Search Menu

Website Tracking Technologies – Invasion of Privacy and Computer Fraud? Print PDF

03.11.2024

In the past several years, states, led by California, have enacted comprehensive privacy laws in an effort to protect the personal information of consumers.  California’s Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), provides companies with specific compliance metrics and requirements relating to the personal information of consumers. However, only businesses that meet certain revenue and information-processing thresholds are subject to CCPA.  Therefore, in order to reach a broader range of defendants, over the past few years plaintiffs’ attorneys have developed new theories for civil liability relating to data privacy that apply to all businesses. 

One litigation trend is an influx of actions under state and federal invasion of privacy and computer access/fraud laws (particularly in California, but also in Pennsylvania, Massachusetts, Florida and Illinois).  These laws generally permit any person to bring an action alleging a violation against any person or business, without regards to revenue and/or information-privacy thresholds, and successful plaintiffs are entitled to damages (in California, there are statutory penalties of $5,000 per violation or treble damages, whichever is greater).

Just about every business uses third-party marketing/web analytics tools (e.g. Meta Pixel, Google Analytics, chat bots) to analyze the behavior of visitors to its website.  These tools involve tracking, reviewing and reporting data to measure such behavior, which ultimately can enable a business to retain customers, attract more business, and increase revenues. One category of new complaints has alleged that consumer websites are illegal “pen registers” or “trap and trace devices” due to the use of these common analytics tools.

A “pen register” is generally defined as a device or process that records or decodes dialing, routing, addressing or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.  A “trap and trace” is generally defined as a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication. These devices have traditionally been used by law enforcement for surveillance purposes (pen registers are caller ID tools and trap and trace devices are generally wiretaps). 

State invasion of privacy statutes generally prohibit the use of a pen register or trap and trace device without a court order, unless the person consents to the use or in order to protect the user’s property. Conventionally, plaintiffs alleging violations of these statutes targeted law enforcement.  However, more recently plaintiffs have argued that the tracking technologies in web analytics tools (e.g. cookies, web beacons, scripts, pixels) that monitor website visitor locations, searches, browsing activity and/or purchase history are pen registers and/or trap and trace devices, and that the website users did not consent to have such information recorded.  Businesses’ first line of defense is that such technologies are not pen registers or trap and trace devices.  To hedge their bets, they also generally take the position that if the technologies are found to be pen registers or trap and trace devices, they have obtained proper consent from customers (assuming they can support this argument).  

A recent development in one of these cases, Greenley v. Kochava Inc., has clearly emboldened plaintiffs’ attorneys and raised concerns for online retailers.[1] In this case, Kochava provided software development kits to clients for smartphone apps, and as part of their agreements with clients, Kochava was granted permission to track various information from the users of the related app, such as their geolocation data, spending habits and other personal characteristics.  Kochava then sold this information to third parties. Among other things, the complaint alleged that the plaintiffs’ use of the apps that contain Kochava software violated the California Invasion of Privacy Act (CIPA) as well as the California Computer Data Access and Fraud Act (CDAFA).   Kochava filed a motion to dismiss the complaint. 

As to the CIPA claim, the plaintiffs argued that the apps provided Kochava with the plaintiffs’ personal information and constituted an illegal pen register in violation of CIPA. In its motion to dismiss, Kochava contended that the software development kit did not constitute a pen register, because the statute intended that it cover only a physical device used to track the phone numbers dialed on a telephone’s outgoing calls. The court disagreed, finding that in the current environment, pen registers can take the form of software, a finding that if upheld, will expand the interpretation of the statute’s definition.  Further, Kochava argued that users consented to access to and use of their information by consenting to sharing their location with a third-party app developer when they downloaded the application, and also by failing to opt out by contacting Kochava and requesting data deletion. The court was not convinced, reasoning that because consent is limited to the conduct authorized, and the plaintiffs were not aware of Kochava’s activities, there could be no consent (and the plaintiffs could not opt out from an activity they were not aware of). 

As to the CDAFA claim, the plaintiffs argued that through the apps Kochava knowingly and without permission accessed computers and took and used data from such computers.  In its motion to dismiss, Kochava again reasoned that users consented as in their CIPA argument, and that the act’s requirement that access was “without permission” should be limited to “conduct that circumvents a device barrier or ‘hacks’ a computer system”.  The court rejected the consent argument for the same reasons as under the CIPA claim.  In addition, citing other cases, the court gave a broader interpretation of “without permission”, finding that code hidden in embedded software may use or take computer data “without permission.”  Therefore, the code in the app that provided users’ personal information to Kochava was “without permission.”

The Greenley court denied the motion to dismiss, and the case is now pending with other potential plaintiffs and defendants very interested in the outcome. If the court ultimately finds against the defendant, and other cases follow suit, aggressive plaintiffs’ attorneys will likely  attempt to further broaden the interpretation and application of laws (in California and other states) that were originally intended to cover outdated technologies. Under a broad interpretation of the invasion of privacy act definitions, an example of a pen register could be a person’s email software/application that records a list of addresses contacted (i.e. the sent folder), and an example of a trap and trace could be a person’s cell phone that logs incoming numbers (i.e. the call log).  Further, under the computer access/fraud laws, any code hidden in embedded software could violate “without permission” requirements. Accordingly, at a minimum, businesses should examine the tracking and other website technologies that they are using (directly or through third-party services) on an application-by-application basis to determine whether any targeted technologies are in use.  If so, regardless of their footprint in California, businesses should also perform an analysis with legal counsel to determine and mitigate the potential risks of a class action complaint as a result of such use, including by:

  • Identifying and explaining in clear detail the use of tracking technologies in its privacy policy. This should include a specific reference to and description of any third parties that may ultimately have access to the user’s personal information;
  • making sure their websites have a cookie banner disclosing the use of the tracking technologies and highlighting a link to the corresponding provisions of the privacy policy and a consent method. No tracking technology should be utilized until the user consents by clicking on the accept button on the cookie banner; and
  • retaining a record of the consent in a manner that shows that a user would not have been able to access the website without accepting the applicable tracking technology policies.

The foregoing information is provided only for general reference. It does not constitute legal advice.  Legal advice may be provided based only on specific facts.  Please consult us before relying on any general information stated herein.  We are happy to discuss any questions you may have.

[1] Greenley v. Kochava, Inc., Case No. 22-cv-01327-BAS-AHG (S.D. Cal July 27, 2023).

We use cookies to enhance your browsing experience. Please know that by continuing to explore our website, you consent to the use of cookies in accordance with our Privacy Policy.