The United States District Court for the Southern District of New York recently issued opinions dismissing Xu vs. Reuters News & Media Inc. (putative class action) and Gabrielli v. Insider, Inc., cases in which plaintiffs asserted claims for illegal use of a pen register under the California Invasion of Privacy Act (“CIPA”), Cal. Pen. Section 638.51(a). The decisions issued in Xu and Gabrielli sound a cautiously positive note regarding businesses’ defense prospects in certain CIPA matters and signal that this may be a trend to watch.
Enacted in 1967, the CIPA’s original application was, among other things, to prohibit intercepting, wiretapping, and eavesdropping on confidential communications over telephone lines without a court order. At that time, the use of a pen register installed on a telephone or other communications device was a standard method for logging the outgoing telephone numbers dialed out from that specific telephone line, without recording the communications themselves. Now, decades later, plaintiffs’ attorneys in numerous recent cases seek to stretch the notion of pen registers far beyond telephonic communications to include online processes that capture and share the internet protocol (“IP”) addresses of visitors to specific websites.
In Xu and Gabrielli, plaintiffs argued (albeit unsuccessfully) that defendants’ collection and sharing of their IP addresses with third parties through the use of online trackers installed on plaintiffs’ browsers for targeted advertising and marketing strategies constituted a violation of their privacy rights under the CIPA. The district courts, however, dismissed both cases for lack of Article III standing, holding that plaintiffs had not suffered concrete and particularized injuries. In reaching this conclusion, the courts noted that IP addresses cannot typically be used, without additional data points, to identify particular individuals. At best, IP addresses alone may convey high-level geographical information, such as a zip code, and function on their basic level as a link between a browser and website arising from a website visitor’s voluntary request. Accordingly, implicit in the courts’ findings is that, in the context of CIPA pen register claims, website visitors have no reasonable expectation of privacy in their IP addresses.
Notably, Section 638.51(a), which plaintiffs relied upon in both cases, was not added to the CIPA until 2015. An examination of that section’s legislative history reveals that as recently as a decade ago—with the internet and its associated online ecosystems fully operative—the California legislature still indicated that the newly added pen register provision applied only to telephonic communications.
The claims in Xu and Gabrielli fit squarely into the now-commonplace strategy whereby plaintiffs allege that companies’ use of website cookies and other online tracking technologies, chat bots, session replay, and artificial intelligence software violates users’ privacy protections. Despite the setback to such claims in these opinions and propelled by disparate rulings in recent California cases under similar facts, plaintiffs’ counsel will likely continue to file claims under state and federal laws whose enactment predated our current technologies and their related privacy issues and concerns.
As we continue to track the outcomes of various privacy-related litigations, we advise our clients to be mindful of these attempts to assert private rights of action outside of state comprehensive privacy laws and to carefully review their privacy notices and website tracking technologies to ensure that they comply with the CIPA and related data privacy laws, rules, and regulations.
If you would like to discuss any of these laws, decisions, or trends with our privacy team, please contact Eric Gordon at egordon@fzlz.com or Carole Klinger at cklinger@fzlz.com.