Three recent federal court cases consider whether the use of third party trackers embedded in websites can be the basis of class action lawsuits alleging violations of statutes enacted before the internet existed. These trackers send the user’s browsing information to third parties. In two cases, the plaintiffs alleged that such trackers constituted unauthorized “pen registers” under a California privacy statute; and in the third case, the plaintiffs sued under the federal Video Privacy Protection Act.

The Facebook Pixel

The plaintiffs in Martinez v. D2C, LLC sued the owner of the Spanish language media business Univision NOW. Univision’s website used Facebook’s “Pixel”, a tracker that allows website owners to pass on to Facebook their users’ website activity. The plaintiffs said that, by passing their video watching history to Facebook, Univision violated the federal Video Privacy Protection Act (VPPA). (We have previously covered the VPPA and the Facebook Pixel here and here).

The plaintiffs claimed to represent a class of about 36,000 Univision subscribers. In challenging this contention, the defendants’ expert pointed out that the Pixel would only transmit information if the user had the Facebook and Univision apps open at the time using the same browser and device, and then only if the web browser did not block the Pixel. In response, the defendants pointed to a study showing that 68% of Americans have a Facebook account, and 70% of Americans use Chrome and Edge, browsers whose default settings do not block the Pixel. It said that simple math left it with a class of at least 17,000 users.

The court disagreed. It said that there is a big difference between having a Facebook account and having Facebook open at any given time. It said that the plaintiffs had produced no evidence as to the percentage of Chrome and Edge users modify their default privacy settings; or how many had third party software that would block the Pixel. The court said: "Although it may be tempting to assumer numerosity based on the sheer size of Plaintiffs’ starting point of 35,845 members, such baseless assumptions cannot carry the day.” In fact, the court found reason to doubt that even the three named class representatives actually qualified as class members.

Web Trackers as Pen Registers Under California Law

A Broad Interpretation

Shah v. Fandom involved the California Invasion of Privacy Act (CIPA), a 1967 statute intended to prevent eavesdropping and to limit the use of “pen registers”, devices that record dialing, routing, addressing or signaling information of electronic communications. CIPA is a criminal statute that allows for a private right of action and statutory damages of $5,000 per violation. Needless to say, a class action in which thousands of class members may each receive $5,000 without having to prove actual damages is a daunting prospect for a website owner.

The plaintiffs were users of a videogame website that employed third party tracking software. The plaintiffs argued that the trackers recorded and sent their IP addresses to third parties without their consent. The defendant, Fandom, Inc., argued that transmitting such information is necessary to properly display the website on the user’s computer. The trackers also stored cookies on the user’s browser cache, cookies that provided information about the users to advertisers. Fandom did not contend that this was a functional requirement of a website.

The federal district court for the Northern District of California analyzed the broad language of the California statute and concluded that web trackers are pen registers. In doing so, it noted that the California Supreme Court regularly reads old statutes to apply to new technologies. The court was unfazed about the possible use of the statute to criminalize some basic functions of the internet. It said “[T]he question of whether the statute’s scope should be narrowed ultimately rests with the legislature, not the courts.”

Consent to the use of a pen register is a defense to alleged violations of the CIPA, but the defendant had no express consent mechanism built into its website, and it quickly backed off a tentative argument of implied consent. The court denied the defendant’s motion to dismiss in an order dated October 24, 2024.

The court did not exercise the caution recently shown in a recent Massachusetts Supreme Judicial Court opinion, discussed here, where the court refused to extend the language of an old criminal statute to civil litigation involving new technologies. Instead, Fandom left the door open to class action lawsuits alleging that web trackers constitute unauthorized pen registers. While it is a California decision, it has potential application to any owner of a website that attracts users in California.

A Narrow Interpretation

However, a more recent decision of the district court of the Southern District of New York exercised even greater caution than did the Massachusetts court. In Gabrielli v Insider Inc., the plaintiff complained that the use of a cookie that transmitted his IP address to third parties violated CIPA. In granting a motion to dismiss the class action complaint, the court said that website users have no reasonable expectation of privacy in their IP addresses, they suffer no concrete injury when this occurs, and, absent such an injury, federal courts lack jurisdiction to consider such claims because of the “cases and controversies” clause of the US Constitution.

The plaintiff argued that CIPA created substantive privacy rights that supported the court’s jurisdiction. The district court disagreed, saying that violation of the pen register portion of CIPA was a “bare procedural violation” because the defendant could institute a pen register with a court order. The court concluded that, since it lacked jurisdiction to hear the complaint, it would dismiss the complaint without leave to amend it.

State Court Decisions

These federal court cases do not present a complete picture, since CIPA has also been the subject of numerous lawsuits in California state courts. For example, in Licea v. Hickory Farms, the Superior Court for Los Angeles County, dismissed a complaint alleging that a web cookie was a pen register when the plaintiff alleged no more than a disclosure of the user’s IP address. However, in Levings v. Choice Hotels Internationals, a decision of the same court one month later, a tracking device was ruled to constitute a pen register.

Analysis

Even if the ruling in Gabriella were to gain currency nationwide, state courts will likely assert jurisdiction over allegations of violations of state privacy statutes. These decisions and the cases that they cite make it clear that exactly what information was transmitted, to whom it was transmitted and who put it to what use may all matter in deciding whether a law has been broken. Neither the Licea nor the Levings decision is particularly detailed, so clarity regarding web trackers as pen registers under CIPA may be lacking for some time.

Despite this lack of clarity, the risk involved in using third party cookies for advertising or other purposes should be apparent. There is a way to eliminate these risks: provide sophisticated, clear consent mechanisms by asking websites users for their informed consent to the use of whatever cookies or web trackers are being used. While different states and countries have varying rules regarding the appropriate way to obtain that consent, there are evolving best practices that should be followed. For example, business should limit the number of trackers that they use and configure them to limit or reduce the amount of personally identifiable information that they collect. In addition, websites should use cookie banners that disclose what data will be collected and to whom it will be provided, and provide a clear opt-out mechanism. These cookie banners should be sufficient to discourage class action lawyers from pouncing.