Websites cannot load without the transmission of an IP address, which tells websites where to deliver the webpages displayed on a user’s browser.  Yet a number of lawsuits have started challenging this routine transmission of IP addresses under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) that prohibits the use of “pen registers” or “trap and trace devices.”  Cal. Penal Code § 638.51.  A California court recently held that this pen register provision “did not, and does not, criminalize the process by which all websites communicate with all users who choose to access them.”  See Casillas v. Transitions Optical, Inc., 2024 WL 4873370 (Cal. Super. Sept. 9, 2024).

Pen register lawsuits like this one are similar to the website wiretapping lawsuits that have targeted hundreds of businesses in recent years.  Plaintiff Miltita Casillas claimed that Defendant Transitions Optical used a website tool (which she called a “tracking beacon”) to transmit data concerning her visit to Transitions’ website.  However, the type of data allegedly collected in a pen register suit is different: whereas a “wiretap” must collect the “contents” of a communication, a “pen register” or “trap and trace device” collects information about a communication, called “record” information (ex. the length of a phone call).  Casillas contended that the website tool was an unlawful pen register because it collected her IP address, which courts have routinely held is record information.

The Court sustained Transitions’ demurrer (without leave to amend) and dismissed Casillas’ complaint, ruling that “obtaining IP addresses from ordinary user access does not violate the pen register statute.”  “[N]o cause of action” arises when a website operator captures a user’s IP address, the Court reasoned, because that is “what happens every time any user accesses any website.”  Indeed, Transitions “necessarily” must do so “to operate the website.”  In support of its decision, the Court also remarked that Casillas did not have a “legally protected privacy interest in her computer’s IP address” because she “voluntarily shares her computer’s IP address every time she accesses a website,” which “necessarily results in the website obtaining [her] IP address.”

This decision highlights the latest trend in lawsuits targeting businesses’ use of website tools under CIPA’s pen register and trap-and-trace device provision.  It also acknowledges that CIPA is not intended to prohibit “[w]hat makes the internet possible”—specifically, a website operator’s collection of IP addresses.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer…

Kate Cahoy co-chairs the firm’s Class Actions Litigation Practice Group and serves on the leadership committee for the firm’s Technology Industry Group. She defends clients in complex, high-stakes class action disputes and has achieved significant victories across various industries, including technology, entertainment, consumer products, and financial services. Kate has also played a key role in developing the firm’s mass arbitration defense practice. She regularly advises companies on the risks associated with mass arbitration and has a proven track record of successfully defending clients against these challenges.

Leveraging her success in class action litigation and arbitration, Kate helps clients develop strategic and innovative solutions to their most challenging legal issues. She has extensive experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), along with common law and constitutional rights of privacy, among others.

Recent Successes:

Represented Meta (formerly Facebook) in a putative nationwide advertiser class action alleging violations under the California Unfair Competition Law (UCL) related to charges from allegedly “fake” accounts. Successfully narrowed claims at the pleadings stage, defeated class certification, opposed a Rule 23(f) petition, won summary judgment, and defended the victory on appeal to the Ninth Circuit. The Daily Journal selected Covington’s defense of Meta as one of its 2021 Top Verdicts, and Law.com recognized Kate as a Litigator of the Week Shoutout.
Defeated a landmark class action lawsuit against Microsoft and OpenAI contending that the defendants scraped data from the internet for training generative AI services and incorporated data from users’ prompts, allegedly in violation of CIPA, the Computer Fraud and Abuse Act (CFAA), and other privacy and consumer protection laws.

Kate regularly contributes to the firm’s blog, Inside Class Actions, and was recently featured in a Litigation Daily interview titled “Where Privacy Laws and Litigation Trends Collide.” In recognition of her achievements in privacy and antitrust class action litigation, the Daily Journal named her as one of their Top Antitrust Lawyers (2024), Top Cyber Lawyers (2022), and Top Women Lawyers in California (2023). Additionally, she received the Women of Influence award from the Silicon Valley Business Journal and was recognized by Daily Journal as a Top Attorney Under 40.

Read more about Kathryn CahoyEmail
Show more Show less
Gina Perrucci

Gina Perrucci is a litigator with a focus on class actions and commercial litigation. She works with enterprise clients across technology, financial services, and life sciences industries in complex, high-stakes matters in state and federal court involving breach of contract and consumer protection…

Gina Perrucci is a litigator with a focus on class actions and commercial litigation. She works with enterprise clients across technology, financial services, and life sciences industries in complex, high-stakes matters in state and federal court involving breach of contract and consumer protection claims. Gina also advises on Internet privacy litigation under federal and state wiretapping laws.

Read more about Gina PerrucciEmail
Show more Show less
Photo of Matthew Verdin Matthew Verdin

Matthew Verdin focuses on defending clients in the technology and financial services sectors. He has a strong record of delivering wins on behalf of clients in class actions and complex litigation, particularly in privacy and consumer protection lawsuits. Matthew is particularly successful in…

Matthew Verdin focuses on defending clients in the technology and financial services sectors. He has a strong record of delivering wins on behalf of clients in class actions and complex litigation, particularly in privacy and consumer protection lawsuits. Matthew is particularly successful in securing dismissals at the pleadings stage. For example, he won dismissal at the pleadings stage of over a dozen wiretapping class actions involving the alleged use of website analytics tools to collect data about users’ website visits. He also advises companies on managing litigation risk under federal and state wiretapping laws.

Matthew is also dedicated to pro bono legal services. Recently, he helped a domestic violence survivor win a case in the California Court of Appeal. Matthew’s oral argument led to the court ordering renewal of his client’s restraining order just one day later.

Read more about Matthew VerdinEmail
Show more Show less