Many businesses are familiar with the California Invasion of Privacy Act (CIPA) because, over the past few years, CIPA claims based on recording communications with website visitors have resulted in significant payouts. However, in recent months a new wave of CIPA claims is taking the business world by storm. Relying on protections likely written to prevent overreach by law enforcement, enterprising plaintiffs are blanketing the business community with demands and lawsuits for capturing some of the most basic Internet data. What is a responsible business to do?
What is CIPA?
The California Invasion of Privacy Act prohibits a variety of conduct that one might consider “wiretapping.” Although prior claims under CIPA focused primarily on capturing communications using tools like session replay software and chatbots, new CIPA claims focus on prohibitions against the use of pen registers and trap and trace devices. Cal. Pen. Code § 638.50(b) defines a “pen register” as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” A “trap and trace device” is “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” Cal. Pen. Code § 638.50(c).
Subject to limited exceptions, CIPA prohibits a person from installing or using a pen register or trap and trace device without first obtaining a court order. A plaintiff can obtain up to $5,000 in statutory damages per violation, plus attorneys’ fees and costs, which makes bringing CIPA claims a lucrative business.
What are the Plaintiffs Claiming?
Under the pen register and trap and trace approach, plaintiffs argue that websites improperly use those technologies when they capture information like IP addresses, device IDs, and other indicators that can be used to identify the device or person interacting with the website. In particular, plaintiffs have been targeting websites using third-party social media and identity resolution tools like the TikTok and Meta pixels and services provided by Kochava and Contentsquare. Given the ubiquity of these types of tools online, the vast majority of websites are at risk, and a California plaintiff need only visit the website to create a claim.
Plaintiffs largely rely on one of the few cases in this space to support their theory that pen register and trap and trace prohibitions extend to online tools. Greenley v. Kochava (2023 WL 4833466, S.D.Cal. July 27, 2023) involved the use of the Kochava software development kit (SDK) by app developers to collect geolocation data, customer emails, customer IDs, search terms used, activities within an app, and other data for advertising and analytics purposes. This activity “fingerprints” each unique device and user and connects users across devices and devices across users. The Kochava plaintiff alleged this SDK constituted the use of a pen register. The court agreed, without meaningful analysis, that pen registers include “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’.” Likely the basis for this conclusion is that fingerprinting involves collecting routing or signaling information as the user and their devices seek to access various web pages or communicate with others via the Internet (e.g., URLs, email addresses, IP addresses). Accordingly, the court allowed the plaintiff’s claim based on the pen register theory to survive the motion to dismiss.
How do I Reduce my Risk?
Until courts start to meaningfully push back on plaintiffs’ claims, businesses will need to consider whether moving to a consent-based framework for potentially violative tools is worth the potential harm. Cal. Pen. Code § 638.51(b)(5) allows “a provider of electronic or wire communication service” to use a pen register “if the consent of the user of that service has been obtained.” Plaintiffs’ attorneys in this space also recognize consent as a viable defense. However, based on prior case law under CIPA’s other provisions, consent likely must be obtained prior to use of the technology. This means that placing consent language in a privacy policy the consumer may interact with after the tools have launched is likely not effective.
Of course, moving to an opt-in model for these types of tools will have a significant impact on a business’s ability to effectively target marketing to consumers and understand its website audience. For this reason, businesses often seek risk-modulated strategies such as: geofencing, so that the opt-in model is used for visitors from California but not from other states (although geofencing is never 100% accurate); moving to an opt-in model for the types of tools most targeted by plaintiffs while allowing other tools like general analytics to continue to run without opt-in; and improving cookie banner disclosures to put the website visitor on notice and provide the opportunity to leave the website before meaningful data collection occurs. Each business, in consultation with its legal counsel, will need to determine for itself an appropriate strategy.
While this may all seem like bad news, perhaps some relief is on the horizon. On March 13th, in Licea v. Hickory Farms, LLC (Los Angeles Super. Ct., Case No. 23STCV26148), a judge upheld a demurrer filed by Hickory Farms on various grounds including that the CIPA pen register statute was not intended to cover a simple IP address acquisition and that public policy counsels against extending the pen register statute to cover every connection to a website. The court also seemed to accept that visiting a website could serve as consent for the acquisition of an IP address. The court allowed 45 days for the plaintiff to amend the complaint. Time will tell if this decision is the start of an effective new defense or an outlier pushing back on these claims. In the meantime, businesses need to be thoughtful about their online tools and carefully weigh their options against potential risks.
A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.