For the past two years, hundreds of class action lawsuits alleging violations of the California Invasion of Privacy Act (CIPA) have plagued California retailers and consumer-facing service providers. These lawsuits claim, among other things, that the use of conventional web analytic tools such as website session replay, chatbot, and Meta Pixel amounts to a violation of CIPA’s wiretapping and eavesdropping provisions.
The sudden surge in these lawsuits followed a Ninth Circuit unpublished decision that held that CIPA “applies to Internet communications.”[1] Relying on that decision, several plaintiffs’ firms circulated hundreds – if not thousands – of pre-suit demand letters threatening CIPA class action litigation under two provisions of CIPA, Section 631(a) and Section 632.7.[2]
Now, a recent decision from the United States District Court for the Southern District of California[3] has prompted plaintiffs’ firms to turn to an obscure provision of CIPA – Section 638.51 – to advance a new theory for civil liability based on businesses’ use of common Internet technologies.
The Wiretap’s Baby Brother: The Pen Register and Trap and Trace Device
Section 638.51 prohibits the installation or use of a pen register or a trap and trace device without first obtaining a court order. Section 638.50(b) defines a pen register as a device or process that records or decodes dialing, routing, addressing, or signaling information (often referred to as DRAS) transmitted by an instrument or facility from which a wire or electronic communication is transmitted. Similarly, Section 638.50(c) defines a trap and trace device as a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing or signaling information reasonably likely to identify the source of a wire or electronic communication.
Unlike a wiretap, which allows real-time interception of the content of the communications, pen registers and trap and trace devices (pen-traps) are limited to the collection of DRAS.
Pen-traps were traditionally devices used by law enforcement agencies to record all outgoing and/or incoming telephone numbers from a particular telephone line. Then, with the passage of the 2001 USA PATRIOT Act, the pen-trap definition was expanded to include a device or process to keep up with the advancement and evolution of Internet technologies and communications. In 2015, the California legislature unanimously adopted this updated and expanded definition.[4]
Greenley, We Have a Problem.
In Greenley, the plaintiff claimed that the defendant’s software that was installed in third-party mobile applications constituted an illegally installed pen register. The defendant moved to dismiss, arguing that its software was not a pen register. After noting that no other court had interpreted CIPA’s pen register provision, the court articulated that it could not “ignore the expansive language in the California Legislature’s chosen decision,” which the court held was specific as to the type of data a pen register collects – DRAS – but “vague and inclusive as to the form of the collection tool – ‘a device or process.’” The court concluded that the language suggests that “courts should focus less on the form of the data collector and more on the result.” Having this legal framework in mind, the court applied the plain meaning to the word “process” and concluded that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ is a process that falls within CIPA’s pen register definition.” Accordingly, the court denied Kochava’s motion to dismiss.
The Ubiquity of Pen-Trap “Processes”
To appreciate the problematic implications of Greenley’s plain meaning interpretation of process, one need look no further than to his or her own cellphone or Internet-connected computer. Cellphones, for example, automatically create and maintain a list of phone numbers that were dialed from or received on that device. Likewise, Internet-connected computers that send and receive emails record “To:” and “From:” address information. Under Greenley, these commonplace practices, which record dialing and addressing information, could be defined as a process that falls within CIPA’s definition of a pen-trap.
In fact, under this approach, virtually every device that communicates over the Internet utilizing the Internet Protocol – which is a set of rules for routing and addressing packets of data so they can travel across networks and arrive at the correct destination – would be deemed a pen-trap.
ATDS All Over Again?
In truth, California’s interpretation of a pen register under CIPA is eerily reminiscent of the Federal Communication Commission’s interpretation of an automatic telephone dialing system (ATDS) under the Telephone Consumer Protection Act. Before the FCC’s interpretation was nullified by the U.S. Court of Appeals, D.C. Circuit in ACA International v. FCC, 885 F.3d. 687 (D.C. Cir. 2018), an ATDS was interpreted as anything with the capacity (whether being used or not)“to store or produce telephone numbers to be called, using a random or sequential number generator” and “to dial such numbers.” Thus, not unlike California’s current interpretation of a pen register, the FCC’s interpretation of an ATDS necessarily included every smartphone. The “TCPA,” the D.C. Circuit found, “cannot reasonably be read to render every smartphone an ATDS subject to the Act’s restrictions, such that every smartphone user violates federal law whenever she makes a call or sends a text message without advance consent.”
The same is true with regard to a pen register under CIPA. CIPA “cannot reasonably be read to render every smartphone [a pen register] subject to the [CIPA’s] restrictions,” but unless and until a defendant successfully challenges California’s interpretation, it may very well be.
In our next post, we will discuss how companies can better position themselves to avoid and, if necessary, defeat these CIPA class actions.
[1] Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 3933070 (N.D. Cal. June 9, 2023).
[2] Section 631 makes third-party wiretapping illegal. Section 632.7 prohibits the interception or receipt and recording of certain wireless communications without consent.
[3] Greenley v. Kochava, Case No. 22-cv-01327-BAS-AHG, 2023 WL 4833466 (S.D. Cal. July 27, 2023).
[4] Added by Stats 2015 ch 204 (AB 929),s 2, eff. 1/1/2016.
[View source.]
