CIPA Claims Pick Up - Time For A Checkup
In the last few weeks, we’ve seen an increase in private plaintiff California Invasion of Privacy Act (CIPA) complaint letters, which warrants some important CIPA updates and recommendations at the conclusion of this article.
ICYMI: CA’s Legislative Fix Failure
In July, the California State Legislature was very close to passing SB 690, which would have exempted CIPA claims related to use of standard online technologies such as cookies and pixels for ‘commercial business purposes.’ Unfortunately, the bill was tabled at the end of the legislative session due to aggressive lobbying by the Plaintiff’s Bar. Even if the bill gets resurrected and passed in 2026, it will not come into effect until 2027, so any current CIPA complaints could still proceed to trial prior to any future legislative changes.
Important Court Case Updates: LiveRamp and Meta/Facebook
In July, a US District Court denied LiveRamp’s Motion to Dismiss several federal, state, and common law tort claims, including CIPA, based in part on information received through plaintiff CCPA data subject access requests. The ruling takes a very critical position against all of LiveRamp’s fundamental adtech privacy positions. It holds that Section 230 (which prevents platforms from being held liable for the information provided by users) does not apply to LiveRamp’s Data Marketplace, and thus that LiveRamp is not immune from liability relating to its Data Marketplace. It also rejects a prior court precedent (In Re Facebook, Inc Internet Tracking) that the federal wiretap law (ECPA) does not apply to commercial uses of pixel tags/cookies. On the CIPA claims, the Court specifically cites some of LiveRamp’s marketing materials related to identity graphing as potential factual evidence that could lead to a conclusion that ‘contents’ of communications include ‘profiles’ and are subject to CIPA consent. In addition, the Court specifically rejects related decisions that noted pixel tags were not in the legislative history of CIPA and should not be deemed ‘pen register’ devices, finding that the use of pixel tags could constitute a wiretap. Finally, to add on to these claims, the Court also rejected LiveRamp’s unjust enrichment defense, which could open the door for significant damages if the Plaintiffs are successful at trial. In this author’s opinion, if this case goes to trial, it will be the most consequential adtech and data broker-related privacy case to be considered in the U.S. since Doubleclick/Abacus in the early 2000s.
In August, a jury in the case of Frasco v. Flo Health, Inc. (N.D. Cal., No. 3:21-CV-00757) found that co-defendants Meta/Facebook Inc. violated CIPA by capturing data from visitors to Flo Health’s mobile app without consent. While Meta has indicated it will appeal the ruling, the jury concluded that the menstrual tracking information was subject to a ‘reasonable expectation of privacy’ and that Flo Health app users did not provide the level of consent necessary to satisfy a CIPA affirmative defense. In addition, Meta was unsuccessful in arguing that it was just processing pseudonymised data, so it appears that CIPA’s application to device data is akin to the CCPA’s broad definition of ‘personal data’.
There were also two cases filed in March against The Trade Desk, one for their processing of the email-based Unified ID (UID2), and another related more generally to their pixel tag and its use in profiling across websites. While neither of these cases has been reviewed by the courts, they both indicate a more sophisticated view of adtech’s role in potential CIPA complaints and could be influential if they move to trial.
CIPA + CCPA = CMP Audit
One positive CIPA court case result was Ubisoft’s successful motion to dismiss a class action complaint related to its use of the Meta pixel tag, which succeeded because of its cookie banner/consent management platform (CMP). While CIPA’s standard for consent is commonly assumed to be ‘affirmative’ opt-in prior to the use of pixel tags, the Court accepted Ubisoft’s approach to ‘informed consent’ and its use of a CMP in conjunction with adequate notice in the cookie banner and privacy policy about the use of third-party advertising pixels.
On a separate track, both the California Attorney General and the California Privacy Protection Agency (CPPA) have taken aggressive actions against brand name companies such as Honda Motors, Todd Snyder, and Healthline, in part related to their use of CMPs to limit the ‘sales or sharing’ of pixel tag-related advertising data. In these instances, the CMPs were either not configured properly, did not properly indicate the nature of the data being sold, or simply did not opt people out of ‘sales’ or ‘sharing’. Digging deeper, the California AG and CPPA targeted some of these companies for a lack of due diligence on their advertising partners in compliance with CCPA regulations.
Result: CMPs should no longer be viewed as a ‘set it and forget it’ tool, or something to ‘leave to an IT person’ to configure by themselves. CMPs should be viewed in the same way as any data subject rights management function, and closely scrutinized by privacy and/or legal professionals in order to determine whether they are functioning for their intended purpose. If that purpose is to mitigate risk of a CIPA complaint, then an analysis of affirmative versus informed consent (i.e. opt-in vs. opt-out consent) should be considered, as well as ensuring all copy and privacy policy references align with accurate third-party advertising information.
Finally, all businesses should consider a pixel tag/mobile app SDK and API audit, adtech vendor privacy/commercial terms due diligence effort, and a privacy policy refresh to address potential gaps in data uses or state-specific requirements. A few key considerations as part of these updates should include:
Privacy signal updates. Recently, California, Connecticut, and Colorado announced a joint sweep of ‘opt-out preference signal’ compliance (a.k.a. ‘Global Privacy Control’). All CMPs should have this signal recognition embedded into any pixel consent, but this needs to be confirmed and tested. In addition, if your website is ad-supported, you should be considering the IAB’s Global Privacy Protocol to ensure opt-outs are aligned with the adtech ecosystem.
Adtech due diligence. While California requires certain adtech providers to be deemed ‘third parties’ under the CCPA, this doesn’t mean that these companies are automatically ‘independent controllers’ or, more importantly, ‘licensees’ of your data. There is a difference between a ‘sale’ in the strict privacy-compliance sense and a ‘sale’ in the data monetization sense, which should be well known as part of any due diligence effort and properly addressed in any commercial terms.
Complete adtech and martech channel transparency. Few advertising companies capture the full breadth of marketing channel efforts in a privacy and/or pixel-cookie notice. Specifically, many companies utilize email custom audience matching with media platforms, or email onboarding solutions for programmatic/CTV campaigns, and these activities need to be properly disclosed and incorporated into data subject rights notices/tools.
Final Note: Small Businesses Are Not Immune From CIPA Complaints
In-House Privacy, Inc. works with many startups and small businesses, and we’ve been surprised to see these companies increasingly targeted with CIPA complaint letters (perhaps ‘professional plaintiffs’ have exhausted letters to all the bigger players). There is truly no rhyme or reason to receiving a CIPA complaint letter, whether the company is business-to-business, in a specific industry, or has any presence in California. The complaint letters are truly indiscriminate as to business size, products, or services, as long as third-party advertising pixels are included. While most complaint letters continue to focus on Meta/Facebook pixels (with purported evidence courtesy of Meta’s ‘Off Facebook Activity’ privacy tool), some have referenced TikTok pixels with ‘politically charged’ references, and pixel tags from companies on the California ‘Data Broker Registry’ with ‘unjust enrichment’ claims tagged on. Even with one or two advertising pixels on your website, thorough due diligence is warranted for all third-party pixel tags.
Conclusion: CIPA claims are increasing in scale and scope, with a high degree of success in surviving specific types of defendant motions to dismiss. In addition, U.S. state privacy regulators are ramping up their enforcement actions, with advertising ‘sale’ or ‘share’ activities serving as ‘low hanging fruit’ since they are easily reviewed for compliance. A CMP/data subject rights audit, vendor due diligence, and a privacy policy refresh together are a simple tactic to help ensure compliance before becoming a target of any plaintiff or regulator.