The California Invasion of Privacy Act (CIPA), enacted in 1967, was designed to protect California residents from unauthorized surveillance, eavesdropping, and the recording of private communications. Initially, the statute focused on preventing and penalizing eavesdropping on telephone conversations.
Although the internet didn’t exist when CIPA was passed, plaintiffs’ attorneys are now using this law to bring class action lawsuits against website operators, alleging violations of California consumers’ privacy rights. Defendants face significant liability exposure, as CIPA imposes statutory damages of up to $5,000 per violation.
In recent years, CIPA cases have largely focused on wiretap claims. These lawsuits allege that website operators and/or third parties to whom they transmit users’ online activity and personally identifiable information are liable for collecting and disclosing this data without sufficient notice or consent, in violation of CIPA sections 631 and/or 632.
Many courts have interpreted and adapted the statute to apply to internet tracking technologies such as session replay software and data collection scripts. This has set a precedent, opening the door to a wave of data privacy lawsuits targeting these practices.
More recently, a new wave of CIPA litigation has emerged, alleging violations under a different part of the statute—the “pen register” and “trap and trace” provisions (contained in sections 638.50 and 638.51).
What are pen registers and trap and trace devices?
Traditionally, pen registers were used by law enforcement to record outgoing signals from telephone calls (i.e., the phone numbers dialed), while trap-and-trace devices captured incoming data (i.e., the phone numbers received). Neither records the substance of the communication.
CIPA Section 638.51 explicitly prohibits the installation or use of pen registers or trap-and-trace devices without consent or a court order. However, the definition of what constitutes a pen register isn’t so clear-cut anymore. Pen registers and trap-and-trace devices are defined as “device[s] or process[es]” that record or capture “dialing, routing, addressing, or signaling information” from a “wire or electronic communication,” but not “the contents of a communication,” (see CIPA Section 638.50). Note that the inclusion of the word “process” is critical because it expands the scope of what qualifies as a pen register.
Today, the majority of modern-day lawsuits and decisions have focused more on the pen register portion of the statute than on trap-and-trace devices.
However, the concept of pen registers has evolved beyond physical devices attached to phone lines. It now includes the collection of data from internet users, such as software tools that capture users’ device and browser data (including IP addresses) for targeted advertising and analytics.
Such practices have raised privacy concerns, as collecting and analyzing this data can reveal extensive information about users' online activities and create a detailed portrait of their behavior, interests, and communications. Although these technologies are widespread, the question of whether users impliedly consent to their usage remains up for debate.
These practices echo the original functions of pen registers and trap-and-trace devices, prompting courts to evaluate whether these tools violate privacy protections under CIPA.
Pen register cases and decisions
As courts continue to interpret CIPA’s pen register clause in light of modern technology, we’ve seen courts go both ways – some denying motions to dismiss pen register claims and allowing the cases to proceed, and others granting the motions and dismissing the claims.
These outcomes are increasingly influencing the landscape of privacy lawsuits in California. The two primary issues addressed by the courts are (1) whether the nature of the technology could constitute a pen register and (2) whether website users consent to the use of these technologies by virtue of visiting the website.
Favorable decisions for plaintiffs
Greenley v. Kochava
The springboard for the wave of pen register claims came in 2023 when Judge Cynthia Bashant of the Southern District of California denied the defendant’s motion to dismiss in the case, Greenley v. Kochava, Inc (Case No. 22-cv-01327).
There, the court considered whether a data broker that provided a software development kit (a form of embedded software) to customers that used it on their websites to collect IP address, geolocation data, and other information constitutes a pen register. The court held that the statute’s “expansive” language suggests a broad scope, and that the legislature’s chosen definition “indicates courts should focus less on the form of the data collector and more on the result.”
The Court opined that under its plain meaning, a “process” can “take many forms,” including “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting.’”
Shah v. Fandom
In Shah v. Fandom (Case No. 24-cv-01062), the plaintiff alleged that the defendant, a popular online gaming platform, violated Section 638.51 by causing users’ web browsers to download third-party software trackers, and unbeknownst to users, shared their IP addresses with these third-parties.
While distinct from Greenley in that this case targeted the website operator itself, the court held that deploying this technology could also constitute unauthorized pen registers within the meaning of CIPA, reasoning that, “Courts are instructed to interpret CIPA in the manner that fulfills the legislative purpose of CIPA by giving greater protection to privacy interests" and noting that, "California courts do not read California statutes as limiting themselves to the traditional technologies or models in place at the time the statutes were enacted.”
The Court also addressed the argument that collecting IP addresses is necessary for operation of a website, finding that, "A user who consents to disclose their IP address…as part of accessing its website does not necessarily consent to disclose their IP address to the third parties operating the Trackers."
The Court went on to opine that, “To the extent that Fandom believes the statute may impose too many burdens when applied to the realities of modern technologies…the question of whether the statute’s scope should be narrowed ultimately rests with the Legislature, not the courts.”
Moody v. C2 Educational Systems Inc.
Various other courts have applied this same reasoning. For example, in Moody v. C2 Educational Systems Inc. (Case No. 24-cv-04249), the Court found plaintiff’s allegations that the TikTok software embedded in the defendant’s website, a nationwide tutoring platform, plausibly falls within the scope of Section 638.50/51.
Similar to Shah and Greenley, the court held that the technology’s functionality, rather than its specific form, was the critical factor in determining its compliance with CIPA.
Other noteworthy cases
Another noteworthy example is Mirmalek v. L.A. Times Communications (Case No. 24-cv-01797), In this case, the court ruled that “under the inclusive language of CIPA’s definition of a pen register,” the plaintiff sufficiently stated a claim in alleging that the defendant installed trackers to record addressing information in the form of IP addresses.
And just last week, the Court in Rodriguez v. Autotrader.com (Case No. 24-cv-08753) rejected the argument that plaintiffs implicitly consent to the use of tracking software to collect IP addresses and other information.
While this legal theory has yet to reach the point of establishing any conclusive precedent as to the contours of what constitutes a pen register (as the cases have not been litigated to final resolution), courts seem to consistently find that the statute can apply beyond mere telephonic surveillance.
Favorable decisions for defendants
Not all recent cases have gone in favor of plaintiffs. Two rulings in particular highlight the hurdles plaintiffs face in applying CIPA as pen register cases: Licea v. Hickory Farms LLC (Case No. 23STCV26148) and Casillas v. Transitions Optical, Inc (Case No. 23STCV30742).
In Licea, the Superior Court of California ruled in favor of the defendant in part on public policy grounds, finding that a broad “interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator” would “potentially disrupt a large swath of internet commerce.”
The Court distinguished Greenley by noting that “the defendant in that case was a third-party data broker, not a website operator.” This distinction could prove significant in future cases.
And in Casillas, the LA County Superior Court also ruled that “obtaining IP addresses from ordinary user access does not violate the pen register statute.” According to the court, the plaintiff had no privacy interest in her IP address, and by voluntarily accessing the defendant’s website, had no reasonable expectation that her IP address was in fact private.
Building stronger data privacy cases
Cases like Greenley, Shah, and others highlight how courts are laying a foundation for applying CIPA’s pen register provisions to modern technology. At the same time, it’s also evident that not all courts are aligned on this front.
Attorneys must provide enough evidence to establish violations and build a compelling narrative as to the privacy interests at stake. Doing so will ensure that companies employing tracking technology are held accountable, comply with privacy laws, and increase transparency concerning the use of such technologies.
This is where Darrow can help.
We use advanced anomaly detection algorithms combined with human insight to uncover potential pen register violations that might otherwise go unnoticed. Our Legal Intelligence Platform sifts through vast amounts of data, identifying patterns and anomalies that signal potential CIPA violations. Our team of in-house attorneys then partner with plaintiff’s attorneys to build and litigate class actions backed by strong, compelling evidence.
Our attorneys also support our partners throughout the entire litigation process, from evidence collection to strategy development, ensuring they have the tools and expertise needed to succeed in court. This combination of legal tech, AI, and legal expertise allows plaintiffs’ attorneys to tackle even the most complex CIPA cases.
Interested in working with us on your next data privacy case? Contact us.
This might interest you:
Partner with Darrow to grow your practice
