Court decisions addressing “pen register” claims brought under the California Invasion of Privacy Act (“CIPA”) have started trickling in after last year saw an uptick in these claims targeting businesses’ use of website tools.  Two more California courts recently joined a growing trend dismissing pen register claims, but they did so on new grounds: one confirmed that CIPA’s pen register provision was not intended to cover “internet communications,” and another held that a website tool that allegedly collected “identifying information about visitors’ devices, from visitors’ devices” does not constitute a “pen register” or “trap and trace device.”  See Aviles v. Liveramp, Inc., 2025 WL 487196 (Cal. Super. Jan. 28, 2025); Sanchez v. Cars.com Inc., 2025 WL 487194 (Cal. Super. Jan. 27, 2025).

In both cases, the plaintiffs asserted that a defendant used a website tool (which plaintiffs called a “PR/TT beacon”) that constituted an unlawful pen register or trap-and-trace device under CIPA.  See Cal. Penal Code § 638.51.  A “pen register” or “trap and trace device” under CIPA includes certain devices that collect outgoing (pen register) or incoming (trap and trace) information about a communication, known as “record information.”  Plaintiffs contended the website tools at issue constituted pen register or trap and trace devices because the tools allegedly collected their IP addresses and additional information when they visited the defendants’ respective websites.

In the first case, brought by Plaintiff Monica Sanchez against Defendant Cars.com Inc., the Court sustained Cars.com’s demurrer without leave to amend.  Analyzing the “plain language and legislative intent of the statute” to determine “whether internet communications constitute ‘pen registers’ or ‘tra[p] and trace devices’” under CIPA, the Court concluded they do not.  Instead, those statutory terms “refer[] to devices or processes that are used to record or decode . . . [certain] information from telephone numbers, not internet communications such as websites.”  Drawing on legislative history, the Court explained that when enacting what would become CIPA’s pen register provisions, the California legislature “adopted the same authorization provision” courts have relied on under the federal Pen Register Act.  Thus, like the federal statute, the California law “applied only to mechanical, telephone number-tracing technology, not technology used to collect the IP address from a desktop computer.” 

In the second case, brought by Plaintiff Jerry Aviles against Defendant LiveRamp, Inc., the Court likewise sustained Defendant LiveRamp’s demurrer, although it gave leave to amend.  In sustaining the demurrer, the Court held that plaintiff failed to plead the use of either a pen register or trap and trace device.  Plaintiff failed to plead the use of a pen register because he did not allege that the website tool “collect[ed] the outgoing addressing information from visitors’ devices or browsers.”  Plaintiff failed to plead the use of a trap and trace device because he did not allege “that Defendant installed software on Plaintiff’s device or browser that collected incoming contact information to Plaintiff’s device.”  Absent such allegations, “Plaintiff ha[d] not alleged anything above and beyond how the internet normally works.”

While other courts have dismissed CIPA pen register claims, these California decisions provide additional reasons these statutes do not apply broadly to routine internet technology.

Rachel Bercovitz

Rachel Bercovitz is an associate in the firm’s Washington, DC office, where she is a member of the Litigation and Data Privacy and Cybersecurity groups. She maintains an active pro bono practice, with a particular focus on gun violence prevention.

Matthew Verdin

Matthew Verdin focuses on defending clients in the technology and financial services sectors. He has a strong record of delivering wins on behalf of clients in class actions and complex litigation, particularly in privacy and consumer protection lawsuits. Matthew is particularly successful in securing dismissals at the pleadings stage. For example, he won dismissal at the pleadings stage of over a dozen wiretapping class actions involving the alleged use of website analytics tools to collect data about users’ website visits. He also advises companies on managing litigation risk under federal and state wiretapping laws.

Matthew is also dedicated to pro bono legal services. Recently, he helped a domestic violence survivor win a case in the California Court of Appeal. Matthew’s oral argument led to the court ordering renewal of his client’s restraining order just one day later.