CIPA was originally enacted in 1967 to protect Californians from illegal wiretapping and other nefarious eavesdropping activities. It’s a penal statute that creates a private right of action whereby individuals can sue for statutory penalties without providing any actual harm. Recently, plaintiffs have filed hundreds, if not thousands, of individual and class action lawsuits in California courts asserting new, creative applications of CIPA to new technologies.
In the newest CIPA trend, Plaintiffs claim that the basic software used to enable website functionality and improve the user experience constitutes illegal use of “pen registers” and “trap and trace” devices.
What are trap and trace devices/pen registers?
CIPA’s prohibition against the use of trap and trace devices/pen registers was intended to criminalize improper eavesdropping of telegraph and rotary telephone devices.
A trap and trace device is a “device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”[1]
Similarly, a pen register is a “device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.”[2];
Essentially, a pen register traditionally captures telephone numbers making outbound calls, while a trap and trace device does the same for incoming calls.
Do trap and trace devices/pen registers apply to the internet?
Despite the fact that CIPA Section 638.50 was enacted to prohibit the use of technology to capture telephone numbers, Plaintiffs are now capitalizing on CIPA’s broad, dated language to argue that Section 638.50 applies to internet activity, including standard IP address tracking. Even though CIPA was enacted long before the internet existed, Plaintiffs are seeing some success asserting these claims at the pleading stage.
Greenley v. Kochava opens the CIPA floodgates with frightening implications
One of the seminal cases relied on by plaintiffs asserting these claims is Greenley v. Kochava,[3] which held that software used to identify and track consumer data may run afoul of CIPA.
The Greenley case addressed whether a software developer kit fell within the purview of CIPA’s pen register prohibition. The plaintiff contended that the defendant’s software development kits allowed the defendant to “fingerprint” each device/user to collect information such as search terms, purchase decisions, click choices, payment methods, etc., which then allowed the defendant to target advertising towards specific users and sell user-specific data to third parties. The plaintiff further contended that these software development kits violated CIPA’s prohibition of the installation of a pen register without a court order.
The defendant argued that the pen register statute applied only to physical machines, such as a traditional telephone. The court disagreed, finding that pen registers can take the form of software designed to identify and gather consumer data.
This broad ruling has spawned a new wave of CIPA lawsuits, with plaintiffs claiming that widely used data analytics and tracking tools fall within the definition of pen registers and/or trap and trace devices.
One critical problem with this reasoning is that, essentially, any click on a website requires the recording of the user’s IP address to facilitate interactions with the website (unless the user is using a VPN). As such, Greenly, taken to its logical conclusion, could stand for the proposition that a large percentage of online activity is actionable under CIPA.
Further, because the use of data analytics software is ubiquitous, any business with a consumer-facing website could be liable under CIPA if data analytics software now qualifies as a trap and trace device.
Licea v. Hickory Farms rejects the argument that IP address tracking violates CIPA
Nonetheless, a new decision from the Los Angeles Superior Court is promising. In Licea v. Hickory Farms,[4] the court dismissed the plaintiff’s claim that IP address tracking on Hickory Farms’ website constituted an illegal pen register.
The court drew a bright line between the reasoning relied upon in Greenley and the case at bar, stating that “[t]he court finds validity in the argument that nothing in the complaint establishes an IP address as equivalent to the ‘unique fingerprinting’ relied upon by the Southern District when finding embedded software in a mobile phone, thereby providing unique location and other information normally within the domain of law enforcement officers with a warrant.”
While the Licea court granted the plaintiff leave to amend the complaint, this ruling strikes a decisive blow against those looking to assert CIPA trap and trace claims in connection with website data analytics.
Indeed, Judge Pfahler stated in the opinion, “[t]he court also finds public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such a broad-based interpretation would potentially disrupt a large swath of internet commerce…” [5]
Take proactive steps to reduce CIPA litigation risk
As CIPA cases continue to rise, so does the uncertainty around what software does/does not violate CIPA. Companies with public-facing websites should expect the CIPA litigation waves to continue until there is clear action from the California legislature or clear authority from the California appellate and supreme courts.
As a result, businesses should take proactive steps to reduce the risk of CIPA litigation by:
- Ensuring that their terms of service and privacy policies are comprehensive and accurate, and
- Confirming that their user interface is configured in a manner that ensures transparent disclosures of data usage and users’ agreement to those disclosures.
Nixon Peabody’s Cybersecurity & Privacy team has a pulse on the rapidly evolving CIPA landscape, and we help businesses navigate the uncertainty presented by this concerning litigation trend. Our team looks forward to connecting with you about evaluating your risks and taking strategic measures to protect your business.
Please reach out to Stacy Boven, Myra Benjamin, or your Nixon Peabody attorney with any questions.
[1] California Pena Code Section 638.50.
[back to reference ]
[2] Id.
[back to reference ]
[3] Greenley v. Kochava, 2023 WL 4833466 (S.D. Cal. July 27, 2023)
[back to reference ]
[4] Licea v. Hickory Farms, Case No. 23STCV26148 (Cal. Sup. Ct. L.A. County Mar. 13, 2024)
[back to reference ]
[5] Id.
[back to reference ]