In our January 18, 2024 post, “The Next Chapter of CIPA Litigation: The Pen Register and Trap and Trace Device,” we discussed the new trend in California Invasion of Privacy Act (“CIPA”) litigation, where it came from, and where we think it is going. Since then, we have received numerous questions from companies that either have been sued under CIPA, have been threatened with a suit under CIPA, or are worried about being threatened in the future. In addition to the anticipated questions (e.g., “What is a pen-trap?”), we received several questions about the reach of CIPA and how a California Penal Code statute could apply to companies that have little, if any, presence in California.

In this article, we attempt to address this question. But as with most things CIPA-related, the answer is neither simple nor straightforward. It depends, generally speaking, on the answers to two questions: (1) Can CIPA, a California Penal Code statute, apply to a non-California company?; and if it can, (2) Can a California court exercise jurisdiction over that company?

Can CIPA Apply to Out-of-State Defendants?

It is well settled that “[u]nder California law, a presumption exists against the extraterritorial application [of] state law.”[1] That is, a California law is presumed to apply only to actions taken within California.[2] The only way to rebut this presumption is if the Legislature’s intention to have the law apply extraterritorially “is clearly expressed or reasonably to be inferred from the language of the act or from its purpose, subject matter or history.”[3]

The language of California Penal Code § 638.51 – the statute under which these pen register and/or trap and trace device (together, “Pen-Trap”) cases are being filed – contains no express geographical limitations, but it likewise does not “clearly express,” nor can it be “reasonably infer[red]” from its language, that the Legislature intended it to apply beyond California’s borders. It merely states:

“[A] person may not install or use a pen register or a trap and trace device without first obtaining a court order pursuant to Section 638.52 or 638.53.”[4]

Therefore, under California Supreme Court precedent, § 638.51 should apply to, and only to, Pen-Trap devices installed or used in California.

Where Did the Installation and/or Use of the Pen-Trap Occur?

California uses the terminology “place of the wrong” when identifying where the allegedly unlawful act took place. The “place of the wrong” is “the state where the last event necessary to make the actor liable occurred.”[5] Of course, determining the location of the “last event necessary to make the actor liable” for an alleged CIPA violation can be difficult.

As recently as November 2023, the U.S. District Court for the Northern District of California came close to holding, but did not actually hold, that for a CIPA wire-tapping claim, “there is a strong argument that the last event necessary” to make the defendant liable was when a third party, after being hired by the defendant, “intercepted the website users’ communications,” which, according to the court, occurred at the plaintiff’s browser. Put another way, under the Northern District’s rationale, the “place of the wrong” was the location of the user at the time he or she visited the defendant’s website.

The Northern District’s discussion tracked closely the rationale used in federal Wiretap Act cases. There, courts have routinely found that the unlawful wiretap occurs when and where the communication is “intercepted,” which, in turn, occurs where the communication is rerouted.[6] In Popa v. Harriet Carter Gifts, Inc., the U.S. Court of Appeals for the Third Circuit found that the rerouting occurred “at [the plaintiff’s] browser, not where the signals were received at [the defendant’s] servers.”[7]^,[8]

The recent surge in CIPA claims has not been driven by alleged online wiretapping, however. It has been driven by the alleged use of Pen-Trap devices. Specifically, companies are being sued (or are being threatened with being sued) for allegedly violating § 638.51 by “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order.”[9]

Thus, whereas the unlawful activity in the wiretapping statute was the “interception” of communications, the unlawful activity in Pen-Trap cases is the “installation” and/or “use” of a Pen-Trap device. Therefore, the “place of the wrong” is where the Pen-Trap device was installed and where it was used.

Under facts like those in Greenley v. Kochava, Inc., the place of installation and use is relatively clear.[10] There, a data broker provided software developer kits to software application developers in return for the developers allowing the defendant to surreptitiously collect data from the app users.[11] The alleged pen register was, therefore, encoded into the app and installed onto a user’s phone when the app was downloaded.

The facts in Greenley, however, seem to be an outlier. In this recent surge of CIPA claims, plaintiffs have alleged that the company has installed on its own website a web beacon that allows the company to capture electronic impulses from the website user in order to identify the source of the communication, including his or her identity and geolocation. They also have claimed that the company has installed on the website user’s browser trackers that send to third parties the website user’s information.[12]

Regardless of the merits of these two claims, the differences between them could, in fact, have an impact on whether CIPA applies to a non-California company. For example, where the plaintiff asserts that the company has installed a web beacon on its own website, the “place of the wrong” would be company- (not user-)specific (i.e., where the decision was made to utilize such a “device,” where the company’s server is housed, etc.). In contrast, where the plaintiff alleges that the company installed a tracker on his or her own browser, the “place of the wrong” may, in fact, be user-specific (i.e., where the user was when the tracker was installed on his or her browser).

Can California Courts Exercise Jurisdiction?

Even assuming that CIPA applies to out-of-state companies, that does not mean that those companies can be sued in California. The company must still be subject to personal jurisdiction in California.

California’s Long-Arm Statute

In California, courts can exercise personal jurisdiction over a defendant so long as doing so “compli[es] with due process requirements.”[13] Due process is normally satisfied where a “nonresident defendant has certain minimum contacts with the forum such that the maintenance of the suit does not offend traditional conceptions of fair play and substantial justice.”[14]

Jurisdiction under the “minimum contacts” analysis can be either general or specific.[15] General jurisdiction, which subjects a nonresident defendant to suit even on matters not related to the defendant’s contact with California, arises when the nonresident defendant’s “activities in the forum are substantial, continuous and systematic.”[16] The scenarios in which general jurisdiction has been found are fairly limited: (1) the “paradigm all-purpose forums” (i.e., “a corporation’s place of incorporation and principal place of business”)[17] and (2) the “exceptional case” where the “corporation’s operations in a forum other than its formal place of incorporation or principal place of business [are] so substantial and of such a nature as to render the corporation at home in that State.”[18]

In contrast, specific jurisdiction is present when the nonresident defendant’s “contacts with the forum give rise to the cause of action before the court.”[19] Put another way, “the cause of action” must “arise[] out of or ha[ve] a substantial connection with” the nonresident defendant’s in-state activities.[20]^,[21]

In analyzing specific jurisdiction in California, courts have espoused three requirements, all of which must be met:[22]

“(1) The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws;

(2) the claim must be one which arises out of or relates to the defendant’s forum-related activities; and

(3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e.[,] it must be reasonable.”[23]

The first element has been and likely will remain the main focus of the court’s personal jurisdiction analysis. It includes two separate prongs: (1) “purposeful availment” and (2) “purposeful direction.”[24] “Purposeful availment” is “most often used in suits sounding in contract” because it looks to whether the defendant “purposefully availed” itself of the protection of the forum state’s law (i.e., executing or performing a contract in the state).[25]

“Purposeful direction” is “most often used in suits sounding in tort” because it focuses on “the defendant’s actions outside the forum state that are directed at the forum, such as the distribution in the forum state of goods originating elsewhere.”[26]

CIPA claims, which are statutory in nature, do not fall neatly into either category. Nevertheless, because in most CIPA claims against nonresident defendants, actions are taken outside California (i.e., the decision to utilize trackers and cookies), “purposeful direction” is the better suited of the two tests.

What Is ‘Purposeful Direction’?

In Calder v. Jones, the United States Supreme Court set forth a three-part test, commonly referred to as the “Calder Effects Test,” to determine whether a nonresident defendant has directed its actions at the forum state.[27] Under the test, the defendant “must have (1) committed an intentional act, which was (2) expressly aimed at the forum state, and (3) caused harm, the brunt of which is suffered and which the defendant knows is likely to be suffered in the forum state.”[28]

As it relates to CIPA claims, the second factor is likely to be the most contested: Did the nonresident defendant, in deciding to implement trackers and cookies on its own website, “expressly aim” those trackers and cookies at California?[29]

As an initial matter, that the website user was located in California at the time the cookies and trackers were used, does not, in and of itself, establish that the nonresident defendant “aimed” its acts at California. As the Court stated in Walden v. Fiore, the relationship necessary to establish purposeful direction “must arise out of contacts that the ‘defendant himself ’ creates with the forum State,” and it is the “defendant’s contacts with the forum State itself, not the defendant’s contacts with persons who reside there,” that matter.[30] Therefore, that an individual, on his or her own initiative, visits a nonresident company’s website while the individual is within California’s borders does not, alone, subject that company to personal jurisdiction in California.[31]

Second, it goes without saying that “allow[ing] personal jurisdiction anywhere that a web platform can be accessed” would raise serious due process concerns.[32] As a result, the Ninth Circuit has drawn a line between merely operating a website and “operating a website in conjunction with ‘something more,’” with the former not constituting purposeful direction and the latter requiring further analysis.[33]^,[34]

What constitutes that “something more” is generally a fact-intensive question that must be decided on a case-by-case basis. For example, in Mavrix Photo, Inc. v. Brand Techs., Inc., the Ninth Circuit found that the defendant, an Ohio company that operated a gossip website, was subject to personal jurisdiction in California because, in displaying on its website the photographs owned by the plaintiff, a celebrity photo agency operating in California, the defendant “used [the plaintiff’s] copyrighted photos as part of its exploitation of the California market for its own commercial gain” by seeking to increase the “number of hits to [the defendant’s] website [that] came from California residents,” of which, the court noted, there was already a “substantial number,” in order to sell advertising on its website that was “directed to Californians.”[35] From this, the Ninth Circuit concluded that “it does not violate due process to hold [the defendant] answerable in a California court for the contents of a website whose economic value turns, in significant measure, on its appeal to Californians.”[36]

Nine years later, the Ninth Circuit decided AMA Multimedia, LLC v. Wanat, where it held that the defendant, an internationally available website that hosted adult videos and allowed users to search for, select, and watch them, was not subject to personal jurisdiction in California, despite the plaintiff, a producer and distributer of adult videos over the internet, alleging that the defendant had committed copyright infringement, trademark infringement, and unfair competition by posting on its website the plaintiff’s content.[37] The Ninth Circuit found three main facts, all of which it distinguished from those in Mavrix, to be determinative. First, the subject matter of the defendant’s website – adult videos – “lacks a forum-specific focus” because “the market for adult content is global, evidenced by the fact that … 80% of [the website’s] viewers were outside the United States.”[38] Second, although the website “features a significant portion of U.S.-based content from producers like [the plaintiff] and U.S.-based models, this does not mean [the website’s] subject matter is aimed at the U.S.,” because the website’s “content is primarily uploaded by its users, and the popularity or volume of U.S.-generated adult content does not show that [the defendant] expressly aimed the site at the U.S. market.”[39] Third, unlike in Mavrix, where the website’s advertising revenue was largely derived from driving California residents to the site, the website in AMA Multimedia merely targeted its advertisements based on the supposed location of the website user, regardless of where that website user was.[40]

In 2022, the Ninth Circuit was faced, yet again, with a personal jurisdiction battle in a dispute over online adult entertainment. Surprisingly, the court held that personal jurisdiction could be exercised over the Japanese website operator based on facts that, while present in AMA Multimedia, were unceremoniously rejected by the AMA Multimedia court.[41] First, the Ninth Circuit focused on the defendant’s decision to “host the website in Utah and to purchase content delivery network services for North America,” both of which, the court found, “reduced the time it takes for the site to load in the United States,” thereby increasing the likelihood that U.S. users would visit the site.[42] Second, the Ninth Circuit highlighted the website’s “legal compliance” pages, which the court found “are relevant almost exclusively to viewers in the United States.”[43] Based on these facts, the Ninth Circuit found that the defendants “both appealed to and profited from a United States audience, and thus expressly aimed the site at the United States.”[44]

And just last year, the Ninth Circuit decided Briskin v. Shopify, Inc. – the Ninth Circuit personal jurisdiction case most analogous to CIPA claims in that it involved the allegedly unlawful extraction, retention, and sharing of consumer data.[45] In Briskin, the Ninth Circuit specifically stated that “in a suit alleging the unlawful extraction, retention, and sharing of consumer data,” like CIPA claims, “the legal framework and principles that should be brought to bear are those from Mavrix, AMA, and Will Co.”[46]

Applying this legal framework, the court in Briskin found that the defendant, a Canadian web-based payment processor, was not subject to personal jurisdiction in California. First, the court found that the defendant’s website did not have a forum-specific focus, nor did it specifically appeal to or actively target a California audience.[47] The Ninth Circuit listed the facts on which it based this conclusion: (1) the defendant’s “platform is accessible across the United States, and the platform is indifferent to the location of either the merchant or the end consumer”; (2) there were no allegations that the defendant “alter[ed] its data collection activities based on the location of a given online purchaser”; (3) there were no allegations that the defendant “prioritize[d] consumers in California or specifically cultivate[d] them”; and (4) the plaintiff “would have suffered the same injury regardless of whether [the merchant from whom he purchased the product and who used the defendant’s service] was a California company and regardless of whether [the plaintiff] was physically located in California when he made his purchase.”[48]

Second, the defendant’s interactions with website users, like the plaintiff, were dependent on “the third-party decisions of its merchants.”[49] That is, the defendant’s “extraction and retention of consumer data depends on the actions of third-party merchants [that] are engaged in independent transactions that themselves do not depend on consumers being present in California.”[50]

Key Takeaways

Ultimately, the facts of the case and, at least in the early stages of the litigation, the theory under which the plaintiffs assert their claims will govern. But companies that neither reside nor operate in California and that do not “install” anything on users’ own devices should have a strong argument that CIPA does not apply to them. The same is true with regard to personal jurisdiction: If a non-California company merely operates a forum-non-specific website, that company should have strong defenses to personal jurisdiction in California.

When threatened with a suit, or actually sued, for the unlawful installation or use of a Pen-Trap device, non-California companies should ask themselves a series of questions, including (but certainly not limited to) the following:

To determine whether CIPA applies:

• Did the company “install” any trackers or cookies on users’ devices (i.e., phones, browsers, etc.)?
• If not, where are the company’s servers located (within or outside California)?

To determine whether a California court can exercise personal jurisdiction:

• Is the company website California-specific (i.e., is the subject matter of the website specifically tailored to Californians)?
• Does the company engage in activities to drive California residents to its website?
• Does the company specifically profit from California website viewers (as opposed to viewers generally)?
• Does the company profit from California-specific advertisements on its website?
• What percentage of the website’s users are associated with a California address?
• Where is the website hosted (i.e., within California or in a location specifically intended to increase the number of California users)?
• Are the website’s terms and conditions and/or privacy policies aimed at Californians or users as a whole?
• Does the website collect the same information on all users, or does it collect different information if the user is associated with a California address?

These are not always easy questions to answer, and even if answers can be obtained, it is not always easy to determine how those answers impact a company’s CIPA liability.

[1] O’Connor v. Uber Techs., Inc., 58 F. Supp. 3d 989, 1004 (N.D. Cal. 2014).

[2] A law is said to apply extraterritorially where it is “operative with respect to occurrences outside the state.” N. Alaska Salmon Co. v. Pillsbury, 174 Cal. 1, 4 (1916).

[3] Sullivan v. Oracle Corp., 51 Cal. 4th 1191, 1207 (2011) (internal quotations omitted).

[4] Cal. Penal Code § 638.51(a).

[5] Mazza v. Am. Honda Motor Co., 666 F.3d 581, 593 (9th Cir. 2012), overruled on other grounds by Olean Wholesale Grocery Coop., Inc. v. Bumble Bee Foods LLC, 31 F.4th 651 (9th Cir. 2022).

[6] See Luis v. Zang, 833 F.3d 619, 633 (6th Cir. 2016) (“The alleged intercept of a communication thus occurs at the point where [the defendant] – without any active input from the user – captures the communication and reroutes it.”).

[7] Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121, 131 (3d Cir. 2022).

[8] A distinction must be drawn between the extraterritorial application of a California statute and the application of a California statute to an out-of-state defendant. The former requires the analysis above; the latter requires a choice-of-law analysis. In Kearney v. Salomon Smith Barney, Inc., 39 Cal. 4th 95 (2006), the California Supreme Court largely skirted this distinction, holding that applying CIPA’s call-recording statute “to a person who, while outside California, secretly records what a California resident is saying in a confidential communication while he or she is within California … cannot accurately be characterized as an unauthorized extraterritorial application of the statute, but more reasonably is viewed as an instance of applying the statute to a multistate event in which a crucial element – the confidential communication by the California resident – occurred in California.” Id. at 119 (emphasis added); see also Kight v. CashCall, Inc., 200 Cal. App. 4th 1377, 1390 (2011) (“[A]n actionable violation … occurs the moment the surreptitious recording or eavesdropping takes place.”).

[9] Cal. Penal Code § 638.51(a).

[10] Greenley v. Kochava, Inc., No. 22-CV-01327-BAS-AHG, 2023 WL 4833466, at *1 (S.D. Cal. July 27, 2023).

[11] Id.

[12] Because we disagree that web beacons, trackers, or cookies actually fall within the definition of pen registers and/or trap and trace devices, we refer to “cookies and trackers,” instead of Pen-Trap devices, when analyzing these issues.

[13] Pebble Beach Co. v. Caddy, 453 F.3d 1151, 1155 (9th Cir. 2006); see also Doe v. Unocal Corp., 27 F. Supp. 2d 1174, 1184 (C.D. Cal. 1998), aff’d and adopted, 248 F.3d 915 (9th Cir. 2001) (“California’s long-arm statute extends jurisdiction to the limits of due process.”).

[14] Doe, 27 F. Supp. 2d at 1184.

[15] Id.

[16] Id. at 1184.

[17] Daimler AG v. Bauman, 571 U.S. 117, 118 (2014).

[18] Id. at 139 n.19.

[19] Doe, 27 F. Supp. 2d at 1184.

[20] Id.

[21] For purposes of this article, we focus on specific jurisdiction, given that companies subject to general jurisdiction likely have little reason to question being hauled into California court.

[22] “If any of the three requirements is not satisfied, jurisdiction in the forum would deprive the defendant of due process of law.” Omeluk v. Langsten Slip & Batbyggeri A/S, 52 F.3d 267, 270 (9th Cir. 1995).

[23] Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 802 (9th Cir. 2004).

[24] Id.

[25] Id.

[26] Id. at 802-803.

[27] Calder v. Jones, 465 U.S. 783 (1984).

[28] Pebble Beach Co. v. Caddy, 453 F.3d 1151, 1156 (9th Cir. 2006).

[29] Many reading this may wonder why the “intentional act” prong is not likely to be contested. The reason lies in how the term has been interpreted. “Intentional act,” as used in this context, “refer[s] to an intent to perform an actual, physical act in the real world, rather than an intent to accomplish a result or consequence of that act.” Schwarzenegger, 374 F.3d at 806. In the context of Pen-Trap cases, the intentional act would be the installation and use of cookies/trackers. Thus, unless the trackers and cookies at issue were installed/utilized without the website owner’s knowledge and/or consent, their installation and use likely satisfies the “intentional act” prong.

[30] Walden v. Fiore, 571 U.S. 277, 284 (2014) (emphasis in original); see also Briskin v. Shopify, Inc., 87 F.4th 404, 416 (9th Cir. 2023) (“[I]t is the defendant’s contacts with the forum state, not the plaintiff’s, that matter, and it is the defendant’s contacts with the state itself, and not persons there, that must drive the inquiry.”).

[31] See Briskin, 87 F.4th at 416 (“Shopify did not expressly aim its conduct toward California simply because Briskin resided there, made his online purchase ‘while located in California,’ and sustained his privacy-based injuries in that state.”).

[32] Id. at 417.

[33] Id.

[34] The Ninth Circuit has also drawn a distinction between “passive” and “interactive” websites, but the former have largely become a thing of the past. Id.

[35] Mavrix Photo, Inc. v. Brand Techs., Inc., 647 F.3d 1218, 1229-1230 (9th Cir. 2011).

[36] Id. at 1230.

[37] AMA Multimedia, LLC v. Wanat, 970 F.3d 1201, 1205 (9th Cir. 2020).

[38] Id. at 1210.

[39] Id.

[40] Id. at 1211.

[41] Will Co. v. Lee, 47 F.4th 917, 926 (9th Cir. 2022).

[42] Id. at 925.

[43] Id.

[44] Id. at 926.

[45] Briskin, 87 F.4th at 422.

[46] Id.

[47] Id.

[48] Id. at 422-423.

[49] Id. at 423.

[50] Id.

[View source.]