Timing Is Everything: Ninth Circuit Addresses Chatbot Consent Requirements

According to a recent unpublished Ninth Circuit ruling, obtaining consent prior to using recording technologies is required for purposes of the California Invasion of Privacy Act (CIPA). This ruling is notable for website operators as it signals that obtaining targeted consent before using commonly deployed website features – such as chat bots and lead verification recording programs – can nip burgeoning CIPA “wiretapping” lawsuits in the bud.  

Background: Javier vs. Assurance IQ, LLC and Active Prospect Inc.

As background, Section 631(a) of CIPA prohibits (1) intentional wiretapping, (2) willfully attempting to learn the content of communications while the same are in transit, and (3) attempting to use or communicate information obtained as a result of the two previous prohibitions. Further, California is a two-party consent state – meaning that all parties to a communication must consent to recording protected communications. In Javier vs. Assurance IQ, LLC and Active Prospect Inc, the plaintiff claimed that he visited an insurance website that featured a product called “TrustedForm” that records users’ interactions with the website and creates a unique certificate for each user based on the user’s agreement to be contacted. Prior to requesting an insurance quote, the plaintiff allegedly answered a series of questions about his demographic information and medical history.

Allegedly without the plaintiff’s knowledge, TrustedForm captured and created a video recording of the entire interaction in real time. Critical to the Ninth Circuit’s ruling, the plaintiff was not prompted to agree to the company’s Privacy Policy until after the video recording. The court, ruling in favor of the plaintiff, concluded that Section 631 of CIPA requires the prior express consent of all parties. Retroactive consent is not sufficient.

To be clear, the Javier decision is expressly limited in scope. The Ninth Circuit panel only reversed the district court’s primary ruling that the plaintiff’s retroactive consent to Assurance’s Privacy Policy completely defeated the plaintiff’s Section 631 wiretapping claim. Notably, the district court also ruled – albeit in a footnote – that the plaintiff’s complaint should be dismissed on other grounds, including that Assurance, the website operator, was necessarily a party to the communications, and could not have “wiretapped” its own website.

That, however, has not stopped plaintiffs’ attorneys who specialize in trolling websites for alleged violations of various laws (e.g., ADA website or Unruh Act claims) from latching onto Javier and adding Section 631 claims to their shakedown checklist. But in our view, these claims are, in reality, CIPA Section 632 claims improperly dressed up as Section 631 claims. That is, Section 632 protects confidential communications from being recorded without all parties’ consent, while Section 631 protects any communication from being monitored in transit – true wiretapping. Indeed, these plaintiffs would never be able to establish that their voluntary communications and interactions on public websites could somehow be considered “confidential,” so they are forced to conflate recording with wiretapping. And that’s the real bait-and-switch here.

At bottom, the Javier case is far from over. But perhaps the real lesson from this decision is that it would have been over by simply obtaining opt-in consent prior to recording any consumer communications submitted through the company’s website.

What Does This Mean for your Website?

With the Ninth Circuit’s ruling in mind, website operators that engage in tracking, keystroke monitoring, or use technologies such as chat bots and questionnaires that record web sessions must remain vigilant about their respective privacy practices and how to capture consent. While the use of these technologies continues to assist customers in their endeavors, it now creates increased litigation exposure for businesses that utilize these services without obtaining prior consent.

To address this risk, businesses can:

  • Obtain consent prior to tracking or recording interactions, such as through a cookie wall or pop-up box
  • Fully inform consumers of their privacy practices
  • Remain familiar with the privacy practices of affiliated third-party providers, including without limitation storage, recording, and use practices
  • Fully understand at which point in user engagement consumers are notified that their interactivity is monitored and stored

If you have questions or need assistance with privacy, data processing, cybersecurity, or related litigation, please contact Eva Pulliam, Adam Bowser, Christine Chong, Destiny Planter, or the ArentFox Schiff attorney who usually handles your matters.


Continue Reading