No! Do Not Ignore a Demand Letter. Speak with an experienced website privacy attorney.
What is a Demand Letter?
A demand letter is an attempt to resolve a dispute without court intervention. This letter, frequently drafted by an attorney, describes the issue or violation and asks for some action or payment to avoid further litigation. The letter will also provide a deadline for a response. If the deadline passes without a response from the recipient, the sender may file a complaint in superior court.
The demand letter sender may be a business or their attorney who is looking to recover damages, enforce the terms of a contract, or ask the recipient to cease some activity. A demand letter isn’t a legal complaint or court filing. It’s formal notice that the sender may pursue legal action if the specific demands aren’t met.
In addition to the threat of a lawsuit, ignoring a demand letter can mean unnecessary expenditures of your time, added stress, and more work.
We will look at demand letters in the context of website privacy violation in California.
The California Invasion of Privacy Act (CIPA)
It’s not uncommon for California companies to receive demand letters for purported violations of the California Invasion of Privacy Act (CIPA). These letters usually take aim at common website tracking technologies. Law firms are determining how far they can go to bring lawsuits under this law that was enacted in 1977. To be sure, courts in California have not been in agreement in their application of CIPA to the modern web environment. As a result, there’s the potential for the risk of litigation for companies that employ Internet tools such as chat widgets, Meta "unfollow" tools, session replay, social media plugins, and website analytics.
CIPA was enacted to thwart secret wiretapping by law enforcement, as well as private citizens. Recently, plaintiffs have used the law to challenge modern website technologies. Companies use website tools to help improve the customer experience, measure performance, prevent fraud, and increase brand awareness. Frequently, these tools capture data about the way in which individuals interact with webpages, including clicks, cursor movements, page navigation, chat messages, and data form entries. Plaintiffs now contend that the use of these types of tools constitute the unlawful interception or recording of communications under CIPA.
Some courts have held that visitors to a website can reasonably expect chats, form entries, and some click activity to remain private. In these cases, disclosures may not be treated as sufficiently clear or sufficiently connected to meaningful consent for the specific tracking at issue. Other courts have held that website interactions aren’t confidential when users are clearly informed that their data and usage may be collected and/or tracked. In these cases, prominent disclosures and clear notices may weaken claims that a “secret” interception occurred.
What Can Companies Do to Protect Against CIPA Demand Letters and Lawsuits?
While the courts in California remain at odds on what constitutes a CIPA website violation, California businesses can decrease risk by looking at these areas:
- Privacy Policies;
- Terms of Use disclosures;
- The sharing of IP addresses;
- Consent banners and how consent is captured;
- The use of tracking pixels;
- The need for tracking tools and their configuration; and
- Arbitration provisions and class action waivers.
Bottom Line
Understanding the nature of a demand letter for a purported CIPA violation and the potential ramifications for ignoring it is critical. Being proactive is the best risk-management approach. California business owners should understand what their websites are doing; set realistic disclosures; improve notice and consent flows; and examine contractual vehicles like arbitration clauses and class waivers.