pen register CIPA data privacy consumer data

Use of Pen Registers Is Focus of Recent Consumer Privacy Claims

As readers of our blog know, the use of website user tracking software has been the subject of many recent consumer privacy lawsuits. The latest iteration of consumer privacy cases involves the use of “pen registers” that allegedly track website user activity in violation of the California Invasion of Privacy Act (“CIPA”). Violations of this statute carry a fine of up to $5,000 per violation.

Plaintiffs Make “Pen Registers” Their Newest Target

In Greenley v. Kochava, No. 22-cv-01327-BAS-AHG, 2023 U.S. Dist. LEXIS 130552 (S.D. Cal. Jul. 27, 2023), the Southern District Court of California recently denied Kochava’s motion to dismiss plaintiff’s pen register CIPA claims, reasoning that the expansive language used to define pen register in the statute “indicates courts should focus less on the form of the data collector and more on the result.” The Court further determined that the term “process,” as used in the definition of pen register, can include “software that identifies consumers, gathers data, and correlates that data through unique fingerprinting.’” Accordingly, the Court found that plaintiff had adequately alleged that the software at issue was a pen register.

A “pen register” is defined as a “device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” Unlike “trap and trace” software, which captures incoming transmissions, pen registers only capture outbound transmissions. With certain limited exceptions, installation or use of a pen register requires a court order or user consent. When coined, “pen register” was a device used to record telegraph signals on a piece of paper using a fountain pen. As the Greenley case makes clear, the definition of “pen register” has expanded significantly over the years, with enterprising plaintiffs’ attorneys now arguing that it encompasses software used to track the online activity of Internet users.

Recent Pen Register Lawsuits and How to Protect Your Business

Of particular importance in Greenley is the fact that defendant Kochava is a software provider, not a third-party user of the software. This is a salient point which the Court noted when it reasoned that “it is Defendant’s interception, packaging, and reselling of Plaintiff’s data that constitute the privacy violations in this case. Third-party apps are merely the vessel for Defendant’s SDK [software] to collect data.”

Whereas recent wiretapping cases often failed to survive dismissal motions, pen register claims are likely to see more success due to CIPA’s definition of what constitutes a pen register and the overall breadth of the statute. Although pen register claims are similar to other consumer privacy claims, there is one critical distinction: under CIPA, a cause of action arises simply by installing or using a pen register, even if the contents of the communication are not recorded. Although Greenley was brought directly against a software company, recent lawsuits also have targeted website operators, rather than the developers of alleged pen registers.

In light of the Greenley decision, online businesses should anticipate the filing of more pen register lawsuits in the near future. As such, it is imperative that businesses evaluate their data collection technologies and practices, and how consent to use that data is obtained from website visitors.

The attorneys at Klein Moynihan Turco have a wealth of experience in all aspects of consumer privacy and marketing law. Our first-rate litigation defense team will use this experience to ensure that your business gets the possible representation in the event that you are named as a defendant in a lawsuit.

If you need assistance with defending a lawsuit or updating your privacy practices and procedures, please email us at or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.

Attorney Advertising

Photo by Markus Spiske on Unsplash

Similar Blog Posts:

Do Your Privacy Policy Changes Require Consumer Notice And Consent?

Does The Use Of Chatbots Constitute Wiretapping?

Website/App Provider In Hot Water For Ambiguous Privacy Policy


David Klein

David Klein is one of the most recognized attorneys in the technology, Internet marketing, sweepstakes, and telecommunications fields. Skilled at counseling clients on a broad range of technology-related matters, David Klein has substantial experience in negotiating and drafting complex licensing, marketing and Internet agreements.
FTSA TCPA Telemarketing telemarketer note pad lawsuit

FTSA Lawsuit Update

Readers of our blog may recall a recent piece in which we discussed a Florida Telephone Solicitation Act (“FTSA”) lawsuit pending in the United States

Read More »

Trending Topics

FTSA TCPA Telemarketing telemarketer note pad lawsuit

FTSA Lawsuit Update

Readers of our blog may recall a recent piece in which we discussed a Florida Telephone Solicitation Act (“FTSA”) lawsuit pending in the United States

Read More »