Surge in Website Privacy Claims: What You Need to Know About Trap and Trace and Search Bar Pixels

Over the past three years, the rise of class action complaints and private arbitration demands has highlighted the legal risks associated with technologies commonly found on websites. Each plaintiff's counsel has crafted unique arguments, but the central theme remains: tools like web pixels, beacons, cookies, and tracking software expose website owners to significant legal challenges. 

In the first part of our series, we explored the landscape of website privacy claims, focusing on chat, pixel, and VPPA cases. Below, we dive into the increasing prevalence of pen register and trap and trace pixel cases, as well as search bar pixel cases, which introduce additional layers of complexity to the risks of website privacy claims. Understanding these developments is crucial for businesses to protect themselves from potential liabilities in an increasingly privacy-conscious market.

Understanding CIPA Section 638.51

Recent decisions from the United States District Courts for the Southern, Central and Northern Districts of California have prompted plaintiffs’ firms to turn to an obscure provision of California Invasion of Privacy Act (CIPA) – Section 638.51 – to advance a new theory for civil liability related to businesses’ use of common website technologies.

CIPA Section 638.51 addresses the unauthorized interception of electronic communications. It specifically prohibits the installation or use of a “pen register” or a “trap and trace device” without first obtaining a court order. Section 638.50(b) defines a pen register as a device or process that records and decodes dialing, routing, addressing or signaling information (often referred to as DRAS) transmitted by a device from which a wire or electronic communication is sent. Section 638.50(c) defines a trap and trace device as one that captures incoming electronic or other impulses to identify the originating number or other dialing, routing, addressing or signaling information reasonably likely to identify the source of a wire or electronic communication.

Since violation of the wiretapping provision of CIPA in Section 631(a) requires the plaintiff to show a real-time interception of a “communication,” plaintiffs alleging violations under Section 631(a) have sometimes struggled to show that communication is intercepted “while in transit” or in real-time. On the other hand, pen registers and trap and trace devices do not require this real-time interception, but are limited to the collection of DRAS.

Emerging Pen Register and Trap and Trace Pixel Cases

Law enforcement has traditionally used pen registers and trap and trace devices to record all outgoing and incoming telephone numbers from specific telephone lines. In 2001, the federal PATRIOT Act recognized the need to update the law in the age of the Internet, expanding these definitions to include a device or process. In 2015, the California legislature adopted this updated definition into its own laws.

As is often the case, a single early court ruling denying a motion to dismiss is responsible for the surge of trap and trace claims. In Greenley v. Kochava¹, the plaintiff claimed that Kochava—a data analytics services provider offering mobile app tracking solutions and mobile advertising—installed an illegal pen register in third-party mobile applications. Kochava argued that its software did not qualify as a pen register. Noting that no other court had interpreted CIPA’s pen register provision, the Southern District of California court determined that it could not overlook the “expansive language in the California Legislature’s chosen decision” regarding the specific type of DRAS data a pen register collects. However, the court also held that the law was “vague and inclusive” concerning the form of the collection tool, described as a “device or process,” and that “courts should focus less on the form of the data collector and more on the result.” By applying the plain meaning of the term “process,” the court concluded that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ is a process that falls within CIPA’s pen register definition.” This interpretation suggests that nearly any device communicating via Internet Protocol – including cellular phones and websites – could be deemed a pen register. Ultimately, the court denied Kochava’s motion to dismiss, setting off a wave of new claims.

Next came Moody v. C2 Educ. Sys. Inc.², where plaintiff alleged that defendant, an online tutoring program, violated CIPA Section 638.51 by installing a TikTok marketing pixel that collected plaintiff’s information without plaintiff’s express or implied consent. Defendant argued, among other things, that it is the user of the website, and it gave TikTok consent to install pixel technology. CIPA Section 638.51 allows for an exception for the use of pen registers and trap and trace devices “if the consent of the user of that service has been obtained.” The court found this argument persuasive, but nevertheless declined to “foreclose the possibility that Plaintiff is the relevant user under California law.” The court held that defendant’s marketing tool could plausibly be alleged as a pen register or a trap and trace device and denied defendant’s motion to dismiss.

Most recently, in Shah v. Fandom, Inc.³, the Northern District of California found that Section 638.51’s pen register definition specifies the type of data a pen register collects—“dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted,”—but is vague about the collection tool, described as “a device or process.” Citing the decision in Kochava, the court found that the plaintiffs sufficiently alleged that the website “tracker” used by the defendant is “at least a ‘process’ because it is ‘software that identifies consumers, gathers data, and correlates that data.’” The court also determined that:

1. The plaintiff had sufficiently alleged that the trackers record “addressing information” in the form of IP addresses.
2. The term “addressing information” pertains to the sender or the recipient of the communication at issue.
3. The statutory definition of a pen register is likewise not limited to the type most often utilized by law enforcement.
4. The defendant failed to prove consent at the motion to dismiss stage, particularly when arguing that website “trackers” cannot be pen registers because the user “necessarily and voluntarily discloses” its IP address by visiting the website. The defendant could not demonstrate that users consented to share IP their addresses with third parties.

With three of the four California federal district courts paving a pathway for pen register and website trap and trace cases to advance past the pleading stage, we anticipate an increase in new filings under this theory in the foreseeable future.

New Trend of Search Bar Pixel Cases

Another wave of recent cases alleges that technology sharing the contents of what is typed into a search bar with third parties violates certain laws, including CIPA, Federal Wiretap Act and other common law privacy rights. In Heerde v. Learfield Communications⁴, plaintiffs alleged that when visitors entered search terms into the search bars of certain college athletics websites, those search terms were simultaneously transmitted to the third parties via tracking pixels (such as the Meta Pixel) and used for targeted advertising in violation of CIPA. Defendants argued that the search terms do not constitute “contents” of communications under CIPA. However, the Central District of California court disagreed, holding that “search terms constitute ‘contents’ of a communication” and that sharing of these terms with Facebook via the Meta Pixel could potentially violate CIPA. This decision sparked a string of new complaints alleging that entering search terms on websites utilizing third-party pixels and beacons violates wiretapping laws.

Similarly, in Gershzon v. Meta Platforms⁵, California Department of Motor Vehicles (DMV) website users alleged that Meta used its Pixels to collect their personal information, including their names, email addresses and the contents of communications with the DMV in violation of CIPA. The Northern District of California court agreed, finding that the communications sent by website visitors through the search bar—integrated into the URL that returns search results—are considered “contents” of communications to third parties under CIPA. Plaintiffs are now also alleging that such data sharing should be considered theft, as it involves the unauthorized use of information related to their online activities, which they consider to be their “property.”

The Evolving Landscape of Privacy Law and Litigation

These developments highlight the growing scrutiny on how companies handle consumer data and the potential legal repercussions of failing to consider the possibility of private claims under privacy statutes, state common law rights of privacy, and state constitutional protections for privacy where applicable. Businesses must be vigilant in understanding and addressing these emerging risks, as the implications of unauthorized data sharing can lead to costly litigation.

The Cybersecurity and Data Privacy team at Buchanan delivers comprehensive strategies for managing data privacy and cybersecurity challenges. We specialize in both compliance and litigation, with extensive experience in handling website wiretapping issues, including tracking and tracing. Our team has defended clients in a variety of contexts, from mass arbitrations to class actions, in courts nationwide. Our approach focuses on understanding our clients' business and marketing objectives, working collaboratively to achieve those goals while mitigating data privacy risks. Additionally, we offer a flat fee website auditing service designed to identify potential areas of risk and exposure. For more information about our flat-fee auditing service, click here to view our brochure, and reach us at cyber@bipc.com.