Websites Facing Privacy Litigation Over Data Collection Practices

Previously, I’ve written about litigation arising from AI notetaking apps and call monitoring systems. These cases allege that pre-Internet wiretap laws, such as California’s Invasion of Privacy Act, prohibit companies from sharing recordings of conversations with AI developers without the consent of all parties. However, another class of litigation is brewing along the same lines. These cases target websites collecting user data, such as session recordings, even if those recordings are not being shared. A recent memo from Wiley discusses strategies for mitigating these litigation risks and responding to demand letters:

“Before receiving a demand letter, companies can:

• Review their website data collection practices to assess compliance obligations.
• Update their privacy policies, cookie banners, and cookie consent management features to ensure compliance with privacy laws.
• Audit their cookie banner and consent management features regularly.

After receiving a demand letter, companies should also assess potential factual and legal defenses. These defenses could include:

• Lack of standing based on failing to suffer an actual injury.
• Claims that conflict with applicable regulatory frameworks and are therefore unsupportable.
• Consent to use of online technologies.”

Often, these plaintiffs are looking for quick settlements, and none have won major verdicts using these theories. However, for websites servicing thousands, or even millions, of users, these settlements can add up quickly. Companies should understand the data they collect and the third-party tools they use to collect it. Where necessary, data collection should be disclaimed and users given the opportunity to opt in. Unfortunately, opt-in banners are likely to reduce the amount of data collected, making it harder for websites to diagnose and address user experience issues.