S4 E04: The California Invasion of Privacy Act – Managing CIPA Risks

Transcript

Jordan Eisner  
All right, welcome back. Here we go. Another episode of Compliance Pointers, another guest appearance by Matt Dumiak. This is not the only podcast you’ve done now.


Matthew Dumiak  

No, no, it’s not. I’ve been on a couple in the last couple weeks, so a couple.


Jordan Eisner  

A couple. Uh, name the other ones. Make a plug.


Matthew Dumiak  

It’s adding up. It’s adding up. So last week I participated in Ketch’s podcast, so it’ll be a privacy spotlight. That was great. Got to record it at Kelly Drye’s new offices in DC while we were up there for the Privacy State of the Union, which was also a great event. So it was nice to hit that event. And then the day after had some meetings and stopped by the office and recorded. So it was great.


Jordan Eisner 

OK, so you’re on the Ketch podcast. What was the other one you mentioned?


Matthew Dumiak  

Well, I was talking about the CompliancePoint podcast.


Jordan Eisner  

Compliance Pointers. Oh, so you’ve been on two.


Matthew Dumiak  

Compliance Pointers. Have you heard of it?
I’ve been on couple times.


Jordan Eisner  

Yeah, yeah, you made it sound like those were exclusive to this one.


Matthew Dumiak  

Oh, got it. No, no, no. That was not the intention.


Jordan Eisner  

It’s OK, not yet.


Matthew Dumiak  

Not yet.


Jordan Eisner  

And for our listeners, you said it pretty quick. The Ketch podcast, Ketch, as in the privacy management software.


Matthew Dumiak  

Yeah, that’s right. Ketch, yes.


Jordan Eisner  

Yeah, so check that out wherever podcasts can be listened to. Our own Matt Dumiak was on that podcast with Max Anderson, Co-Founder over there, right? Head of Product, and then Colleen, Head of Marketing, was also on. All right, good. Yeah, I’m sure it’s great.


Matthew Dumiak  

Colleen was on as well. Yeah, it was. It was a trio. It was fun.


Jordan Eisner  

Well, send it to me when it’s released. I want to hear it.


Matthew Dumiak  

I will. I will. I think it’s gonna be another week before it’s released.


Jordan Eisner  

And so, OK, there you go. You’ve been informed. Tune in. We’re gonna drop it on Sunday at 6:15 PM. I don’t think there’s anything else.


Matthew Dumiak  

Nothing else going on exactly right. You should be by your computer, ready to go. Fire it up. It’s going to be probably the most.


Jordan Eisner  

There’s that football game LXLX something. I don’t know what that. I don’t know what that means.


Matthew Dumiak  

Licks. Yeah, I don’t know what that is either. I don’t either. I will not see you that day, Jordan. So we’ll have to fire up that podcast on our mutual machines and get it rocking and rolling. Yes. And then chat live commentary. Please give me, you know, I’m always seeking feedback. I want to be better.


Jordan Eisner  

Yeah, we can listen to it at the same time in different places.
No.
Yes, yes. It’s kind of like we did with Fuego by Phish last Friday when we started the same live version at the same time. Yeah, it’s great.


Matthew Dumiak  

That’s right. Madison Square Garden 2023. So it’s great.


Jordan Eisner  

All right, I guess we better talk about privacy.


Matthew Dumiak  

Yeah, let’s dive in.


Jordan Eisner  
And who better to do that with than you, with 15-plus years at CompliancePoint and 16-plus years, right? Yes, head of our, I like to call it the regulatory division, which what that means is Matt’s so good at his job. He manages not just one practice here at CompliancePoint, he manages two.


Matthew Dumiak  

Yeah.


Jordan Eisner  

What we call our Marketing Compliance group. And this really has to do with all things outbound direct marketing compliance, telemarketing. A lot of people don’t like that name, but it applies in much more than you think. Texting individuals right on their cell phones, that’s telemarketing.


Matthew Dumiak  

Yeah, exactly right. Even with permission, you know, so.


Jordan Eisner  

E-mail, CAN-SPAM, even with permission. That’s right. It’s a broad range and very litigious space of TCPA class actions. And so you’ve been doing that for all of your tenure at CompliancePoint, but for a majority of it you’ve also been building out and now manage our data privacy practice group, which listeners that have tuned in to hear more about CIPA and CCPA would be a little bit more aware of that, really born out of GDPR back in 2016. And then of course when it went into enforcement in 2018, really sort of changed the privacy landscape. California soon followed. I don’t have to give you the history lesson here. If they’re listening for privacy, they know about this by now. But this is where we are today. And in a similar vein, what we’ve seen for years with demand letters about do-not-call violations and wireless violations, we’re now seeing with CIPA demand letters.
Some of the listeners maybe have gotten them, and maybe that’s part of why they’re tuning in. I’ve dealt with them, but there’s been no shortage. In fact, there are some numbers at the Privacy State of the Union that we heard last week. Hopefully I don’t mess these up too much, but they said something like 2800.


Matthew Dumiak  

Yes.


Jordan Eisner  

Cases around this over the past 2-3 years. Maybe I might be stealing a little bit of thunder here, but that’s just the ones that are known. They said you can probably 10X that for demand letters and the ones that didn’t go to court. So that’s a lot over just a couple years.


Matthew Dumiak  

No, no, this is good.
Yeah, those are the ones that exactly.
Exactly.


Jordan Eisner  

So this is becoming a hot button issue and so we brought it back up. We’re going to break it back down again. We’re going to talk about overview of it.
Why you might be out of compliance with it, what to do if you get a demand letter, or actually better yet, what to do to prevent getting a demand letter. That would probably be a little bit more meaningful material for the listeners and watchers. So just start with.
What is CIPA?


Matthew Dumiak 

Yeah, yeah. We could start the foundation there, California Invasion of Privacy Act, Jordan, to your point talking earlier about kind of the marketing compliance lens of this. We would run into this a lot and still do oftentimes when an organization is recording calls as you can imagine or when you as you know through your own experience and the listeners here as well. When you telephone in, you place an inbound call to a company and they give you that notice, hey, this call may be recorded for quality assurance purposes or monitored, that type of thing. That is to comply with the two-party consent requirements at the state level, including CIPA in California.
Even when you go to, and these things get looped into this, these demand letters too, but if you go to a website and you use the chat function, you may see a disclosure on that that states that the chat transcript will be reviewed for quality assurance purposes, that type of thing. All of those disclosures are to comply with this requirement, the CIPA statute. However, exactly right, the demand letters we’re seeing are in a slightly different context, slightly different in that they are applying, or plaintiffs are applying, the statute to tracking.


Jordan Eisner  

That’s what it was made for.


Matthew Dumiak  

Technology on an organization’s website. And so as you know and successfully and we’ll talk about that, but that many organizations or organizations, businesses, they all have tracking. Most have tracking technology on their website. It’s really important to.


Jordan Eisner  

And successfully.


Matthew Dumiak  

In terms of business or revenue generation, I mean it’s critical. You got to have, like most organizations would feel that at least they have to have some level of digital trackers on their website in order to better communicate to their customers.


Jordan Eisner  

It’s an opportunity like if it were a brick and mortar, know who’s coming in the store and shopping.


Matthew Dumiak  

Exactly right. And that technology just keeps getting smarter and smarter, creepier and creepier, can track you across the web, as you know. No, no, no, no, no. I’m neutral third party here. I’m we’re just helping these businesses navigate these obligations, so.


Jordan Eisner  

Hey, you have no opinions. You have no opinions here.
Your opinion is on risk.


Matthew Dumiak  

That’s right, exactly. And right now this is risky, so.


Jordan Eisner  

OK, so walk that back.
So how’s it impact companies with cookies and web trackers?


Matthew Dumiak  

Yeah. So what the demand letters are alleging is that, and I know we’ve talked about this being a hot topic, it’s it has been over the past couple of years that this has been occurring. So organizations are getting to or starting to come around on in some ways how at least some strategies to mitigate risk they might not be willing to.
To apply it because of what I’ll talk through, but you know there are, it’s becoming more and more clear what organizations may need to do to really totally mitigate the risk of receiving a demand letter. So anyway, we talked about it. It’s the trackers on the website. What organizations or what businesses are really facing is that if they have any type of tracker on their website, to your point, these law firms are sending thousands of demand letters, so it’s very easy for a plaintiff to go to a website, see tracking technology is placed, allege, keyword allege, that there’s a violation of the CIPA statute. That’s what makes this really challenging and frustrating for businesses, is that the novel application of this law in the online world.
Is not traditionally or not really how this law was applied or even envisioned when it was written in the early 1900s. So they, you know, they’re, yes, in like 1946 I believe. So because of wiretapping, yeah.


Jordan Eisner  

What? Hold on a second.
CIPA. Oh, wow. I did not. I did not realize that.
Uh, simpler times. Simpler times.


Matthew Dumiak  

So it’s kind of a novel application of the law. And so the courts currently are a little bit all over the place. Even, you know, yes, to your point, a lot of businesses will simply settle, some have gone.


Jordan Eisner  

Yeah.


Matthew Dumiak  

To court to fight the allegations. Some have lost, some have actually had these court cases dismissed depending on the tracker. And there’s a lot of technical, you know, from a legal and legitimate, like legitimately technical analysis, a forensic analysis of, OK, how are these laws applied to this tracking technology? What’s actually transmitted to these tracking technologies? And so, I bring that back to, it can be frustrating because it’s an allegation and the courts are not clear, candidly, whether or not placing trackers when someone visits the website is actually a violation of CIPA, and so that’s where businesses get frustrated. Yeah, go ahead.


Jordan Eisner  

Yeah. OK. So two questions, two questions and then I think.
The most logical next step is what do companies need to be doing to avoid this, but two questions. Is there a trend? Is there a pattern in those 2800 companies? Or is it anybody and everybody that runs a website? I assume it’s deeper pockets, but you know what happens when you assume?


Matthew Dumiak  

Here’s why I think you could assume that it’s deeper pockets for the organizations that are actually businesses that are going to court is that those businesses can’t afford to go to court. The demand letters, yeah.


Jordan Eisner  

OK. So that one’s going to court. So that’s the 2800. Yeah. Yeah. What about the demand letters? Any patterns there? Or is that dark data? We don’t have it.


Matthew Dumiak  

All over the place we have seen, yeah, well, we don’t. But I think, you know, through our experience we can have an idea or shed some light on that anecdotally, that it’s anything from B2B.


Jordan Eisner  

Anecdotally.


Matthew Dumiak  

Smaller size companies that have even limited trackers on their website for all intents and purposes. And when you really look at the scale, everything’s relative, to large organizations, B2C, targeting.
Younger populations, and what I mean by that is like 18-plus populations in terms of like student housing or some other things like that, that it’s just all over the place. So to answer your question, I don’t think any business, if they’re running a website and they have trackers.


Jordan Eisner  

Across the board of our clients, there’s been no pattern, yeah.


Matthew Dumiak  

Right. No, there has not been a sector or a certain size that we’ve seen like, oh yeah, if you’re hitting this. Now, you will find that, and this is again anecdotally, that there is a sweet spot in terms of the type of law firm that is doing this, and that they don’t want to go to court and fight these lawsuits. These allegations, they would much prefer to settle. Obviously they don’t want to spend the time tied up in the courts. And so what I think they’ve done is adjusted a little bit to look for organizations that are large enough to pay, small enough that they don’t want to go to court. So there’s kind of a sweet spot there. You could probably say 10 million to 20 million in annual revenue, that says like, hey, that’s, it might be a little broader than that. But, you know, I think 10 million or so is kind of a cap.


Jordan Eisner  

OK.


Matthew Dumiak  

Where you’re going to look at it and go, OK, they’ll they have enough money to pay and they have some level of consumer trust or compliance program that.


Jordan Eisner  

Above 10, maybe under 100, yeah.


Matthew Dumiak  

Maybe under 100 where they’re saying, yeah, we’re not gonna go fight this, so.


Jordan Eisner  

Yeah, well, you know, Odell Beckham said $100 million is not a lot of money. It’s not easy to live off.


Matthew Dumiak  

No, it’s not. I did hear that. I saw that. Yeah, no, it’s not, you know, once after taxes and lifestyle.


Jordan Eisner  

Then you’re only left with like $60 million. I mean, what?


Matthew Dumiak  

Except what are you going to do, right? It’s in my experience, not far, you know? So yeah.


Jordan Eisner  

How long does that get?
Yeah, yeah. Disclaimer, those comments were made in jest.


Matthew Dumiak  

In jest Yes.


Jordan Eisner  

All right, so that’s question one. Question two, what’s the relation, if any, with CCPA?
And then we’ll get into what companies need to do.


Matthew Dumiak  

Yeah, sure. The interplay there is also frustrating for organizations. So the state privacy side, CCPA included, is an opt-out environment. And so what that means is, from a targeted advertising or sale perspective.
The CCPA and many other states would say you need to enable consumers or allow consumers to opt out of that type of processing if they wish to do that.
Even at the State of the Union when we heard Michael Macko say, and this is a little extra color here, but he said, you know, that’s the compromise for the state privacy side, is that individuals can opt out, but it needs to be easy to opt out. So I like that word compromise. So I appreciated his perspective on that.


Jordan Eisner  

He was great at answering questions by not answering questions.


Matthew Dumiak  

He, yeah, he was, and so. But the California Invasion of Privacy Act, however, is in some ways, some would maybe argue against this, but a consent-based law, in the context of the website tracking is what I’ll say.
So you can see how it conflicts with the state privacy law, which is opt out. CIPA is opt in. And so traditionally, again, that’s where you would ask the consumer before collecting and transmitting their communications to a third party. You would ask for their permission to do so.


Jordan Eisner  

So that’s a great segue. So people just need to get consent and they’re good, right?


Matthew Dumiak  

That is one avenue to do that, and, or, not so fast, my friend. Yeah, well, it’s certainly an approach to mitigate risk around it, depending on.


Jordan Eisner  

You’re supposed to say not so fast, my friend, but go ahead.


Matthew Dumiak  

The but, there are a couple caveats there. So even with consent, depending on the language, how it’s presented, that type of thing within the banner, is it clear? Yes, even the consent language.


Jordan Eisner 

The consent language. So what? Like that’s clear and conspicuous that there’s no contingencies upon given the consent. What else?


Matthew Dumiak  

Yeah, who you’re sharing it with, you know, third parties, and it’s not just that, it’s third-party trackers, analytics, that type of thing. It can be at a, yeah, exactly, it can be at a categorical level. You know, that’s where sometimes organizations still misstep with that, but that will certainly mitigate some risk and not make a business an easy target.


Jordan Eisner  

You have to disclose that.
OK, you don’t have to mention name or anything.


Matthew Dumiak  

However, that’s going to shut down a business’s ability to remarket or retarget. I’ve seen statistics as high as, like, a drop of 40 to, that’s right, like, it’s a little bit of a broad range, but between 40 and 60% of visitors are going to.


Jordan Eisner  

Individuals that don’t consent.


Matthew Dumiak  

They’re gonna opt out. They’re not gonna opt in, I should say. They’re gonna say decline all and move on, right? Strictly necessary. And so what we’ve seen is that organizations that are reacting to a demand letter will go the consent route.


Jordan Eisner  

Strictly necessary.


Matthew Dumiak  

For a while, see how that plays out and we see that they and this is, you know, a lot of times we’re.


Jordan Eisner  

Then all of a sudden, the price of eggs hurt even more.


Matthew Dumiak  

Exactly right. And we’re, you know, a lot of times working at the direction of outside counsel as well when we assist clients with coming in and responding to a demand letter and helping them stand up their CMP or optimize the CMP, if you will, like moving it from opt out to opt in.
That is, you know, the approach we’ve seen, that the consent tends to get reversed after a period of time based on seeing a fairly significant drop in the ability to retarget. Obviously, like those statistics we just shared, between 40 and 60% are not going to opt in.


Jordan Eisner  

Sure. If they’re a for-profit company, that’s sort of the name of the game.


Matthew Dumiak  

And so they’ll revert back.
That’s right. Exactly right. I mean, we have some clients out there. They’re going to accept the risk. They will pay the settlement. They’re going to have a banner to Nope. They’re going to have a banner to comply with, not even a banner. They’re going to have something in the footer that’s appropriate to comply with state privacy laws.


Jordan Eisner  

Don’t name them.


Matthew Dumiak  

But they won’t even put a banner, they don’t even have a banner that’s a notice. So they’ll because they’ll accept the risk and that’s well within, you know, that’s their argument they’re going to make.


Jordan Eisner  

Yeah, OK, so if you don’t get consent, what can you do?


Matthew Dumiak  

Couple things. So consent obviously is the most forward, and where I think it’s attractive is that a plaintiff who goes to the site will see that, probably do some light testing to see if things are firing, that type of thing. If not, probably going to leave it to the easy targets and move on. There are a couple other things that organizations can do. They could move to server-side tracking, and Jordan, you and I have explored and had conversations with products that might enable this, where when a visitor hits the site, it does not send that information to a third party. It sends it to the business’s servers first, which enables that business to then make certain decisions around that before sending it to third parties.

Jordan Eisner  

Did the business in that instance.
Try and get consent.
For the third party sharing it another way e-mail link to a web form.


Matthew Dumiak  

Right. Potentially they could. That could be a strategy. I have not seen much of that, but I think that could be a strategy. I think another strategy is anonymizing it before sending it.


Jordan Eisner  

Do you see much of that?


Matthew Dumiak  

And saying, OK, we’re not sharing personal information, we’re not transmitting any PII or communications. Some of that I think with some of the providers out there might be done, relatively, right? Exactly. There’s kind of this downfall. Well, and I call out the server side because.


Jordan Eisner  

Yeah, but then you can’t really track them.


Matthew Dumiak  

And the testing with the consent.


Jordan Eisner  

Well, it depends on what you’re doing with the data, right? Depends on what you’re doing with the data. That could work depending on whether you’re looking at populations, you’re looking at group data to make different decisions oriented to marketing. That sounds like a good thing, but as we know, sometimes it’s just about tracking and marketing to that specific IP address.


Matthew Dumiak  

Yeah, exactly.
Yep, analytics on like where?
Exactly right. And do organizations want to do that behavioral advertising? The businesses, do they want to do behavioral advertising where it tracks you across the web and where you’ve been to different websites and you’re still seeing the same ad for something you checked out, like new shoes to go to the gym or golf clubs or, you know, I know you’re really into golf, Jordan, so like golf clubs or maybe.


Jordan Eisner  

Well, I just got an electric bike ad the other day and it’s like, whoa, I think I had like a two day period where I was Googling that months ago and now I’m getting hit with these. It’s like, did did my.


Matthew Dumiak  

New.
Getting old.


Jordan Eisner  

Data like time period expire on that or something and they’re like, oh, you know, new year, new bike, I don’t know.


Matthew Dumiak  

New year, Yeah. Well, and that’s how amazing this technology is. It can even cross-reference that information with who you’re connected with on either LinkedIn or Facebook. And they know who you’re married to and who your friends are. And if you were talking about if they are looking up something, it was likely they had a conversation with you.


Jordan Eisner  

Oh yeah.


Matthew Dumiak  

At a cocktail party. So they’re going to send you that ad. That’s why a lot of people think that their phones are listening to them, when really it’s just cross referencing all of these things. Meta, I mean, is great at that. It’s an unreal.


Jordan Eisner  

Yeah, it’s like when my water.
Yeah, it’s like when the password I use to pay my water bill, and I get the notification that, you know, this has been seen somewhere on the black web or.


Matthew Dumiak  

Uh huh.


Jordan Eisner  

The dark net. It’s like, OK, what’s somebody gonna do? Pay my water bill? And somebody might listen or watch this and be like this idiot. But it’s like, it’s like, I’m, I’m sure that’s leaked.


Matthew Dumiak  

Cool.
Go pay the water bill.


Jordan Eisner  

You know, it’s probably 10 years ago. The water company’s just, you know, realizing that.


Matthew Dumiak  

Uh huh.
Pun intended leaks. Yeah, exactly with the water company there, so.


Jordan Eisner  

Or not the water company. You know, whatever third party they use for bill management. Yeah, exactly.


Matthew Dumiak  

Whatever third party. Yep. So there are some other approaches. There’s a notice approach, notice only, which is a banner. There’s a delayed firing of scripts and cookies, if an organization wants to try that. That gets a bit more complex regarding that notice and allowing people to read the notice and close it out or let it go away before things fire. Again, that can be a bit more challenging, as you know, Jordan, I mean, as you navigate a website, it’s that type of thing. So different things fire at different times. Not to just point out the problems, there is some hope for organizations or for businesses. In the Northern District of California, there was a judge that dismissed a case, and we’ll see where this goes eventually. I know there’s been a couple proposed amendments to CIPA itself. There’s been a proposal that if an organization is complying with CCPA, it’s exempt from the California Invasion of Privacy Act. That didn’t go anywhere. I know, we’ll see. But there was a case dismissed in the Northern District of California, and the judge said that.


Jordan Eisner 

Oh, you comply with data privacy laws? Wiretapping, by all means. All good.


Matthew Dumiak  

Wiretap it up, exactly. And I think that’s why that failed. There were some concerns there. You know, there’s other applications for this law. And so, yeah, I’m sure there were some specific call-outs within that exemption, within that amendment.


Jordan Eisner  

Yeah.
It’s just so different. It’s just so different.


Matthew Dumiak  

But as you know, there are right. I mean, there’s always ways to write.


Jordan Eisner  

Legitimate wiretapping and tracking somebody, but yeah.


Matthew Dumiak  

I know it’s there’s always ways to exploit it. I mean, we even ran into a case where.
It was somewhat unique in that an individual had identified a loophole in the way websites were designed. I don’t want to get too much into detail there, but the CMP was set up correctly and there was still a way in which an individual could proactively put personal information into something and send it.
To third-party trackers, potentially, potentially the consent management platform, yeah.


Jordan Eisner  

CMP being cookie management platform, consent management platform. OK, all right.

OK, so yeah, maybe that’s a good nugget to throw in there and then we wrap is that there’s a lot of tools out there to help with consent management, help with cookies, but you got to configure it.
You got to get in there. You got to adjust it according to what you’re doing and how you’re doing it. It’s not an off-the-shelf thing that you just put in and magically you’re not going to get these demand letters or you’re not exposed to this sort of thing. And we’ve seen that quite a bit.


Matthew Dumiak  

Yep. Or someone thought something was happening that wasn’t exactly.


Jordan Eisner  

Well, this has been good. We should leave it there because at some point can’t give away the farm. This is what we do. And so if the listeners have more questions about this, hopefully this has been very informative. They can go out there, they can build a business case.


Matthew Dumiak  

Yeah, enjoyed it, Jordan.


Jordan Eisner  

Or they can even figure out on their own how to close some of this up with some of the tips you gave about anonymizing the data, or having it go to the business servers first and then they can decide what to do with that data. Or just turn it off altogether, which doesn’t seem recommended if you like revenue.


Matthew Dumiak  

Yep.


Jordan Eisner  

And you rely on that sort of traffic for your revenue, the direct tie ins. But if you have further questions on that, how to actually, you know, configure some of the stuff in the back end, it’s beyond it. You don’t have the time, you don’t have the bandwidth, you don’t have the expertise.
Please reach out. Compliancepoint.com is the easiest way to find us. Connect@compliancepoint.com is an e-mail distribution that goes to many people here, myself included and Matt included. We can respond accordingly and hear what you’re going through and maybe support you and so.
If you have issues like this or others in the realm of information security, information privacy, please don’t hesitate and we’ll continue to try and put out more content and spread the word on how to avoid these things and how to help organizations who seem to be struggling with how to button it up, Matt. It was a pleasure as always.
