In recent years, private plaintiffs have leveraged the California Invasion of Privacy Act (CIPA) against companies over customer service call recordings, transcription services, and website monitoring. These lawsuits allege that businesses violate CIPA by disclosing or allowing third parties to monitor private communications. Even though many cases are dismissed or settled before trial, defending a CIPA action is expensive. Naturally, businesses turn to their insurance carriers for help. But here’s where things get tricky: coverage terms in cyber liability and commercial general liability (CGL) policies can leave companies without protection when they need it most.
Often cyber liability policies cover data breaches and cyber incidents but may also extend to claims of improper collection, retention, or disclosure of private information. CGL policies are typically broader in scope, and sometimes cover “personal and advertising injury,” which can include privacy violations.
On the surface, these policies sound like a lifeline for companies facing CIPA lawsuits, but exclusions and limitations can close the door on coverage.
To protect your business, review your policies to determine whether they contain any of the following exclusions:
Privacy Statute Exclusions
- Cyber policies may exclude violations of specific laws like Illinois’ Biometric Information Privacy Act (BIPA).
- Some policies use broader “catchall” language to sweep in any state or federal privacy statute, which could capture CIPA claims.
Eavesdropping & Data Collection Exclusions
- Some cyber policies specifically bar coverage for claims of improper tracking, recording, or monitoring of communications.
Statutory Violation Exclusions in CGL Policies
- CGL policies often exclude claims tied to statutory violations, either naming statutes explicitly or using sweeping language designed to block coverage for any state or federal privacy law claim.
Intentional Conduct Exclusions
- If an insurer argues that a business deliberately tracked or recorded communications, it may deny coverage on the grounds that the alleged conduct was intentional.
Because courts haven’t yet squarely addressed CIPA insurance coverage, cases involving Illinois’ BIPA offer useful insights.
In 2022, the U.S. Court of Appeals for the Seventh Circuit ruled on whether CGL policy exclusions applied to BIPA claims. The court upheld an access and disclosure exclusion, finding that biometric identifiers are clearly personal information, but it rejected an overly broad statutory violation exclusion, reasoning that BIPA protects biometric data in a way “patently different in kind” from statutes like the TCPA or CAN-SPAM.
This split decision highlights how nuanced policy interpretation can be. When applied to CIPA claims, the outcome may depend on whether courts see customer service calls and website chats as “personal information” and whether catchall exclusions for “communications statutes” apply.
The key takeaway for CIPA claims is this — don’t assume your insurance will cover privacy lawsuits. Now is the time to:
- Review your current policies for exclusions tied to statutory violations, eavesdropping, or intentional conduct.
- Negotiate coverage upfront to avoid broad exclusions, especially for new or evolving privacy statutes.
- Stay alert to case law developments, since courts are still defining how cyber and CGL policies respond to CIPA and similar claims.
By carefully reviewing policy language and negotiating coverage terms, businesses can better position themselves to secure coverage when privacy claims like CIPA inevitably come knocking.