BlogLine

Data Breach Litigation Trends (and Common Defense Strategies) Part 1: Stay with the old CIPA claims, in with the new technologies

3/28/24

By: Danielle A. Ocampo

From “PenTrap” registry to 1988 video record protection laws, plaintiffs are becoming more creative than ever applying old laws and legal theories to new technologies. As recent as March 13^th, California courts took an initial stance on whether internet activity on a mobile device subjects company website owners to “pen register” liability.

FMG’s Data Security, Privacy and Technology practice defends businesses nationwide against an increasing number of privacy class action litigation suits. In two parts, we discuss two top-of-mind litigation trends, CIPA and VPPA liability and possible “how-to” defense strategies: 

California Invasion Privacy Act (CIPA) Wiretapping and “PenTrap” Violations

Definitions 

The California Invasion of Privacy Act (CIPA) imposes civil and criminal liability for wiretapping and use of pen register or a trap and trace devices.¹ “Wiretapping” involves using any machine or instrument to intentionally tap or make a connection, whether physical, electrical, or otherwise with any telegraphic, telephone wire, line, cable, or instruments of any internal telephonic communication system to unauthorizedly read, attempt to read or learn the contents of the communication in transit.² A “pen register” is a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted, but not the communications’ contents.³ Similarly, a trap and trace device is a device or process that captures incoming electronic or other impulses that identify the originating number or dialing, routing, or signaling information that will reasonably likely identify the source of the wire or electronic communication, but again not the contents.⁴ Wiretapping requires all-party consent for any recordation, while a pen register and trap and trace devices require court orders absent consent.⁵   

The Trend: Is Tracking Technology “Trap and Trace”?  

Overall, plaintiffs’ complaints recycle CIPA demands that are vague and do not fit squarely within the laws. The common fact patterns start where plaintiffs visit a defendant’s website that uses a third-party chatbot, a web beacon, or session replay tracking software. Plaintiffs attempt to expand the scope of CIPA’s theories of liability by claiming that these technologies are pen registers or trap and trace devices. For instance, one class of plaintiffs alleged that a TikTok web beacon embedded on a defendant’s website deployed numerous signaling mechanism to trap and trace users by monitoring users’ activity (e.g., page views, searches, purchases), decoding users’ devices, and learning the race and ethnicity of each user. This “process” records information used for the sole purpose of identifying the sources of electronic communications on the defendant’s site without user consent for defendant’s own independent gain. 

Plaintiffs assert that CIPA extends liability to defendants for the installation of a trap and trace device without users’ consent.⁶ The law does not require a prerequisite harm whether actual or threatened.⁷ Another class of plaintiffs alleged that a third party was able to eavesdrop on users’ interaction with a chat feature on defendant’s site where defendant paid the third party to embed this chat technology. This third-party chat software was not only able to gather and analyze customer data for targeted marketing campaigns, but it was also able to intercept chat transcripts and provide them to social media platforms like Meta for targeted advertising based on users’ website visits and interactions. As such, plaintiffs sought statutory damages and injunctive relief. However, there is no real justification as to why these laws would apply to businesses’ use of pixels, google analytics, chat boxes, or the like. 

California Court Takes on the Internet  

On March 13, 2024, the Los Angeles County Superior Court of California granted Hickory Farm’s demurrer challenging Plaintiff Jose Licea’s complaint for a lack of sufficient facts to establish CIPA liability.⁸ Licea alleged that defendant’s use of “pen register” technology with an IP address on a mobile phone fell within the scope of CIPA as applied to telephonic devices. First, the Court noted that Licea only alleged a “device” without a specific reference to a mobile phone or cellular device. The Court further reasons that, even if Licea did specifically reference a qualifying device, the Court agreed with the argument that consent was given “under the guise of visiting a website, where an IP address may be voluntarily disclosed.” 

More notably, the Court strongly disputed, for public policy reasons, the dangers of Plaintiff’s potential interpretation of privacy laws applying to every single entity’s website voluntarily visited by a potential plaintiff. For the Court, an IP address for the purposes of connecting a visitor to a website would be a broad-based interpretation that would disrupt internet commerce, marking every website owner as a violator. The Court declined to consider where the precise basis of CIPA liability as to internet commerce should lay, but granted Plaintiff leave to amend his complaint. 

Common CIPA Defense Strategies 

While the Licea order may be an indication of how the courts will treat CIPA liability under a public policy lens, there are still no substantive decisions on CIPA liability because these cases tend not survive as applied to these technologies. It is generally encouraged to try to reach a settlement early on because Plaintiffs are filing suits to capitalize on the lack of guidance from courts. However, increased CIPA litigation will equip companies with more ways to defend themselves. Some common defense strategies include:  

• Filing a motion/demurrer based on lack of Personal Jurisdiction or Improper Venue. This is especially useful to assert that the long-arm statute does not apply to CIPA, especially where CA residents are suing non-CA based companies. CIPA may apply extraterritorially because the alleged conduct of data collection and interacting with the national website occurred in CA. However, even if the law does apply, the question becomes does the court have jurisdiction over an out-of-state company based on, for example, non-California specific products targeted towards Californians or low volumes of sales from California? 
• Scrutinizing the definitions of each element. For example, asserting that the communication was not a “contents” per se because the type of communication was not an intended message (e.g., email messages, text messages);  
• Asserting that CIPA does not apply to the internet because the internet is not a telephonic device as CIPA requires or the Plaintiff did not allege a qualifying telephonic device was used; or
• Consent was obtained. 

California courts have yet to be consistent with applying the law. However, despite the Licea order’s dismissal based on a lack of supporting facts, the strongest defense will likely be a dismissal due to lack of personal jurisdiction or venue.  

Even when a motion to dismiss is granted, the courts tend to give plaintiffs a leave to amend, especially under a R. 12(b)(6) motion. For some judges, not all prior law is irrelevant where the statutes are broadly worded and the legal questions around privacy are not new in different related contexts. Asserting lack of personal jurisdiction and/or improper venue with factually intensive arguments about website activity make for stronger arguments than focusing on R. 12(b)(6)’s lenient and liberal standards. 

For more information contact Danielle Ocampo at danielle.ocampo@fmglaw.com or your local FMG attorney.

______________________________________________________________________________________

1. CA Penal Code §§630-638.5 et. seq. ↩︎
2. Id. At §631(a) ↩︎
3. Id. At §638.50(b) ↩︎
4. Id. At §638.50(c) ↩︎
5. Id. ↩︎
6. Id. at §637.2. ↩︎
7. Id. ↩︎
8. Licea v. Hickory Farms LLC Complaint; Licea v. Hickory Farms LLC Minute Order (3/13/24)  ↩︎