Tyler R. Dowdall
Partner Tarter Krinsky & Drogin LLP
Commercial Real Estate and Business Litigation
Electric signals pulse through an antique machine, turning a spool with paper, triggering a fountain pen to transcribe information. The marks on the paper tell the secret of the outgoing telegraph. The device is a pen register. 165 years later, your client receives a demand letter threatening litigation if a settlement isn't paid because their website uses a tracking pixel for marketing purposes. The letter claims that the marketing pixel is a pen register. What?!
The pen register was invented in 1840, and it recorded telegraph signals onto a strip of paper. It used a lever and electromagnet hooked up to a fountain pen or pencil. Once telephones started using pulse dialing, the pen register was used to record numbers dialed from a phone.
Similarly, a "trap and trace" device allows incoming numbers to be recorded. Together, a "pen trap" device is a powerful law enforcement tool which enabled law enforcement to record incoming and outgoing numbers from a telephone. The conversations aren't recorded, but the phone numbers are. For decades, use of a Pen Trap device wasn't considered an unconstitutional search on the theory that the dialed numbers had to be voluntarily given to the phone company, and therefore there was no reasonable expectation of privacy. As recently as 1979, in Smith v. Maryland, 442 U.S. 735, 744 the Supreme Court stated that a pen register was not a search because the " petitioner voluntarily conveyed numerical information to the telephone company."
The concepts of rights of privacy began to evolve, and in 1986 Congress passed the Electronic Communications Privacy Act, which included restrictions on how a Pen Trap could be used, such as a requirement that law enforcement agencies obtain a warrant. The ECPA also permitted civil remedies for its violation, for the greater of $50 to $500 (or actual damages) for a first offense, or $100 to $1000 for a second offense.
Over time, the definition of a pen register and trap and trace device have evolved to keep up with evolving technology. In 2001, the Patriot Act expanded the definition of a Pen Trap device to include the internet and clarified that the theory of an antiquated fountain pen making marks on a strip of paper applied equally to electronic signals sent through a computer. Accordingly, software surveillance programs couldn't be used to monitor internet traffic absent a warrant. Without this crucial expansion of the definition of a pen register, all electronic communications would be subject to unfettered governmental surveillance. The civil penalties for a violation ($50-$500) did not lead to a wave of litigation - until now.
Surprise! California's approach is different. Instead of a violation being $50, the California Invasion of Privacy Act pegs damages at $5,000. Now we understand the demand letter! But it doesn't ask for the statutory damages - it's threatening far more - including injunctive relief. Is this demand going to shut down the website?
Penal Code Section §638.51 prohibits the use of a Pen Trap device without a court order. There is an exception for communications companies for operating the service to protect the provider and users, or with user consent. A violation of §638.51 is a misdemeanor, punishable by up to one year in the county jail, and/or a fine of $2,500. Under Penal Code section §637.2, a civil action may be filed to recover the greater of treble damages, or "Five thousand dollars ($5,000) per violation." Now, the demand letter makes more sense.
But still, it's so frustrating to be on the receiving end of the letter. How could it be that commonly used tracking pixels are creating such liability, and how do I make sure that this doesn't happen to my client again?
First, the plaintiff knows that the costs of defense greatly exceed the costs of settlement. There have been recent successes by attorneys to defeat demurrers and Motions to Dismiss as the judiciary is beginning to recognize that the tracking of people on the internet is not all that different from tracking their incoming and outgoing calls. Plaintiff's counsel likely doesn't want to litigate, they want a quick payout and an agreement to stop tracking people without their permission.
Second, though this may appear to be a novel theory of liability, it was born 24 years ago and can drive, vote, and drink. The idea that a marketing pixel is a Pen Trap device may seem offensive, but on balance, Congress and the California legislature have both said that tracking people without their permission violates their privacy rights. The permission component is crucial - website visitors need to affirmatively consent to the use of the pixels (similar to the now-ubiquitous cookie pop-up banners).
Third, there may be indemnity claims. Many e-commerce sites use third-party vendors to handle marketing and hosting and are unaware that their vendors are installing tracking pixels. A valid indemnity agreement may be leveraged to fund an early settlement and avoid litigation. These claims may also help educate e-commerce vendors and may lead to business practice changes that stop further proliferation of these claims.
Fourth, defend! There may be a jurisdictional defense if a plaintiff only visited the website and the client is located out of state. There may be valid consent outside of consent on the website itself (for example, social media users may consent to the use of tracking pixels, thereby nullifying any claim against a site using such social media pixels), and the lack of actual damages may lead to a lack of jurisdiction to hear the claim.
Finally, try to get ahead of this issue. Notify your clients of the rapid increase in CIPA claims, the downside risk and annoyance of paying settlements, and the options to mitigate against such claims.