NOTE: This document provides guidance but does not replace legal counsel. For specific questions about CIPA or other privacy laws, consult a qualified attorney.
What is the California Invasion of Privacy Act (CIPA)?
The California Invasion of Privacy Act (CIPA) is a state law that protects the privacy of electronic communications. CIPA prohibits unauthorized interception, recording, or tracking of communications within California, covering any device or process that monitors or captures communication information without consent.
There are many provisions under CIPA, but one specific provision that has been linked to consent services restricts the use of “trap and trace devices” without a court order. California Penal Code § 638.51 defines a “trap and trace device” as any device or process that captures incoming electronic impulses to identify the originating number or other routing information of a communication. While it does not capture the contents of a communication, this tracking information is still subject to CIPA protections.
Understanding Trap and Trace in Modern Tracking Technologies
Tracking technologies such as web beacons, pixels, and cookies are commonly used for data analytics and user tracking. However, under CIPA, these technologies can potentially be viewed as trap-and-trace mechanisms if they collect identifying information without proper user consent.
For example, the TikTok web beacon has been observed to capture user information such as device type, browsing activity, and even demographic data, solely to trace the communication origin. This type of tracking can resemble trap and trace methods and may expose organizations to CIPA-related claims if used without explicit consent from users.
Recent cases involving platforms like Meta and TikTok highlight the risks associated with deploying these tracking tools. Many lawsuits claim that tracking tools have violated CIPA when they capture or share communication routing information without adequate user disclosure and consent. These developments underscore the importance of carefully assessing the tracking tools in use and ensuring transparent and compliant data practices.
CIPA Recommendations for Compliance
To comply with CIPA and minimize the risk of legal exposure, organizations should consider the following steps:
- Review and Update Privacy Policies: Ensure privacy policies clearly disclose the types of data collected, the purposes for collection, and any third parties with whom data is shared. Include disclosures about tracking technologies like cookies, web beacons, and pixels, especially if they capture identifiable routing information.
- Evaluate and Classify Tracking Technologies: Conduct an internal audit of the tracking mechanisms deployed on your website or app. Identify which technologies might collect routing information and determine whether user consent is required for their use.
- Establish Consent Mechanisms: Implement consent mechanisms that inform users and allow them to manage their preferences around data collection. A comprehensive Consent Management Platform (CMP) can help provide transparent options for users to opt into or manage tracking settings.
Best Practices for Configuring Tracking and Consent Banners in Osano
To align with CIPA and other privacy laws, it is essential to configure tracking and consent banners correctly. Here’s a breakdown of Osano’s current banner options and recommendations for California-specific compliance:
Use Osano Cookie Consent Manager to obtain explicit consent for the above functionality. For example, if using the Meta Pixel, obtain explicit consent by classifying the pixel appropriately and disclosing the purpose for its use.
Allow for ease of opting out by providing links to change cookie preferences throughout the customer journey as well as whenever sensitive or video viewing information might be collected.
- Provide Clear Notice: Inform individuals about their rights and the types of information that will be disclosed. Clearly state the purpose of the information disclosure and provide an easy way for individuals to revoke their consent at any time.
Disclose within your Cookie Consent Manager which trackers you are using for this purpose and why, and be sure to clearly lay these out in your privacy policy or cookie notice documentation.
- Limit Information Disclosure: Only disclose information that is necessary for the intended purpose and only to authorized parties. Avoid unnecessary sharing of personal information.
Recommended Settings in Osano
- California-Specific Banner (Default Banner 3): Osano’s default for California visitors is Banner 3, an explicit consent banner with “Accept/Deny” options. It can also be configured to include a “Manage Preferences” button to give users more control over their data. Ensure the US STATE LEVEL OPT OUT setting is turned OFF.
- Strict Banner Enforcement: Run Osano in STRICT mode so that no unclassified content runs prior to consent.
- Global Privacy Controls: Enable GPC to support browser opt-out signals automatically.
Additional Resources
For further information on CIPA and evolving litigation trends around tracking and privacy technologies, here are some helpful resources as of October 2024:
- Pen Register and Trap and Trace Claims: The Latest Wave of CIPA Litigation
- Help! I Was Served with a CIPA Lawsuit