CIPA Case Highlights Courts' Strictness on 'Trap and Trace,' Law Firm Says
A federal court's dismissal of a California Invasion of Privacy Act (CIPA) case claiming a TikTok tool was a "trap and trace device" shows plaintiffs' claims must match the statute's definitions exactly, or they risk having the case tossed before getting "to the starting gate," Troutman Amin's Keerti Jaya said in a blog post Monday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
In Mitchener v. CuriosityStream, plaintiff Christopher Mitchener alleged that TikTok software, embedded on subscription-based streaming service CuriosityStream’s platform, was a “trap and trace device” since it was "scooping up 'addressing information' from communications between the plaintiff and the defendant" or "essentially, where the messages were coming from and going to," the blog said.
"A 'trap and trace device' is something that captures dialing, routing, addressing, or signaling information -- not the content of a communication," which is a "distinction [that] ended up being fatal," Jaya said. "The court made it clear: if what’s being collected is 'content information' -- things the plaintiff is directly typing or sharing during a communication -- then it’s outside the ambit of the statute. No trap and trace, no CIPA claim."
CIPA's "laser-focused" definition signaled the "end of the road" for the plaintiff's case. "The court found the defects, both the standing problem of having no concrete and particularized injury to plaintiff and the fact that the software itself is not a trap and trace device," said the blog. "The Court went straight to the core of the claim, and no amount of rewording or repleading could fix them," as the case was dismissed with prejudice.
Jaya quoted a section of the U.S. District Court for Northern California's decision: “If Defendant only collects information regarding the ‘metadata’ of the communication, Plaintiff’s right to privacy is not invaded because he has no expectation of privacy as to that type of data (e.g., his IP address or general geographic location) ... ." The court continued, "If Defendant instead collects content information from communication between the parties (e.g., information provided from Plaintiff to Defendant directly), then the TikTok software is not a trap and trace device."
Jaya called the case a "red warning sign" about the need to "match the statute’s definition exactly and prove the data being collected fits within it." Though "we’ll likely keep seeing plaintiffs test creative 'trap and trace' theories as they target various types of tracking software ... this ruling makes crystal clear, if your facts don’t fit the statute, and you can’t show a real privacy invasion, you’re not just losing -- you’re getting bounced before the case even gets rolling."
"Bottom line: if you’re chasing a “trap and trace” claim without rock-solid facts, you’re not just stepping on a rake -- you’re handing the court the handle and asking them to swing."