In recent months, there’s been a noticeable uptick in privacy-related demand letters and lawsuits targeting websites and mobile apps. If you operate in the digital space, this growing trend should be on your radar.
What’s fueling the litigation is that many of these claims stem from the use of common digital tools like chat bots, web analytics, ad trackers, and social media integrations. Surprisingly, they’re often rooted in an older California law—the California Invasion of Privacy Act (CIPA), originally designed to ban pen registers and eavesdropping (yes, a real throwback for the tech- savvy among us).
Now, those legacy laws are being repurposed in modern lawsuits—often alleging that digital tracking technologies function like the “pen registers” of the past.
What Businesses Should Be Asking
If your business operates a website or mobile app, it’s time to ask yourself a few critical questions:
1. Do you run a website or mobile app?
It may seem obvious, but this is where most privacy risks arise. If you’re online, you’re in the
game.
2. Does your site use chat bots or live chat features?
These tools can enhance user experience—but they also collect user data. Make sure you’re aware of what’s being collected and how it’s being stored or shared.
3. Are you using analytics, online marketing, or social media tools?
Whether it’s Google Analytics, Facebook Pixel, or other marketing tech, these tools often track user behavior. Transparency and compliance are key.
4. Do you have a privacy policy?
Every site should have a clear, up-to-date privacy policy that explains what data is collected,
how it’s used, and with whom it’s shared.
5. Do you display a cookie notice?
If you’re using cookies (and most sites are), users should be informed. In many jurisdictions, consent is required before cookies are dropped.
6. Do your chat features include a disclaimer?
Be upfront about how chat data is used. Users need to know if their messages are being logged or analyzed for marketing or other purposes.
Recommended Next Steps
To reduce legal risk and build trust with your users, consider taking these actions:
- Review and update your privacy policies regularly. Make sure they align with your current data practices and the latest privacy laws.
- Provide clear notice and obtain consent for the use of analytics, marketing tools, and third-party trackers—especially if you’re operating in California or the EU.
- Be transparent about chat bot data collection. A simple disclaimer can go a long way
in demonstrating compliance and avoiding misunderstandings.
Why This Matters
Many of the recent lawsuits have targeted companies under CIPA, claiming that technologies like third-party cookies and IP tracking beacons act like unauthorized surveillance tools. Plaintiffs argue that these function as digital “pen registers” or “trap-and-trace” devices—terms that might sound outdated but are proving effective in modern privacy litigation. Some of these lawsuits even invoke the federal Video Privacy Protection Act (VPPA)—which was intended to restrict the disclosure of video rental or purchase records by video tape service providers; and
now plaintiffs allege that use of video content on websites can potentially lead to violations of
the VPPA.
Final Thoughts
If your company relies on digital platforms—and let’s face it, most do—it’s worth taking a hard look at how you’re collecting and using user data. Proactive steps today could save you from legal headaches tomorrow.
Need help reviewing your privacy practices? It might be time to consult your legal or compliance team—or bring in outside expertise. The legal landscape is evolving fast, and your best defense
is preparation.
For more information, contact any member of Ice Miller’s Data Security & Privacy Group.
This publication is intended for general information purposes only and does not and is not
intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.