
What Companies Who Collect Personal Data Need to Know About “Pen Register” and “Trap and Trace” Provisions of California’s Wiretap Act

By: James K. Paulick, Esq.

The latest litigation development in California Invasion of Privacy Act (“CIPA”) claims is the use of the “pen register” and “trap and trace” provisions of California’s wiretap act in Greenley v. Kochava, 22-cv-01327, 2023 WL 4833466 (S.D. Cal. July 27, 2023). Many commentators and pundits seem to believe this could be another watershed moment for CIPA. However, upon second glance, this case appears to involve a very specific set of facts that are not the “bread and butter” of CIPA claims and should not result in a flurry of additional CIPA class actions.

However, data brokers should be on the lookout and follow the Greenley case closely as it develops past the motion to dismiss stage – and all businesses who are worried about CIPA should obviously keep an eye on how the judge in Greenley rules from here on out – especially on motions for summary judgment.

About the Case

The Greenley case involves allegations that Kochava, a data broker, provided a software developer kit (“SDK”) that had embedded code that surreptitiously intercepted personal data any time a user ran an app that was developed with Kochava’s SDK, in violation of CIPA’s “pen register” and “trap and trace” provisions found at California Penal Code 638.50-51.

An SDK is a software environment that assists developers in integrating their software to a particular vendor’s systems. In other words, it’s a tool that isn’t specific to a particular app – rather, it’s a framework that aims to be embedded and integrated into as many apps as possible. The peculiar and unique goal, as it appears from pleadings and general information available, is that Kochava’s SDK is geared toward analytics, i.e. visibility into how apps are being used, and all of the attendant personal data that can be gathered by one’s use of an app, such as geolocation data.

What is a “Pen Register” or a “Trap and Trace”

For additional background, a “pen register” is a device or process that “records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of the communication.”

A “trap and trace” is a “device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”

In the classic sense, similar to the “Goodfellas” movie, this is a tool that law enforcement uses to, in the case of a pen register, gain information about all of the outgoing phone calls made through a telephone; inversely, a “trap and trace” would enable law enforcement to see a list of all phone numbers that made inbound calls to the device being traced (for example, everyone who called Henry Hill). Notably, consent to do the above is a complete defense under section 638.51.

Potential Implications

How exactly this prohibition actually applies in the Greenley case is entirely unclear from the opinion, because the analysis regarding whether the Defendant created a “pen register” or “trap and trace” by tracking geolocation does not develop into a perfectly cohesive and cogent argument. Although it is alleged in Greenley that Kochava tracked “locations, spending habits, and personal characteristics” and then “shared such data with third-party companies,” how this activity adds up to the equivalent of a pen register or a trap and trace device is devoid of any solid ground. Further review of future developments in the case will hopefully provide some answers.

How this applies to businesses who are currently agonizing over how to avoid the heretofore “ordinary” CIPA claims through the use of analytics and chat functions is unclear at this point. However, as alluded to in the beginning of this article, it doesn’t appear that this secondary “strain” of CIPA cases is wholly applicable to the average company that might be exposed to the traditional analytics/chat class action liability.

Importantly, not only is Kochava sued under CIPA as a private cause of action by Plaintiff Greenley, Kochava is also facing a complaint by the FTC for engaging in unfair data practices for the same essential allegations in the Greenley case (see https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf). The FTC alleges that their SDK permitted the geolocation tracking of users, without their knowledge, to the extent that anyone privy to the data collected could, over the course of months, track exactly where an individual went, and this activity all took place without users’ knowledge or consent.

It appears to us that this case represents the far extreme set of facts that give rise to a CIPA case, along with an FTC complaint to boot. It is unlikely this is a bellwether case that will result in hundreds of new complaints, or amended complaints, alleging violations of the “pen register” or “trap and trace” provisions of the California wiretap law. Rather, it may result in a modest increase in complaints and allegations against data brokers who are really operating on the edge of objective reasonableness, rather than the more common set of retailer defendants who are facing CIPA claims against the use of website analytics, session replay software and chat/chat-bot functionality.

However, only time will tell if this case will have the same “sea change” impact as Javier v. Assurance IQ (as discussed in previous articles here and here) wherein CIPA cases were given their initial approval by the Ninth Circuit Court of Appeals.

Companies should still stay alert; be completely aware of their use of analytics software, tracking pixels/cookies and chat bots; and keep in line with the latest recommendations for mitigation, such as consent forms/banners and updated privacy policies. Companies should also always take a “privacy by design” approach, and only collect the minimal amount of personal data necessary for their business pursuits to minimize data breach exposure and to avoid being an easy target for the plaintiffs’ bar for CIPA-like cases.

For assistance with complying with CIPA or other privacy/wiretap related law, please contact James K. Paulick at jpaulick@leechtishman.com or 424.738.4400 for an initial consultation. Jim is Counsel with Leech Tishman and a member of the Corporate Group, where he leads the Data Privacy & Cybersecurity Group.
