Understanding The Privacy Risk of Website Add-Ons

June 24, 2024

Third-party add-ons offer a range of convenient enhancements that improve the user experience. From chatbots to payment gateways, these tools present a compelling value proposition. However, the convenience must be weighed against the risk, and each third-party tool you introduce should be carefully considered.

A Cautionary Tale: Esparza v Kohl’s

Kohl’s Inc. is facing a class action lawsuit for unlawful eavesdropping under the California Invasion of Privacy Act (CIPA) and the Comprehensive Computer Data Access and Fraud Act (CDAFA). The lawsuit has been allowed to proceed after the court declined to dismiss the claim of plaintiff Miguel Esparza, who alleges that California law was breached when he had a brief conversation via Kohl’s website chat feature.

The claim is based on Kohl’s use of a website add-on from ADA Support Inc. that offers AI-enhanced customer service. The lawsuit centers on the cookies this add-on set, which allegedly included a persistent cookie that de-anonymized website traffic and collected personal information that was then shared with other companies.

This lawsuit will now proceed as a class action before the courts.

Surveillance and Wiretapping Lawsuits in California

There is an upward trend in plaintiffs using CIPA provisions to sue website owners for surveillance carried out by third-party tools. Common ‘culprits’ include chatbots, heatmap and session-replay tools, tracking pixels, and cookies.

While we won’t go into the specifics of the laws here (in part because this is not yet settled law), these lawsuits may arise where a website facilitates the collection of personal information by a third party, which then uses the data for its own purposes.

Collecting communications is generally lawful if the personal information is used only by the website owner, since it would fall under the direct party exception. The direct party exception states that a party is not liable for wiretapping a conversation it is a party to. The idea is that the party is not “intercepting” a communication that it receives directly from the individual.

Esparza v Kohl’s also considered the Comprehensive Computer Data Access and Fraud Act (CDAFA) provisions, which state that “a person who knowingly accesses a computer system or computer data may be guilty of a public offense.”

Best Practices To Avoid Risks Posed By Third-Party Website Add-Ons

In addition to the legal risks outlined above, reliance on third-party add-ons increases your exposure to supply-chain data breaches and unauthorized access to your website. Each add-on creates an additional pathway criminals may exploit to reach your website backend and, potentially, your network more broadly.

Risk: Unlawful Eavesdropping and/or Surveillance

As we can see from the pending Kohl’s surveillance class action, third-party add-ons that record conversations present an increased risk of legal action from consumers.

To reduce the risk of these claims, do not use any third-party app that sells, discloses, or otherwise uses for its own purposes the data collected from your website’s add-on functionality. It would be beneficial to prioritize more privacy-centric apps and add-ons when choosing your third-party providers.

You should also have policies and procedures in place regarding the selection of third-party add-ons for your website. Your team should not have complete discretion to add plugins or other third-party software at will. Any add-ons should be thoroughly vetted, ideally via an accountable person or department. The person/team with this accountability should receive training about the potential privacy impact and legal risks.

Finally, review your privacy notices and make sure that you are clearly disclosing the third-party add-ons you use and how they operate.

Risk: Data Collection and Use

Whether it’s a third-party chatbot, analytics or SEO tool, website speed checker, email capture form, or any other website tool, there is a risk that it will gather your customers’ personal information.

To reduce the risk this poses to your business, you should carefully review the add-on’s privacy notice and the practical privacy impact it may have on your company’s data. Regulators have repeatedly stated that a breach of personal information caused by a third party does not absolve you of your obligations to your customers.

You should make sure that any third parties that are granted access to your company’s systems or websites offer similar or greater privacy protections for your customers’ data.

Risk: Gateway For Unauthorized Access

Third-party access to your website and systems offers an additional pathway for malicious actors to reach that same information. We’re seeing example after example of criminals executing significant data breaches by exploiting weaknesses introduced by third parties.

To reduce these risks, companies should set minimum security standards for their third-party providers, including multi-factor authentication and 12+ character password requirements. Moreover, any company that allows third-party access to its systems or website should strengthen its internal security measures, including access controls, firewalls, and monitoring tools capable of detecting a breach early.
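The vetting policy described above (no add-on goes live without an accountable reviewer) and the unauthorized-access risk in this section both come down to the same practical question: which third-party origins is your site actually loading code and beacons from, and did anyone approve them? The script below is an added example for this article, not code from the original post, from Kohl’s, or from any vendor it names. It parses a page’s HTML, lists every external script, iframe and image pixel, flags hosts that are not on an approved-vendor list, flags third-party scripts that ship without a Subresource Integrity hash, and derives a Content-Security-Policy script-src directive from the approved list. The hostnames, the approved list and the sample page are constructed for illustration.

```python
"""Inventory of third-party resources embedded in a web page.

Added example, not code from the original article or from any vendor it
names. It checks a page's HTML against an approved-vendor list so that a
chat widget, pixel or analytics script nobody vetted shows up before it
ships. All hostnames, the approved list and the sample HTML below are
constructed for illustration.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src pulls code or beacons from another origin.
# Scripts and iframes run third-party code; img is where tracking pixels hide.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src"}


@dataclass
class Finding:
    tag: str
    host: str
    url: str
    approved: bool
    has_integrity: bool


class ResourceCollector(HTMLParser):
    """Collect every script/iframe/img reference together with its attributes."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (tag, url, attribute dict)

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attr_map = dict(attrs)
        url = attr_map.get(attr_name)
        if url:
            self.resources.append((tag, url, attr_map))


def _host(url, page_host):
    """Resolve the host a URL points at; relative URLs belong to the page itself."""
    parsed = urlparse(url)
    if parsed.scheme in ("data", "javascript"):
        return None  # inline payload, not a fetch from another origin
    if not parsed.netloc:
        return page_host
    return parsed.netloc.lower()


def audit_page(html, page_host, approved_vendors):
    """Return one Finding per third-party resource on the page."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url, attr_map in collector.resources:
        host = _host(url, page_host)
        if host is None or host == page_host or host.endswith("." + page_host):
            continue  # first-party content is not what this check is about
        approved = any(host == v or host.endswith("." + v) for v in approved_vendors)
        findings.append(Finding(tag, host, url, approved, "integrity" in attr_map))
    return findings


def unapproved_hosts(findings):
    """Third-party hosts that never went through the vetting process."""
    return sorted({f.host for f in findings if not f.approved})


def scripts_without_sri(findings):
    """Third-party scripts with no integrity hash can change under you silently."""
    return sorted(f.url for f in findings if f.tag == "script" and not f.has_integrity)


def csp_script_src(page_host, approved_vendors):
    """Build a script-src directive that only lets approved origins run code."""
    sources = ["'self'"] + [f"https://{v}" for v in sorted(approved_vendors)]
    return "script-src " + " ".join(sources)


# Constructed sample: a retail page with a vetted payment script, a chat
# widget nobody approved, and a one-pixel tracking image. All hosts are made up.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://js.payments.example/v3/checkout.js"
        integrity="sha384-AAAA"></script>
<script src="https://widget.chatvendor.example/loader.js"></script>
</head><body>
<iframe src="https://widget.chatvendor.example/frame"></iframe>
<img src="https://px.adnetwork.example/p.gif" width="1" height="1">
<img src="https://cdn.shop.example/logo.png">
</body></html>
"""
PAGE_HOST = "shop.example"
APPROVED = {"js.payments.example"}  # hypothetical vendor that passed vetting

if __name__ == "__main__":
    results = audit_page(SAMPLE_HTML, PAGE_HOST, APPROVED)
    for f in results:
        print(f"{f.tag:6} {f.host:28} {'approved' if f.approved else 'NOT APPROVED'}")
    print("unapproved hosts:", unapproved_hosts(results))
    print("scripts without SRI:", scripts_without_sri(results))
    print(csp_script_src(PAGE_HOST, APPROVED))
```

One caveat when using a check like this: it only sees tags present in the HTML you feed it. A chat loader such as the one flagged above typically injects further scripts and cookies at runtime, so the static inventory tells you which vendors to review, while what each vendor actually loads and stores has to be confirmed in a browser session or with the CSP directive enforced in report-only mode first.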

If you need help improving your company’s privacy hygiene, reach out. Our experienced attorneys would love to help.


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
