We recently reported on the Licea decision, in which a Los Angeles Superior Court judge dismissed a claim against a website operator brought under Section 638.51 of the California Privacy Invasion Act (CIPA), which prohibits the use of “pen registers” and “trap and trace” devices without a court order. Yesterday, a different L.A. court judge went the other way, overruling a hotel chain’s demurrer seeking dismissal of what appears to be a nearly identical claim. The case is Levings v. Choice Hotels International, Inc., Case No. 23STCV28359 (Cal. Sup. Ct. L.A. County Apr. 3, 2024); a copy of the order is available here.
The Levings complaint alleges that the hotel chain “secretly used ‘pen register’ software to access Plaintiff’s device and install tracking software in violation of California law.” That’s about it in terms of the details of defendant’s alleged misconduct. The complaint provides a high-level summary of the right to privacy, the role of IP addresses, the practice of linking IP addresses to particular individuals (what plaintiff refers to as “identity resolution”), and CIPA’s “pen register” provisions. The complaint then asserts that the hotel chain “knowingly and intentionally deployed a software device and process to decode and record the routing, addressing, and signaling information transmitted by Plaintiff’s electronic device communication as part of Defendant’s identity resolution efforts,” which allegedly “constitutes illegal installation of a ‘pen register’ in violation of California law.”
The hotel chain demurred and separately moved to strike Licea’s claim for punitive damages. The demurrer pointed out that the complaint failed to specify the “device or process that was used by Choice Hotels that would meet the definition of a pen register,” and argued that recording an “IP address, is not, in itself, sufficient to support a claim for the illegal use of a pen register.” The hotel chain further contended that the user had consented to the collection of his IP address by visiting the website.
The court overruled the demurrer. The court held that the allegation that the hotel chain had “deployed a software device and process” was enough to plead “ultimate facts,” and that “a detailed description of the software and the precise mechanism it employs are evidentiary facts which need not be included.” The court also rejected the consent theory, observing that “[i]f merely visiting a website constitutes consent to the use of a pen register, then Section 638.51(a) would be a dead letter.”
Interestingly, and unlike the judge in the Licea case, the Levings judge did not recognize the flip-side implications: that if merely visiting a website constitutes a violation of the pen register statute, then Section 638.51(a) would “potentially disrupt a large swath of internet commerce without further refinement as the precise basis of liability.” Licea v. Hickory Farms LLC, Case No. 23STCV26148 (Cal. Sup. Ct. L.A. County Mar. 13, 2024); see also Smith v. LoanMe, Inc., 11 Cal. 5th 183, 190, 483 P.3d 869, 872 (2021) (“If the language is clear, courts must generally follow its plain meaning unless a literal interpretation would result in absurd consequences the Legislature did not intend.”) (emphasis added).
On the bright side for the hotel chain, the court granted the motion to strike the punitive damages claim, holding that the plaintiff was limited to the statutory damages set forth in the statute.
The vastly different approaches courts have taken to this new breed of CIPA claim highlights the considerable uncertainty in this area, the need for appellate and legislative clarity, and the importance of educating courts about the technology and the implications of their statutory interpretations.