Readers of our blog are well aware of the rash of recent lawsuits alleging that a company’s use of tracking software on its website constitutes a “pen register,” as defined under the California Invasion of Privacy Act (“CIPA”). Emboldened by a federal court decision denying a company’s motion to dismiss, the Plaintiffs’ Bar is targeting companies that use tracking technology on their websites to bring pen register CIPA claims under Section 638.51. However, two contradictory decisions from the same California State court illustrate the inherent difficulty that courts grapple with in applying decades old legislation to constantly evolving technology.
Two Contradictory CIPA Decisions: Which is Right?
In Licea v. Hickory Farms LLC, Case No. 23STCV26148 (Cal. Sup. Ct. L.A. County Mar. 13, 2024), plaintiff sued defendant, an online gift retailer. Plaintiff alleged that the company’s website recorded his IP address, which the company then allegedly aggregated with other data that plaintiff shared online. Plaintiff asserted defendant’s use of this technology constituted an unlawful pen register in violation of Section 638.51 of CIPA.
Defendant sought dismissal and argued that the pen register statute only extends to devices that record phone numbers. The court sustained the dismissal of plaintiff’s pen register claim and cited, among other things, the public policy issues presented by embracing the expansive definition of pen registers as proposed by plaintiff. In its holding, the Court stated “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws” because it would render every company that provides an IP address for purposes of connecting a website liable. The Court further stated “[s]uch a broad based interpretation would potentially disrupt a large swath of internet commerce without further refinement as the precise basis of liability, which the court declines to consider.”
Less than a month later, the Court reached a different conclusion in Levings v. Choice Hotels International Inc., Case No. 23STCV28359 (Cal. Sup. Ct. L.A. County Apr. 3, 2024). Faced with substantially similar allegations as those brought in Licea, the Court denied dismissing plaintiff’s pen register claim. Unlike the judge in Licea, the judge in Levings was not concerned with the public policy consequences of accepting such a broad definition of pen register. Rather, the judge held that accepting defendant’s argument that plaintiff consented merely by visiting defendant’s website would essentially swallow the statutory definition of a pen register. In rejecting defendant’s consent theory, the judge stated “[i]f merely visiting a website constitutes consent to the use of a pen register, then Section 638.51(a) would be a dead letter.”
The Muddled CIPA Pen Register Landscape
These different approaches, within the same court no less, highlight the need for appellate and/or legislative clarification. Until then, however, more pen register lawsuits are certain to follow. As such, it is imperative that businesses immediately evaluate their data collection technologies and practices, and how consent to use consumer data is obtained from website visitors.
The attorneys at Klein Moynihan Turco have a wealth of experience in all aspects of consumer privacy and marketing law. Our first-rate litigation defense team will use this experience to ensure that your business gets the best possible representation in the event that you are named as a defendant in a lawsuit.
If you need assistance with defending a lawsuit or updating your privacy practices and procedures, please email us at info@kleinmoynihan.com or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.
Attorney Advertising
Similar Blog Posts:
Do Your Privacy Policy Changes Require Consumer Notice And Consent?
Does The Use Of Chatbots Constitute Wiretapping?
Website/App Provider In Hot Water For Ambiguous Privacy Policy
