California Labor &
Employment Law Blog
Tsunami of CIPA Class Actions Storming California Businesses
Apr 5, 2024

Tsunami of CIPA Class Actions Storming California Businesses

Topics: Court Decisions, Privacy

California businesses are experiencing a tsunami of demands and complaints alleging class action status that applies the well-established 1960’s California Invasion of Privacy Act (CIPA) to the internet’s new technology. CIPA is a pre-internet era law aimed to curb unlawful telephone wiretapping and other electronic surveillance such as pen registers. A pen register is a device that traces outgoing signals from a telephone or computer and that is often used by law enforcement to provide lists of phone numbers contacted by a suspect’s phone, or to trap and trace individuals in violation of their privacy expectations. Increasingly, plaintiff’s counsel argue that many businesses’ (or their vendors’) websites use technology (i.e. cookies, pixels) to track users’ website interactions in violation of the CIPA.

These lawsuits, first brought under Penal Code Section 631(a)’s wiretap prohibition, are evolving to claims under Section 631.51, which prohibits most uses of a pen register device to trap and trace. In addition to fines and penalties for several types of wiretapping, including aiding, agreeing with, employing, or conspiring with a third party to engage in prohibited wiretapping or “eavesdropping” activities, there are statutory damages of $5,000 per violation and a plaintiff is not required to prove actual damages. 

The Court in Byars v. Hot Topic, Inc., 2023 WL 2026994 (C.D. Cal.  Cal. Feb. 14, 2023) made the sensible decision to dismiss a Section 631(a) case because the website owner and its vendor were the intended recipients of the plaintiff’s communications and, therefore, could not be held to have illegally “eavesdropped” on the communications from the plaintiff, creative plaintiff’s counsel expanded the reach of their CIPA complaints to allege violations of the “pen register” provisions of Section 638.51.  

The Court’s decision declining to dismiss a CIPA claim alleged under 638.51 in Greenley v. Kochava, Inc., No. 22-CV-01327-BAS-AHG, 2023 WL 4833466, at *1 (S.D. Cal. July 27, 2023) appears to be the catalyst for the newest claims. In Greenley, the plaintiff alleged that the defendant data broker provided software development kits to app developers in violation of section 638.51 of CIPA because the tracking tools were used by the defendant to track users’ data and defendant sold the data to third-party advertisers. The Greenley court concluded that the allegations of defendant’s use of tracking software for its own purposes constituted a process that recorded routing information and sufficiently described a violation of the “trap and trace” prohibitions of Section 638.51 and allowed the lawsuit to survive a motion to dismiss.  

California businesses that use software to gather data should immediately take measures to insulate themselves from CIPA litigation and, down the road, from enforcement actions by California’s Privacy Police (the fledgling California Privacy Protection Agency). Consent is the front line of defense in CIPA cases, so a review of websites that gather information through cookies should be undertaken to ensure that consent is obtained and that the websites’ privacy policies are up to date. Moreover, when faced with a pre-litigation demand, businesses should ensure that they are properly represented by counsel, as a pre-litigation settlement with a single claimant will not protect the enterprise from other class action claimants making the same claim. And, for California businesses who are covered employers under the California Privacy Rights Act, it is equally important to review their privacy policies and notices with regard to employees’ and applicants’ personal data, as enforcement actions are imminent.  

CDF’s Privacy Practice Group will continue to monitor developments related to privacy issues, the CCPA, the CPRA and the California Privacy Protection Agency’s enforcement actions. Please contact a member of CDF's Privacy Practice Group (Dan Forman, Dalia Khatib, or Linda Wang) to discuss compliance with privacy laws, any investigation by the California Privacy Protection Agency or with any questions about the CCPA & CPRA. Our Privacy Practice Group is available to assist with policies, notices, general compliance for employers and defense of investigations and litigation.

About CDF

For over 25 years, CDF has distinguished itself as one of the top employment, labor and immigration firms in California, representing employers in single-plaintiff and class action lawsuits and advising employers on related legal compliance and risk avoidance. We cover the state, with five locations from Sacramento to San Diego.

> visit primary site

About the Editor in Chief

Sacramento Office Managing Partner and Chair of CDF’s Traditional Labor Law Practice Group. Mark has been practicing labor and employment law in California for thirty years. His practice has a special emphasis on the representation of California employers in union-management relations and handling federal and state court litigation and administrative matters triggered by all types of employment-related disputes. He is also adept at providing creative and practical legal advice to help minimize the risks inherent in employing workers in California. He recently named “Sacramento Lawyer of the Year” in Employment Law-Management for 2021 by Best Lawyers®.
> Full Bio   > Email   Call 916.361.0991

CDF Labor Law LLP © 2024

Editorial Board About CDF What We Do Contact Us Attorney Advertising Disclaimer Privacy Policy Cookie Policy