Welcome to a three-part series that provides an overview of the California Invasion of Privacy Act (CIPA), examines recent CIPA litigation involving smart speakers, and proposes defenses in response to an alleged violation.

CIPA in the Age of Smart Devices

The California Invasion of Privacy Act (CIPA)[1]—traditionally used by law enforcement and the plaintiffs’ bar to address illegal recording/eavesdropping on phone calls—has seen renewed interest in the age of smart speakers. Smart speakers, such as Amazon’s Alexa, Google Home and Apple’s Siri, are voice-enabled devices where the user utters a “wake word” to activate a “virtual assistant”. A number of putative class actions have recently been filed over these “virtual assistants” and whether they illegally record individuals without their consent. This recent spate of lawsuits highlights CIPA-compliance risks associated with these new technologies. This article provides an overview of CIPA’s history and features, addresses recently filed CIPA smart-device cases, and recommends defenses for responding to a smart device CIPA action.

CIPA Background and Overview

Enacted by California in 1967 “to protect the right of privacy of the people of this state,” CIPA prohibits various forms of intentional recording of or eavesdropping on confidential communications without the consent of all parties. The CIPA makes it a crime to use an electronic device to monitor or record a private conservation.

Section 637.2 of CIPA provides a private right of action for “any person who has been injured by violation of this chapter.” Cal. Penal Code § 637.2 (a). The statute provides for damages in the greater of either $5,000 per violation or “three times the amount of actual damages, if any, sustained by the plaintiff.” Id. at (a)(1)-(2). In order for a person or entity to be liable under CIPA, the act must be: (1) intentional, (2) occur without the permission of the parties involved in a confidential[2] conversation, and (3) involve the use of an electronic device. Id. at § 632. Businesses have generally complied with CIPA by playing a pre-recorded disclosure before each inbound and outbound call advising the caller that the call may be recorded.[3]