Recent CIPA decisions suggest website privacy class actions will continue

The Central District of California emboldens plaintiffs’ lawyers

First, in Moody, the plaintiffs allege that C2, an online tutoring provider, installed a TikTok pixel on its website, which enabled “fingerprinting” of website visitors in violation of CIPA’s decades-old prohibition on trap and trace and pen register devices.¹ The fingerprinting, according to plaintiffs, occurs when the site collects data from visitors and matches that data to data in TikTok’s database, thus identifying the previously anonymous website visitor. 

In denying C2’s motion to dismiss on July 25, 2024, the Central District of California rejected C2’s argument that a trap and trace or pen register device must be a physical device attached to a telephone line. The Court reasoned that CIPA’s definition refers only to “devices or processes” that record or capture information. Thus, CIPA does not require the use of a physical device. In support of its holding, the court cited Greenley v. Kochava, a Southern District of California case that created a firestorm of CIPA claims in 2023.² Greenley analyzed the CIPA pen register definition, stating that because the statutory definition is “vague and inclusive as to the form of the collection tool . . . courts should focus less on the form of the data collector and more on the result.” The Greenley holding emboldened plaintiffs eager to test the contours of the CIPA definition and led to a series of inconsistent opinions addressing similar factual scenarios. Similar to Greenley, the C2 holding that CIPA is not limited to physical devices will encourage plaintiffs’ lawyers to file even more CIPA complaints based on cookies, web beacons, pixels, and other website tracking devices.

The Ninth Circuit weakens the user consent defense

Next, on August 20, 2024, the Ninth Circuit issued an opinion that effectively weakens the common defense in CIPA claims that a user consented to data collection via a website policy or cookie policy.³ The plaintiffs are a group of internet browser users that chose not to sync their browser with their email accounts. They allege that they believed their decisions to keep their browsers and email accounts separate meant their personal information would not be collected because the browser-specific privacy policy stated that users did not need to provide personal information to use the browser. The Ninth Circuit reversed the district court’s dismissal at summary judgment. 

In doing so, the appellate court applied a reasonable person standard to determine whether, considering the various browser agreements, a reasonable person would think they were consenting to data collection. The reasonable person standard, the Ninth Circuit clarified, must consider the level of sophistication attributable to the general public. Read together, the multiple browser agreements contained conflicting language as to whether the browser collected user information. Thus, the reasonable user could not have agreed to the collection, according to the court. 

The Ninth Circuit’s opinion suggests that businesses will need to take a more coordinated, cohesive approach to various user-facing policies in the future. Additionally, it underscores that a compliant privacy notice is not a definite defense to a CIPA claim. 

Takeaways and Conclusion

These two decisions could lead to yet another surge in CIPA claims. Broad interpretations of the trap and trace and pen register definitions, like in the C2 case, make it easier for plaintiffs to survive a motion to dismiss. And the Ninth Circuit’s recent opinion will likely make it more difficult for defendants to successfully assert consent as a defense to a CIPA claim absent affirmative consent prior to the operation of any tracking technologies. 

Applying CIPA to modern analytical tools such as pixels and cookies leads to an absurd result – and potential liability for any company with a website accessible to California residents – because CIPA may be read to require companies to obtain “opt-in” consent prior to collecting and using data while California’s ostensibly comprehensive privacy law only requires an opt-out. Thus, the two above decisions effectively impose privacy obligations on website operators that go beyond what the California Consumer Privacy Act (CCPA) requires. 

The most effective means to defend against these claims is to require all users to specifically opt in to the use of ad pixels and cookies, such as through a “cookie door.” In other words, no cookies or pixels would drop or activate until after a user affirmatively clicks a box or slides a toggle bar. Companies would then keep a record of user consent in case of litigation.

Companies should also consider: 

• ensuring they have a compliant, plain-language privacy notice;
• implementing a clear, concise and accurate cookie banner or door, which avoids so-called “dark patterns” designed to manipulate, entice or trick the user into consenting;
• regularly reviewing the website’s cookies, pixels, and web beacons to ensure they are accurately represented in the policy and function (or are configured) as intended; and
• removing any unnecessary tracking tools. 

Until the California state legislature decides to synchronize their modern privacy legislation with their otherwise outdated privacy law, companies operating in the Golden State will continue to face these inconsistent standards, as well as litigation risk from “gotcha” lawsuits. 

__________


If you have any questions about this Legal Briefing, please feel free to contact any of the attorneys listed or the Eversheds Sutherland attorney with whom you regularly work.

_{1  Moody v. C2 Educational Systems Inc., No. 2:24-cv-04249-RGK-SK, 2024 U.S. Dist. LEXIS 132614 (C.D. Cal. July 25, 2024).
2  No. 22-cv-01327-BAS-AHG, 684 F. Supp. 3d 1024 (S.D. Cal. July 27, 2023). 
3  Calhoun v. Google, LLC, No. 22-16992, 2024 U.S. App. LEXIS 20978 (9th Cir. Aug. 20, 2024).}