Beware of demand letters from plaintiffs’ attorneys for allegations of illegal use of pen registers, trap and trace pixels, and search bar pixels—why? This “trap and trace” litigation is a growing trend for plaintiffs’ attorneys because they can leverage existing wiretap laws (particularly in California under the California Invasion of Privacy Act (CIPA)) to argue that common online tracking technologies like cookies, pixels, and website analytics tools essentially function as trap and trace devices, allowing them to file complaints against companies for collecting user data without proper consent, even though these technologies were originally designed for traditional phone lines, not the internet, opening up a large pool of potential plaintiffs and potentially significant damages.

Section 638.51 of CIPA is the crux of these trap and trace claims. This provision addresses the unauthorized interception of electronic communications and prohibits the installation or use of a pen register or a trap and trace device without first obtaining a court order. Section 638.50(b) defines a pen register as a device or process that records or decodes “dialing, routing, addressing, or signaling information” (DRAS) transmitted by an instrument or facility from which a wire or electronic communication is sent, but does not include the contents of the communication itself. Section 638.50(c) defines a trap and trace device as a device or process that captures incoming electronic impulses to identify the originating number or other dialing information, essentially revealing the source of a wire or electronic communication but not the communication’s content.

Recent decisions in the United States District Courts for the Southern, Central, and Northern Districts of California have encouraged many of these claims (or at least, have sparked a surge in pre-litigation settlement demands from plaintiffs’ attorneys for alleged CIPA violations related to a business’ use of common website technologies).

A violation of the CIPA wiretapping provision (section 631(a)) requires the plaintiff to show a real-time interception of a “communication,” which is often difficult for a plaintiff to prove. However, pen registers and trap and trace devices do NOT require real-time interception but are limited to the collection of DRAS.

When you think of pen registers and trap and trace devices, you probably think of devices law enforcement uses to record all outgoing and incoming telephone numbers from specific telephone numbers. However, the court’s ruling in Greenley v. Kochava, 684 F. Supp. 3d 1024 (S.D. Cal. 2023) gave rise to a different type of trap and trace claim related to website tracking technology.

In Greenley, the plaintiff claimed that Kochava (a company that offers real-time data solutions specializing in omnichannel measurement and attribution for marketers) installed an illegal pen register; of course, Kochava insisted that its software did not constitute a pen register. The court in the Southern District of California held that a software development kit used to collect user data from mobile apps could be considered a pen register under the Communications Act, meaning that the company collecting the data could be liable for violating privacy laws by collecting this information without proper consent, as the court interpreted the definition of pen register to include software processes that identify and track users through data collection and correlation, not just physical devices.

The court specifically stated that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ is a process that falls within CIPA’s pen register definition.”

Under this interpretation, almost any device that communicates using the Internet Protocol, like cell phones and websites, could potentially be considered a pen register, significantly expanding the scope of surveillance technology.

In Moody v. C2 Education Systems Inc., No. 2:24-CV-04249-RGK-SK, 2024 WL 356167 (C.D. Cal. July 25, 2024), the plaintiff alleged that C2 Education Systems (an online tutoring program) violated CIPA by installing the TikTok marketing pixel and collecting the plaintiff’s information without prior consent. C2 disagreed and argued it was the website’s user and that C2 gave TikTok consent to install pixel technology on the website. CIPA has an exception for using pen registers and trap and trace devices “if the consent of the user of that service has been obtained.” While the court did find C2’s position persuasive, it did not “foreclose the possibility that Plaintiff is the relevant user under California law.” The court held that the plaintiff’s allegations about the pixel’s data collection capabilities were plausible enough to proceed with the case.

Additionally, in Shah v. Fandom, Inc., No. 24-CV-01062-RFL, 2024 WL 4539577 (N.D. Cal. Oct. 21, 2024), the court held that the definition of pen register specifies the type of data a pen register collects as “dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” However, the court also determined that CIPA is ambiguous about the collection tool, which is only described as “a device or process.” The court held that the plaintiffs sufficiently alleged that the website tracking technology could “at least” be a “process” because the software identifies the consumer, gathers data, and correlates that data. This broadened the definition of pen register beyond law enforcement’s common use of such devices.

While these cases are unsettled, their advancement past the pleading stage will likely lead to increased filings and demands related to website tracking technologies such as pen registers. Now is the time to assess your business’ website and address these emerging and increasing risks to deflect trap and trace litigation.