As more U.S. states enact comprehensive consumer privacy legislation, plaintiffs are turning to laws from the 1960s to pursue claims against companies that use website tracking technologies. Most notably, there has been a significant uptick in privacy litigation claiming that the use of website technology, such as session replay, chatbots, tracking pixels, and other analytics software, violates the California Invasion of Privacy Act (“CIPA”).
How We Got Here
Since 2022, a wave of class action lawsuits has been filed regarding Meta’s pixel, a tracking tool often used by companies for targeted advertising by tracking user activity. Many of these cases allege a violation of the Video Privacy Protection Act of 1988 (“VPPA”), a federal law prohibiting videotape service providers from knowingly disclosing personally identifiable information concerning their consumers. These lawsuits allege that companies which stream online video content on their websites while using the Meta pixel violated the VPPA by transmitting personally identifiable information about a website user to Meta. While many courts dismissed the VPPA Meta pixel cases, some of these cases (such as Ambrose v. Boston Globe Media Partners LLC[1]) have survived the motion to dismiss stage, leading the parties to settle instead.
Lawsuits involving the Meta pixel, along with similar technology, are also being filed under alleged violations of strong state wiretapping laws, such as the CIPA. The CIPA, which was enacted in 1961, intended to protect California residents from then-new technologies used for different kinds of wiretapping. In these modern-day cases, plaintiffs claim that the use of many web analytics tools amount to a violation of CIPA’s wiretapping and eavesdropping provisions.
Relying on a Ninth Circuit court decision which held that CIPA also applies to “internet communications”[2], plaintiffs’ firms circulated hundreds of demand letters threatening CIPA class action litigation under CIPA’s Section 631(a) – which prohibits third-party wiretapping – and Section 632.7 – which prohibits the interception or receipt and recording of certain wireless communications without consent. The statutory penalty is $5,000 per violation, making it an attractive avenue for plaintiffs’ firms.
Where We Are Now (Thanks to Greenley v. Kochava[3])
An even more recent decision from the United States District Court for the Southern District of California has prompted plaintiffs’ firms to turn to yet another theory and to file suits under alleged violations of CIPA Section 638.51. Section 638.51 prohibits the installation or use of a “pen register” or a “trap and trace device” without first obtaining a court order. A “pen register” is defined as a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.
The plaintiff in Greenley v. Kochava claimed that the defendant’s software that was installed in third-party mobile applications constituted an illegally installed pen register by tracking a user’s “geolocation, search terms, click choices, purchase decisions, and/or payment methods,” collecting this tracked information, and then selling it to third-party advertisers. Deciding on a motion to dismiss, the Greenley court stated that while CIPA’s definition of a pen register was specific as to the type of data a pen register collects, it was “vague and inclusive as to the form of the collection tool – ‘a device or process.’” With this in mind, the Greenley court held that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ is a process that falls within CIPA’s pen register definition.” Accordingly, the court denied the defendant’s motion to dismiss.
Following the Greenley court’s decision, over 50 new cases have already been filed in California state and federal courts under the CIPA pen register provision.
Where to Go from Here
Accordingly, businesses should evaluate their use of tracking software and technology, along with the disclosures in their privacy policy and potential consent mechanisms. The CIPA pen register provision allows a provider of electronic or wire communication services to use such a pen register if the consent of the user has been obtained. Although California courts have not yet interpreted consent in the context of the CIPA’s pen register provision, courts have found a user’s affirmative consent to be a successful defense in other CIPA claims.
[1] Ambrose v. Boston Globe Media Partners LLC, No. 1:22-cv-10195-RGS.
[2] Javier v. Assurance IQ LLC et al., 2022 WL 1744107, *1 (9th Cir. 2022).
[3] Greenley v. Kochava, Inc., No. 22-CV-01327-BAS-AHG, 2023 WL 4833466 (S.D. Cal. July 27, 2023).