California Judge Rules CIPA Witetap Law Doesn’t Apply to Websites

In March, I wrote about a growing class of data privacy litigation. These cases seek to enforce the California Invasion of Privacy Act (CIPA) against websites collecting user data. These cases allege that websites violate the CIPA when recording data from users’ sessions, even if the website does not share the data. Recently, a California judge ruled that the CIPA’s pen register and trap and trace device provisions only apply to telephone communications and do not extend to websites. A recent Mintz memo discusses the opinion:

“This decision represents a significant win for companies facing litigation over their use of pixels, web beacons, and other internet data collection technologies. It provides companies with persuasive authority they can use in response to similar lawsuits and a roadmap for defeating these types of claims. Moreover, it seriously weakens the argument that affirmative consent is required before companies may collect data on the Internet. As the Court explained in its written ruling, “the internet was in widespread use when these provisions were enacted in 2015. If the Legislature had intended for section 638.51 to apply to commercial websites, it would have so stated either in the statute itself or in the surrounding materials.”

CIPA, originally passed in 1967, didn’t contemplate the internet and served to protect telephone conversations. It is only recently that plaintiffs sought to use the wiretapping law to allege violations by website owners. This marks one of the first cases to reach a dispositive outcome in court. It was also dismissed with prejudice. While this ruling only indicates the views of one court at the trial level, the opinion does not bode well for future plaintiffs.