By William M. Miller, Guest Contributor
“At a minimum, any business with a website should review their terms and conditions and privacy policies to make sure that they are up-to-date, as well as consider adding active consents (like a click box) where the consumer approves the recording of their IP address and other user information.”
In the past year or so, companies doing business in California have been getting sued under a novel legal theory using an antiquated provision from the California Invasion of Privacy Act (CIPA) originally meant to prevent individuals and law enforcement from unauthorized monitoring of incoming (trap and trace) and outgoing (pen registers) telephone calls.
Enterprising plaintiff’s lawyers are attempting to argue, with at least some success, that websites that track IP addresses or other user information violate the CIPA, which carries with it criminal penalties and a private right of action, under which individuals may seek $5,000 in statutory damages per violation.
Class Actions and Alleged Violations
These lawsuits, which are often brought as class actions, generally contain allegations that a company’s website violates the “trap and trace” law by gathering user information, which includes device and browser information as well as geographic and other tracking software.
The allegations are not that any software is downloaded on a plaintiff’s device; instead, the law is violated simply by running code or “scripts” on a plaintiff’s device.
At first glance, it seems obvious that a law that specifically makes reference to monitoring telephone lines should be limited to telephones and was not intended to apply to the standard gatekeeping and monitoring software that are a part of almost every commercial website.
Unfortunately, the ambiguity in Penal Code §638.50 provides at least an opening for plaintiff’s lawyers to make a sufficient claim to pass initial scrutiny by several courts.
The Penal Code defines a “trap and trace” as use of “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of the communication.”
Defendants’ Key Arguments
When moving to dismiss these “trap and trace claims,” defendants have been focusing on several arguments.
First, defendants argue that the plaintiffs’ reading of the law simply does not make sense. To wit, the premise of the plaintiff’s argument is that a trap and trace device is anything that identifies an incoming number. If that were true, it would mean that the California state legislature meant to ban all caller identification, which has been standard on consumer cellular and home telephones for more than two decades.
Obviously, not every person with a cell phone is a criminal under California law. As a result, defendants have argued that the “trap and trace” law should be limited by its own terms, which require that a trap and trace device specify both the number of the telephone line on which the trap and trace device is installed and the identity of the person who owns the line.
Limited in this way, the trap and trace law only prohibits a person from putting a monitoring device on an individual’s phone line without their consent, which was clearly the original intent of the law and would not extend to a website owner monitoring the user traffic on their own website.
Second, some defendants have argued that recording an IP address, the digital equivalent to a phone number, is a requirement for a user to be able to interface with a website and therefore cannot possibly be prohibited.
Plaintiff’s counsel arguing for the expansion of the “trap and trace” law were emboldened by a California District Court case in 2023 wherein the court refused to dismiss a CIPA claim that alleged the defendant’s app used embedded software in cell phones to gather user data, which it then sold to third parties looking for user data.
Differentiating Cases and Public Policy
However, a subsequent state court in California distinguished that case on its facts by finding that recording an IP address was not the same as embedding software in a mobile phone “thereby providing unique location and other information within the domain of law enforcement officers with a warrant.”
Significantly, the court observed, “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for the purposes of connecting to the website, as a violator.”
Unfortunately, such beneficial language will not have the chance of being adopted by the appellate court, as the matter was dismissed shortly after the court sustained the defendant’s demurrer.
The Role of CCPA and Recommendations
Finally, California has a comprehensive statutory scheme in the California Consumer Privacy Act (CCPA), which provides detailed requirements for most California businesses regarding providing notice to users of what data is being collected, whether that data is being retained and/or sold, and what users can do to opt out of having their data retained, collected, and/or sold.
As a result, there is no evidence that the California legislature intended that Penal Code §638.50 et seq. should apply, requiring website owners to get an additional consent or that they should be prevented from collecting user data, even that which is permitted under the CCPA.
Despite these apparently compelling reasons why these types of complaints should be dismissed soon after they are filed, as noted above, both the state and federal courts have been reluctant to dismiss these matters at the pleading stage.
Hopefully, some of these decisions will make their way to the appellate courts and provide some firm guidance on these issues, and potentially defeat them outright.
Until that time, the question is what a business can do to attempt to avoid these matters entirely, or insulate itself from liability to the greatest degree possible. At a minimum, any business with a website should review their terms and conditions and privacy policies to make sure that they are up-to-date, as well as consider adding active consents (like a click box) where the consumer approves the recording of their IP address and other user information.
