Maryland Legal Alert for Financial Services


Website Compliance Concerns for Financial Institutions

We have seen a recent wave of demands sent by a few creative residents of California.  There are a handful of prolific website “testers” who are actively trying to catch financial institutions (and other business types – nationwide) that use website pixels, cookies, and similar tracking/analytic technologies. These individuals have submitted threats to file lawsuits against website operators based on alleged violations of an obscure California provision.

The focus is on a California wiretapping statute called the California Invasion of Privacy Act (CIPA). Some plaintiffs in California are using the CIPA authority to get around federal Gramm-Leach-Bliley Act (GLBA) exceptions in the California Consumer Privacy Act (CCPA), California's robust consumer privacy framework. The CIPA provides for statutory damages for each violation ($2,500/violation or one year of jail time), triggered by the interception of a communication without the consent of the parties to the communication. The basis for these claims is that website operators are using website cookies/pixels (including Google Analytics) and similar functionality where website visitors' information is sent automatically to third parties for use with cookies/pixels and similar technology.

The website “testers” are sending what appear to be template notices to financial institutions. The notices include draft complaints that are allegedly to be filed if some kind of settlement is not reached by a specified date.  It is unclear whether the senders of these demands will really follow through on the threat to sue (although for one of our clients, a notice was filed with the AAA to initiate an arbitration based on this same type of fact pattern).  

Financial institutions that have cookie pop-up notices/consents and a robust disclosure concerning cookies/pixels have a good start at addressing these types of claims. But the real threat involves whether a financial institution’s online privacy terms clearly and accurately disclose, and then get clear consent for, any third-party functionality/interaction that happens when a visitor goes to the financial institution’s website.

Practice Pointer: Financial institutions should work with their marketing and IT groups to make sure that what the website and third parties are doing with visitor information closely matches what is disclosed in the financial institution’s online privacy terms.
 

For more information, contact Christopher R. Rahl.

Contact Christopher R. Rahl | 410-576-4222

Date: April 10, 2026

Type: Publications

Author: Rahl, Christopher R.

Teams: Financial Services