Readers of this blog may recall our prior piece about recent lawsuits alleging that the use of tracking software on certain websites violates the California Invasion of Privacy Act (“CIPA”). While earlier lawsuits focused on wiretapping and the use of “pen registers,” more recent filings have focused on CIPA’s prohibition on the use of “trap and trace” devices, discussed below. 

Trap and Trace vs. Pen Register  

CIPA defines a “trap and trace device” as a “device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” Unlike a “pen register,” which captures outgoing transmissions, a trap and trace device captures incoming transmissions. Traditionally, trap and trace devices and pen registers were used by law enforcement for surveillance purposes. Absent limited exceptions, such as the subject individual’s consent or a court order, use of a trap and trace device or pen register is unlawful. Note that CIPA provides for statutory damages of $5,000 per violation.  

By way of example, in Sorensen v. Golden Corral Corporation, Plaintiff alleged that Defendant installed software created by TikTok to identify website visitors, and that, absent consumer notice and consent, the utilization of this software on Defendant’s website constitutes an illegal trap and trap device. Specifically, Plaintiff alleged that the TikTok software collected consumer: (1) device and browser information; (2) geographic information; (3) phone numbers; and (4) email addresses. According to the Complaint, this information was transmitted to TikTok to match Plaintiff’s information with data that TikTok had already acquired. As Plaintiff alleged, use of the TikTok software constituted an illegal trap and trace device in violation of Section 638.51 of CIPA. 

Consistent with the original intent of the law, the language of CIPA clearly is aimed at law enforcement’s use of trap and trace devices and pen registers. However, enterprising plaintiffs’ attorneys, as evidenced by the Sorensen case, have recently tried to expand CIPA’s scope and apply it to the use of third-party tracking software found on websites. The general framework of these lawsuits alleges that tracking technology is used to capture consumer interactions while visiting certain websites, and that the use of such technology constitutes an illegal trap and trace device or pen register. California courts continue to struggle with claims that use of unauthorized third-party tracking software to capture a website visitor’s IP address without adequate notice and consent constitutes use of a pen register under CIPA. In fact, when faced with nearly identical factual allegations, one California court issued contradictory decisions just three weeks apart. 

Trap and Trace CIPA Lawsuits 

Like pen register allegations, allegations that the use of third-party tracking software constitutes an illegal trap and trace device are likely to confound the courts. Until courts offer concrete interpretive guidance, plaintiffs’ attorneys will continue to bring trap and trace claims under the guise of CIPA violations. Given the foregoing, if your company uses third-party tracking software on its website, it is critical to evaluate: (1) your data collection technology and practices; (2) the type of data you collect and when data collection begins and ends; (3) how consent to collect and use such consumer data is obtained; and (4) with whom your company shares this information.  

[View source.]