What Is the Basis for These Claims?
The new CIPA cases focus on the alleged unlawful use of website tracking technologies, such as cookies, pixels, tags, and beacons, to collect and use personal information of people who visit these websites. Many of the lawsuits and arbitration demands center around a few key arguments.
Website tracking technologies are alleged to be unlawful “pen registers.” Plaintiffs allege that tracking technologies are used to “record” a user’s interactions with websites, which amounts to the use of a “pen register” or “trap and trace” device (although the bulk of the claims and related court decisions have focused on the definition of pen register rather than trap and trace). These technologies capture information, such as IP addresses, when users visit or leave a website, thereby recording “dialing, routing, addressing, or signaling information” transmitted from a device but not the content of the communication. Such activities, plaintiffs argue, amount to illegal pen registers under the CIPA.
Using tracking technologies without consent allegedly violates users’ right to privacy. Under California law, it is prohibited to use a pen register or trap and trace device without either a court order or explicit consent from the person being tracked. Plaintiffs allege that when websites deploy tracking technologies without obtaining consent beforehand, it constitutes a violation of the CIPA.
A frequently cited case in these lawsuits is Greenley v. Kochava. In this case, the court denied the defendant’s motion to dismiss and rejected the argument that a privacy company’s surreptitiously embedded software did not constitute a “pen register.” The court sided with the plaintiff, asserting that when software identifies consumers, gathers data, and correlates that data through unique “fingerprinting,” it constitutes a “process” through which a pen register can be deployed.
Despite many plaintiffs’ heavy reliance on Greenley, it is important to note that this case is still pending and has not yet set a definitive precedent on these legal points. Moreover, the specifics of Greenley distinguish it from many other claims. Defendant Kochava, a data broker, provided software development kits (SDKs) to its customers, meaning the data in question was not collected directly through Kochava’s own website but through software deployed on customers’ websites. Consequently, users who visited these websites were arguably unaware of the Kochava SDK’s presence, differentiating these circumstances from those involving direct website tracking.
This distinction is critical: it suggests that recent claims against website operators may not be directly analogous to Greenley. The indirect nature of data collection in Greenley, compared to direct website tracking claims, underscores how much each CIPA case may turn on its specific facts.
Recent Case Developments
Some companies have opted to settle these CIPA claims rather than litigate them. However, it is crucial to understand that settling early with one claimant does not shield a company from subsequent similar claims and could have the unintended consequence of inviting future lawsuits by plaintiffs’ counsel. For those who have chosen to fight, preliminary rulings have been mixed, and no claim has yet been fully litigated to final judgment.
Two significant cases in this area are Licea v. Hickory Farms and Levings v. Choice Hotels, both in the Los Angeles County Superior Court and involving nearly identical claims regarding defendants’ use of website tracking technologies. These cases, filed by the same law firm, have seen divergent outcomes in their initial rulings.
In Licea, the court sustained Hickory Farms’ demurrer, concluding that the plaintiff failed to demonstrate the use of a “pen register.” The court distinguished this case from Greenley partly by disagreeing that tracking IP addresses was analogous to the unique digital “fingerprinting” involved in Greenley.
Conversely, in Levings, the court overruled Choice Hotels’ demurrer, finding that the defendant had “‘deployed a software device and process’ which first recorded the information transmitted by Plaintiff’s device, and then used that information to install tracking code on Plaintiff’s device.” The court found this sufficient to describe the use of a pen register as defined under California law.
A key difference between these cases is their treatment of consent and the argument that voluntarily visiting a website implies consent to the use of website tracking technologies, even if such technologies are considered pen registers.
In Licea, the court indicated that even if the tool used to capture user information qualified as a pen register, the argument that users implied consent by visiting the website—where an IP address may be voluntarily disclosed—was persuasive. The court referenced prior cases such as Heeger v. Facebook, Inc. and U.S. v. Forrester to support this view.
In contrast, the court in Levings rejected the notion that simply visiting a website constitutes implied consent to collection of information. The court stated that accepting this argument “would allow the exception to swallow the rule whole.”
Given that neither case has progressed to a final judgment, defendants in other suits face potentially contradictory rulings on two critical issues:
- whether internet tracking tools qualify as pen registers
- whether visiting a website constitutes consent for the collection of user information
In Licea, the court expressed concern about the broader implications of interpreting web tracking technologies as pen registers, which could render nearly every online entity a potential criminal violator. The court noted that “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such broad-based interpretation would potentially disrupt a large swath of internet commerce without further refinement as [to] the precise basis of liability.” This point is potentially a harbinger of the debate that will escalate as more restrictions on website data gathering are considered by the courts and legislatures.
The preliminary rulings in Licea and Levings highlight the complex and evolving nature of privacy litigation in California. Companies must stay informed and be proactive in managing their compliance with privacy laws to mitigate risks associated with these legal challenges.
What Can Companies Do Now, Even If They Haven’t Yet Received a Complaint or Arbitration Demand?
As courts continue to grapple with whether website tracking technologies qualify as pen registers and whether visiting a website implies consent for data collection, companies must proactively review their technology and compliance practices.
Many US state laws, starting with California, include specific rules regarding the notices companies must provide on their websites, how they can use consumers’ information, and how such information can lawfully be shared with third parties. Companies should begin by ensuring that their websites and notices (e.g., website privacy policies) comply with the various states’ data protection laws.
Beyond legal compliance, companies should assess whether they are truly transparent about their website tracking technologies. For instance, does the company’s privacy notice include comprehensive information about cookies and tracking technologies, including which ones are used and how users can block them or opt out?
If possible, companies should consider deploying an opt-in mechanism for tracking technologies for California users. One of the key considerations in the cited cases is whether visiting a website constitutes consent for data collection. By asking for explicit consent (i.e., an opt-in for tracking technologies like cookies), companies could potentially provide an affirmative defense against allegations that an unlawful pen register was deployed, as consent is an exception to the prohibition on the use of pen registers.
Regardless, companies should remain vigilant for threatening letters, demands for arbitration, and service of claims related to the CIPA. Plaintiffs’ firms do not appear to discriminate based on company size or industry. If a company operates a website in the US and California consumers visit it, it is a potential target.