A Los Angeles County state court recently resisted attempts to expand the California Invasion of Privacy Act (CIPA) beyond its original intent. Enacted in 1967 to address traditional issues like wiretapping and eavesdropping, CIPA was not designed to regulate website technologies or internet analytics. However, plaintiffs’ counsel has increasingly invoked the statute to challenge standard online tools, such as cookies and chat features, as unlawful “wiretaps” or “trap and trace” devices.
Rodriguez v. Ink America
The court’s decision in Rodriguez v. Ink America declined to adopt this interpretation, dismissing the plaintiff’s claims that Ink America’s use of website analytics should be considered an impermissible “pen register” or “trap and trace device” under CIPA. In doing so, the court made several important observations:
- CIPA Cannot Render the CCPA Meaningless.
The court found CIPA’s statutory language ambiguous when applied to modern internet technologies. It explained that if common website analytics tools were classified as criminal “pen registers” under CIPA, their use without a court order would be unlawful, contradicting the CCPA’s allowance for these tools with proper notice and opt-out rights. The court also noted that applying CIPA to conduct already regulated by the CCPA would penalize compliance and go against legislative intent. Expanding CIPA would lead to confusion rather than improved consumer protections, as private settlements do not necessarily produce clearer rules or stronger safeguards. Ultimately, the court held that the pen register statute does not criminalize the standard process of websites communicating with users who voluntarily access them.
- Service Provider Exception.
The court also ruled that website operators are considered “electronic communication service providers” under CIPA Section 638.50(b). Consequently, even if collecting an IP address is deemed a “pen register,” Section 638.51(b) provides an exception that permits the collection and use of such information to operate, maintain, test, or protect the service.
- CIPA Is Limited to Telephonic Surveillance.
The court reiterated that CIPA’s pen register provisions were designed to combat telephone-based surveillance, not the regular functioning of commercial websites or commonly used analytics software. Given the statute’s ambiguity as applied to the internet, the court declined to extend CIPA to routine website analytics practices.
Why This Decision Matters
Many prior courts have treated CIPA as applicable to modern web tracking. However, Rodriguez stands out because the court acknowledged the ambiguity of applying old statutory language to modern web technologies. It examined legislative intent and California’s broader privacy framework and ultimately dismissed the claims outright, without leave to amend.
Rodriguez signals important judicial skepticism toward efforts to transform ordinary website analytics into criminal wiretapping conduct under CIPA. While not the final word, it is a useful, defense-friendly decision that may help more courts reevaluate CIPA claims in the online context, particularly where plaintiffs’ theories would clash with the CCPA’s established compliance framework.