Hello all, and happy Thursday!
Wiretap risk may have just become a whole lot riskier.
Nowadays, it’s pretty common to see law firms sue businesses for their use of commonplace website tracking technologies under these Cold War-era laws, like CIPA. You’ll often see lawsuits that invoke CIPA also pile on violations of the federal ECPA to get a bigger payout. Now, the Northern District of California has ruled that the CCPA can be stacked on top of CIPA suits, too.
The CCPA only permits a private lawsuit if a consumer’s personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” So, if a company gets hacked due to its poor security and your data is exposed, you could sue under the CCPA in theory.
But a district court just ruled in Allison v. PHH Mortgage that the CCPA’s private right of action isn’t limited to third-party breaches. The court ruled that the CCPA’s private right of action can trigger even for intentional or negligent unauthorized disclosures. So, if you’re using, say, a third-party tracking pixel on your site and don’t secure consent for that data transfer, an enterprising law firm might eye you for a CIPA and a CCPA suit.
The good news? This ruling doesn’t change the best practices for reducing your wiretap (and now, CCPA) risk. We held a webinar on reducing your CIPA risk earlier this year–if you couldn’t attend back then, it might be worth watching.
Best,
Arlo
Highlights From Osano
When a complex, legacy consent management platform left a global travel company's legal team locked out of their own privacy program, switching to Osano gave them something they'd never had before: a tool they could actually use, the visibility to prove their decisions were being followed, and peace of mind knowing they were in control.
The Cold War may be over, but wiretap laws are alive, well, and–if you’re a member of the plaintiff’s bar–very lucrative. Thousands of lawsuits have been filed under decades-old wiretap laws in recent years, with the California Invasion of Privacy Act (CIPA) chief among them. How can you protect your business against opportunistic CIPA lawsuits?
When the CCPA was first enacted, it was seemingly clear that its right to private action would be limited to traditional data breaches. Over the past two years, however, some courts have called this interpretation into question by expanding the CCPA’s private right of action clause beyond the traditional breach scenario—and instead into alleged privacy violations. A recent holding from the Northern District of California could signal that more of those claims could be tacked onto the wiretap cases that are already flooding dockets.
Recently, the Alabama legislature unanimously passed the Alabama Personal Data Protection Act. If signed by Governor Kay Ivey, the law will take effect on May 1, 2027. While many recent additions to the state privacy patchwork have closely tracked the Virginia model, Alabama’s law introduces several notable departures, particularly around applicability thresholds, the definition of “sale,” and entity-level exemptions, that businesses collecting data of Alabama residents will need to evaluate carefully.
The age verification app aimed at supporting EU Digital Services Act implementation and broader European age-assurance goals is moving closer to operationalization. European Commission President Ursula von der Leyen announced that the app is "technically ready" and will be "soon available for citizens to use."
The UK government plans to hold senior technology executives personally liable, including possible jail time, if their platforms fail to remove non-consensual intimate images when ordered by regulators. The proposal will be introduced as an amendment to the Crime and Policing Bill, and is expected to be debated in Parliament. If approved, executives who ignore Ofcom’s enforcement decisions under the Online Safety Act could face criminal penalties, thereby expanding accountability beyond corporate fines to individual leadership.
Organizations are increasingly turning to AI-enabled tools throughout the recruitment lifecycle. While these tools can offer real advantages, their use often creates a tension with data protection principles that restrict decision-making based solely on automated processing. As a result, the UK Information Commissioner’s Office (ICO) recently published a report and draft guidance on the use of automated decision-making in recruitment.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!