, nor did they consent to the sharing of this data with third parties like Meta and Google.

Jury Verdict: Meta Liable for Damages in Flo Health Data Privacy Lawsuit

The trial in federal court culminated with a jury finding that Meta intentionally eavesdropped on Flo Health’s users and unlawfully recorded users’ protected health information without consent. Specifically, the jury declared that Meta violated multiple state consumer privacy laws, including the California Invasion of Privacy Act (CIPA) and the California Confidentiality of Medical Information Act (CMIA). When damages in the case are calculated, it’s possible that Meta will be subject to statutory penalties totaling $200 billion.

The ruling against Meta could have broader consequences for tech firms operating in the health industry going forward. Website operators, tech firms, digital advertisers, and any other companies that collect users’ personal data may now feel compelled to set boundaries when it comes to data harvesting. This is especially likely in the consumer health industry: health data companies will need to be extremely careful about how they collect users’ data. Without affirmative consent from customers, the owners and operators of health apps and websites could be subject to legal action.

Another lesson to be learned from the Flo Health data privacy case is that it might not be sufficient for companies to simply scrub user data after collection. That’s because the mere fact that data was collected in the first place could be enough to expose the operators of apps and websites to liability. Even if you submitted a data deletion request with Flo Health, it’s possible that your personal health information was already shared with data brokers and other third parties.

FTC Settlement: Flo Health Agreed to Keep Users’ Data Confidential

The class action lawsuit against Flo Health and Meta coincided with a government action brought by the Federal Trade Commission (FTC). Like the civil suit, the FTC lawsuit accused Flo Health of sharing users’ health information with marketing and analytics firms, including Facebook and Google. This allegedly happened despite promises by Flo Health that user information would remain confidential.

Flo Health ultimately settled the FTC action, with the women’s reproductive health company agreeing to instruct third-party companies to destroy any user health data that was unlawfully obtained via the menstrual tracking app.

California Consumer Privacy Act (CCPA) and Data Deletion Requests on the Flo Health App

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives consumers the right to delete their data after it has been collected. Compliance with these statutes is enforced by the California Privacy Protection Agency.

Data Deletion Requests

Anyone who created an account with Flo Health or who otherwise used the Flo app should consider exercising their privacy rights and submitting a data-deletion request. The Flo Health Privacy Policy provides users with details on how to request erasure of their accounts and all associated data.

As a California resident, you have a right to send a data deletion request and protect your personal information. You should be able to change the settings in the Flo Health app to deactivate your account. But you may need to take further action to delete your information entirely. To address privacy concerns about any data you’ve already shared on the app, you can email Flo Health customer support directly at support@flo.health. California consumer privacy laws, as well as the app’s terms of service, require Flo Health to fully erase your personal data from their backup systems upon request.

Contact the Los Angeles Consumer Protection Attorneys at Tauler Smith LLP

Did you download a health app on your mobile phone in California? If so, it’s possible that your personal health data was unlawfully shared with third parties. The good news is that California has some of the strongest consumer protection laws in the country. The Los Angeles consumer protection lawyers at Tauler Smith LLP represent victims of digital privacy violations. We can help you protect your data and get financial compensation for any data breaches that have already occurred.

Call 310-590-3927 or email us.

CPRA Employee Privacy Rights

Employee Privacy Rights Under the CPRA


The California Privacy Rights Act (CPRA) is a consumer protection law that was approved by California voters in 2020. The CPRA placed significant restrictions on how companies may collect, store, use and share consumer data. In addition to protecting consumers, the CPRA also established a number of data privacy rights for employees of companies that operate in California. Employee privacy rights under the CPRA are robust: workers whose personal data is collected by their employers can take legal action when that data is misused.

To learn more about how the CPRA safeguards employee privacy rights, keep reading this blog.

CPRA Requirement: Notification and Disclosures to Employees

Under the California Privacy Rights Act (CPRA), employees of qualifying businesses have the right to be notified by their employers when their personal data is being collected for any reason. This mirrors federal data privacy laws like the Electronic Communications Privacy Act (ECPA) that also require employers to notify employees about data collection practices.

Additionally, employers must notify workers about why their personal data is being collected. If your employer has collected your personal information and failed to notify you in advance so that you could provide consent, then they may be in violation of California data privacy laws.

Moreover, the CPRA mandates that employees must be given very specific details about what type of personal information is being collected by their employers. Previous consumer privacy laws broadly protected employees by compelling companies to disclose certain aspects of their data collection procedures. Now, companies must specifically disclose to all employees the precise category of personal information that has been collected in the previous 12 months.

CPRA Gives Employees the Right to Correct Inaccurate Information

Just like consumers, employees also have the right to correct or delete inaccurate information that has been collected. Similarly, employees can opt out of any plans by the company to share their personal information with others. If an employee makes this kind of request, the company has 45 days to honor it.

CPRA Requirement: Businesses Must Maintain an Employee Privacy Policy

The California Privacy Rights Act (CPRA) also strengthened existing data protection laws that require companies to maintain an employee privacy policy explaining the company’s rules and policies about personal data collection. Under the CPRA, employers must not only have a written employee privacy policy, but the policy also needs to be posted so that it is easily accessible by workers.

Additionally, the employee privacy policy must detail exactly what the collected information will be used for, including whether the data will be sold to third parties or shared with third parties.

The CPRA Protects Employees Against Retaliation

The California Privacy Rights Act (CPRA) intersects with California employment law, which means that employees who exercise their digital privacy rights under the consumer privacy statute are protected against retaliation by their employers.

The California Privacy Rights Act Also Protects Consumers

While the California Privacy Rights Act (CPRA) provides explicit protections for employees, the statute’s primary purpose is to ensure that consumer data remains confidential after it has been shared with businesses. One of the main ideas behind the CPRA is that individuals should have control over how their sensitive personal information is used by companies. When a company violates the privacy of customers, or otherwise fails to take reasonable steps to ensure that customer data remains confidential, that company should be held accountable.

The CPRA officially expanded the scope and protections of the California Consumer Privacy Act (CCPA), which already protected consumers against invasions of privacy involving their personal information. The CPRA gives consumers new privacy rights that did not exist under previous consumer privacy laws. These new consumer rights include the ability to correct inaccurate information being retained by companies. More generally, the CPRA ensures that consumers have a legal right to limit how their sensitive personal data is collected, used, and disclosed.

Contact the Los Angeles Employment Lawyers at Tauler Smith LLP

Did your employer monitor your emails, record your phone conversations, or collect your personal information in any other way? California strictly regulates how companies can collect and/or share the information of their workers. The Los Angeles employment lawyers at Tauler Smith LLP possess an in-depth understanding of both employment laws and privacy laws, and we are passionate about protecting employee rights.

Call 310-590-3927 or email us today to discuss your case.

CPRA Consumer Rights

Consumer Rights Protected by the CPRA

When the California Privacy Rights Act (CPRA) was approved by California voters in the 2020 election, it greatly expanded the privacy protections afforded to consumers. The new law also increased the data security obligations of companies operating in the state. The consumer rights protected by the CPRA are important because they address the kind of digital privacy concerns that are prevalent at a time when businesses have access to an unprecedented amount of personal information about customers. When a company violates the CPRA by failing to protect consumer data, they may be subject to substantial fines and exposed to civil liability.

To learn more about how the California Privacy Rights Act protects consumer privacy rights, keep reading.

What Consumer Privacy Rights Are Protected by the CPRA?

The California Privacy Rights Act (CPRA) was intended to strengthen consumer privacy laws already in effect, such as the California Consumer Privacy Act (CCPA). The idea was to protect California residents against invasions of privacy and data breaches when making purchases from businesses or when communicating with businesses online. The statute does this by strengthening consumer rights that existed under the CCPA and by creating new rights that did not previously exist.

These are the existing consumer rights that the CPRA strengthened:

  1. The right to know about any personal data that has been collected by companies.
  2. The right to delete any personal data that has been collected.
  3. The right to opt out of the sale or sharing of personal data with third parties.
  4. The right to be free from discrimination or retaliation for having exercised any of these consumer rights.
  5. The right to bring a private civil action against companies that fail to protect consumers’ personal information against unauthorized access or data breaches.

Additionally, the CPRA created two (2) entirely new consumer privacy rights:

  1. The right to correct personal information that is inaccurate.
  2. The right to limit how “sensitive personal information” is collected, used, and disclosed.

Consumer Right to Correct Inaccurate Personal Data

Under the CPRA, consumers now have the right to request that a business correct any collected information that is inaccurate. Moreover, this right must be disclosed to consumers in a company or website privacy notice. After a consumer has requested that certain information be corrected, the company must use “commercially reasonable efforts” to make the correction.

Consumer Right to Opt Out of Sharing Personal Data

Data privacy was a major focus of lawmakers when the California Consumer Privacy Act (CCPA) was enacted, but the statute may not have gone far enough. While the CCPA gives consumers the right to opt out of the sale of their personal information to third parties, the CPRA gives consumers the same right with respect to the sharing of personal information. Significantly, this consumer privacy right may be exercised regardless of whether the data is being shared for a monetary benefit.

It should also be noted that the data privacy law requires businesses to inform consumers of this right directly on the company website’s homepage. The business must include a conspicuous link with the title “Do Not Sell or Share My Personal Information,” which the consumer can click on to exercise their opt-out right.

New Obligations for Businesses Under the California Privacy Rights Act

The California Privacy Rights Act (CPRA) also increased requirements on businesses to protect the sensitive personal information of consumers against data breaches or other invasions of privacy. For example, businesses are now prohibited from maintaining customers’ personal data for any longer than absolutely necessary.

The CPRA also increased the penalties that companies can face for consumer privacy violations. The statutory fines start at $2,000 for each violation, and they can go as high as $7,500 for a willful violation. Beyond that, the maximum fines can be tripled when the violation involves a child under the age of 16. If a company wants to collect the personal data of consumers under 16 years of age, the young consumer must expressly consent to it. If the consumer is under the age of 13, a parent or guardian must first provide permission before a company can collect personal data.

Additionally, civil penalties may be imposed when the violation involves the theft of customer login information. This means that businesses that expose customer data to a data breach are subject to a lawsuit with significant damages.

Tauler Smith LLP Protects Consumer Privacy Rights in California. Call Us Today.

California law places clear limits on how businesses may use customer information collected during a transaction or website visit. The Los Angeles consumer privacy attorneys at Tauler Smith LLP understand the law and how it protects consumers against unlawful invasion of privacy. We represent plaintiffs in both individual lawsuits and class action lawsuits when a company illegally monitors, collects, shares, or sells a customer’s personal data without permission.

Call 310-590-3927 or send an email to talk to one of our skilled attorneys and explore your legal options.

California Privacy Protection Agency

The California Privacy Protection Agency (CPPA) is a new state agency tasked with enforcing consumer privacy laws, including the California Privacy Rights Act (CPRA). The CPRA explicitly protects individuals’ data privacy rights by both strengthening existing laws like the California Consumer Privacy Act (CCPA) and creating new consumer rights. For example, the CPRA gives consumers the right to correct personal information that is inaccurate, or even to request deletion of the data. The CPRA also requires companies to safeguard customers’ personal information against data breaches. These statutory requirements are strictly regulated and enforced by the CPPA: when a company violates the statute, the CPPA may impose substantial fines.

To learn more about the California Privacy Protection Agency, continue reading.

What Is the California Privacy Protection Agency?

The California Privacy Rights Act (CPRA) amended the California Consumer Privacy Act (CCPA), which provides explicit protections for California residents who share personal information with businesses. Prior to the CPRA becoming law, the California attorney general had rulemaking and enforcement authority with respect to consumer privacy regulations. After the CPRA passed, the California Privacy Protection Agency became the main state agency with authority to enforce these laws.

The California Privacy Protection Agency has a board comprised of five (5) members. The California Governor appoints two board members, including the Chair. The three remaining board seats are filled by the Attorney General, the Senate Rules Committee, and the Speaker of the Assembly, with each making one appointment. Each board member will serve in their position for up to eight (8) years before being replaced.

The California Privacy Protection Agency Enforces the CPRA

The main task of the California Privacy Protection Agency is to enforce the state’s consumer privacy laws. If the agency determines that a company has violated the CPRA or another consumer privacy law, they can enforce the statute and impose monetary penalties. Businesses that do not comply with the strict regulations of the CPRA will be subject to severe penalties: a $2,000 fine for each violation, a $2,500 fine when the violation is negligent, and a $7,500 fine when the violation is willful.

The CPRA also allows the state to impose enhanced penalties when digital privacy violations involve minors. If a company unlawfully sells or shares the personal information of a child under the age of 16, they may be fined another $7,500 for each violation. Importantly, the statute imposes strict liability in these instances. This means that the penalties may be imposed regardless of whether the offending company had actual knowledge of the child’s age. The CPRA penalties for consumer privacy violations involving a minor may be imposed on top of any penalties that may apply for violations of the Children’s Online Privacy Protection Act (COPPA).

Consumers May File Civil Suits for Data Privacy Breaches

Data security is a major focus of California’s consumer privacy laws. In cases involving a data breach that exposed a customer’s personal information, the CCPA and the CPRA give victims a private right of action. This means that you may be able to bring a civil lawsuit against the offending company and seek statutory damages. The CPRA states that consumers are eligible to pursue up to $750 for each privacy violation, or they may pursue actual damages – whichever amount is greater.

Call the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

The California Privacy Protection Agency is tasked with enforcing the CPRA, which means that companies that violate the statute can be fined. But victims of an invasion of privacy – such as a data breach that exposed their personal information – can also take legal action by bringing a CPRA claim in state court. The experienced Los Angeles consumer privacy lawyers at Tauler Smith LLP are ready to represent you in a civil suit because we routinely assist plaintiffs in consumer protection lawsuits throughout California.

Call 310-590-3927 or email us to schedule a free initial consultation.

CPRA vs CCPA

Differences Between CPRA and CCPA

The California Privacy Rights Act (CPRA) passed as a ballot initiative in the 2020 general election. The new consumer privacy law is actually an amendment of an earlier law: the California Consumer Privacy Act (CCPA). The major differences between the CPRA and the CCPA involve the level of protection afforded to consumers. The CCPA established a baseline for protecting consumer privacy rights, while the CPRA significantly expands on those protections by giving consumers additional rights. The CPRA also imposes additional obligations on companies that do business in California.

To learn more about the differences between the CPRA and the CCPA, keep reading this blog.

California Laws That Protect Consumer Privacy

The two main California laws that protect consumers against invasion of privacy are the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The CPRA amended the CCPA.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) was passed by state lawmakers in 2018. It was the first state privacy law that addressed the collection of consumer data, as well as the first law to directly confront digital privacy concerns. After the CCPA went into effect, businesses could no longer monitor customer communications and use the data without authorization. Additionally, California consumers now had some control over whether their personal information was collected by companies and, if so, how it could be used.

California Privacy Rights Act (CPRA)

The California Privacy Rights Act (CPRA) applies to any company that solicits customers in California and collects their personal information. The data privacy law gives consumers more control over their personal data by placing restrictions on how businesses can use customer information. When a consumer shares personal information with a business, there are limits on what the business may do with that data.

What Are the Differences Between the CPRA and the CCPA?

There are a number of differences between the California Privacy Rights Act (CPRA) and the California Consumer Privacy Act (CCPA). The CPRA created new rights for consumers and imposed stricter requirements on businesses that collect customer data. Additionally, the CPRA created a new state agency to enforce consumer privacy laws.

New Consumer Privacy Rights

The CCPA was enacted to protect customer privacy, and those protections were broadened in the CPRA so that additional types of personal information are also protected by law. This includes usernames, email addresses, passwords, and security questions. If a company fails to protect against breaches or unauthorized disclosures of this information, they may be subject to liability under the new statute.

One specific example of the additional rights that the CPRA provides to consumers is the ability to opt out of cross-context behavioral advertising. This is defined as targeted advertising that is based on the personal information collected when consumers visit certain websites or use online platforms like Google, Facebook, Instagram, etc. The CPRA explicitly states that companies must allow consumers to opt out when personal data is shared with other companies for the purpose of cross-contextual advertising.

Restrictions on Businesses

The CPRA established broad privacy requirements for businesses, including an obligation for businesses to only collect and use personal information when it is reasonably necessary and proportionate to their stated purposes for collecting or using the information in the first place. Moreover, the CPRA requires companies to specify exactly how long they plan to retain personal data collected from consumers.

California Privacy Protection Agency

The CPRA established the framework for a new state enforcement agency: the California Privacy Protection Agency. This agency is responsible for enforcing not just the CPRA, but all of California’s consumer privacy laws and regulations. Prior to passage of the CPRA, enforcement of those laws was left up to the California Attorney General.

Contact the California Consumer Protection Lawyers at Tauler Smith LLP

If you visited a website and shared your personal information with the company or website operator, it’s possible that your data was exposed. The Los Angeles consumer protection lawyers at Tauler Smith LLP can help you take legal action under the California Privacy Rights Act and receive financial compensation. We regularly represent plaintiffs in both state and federal courts. To find out if you might be eligible to bring a CPRA claim, call 310-590-3927 or email us today.

California Privacy Rights Act

California Privacy Rights Act (CPRA)

Consumer protection has been of paramount importance to both lawmakers and residents in California for a long time, resulting in extremely strong laws that limit what companies can do with customer data and personal information. One of these laws addressing digital privacy concerns is the California Privacy Rights Act (CPRA), a new consumer privacy law that recently went into effect. The data protection law was passed by California residents through a referendum on the ballot in the 2020 general election. The CPRA was intended to be the most comprehensive consumer privacy legislation in the United States. Along with the California Consumer Privacy Act (CCPA), the CPRA set the standard for government protection of data privacy rights.

To learn more about the California Privacy Rights Act and how it affects both consumers and businesses, keep reading.

Who Does the CPRA Apply to?

Any for-profit company that does business in the state of California and that has significant gross annual revenues is subject to the regulations of the California Privacy Rights Act (CPRA). Additionally, if a company solicits customers in California and collects their personal information at any point, the company may be required to comply with the statute.

The CPRA can also apply to third parties that have been given access to a consumer’s personal data. If a company shared your information with a third party and you subsequently requested that the information be corrected or deleted, the company must pass on the request to the third party. The same is true for service providers and contractors: a company that shares customers’ personal information with these individuals and/or entities must instruct them about the CPRA requirements, and any violations by these other parties could expose the company to liability.

Additionally, the CPRA doesn’t apply only to consumers. CPRA protections also apply to employees who work for companies that monitor and use their data.

What Is the California Privacy Rights Act?

The California Consumer Privacy Act (CCPA) was the first state privacy law. The California Privacy Rights Act (CPRA) amended the CCPA and made California’s privacy laws even more consumer friendly. At the same time, the CPRA also strengthened existing protections for consumers by requiring businesses to comply with much stricter consumer privacy regulations.

New Obligations for Businesses Under the CPRA

The California Privacy Rights Act (CPRA) imposed further obligations on companies that do business in California and collect personal information from customers. For example, the CPRA created new compliance rules for businesses. This includes the elimination of a previous rule that gave companies 30 days to “cure” any violations of the CCPA. Now, any company that violates the CPRA is subject to monetary penalties under the statute.

Additionally, under the CPRA, companies must take affirmative steps to protect customers’ personal information against data breaches. This means that companies must implement reasonable security measures to ensure that personal data is not illegally accessed by others.

Businesses are also required to perform annual cybersecurity audits to confirm that no breaches have occurred. Businesses must submit the results of these audits to the California Privacy Protection Agency, in addition to conducting regular risk assessments that weigh the benefits of collecting consumer information against the security risks.

CPRA Created New Consumer Privacy Rights

The CPRA formally created a number of new privacy rights for California consumers, including the following:

  • Consumers can opt out of sharing their personal information with businesses.
  • Consumers can opt out of allowing businesses to use their “sensitive personal information.” This includes the customer’s Social Security number, driver’s license, state ID card, passport, credit card or debit card, bank account, geolocation data, and emails or text messages. It can also include information about the customer’s racial or ethnic origin, religion, genetic data, health data, and sexual orientation.
  • Consumers have the right to correct any personal data that is inaccurate. This means that businesses must provide customers with a means to review and then correct wrong information.
  • Consumers can legally access information about how the company is storing and using their data, as well as the data retention period.

What Types of Data Are Protected by the CPRA?

Basically, the California Privacy Rights Act (CPRA) protects any information that could be used to identify an individual. This includes things like the person’s name, email address, Social Security number, driver’s license number, state ID card, passport number, bank account or other financial account numbers, credit card or debit card numbers, and physical address.

When a company collects this type of information from a consumer, the consumer has a legal right to be notified. Moreover, once notified, the consumer has the legal right to demand that the information be corrected or deleted.

Sensitive Personal Information Protected by the CPRA

Data security is paramount in an age when information can be misused so easily. That’s why the CPRA places even stricter requirements on companies that collect consumer data deemed to be “sensitive personal information.”

What Is “Sensitive Personal Information”?

The California Privacy Rights Act (CPRA) defines a consumer’s “sensitive personal information” as including any of the following:

  • Social Security number, driver’s license, state ID card, or passport.
  • Website or app log-in information.
  • Bank accounts, credit cards, debit cards.
  • Geolocation data that identifies the consumer’s location.
  • Race, ethnicity, or religion.
  • Sexual orientation.
  • Email or text messages.
  • Genetic data.

The CPRA can also be updated by lawmakers in the future to add more categories that would qualify for protection as sensitive personal information. This definitional flexibility is codified in the statute to “address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.”

How Sensitive Personal Information May Be Used

The CPRA places limitations on how businesses may use customers’ sensitive personal information. A business can only use this type of information to the extent necessary to perform services or provide goods reasonably expected by the consumer. Any use beyond this scope violates the statute.

Disclosures About Sensitive Personal Information

The statute stipulates that businesses must provide clear disclosures about the fact that they are collecting this type of information, as well as disclosures about how the information will be used. For example, a business should create a link on its company website that informs consumers of the collection practices and that gives them the ability to opt out of the collection and/or sharing of their data.

The California Privacy Protection Agency Is Tasked with Enforcing the CPRA

Section 24 of the CPRA created the California Privacy Protection Agency (CPPA), a state agency that implements and enforces the consumer privacy law. The CPPA receives reports of privacy law violations and then conducts investigations to determine whether companies should be penalized under the statute.

The CPPA is not the only state agency that oversees and enforces the CPRA. The California Department of Justice is also heavily involved in enforcing the law and ensuring that consumer privacy rights are protected.

What Are the Penalties for Violations of the CPRA?

The CPRA imposed substantial monetary penalties for noncompliance by companies. These penalties include a fine of $2,000 for each violation.

The penalties may be increased in certain circumstances:

  • $2,500 for each negligent violation of the statute.
  • $7,500 for each willful violation of the statute.

Civil Suits Filed Under the CPRA

The original consumer privacy law, the California Consumer Privacy Act (CCPA), gave consumers whose personal data was compromised a private right of action to bring a civil suit against the company that failed to prevent the data breach and protect consumers against invasions of privacy. But there were limitations on what exactly qualified as a “data breach” under the old statute. Under the new customer privacy regulations of the California Privacy Rights Act (CPRA), the types of data breaches that may expose a company to civil liability are greatly expanded: if a business fails to protect customer information such as an email address, username, password, or security question, the business could be sued by the victim.

Contact the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

Are you a California resident? Did you visit a website that collected your personal information without authorization? Was your personal information exposed in a data breach? You may be eligible to recover statutory damages under the California Privacy Rights Act (CPRA). The experienced Los Angeles consumer protection attorneys at Tauler Smith LLP can help you file a complaint with the CPRA and possibly file a civil lawsuit for financial compensation.

Call us today at 310-590-3927 or send an email to schedule a free consultation.

Nationwide Mutual Insurance CIPA Lawsuit

CIPA Lawsuit Against Nationwide Mutual Insurance

A CIPA lawsuit was recently filed against Nationwide Mutual Insurance for illegal wiretapping and invasion of privacy, and now a federal judge in California has ruled that the case can proceed to trial. The U.S. District Court judge issued the ruling in response to a motion to dismiss the wiretapping claims under Section 631 of CIPA, or the California Invasion of Privacy Act. The civil suit alleges that Nationwide Mutual unlawfully allows a third party to eavesdrop on customer conversations on the insurance company’s website. Chat communications are allegedly monitored in real time, and the sensitive personal data from those conversations is allegedly stored and used for financial gain. These actions would constitute clear violations of California consumer privacy laws.

These days, it is common for many different types of businesses to violate the CIPA and other invasion of privacy laws. If you live in California and used the chat feature on a company’s website, you may be eligible to join a class action lawsuit for invasion of privacy. The Los Angeles consumer protection lawyers at Tauler Smith LLP can help you get financial compensation.

Nationwide Mutual Insurance Sued for Invasion of Privacy

The defendant in the recent invasion of privacy case is Nationwide Mutual Insurance Co., which is a corporation that offers insurance, retirement, investing, and other financial services and products to consumers in the United States, including residents of California. Nationwide operates a website: www.nationwide.com. The website has a chat feature, which customers can use to have online conversations with Nationwide. Sometimes, the customers who use the chat feature may share sensitive personal data with the company.

Third-Party Wiretapping of Customer Conversations

Nationwide Mutual Insurance has been accused of using a third-party company, Akamai or Kustomer, to embed code into the Nationwide website, which allows the third-party company to monitor and store transcripts of the conversations that occur through the chat feature. Akamai specializes in harvesting data from consumer conversations, which is believed to be the reason that Nationwide contracted with them in the first place.

Significantly, Nationwide does not inform customers who use the chat feature on the website that monitoring of conversations, storing of transcripts, or data harvesting occurs. Beyond that, Nationwide does not obtain customers’ consent for any of these activities.

Federal Judge Denies Motion to Dismiss Wiretapping Lawsuit Against Nationwide Mutual Insurance

The plaintiff in the consumer data privacy case is a California resident who used a smartphone to visit the Nationwide Mutual Insurance website and to communicate with Nationwide via the company’s website chat program. She filed her original legal complaint in Los Angeles County Superior Court, and the case was later removed to the U.S. District Court for the Central District of California.

Once the case arrived in federal court, Nationwide filed a motion to dismiss the complaint. The U.S. District Court recently held a hearing on the motion to dismiss. Although the Section 632.7 CIPA complaint was dismissed, the court ruled that the Section 631 CIPA complaint could move forward to trial. The court found that the plaintiff had stated a valid claim under § 631 of the CIPA because she plausibly alleged that Nationwide aided third-party Akamai in violating the consumer privacy statute.

What Are California’s Data Privacy Laws?

On top of having extremely strong consumer protection laws, California also has some of the strongest digital privacy laws in the country. The three most prominent statutes are the California Invasion of Privacy Act (CIPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). All of these data protection laws impose civil liability on companies that invade the privacy of customers. The CIPA imposes a requirement on businesses to obtain permission from customers before recording telephone and internet communications, including online chat conversations. The CCPA specifically prohibits businesses from sharing the personal information of customers with third parties, while the CPRA amended the law to increase the penalties for violating consumer privacy.

What Conduct Is Prohibited by the California Invasion of Privacy Act?

Although Section 631 of the California Invasion of Privacy Act (CIPA) is technically a criminal statute with criminal penalties, the Penal Code authorizes civil liability for violations of the law. This means that consumers whose confidentiality was invaded by a company doing business in California can potentially bring a civil lawsuit for monetary damages.

California courts ruling on CIPA claims have interpreted Section 631 to prohibit three types of conduct:

  1. Intentional wiretapping.
  2. Attempting to learn the contents of a communication in transit over a wire.
  3. Attempting to use information obtained as a result of wiretapping or monitoring of communications.

Additional requirements or elements of a CIPA violation include that the intentional wiretapping was done while the communication was in transit and that the communication was being sent from or received at a location within California. The prohibited conduct includes reading the contents of any message, report, or communication without the consent of all parties to that message, report, or communication. If one of the parties did not know that the chat or other type of communication was being monitored and/or wiretapped, then it would not be possible for them to provide consent or authorization. The bottom line is that eavesdropping on a conversation is a clear violation of Section 631 of the CIPA.

“Aiding” a Violation of the CIPA

Section 631 of the California Invasion of Privacy Act (CIPA) also imposes liability on any company that “aids” or assists another in violating the statute. The plaintiff in this case alleges that Nationwide Mutual Insurance “aided, abetted, and even paid third parties to eavesdrop” on her conversations. Moreover, she alleges that these privacy breaches happened not only with her communications, but also with other consumers’ communications on the Nationwide website.

Party Exception to § 631

There is a “party exception” to Section 631 of the CIPA. Courts have found that a party to a conversation cannot be liable for “eavesdropping” on that conversation. But this gets complicated when the conversation involves a third party. For example, if computer code on a website automatically directs a communication to a third party, the party exception won’t shield the third party from civil liability under the CIPA.

U.S. District Court: Nationwide Mutual Insurance May Have Violated California Invasion of Privacy Law

The plaintiff in the Nationwide Mutual Insurance data privacy case alleged that Nationwide violated the California Invasion of Privacy Act (CIPA) pursuant to California Penal Code § 631. Now, the U.S. District Court for the Central District of California has found that the plaintiff plausibly alleged that Akamai read the contents of her messages, which would constitute a violation of Section 631 by Nationwide for “aiding” in the wiretapping offense. Moreover, the court agreed that it is conceivable that Nationwide hired Akamai specifically to intercept messages and use them for Nationwide’s financial benefit. This would constitute “aiding” the illegal wiretapping by Akamai, which would lead to Nationwide itself being liable for violating the CIPA.

One theory put forward in the case is that Nationwide paid Akamai to “embed code” into the website that “enables Akamai to secretly intercept in real time, eavesdrop upon, and store transcripts” of messages sent via the website chat feature. In fact, it has been alleged that Akamai’s business model is to harvest data from transcripts of communications. Significantly, the federal court said that one inference from the plaintiff’s legal claim is that the personal information being harvested goes beyond mere “record information” like the consumer’s name, address, and subscriber number.

Akamai has been accused of intercepting customers’ messages as they are sent and received on the Nationwide website. The court found that these allegations are “plausible” based on Akamai’s public statements about its conduct. Additionally, the court said that the plaintiff clearly alleged that neither Akamai nor Nationwide Mutual Insurance had her consent to harvest personal data from communications on the Nationwide website.

Contact the California Consumer Protection Lawyers at Tauler Smith LLP

Anyone who used the chat feature on a company’s website may have been the victim of illegal wiretapping and privacy violations. If you are a California resident who visited a website, the Tauler Smith LLP legal team can help you. Contact our Los Angeles consumer fraud and false advertising attorneys today. You can call 310-590-3927 or email us.

Website Wiretapping & CIPA

California Invasion of Privacy Act & Website Wiretapping

It is important for consumers who interact with businesses online to have a solid understanding of the California Invasion of Privacy Act (CIPA) and website wiretapping. When you have a conversation with someone on the phone or via the computer, there is usually a reasonable expectation that the conversation will remain between the two parties. But what happens when what you believed to be a private conversation was actually being wiretapped, surveilled, and/or recorded by the other party? If this happens in the context of a business transaction, sales call, or online chat, your information could be sold to other companies that profit from the data. This has become a very serious problem in the internet era when personal data can be transmitted and circulated at a rapid pace. It’s one reason that California consumer privacy laws like the CIPA have become so important as tools to protect consumers against unethical business practices.

To learn more about the consumer protections against website wiretapping afforded by the California Invasion of Privacy Act, keep reading this blog.

What Is Website Wiretapping?

Wiretapping is a term used to describe the act of connecting a listening or recording device to a telephone. Website wiretapping occurs when the chat communications on a website are unlawfully recorded, transcribed, or surveilled without permission. These days, wiretapping technology is commonly used to secretly record conversations on websites that were supposed to remain private. Some of the reasons that people might illegally wiretap a website chat include gaining information about a business competitor, learning the details of an opponent’s lawsuit, or acquiring valuable data about a customer that can be sold to others.

Illegal wiretaps are not just against the law; they can also cause significant harm to victims. That’s why both federal privacy statutes and California privacy laws allow individuals to file civil lawsuits against anyone who records their online conversation without consent.

California’s Law on Website Wiretapping: Section 631 of the CIPA

California has a number of very strong consumer protection laws that prohibit companies from jeopardizing the digital privacy and security of customers. Any company that does business in California needs to be completely transparent in its data collection practices, which includes obtaining proper consent from customers and website visitors before any personal information is shared online.

For example, California courts have held that it is a violation of California’s Invasion of Privacy Act (CIPA) for companies to wiretap user chats and other communications on websites. It is specifically a violation of § 631(a) of the CIPA when the intercepted communications contain information that might be considered more sensitive than “record information” such as the user’s name, address, email, etc.

Additionally, Section 631 of the CIPA gives consumers a legal right to know when their phone conversation is being recorded, or when their online chat conversation is being monitored and transcribed. That is why a lot of companies provide automated warnings at the beginning of calls to alert customers to the possibility that the call may be monitored or recorded, and why they publish privacy policies on their websites that disclose the monitoring of website chat communications with session recording technology.

Wiretapping on Websites:

Customers have a reasonable expectation of privacy when they visit a company’s website and use the chat feature. Their privacy rights are violated when a company wiretaps the online conversations, and they are further violated when that company allows third-party entities to eavesdrop on the chat conversations.

In recent years, many companies doing business online have been accused of breaching the privacy of individuals who visit their websites. When those websites are accessible to customers in California, the companies may be violating California’s very robust consumer privacy laws. Companies violate the California Invasion of Privacy Act (CIPA) by illegally wiretapping the conversations of website visitors.

Winning a CIPA Claim for Illegal Wiretapping

The simple fact is that a lot of businesses fail to provide clear warnings about the nature of phone conversations, online chats, or other communications with customers. When a business secretly monitors or records a conversation, the customer whose privacy rights were violated by the illegal wiretapping may be able to take legal action by filing a CIPA claim.

One element of a successful CIPA claim that the plaintiff will need to prove is that they had a reasonable expectation of privacy. Generally, the content and circumstances of the conversation can be used to determine whether such an expectation existed. This is where the court will examine a number of case-specific factors, including:

  • The identity of the person who initiated the conversation.
  • The purpose of the communication.
  • The duration of the conversation.
  • Whether there were prior conversations between the parties.
  • The type of information that was communicated.
  • Whether the party recording the conversation provided a warning.

Section 632(c) of the CIPA clarifies that when the parties to a communication reasonably expect to be overheard or recorded, it does not qualify as a “confidential communication” under the law.

Civil Remedies Available to Consumers Under the CIPA

As mentioned above, the CIPA includes both civil and criminal penalties for companies that violate the statute by unlawfully accessing, maintaining, or sharing customer data. For consumers who have been victimized, the civil penalties can be a valuable tool to get some sort of justice. The CIPA allows consumers to file civil lawsuits in California state court to recover damages of up to $5,000 for each invasion of privacy violation. Additionally, in some cases, the court may order the defendant to pay treble damages that total three (3) times the economic harm suffered by the consumer.

Criminal Penalties for Wiretapping in California

Violations of the wiretapping law can also result in criminal penalties. On the criminal side, the CIPA gives courts the ability to impose penalties such as monetary fines and even jail time. A person charged with a crime for monitoring and recording a private communication could be sentenced to up to three (3) years in the county jail.

The decision about whether to bring criminal charges against a business or individual for breaching your privacy rights by recording a conversation will ultimately be made by prosecutors and other law enforcement authorities. If charges are filed against the defendant, the case will be heard in criminal court. A knowledgeable attorney can help victims start this process, as well as help victims decide whether to file a civil lawsuit to recover money damages either before or after resolution of the criminal case.

Other Data Privacy Laws in California

Data privacy has been a major concern of California lawmakers for a while now, which is why the state has tended to lead the way with this kind of legislation. In fact, the California Invasion of Privacy Act (CIPA) is just one of the state’s extremely strong consumer fraud laws with a focus on data privacy. The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are two other laws that explicitly protect customers against companies that overreach when it comes to sharing personal data. In fact, both the CCPA and the CPRA require companies doing business in the state to give customers the right to opt out of the sharing of their data.

Recently, plaintiffs have been relying on § 638.51 of the CIPA to file class actions against companies that use pen registers or trap and trace devices to acquire data from website visitors without permission.

Additionally, consumers whose data was secretly collected and/or shared with third parties may be able to file a Federal Wiretap Act claim in federal court. Moreover, both federal and state claims can be filed at the same time because the relevant statutes work in tandem.

Contact the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP to File a Website Wiretapping Claim

Too often, companies doing business online choose to deliberately disregard the privacy concerns of customers who use their websites. Instead, these companies prioritize financial gains over consumer privacy and personal well-being. If you visited one of these websites and shared any information via a chat feature, you may be able to get statutory damages under the wiretapping provision of the CIPA.

The Los Angeles consumer protection lawyers at Tauler Smith LLP can help you file a website wiretapping claim. Call 310-590-3927 or email us to learn more.