What a Swigart Lawsuit CIPA Claim Reads Like

Please be advised that our client below has claims against your company for violation of California privacy law. This letter is a notice of dispute and demand sent pursuant to the pre-arbitration notice of disputes section of your terms and conditions. A synopsis of our client’s claims, detailed information on those claims, the applicable law, a demand, the basis of the demand, as well as further settlement discussion points are below.

Claimant’s Information

Redacted for this example (“Claimant”)
Email: redacted-email@gmail.com

Governing Law

Under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 630 et seq (“CIPA”), a person whose communications are illegally tapped, read, or contents are learned is entitled to the following damages:

• $5,000 per violation, pursuant to Cal. Pen. Code § 637.2.

Courts have ruled that Cal. Penal Code § 631(a) of CIPA is not limited to phone lines, but also applies to “new technologies” such as computers, the internet, and email. See Matera v. Google, Inc., 2016 WL 8200619 at *21 (N.D. Cal. 2016) (CIPA applies to “new technologies” and must be construed broadly to effectuate its remedial purpose of protecting privacy); Bradley v. Google, Inc., 2006 WL 3798134 at *5-6 (N.D. Cal. 2006) (CIPA governs “electronic communications”).

Under California common law, claims for intrusion upon seclusion and invasion of privacy involve a similar test, so courts consider the claims together and ask whether: (1) there exists a reasonable expectation of privacy, and (2) the intrusion was highly offensive. In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589 (2020).

Basis for Demand

Respondent utilizes tracking software, including a Meta Pixel, that allows Respondent to embed a JavaScript in the HTML code of Respondent’s website that intercepts, tracks, stores, and analyzes Claimant’s interactions with Respondent’s website. By embedding the Meta Pixel within its website, Respondent aided Meta dba Facebook to intercept, store, and analyze Claimant’s electronic communications for the purposes of data mining and targeted advertisement.

We downloaded the HTTP Archive Format (“HAR”) file from Respondent’s website which exposes the vast extent of wiretapping and data mining in which Respondent and its co-conspirator Meta engage. In addition to Meta, Respondent aids other companies in tapping and learning the contents of Claimant’s electronic communications with Respondent’s website.

Claimant realized this was occurring after finding a detailed list of interactions with Respondent’s website in Claimant’s personal Facebook account (“off-Facebook activity”). The interactions included Respondent’s tracking analysis of Claimant’s interactions, each labeled as an “Activity.” The information found in Claimant’s off-Facebook activity includes (1) Claimant’s personalized ID number, (2) the date and time of the activity and (3) the event, or the activity itself (i.e. “Page View” or “Content”). The off-Facebook activity constitutes the tip of the iceberg of the information the Meta Pixel collects. The information in Claimant’s Facebook account confirms Respondent embedded a Meta Pixel on Respondent’s website which allowed Respondent and Meta to intercept, store, and analyze Claimant’s communications for their commercial benefit. The images below depict two data sets which reveal just a snippet of the data obtained by Respondent and Meta by using Meta Pixel on Respondent’s website.

Respondent utilizes the Meta Pixel to surreptitiously and covertly gather Claimant’s electronic communications and data, which includes, but is not limited to: 1) a full-string, detailed URL for each page on Respondent’s website that Claimant views and 2) the website folders and sub-folders on Respondent’s web-server, which provides vast quantities of Claimant’s data to Facebook. The Meta Pixel script embedded on Respondent’s website allows both Respondent and Meta to surreptitiously tap and learn the contents of Claimant’s electronic communications. This is the exact factual scenario of which Courts have been concerned; the surreptitious tapping and collection of user data for the purposes of future data mining and benefit.

The information Respondent aided Meta to intercept includes much more than Claimant’s IP address and gives rise to serious invasions of privacy and inclusion upon seclusion claims. Respondent’s invasion of Claimant’s privacy occurred, as the Meta Pixel confirms, within milliseconds – a time where Claimant could not possibly read Respondent’s Terms of Use and Privacy Policy, let alone agree to them.

Any alleged consent occurred well after the tapping began. The pixel spyware became active instantaneously upon visiting Respondent’s site. Even if Claimant later consented to its use, it would have occurred well after the fact. Such was the case in Javier v. Assurance IQ, LLC where the Ninth Circuit rejected retroactive consent for tapping website users. Javier v. Assurance IQ, LLC, No. 21-16351 (9th Cir. May. 31, 2022).

Such an intrusion is highly offensive even to the most reasonable consumer considering that Respondent willingly chose to embed the script on Respondent’s website thereby aiding Meta to tap and collected Claimant’s communications in a matter of milliseconds. This is not a case where Respondent can claim that the information collected was just for its own private consumption and therefore can avail itself to any “party exception” which could apply. The Ninth Circuit, along with the First and Seventh Circuits have held that the simultaneous, unknown duplication and communication of “GET requests” like those at issue here do not exempt a defendant from liability under the “party exception.” Additionally, the key distinction in this case, separate and apart from other claims that Respondent may face, is that Claimant’s data was collected instantaneously by both Respondent and Meta for the sole purpose of having the data aggregated, and then independently used and sold.

By way of further explanation, what typically occurs when Claimant visits Respondents website is that Claimant’s internet browser sends a GET request to Respondent’s website server, which causes the website to send the information requested by Claimant to Claimant. This communication usually only occurs between the user’s web browser and the website being viewed. But on Respondent’s website, Respondent placed JavaScript code that allowed Respondent and Meta to track visitor activity by directing the user’s browser to copy the referrer header from the GET request and send a separate, but identical, GET request and the associated referrer header to Meta’s server. This is the conduct Claimant alleges is unlawful.

The screenshot below provides a screenshot of the HAR file downloaded from Respondent’s website and exposes the true extent of the data interception, collection, and dissemination in which Respondent engages. The screenshot is not of Claimant’s interactions with Respondent’s website; however, Claimant alleges the same data collection and dissemination occurred on the day(s) Claimant interacted with the website.

In this sample, Respondent’s website received (This is where they insert the number of requests) 550 GET requests from the browser with a total of (insert the number of KB) 3850 Kilobytes of information collected and disseminated within seconds. Of the 210 GET requests, nine (9) went to separate third party which included, but were not limited to: Clarity, Google, Okendo, Vestico, Clarity, Cloudflare, Postscript, Mailchimp and Sentry.

Settlement Demand

Claimant’s Facebook data shows that Respondent aided and conspired with Meta to tap and learn the contents of Claimant’s sensitive and private electronic communications on at least one occasion within the last year. Claimant will testify to that at the arbitration hearing and the back-end data, confirmed by our expert, will support Claimant’s testimony. Each such occasion constitutes a separate violation of Cal. Pen. Code § 631(a) with each violation allowing for $5,000 in statutory damages.

Respondent’s one (1) interception results in a total of $5,000 in statutory damages under CIPA. Furthermore, the nine (9) GET requests sent to third parties results in a total of $45,000 statutory damages under CIPA. Based on this information, the total amount in statutory damages amounts to $50,000. This is Claimant’s opening settlement demand.

Claimant’s Statement and Signature

I, Name of Plaintif Redacted, hereby authorize Respondent to disclose my confidential information it has to Swigart Law Group, APC, as necessary to resolve my claims. Please do not contact me directly. All communications should be directed to my attorneys at Swigart Law Group, APC.

/s/ Name of Plaintiff Redacted
Name of Plaintiff Redacted

NOTICE:

We are sending this communication via email. A copy of this letter was also sent via mail when required. This serves as a written notice of dispute and impending arbitration, per Respondent’s terms.

Sincerely,

/s/ Joshua Swigart
Joshua B. Swigart
Swigart Law Group, APC