Readers of our blog are well aware of the rash of recent lawsuits alleging that a company’s use of tracking software on its website constitutes a “pen register,” as defined under the California Invasion of Privacy Act (“CIPA”). Emboldened by a federal court decision denying a company’s motion to dismiss, the Plaintiffs’ Bar is bringing pen register CIPA claims under Section 638.51 against companies that use tracking technology on their websites. However, two contradictory decisions from the same California State court illustrate the inherent difficulty that courts grapple with in applying decades-old legislation to constantly evolving technology.
Two Contradictory CIPA Decisions: Which is Right?
In Licea v. Hickory Farms LLC, Case No. 23STCV26148 (Cal. Sup. Ct. L.A. County Mar. 13, 2024), plaintiff sued defendant, an online gift retailer. Plaintiff alleged that the company’s website recorded his IP address, which the company then allegedly aggregated with other data that plaintiff shared online. Plaintiff asserted defendant’s use of this technology constituted an unlawful pen register in violation of Section 638.51 of CIPA.
Defendant sought dismissal and argued that the pen register statute only extends to devices that record phone numbers. The court sustained the dismissal of plaintiff’s pen register claim and cited, among other things, the public policy issues presented by embracing the expansive definition of pen registers as proposed by plaintiff. In its holding, the Court stated “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws” because it would render every company that provides an IP address for purposes of connecting a website liable. The Court further stated “[s]uch a broad based interpretation would potentially disrupt a large swath of internet commerce without further refinement as the precise basis of liability, which the court declines to consider.”
Less than a month later, the Court reached a different conclusion in Levings v. Choice Hotels International Inc., Case No. 23STCV28359 (Cal. Sup. Ct. L.A. County Apr. 3, 2024). Faced with allegations substantially similar to those brought in Licea, the Court declined to dismiss plaintiff’s pen register claim. Unlike the judge in Licea, the judge in Levings was not concerned with the public policy consequences of accepting such a broad definition of pen register. Rather, the judge held that accepting defendant’s argument that plaintiff consented merely by visiting defendant’s website would essentially swallow the statutory definition of a pen register. In rejecting defendant’s consent theory, the judge stated “[i]f merely visiting a website constitutes consent to the use of a pen register, then Section 638.51(a) would be a dead letter.”
The Muddled CIPA Pen Register Landscape
These different approaches, within the same court no less, highlight the need for appellate and/or legislative clarification. Until then, however, more pen register lawsuits are certain to follow. As such, it is imperative that businesses immediately evaluate their data collection technologies and practices, and how consent to use consumer data is obtained from website visitors.