Websites cannot load without the transmission of an IP address, which tells websites where to deliver the webpages displayed on a user’s browser. Yet a number of lawsuits have started challenging this routine transmission of IP addresses under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) that prohibits the use of “pen registers” or “trap and trace devices.” Cal. Penal Code § 638.51. A California court recently held that this pen register provision “did not, and does not, criminalize the process by which all websites communicate with all users who choose to access them.” See Casillas v. Transitions Optical, Inc., 2024 WL 4873370 (Cal. Super. Sept. 9, 2024).
Pen register lawsuits like this one are similar to the website wiretapping lawsuits that have targeted hundreds of businesses in recent years. Plaintiff Miltita Casillas claimed that Defendant Transitions Optical used a website tool (which she called a “tracking beacon”) to transmit data concerning her visit to Transitions’ website. However, the type of data allegedly collected in a pen register suit is different: whereas a “wiretap” must collect the “contents” of a communication, a “pen register” or “trap and trace device” collects information about a communication, called “record” information (ex. the length of a phone call). Casillas contended that the website tool was an unlawful pen register because it collected her IP address, which courts have routinely held is record information.
The Court sustained Transitions’ demurrer (without leave to amend) and dismissed Casillas’ complaint, ruling that “obtaining IP addresses from ordinary user access does not violate the pen register statute.” “[N]o cause of action” arises when a website operator captures a user’s IP address, the Court reasoned, because that is “what happens every time any user accesses any website.” Indeed, Transitions “necessarily” must do so “to operate the website.” In support of its decision, the Court also remarked that Casillas did not have a “legally protected privacy interest in her computer’s IP address” because she “voluntarily shares her computer’s IP address every time she accesses a website,” which “necessarily results in the website obtaining [her] IP address.”
This decision highlights the latest trend in lawsuits targeting businesses’ use of website tools under CIPA’s pen register and trap-and-trace device provision. It also acknowledges that CIPA is not intended to prohibit “[w]hat makes the internet possible”—specifically, a website operator’s collection of IP addresses.