In a recent decision out of the Northern District of California, the court held that a website operator’s privacy policy, even one presented in a passive, browsewrap-style hyperlink, can defeat the delayed discovery doctrine and render claims under the Electronic Communications Privacy Act (ECPA) and the California Invasion of Privacy Act (CIPA) time-barred. Importantly, if your privacy notice is detailed and up to date, it could serve as a powerful tool to dispose of certain pixel-tracking wiretapping claims before they ever reach the merits.

The wave of website wiretapping litigation shows no signs of slowing down. Plaintiffs continue to file claims under ECPA and CIPA alleging that embedded tracking technologies (advertising pixels, analytics tags, session replay tools) secretly intercept their communications with website operators and relay that data to third parties. These claims carry short statutes of limitations: two years for ECPA and just one year for CIPA. To get around those deadlines, plaintiffs typically invoke the delayed discovery doctrine, which tolls the limitations period until the plaintiff knew or, through the exercise of reasonable diligence, should have known of the facts underlying the claim.

One way to prove such discovery is the website’s privacy notice. More specifically, the argument is that the privacy notice, assuming it adequately addresses data collection and sharing through cookies and trackers, was “reasonably discoverable.”

In this case, the court’s analysis breaks new ground. The court drew a sharp line between two different legal standards that can apply to a privacy policy’s visibility: the conspicuous notice standard familiar from the browsewrap and clickwrap enforceability case law, and the reasonable discoverability standard that governs delayed discovery tolling.

Under the conspicuous notice framework, courts ask whether a privacy policy hyperlink was sufficiently prominent that a reasonable user would be on notice of its terms and thereby contractually bound by them. That is a demanding standard, and courts routinely refuse to enforce browsewrap agreements where a hyperlink sits passively at the bottom of a webpage. Other factors, recently discussed by state privacy regulators in California and Connecticut, include whether you need to scroll down in order to access the hyperlink in question.

When the question shifts to delayed discovery, the defendant is not trying to hold the plaintiff to a contract. The question is simply whether a plaintiff exercising due diligence would have found the policy and learned that the defendant was sharing user data with third parties. In this case, the court held that a privacy policy hyperlink that might fail the conspicuous notice test for contract formation can still defeat a delayed discovery argument if it was reasonably discoverable, that is, if a diligent plaintiff could have located and read it. There are limits, of course. The court noted that a privacy policy that is truly hidden, inaccessible, or buried in impenetrable legalese might still support a delayed discovery argument.

This distinction has significant practical implications. For companies facing ECPA or CIPA pixel-tracking suits, maintaining a visible and accessible privacy policy that clearly and specifically discloses data-sharing practices with third parties, in a manner that is accurate and up to date, is not just a regulatory best practice; it may be an effective defense against stale claims.