Recent Court Rulings May Signal Changes for CIPA Litigation, Privacy Lawyers Say

“The plaintiffs always claim that just simply asserting a statutory violation under CIPA is itself sufficient to establish standing,” said Usama Kahf, partner at Fisher Philips who represents businesses in these cases. “If the plaintiff doesn't have standing to sue just simply because they visit the website, but they didn't really suffer any actual injury, there wouldn't be an injury presumed from ... having their IP address and device information being shared. That would be significant [and] could shut down these claims." Some courts agree and others disagree, said Kahf.

CIPA was enacted in 1994 and prohibits tapping or recording of telephonic communication without the consent of all parties in the communication, unless there is a court order. When the law was crafted, there was no internet, email, chatbots or tracking pixels, said David Klein of Klein Moynihan, a firm that represents online companies: Now, "enterprising plaintiffs’ attorneys are using statutes like CIPA to go after regular Internet websites, email communications providers, chatbot technologies [and] companies that engage in recording website visits” without consent from consumers.

Recent allegations include that tracking pixels, from platforms like Meta or TikTok, are being placed onto third-party sites unbeknownst to visitors, said Klein. “Plaintiffs’ attorneys allege that this amounts to an unlawful wiretapping event in violation of CIPA for which statutory damages are due to unwitting consumers in dual party consent states, such as California.”

Now, Kahf said, many of the claims relate to trap and trace or pen-register devices. Klein explained that “a pen register records outgoing phone calls, originating from the calling party,” while “a trap and trace device records incoming phone calls.” Klein continued, “There's a lower standard to satisfy [about] what constitutes a violation of an unauthorized trap-and-trace device and pen register,” as opposed to wiretapping, “because you don't have to allege that the content of the conversations was actually recorded as well.”

Kahf said that so far on that issue, around seven cases have gone in favor of businesses, while in roughly three, the plaintiffs won. “Our sense was that the tide may be shifting, at least in state court, despite the fact that there were a number of federal district court decisions that allowed those claims to continue.”

For example, in the 2024 Los Angeles County Superior Court case Sanchez v. Cars.com, the plaintiff alleged that the car website recorded and transmitted her IP address to a third party through a tracking beacon Cars.com deployed on her device without her consent, in violation of CIPA. Essentially, Kahf said, “they're claiming that, if a customer walks into a store, and there is a surveillance camera in that store," the plaintiff can sue because a picture was taken.

Despite claims that “my face is private, my identity is private, I have a right to be anonymous,” the customer is “walking into [the] store,” he continued. As such, the customer lacks the right to be anonymous when walking into a store, argued Kahf. "In my view, it's the same thing" online, said the lawyer: you're 'walking' into a website with your computer and or cell phone."

What is also significant about Cars.com is that the judge essentially dismissed the case without giving leave to amend, Kahf said. “There's a liberal standard, in state court in California, of giving plaintiffs every opportunity to fix the issues in the complaint if they are fixable,” he said. “But if the court rules that the issues are just simply not fixable, ever, they're strong. That means that there's nothing you could allege as a plaintiff in front of this judge that will convince" the bench "that you have any viable claim for this pen register theory under CIPA.”

Matthew Pearson, a Womble Bond privacy lawyer who defends businesses in class-action cases, pointed to a U.S. District Court for Southern New York decision in the 2024 case Gabrielli v. Insider. There, the court ruled against the plaintiffs for lack of injury.

“What Gabrielli did was really delve into the technology, what can be gleaned from an IP address, and how that IP address and the information gleaned from it fits into an invasion of privacy claim,” Pearson said. The court said “it sounds like at most you could get a general location of where a person was when they visited the website, and the general location of where a person was when they visit a website does not identify that person.”

The Gabrielli case "took a look at what was actually being collected -- a public IP address -- and said, you don't just need to allege that a statute was violated, you need to allege that, if the statute was violated, you were injured by the violation.” The real shift was that the court said, "I'm not going to just accept that you allege this statute was violated …Did you suffer an injury in fact? And, what the Gabrielli court said was no, because that IP address cannot be tied back to a specific individual, and without tying it back to a specific individual, there can be no invasion of privacy.”

The trend is that courts are "seeing these statutes for what they are,” which is “that they were not intended to hamper website operators that are just trying to generally run their businesses," Klein said. Courts are siding with businesses "more and more and not entertaining these claims as much as they had in the past,” he said.

“The statute wasn't intended to apply to internet commerce,” Klein said. “Ordinary websites shouldn't be the victim of CIPA lawsuits simply because they use third-party technology to help run their online businesses.”

Because of this, Kahf predicted more businesses will be willing to fight, "as opposed to settling.” But the problem won’t be solved in the short-term, he said. “There's going to continue to be litigation.”

“The stakes are high on both sides,” Kahf said. “The plaintiffs don't want a decision on the appellate level that shuts down all these claims permanently, and the defense may be emboldened at this point to take it all the way, and there are some that will go all the way, [though] it may take several years. So the shift ... is in the willingness to immediately settle.”

Pearson said “the real takeaway here is the importance of understanding and being able to explain to the judge what the technology is actually doing and how it's doing it.” When complaints are filed, it "sound[s] scary. It sounds like all of this information is being gathered, and there's this dossier, and we know everything about everything on everybody."

“As we educate the judges on what the technology is, how it's being used and what the information being collected is, it becomes less and less scary, less and less novel,” Pearson said. “If you can make it understandable to a judge, and you can say no, here's what's actually going on, it's not this parade of horribles that plaintiffs had laid out in the complaint, it's actually this, that's where we get decisions like Gabrielli.”

Still, Pearson sees a long road ahead before there is a defining precedent or standard in how the litigation is handled, he said. Privacy litigation is like a game of Whac-A-Mole, said the lawyer. “I could beat that claim down all the way, and another one will come up.”