Over the past two years, we have seen an influx of lawsuits asserting that the use of tracking technologies on websites violates the California Invasion of Privacy Act (CIPA). Some companies have successfully dismissed these CIPA claims on the basis that the information allegedly intercepted by the tracking software—i.e., pages viewed, keystrokes, mouse clicks, etc.—does not constitute the “contents” of a communication, and is thus not protected under CIPA.
In a seeming attempt to plead around these holdings, California plaintiffs’ attorneys have added a new spin to these CIPA claims—that when website users enter search queries on a website, descriptive URLs are created (containing those search queries), which are then conveyed to third parties via tracking pixels (e.g., the Meta pixel) and used for targeted advertising campaigns in violation of CIPA.
A recent California federal court decision has given this theory some traction. In Heerde v. Learfield Communications, the court held that “[s]earch terms constitute ‘contents’ of a communication”, and that a company’s sharing of those search terms with Facebook via the Meta pixel potentially violates CIPA. See Heerde v. Learfield Communications, Case No. 2:23cv4493, 2023 WL 3583874, at *5-6 (C.D. Cal. July 19, 2024). Since this decision, we have seen a wave of demand letters alleging CIPA violations of this nature.
What can be done to prevent these CIPA claims? Companies should review the tracking technologies used on their websites, and ensure that their privacy policies are comprehensive and accurate. Companies should also consider obtaining users’ express consent prior to the firing of any tracking software, or adding pop-up disclosures that inform users that their search queries may be shared with third parties.