Recent legal developments highlight the importance of clear and specific website privacy disclosures, especially for companies using session-replay technology to collect user data in real time. A recent federal court decision underscores how vague privacy notices can leave companies vulnerable to legal challenges under the California Invasion of Privacy Act (CIPA).

Why This Matters to You
If your website collects visitor information—whether to provide instant quotes, enable interactive features, or improve user experience—this case is a wake-up call. Businesses across all industries should take note of the court’s decision in Torres v. Prudential Financial, Inc. (N.D. Cal. Case No. 22-cv-7465-CRB, Nov. 26, 2024). It provides valuable guidance on crafting privacy notices that meet legal standards and protect user trust.

The Case in Brief

What Happened?
Prudential Financial, Inc. and its subsidiary Assurance IQ, Inc. used a website form to offer instant life insurance quotes. Visitors entered personal information such as marital status, employment details, and medical history. Meanwhile, a third-party vendor, ActiveProspect, captured this data in real time using session-replay technology.

The Allegations
Plaintiffs claimed they were unaware of ActiveProspect’s data collection practices and did not consent to their personal information being intercepted and recorded. They argued this violated CIPA, which protects Californians from unauthorized data interception.

Key Issue
Prudential’s privacy notices failed to clearly disclose the real-time data collection, the role of ActiveProspect, or the specific purpose of the data capture.

Court Findings

The court’s decision to certify the class hinged on deficiencies in Prudential’s privacy notices. Here’s what the court highlighted:

  1. No Carry-Over Consent: Prior interactions with Assurance’s website did not imply ongoing consent to similar practices on Prudential’s site. Consent must be tied to clear, specific disclosures from the website operator.
  2. Insufficient Notice of Real-Time Tracking: Prudential’s privacy notices used general language, such as stating that “information gathered from your internet or network activity” may be collected. This did not adequately inform users that every keystroke, click, and response was being recorded in real time.
  3. Opaque Third-Party Involvement: The notices did not clearly explain that a third party (ActiveProspect) was actively accessing and recording user interactions. Vague references to “business purposes” failed to provide the necessary transparency.

What This Means for Your Business

To avoid similar legal risks, website operators must ensure their privacy notices meet user expectations and legal requirements. Here’s how:

  • Be Transparent About Real-Time Data Collection
    If you use session-replay technology, your privacy notices must explicitly state:

    • What data is being recorded (e.g., keystrokes, clicks, interactions).
    • That this data is collected in real time.
    • The name of the technology or vendor involved.
    • Why the data is being collected and how it will be used.
  • Prioritize Clarity Over Placement
    A link in your website’s footer isn’t enough if the notice’s content is vague. Ensure your disclosures are detailed and written in plain language so users understand how their data is being handled.
  • Consider a Cookie Banner
    Having the information in your privacy policy may not be enough to put a website visitor on notice that you are using session replay and other technologies. A cookie banner alerts the visitor to the disclosure before they can use the website and should include a link to the privacy policy with all of the details.

  • Work With Legal Experts
    Collaborate with legal counsel to create privacy policies that are both legally compliant and user-friendly. Your notices should clearly outline:

    • When and how data is collected.
    • The parties involved.
    • The intended use of the data.

Bottom Line

Clear, detailed privacy notices are not just a legal requirement—they’re a foundation of trust with your users. If your company uses technologies like session replay, take proactive steps to inform visitors and address potential legal risks. Don’t let vague or outdated privacy notices undermine your efforts to create a seamless and secure user experience.

Contact Us for Expert Legal Guidance!

We are excited about the strategic association between Marashlian & Donahue, PLLC, The CommLaw Group and the Law Office of Julia A. Clayton. This collaboration enhances our ability to address complex privacy litigation (CCPA and CIPA) and other legal challenges in California and beyond, including False Claims Act matters and State Attorneys General investigations. Clients of our firm now have access to a broader range of expertise and support, ensuring comprehensive legal solutions. For those interested in or impacted by these issues, this association offers invaluable opportunities to navigate the evolving legal landscape effectively. Contact us to learn how we can assist you with your specific legal needs.
