DocuSign accused of violating California privacy act


Businessman using a computer to document management concept, online documentation database and digital file storage system or software, records keeping, database technology, file access, doc sharing.

By: Anna Perry

A lawsuit out of California claims DocuSign is violating the California Invasion of Privacy Act (CIPA). The lawsuit involves allegations against the company for violating California’s digital privacy laws through the use of tracking software on its website, specifically “pen register” and “trap and trace” devices. This lawsuit was brought under CIPA and is a great example of the growing trend in litigation focused on consumer privacy and the use of digital tracking technologies.  

A pen register, commonly used by law enforcement, is a device or process that traces outgoing signals from a specific computer to the signal’s destination. Trap and trace technology records the source of incoming signals to a specific phone or computer. Through this technology, DocuSign is alleged to capture the location, race, age, and ethnicity of each user that comes across its site.  

While the lawsuit was brought in California, its effects may prove to be far reaching, as users across the globe may choose to opt out of a service that is suspected of tracking the user and gathering identifying material. Further, DocuSign is commonly used by attorneys, accountants, and other professionals to capture signatures for contracts or forms. Understandably, individuals signing these contracts, or utilizing DocuSign’s features, expect a certain level of privacy for their dealings. As alleged in the lawsuit, the spyware utilized by DocuSign’s website installs itself without consent and monitors and reports the user’s online habits even after they leave the website. 

The legal landscape surrounding CIPA itself is complex, with courts divided on how to apply the Act to modern technologies like internet communications and keystroke recording, as well as its application to third-party actors. Key inquiries include whether such third-party technologies constitute a violation of CIPA, requiring consumer consent, and whether the intercepted communications are protected under CIPA. These uncertainties reflect broader concerns about privacy in the digital age and the challenges of applying existing laws to new technological contexts, just as we’ve seen with the Video Privacy Protection Act in recent years. 

This case not only underscores the multifaceted legal challenges companies like DocuSign face in today’s digital world, but could show a shift in what services attorneys, accountants, closing companies, and the like use for themselves and their clients.  

For more information, please contact Anna Perry at or your local FMG attorney.