Ads, Websites and Wiretaps

I’m Alan Chapell. I’ve been working at the intersection of privacy, competition and advertising for decades and I’m now writing for The Monopoly Report. If you have a tip to share in confidence, ping me at my last name at Gmail or find me on Bluesky. If you like this article, PLEASE take a minute to share it using the icon on the left.

Our latest Monopoly Report podcast is out with Alysa Hutnick - Partner at Kelley Drye who shares her thinking about the impact of CIPA and similar wiretap laws on the ads space.

Wiretap laws are back & they’re coming for your ads

Wiretapping laws in the U.S. have a colorful history given the natural temptation to gain an advantage by listening into the communications of others. Union and Confederate soldiers intercepted one another’s telegraph wires during the Civil War. The New York Police Department is believed by some to be the godfather of official government wiretapping, beginning in 1895 under NYC Mayor William L. Strong.

U.S. federal law enforcement first began listening in on the calls of bootleggers as early as the 1930’s – and regularly used wiretaps to come after organized crime. (e.g., as witnessed by this explicative filled exchange between De Nero and Ray Liotta in Goodfellas). At some point, law enforcement began to use wiretaps to listen in on conversations with the likes of MLK Jr., RFK, Communists, homosexuals, the American Indian movement and critics of the Vietnam war.

At some point, U.S. Courts had had enough, and took the position that it might be a bad idea to allow the Government to indiscriminately listen in on conversations of its citizens. Similarly, Congress and state legislatures eventually drafted privacy laws to limit if not prevent wiretapping. One of the ironies of life is that all that wiretapping by the FBI ushered in a wave of privacy laws culminating with the Privacy Act of 1974 - which might have been the last time the U.S. federal government enacted meaningful privacy legislation. (There’s also a NY Jets / Knicks joke in there somewhere, but I digress).

Anyway, some of those wiretap laws from the 60’s and 70’s are back - and they are creating all kinds of trouble for the ads space.

Déjà vu?

Anyone who’s an OG in the digital ads space might remember that this isn’t ad techs’ first time defending against wiretap allegations. There were a number of these types of cookie wiretap cases raised nearly 25 years ago. Ad tech wiretap cases typically alleged that a cookie placed on a desktop was “intercepting” a communication between a website owner and a user in violation of one or more of those pre-Internet wiretap laws. The cases were generally settled in favor of defendant tech companies – mostly because the website was deemed “a party” to the communication and had consented to the tech companies’ (e.g., DoubleClick) placement of cookies constituting the interception.

Anyway, the conventional wisdom up until just a few years ago was that the cookies were not an interception as defined under federal and most state wiretap laws. There were occasional class action claims brought, but almost all of them were dismissed early in the process – which in turn reduced the number of claims being made.

More recently, Courts have been much more willing to entertain state wiretapping law claims – including CIPA claims.

What in the world is CIPA?

The California Invasion of Privacy Act (CIPA) was passed in 1967 and makes it illegal for businesses to wiretap consumer communications and record them without the consent of all parties to the communication. (i.e., so whether the ad intermediary had the consent of the website was irrelevant).

CIPA was originally enacted to prevent the use of technology to capture telephone numbers and similar communications. Over the past few years, the admittedly outdated language in CIPA has been leveraged to come after websites for many of the types of behaviors which are integral to their operations. Unlike the federal wiretap laws which are “single party consent” laws, CIPA requires both of the parties to consent. As such, (and unlike the federal wiretap laws), the website is unable to consent to the interception of the communication.

CIPA has been around for 50 years - why is it now a problem?

One of the biggest hurdles to these types of class actions is that the plaintiffs need to demonstrate that they were “harmed” by the interception (at least if they want to collect damages - which is kind of the point.) We’ve talked about HARM a bunch here (and in even more detail in The Chapell Report). If all that’s happened is that you’ve been served the RED banner instead of the BLUE banner, it’s hard to get a court to agree that you’ve been harmed. But as data driven advertising has started to become more intrusive, and include identifiable data, location data and other sensitive data…. well… there are all kinds of examples of harm.

One can point to some specific court cases over the years where courts have become increasingly more willing to entertain wiretap claims: (1) Matera v. Google Inc. (2016) – Court held that CIPA is not only applicable to phone lines, but also applies to “new technologies” such as computers, the Internet, and email, (2) Greenley v. Kochava (2022, ongoing), which held that a mobile SDK could violate the CIPA (although it’s worth noting that Kochava’s SDK was collecting precise location data which probably helped demonstrate harm – and in any event is viewed as more sensitive.) (3) In re Facebook, Inc. Internet Tracking Litigation (2020) where the Court opened the door to large scale collection and sharing of URLs and search terms as actionable privacy issues that were questions of fact for a jury and not easily dismissible.

Put another way, the trend over the past several years is that Courts are increasingly reluctant to dismiss claims at the initial complaint stage where the data collection practices are of a large scale, more intrusive, and/or collect potentially sensitive data.

How can you lower the chances of a CIPA or similar claim?

Listen to this week’s TMR pod - Alysa Hutnik has some fantastic suggestions for reducing risk and limiting liability. As always, your best bet is to get your advice directly from a great privacy lawyer like Alysa. I’m seeing more and more well meaning advertisers getting dinged - in part because they didn’t fully understand the ramifications of the technologies being implemented on their sites. If it can happen to Oracle Advertising, it can also happen to your company. Some suggestions:

• Use a CMP (and for god’s sake, configure it properly) – This is a wonderful example of why marketing and legal/privacy teams need to communicate. So many CIPA issues are caused by mis-configured CMPs.

• Less intrusive is better – Courts are more willing to entertain claims that a User was harmed when the data collected is linked to identifiable data, when the scope of data collection is broader (e.g., keystroke logging), or when the data collected is viewed as sensitive (e.g., precise location, health).

• Be a Service Provider / Processor – Some courts are more willing to see the third-party collection as an extension of the website’s own data collection if the third-party is ONLY using the data as directed by the website. (This approach might be difficult for most adtech companies given how restrictive the CCPA is re: service providers).

• Disclose your use of AI tools – The specific rules around ethnical use of AI are still being developed. But we’re already starting to see CIPA complaints around the use of third-party tech to ingest all kinds of User content (e.g., phone calls, site visits, purchase activities) to determine purchase interest using automated decision-making.

Alan’s Hot Takes…

Here are a few additional stories that hit me over the past week:

• The pros/cons of addressibility and targeting solutions? – If you’re wondering what happened to the promised follow-up to last week’s article on targeting and addressability solutions, rest assured that I’ll return to that subject in 2025. Meanwhile, check out this great piece on identity signals in adtech explained.

• Google’s Evidentiary Adventures -Some thoughts and data points from Ben Edelman that contradicts those who suggest that Google’s issues with evidence in their antitrust trials are just some sort of misunderstanding.

• Jonathan Kanter’s Farewell Speech - Do yourself a favor a read this speech. It’s difficult to predict what 2025 will bring, but this gives me hope that we’ve turned the corner on antitrust enforcement in the U.S.

If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.

Finally, h/t to Terry Kawaja for coming up with a fantastic caption for this week’s picture - and for demonstrating that in December 2024 at least, it’s ALL about CURATION.

Happy Holidays - see you in January.