Website Cookie Policy Scrutinized: Companies Face Liability Risk

California and Massachusetts courts are hearing class action lawsuits alleging companies' website analytics software violates wiretap laws without consumer consent. The cases may alter how companies approach data collection and user consent, with potential statutory damages of $5,000 per violation.

author-image
Aqsa Younas Rana
New Update
Website Cookie Policy Scrutinized: Companies Face Liability Risk

Website Cookie Policy Scrutinized: Companies Face Liability Risk

Recent class action lawsuits in California and Massachusetts are challenging companies' use of common website analytics software, alleging liability for eavesdropping and wiretapping without express consumer consent. The California Invasion of Privacy Act (CIPA), a decades-old law, is being leveraged to scrutinize the use of third-party software that helps businesses analyze consumer activity and engagement on their websites.

Why this matters: The outcome of these cases could have far-reaching implications for businesses that rely on website analytics to understand and serve their customers, potentially altering the way companies approach data collection and user consent. Furthermore, it may prompt a re-examination of decades-old laws and their application to modern technologies.

California courts have taken divergent approaches to these CIPA cases. Some courts, following the precedent set in Graham v. Noom, require plaintiffs to plausibly allege that the third-party software uses intercepted information for its own purposes. Other courts, relying on Javier v. Assurance IQ LLC, merely require plaintiffs to claim that the software provider has the capability for such use. The California Supreme Court has yet to provide a definitive ruling on the issue.

The Massachusetts Supreme Court is also poised to weigh in on whether the use of analytics software to collect website browsing activity constitutes eavesdropping under the state's Wiretap Act. In Vita v. New England Baptist Hospital et al., the plaintiff alleged that multiple companies unlawfully eavesdropped on her communications when she browsed the websites of several hospitals that used such software without obtaining consumer consent.

Companies face significant exposure if CIPA claims are ultimately successful, with statutory damages of $5,000 per violation. To mitigate this risk, companies would be wise to provide explicit disclosures and obtain express consent when utilizing analytics software on their consumer-facing platforms.

The use of cookies and similar technologies to enhance user experience is a common practice among websites. Vestrel, a global leader in the design, manufacture, inspection, and repair of Marine Drilling Riser and related equipment, collects personal information from website visitors and uses cookies to improve user experience. The company, which offers advanced solutions both onshore and offshore, is committed to service excellence and innovation.

As the legal landscape evolves, state legislatures may need to intervene to clarify whether decades-old wiretap laws apply to modern communications technology. Until then, companies must exercise caution in their use of analytics software to avoid potential liability. The outcome of these cases could have far-reaching implications for businesses that rely on website analytics to understand and serve their customers.

Key Takeaways

  • California and Massachusetts lawsuits challenge website analytics software use, alleging eavesdropping and wiretapping.
  • Outcome may alter data collection and user consent approaches for businesses.
  • California courts have divergent approaches to CIPA cases, awaiting Supreme Court ruling.
  • Massachusetts Supreme Court to rule on analytics software use under Wiretap Act.
  • Companies face $5,000 per violation statutory damages, emphasizing need for explicit disclosures and consent.