A California judge recently provided a ray of hope for website operators worldwide battling the latest surge of plaintiffs’ claims asserted under the California Invasion of Privacy Act, dismissing a claim that standard IP address tracking deployed on a retailer’s website constituted an unlawful “pen register” and “trap and trace” device. The case is Licea v. Hickory Farms LLC, Case No. 23STCV26148 (Cal. Sup. Ct. L.A. County Mar. 13, 2024); a copy of the order is available here.
California Invasion of Privacy Act
Passed in 1967, CIPA aims to protect individuals’ privacy rights, including by prohibiting surreptitious wiretapping, eavesdropping, and recording. Cal. Penal Code § 630 et seq. While the statute initially targeted telegraph and telephone communications, certain sections have been expanded or interpreted to encompass Internet activity.
Over the last few years, website users, led by a handful of plaintiffs’ firms, have invoked the 57-year-old statute to test a variety of claims against website operators. In dozens of class action lawsuits and an untold number of arbitrations and demand letters, plaintiffs have claimed that garden-variety website and mobile app technology, including pixels, cookies, chat software, and session recording tools, violate CIPA.
Various sections of CIPA have been cited in support of these claims—most notably, Section 631(a), which prohibits third parties from surreptitiously accessing the contents of communications while in transit; Section 632, the “classic” CIPA section prohibiting the recordation of telephone calls without consent; and Section 632.7, which prohibits the interception and recording of communications transmitted between cellular and cordless telephones without the consent of all parties. Though many of these cases have been dismissed at the pleadings stage, a few have managed to gain enough traction to keep these varietals of CIPA claims going.
Section 638.51: Pen Register and Trap and Trace Devices
The latest CIPA theory being tested by plaintiffs’ firms arises from Section 638.51, which provides that “a person may not install or use a pen register or a trap and trace device without first obtaining a court order.” Cal. Penal Code § 638.51. The statute imposes a $5,000 per violation penalty, making this an attractive route for class action lawyers.
Historically, “pen registers” and “trap and trace” devices were tools used to capture data related to telephone calls. A pen register records outgoing phone numbers, while a trap and trace device records incoming phone numbers. The terms are often used together, especially now in the context of Internet communications, where the distinction between outgoing and incoming communications is less clear than in traditional telephony.
CIPA defines a “pen register” as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” Cal. Penal Code § 638.50. A “trap and trace” device has a similar definition for incoming signals. Id.
Plaintiffs have latched onto these broad definitions, contending that any device that tracks online activity—even just an IP address—falls within their scope. In Greenley v. Kochava, 2023 WL 4833466 (S.D. Cal. July 27, 2023), a district court allowed a Section 638.51 claim to proceed against an SDK developer, noting that the “expansive” definition “indicates courts should focus less on the form of the data collector and more on the result” such that a “process” can include “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting.’” While Greenley involved a claim against the software developer that allegedly captured the data, not the consumer-facing website operator that used the software, the plaintiffs’ bar has heralded Greenley as supporting their new theory that garden-variety website technologies constitute pen registers and trap and trace devices.
Licea v. Hickory Farms
Jose Licea is a self-proclaimed “tester” and serial litigant who reviews companies for alleged privacy law violations. Licea sued Hickory Farms, an online gift retailer, alleging that the company’s website recorded his IP address, which the company then aggregate with other data about Licea that he shares online. He claimed this technology constitutes an unlawful pen register or trap and trace device in violation of Section 638.51, explicitly citing Greenley in support of his claim.
The retailer demurred, arguing, among other things, that the statute covers only devices used to record phone numbers, not online devices that record of IP address. The court sustained the demurrer. The court distinguished Greenley, finding that “nothing in the complaint establishes an IP address as equivalent to the ‘unique fingerprinting’ relied upon by the Southern District when finding embedded software into a mobile phone, thereby providing unique location and other information normally within the domain of law enforcement officers with a warrant.” The court further held that, even if “a qualifying device was pled,” the complaint failed to allege a lack of consent to the retailer’s collection of an IP address.
In the most refreshing part of the decision, the court recognized the problem with embracing the proposed expansive definition of pen registers and trap and trace devices:
The court also finds public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such a broad based interpretation would potentially disrupt a large swath of internet commerce without further refinement as the precise basis of liability, which the court declines to consider.
Conclusion
The Licea v. Hickory Farms decision is a blow to plaintiffs’ lawyers pressing the latest CIPA litigation tactic. That said, it’s a trial level, state court decision, so it has limited precedential value. Moreover, the court granted the plaintiff leave to amend, so the case is not over. Given the velocity, variety, and complexity of consumer privacy claims and court decisions evaluating them, it is critical to keep pace with the technology and legal precedent in order to mitigate risk and defend against the surge of claims.