PH Privacy
Federal Court Offers New Perspective on CIPA Interpretation
September 05, 2024
By Hannah Edmonds & Brianne B. Powers
We continue to learn more about the courts’ perspective on claims under the California Information Privacy Act (“CIPA”). Last month, in Moody v. C2 Educational Systems Inc., the U.S. District Court for the Central District of California denied a motion to dismiss a CIPA complaint related to trap and trace technology.[1]
In Moody, the plaintiff alleged the defendant violated the CIPA trap and trace law under § 638.51 when plaintiff visited defendant’s website and TikTok software used on that website collected plaintiff’s information without plaintiff’s express or implied consent. The court adopted a broad interpretation of CIPA when it explained that, though CIPA § 638.52 refers to pen registers and trap and trace devices as physically attached to telephone lines, the definitions under § 638.50 do not state any such requirement. Rather, § 638.50 “simply refers to device(s) or process(es) that record or capture certain information from a wire or electronic communication.”
The court proceeded to cite Greenley v. Kochava, Inc. when explaining that § 638.50’s language indicates courts should focus less on the form of the data collector and more on the result, so Greenley concluded that tracking software could plausibly constitute a pen register under CIPA §§ 638.50 and 638.51.[2] Given their references to “wire or electronic communications,” the court in Moody reasoned that defendant failed to explain why the definitions under § 638.50 should be so limited that a pen register or trap and trace device must be a physical device attached to a telephone line. The court ultimately concluded that plaintiff’s allegations suggesting that defendant’s use of the TikTok software on defendant’s website violated CIPA’s prohibition on trap and trace devices are plausible, since the TikTok software used by defendant’s website may qualify as a pen register or trap and trace device under California law.
The court’s broad interpretation of CIPA is a first, but other courts have ruled differently in similar cases. For example, in Licea v. Hickory Farms LLC, the plaintiff alleged that the defendant violated the CIPA prohibition on the use of pen registers when the defendant used pen register technology in conjunction with an IP address via a mobile phone.[3] In March 2024, the trial court granted the defendant’s demurrer because the plaintiff’s complaint did not establish an IP address as equivalent to the “unique fingerprinting” in Greenley v. Kochava. The court distinguished the location information in embedded software in Greenley v. Kochava from the IP address in the case at hand. Additionally, the court noted that the operative complaint otherwise lacked any “actually acquired qualifying information for the establishment of a violation.” Finally, the court observed that the defendant had received consent to collect the plaintiff’s IP address when the plaintiff voluntarily disclosed it by visiting the defendant’s website.
With these differing perspectives in mind, there are certain steps companies can take to protect themselves against potential CIPA lawsuits in the future, including:
- Understanding the use of cookies and online tracking technologies on company websites, platforms, and applications (this includes knowing what information these cookies and online tracking technologies collect, process, retain, and share with third parties, as applicable, and knowing whether there are third-party cookies or online tracking technologies on the company website);
- Confirming and updating company privacy notices, privacy policies, and terms of service to ensure they sufficiently address all data collection, processing, and use by the company; and
- Considering a requirement on all website visitors to affirmatively consent to the company’s use of any tracking technology on all websites and applications.