District Judge Rules Privacy 'Tester' Lacks Standing to Sue Under Calif. Privacy Act

In case 24-08735, plaintiff Rebeka Rodriguez said she visited Autotrader.com and performed a search that revealed sensitive information. Rodriguez alleged Autotrader.com accessed, recorded and disclosed that information using illegal pen register and wiretapping technologies, in violation of CIPA.

"As a tester [who] visited and entered information into Defendant's website expecting the information to be accessed, recorded, and disclosed, she cannot claim an injury when her expectations were ultimately met," said Judge Gary Klausner.

A tester is someone who visits a site "not because she [or] he is interested in the product or service featured on the site,” but merely to see if it deploys third-party tracking technologies before notice is given, said David Klein of the law firm Klein Moynihan.

Usama Kahf, privacy partner at Fisher Philips, said it's sometimes hard to tell whether someone is a tester or not. Name recognition is key. If it's the same person you've seen multiple times, you'll know," he said. But without that, it can be hard to tell up front, Kahf added.

Friday's ruling is "significant" because it provides a basis for dismissing claims that testers bring, Kahf said. Before the ruling, courts were "all over the place," but "now we have a pretty good decision, albeit a very short one," dismissing with prejudice these CIPA violation claims.

Matthew Pearson, Womble Bond Dickinson partner who focuses on privacy, said, in an email to Privacy Daily, "Put simply, because the plaintiff visited the website looking for privacy violations, she could not claim to be surprised when she found one (or, at least, claimed to find one)."

Klein agreed. "It's about time,” he said. “This is the proper decision for what's going on out there. Namely, abuse of these well-meaning statutes that were crafted decades ago to apply to the unlawful recording of telecommunications conversations between people in dual-party consent states.”

“These statutes were not intended to apply to legitimate internet commerce; in fact, they were drafted several decades ago before the internet even existed. What the plaintiffs’ bar is attempting to do here is put a square peg in a round hole … to scare well-meaning online businesses into settling for a lot of money, employing a law that is inapplicable to the facts at hand,” Klein continued.

Kahf said the decision was a "very strong indication" that other courts will likely follow, though it has no bearing on state courts. Though state "standing requirements are similar to [those] in federal court," state courts have not latched on to the idea that testers do not have real injuries, he said.

But the ruling did not come out of the blue. “It's a defense and an argument that my firm has been making for a long time now,” said Klein. “There are no damages, because there's no privacy violation.”

Pearson, however, somewhat disagreed. "Judge Klausner’s ultimate holding in Rodriguez v. Autotrader.com is not novel," since "multiple courts have found that plaintiffs suing for the alleged use of a pen register in violation of CIPA lack injury-in-fact for Article III standing purposes," he said. "His rationale for that holding, however, was novel."

"The circuit court reinforces a focus on real privacy violations rather than 'gotchas,'" said Odia Kagan, chair of the GDPR Compliance & International Privacy Practice Group at Fox Rothschild. In an email, Kagan said, "The logic here is that a key component in privacy violations is that this is something that you did not know about, could not anticipate, and therefore, could not avoid. When you are a tester you are seeking this out, and therefore, choose not to avoid it."

Overall, the ruling was a step in the right direction, Klein said. “This is just a clear-cut, concise argument that the court understood, agreed with, and relied on to dismiss Plaintiff’s CIPA claims,” he said. “Judge Klausner either saw it for what it was -- using the statute in a way that wasn't intended and/or is very knowledgeable about technology and what is an invasion of privacy and what is not. The difference comes down to what's a real website visit by a well-intended consumer, as opposed to one by a tester that visits solely to set up a company for purposes of bring a CIPA lawsuit.”

Kagan agreed. "For future litigation this means closer scrutiny on class action representatives and plaintiffs and ensuring that they have really suffered some harm rather than going out and systematically seeking out violations."

While "only time will tell" if the ruling will reduce the number of CIPA claims filed in California, Pearson said, "it will make it more difficult for plaintiffs’ counsel to find individuals willing to put their name on CIPA lawsuits going forward."

But Kahf said the question now is how plaintiffs will pivot, as this kind of litigation is "like playing a game of Whack-a-Mole." He said he suspects counsel "will just drop the tester plaintiffs' allegations and make it more difficult for you to determine whether they are a tester plaintiff or not."

Given that the decision "harms some of the firms that have a smaller number of tester plaintiffs," Kahf said the case could be appealed, but larger firms are "shopping around" for more tester plaintiffs to "try to hide the ball."

Pearson agreed. "The ruling in Rodriguez could shift plaintiffs’ counsel’s approach in these cases," he said. "Plaintiffs’ counsel have repeatedly filed these kinds of lawsuits using the same named plaintiffs. Some identify as testers; others are just repeat players. Under Judge Klausner’s rationale, these repeat players could be barred from bringing suit because they no longer have a reasonable expectation of privacy in the information they know is being collected."