« View All Publications

Website Operators Beware: Privacy Litigation on the Rise

November 15, 2024

By: Artin Betpera, Christina Morgan and David Liu

I. Introduction

Any business operating a website needs to be aware of the proliferation of lawsuits targeting websites which use any type of customer tracking technology.  While advantageous to the business in its marketing efforts, the data collection subjects the business to potential liability.  This is true whether the business is physically located in California or elsewhere – if the business gathers California customer’s information, a risk arises.

II. What sort of technologies are being targeted?

a. Web Beacons: Web beacons gather information about visitors to websites.  They are usually invisible and used to monitor website traffic and the effectiveness of email marketing campaigns.  Web beacons track visitor behavior, such as the pages they view and the links they click.  When a web beacon loads on a website or in an email, it sends data back to the website owner or the third-party company.

b. Session Replay:  The Session Replay Code enables website operators and third-party providers of the technology to record, save, and replay users’ interactions with the website, like an electronic transcript.  The code captures interactions at a granular level, including all of the user’s mouse movements, clicks, scrolls, zooms, window resizes, keystrokes, text entry, and other navigations through the website.  Session Replay Providers use the information captured to recreate a video playback of the user’s interaction with the website.

c. Chat Features:  Live or automated instant messaging features on websites designed to help users communicate for customer service purposes.

d. Pixel Trackers and Google Analytics:  The Meta Pixel is a publicly available piece of code that Meta allows third-party website developers to install on their websites. In a nutshell, the Meta Pixel allows website developers to learn: (1) if and when website users take certain actions on a website, and (2) generalized information about website users, which can be used for targeting advertising.  Google Analytics operates similarly to the Meta Pixel.

III. California’s Invasion of Privacy Act

The California Invasion of Privacy Act (“CIPA”) was created to address illegal wiretapping. Now, the plaintiffs’ bar is using CIPA to attack new, web-based technologies. CIPA provides for a civil private right of action, , civil penalties of $5,000 per violation; or (2) trebled actual damages, whichever is higher. CIPA also authorizes courts to enjoin future and ongoing violations of the Act.  T

CIPA also has prohibits use of a “pen register” (a log of outgoing phone numbers) or use of a “trap and trace device” (a log of incoming phone numbers).  In addition to the civil remedies discussed above, businesses can be liable for a fine up to $2,500.

IV. Why These Technologies and CIPA Matter to You and Your Business

The plaintiffs’ bar has been sending numerous demand letters and filing myriad CIPA lawsuits, including class action suits, arising out of the use of third-party web technologies and “trap and trace” devices. To limit your exposure, it is important to be proactive, by ensuring you have an up-to-date Terms of Use and Privacy Policy. If your business becomes the target of a demand letter or lawsuit, Buchalter has an experienced team of litigators ready to assist.

Buchalter attorneys partner closely with clients to provide broad, protective counsel that minimizes risk exposure. Our critical risk-management solutions allow clients to focus on managing their businesses while we manage the details of their employment and workplace problems. We work closely with business management to ensure workplace compliance and an immediate response when conflict arises. We prepare and implement employee handbooks, advise on personnel matters and union relations, negotiate employment and severance agreements, draft contractor agreements, and defend lawsuits. Our clients vary from closely-held companies to major financial institutions, restaurant chains, manufacturers and retailers, with offices and locations nationwide.

Artin Betpera is a Shareholder in the Firm’s Orange County office and a member of the Litigation and Cyber Security practice groups. 

Christina M. Morgan is Of Counsel in the Firm’s San Diego office and a member of the Litigation and Privacy & Cybersecurity practice groups.

David Liu, CIPP/US, is Special Counsel in the Firm’s Los Angeles and Orange County offices and a member of the Litigation and Cyber Security practice groups.


This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice, nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.