Privacy Laws & Meritless Claims

One of our core values at Fourscore is raising the bar on our industry. Unfortunately, we come across some attorneys and firms that make most lawyer jokes understandable. We recently had two different clients in different industries and states receive nearly identical demand letters from the very same attorney. Both letters alleged violations of a California privacy law, but not the one you’d think, and asked for upwards of $25,000 to settle the claims or proceed with arbitration.

It is intimidating to receive a letter from a lawyer claiming that you violated the law. They must have researched the statutes and cases, and investigated the facts surrounding your case, right? It’s an ethical obligation, granted, but some lawyers have found that the right mix of confusion and pressure can force even thoughtful people into paying money to settle a claim instead of paying a different lawyer for help to figure it out or fight it.

Since they are casting their nets far and wide with their letterhead, likely seeking a high volume and amount of settlement for nuisance value, which adds up, we wanted to do what we can here to combat that. Not all heroes wear capes, and not all lawyers are sleazy. We’re here to be a resource if you find yourself on the receiving end of one of these demand letters, and hope this exposure stops these firms and lawyers in their tracks.

Here’s the law they’re using (misusing): California’s Information Privacy Act (“CIPA”) is California Penal Code Section 630 et seq., California’s equivalent of the federal Wiretap Act (18 USC § 2511). It went into effect in 1967 and imposes fines and other penalties for wiretapping and eavesdropping, including criminal and civil charges. CIPA imposes a $5,000 statutory penalty per violation.

The California Consumer Privacy Act (CCPA) is a more modern privacy law from 2018. Most people think this is the law they’re being accused of violating, since it’s relatively new and many businesses had to change their data collection and retention practices to comply. This is not that, though.

Here’s what the CIPA (the old 1967 law) is intended to do: Prevent wiretapping. Yes, they are using big fancy words to claim that you’re spying on people. In our cases, both our clients actually had cookie consent clickboxes as soon as you visited the website, but that is not enough.

Here’s what they’re doing with it instead: Shaking down businesses. Whatever you might settle for, multiply that by hundreds or thousands, and you’ll begin to understand what drives this volume practice. Since our firm reviewed more than one of these letters addressed to our clients, we had the opportunity to run a redline comparison of the letters. No joke, they were exactly the same, line for line and letter for letter, except they changed the date, recipient name, complainant name, number of alleged violations and dollar amounts.

In both these cases, so far, the arbitration claims came and went, and the lawyer did not file claims in court, potentially because that would expose their tactics to a higher degree of scrutiny, publicity, and perhaps accountability. The particular firm our clients were harassed by is facing a lawsuit, as a defendant, for these practices, but the lawyers seem undeterred, so…

Here are some best practices you can employ to reduce the risk of wasting your valuable company resources on bogus claims like these:

1. Make sure that your terms of service (TOS) specifically reference the new mass arbitration rules employed by AAA/JAMS to ensure the most favorable administrative filing fee schedule will be applied to your arbitration.

2. For businesses that are registered or incorporated outside of California or have a principal place of business outside of California, include a strong choice of law provision in your TOS that applies the state law of the state where the company is registered/incorporated or where the company has its principal place of business is essential. CIPA is a California state law and can only be applied where California law is applicable and therefore the CIPA’s $5,000 per violation penalties can only be assessed where California law is applicable to a case or controversy. A strong choice of law provision in a website’s TOS that makes clear any and all cases or controversies arising out of the use of the website are to apply that state’s law will make it much more likely California law, and therefore CIPA, will not apply to a particular visitor’s use of your website. Include clear and conspicuous disclaimers about any data tracking policies or software employed on the website, with an option to “opt-out” of any such tracking.

3. Reach out to your business legal counsel before responding to any demand letter referring to the CIPA (or based on any alleged violation of law or contract, really).

If you receive a nasty letter demanding a settlement payment based on a violation of the CIPA, here are some places where you can file a complaint:

California Bar Association: https://apps.calbar.ca.gov/complaint/

California Department of Consumer Affairs: https://www.dca.ca.gov/

Local Consumer Protection Agency and the FTC: https://reportfraud.ftc.gov/

If you need any help updating your terms or service or privacy policy, the team at Fourscore would be happy to help.

About Fourscore Business Law

Whether you're launching a startup, raising capital, or navigating M&A, our experienced team provides strategic, world-class legal counsel that supports your vision and enables confident decision-making at every stage of growth. Fourscore Business Law empowers forward-thinking entrepreneurs and business leaders by simplifying complex legal transactions. With a focus on efficiency and personalized service, we help you overcome legal challenges so you can focus on innovation and scaling your business. Ready to secure your startup's future? Take our free legal assessment for founders today to better understand your company’s legal health.

Start Your Free Legal Review