June 21, 2024

From Song Beverly to CIPA: Wave of Privacy Litigation in California Targets IP Addresses

Nicolas Dolce, Myriah Jaworski, Chirag Patel

Clark Hill PLC

+ Follow Contact

Send

Embed

An Internet Protocol (IP) address is a unique identifier assigned to a device that is connected to a computer network. In the internet ecosystem, the IP allows a network host to communicate with a network participant and route that participant to different destinations (i.e., websites).

California’s state privacy act, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA), does not take a position on whether an IP address, standing alone, is personally identifiable information (PII). Rather, FAQs to the CCPA/CPRA regulations make clear that the PII analysis is contextual and based on whether the IP address can be linked to a consumer or household. In some use cases, an IP address may be associated with a home, location, email address, or payment information. In other contexts, such as for fraud detection of website traffic, an IP address may not be linked to any other data elements. Courts, too, have struggled with whether IP addresses are PII, often coming to different conclusions depending on the factual circumstances surrounding the collection and use.

Yet, the ever-active plaintiffs’ privacy bar in California, through a wave of new privacy class action filings, has taken an affirmative position: IP addresses are PII, the collection of which (according to plaintiffs’ counsel) is prohibited by certain state laws.

Specifically, in a new wave of class actions filed in California state courts recently under the California Song-Beverly Credit Card Act (the “Act”), Plaintiffs argue that businesses are improperly collecting IP addresses during online credit card transactions and that this information is then used to target marketing efforts to consumers, in violation of the Act.

The Song-Beverly Act – which, like other state privacy laws leveraged by the plaintiffs’ bar was enacted long before the rise of the internet economy – prohibits retailers from requesting from consumers’ “personal identification information” during or before the credit card transaction and creating a record of that transaction (generally, a receipt) that includes the personal identification information provided.

The Act expressly defines “personal identification information” as any information concerning the cardholder that is not set forth on the credit card, including the cardholder’s address and telephone number. According to the Plaintiffs’ filings, because an IP address is “not set forth on the credit card,” and does not “concern the cardholder,” the collection of an IP address during online credit card transactions is in violation of the Act.

The Act provides a few exceptions to this general prohibition. For example, retailers are permitted to require reasonable forms of positive identification, such as a driver’s license or photo ID card, so long as no information is recorded. Specifically, the Act allows retailers to request personal identification information in connection with a credit card transaction where (1) the retailer “is contractually obligated to provide personal identification information in order to complete the credit card transaction” or (2) the collection “is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” And, the law makes no reference to credit card transactions conducted over the internet, likely because it was enacted in 1971, prior to the rise of online retail and at a time when most credit card transactions occurred on paper.

For online and e-commerce transactions, the collection of an IP address is a necessary part of the transaction – not necessarily to complete the transaction per se, but necessary to allow the consumer to engage with the website in the first instance. As one federal district court has explained that without “recording the IP information sent to” website operators, “the Internet could not function because standard computer operations require recording IP addresses so parties can communicate with one another over the Internet.”

But, in other contexts, California courts have held that the collection of zip codes – which can function much like IP addresses – during the credit card transaction is in violation of the Act. It remains to be seen whether the role of IP address in identity verification and shipping will be deemed necessary under the Act, or in violation of it. The breadth of the Act is currently unsettled.

As with other privacy class actions, plaintiffs in Song-Beverly filings seek the recovery of statutory damages, attorneys’ fees, and costs; presumably for class sizes totaling all California consumer purchases during a relevant time frame. As California is the fourth largest economy in the world, and first in the nation, the putative class sizes could be enormous depending on the retailer.

These new Song-Beverly Act filings follow two years of a tidal wave of litigation under the California Invasion of Privacy Act (“CIPA”) statute – the State’s wiretapping and eavesdropping law. Filed in both state and federal court, and private arbitration proceedings, CIPA claims follow two main theories of liability: (1) liability for aiding and abetting in the “interception” of communications by chatbots deployed on websites; and (2) liability for the collection (or “trapping”) of PII by cookie or pixel (usually Google Analytics, Meta or TikTok Pixel) without a court order or affirmative consent prior to the deployment of the tracking technology. These CIPA claims include IP address as a form of allegedly wrongfully collected or intercepted PII.

While Song-Beverly filings target retailers who allow for online credit card transactions, the CIPA claims more broadly targeted all businesses (including some business-to-business companies and non-profit hospital systems) with websites available to California consumers.

With an ever-creative and motivated plaintiffs’ bar, businesses that operate in or make products available to California consumers online should inventory their online data collection practices and use of tracking technologies to determine whether it could conceivably be covered by the Song-Beverly Act or CIPA.

The collection of IP addresses, while seemingly innocuous or necessary to facilitate online interactions, may in certain contexts provide the basis for liability.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.