The Rise Of The Pen Register And Trap And Trace Device Theory In Privacy Lawsuits
In recent years, lawsuits challenging technology that tracks website users have grown. The latest claims that California class action plaintiffs have introduced and begun to file are under the pen register and trap and trace device theory, under Section 638.51 of the California Invasion of Privacy Act (CIPA).
California Litigation Prior to the Use of the Pen Register and Trap and Trace Device Theory
In the past two years, there has been an increase of putative class action lawsuits targeting businesses with websites that utilize technology to track users’ website interactions. Most of these claims have been filed under the CIPA, alleging violations of Section 631, with the statutory penalty of $5,000 per violation.
Most of these claims were dismissed due to the plaintiffs’ lack of standing given the absence of a concrete injury. Now, plaintiffs are beginning to turn to the pen register and trap and trace theory as the basis for their claims.
The Pen Register and Trap and Trace Device Theory
Plaintiffs are claiming the use of certain software (e.g., website cookies, web beacons, pixels, script, or software code) that tracks a user’s location, search terms, browsing history or purchase history is comparable to a “pen register.” A pen register was a physical machine used in law enforcement to trace signals from phones and computer. State laws have prohibited the use of pen registers without a court order.
Using this new claim, in a July 2023 decision, the Southern District of California denied a motion to dismiss, allowing the putative class action lawsuit to move forward. Following this decision, over 50 cases have been filed in California state and federal courts under the CIPA pen register provision.
Under the CIPA Section 638.51, the installation or use of pen register or a trap and trace device without first obtaining a court order is prohibited. The CIPA defines pen register and trap and trace device under Section 638.50.
- Pen register is defined as “a device or process that records or decodes dialing, routing, addressing or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.”
- Trap and trace device is defined as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing or signaling information reasonably likely to identify the source of a wire or electronic communication.”
The statutory damages under the CIPA pen register provision are $2,500 per violation.
The CIPA pen register provision allows a provider of electronic or wire communication service to use a pen register if the consent of the user of that service has been obtained. Courts have yet to interpret the CIPA pen register consent provision. However, in past rulings, the courts have determined that a user’s affirmative consent has led other CIPA claims to fail.
Businesses should reevaluate their use of tracking tools and consider proactively updating their privacy policy and related disclosures to hedge claims under CIPA. Contact one of the privacy experts in McGrath North’s Privacy and Cybersecurity team for all questions related to the CIPA and how the current state of class actions and individual suits may impact your business.
Related Attorneys
