Greetings CIPAWorld!

I’m back with another exciting case to put on your radar. So, what’s the scoop? On the surface, Vishal Shah v. Fandom, Inc. might seem like a straightforward dispute over some lines of code on a gaming website, gamespot.com. See Vishal Shah v. Fandom, Inc., No. 24-cv-01062-RFL, 2024 U.S. Dist. LEXIS 193032 (N.D. Cal. Oct. 21, 2024). However, it delves into a more significant issue: the conflict between privacy rights and business practices. The U.S. District Court for the Northern District of California’s ruling is central to interpreting how the California Invasion of Privacy Act (“CIPA”) applies to internet tracking practices.

CIPA, as many of you know, is all about safeguarding personal information. Central to this case is Cal. Penal Code § 637.7 which prohibits installing or using a “pen register” without a court order. The statute broadly defines a pen register as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” Id. Although drafted initially with telephone technology in mind, Plaintiff, in this case, argues that this definition encompasses Fandom’s tracking code, which allegedly captures and shares users’ IP addresses without consent. Yikes.

Fandom, of course, pushed back, claiming that IP addresses are “content,” not “addressing information,” meaning CIPA’s rules wouldn’t apply. But this position runs headfirst into the Ninth Circuit’s take in In re Zynga Priv. Litig., 750 F.3d 1098, 1108 (9th Cir. 2014), where the Court held that “IP addresses constitute addressing information and do not necessarily reveal any more about the underlying contents of the communication.” The Court in Vishal Shah ran with this logic, saying IP addresses are a lot like phone numbers—basically, they serve as “addressing information” under CIPA.

So why does this matter?

I’m glad you asked. The Court wasn’t shy about interpreting CIPA in a way that aligns with its goal of protecting privacy. It pointed to the California Supreme Court’s instruction in Flanagan v. Flanagan, 41 P.3d 575, 581 (Cal. 2002), to read CIPA broadly. The Court also cited Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024, 1050 (S.D. Cal. 2023), emphasizing that CIPA’s definition of a pen register isn’t about the tech used but rather the data collected. This approach fits California’s goal of updating privacy statutes with digital and tracking technology.

Next, Fandom argued that users gave implied consent to IP address collection just by visiting the site. It seems like a straightforward argument. However, the Court didn’t buy it. It explained that “consent is generally limited to the specific conduct authorized,” meaning just showing up on a website doesn’t count as agreeing to let third parties collect your IP address. The Court highlighted that the real issue is whether the user specifically agreed to this kind of tracking, and that’s something Fandom hadn’t shown.

Fandom also claimed that collecting IP addresses is just part of how websites work—no big deal, right? The Court agreed that it’s a common practice, but it drew a line when it came to sharing that information with third parties without user consent. According to the Court, “Plaintiffs have plausibly alleged that they did not expect their IP addresses to be disseminated to the companies operating the Trackers, and did not impliedly or expressly agree to such dissemination by visiting gamespot.com.”

So, what is the big picture here?

The Court took a step back to remind us of the legislative intent behind CIPA, referencing Cal. Penal Code § 630: “[t]he Legislature by this chapter intends to protect the right of privacy of the people of this state.” The Court emphasized that California courts are supposed to interpret CIPA broadly and apply it to new tech where it fits the statutory framework. See Matera v. Google Inc., No. 15-cv-04062, 2016 WL 8200619, at *19 (N.D. Cal. Aug. 12, 2016). So when Fandom argued that allowing the lawsuit to continue could “unsettle the basic operating rules of the Internet,” the Court’s response was clear—its job is to apply the law as it’s written. If that creates friction, it’s up to the Legislature to address it.

Ultimately, the Court denied Fandom’s Motion to Dismiss, allowing the case to proceed. So be cautious. This ruling is a reminder that websites collecting and sharing IP addresses with third parties—without clear, informed user consent—may violate CIPA. Vishal Shah is much bigger than a video game website; it’s a glimpse into the ongoing debate over online data privacy and user rights in the digital age.

Remember,

Keep it legal, keep it smart, and stay ahead of the game.

Talk soon!