A Claim That Does Not (Pen) Register, but Can Still Carry a Punch
Readers may be familiar with the California Invasion of Privacy Act ("CIPA"), a penal statute with origins in the 1960s that was designed to protect the privacy of communications. As we previously discussed, 2023 was marked by "gotcha" class action and individual lawsuits by the plaintiffs' bar against website operators who used customer "chat boxes." In these cases, the plaintiffs alleged that CIPA's wiretapping provisions — which were enacted decades before the internet — applied to online interactions, and that companies violated the statute by allowing third-party chat software providers to "eavesdrop" on the customer service chat conversations.
In 2024, the plaintiffs' bar has moved on to another arcane section in CIPA: Penal Code section 638.51, which restricts the use of pen register or a trap and trace devices. As in chat box litigation, pen register plaintiffs target businesses who employ widely-used modern technology like tracking pixels and beacons on their websites. With statutory penalties of $5,000 per website user, damages can proliferate quickly (not to mention potential criminal liability).
What is a pen register or a trap and trace device?
Traditionally, pen registers and trap and trace devices were tools that law enforcement could use to track communications. A pen register recorded the destination of a communication, such as a phone number dialed. A trap and trace device recorded the origin of a communication.
How are plaintiffs applying the pen register provisions of CIPA to internet activity?
Plaintiffs are arguing that common website technology, including web beacons and pixels, violate the pen register provisions of CIPA. They reason that these technologies collect multiple types of data from users, which can be used to fingerprint them. This fingerprint can then be used to sell profiles to third parties.
In essence, they are arguing that the software is designed to record or decode information about users' online activity, which they contend constitutes a pen register or a trap and trace device. CIPA prohibits the installation of pen registers or trap and trace devices without a warrant or the user's consent.
A single, non-precedential district court order denying a motion to dismiss may have opened the floodgates to these claims. Greenley v. Kochava involved a lawsuit against a software developer kit ("SDK") developer for allegedly collecting data from users without a court order in violation of CIPA.
The court found that CIPA's pen register provision could potentially — but did not definitely — apply to the SDK, reasoning that software that identifies users, gathers data, and correlates that data through unique fingerprinting is a process that falls within CIPA's pen register definition. The SDK developer was a third party to purported communications between plaintiff consumers and companies that used apps or websites to interact with consumers.
The Greenley court did not address whether website hosts could be liable for using website technologies like analytics tools on their own websites. But, seizing on this ambiguity, the plaintiffs' bar quickly started sending demand letters to and filing lawsuits against website operators who use scripts, pixels and beacons (i.e., potentially the entire retail internet world).
What has the outcome of the lawsuits been so far?
Given the newness of the claims, there are few decisions yet on whether CIPA's pen register provisions apply to common website analytics technologies. The handful of opinions so far have been a bit of a mixed bag.
In one case, a plaintiff argued that the business used pixel technology (the supposed pen register) in conjunction with the IP address of the plaintiff's mobile phone to illegally track the plaintiff online. The court dismissed the claim, finding that the plaintiff did not show that an IP address is equivalent to the "unique fingerprinting" relied on by the court in Greenley when finding embedded software into a mobile phone, thereby providing unique location and other information normally within the domain of law enforcement officers with a warrant.
The court also cited public policy concerns, noting that the plaintiff's "broad based interpretation would potentially disrupt a large swath of internet commerce without further refinement as the precise basis of liability." However, the court did not toss the case altogether, and instead gave the plaintiff another opportunity to state a claim.
Other courts have been more willing to allow these claims to proceed. In another case, the plaintiff merely alleged, without detail, that the defendant "deployed a software device and process" which first recorded the information being transmitted by the plaintiff's device, and then used that information to install tracking code on the plaintiff's device. The court found this allegation to be sufficient to describe a pen register and the alleged illegal use of a pen register.
What can companies do to mitigate risk?
Businesses can mitigate litigation risk by reviewing their data collection practices and privacy policies. They should make sure that they are collecting data with user consent and that they are transparent about how they are using data. Among other things:
- Companies should be transparent about data collection. Businesses should clearly disclose what data they collect from users and how they use that data. This can be done through a privacy policy that is easy to find and understand.
- Businesses should also obtain user consent before collecting data from them. This can be done through a pop-up window or checkbox that explains what data is being collected and how it will be used.
- Companies should allow users to opt out of having their data collected. This can be done through a mechanism in the privacy policy or cookie management tools.
By following these recommendations and carefully consulting with counsel, companies can help to mitigate the risk of lawsuits under CIPA.
"A Claim That Does Not (Pen) Register, but Can Still Carry a Punch," by Harrison Brown and Ana Tagvoryan was published in Westlaw Today on June 5, 2024.