California businesses are experiencing a tsunami of demands and complaints alleging class action status that applies the well-established 1960’s California Invasion of Privacy Act (CIPA) to the internet’s new technology. CIPA is a pre-internet era law aimed to curb unlawful telephone wiretapping and other electronic surveillance such as pen registers. A pen register is a device that traces outgoing signals from a telephone or computer and that is often used by law enforcement to provide lists of phone numbers contacted by a suspect’s phone, or to trap and trace individuals in violation of their privacy expectations. Increasingly, plaintiff’s counsel argue that many businesses’ (or their vendors’) websites use technology (i.e. cookies, pixels) to track users’ website interactions in violation of the CIPA.
These lawsuits, first brought under Penal Code Section 631(a)’s wiretap prohibition, are evolving to claims under Section 631.51, which prohibits most uses of a pen register device to trap and trace. In addition to fines and penalties for several types of wiretapping, including aiding, agreeing with, employing, or conspiring with a third party to engage in prohibited wiretapping or “eavesdropping” activities, there are statutory damages of $5,000 per violation and a plaintiff is not required to prove actual damages.
The Court in Byars v. Hot Topic, Inc., 2023 WL 2026994 (C.D. Cal. Cal. Feb. 14, 2023) made the sensible decision to dismiss a Section 631(a) case because the website owner and its vendor were the intended recipients of the plaintiff’s communications and, therefore, could not be held to have illegally “eavesdropped” on the communications from the plaintiff, creative plaintiff’s counsel expanded the reach of their CIPA complaints to allege violations of the “pen register” provisions of Section 638.51.
The Court’s decision declining to dismiss a CIPA claim alleged under 638.51 in Greenley v. Kochava, Inc., No. 22-CV-01327-BAS-AHG, 2023 WL 4833466, at *1 (S.D. Cal. July 27, 2023) appears to be the catalyst for the newest claims. In Greenley, the plaintiff alleged that the defendant data broker provided software development kits to app developers in violation of section 638.51 of CIPA because the tracking tools were used by the defendant to track users’ data and defendant sold the data to third-party advertisers. The Greenley court concluded that the allegations of defendant’s use of tracking software for its own purposes constituted a process that recorded routing information and sufficiently described a violation of the “trap and trace” prohibitions of Section 638.51 and allowed the lawsuit to survive a motion to dismiss.
California businesses that use software to gather data should immediately take measures to insulate themselves from CIPA litigation and, down the road, from enforcement actions by California’s Privacy Police (the fledgling California Privacy Protection Agency). Consent is the front line of defense in CIPA cases, so a review of websites that gather information through cookies should be undertaken to ensure that consent is obtained and that the websites’ privacy policies are up to date. Moreover, when faced with a pre-litigation demand, businesses should ensure that they are properly represented by counsel, as a pre-litigation settlement with a single claimant will not protect the enterprise from other class action claimants making the same claim. And, for California businesses who are covered employers under the California Privacy Rights Act, it is equally important to review their privacy policies and notices with regard to employees’ and applicants’ personal data, as enforcement actions are imminent.
CDF’s Privacy Practice Group will continue to monitor developments related to privacy issues, the CCPA, the CPRA and the California Privacy Protection Agency’s enforcement actions.
