
The tide may be turning for plaintiffs using the California
Invasion of Privacy Act (CIPA) to sue companies using internet-based
technologies on public-facing websites, who face attacks from both the
Legislature and the bench. The plaintiffs' bar has filed thousands of cases
creatively alleging that common website technologies, including chatbot
functions, session replay software, analytics and advertising pixels or
cookies, and search bar URLs are all examples of illegal wiretapping conducted
without a court order or plaintiffs' consent. Plaintiffs have also alleged that
technologies that collect the IP address of website visitors act as "pen
register" or "trap and trace" devices requiring prior consent. But these cases
may swiftly go the way of the dodo following two recent state-court opinions
dismissing CIPA claims and a proposed bill that would effectively nullify the
application of the "pen register" and "trap and trace" statutes to legitimate
commercial uses.
In Sanchez v. Cars.com, 2025 WL 487194 (Cal. Super. Jan. 27,
2025) and Aviles v. LiveRamp, Inc., 2025
WL 487196 (Cal. Super. Jan. 28, 2025), Superior Court Judges Tiana J.
Murillo and Judge Joseph Lipner respectively rejected the pen register and trap
and trace theories holding that it is a basic, not illegal, function of the
internet to collect IP addresses of website visitors and that CIPA should not
be interpreted to cover internet-based technologies without clear legislative
intent. While other courts have previously dismissed pen register and trap and
trace claims, these dismissals are on new grounds. If other courts apply this
reasoning, it would mark a defendant-favorable
development and potentially curb the rate of CIPA litigation.
Not to be outdone by the courts, on March 24, 2025, California
State Senator Anna Caballero introduced bill SB690, which proposes to amend
CIPA to exempt communication intercepts for a commercial purpose. A "commercial
purpose" is defined as the processing of personal information either performed
to further a business purpose or subject to a consumer's opt-out rights. The
bill would also exclude any device that is used in a manner that is "consistent
with a commercial business purpose" from the definitions of a pen register and
trap and trace device. If SB690 is enacted, internet technologies that are
currently being targeted would fall under the "commercial purpose" exemption.
Under CIPA's current pen register and trap and trace provisions,
"a person may not install or use a pen register or trap and trace device
without first obtaining a court order." Cal. Pen. Code, Section 638.51(a). A
pen register is defined in the statute as "a device that records or decodes
dialing, routing, addressing, or signaling information transmitted by an
instrument or facility from which the wire or electronic communication is
transmitted, but not the contents of the communication." Cal. Pen. Code Section,
638.50(b). A trap and trace device captures "incoming electronic or other
impulses that identify the originating number or other dialing, routing,
addressing, or signaling information reasonably likely to identify the source
of the wire or electronic communication." Cal. Pen. Code, Section 638.50(c).
Neither a pen register nor a trap and trace device are used to collect the
contents of a communication, but instead collect "record information" about
that communication, sometimes referred to as metadata.
In both Sanchez and Aviles, the plaintiffs
asserted that the defendants' use of a website tool (which plaintiffs called a
"PR/TT beacon") constituted an unlawful pen register or trap-and-trace device
under CIPA. See Cal. Penal Code § 638.51. The plaintiffs
contended the PR/TT beacon constituted pen register or trap and trace devices
because the tools allegedly collected IP addresses and additional information
when they visited the defendants' respective websites.
In Sanchez v. Cars.com, Judge Murillo sustained
Cars.com's demurrer, without leave to amend. Analyzing the "plain language and
legislative intent" of CIPA to determine "whether internet communications
constitute pen registers or trap and trace devices," the Court concluded that they
do not. Instead, those terms "refer to devices or processes that are used to
record or decode dialing, routing, addressing, or signaling information from
telephone numbers, not internet communications such as
websites."
In examining the legislative history, the Sanchez Court
explained that when enacting what would become CIPA's pen register provisions
in 2015, the California legislature "adopted the same authorization provision" as
its federal counterpart, the Pen Register Act. Courts have consistently
interpreted that provision of the Pen Register Act to find that the Act "applied
only to mechanical, telephone number-tracing technology, not technology used to
collect the IP address from a desktop computer." (See, Cal. Pen.
Code, Section 638.52 and 18 U.S.C. Section 1322(a)-(b)). Because CIPA is a
penal statute, case law further supports interpreting it "to include only those
offenses coming clearly within import of the language, and [not to] be given
application beyond [its] plain intent."
In Aviles, the Court also sustained Defendant LiveRamp's
demurrer, although with leave to amend. In sustaining the demurrer, Judge
Lipner held the plaintiff failed to plead the use of either a pen register or
trap and trace device because he did not allege that the website technology
"collect[ed] the outgoing addressing information from visitors' devices or
browsers." Plaintiff similarly failed to plead the use of a trap and
trace device because he did not allege "that Defendant installed software on
Plaintiff's device or browser that collected incoming contact information to
Plaintiff's device." Absent such allegations the Aviles Court concluded,
"Plaintiff ha[d] not alleged anything above and beyond how the internet
normally works."
Although these two cases demonstrate California Superior Court
judges adopting further reasons as to why CIPA should not apply to internet
technologies, they do not altogether eliminate the ongoing risk of CIPA
litigation. However, that risk could be more comprehensively addressed by
SB690, which would exclude commercial uses of these technologies from CIPA if
enacted. Even then, SB690 in its current form will only benefit those
defendants whose litigation is active as of January 1, 2026, giving little comfort
to those defendants with trials scheduled this year.
For reprint rights or to order a copy of your photo:
Email
jeremy@reprintpros.com
for prices.
Direct dial: 949-702-5390
Send a letter to the editor:
Email: letters@dailyjournal.com