Dozens of lawsuits have started challenging businesses’ use of website tools to collect IP addresses under the “pen register” and “trap and trace device” provision of the California Invasion of Privacy Act (“CIPA”). As we reported last month, a California court dismissed one of these lawsuits because of a critical problem with this new theory: every website on the internet requires IP addresses to function. For this same reason, a second California court agreed that CIPA’s pen register provision “does not prohibit the use of technology on a website to collect visitors’ IP addresses.” See Rodriguez v. Plivo Inc., 2024 WL 5184413 (Cal. Super. Oct. 2, 2024).
The lawsuit made allegations typical of pen register complaints. Plaintiff Rebeka Rodriguez claimed that Defendant Plivo Inc. used a website tool (which she called “tracking software”) that constitutes an unlawful pen register. A “pen register” within the meaning of CIPA is a device that collects information about a communication, known as “record information,” which courts in other contexts have routinely held includes IP addresses. According to Rodriguez, the website tool at issue was an unlawful pen register because Plivo allegedly used the tool to collect her IP address when she visited the website.
The Court sustained Plivo’s demurrer (without leave to amend) and dismissed Rodriguez’s complaint, because “Plaintiff’s IP address is not the type of information that parties are prohibited from collecting by CIPA.” Not only did Rodriguez “voluntarily provide the information,” but she also “could not have accessed Defendant’s website” in the first place without providing her IP address. That is because “the IP address enables a device to communicate with another device—such as a computer’s browser communicating with a server.” The Court also remarked that the website tool at issue did not collect the type of “sensitive data” that courts have held are collected by unlawful pen registers.