- Class actions say software collects signals to identify users
- California law doesn’t require proof data was actually used
California class-action plaintiffs trying to target website user-tracking software they call a powerful surveillance tool are turning to a new theory of harm now that their claims filed under the state’s wiretap laws have run into headwinds.
Since November, a small group of plaintiffs—represented by the same attorney—have brought more than 50 class actions in California state courts against a bevy of website operators, alleging they violated state law by installing software that acts as an illegal “pen register.” Website operators targeted in the complaints include retailers Anine Bing Corp., Stitch Fix Inc., and Primer Labs Inc.
Under the California Invasion of Privacy Act, pen registers—devices or processes that record or decode the dialing and routing information of communications, but not the contents—can only be installed pursuant to a court order. The complaints claim the code used by the accused websites operates in a similar manner, monitoring a user’s activity and decoding device data to help identify sensitive information such as their location, race, age, and ethnicity.
It’s the latest evolution in lawsuits challenging a rapidly growing suite of technologies that track online users, including tracking-pixel and session-replay technologies from companies such as
Attorneys say that the new wave of pen-register lawsuits may find better traction.
The pen-register law is “a much broader statute than the wiretapping they’ve been using so far,” said Crowell & Moring LLP partner Jason Stiehl. “It touches on another portion of the same kind of wiretap universe in California, that doesn’t have some of these hurdles that have allowed defendants to get out of cases under the other kind of wiretapping concepts.”
A New Theory
Previous user-tracking lawsuits largely based their arguments on two provisions: one that prohibits willful wiretapping seeking communications in transit, and another that bans recording customer calls without consent. Such complaints require plaintiffs to show not just that a monitoring device was deployed, but that it actually captured data and that its use violated an expectation of privacy.
The California law requires that plaintiffs prove a pen register was deployed without a court order or consumer consent—or without meeting one of the statute’s other exceptions. Breaking the law can trigger statutory damages of $5,000 per violation. Courts have yet to define the contours of what actions constitute separate violations, Stiehl said.
“What’s creative about it, is that a lot of the arguments that we’ve been making to defeat these things—like lack of standing or consent, or the in-transit argument that have been kind of successful out of California—go out the window, because none of those are elements of the pen register statute,” said Stiehl.
The new crop of lawsuits have all been filed by one plaintiffs’ counsel, Scott Ferrell. He has a prolific track record when it comes to CIPA-related cases, including those alleging violations of the law by chatbot and session-replay technologies. Ferrell’s known for filing dozens of identical complaints against retailers for statute violations.
His pen-register approach has caught the eye of other attorneys. Other user-tracking lawsuits, such as pixel-tracker cases in the health-care space, saw a similar progression, said Wynter Deagle, partner at Sheppard Mullin.
“You start with almost a scattershot filing of the same complaint against a number of defendants,” she said. “And then once it catches on a little bit, you do start to see more interest from other plaintiffs lawyers.”
Sheppard Mullin has represented clients against Ferrell.
Ferrell declined to speak on the record for this story.
Kochava Provides Precedent
The California class actions in this wave aren’t the first cases to bring a CIPA claim using a pen-register theory.
In July the US District Court for the Southern District of California mostly denied a motion to dismiss a plaintiff’s claim in Greenley v. Kochava accusing a data broker of using its software development kit—sold to a variety of third-party apps—to collect user data. The court rejected Kochava Inc.'s claim that the software wasn’t a pen register, instead noting, “Today, pen registers take the form of software.”
“As a result, private companies and persons have the ability to hack into a person’s telephone and gather the same information as law enforcement,” Judge Cynthia Bashant wrote in her opinion. “Perhaps for this reason, the California legislature does not limit its prohibition on installing pen registers to law enforcement.”
The federal court also noted that California’s law uses “expansive language” that doesn’t limit what devices constitute a pen register.
“The pen-register theory is not even in its infancy yet,” said Joshua Swigart, Swigart Law Group founder who served as plaintiffs’ counsel in Greenley v. Kochava.
While Greenley was brought directly against a software company that developed a tracking tool, the recent wave of complaints targets website operators, not the developers of the alleged pen registers.
An abstract provided by Ferrell, the plaintiffs’ counsel in the new wave, and reviewed by Bloomberg Law names ContentSquare as the software provider of these firms. However, Ferrell noted there are “dozens” of such providers.
Fight Ahead
Swigart said that while articulating the existence of a pen register may be technically simple under the statute, the real fight for defendants in these cases will be proving whether there was consent—an exception to the requirement for a court order. In Greenley, the court held that Kochava wasn’t covered by the consent given to the third-party websites, making its interception of the data a plausible CIPA violation.
The consent questions could be more complicated for complaints directed against website operators.
“One of the arguments might be who actually is controlling the pen register, who’s aware of it. Because that’s not really clear,” said Stiehl.
Both Deagle and Swigart noted that other California wiretapping complaints have not entirely died out. For instance, health care-related pixel tracking complaints have had increased success, due in part to pressure from federal regulators and the risks associated with the sensitive nature of health data.
To keep ahead of potential complaints, companies need to take stock of the tracking software they’re using and make sure marketing and legal departments are on the same page about what it does and whether its potential return-on-investment is worth the risk, Deagle said.
“This is the latest iteration,” she said, but that “doesn’t mean it’s the last.”
“The good housekeeping that we’re suggesting is becoming more and more important, because, as we’ve seen, this is a very heavily focused and evolving area of law that is very attractive for claims because of the statutory damages.”
“The risk level has changed,” Deagle added.
Some predicted the wave of pen-register complaints is poised to grow.
“You will see more cases piled on this pen-register theory this year for sure,” said Swigart. “It’s going to be more interesting what happens when these cases are filed in the federal court and they’re ruled on more quickly and made public.”
