Owners and operators of online platforms and websites are under attack for violating a California law enacted before the World Wide Web was invented. The latest California “Gold Rush” for plaintiffs’ lawyers is the surge of lawsuits and arbitration demands against online businesses for violating the California Invasion of Privacy Act (CIPA) by using ad-optimizing tracking “pixels” and other website-based tracking tools provided by social media platforms such as Meta and TikTok. These claims usually start with a letter to a business that operates a website and has no idea it is doing anything illegal. Unless the demand for compensation is paid, a lawsuit or arbitration demand usually soon follows.
The CIPA, enacted in 1967, restricts the use of pen registers and trap and trace devices without first obtaining a court order or consent from the person being tracked. Although originally intended to apply to law enforcement activities, recent class action and individual lawsuits assert these restrictions also apply to the tracking cookies and pixels frequently deployed on consumer-facing websites. Some courts have agreed, stating that the CIPA’s definitions of “pen register” and “trap and trace device” may be broad enough to include the tracking software. If a court finds that an online business used such a device without first obtaining user consent, that business may be liable for statutory damages of at least $5,000 per violation. Moreover, recent complaints have alleged that each individual visit to a website constitutes a separate violation, creating massive potential liability exposure for website owners.
Courts in California are not clear on what types of tracking software are invasive enough to qualify as a pen register or trap and trace device under the CIPA. In 2023, a federal court in California held that software which collected users’ geolocation, search terms, click choices, purchase decisions, and/or payment methods could be subject to the CIPA. However, this January, another federal court suggested that software which merely tracks IP addresses may qualify for an exemption for devices used “to operate, maintain, and test a wire or electronic communication service”. In March 2024, a California state court agreed that the use of software limited to collecting IP addresses was likely exempt from liability. Yet, a decision in the same court three weeks later held that software which records information from a user’s device and uses that information to install a tracking code could be subject to the CIPA.
Courts in other states, particularly New York, are also considering whether website owners can be held liable under the CIPA. At least one federal court in New York has held that the CIPA applies to tracking tools on online platforms, though exempting from liability tracking software that only collects IP addresses. Some New York courts have also suggested that a claimant must show concrete harm resulting from the CIPA violation.
While courts struggle to balance protecting the privacy of consumers and legitimate online business practices, there are simple preventative measures that website operators can take to avoid time-consuming and costly lawsuits. Businesses should create inventories of the tracking software used on their platforms and ensure their existing privacy policies include sufficiently accurate and transparent disclosures about the use of third-party tracking software.
Additionally, businesses should consider configuring their websites so that non-essential tracking software cannot begin tracking users until after a user has provided consent. User consent can be obtained through a cookie banner or pop-up window requiring users to affirmatively opt in to the website’s use of non-essential tracking software. Maintaining an opt-in mechanism to obtain user consent remains the best defense against future lawsuits under the CIPA and similar statutes.
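One way to implement the opt-in gating described above, shown as an added example that is not part of the original article: trackers are registered with the gate instead of being placed directly in the page, and nothing non-essential is requested until the user has explicitly opted in to its category. The storage key, category names, tracker names, and URLs are assumptions made for illustration.

```javascript
// Added example: consent gate for non-essential trackers; all names are hypothetical.
// In a browser: storage = localStorage, loadScript appends a <script async> to <head>.
const CONSENT_KEY = "tracking_consent"; // assumed storage key

function createConsentGate({ storage, loadScript }) {
  let pending = [];   // registered trackers still waiting for consent
  const loaded = [];  // names of trackers actually loaded, in order
  // A missing or corrupt consent record is treated as "no consent".
  const granted = () => {
    try { return (JSON.parse(storage.getItem(CONSENT_KEY)) || {}).granted || {}; }
    catch { return {}; }
  };
  // Only an explicit `true` for the tracker's category counts as opt-in.
  const allowed = (t) => t.essential === true || granted()[t.category] === true;
  const flush = () => {
    pending = pending.filter((t) => {
      if (!allowed(t)) return true; // keep waiting
      loaded.push(t.name);
      loadScript(t.src);
      return false;
    });
  };
  return {
    register(tracker) { pending.push(tracker); flush(); },
    // Called by the banner with the user's per-category choices.
    setConsent(choices) {
      const record = { granted: { ...granted(), ...choices }, ts: Date.now() };
      storage.setItem(CONSENT_KEY, JSON.stringify(record));
      flush();
    },
    // Withdrawal blocks future loads; scripts already running need a page reload.
    revoke() { storage.removeItem(CONSENT_KEY); },
    loadedNames: () => [...loaded],
    pendingNames: () => pending.map((t) => t.name),
  };
}

// Constructed sample run: in-memory store, placeholder URLs.
function demo() {
  const m = new Map(), requested = [];
  const storage = { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => m.set(k, v),
                    removeItem: (k) => m.delete(k) };
  const gate = createConsentGate({ storage, loadScript: (src) => requested.push(src) });
  gate.register({ name: "session", essential: true, src: "/js/session.js" });
  gate.register({ name: "ad-pixel", category: "advertising", src: "https://tracker.example/pixel.js" });
  const beforeConsent = [...requested];
  gate.setConsent({ advertising: true });
  return { beforeConsent, afterConsent: [...requested] };
}
```

The list of trackers passed to `register` doubles as the inventory of tracking software, and the stored record keeps a timestamp of the user's choice.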
If you are facing a lawsuit based on your website’s use of tracking software, or would like guidance in taking measures to reduce the risk of being the target of a CIPA violation claim, please contact any of the following members of our Privacy & Data Security and Litigation teams: Kevin DeBré, Brian Hall, or Michael Bernet.