Quick Hits
- Businesses are facing a wave of lawsuits advancing novel legal theories targeting the use of website visitor tracking tools such as cookies, pixels, and web beacons.
- The suits allege these tools unlawfully track website visitors’ online activity and collect their information, such as visitors’ geographic and device information, and share that information with third parties for marketing purposes.
- Companies may want to determine whether their websites use the tools in question. If so, they may want to examine the extent to which the statute and its exceptions may apply and whether the website can be tweaked to buttress available defenses.
These lawsuits make generalized allegations that business websites use software or tools to collect various types of device and browsing information from website visitors and that businesses then share such information with other entities such as social media companies. The claims invoke an obscure provision of the California Invasion of Privacy Act (CIPA) meant to restrict law enforcement’s use of trap and trace devices—i.e., devices that record the incoming telephone numbers on a specific telephone line.
Recently, more than 400 such lawsuits have been filed. The suits come amid rising privacy and cybersecurity concerns and greater scrutiny from regulators and lawmakers, as evidenced by the growing patchwork of state comprehensive data privacy laws. As with other novel legal theories that start in California and spread elsewhere, similar lawsuits may be filed in other states with similar statutes.
Although it seems clear that the California trap and trace law was never meant to apply to website tracking or analytics tools in this manner, some courts are nonetheless refusing to dismiss these claims at the motion to dismiss stage. Businesses may want to take notice of such suits and the possibility that they will be forced to defend them, including any measures they can take preemptively to minimize the possibility of such suits and/or maximize the likelihood of prevailing should such a suit be filed.
California’s Trap and Trace Law
California Penal Code Section 638.51 provides that “a person may not install or use a pen register or a trap and trace device without first obtaining a court order.” The law broadly defines a “trap and trace device,” in turn, as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”
The challenge in defending against claims under Section 638.51 is the broad scope of the phrases “device or process” and “dialing, routing, addressing, or signaling information.” Notably, unlike comprehensive state privacy laws that are specifically designed to regulate collection and sharing of information through websites, the trap and trace law’s plain language criminalizes the mere collection of such information regardless of how the information is subsequently used.
The law includes multiple exceptions permitting the use of trap and trace devices, including “[t]o operate, maintain, and test a wire or electronic communication service” or with the consent of the “user” of the “electronic communication service,” which are ambiguous and undefined terms as discussed below. The law carries both criminal penalties and potential statutory damages of the greater of $5,000 per violation or three times the amount of actual damages, whichever is greater, and provides a private right of action to enforce violations.
Website Tracking Tools
Notwithstanding this flood of lawsuits, the law’s plain language and legislative history confirm that the law was not meant to apply to website analytics or tracking tools in such a manner. Rather, the law was enacted to provide an avenue for law enforcement to obtain information needed during their investigations, as evidenced by the fact that only peace officers may seek a court order for the use of a trap and trace device. The law was also intended to govern third-party interceptions of those communications rather than information received by the intended recipient of a communication.
In addition to arguing that the statute does not apply to these technologies at all, companies may have additional arguments to dismiss the claims, including:
- The website software constitutes a permissible use “[t]o operate, maintain, and test a wire or electronic communication service.”
- Because the website owner is the “user” of an “electronic communication service,” only the consent of the website owner is required for installing these technologies in their websites. There is a 2001 court decision adopting this argument in the context of a federal statute with similar terms. Alternatively, the website visitor may be deemed to have consented to the tools through acceptance of the website’s terms and conditions and/or an affirmative “opt in” consent.
- The court lacks personal jurisdiction over companies not based in California and with otherwise little connection to the state.
- The plaintiff cannot establish an injury sufficient to impart standing.
Despite these arguments, several courts have been reluctant to dismiss trap and trace claims after an initial motion to dismiss due to questions about the vague statutory definitions. In contrast, in March 2024, a court in the Los Angeles County Superior Court of California, Central District dismissed a trap and trace claim, finding software that tracks the IP addresses of website visitors does not violate the statute because website users do not have a legally protected interest in an IP address. The court further found that “public policy strongly disputes” the plaintiff’s interpretation of the law, noting “[s]uch a broad based interpretation would potentially disrupt a large swath of internet commerce.”
Next Steps
While the viability of the trap and trace lawsuits faces serious questions, businesses may want to take note of the wave of these lawsuits and assess their potential to be faced with similar claims. That process may include reviewing their websites’ analytics or tracking tools, whether data is collected and shared with third parties, and whether opt-in consent for tracking tools may be appropriate in certain high-risk states.