In July 2023, a Southern District of California District Court denied a motion to dismiss in Greenley v. Kochava, 2023 WL 4833466 (S.D. Cal. July 27, 2023), in which the plaintiff argued a SDK developer violated California laws that prohibited use of a “pen registry” and “tap and trace” device by building into the SDK code that forwarded location information to the SDK developer.

This raised the question for many people: What is a “pen registry” or “tap and trace” device?? Cursory searches using an online search engine and ChatGPT both provide similar answers: “a pen register is a device or system used to record or capture data about outgoing and incoming telephone numbers dialed or otherwise transmitted from a particular telephone line.”

California law, however, is not as limited and broadly defines a “pen register” as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” Cal. Penal Code § 638.50. A “trap and trace” device has a similar definition for incoming signals. Id. In short, a pen register is a “device or process” that records phone numbers or other “routing” information that is outgoing from a device while a “tap and trace” records incoming phone numbers/routing information.

The facts of Greenley are certainly unique. The court found consumers did not know they were sharing their information with the SDK developer because there was no evidence end users knew the SDK developer was in any way involved with the application users had downloaded. The SDK developer in turn sold customized data feeds to its clients, to allow those clients the opportunity to target specific individuals with ads when they were in geographic locations such as retail stores or restaurants. As the court summarized: “Defendant coded its SDK for data collection and embedded it in third-party apps; the SDK secretly collected app users’ data; and then Defendant packaged that data and sold it to clients for advertising purpose.”

Despite this uniqueness, many companies have found themselves the recipient of a demand letter that claims their website employs a “pen registry” or “track and trace device” and being forced to choose between settling the dispute or facing a lawsuit in California. Several websites have indeed faced those lawsuits and, in the past couple of weeks, two California courts resolved motions to dismiss those lawsuits. The two courts reached different conclusions, however, allowing one case to proceed past the pleading stage (and thus providing plaintiffs with a second decision to cite in support of their claim) while dismissing another case (but allowing the plaintiff leave to amend).

On March 13, a California Superior Court in Los Angeles County dismissed a plaintiff’s pen registry/tap and trace claims against an online retailer who specialized in gift baskets. The court addressed, and distinguished, Greenly in two ways. First, the court found “nothing in the complaint establishes an IP address as equivalent to the ‘unique fingerprinting’ relied upon by the Southern District when finding embedded software into a mobile phone, thereby providing unique location and other information normally within the domain of law enforcement officers with a warrant.” Second, the court found “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such a broad based interpretation would potentially disrupt a large swath of internet commerce without further refinement as the precise basis of liability, which the court declines to consider.”

On April 3, another California Superior Court in Los Angeles County allowed a nearly identical complaint to proceed past the pleading stage. Here, the plaintiff alleged a hotel website also violated the same pen registry / tap and trace laws by capturing an IP address when the plaintiff allegedly visited the website. The court the plaintiff’s allegation that the hotel chain had “deployed a software device and process” was sufficient and that “a detailed description of the software and the precise mechanism it employs are evidentiary facts which need not be included.” The court did not address the Greenley decision or address the public policy arguments that the earlier court had raised. Instead, it rejected the defendant’s argument that the plaintiff had consented to the use of such a “device or process” by noting if merely visiting a website could establish consent, then the exception would swallow the rule. This is in stark contrast to the March decision, which found allowing the claim to proceed would swallow the common use of the internet.

These early decisions are reminiscent of how early courts handled chat-based wiretapping claims and illustrate how additional decisions can tip this theory one way or another. Some early courts found section 632.7 only required one wireless device (i.e., a smart phone) create a cause of action before most courts decided the plain language of the statute required the presence of two wireless devices to give rise to a claim. In contrast, even after more than a year of wiretapping decisions, courts in the Southern District of California last month reached different conclusions on whether nearly identical factual allegations had plausibly plead whether a third-party chat-API provider was entitled to the party exemption under wiretapping law.

It remains to be seen whether additional courts will add their authority to one side or another. The plaintiffs’ bar, and potential-defendant websites, will be watching closely.

[View source.]