The California Invasion of Privacy Act (CIPA) is driving a wave of litigation that could significantly impact businesses with consumer-facing websites. Hundreds of lawsuits have been filed recently alleging that businesses operating in California violated CIPA due to very common software and business practices found on their websites. Initially intended to regulate law enforcement’s use of “trap and trace” devices, plaintiffs now argue that CIPA’s outdated language applies to website tracking tools, such as cookies, pixels, and beacons.
Background on Trap and Trace Provisions
California’s Penal Code Section 638.51 prohibits installing or using a trap and trace device without a court order. A trap and trace device identifies the origin of incoming signals, similar to caller ID but more advanced. Originally, this provision applied only to law enforcement tracking incoming telephone numbers. However, plaintiffs now claim that common online tools also violate the statute by capturing information like IP addresses, geographic data, and browsing habits—data they argue is akin to “dialing, routing, addressing, or signaling information” regulated under CIPA.
The recent lawsuits target businesses across sectors, asserting that website visitor tracking constitutes illegal data collection. Plaintiffs argue that the law’s broad definitions of “trap and trace” devices include online tracking technologies, even though these provisions were designed decades ago with telephones, not the internet, in mind. Many businesses argue this a misapplication of an old law that has no proper application to the internet.
Key Legal Issues and Litigation Trends
Several critical rulings highlight the evolving nature of trap and trace litigation:
- Greenley v. Kochava: This pivotal case helped launch the new wave of litigation by allowing claims that software used to track user data (including clicks and purchase history) could be considered a “pen register” under CIPA. This interpretation emboldened plaintiffs to pursue similar cases, leading to a spike in lawsuits asserting that online tracking tools fall under the statute’s reach. 2023 WL 4833466 (S.D. Cal. July 27, 2023).
- Licea v. Hickory Farms: In contrast, this decision dismissed a plaintiff’s attempt to apply CIPA to website analytics. The Los Angeles Superior Court rejected claims that tracking IP addresses alone constituted a CIPA violation, reasoning that such interpretation would disrupt legitimate online commerce. This ruling offers a line of hope for defendants, suggesting that not all tracking technology will fall under CIPA’s restrictions. Case No. 23STCV26148 (Cal. Sup. Ct. L.A. County Mar. 13, 2024).
- Potential Nationwide Impact: CIPA’s expansive language, combined with the possibility of high statutory damages, makes this law appealing to serial privacy litigants looking for settlement payouts or court judgments. As similar privacy laws take hold across the U.S., these novel CIPA claims could inspire related actions in other states, raising stakes for companies nationwide.
Possible Defenses for Businesses
Despite the surge in lawsuits, businesses have several potential defenses to CIPA trap and trace claims. One common defense is user consent. Many businesses argue that visitors consent to tracking through cookie notices or privacy policies. While California requires explicit disclosure, clear opt-in mechanisms may help mitigate liability.
Another defense involves public policy arguments. Courts have signaled hesitancy to interpret CIPA in a way that broadly restricts website analytics. In Licea v. Hickory Farms, the court noted that applying the statute this way could have unintended economic consequences for online businesses, a policy argument that could sway other judges. Further case law is needed to fully clarify CIPA’s application to the internet.
Jurisdictional challenges also provide a potential defense. Since CIPA primarily applies within California, businesses with limited ties to the state may contest the court’s jurisdiction over the case. Non-California companies might argue they should not be subject to lawsuits if their activities were primarily conducted outside the state.
Businesses may raise defenses based on standing and lack of injury. Plaintiffs often face difficulties in demonstrating actual harm under CIPA, especially when the data being tracked does not involve sensitive personal information. Courts may dismiss cases where plaintiffs fail to establish the required “injury-in-fact,” which is necessary to meet standing requirements under privacy laws.
Risk Mitigation Strategies
To minimize litigation risk, California-based businesses and those targeting California consumers can take proactive steps. Companies should conduct regular audits of tracking technologies to ensure their practices comply with CIPA’s evolving interpretations. By evaluating the types of tracking tools deployed on their websites or apps, businesses can stay ahead of any legal changes that may impact their operations.
Another key step is to implement enhanced privacy disclosures. Clear privacy policies and opt-in agreements, with language specifically addressing tracking practices, help businesses to ensure that consumers are fully informed of the tracking practices in place. Doing so may reduce the likelihood of claims related to unauthorized data collection.
Businesses should also consider limiting data sharing with third parties. Given concerns from plaintiffs about data being shared with entities like social media platforms, companies can mitigate risks by reviewing their partnerships and minimizing unnecessary third-party data transfers. This can help prevent potential privacy violations and related litigation.
With several high-stakes cases pending, businesses should monitor litigation trends closely. Tracking emerging court rulings to assess whether their practices align with judicial guidance on CIPA compliance helps businesses reduce the risk of legal challenges.
How to Respond to a Lawsuit
Facing a lawsuit under California’s trap and trace provisions can be daunting. Here are basic steps for businesses to respond effectively:
- Understand the Response Timeline
Once a complaint is served, defendants typically have 30 days to file a response in California state court (or 21 days in federal court). Missing this deadline can result in a default judgment, which may lead to unfavorable outcomes, including penalties. Businesses should immediately review the filing and engage legal counsel to ensure a timely response.
- Evaluate Potential Defenses
A thorough assessment of potential defenses is critical. Key defenses to explore include:
-
- Consent of the User: Many websites have privacy policies and cookie banners that users interact with, potentially signaling consent. Demonstrating user awareness and agreement to tracking practices may strengthen a defense.
-
- Applicability of CIPA: Arguing that CIPA’s trap and trace provisions do not apply to routine tracking technologies or website analytics can be effective. Courts have occasionally agreed that IP tracking and website functionality fall outside CIPA’s original scope.
-
- Jurisdictional Challenges: If your business is not based in California or has limited California ties, a jurisdictional defense may be available.
-
- Lack of Harm: Many plaintiffs face difficulty establishing concrete harm from tracking practices, which can lead to dismissals.
If a solid defense applies or the Plaintiff’s claims are weak, you can consider filing a motion to dismiss, demurrer or motion for summary judgment to have the court throw out the lawsuit.
- Consider Settlement Options
Defending against class actions or individual lawsuits can be costly. Settlement is one way to resolve the case efficiently. Early settlement negotiations may include agreeing to enhanced privacy practices and a payment to the plaintiff. Businesses should weigh the benefits of an early settlement against the likelihood of dismissal based on defenses. Be sure to discuss this with legal counsel before agreeing to or signing anything.
The broad application of California’s trap and trace provisions to website tracking tools remains a contentious issue. Businesses are advised to consult legal counsel to tailor compliance measures in light of evolving CIPA interpretations.
JMBM has defended many businesses against these lawsuits. If your business has been sued or received a complaint letter, please contact us.
Stuart Tubis is a civil litigator representing clients in a wide range of matters, particularly Americans with Disabilities Act (ADA) and Unruh Civil Rights Act claims. He counsels businesses on the full spectrum of accessibility compliance and represents their interests in civil litigation and Department of Justice investigations. Stuart has a background in technology, which helps in resolving the growing area of website accessibility issues. His experience extends to all aspects of litigation, including pleadings, discovery, motion practice, negotiations, arbitration, trial advocacy, settlement and alternative dispute resolution.
Contact Stuart at STubis@jmbm.com or 415.984.9622.
This update is provided to our clients, business associates and friends for informational purposes only. Legal advice should be based on your specific situation and provided by a qualified attorney.