ARTICLE
20 August 2024

CIPA And Trap And Trace Devices

KM
Klein Moynihan Turco LLP

Contributor

Klein Moynihan Turco LLP  logo
Klein Moynihan Turco LLP (KMT) maintains an extensive practice, with an international client base, in the rapidly developing fields of Internet, telemarketing and mobile marketing law, sweepstakes and promotions law, gambling, fantasy sports and gaming law, data and consumer privacy law, intellectual property law and general corporate law.
Readers of this blog may recall our prior piece about recent lawsuits alleging that the use of tracking software on certain websites violates the California Invasion of Privacy Act ("CIPA").
United States Consumer Protection

Readers of this blog may recall our prior piece about recent lawsuits alleging that the use of tracking software on certain websites violates the California Invasion of Privacy Act ("CIPA"). While earlier lawsuits focused on wiretapping and the use of "pen registers," more recent filings have focused on CIPA's prohibition on the use of "trap and trace" devices, discussed below.

Trap and Trace vs. Pen Register

CIPA defines a "trap and trace device" as a "device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication." Unlike a "pen register," which captures outgoing transmissions, a trap and trace device captures incoming transmissions. Traditionally, trap and trace devices and pen registers were used by law enforcement for surveillance purposes. Absent limited exceptions, such as the subject individual's consent or a court order, use of a trap and trace device or pen register is unlawful. Note that CIPA provides for statutory damages of $5,000 per violation.

By way of example, in Sorensen v. Golden Corral Corporation, Plaintiff alleged that Defendant installed software created by TikTok to identify website visitors, and that, absent consumer notice and consent, the utilization of this software on Defendant's website constitutes an illegal trap and trap device. Specifically, Plaintiff alleged that the TikTok software collected consumer: (1) device and browser information; (2) geographic information; (3) phone numbers; and (4) email addresses. According to the Complaint, this information was transmitted to TikTok to match Plaintiff's information with data that TikTok had already acquired. As Plaintiff alleged, use of the TikTok software constituted an illegal trap and trace device in violation of Section 638.51 of CIPA.

Consistent with the original intent of the law, the language of CIPA clearly is aimed at law enforcement's use of trap and trace devices and pen registers. However, enterprising plaintiffs' attorneys, as evidenced by the Sorensen case, have recently tried to expand CIPA's scope and apply it to the use of third-party tracking software found on websites. The general framework of these lawsuits alleges that tracking technology is used to capture consumer interactions while visiting certain websites, and that the use of such technology constitutes an illegal trap and trace device or pen register. California courts continue to struggle with claims that use of unauthorized third-party tracking software to capture a website visitor's IP address without adequate notice and consent constitutes use of a pen register under CIPA. In fact, when faced with nearly identical factual allegations, one California court issued contradictory decisions just three weeks apart.

Trap and Trace CIPA Lawsuits

Like pen register allegations, allegations that the use of third-party tracking software constitutes an illegal trap and trace device are likely to confound the courts. Until courts offer concrete interpretive guidance, plaintiffs' attorneys will continue to bring trap and trace claims under the guise of CIPA violations. Given the foregoing, if your company uses third-party tracking software on its website, it is critical to evaluate: (1) your data collection technology and practices; (2) the type of data you collect and when data collection begins and ends; (3) how consent to collect and use such consumer data is obtained; and (4) with whom your company shares this information.

The attorneys at Klein Moynihan Turco ("KMT") have a wealth of experience with: (1) defending clients against federal and state consumer privacy claims; and (2) advising clients on how to comply with various federal and state privacy laws. KMT's attorneys can review your company's current data collection practices and help protect against future trap and trace allegations. In addition, our outstanding litigation defense team will use its robust experience to provide you with the best possible representation if your company is named as a defendant in a CIPA lawsuit.

Similar Blog Posts:

Back to the Future – CIPA Wiretap Case Survives Dismissal

Swigart Law Group CIPA Demands

Help! I Was Served With a CIPA Lawsuit  

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More