In a recent wave of CIPA lawsuits and demand letters, the usual suspects have accused website operators of “secretly installing tracking software on the devices of all visitors,” in an alleged violation of California law. Here, as in previous CIPA lawsuits, the plaintiffs allege that the use of online tracking technologies, such as pixels, cookies and web beacons, amounts to the use of a ‘pen register’ (PR) or ‘trap and trace’ device. (TTD) that “capture” a visitor’s IP address resulting in the “illegal interception” of communications signaling information under Section 638.51 of CIPA.
CIPA Section 638.51 – Pen Registers and Trap and Trace Devices
Like most statutes within CIPA, the PR/TTD restrictions appear to be written by a combination of ChatGPT and the ‘Have You Ever Had a Dream’ child. Specifically, the term “pen register” has evolved from a mechanical device used to record telegraph signals on paper, to devices used by law enforcement officers to keep track of numbers dialed from specific telephone lines. Meanwhile, “trap and trace” devices are similarly defined as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information that reasonably identifies the source of a number can identify. wired or electronic communications, but not the content of a communication.” CIPA section 638.50. These apparently broad definitions are then combined with the prohibition in section 638.51 that no person may use PR/TTDs unless he or she has first obtained a court order or is the communications service provider using it to operate its service.
So has California quietly criminalized the entire Internet – where every website operator routinely obtains the IP addresses of website visitors – without obtaining a search warrant? That’s apparently the theory underlying these latest claims about intent.
Recent lawsuits and allegations
As we previously detailed, there has been an explosion of CIPA lawsuits brought by Scott Ferrell and others since the U.S. Court of Appeals for the Ninth Circuit issued the unpublished ruling. Javier to Assurance IQ decision. Plaintiffs’ lawyers were further encouraged by the 2023 decision Greenley vs. Kochavawhich applied the pen register provisions of CIPA to the suspect’s use of software development kits (SDKs). The court ruled in this case that software capable of identifying consumers, collecting data and correlating this data through unique ‘fingerprints’ can be considered a pen register, at least at the rejection request stage, since it would qualify as a lawsuit under the statute’s definition. Crucially, however, the Groenley The case specifically focused on the actions of a third-party data broker who allegedly placed “spyware” code into the proprietary app developer’s SDK. In other words, a third-party ‘eavesdropper’ would have intercepted data and programmed the SDK to automatically route app user data to it without permission.
This is an important distinction because, in typical Ferrell fashion, he takes a fringe case that focuses on alleged third-party interception and then applies it to first party website operators at the destination. In fact, his latest complaint under Section 538.51 won’t even disclose the allegedly offensive “beacon by name, the details of its deployment, or the scope of its operation” to deter “copycat” lawsuits. And he claims this while filing the same copycat complaint over and over again. If only irony was an affirmative defense in California. But fortunately, there are still plenty of arguments to refute these unfounded claims.
Your website is not a Trap and Trace device
As noted above, the underlying theories in these cases would effectively criminalize the Internet, as each website collects and stores visitors’ IP addresses and other signaling information. Many of the same companies making these claims use Google Analytics and other “tracking technologies” on their own websites that “capture” visitors’ IP addresses and share them with third parties. This is the CIPA equivalent of “I learned it from watching you!”
Additionally, California has a comprehensive privacy law that gives consumers control over their personal information: the California Consumer Privacy Act (CCPA). The CCPA deliberately focuses on how companies can do this collect and use consumer information obtained online, expressly including their IP address and device IDsetc. It also sets out what disclosures are required and how such disclosures should be made to consumers. Therefore, plaintiffs’ arguments in these cases are based on the absurd premise that CIPA quiet replaces the CCPA disrupts the careful and comprehensive balance between consumers’ privacy rights and businesses’ ability to collect those rights And use the exact information at stake.
Ultimately, if you dig a little deeper into these trap-and-trace claims, they may not apply to website operators for several reasons. In fact the only purpose of these sections of CIPA authorize state and local law enforcement agencies to use pen registration and trap and trace devices under state law, and to permit the issuance of emergency pen registers and trapping and tracking equipment. In other words, this statute was not adopted to limit any party to a communication, including website operators, to continue to use the information exchanged in the normal course of a communication. Otherwise, anyone who uses caller ID on their phone without a court order is immediately entitled to prison.
This is the only reasonable conclusion when analyzing the statutory definition sections, which expressly limit the key terms ‘wire communications’ and ‘electronic communications’ to their application to the interceptions of wire and electronic communications. This means that these definitions expressly do not apply to stored communications or stored content. And as we have successfully argued in similar CIPA cases, once a consumer reaches the destination website, receipt occurs, not interception.
Secondly, and relatedly, the only entities capable of using a pen register or trap-and-trace device under the relevant CIPA sections are “peace officers” under court orders or “providers of electronic or wire communications services” under any of the listed statutory exceptions, as with the “consent of the user of that service.” In other words, the only entities covered by this statute are non-parties on the communication, if any, that further supports the express legal definitions to which the scope is limited interceptionsinstead of receptions by parties involved in the communication.
Third, consent is only a defense for the communications service providerand not the possible recipient of the communication. If plaintiffs’ lawyers argue that companies provide the communications service in question and had to obtain consent, then there is a separate statutory exemption for the use of pen registers or trap and trace devices “to [or] retain … [the] communications service.” So in these scenarios, plaintiffs’ lawyers have no reason to complain about the way companies run their websites, which is exactly what they do.
Fourth, the statutes incorporated by reference into the relevant CIPA sections further state that this law does not apply to the operation of websites, and in fact only applies to by telephone communication on the go. Specifically, Section 638.52 only considers court orders that “shall specify … the telephone line to which the pen register or trap-and-trace device is to be connected.” Another section only allows verbal approval to install PR/TTDs if the same grounds under section 638.52 are met. Simply put, Internet communications do not even fall within the scope of the relevant chapter of the California Penal Code. The point is, don’t concede that this statute tacitly applies to Internet data exchanges when the CCPA was expressly enacted to govern this area.
Ultimately, if you find yourself receiving a wiretap request or complaint, know that you have options to combat it. If you have any questions or need assistance with privacy, data processing, cybersecurity or related litigation, please contact Adam Bowser or Andrea Gumushian.
