Posts

IHOP Invasion of Privacy Lawsuit

California Invasion of Privacy Act Lawsuit Against IHOP

IHOP Invasion of Privacy Lawsuit

The Los Angeles consumer protection lawyers at Tauler Smith LLP recently won a pre-trial demurrer hearing in a trap & trace complaint against IHOP. The California Invasion of Privacy Act lawsuit against IHOP was filed by a California consumer who alleged that the restaurant chain installed a trap and trace device on its website to unlawfully monitor website visitors without consent. IHOP argued that the case should be dismissed before trial, but the court overruled the Defendant’s demurrer and said that the case against IHOP can proceed.

To learn more about the lawsuit against IHOP, keep reading this blog.

Trap & Trace Lawsuit Against IHOP Heard in California Court

The Defendant in the recent digital privacy lawsuit is IHOP Restaurants, LLC. IHOP, or International House of Pancakes, is a popular pancake house restaurant chain with nearly 2,000 locations in the United States and internationally.

The civil suit against IHOP is being adjudicated in the Los Angeles County Superior Court and presided over by Judge Michael Small. A California consumer filed the lawsuit because IHOP allegedly installed a trap & trace device on their website to effectively spy on site visitors. This would constitute a clear violation of the California Invasion of Privacy Act (CIPA), which is codified in California Penal Code Section 638.51.

Cal. Penal Code § 638.51 is known as the “trap and trace” provision because it prohibits companies from utilizing trap & trace devices to collect data from consumers without permission. The statute explicitly states that a person or company “may not install or use a pen register or a trap and trace device without first obtaining a court order.”

TikTok Software

According to the legal complaint, IHOP’s website uses a trap & trace device created by TikTok to gather private information about site visitors without their consent. As soon as consumers access IHOP’s website, their personal information is allegedly collected via the TikTok software.

Demurrer Hearing

The Defendant filed a demurrer to dismiss the lawsuit, with an additional motion to strike a request for punitive damages.

The lawsuit against IHOP alleges that IHOP installed TikTok software on its website and that IHOP uses this software to “trap and trace” private information about consumers. The Los Angeles County Superior Court rejected IHOP’s demurrer and ruled that the allegations against IHOP are sufficient to state a cause of action for a violation of the CIPA.

Lawsuit: IHOP’s Website Software Is a Trap & Trace Device

What exactly is a trap & trace device? The California Invasion of Privacy Act (CIPA) defines a trap and trace device as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication.”

The precedent in these cases is clear: courts have repeatedly held that communications or chat features on websites do qualify as “electronic communications” for the purposes of the Trap & Trace Statute. In this case, the court also ruled that the TikTok software allegedly installed by IHOP on its website “falls within the ambit of the definition of a ‘trap and trace device’ in Section 638.50.” That’s because the TikTok software is a device that captures identifying information about visitors to the IHOP website.

Telephone Lines and Websites

In its demurrer, IHOP argued that the reach of the CIPA should be limited to devices that are capable of being physically attached to telephone lines, which relies on a definition of “trap and trace device” that would exclude the invasive TikTok software allegedly installed on the IHOP website.

The court rejected IHOP’s interpretation of the statute because the definition of “trap and trace devices” found in the CIPA is extremely broad: it encompasses more than just devices that capture an originating phone number, and therefore applies to more than just telephone lines.

TikTok Software = Trap & Trace Device

The L.A. County Superior Court went even further than many previous courts to rule that the California Legislature contemplated that the CIPA might cover “the development of new devices and techniques for the purpose of eavesdropping upon private communications.” The court added that the TikTok software allegedly utilized by IHOP is precisely such a “new technique” for capturing the confidential information of consumers without their consent.

IHOP Not Exempt from Liability for Utilizing Trap and Trace Devices

There are a few exceptions to the CIPA prohibition against the use of trap & trace devices. A company may utilize trap & trace devices if:

  1. The device is being used to operate, maintain, and test a wire or electronic communication service.
  2. The consent of the user has been obtained prior to use.

In its ruling on the demurrer, the L.A. County Superior Court found that neither of these exceptions applies to IHOP’s use of TikTok trap & trace software on the company website.

Court Rejects IHOP’s Arguments for Exemption

IHOP attempted to argue that it should be exempt from liability under Section 638.51(b)(5) as a “provider of electronic or wire communication services,” with the website being the service it provides. The court found this argument unpersuasive because IHOP failed to show how it might need the TikTok software to operate and maintain its website.

IHOP also tried to argue that it should be exempt from liability because the company has consented to the use of the trap & trace software installed on its website. The court quickly rejected this argument because the consent exception of the CIPA obviously applies to website visitors, not to the owners and operators of a website.

Private Right of Action Against IHOP for Violating the CIPA

In its demurrer, IHOP also argued that there is no private right of action under the California Invasion of Privacy Act (CIPA). If true, this would mean that consumers would not be able to file civil suits against companies that violate the CIPA. But the court rejected this argument because the CIPA specifically provides for statutory damages.

In fact, the CIPA allows victims to file suit against a company that violated the CIPA for either:

  • $5,000 per violation; or
  • Treble damages equaling three times the amount of actual damages sustained by the victim.

Significantly, the statute calls for plaintiffs who bring trap & trace complaints to be awarded whichever amount is greater.

Plaintiffs Eligible for Punitive Damages in California Invasion of Privacy Cases

Buried within IHOP’s demurrer was also a motion to strike the punitive damages part of the complaint and essentially deny any request for a punitive damages award at the conclusion of the trial.

Although the court granted the motion to strike, it also reiterated that the California Invasion of Privacy Act (CIPA) does allow for punitive damages to be awarded against a defendant. To receive punitive damages for a violation of the Trap and Trace Law, the plaintiff must prove that the defendant acted maliciously or fraudulently when using trap and trace software to collect customer information.

Contact an Experienced Los Angeles Consumer Protection Lawyer

Are you a California resident who visited the IHOP website? Did you visit any other websites operated by companies that might be using trap & trace devices to monitor users? If so, you may be eligible to file a lawsuit in a California court to receive monetary compensation. The Los Angeles consumer protection attorneys at Tauler Smith LLP represent plaintiffs in invasion of privacy claims, and we can help you.

Call 310-590-3927 or email us to schedule a free consultation and learn about your legal options.

Entravision Sued for Trap & Trace Violation

Entravision Sued for Violating California Trap & Trace Law

Entravision Sued for Trap & Trace Violation

International media company Entravision was sued for violating the California Trap & Trace Law. The plaintiff in the lawsuit is a California consumer who alleged that her data was unlawfully collected when she visited the Entravision website. According to the complaint, Entravision uses TikTok software to record and gather personal data from every person who visits the website, which exposes this confidential information to the communist Chinese government.

The plaintiff is being represented by the Los Angeles consumer protection attorneys at Tauler Smith LLP. Entravision’s defense attorneys tried to get the lawsuit dismissed, but the L.A. County Superior Court overruled the Defendant’s demurrer motion. As a result, the invasion of privacy claim against Entravision may now be heard at trial.

Entravision Accused of Using TikTok Software to Collect Data from Website Visitors

Entravision Communications Corporation is a global media, marketing, and technology company. Entravision’s headquarters is located in Santa Monica, California, and the company owns several television and radio stations in many of the top Hispanic markets throughout the country. Entravision is also the largest affiliate group of Univision, with Univision owning television stations operated by Entravision.

The digital privacy lawsuit was filed against Entravision Communications Corporation in the Superior Court of California, County of Los Angeles. The judge in the case, the Honorable Elaine W. Mandel, recently presided over a pre-trial demurrer hearing.

The plaintiff, a California consumer, sued Entravision Communications for allegedly violating the California Trap and Trace Law. Entravision was accused of using TikTok software on its company website to unlawfully collect the personal data of website visitors. Moreover, the plaintiff alleged that Entravision utilized the trap and trace software with willful and conscious disregard of the privacy rights of site visitors.

Cal. Penal Code § 638.51: California Trap and Trace Law

The California Trap and Trace Law is codified in Cal. Penal Code Section 638.51, which is part of the California Invasion of Privacy Act (CIPA). The CIPA broadly applies to two types of technology commonly used on some websites: pen registers and trap & trace devices. These devices are often used to record information that identifies the source of an electronic communication, including online communications on websites.

In this case, Entravision is accused of using TikTok software to identify website users through browser information, geographic information, and URL tracking data. That personal information is then sent to TikTok. Moreover, all of this is allegedly done without the consent of website visitors.

Court Rejects Demurrer: Privacy Lawsuit Against Entravision Can Proceed

A demurrer tests the sufficiency of a complaint and ensures that courts do not waste time hearing a complaint that does not allege essential facts about the case. In this case, Entravision filed a demurrer and argued that the lawsuit against the media company should be dismissed during the pre-trial stage. The Los Angeles County Superior Court rejected the Defendant’s demurrer and ruled that the case should proceed.

Entravision made five (5) arguments in support of its demurrer motion, all of which were rejected by the court.

  1. Failure to Allege Facts to Support Cause of Action

Entravision argued that the plaintiff’s complaint should be dismissed for failing to allege facts sufficient to constitute a cause of action. The court ruled that the plaintiff sufficiently showed that Entravision collects data from every visitor to its website. Along with the plaintiff’s evidence that she visited the website, this was enough to establish her claim for unlawful collection of private data.

  1. Websites Are Not “Pen Registers”

Entravision argued that the plaintiff did not show that Entravision used a pen register as defined by Section 638.51 of the Cal. Penal Code. Specifically, the Defendant contended that only physical telephone lines qualify as “pen registers” under the statute.

The court rejected the Defendant’s argument and held that both federal and state law on trap & trace devices may apply to websites, not just telephones. The court pointed to the California Invasion of Privacy Act (CIPA), which does not limit the definition of either “pen register” or “trap and trace” device to physical devices attached to telephone lines. This broad interpretation of the statute means that the plaintiff in this case did not need to allege the use of a physical pen register device by Entravision.

  1. Exemption from Liability

Entravision argued that it should be exempt from liability under the California Trap and Trace Law because the company is an electronic communications service provider. Cal. Penal Code § 638.51(b)(1) states that a provider of electronic or wire communication service is allowed to use a pen register or a trap and trace device to operate, maintain, and test its service.

The court rejected the Defendant’s argument because the question of whether Entravision is exempt under the law should be determined at trial, not during the pre-trial demurrer stage.

  1. Not a Prohibited “Device” or “Process”

Entravision argued that the plaintiff failed to plead that the Defendant used a device or process prohibited by the California Trap and Trace Law.

The court rejected the Defendant’s argument because the TikTok software allegedly used by Entravision does qualify as a “process” that captures incoming electronic impulses to identify the source of an electronic communication on the company’s website. Moreover, since users are never informed that the Entravision website is collecting their private data and sharing it with the Chinese government, this would be considered a violation of the Trap & Trace Law.

  1. Failure to Plead “Oppression, Fraud, or Malice”

Entravision argued that punitive damages in the case should be dismissed because the plaintiff failed to plead “oppression, fraud, or malice.”

The court rejected this argument because the plaintiff alleged that a reasonable jury might find the Defendant’s conduct so “vile or contemptible” that it justifies punitive damages. This aligned with the plaintiff’s contention that Entravision intentionally invaded consumers’ privacy without their knowledge or consent and that this conduct constituted “criminal activity.”

The court also held that punitive damages are not subject to demurrers.

Call the Los Angeles Consumer Protection Attorneys at Tauler Smith LLP

Do you live in California? Did you visit the Entravision website for any reason? If so, it’s possible that your personal information was unlawfully collected. The Los Angeles consumer protection lawyers at Tauler Smith LLP represent individuals whose privacy has been invaded by California companies. Call 310-590-3927 or email us today.

MSC Cruises Trap & Trace Lawsuit

Trap & Trace Lawsuit Against MSC Cruises

MSC Cruises Trap & Trace Lawsuit

The California consumer protection lawyers at Tauler Smith LLP are representing a consumer who filed a trap & trace lawsuit against MSC Cruises. The cruise ship company has been accused of utilizing trap & trace technology on its website to collect customer information without permission. The Superior Court of Los Angeles County recently ruled on a demurrer filed by the Defendant in the case: the court overruled the demurrer, which means that the case against MSC Cruises could proceed to trial.

For additional information about the MSC Cruises trap and trace complaint, keep reading.

Lawsuit: MSC Cruises Violated the California Invasion of Privacy Act (CIPA)

MSC Cruises is the world’s largest privately held cruise company. The global cruise line operates a website that invites customers to “sail to over 250 of the world’s most sought-after travel destinations.” Site visitors can register and book cruises directly on the website.

The civil lawsuit filed against MSC Cruises in L.A. County Superior Court alleges that the cruise ship company violated the California Invasion of Privacy Act (CIPA) by utilizing trap and trace software on their website.

What Is the California Invasion of Privacy Act?

The California Invasion of Privacy Act (CIPA) is codified in Penal Code § 638.51, which states that “a person may not install or use a pen register or a trap and trace device without first obtaining a court order.”

Pen Registers

As set forth by the statute, a “pen register” is a device or process that records certain information transmitted by an instrument that also transmits a wire or electronic communication. This information includes dialing, routing, addressing, or signaling information. Importantly, a pen register does not record or decode the contents of a communication.

There are exceptions to California’s digital privacy law on pen registers. For example, the pen register prohibition in the CIPA does not apply to a device used for billing purposes, cost accounting, or other similar purposes that exist in the ordinary course of business.

Trap & Trace Devices

The California Invasion of Privacy Act (CIPA) defines a “trap and trace device” as “a device or process that captures incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”

The last clause in the definition is what MSC Cruises focused on for one of its pre-trial arguments: the Defendant argued that the TikTok Software on its website only intercepts the content of communications, which would not fit the definition of a trap and trace device. However, the court found the opposite to be true: that the civil suit against MSC Cruises sufficiently alleged that the TikTok Software used on the company’s website collects data such as device, browser, and geographic information about site visitors. This is precisely the type of data which would show where users are located and thus violate the CIPA.

MSC Cruises Accused of Using TikTok Software on Its Website

Alarmingly, MSC Cruises is accused of collaborating with the Chinese government to use TikTok software to gather personal information about website visitors without their knowledge or consent. According to the complaint, MSC Cruises installed software created by TikTok on the company’s website. The TikTok Software was allegedly created for the purpose of identifying website visitors, collecting data about the visitors, and then matching the information with existing customer data that the social media platform already possessed.

The complaint alleges that the TikTok Software uses a de-anonymization process that runs codes or “scripts” on the MSC Cruises website to identify users and then send user details to TikTok. This includes data such as browser information, geographic information, referral tracking, and URL tracking.

The digital privacy complaint states that visitors of the MSC Cruises website do not consent to have their data collected and shared with TikTok. That’s because the TikTok Software allegedly starts working the moment a user lands on a website page. According to the trap & trace lawsuit, the software collects and shares the information “regardless of the cookie banner which appears on the site.” In other words, a site visitor does not have an opportunity to opt out of the collecting and sharing of their personal data because this occurs as soon as visitors land on a page or click on a page.

Pre-Trial Motion: Court Rules in Favor of Plaintiff in MSC Cruises Trap & Trace Lawsuit

The Plaintiff, a California consumer represented by Tauler Smith LLP, filed her CIPA complaint against MSC Cruises in Los Angeles County Superior Court. A short time later, the Defendant filed a demurrer with the court. Basically, this meant that the Defendant asked the court to dismiss the complaint. The court heard arguments from both sides, then ruled in favor of the Plaintiff.

Trap & Trace Software

MSC Cruises filed a demurrer with the L.A. County Superior Court on the grounds that the complaint failed to allege a violation of the California Invasion of Privacy Act (CIPA). Specifically, the Defendant argued that it had not utilized a “pen register” or a “trap and trace device” as defined by the statute because the CIPA only explicitly covers telephone-based communications, not website-based communications.

The court rejected the Defendant’s argument and found that the Plaintiff’s trap and trace complaint alleged facts sufficient for a violation of the CIPA. First, the court stated that the plain language of Section 638.51 does not limit the statute to telephone-based communications. Beyond that, the court noted that the Plaintiff did not need to provide a detailed description of the TikTok Software used by MSC Cruises at this stage of the legal proceedings; instead, all that is needed is facts alleging that the software installed on the cruise ship website captures user information which would reasonably lead to the source of the users’ communications with the website.

Consent to Trap & Trace Devices

In its demurrer filed with the court, MSC Cruises also argued that users of its website consented to the capture of their personal data through automated technologies simply by visiting the website. However, the court found that the Plaintiff’s complaint clearly alleged that the TikTok Software captured user data without users’ consent or knowledge. Moreover, this data capture occurred as soon as a user landed on the website – and without users submitting the information to the website voluntarily.

Call a Los Angeles Consumer Protection Attorney Today

Are you a California resident? Did you visit the MSC Cruises website to book a cruise vacation or for any other reason? If so, your personal data may have been compromised. The Los Angeles consumer protection lawyers at Tauler Smith LLP represent victims of consumer privacy violations, and we help them get financial compensation. Call 310-590-3927 or send an email to discuss your legal options.

Taylor Farms CIPA Claim

CIPA Claim Against Taylor Farms

Taylor Farms CIPA Claim

Tauler Smith LLP won an important pre-trial argument in a CIPA claim against Taylor Farms. The lawsuit, which was heard in the Los Angeles County Superior Court, stemmed from allegations that Taylor Farms violated the California Invasion of Privacy Act (CIPA) by using trap & trace software on the produce distribution company’s website to collect customer data without permission. The court ruled that the Plaintiff pled sufficient facts to support a reasonable inference that the Defendant violated the consumer protection statute. This was a major victory for the Los Angeles consumer protection attorneys at Tauler Smith.

Taylor Farms Accused of Using Tracking Software to Collect Customer Information Without Consent

Taylor Farms, which operates under the name Taylor Fresh Foods, Inc., is one of the leading producers of fruits and vegetables in the United States. The company distributes produce to numerous supermarket chains and restaurants, including Chipotle and McDonald’s.

The complaint against Taylor Farms alleged that the company’s website utilized tracking software created by TikTok to identify certain confidential user information, including device and browser information, geographic information, referral tracking, and URL tracking. The use of trap and trace software is a violation of the California Invasion of Privacy Act (CIPA), codified in Penal Code § 638.51. The CIPA has an express purpose to “protect the right of privacy” of California consumers. When a website operator utilizes a trap and trace device to track a site visitor’s information without consent, they have invaded the privacy of that individual.

Digital “Fingerprinting”

According to the lawsuit, the TikTok Software’s digital process is known as “fingerprinting.” This allows companies to gather user data by running code or “scripts” on their websites and then send user details to TikTok. The data is matched with information that the Chinese-owned social media company has already amassed about hundreds of millions of Americans.

What Is a “Trap and Trace Device”?

Section 638.51 of the California Invasion of Privacy Act (CIPA) stipulates that, under most circumstances, “a person may not install or use a pen register or a trap and trace device without first obtaining a court order.”

What is a trap and trace device? The statute defines a trap and trace device as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”

Trap & Trace Lawsuit Against Taylor Farms

Taylor Farms was sued for allegedly violating the California Invasion of Privacy Act (CIPA) by using trap & trace software on the company’s website. The lawsuit alleged that the site deployed TikTok Software to identify visitors by using electronic impulses generated from users’ devices. Without either visitors’ consent and or a court order to use the TikTok Software to track visitors of the website, this would be a violation of consumer privacy under the CIPA.

After the lawsuit was filed, Taylor Farms filed a formal objection in the form of a demurrer. The company argued that the original complaint failed to state a cause of action and should therefore be dismissed.

Court: Denied Demurrer in CIPA Complaint Against Taylor Fresh Foods

L.A. Superior Court Judge Daniel S. Murphy heard arguments and then issued a ruling denying the Taylor Farms demurrer. The ruling stated that the Plaintiff’s complaint alleged the two elements necessary to establish a violation of the CIPA:

  1. The Defendant installed a prohibited pen register or trap & trace device.
  2. The Defendant installed the trap & trace device without a court order.

Significantly, the court said that the allegations in the digital privacy complaint against Taylor Fresh Foods, Inc. “support a reasonable inference that Plaintiff had her information tracked without her consent, thus resulting in harm to her personal autonomy.” This outstanding pre-trial outcome represented yet another consumer protection court victory for the Tauler Smith law firm.

The California Invasion of Privacy Act Applies to Websites and Software

In a filing with the court, Taylor Farms argued that the California Invasion of Privacy Act (CIPA) only regulates physical trap & trace devices and therefore does not apply to IP addresses or “standard website data collection.” The court strongly rejected this argument.

In its ruling, the court said that the CIPA does not limit the definition of “pen register” or “trap and trace device” to physical devices attached to telephone lines. In fact, said the court, the statute’s definitions make no reference to a physical attachment. Moreover, a trap & trace device is broadly defined as applying to “electronic communications,” which the court noted “encompasses a range of transfers plainly not limited to telephone lines.”

Additionally, the court agreed with the Plaintiff’s cited case of Greenley v. Kochava, in which the U.S. District Court for the Southern District of California held that a software development kit installed in a third-party mobile application constituted a violation of the CIPA’s pen register prohibition. In that case, the court said that unlawful trap and trace technology can involve software that identifies consumers and gathers data through unique “fingerprinting.”

Section 638.51 Applies to Websites

In its demurrer filing, the Defendant also argued that the CIPA should not apply to websites because such an interpretation would subject every website to liability. Again, the court strongly rejected the Defendant’s argument. The court stated that the TikTok Software allegedly gathered unique location information and tracked user data that went well beyond the type of data which might be necessary for the proper functioning of a website.

In fact, the court said that the Defendant’s interpretation of the CIPA would lead to the “absurd result” of immunizing all websites from prosecution under the law. In other words, the CIPA would basically cease to exist because anyone who visited a website would automatically consent to the use of a trap and trace device and other tracking software.

Who Is the “User” of a Website in a Trap and Trace Claim?

The court also rejected an argument by the Defendant that Taylor Farms was the “user” of the TikTok Software allegedly installed on its website and therefore consented to the use of a pen register or trap & trace device. This argument would mean that no website visitor could ever bring a viable claim under the California Invasion of Privacy Act (CIPA) because every website operator necessarily consents to the use of the software on their own site. In other words, the CIPA “could never be violated.”

Again, the court found that it would be absurd to accept an interpretation of the CIPA which would mean every website operator could escape liability even when website user privacy is invaded.

Contact the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

If you are a California resident who visited a company’s website, it’s possible that your data was shared with third parties like TikTok. The California consumer protection attorneys at Tauler Smith LLP represent plaintiffs in consumer privacy claims, and we can help you. Call 310-590-3927 or email us to schedule a free consultation.

Pen Registers

What Are Pen Registers?

Pen Registers

A number of recent lawsuits have been filed based on something known as “the pen register theory.” But what are pen registers? One of the surveillance tools commonly used by law enforcement to spy on suspects is the pen register, which allows police to capture phone numbers that were dialed on outgoing calls. Increasingly, these devices are being used by businesses to reveal the content of communications on websites, which poses a very real privacy concern for consumers. Worse yet, many companies with websites are now collaborating with TikTok to identify people who may wish to remain anonymous – exposing confidential information about consumers to third parties without authorization. The good news is that California law protects consumers against invasion of privacy by companies utilizing pen registers and other tracking devices.

To learn more about pen registers and how you can stop companies from using them to unlawfully collect your data, keep reading.

What Is the Definition of a Pen Register?

Both federal and California statutes have defined pen registers in the context of surveillance, especially as it relates to surveillance by law enforcement or other government actors. Recently, the term has been defined in other contexts, including when the devices are used by companies that operate websites targeting consumers.

Generally speaking, a pen register is a device that records any phone numbers that have been dialed from a particular telephone line. In legal cases involving allegations of privacy violations by companies using pen registers, courts have defined a pen register broadly so that it includes programs and software that monitors internet communications.

Differences Between Pen Registers and Trap & Trace Devices

Pen registers differ from trap and trace devices in a significant way: pen registers show the phone numbers that have been dialed by a particular phone, while trap and trace devices show the phone numbers that have called a particular phone. Another way to think of the difference is that pen registers capture data from outgoing communications, and trap and trace devices capture data from incoming communications that identify the originating phone number or geolocation.

Whether the privacy violation involves a pen register or a trap and trace device, the basis for a lawsuit typically remains the same: if a website owner fails to obtain affirmative consent from a site visitor prior to the use of tracking software, it may be a serious violation of California’s consumer fraud and consumer privacy laws such as the California Invasion of Privacy Act (CIPA) and the California Consumer Privacy Act (CCPA).

Invasion of Privacy Concerns Raised by Use of Pen Registers and Trap & Trace Devices

The use of pen registers to monitor customers raises concerns about invasion of privacy. Similarly, data sharing via tracking and tracing software can impose significant dangers on web users. For example, one of the major fears with automatic tracking software is that user activity will be tracked across every page on the website, regardless of how private the information might be. This means that highly personal information could be compromised, particularly if a website user is filling out forms on the site.

Pen Register Lawsuits & Trap and Trace Lawsuits in California

The California Invasion of Privacy Act (CIPA) can serve as the basis for a consumer protection lawsuit, particularly when the plaintiff is alleging a digital privacy violation. For a while, the main CIPA claim filed in California courtrooms involved wiretapping lawsuits against companies that violated the privacy rights of website visitors. That’s because this type of unauthorized data collection violated Section 631(a) of the CIPA, which explicitly prohibits third parties from illegal wiretapping or eavesdropping on communications. Recently, however, a lot of CIPA class action lawsuits are being based on either the pen register theory or the trap and trace theory.

When website owners gather data from site visitors without first getting consent, it may constitute a violation of California’s strict privacy laws – specifically Section 638.51 of the California Invasion of Privacy Act (CIPA). This has led to a new wave of CIPA litigation in California courtrooms that involves both pen register claims and trap and trace claims. Many companies that do business in California are now facing class action lawsuits because of the way they use certain analytic tools on their websites. The statutory penalties for violations of the CIPA have proven costly for companies that don’t follow the law – and they have given potential plaintiffs ample reason to talk to a consumer protection attorney about their legal options.

Contact the Los Angeles Consumer Protection Attorneys at Tauler Smith LLP

Too many companies in California and elsewhere in the United States are invading the privacy of customers who visit their websites, which in many instances involves data breaches and even the unauthorized sharing of personal data. The California consumer protection lawyers at Tauler Smith LLP represent plaintiffs in class actions and individual lawsuits. We have experience with trap & trace lawsuits and pen register lawsuits. Call us or email us to schedule a free consultation.

Pen Registers vs. Trap and Trace Devices

Pen Registers vs. Trap and Trace Devices

Pen Registers vs. Trap and Trace Devices

Invasion of privacy has become a major concern for consumers who frequent websites and make purchases online. That’s because many companies are now using pen registers and trap devices, which may include website cookies, web beacons, script, software code, and other types of software to track user data. While both federal and California law provide strong protections for consumers in these situations, pen registers vs. trap and trace devices is still a distinction that needs to be understood before speaking to a consumer fraud lawyer. What exactly is the difference between a pen register and a trap & trace device? And what legal recourse do you have when a company uses one of these tracking tools to monitor your online activity?

To learn more about the differences between pen registers and trap & trace devices, keep reading this blog.

What Is a Pen Register?

Long before the invention of the internet, pen registers were being used by law enforcement as a crime-fighting tool. A pen register is a physical device that gives government actors the ability to track outgoing phone numbers that have been dialed from a telephone line. If the police suspect illegal activity, they may obtain a court order that allows them to secretly install a pen register on the phone line.

Importantly, courts have ruled that the laws regulating the use of pen registers also extend to online communications. The California Invasion of Privacy Act (CIPA) defines a pen register as “a device or process that records or decodes dialing, routing, addressing or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” The types of information commonly collected by pen registers includes phone numbers, email addresses, and internet data such as IP addresses. A pen register does not identify the contents of a communication, which is its main difference from a trap and trace device.

Pen Register Lawsuits in California

Law enforcement has historically used pen traps to record both outgoing and incoming telephone numbers after obtaining a phone-tapping warrant. After the passage of the Patriot Act in 2001, police were able to use the same warrants to monitor Internet communications. Eventually, California lawmakers responded to the increasingly broad government monitoring of American citizens by updating the definition of consumer communications in the California Invasion of Privacy Act (CIPA). This has now prompted many consumers to bring pen register lawsuits against companies that use software to identify website visitors and acquire their personal data.

When a company’s website utilizes certain tools to track interactions and communications with site visitors, it may be a violation of the CIPA. This is especially likely when a website visitor has a reasonable expectation of privacy. As a result, California courtrooms have seen a surge in class action lawsuits filed under a relatively new legal theory: pen register claims and trap and trace claims, both based on the CIPA.

Penalties for Pen Register Violations

When a company uses website session replay software or chatbot features without the consent of site visitors, it may be considered a violation of both federal and California digital privacy laws.

Federal Pen Register Law

Federal law originally addressed pen registers in the Electronic Communications Privacy Act. The statute was later addressed by the USA PATRIOT Act, which was passed in 2001 in response to the September 11 attacks.

California Pen Register Law

California law addresses pen registers in the California Invasion of Privacy Act (CIPA), which imposes statutory penalties of $2,500 for each pen register violation.

Wiretapping Claims vs. Pen Register Claims

California’s consumer privacy laws prohibit companies from recording, transcribing, or otherwise surveilling communications without permission. This is unlawful whether the surveillance involves phones or websites. In the context of websites, wiretapping may involve secretly recording chats that were supposed to remain confidential, or it may involve data acquisition from forms that were filled out by site visitors. The California Invasion of Privacy (CIPA) gives consumers the right to file civil suits when their online conversations have been illegally wiretapped.

Although CIPA wiretapping claims and CIPA pen register claims are similar, there are a few key differences. For instance, a plaintiff bringing a wiretapping claim must show that there was no consent for the monitoring and that their communications were actually captured by the website. By contrast, a plaintiff bringing a pen register claim merely needs to show that the pen register was utilized without either consent or a court order.

What Is the Difference Between Pen Registers and Trap & Trace Devices?

One of the reasons that legal statutes often refer to both pen registers and trap and trace devices in the same sections is that many internet monitoring programs can be utilized to record both incoming and outgoing calls.

Whether the customer information is acquired via pen registers or trap and trace devices, the end result is a serious invasion of customer privacy. The businesses that violate the California Trap and Trace Law often help third parties acquire as much information as possible about website visitors so that the data can then be monetized and sold. That’s why these companies will go to such great lengths to obtain, collect, and organize large pools of data from website visitors without their knowledge or consent.

Talk to a California Consumer Protection Lawyer Today

Tauler Smith LLP is a Los Angeles law firm that represents consumers in both individual lawsuits and class actions across California. Our knowledgeable consumer protection lawyers know how to win pen register lawsuits and trap & trace lawsuits because we have experience with invasion of privacy cases. We will hold website operators accountable for using unauthorized tracking devices on their websites.

Call 310-590-3927 or send an email for a free consultation.

United HealthCare Trap and Trace Class Action

Trap and Trace Class Action Against United HealthCare

United HealthCare Trap and Trace Class Action

Los Angeles law firm Tauler Smith LLP recently filed a trap and trace class action against United HealthCare. The national health insurance provider has been accused of collaborating with controversial social media company TikTok to unlawfully collect data from website visitors. These actions would constitute clear violations of the California Invasion of Privacy Act (CIPA), which prohibits companies from using website tracking software to gather personal information about customers. The plaintiffs in the digital privacy class action are pursuing substantial monetary damages for the alleged privacy breaches.

For more information about the lawsuit against United HealthCare, keep reading this blog. And to learn whether you might be eligible to join the class action, contact us directly.

What Is a Trap and Trace Device?

California Penal Code § 638.50(c), which is part of the California Invasion of Privacy Act (CIPA), places considerable restrictions on companies that use trap and trace devices. The statute defines a trap and trace device as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” A person, company, or other entity that wishes to use a trap and trace device must first obtain a court order.

The CIPA, codified as Cal. Penal Code 630, often serves as the basis for lawsuits against companies accused of unlawfully wiretapping or eavesdropping on customer conversations. The statute was enacted for the purpose of curbing the invasion of privacy that often results from the use of certain technologies that pose a threat to the free exercise of personal liberties. The CIPA extends civil liability for surveillance that uses technology generally, and the Trap and Trace Law specifically imposes civil liability and statutory penalties against companies that unlawfully install pen registers or trap and trace software without first obtaining a court order.

Consumer Protection Class Action Filed Against United HealthCare

The recent consumer protection class action lawsuit involving the trap and trace law was filed in the Los Angeles County Superior Court. The defendant in the case is United HealthCare Services, Inc., a private insurance company that provides health insurance plans to consumers. According to the lawsuit, United HealthCare installed a data collection process on its website, https://www.uhc.com, for the purpose of tracking and tracing the identity and source of visitors to the site. United HealthCare allegedly worked with scandal-ridden social media company TikTok to unlawfully share the customer data.

“Fingerprinting”

The software that United HealthCare installed on its website was created by TikTok for the purpose of identifying site visitors. The TikTok software on the United HealthCare website runs code via a process known as “fingerprinting” that enables the company to collect as much data as it can about anonymous site visitors, including device and browser information, geographic information, and URL tracking. This information is then matched with existing data that TikTok has previously acquired from hundreds of millions of Americans who use the social media platform.

Similar allegations of unlawful data collection in collaboration with TikTok have been made in other trap & trace class action lawsuits recently filed in California courts.

“Advanced Matching”

United HealthCare has also been accused of using trap and trace devices to help TikTok collect website visitor information via a process known as “Advanced Matching.” This is a feature that allows TikTok to scan the website for recognizable form fields containing confidential customer information, such as email addresses, phone numbers, and routing information.

Class Action Lawsuit: United HealthCare Surveilled Website Visitors Without Consent

Visitors to the United HealthCare website have a reasonable belief that their web activity will be secure because the website intake page informs users that the information they share is “secure.” But the California class action lawsuit against the health care provider alleges that this is false: customers’ personal information and activity on the site is scanned and sent to TikTok so that its source can be identified through fingerprinting and deanonymization. The lawsuit accuses United HealthCare of giving TikTok access to consumer data without obtaining express or implied consent.

TikTok’s “Best Practices” Policy

Alarmingly, TikTok allegedly has a “best practices” policy encouraging companies like United HealthCare to capture this customer data “as early as possible” and “as frequently as possible.”  The class action lawsuit filed in the L.A. County Superior Court accuses United HealthCare of following TikTok’s best practices to help the social media company gather customer information as soon as a user visits the website: code on the site automatically sends information to TikTok to match the user with TikTok’s fingerprint.

By definition, there is no way for a site visitor to consent to the tracking of their activity because the TikTok software is deployed automatically when a user lands on the United HealthCare website. Site visitors have no way of knowing about the trap and trace devices, and United HealthCare does not even attempt to obtain visitors’ consent.

United HealthCare Accused of Unlawfully Sharing Customer Data with TikTok

Digital privacy is a growing concern for many Americans, particularly as more and more companies commit consumer fraud. One of the most troubling allegations against United HealthCare in the recent trap and trace lawsuit is that the company may be helping TikTok acquire personal information about website visitors. TikTok is owned by the Chinese government, and there are serious concerns that the social media company may be sharing user data with an adversarial foreign country. In fact, the U.S. Congress recently passed legislation that would require TikTok to be sold to a different entity or face a permanent ban in the United States. Additionally, the director of the National Security Agency (NSA) has identified TikTok as “a platform for surveillance” that poses a possible cybersecurity risk to the country.

The class action lawsuit against United HealthCare highlights a major problem with data collection on the United HealthCare website: user data is allegedly being shared with third parties who have the ability to harm California citizens through data aggregation. Moreover, the fact that this is a healthcare provider means that vulnerable American citizens could be targeted based upon their specific medical issues and uninsured status.

Plaintiffs Seek Monetary Damages for Violations of California’s Trap & Trace Law

The class action lawsuit against United HealthCare accuses the healthcare provider of violating California’s Trap and Trace Law. If United HealthCare is found liable in the civil suit, plaintiffs who visited the company’s website may be eligible for substantial monetary damages. That’s because the California Invasion of Privacy Act (CIPA) imposes both statutory damages meant to compensate victims and punitive damages meant to discourage future violators. The law also allows for successful plaintiffs to recover reasonable attorney’s fees and costs.

Did You Visit the United HealthCare Website? Contact the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

Did you visit the United HealthCare website and fill out any forms or provide any personal information? If so, you may be eligible to pursue monetary damages for an invasion of privacy violation. That’s because United HealthCare has been accused of using trap & trace technology to help third parties unlawfully collect the confidential information of website visitors.

The California consumer protection lawyers at Tauler Smith LLP are representing plaintiffs in a class action lawsuit against United HealthCare. For more information, call 310-590-3927 or email us.

California Trap and Trace Law

California’s Trap and Trace Law

California Trap and Trace Law

California’s trap and trace law protects consumers against the unauthorized tracking of their activity online. For law enforcement, securing a court order to intercept communications is difficult because there are strict limitations on this type of activity. Yet, for companies with websites, it has become far too easy to acquire customer data in the same invasive manner without any authorization or consent. Moreover, once a company has acquired certain information about a user, the company might try to use that information to deliver targeted advertising. In some cases, the customer data might even be sold to a third party. A qualified consumer fraud lawyer can help individuals better understand the nature of the protections provided by California’s consumer privacy laws.

The installation of tracking and tracing software on a website may be a violation of the California Trap and Trace Law. To learn more, keep reading.

What Is a Trap & Trace Device?

The California Invasion of Privacy Act (CIPA) defines a trap and trace device as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing or signaling information reasonably likely to identify the source of a wire or electronic communication.”

Trap and trace devices differ from wiretaps because they do not capture the content of communications in real time. Instead, a trap and trace device enables the collection of very particular information from a website visitor: the dialing, routing, addressing, or signaling information (also known as DRAS).

How Do Companies Use Trap and Trace Technology to Collect Consumer Data?

Website tracking software may permit companies to gather identifying information about website visitors, such as their phone number and email address. Tracking devices can also be used to gather other personal information about website users, including device and browser information, geographic information, referral tracking, and URL tracking.

How can trap and trace technology be used to identify the source of an electronic communication? One way that a trap and trace device might work is to capture incoming electronic impulses that identify the dialing, routing, addressing, and signaling information generated by website visitors. For example, as detailed in a recent digital privacy class action complaint against United HealthCare, website users might be asked to provide personal information like their gender, birthday, zip code, and tobacco use history. This data could then be scanned and sent to a third party like TikTok for deanonymization. Significantly, website visitors are never informed that the company is collaborating with a third party to collect customer data.

Tracking Software Is Deployed Automatically and Without Consent

When a company utilizes technology to track the interactions of website visitors, the company must first obtain a court order to do so. In many cases, however, companies do not get a court order to use trap and trace technology on their websites. In fact, the tracking & tracing software is often installed on certain companies’ websites and then deployed automatically: the software may start gathering personal information about users the moment they land on the site. This means that a user’s web activity is tracked before the user even has an opportunity to consent by “accepting cookies” or “managing preferences” on the website.

There are significant privacy concerns raised by the use of trap and trace technology on websites. The truth is that the personal information revealed by internet communications can be far more revealing than the same type of information captured by phone dialing information. That’s because when a trap and trace device captures a person’s internet addressing data, it may also reveal other important aspects of their communications, including geolocation data, purchase history, and other personal information. Moreover, a record of which website URLs a person visited on a website could be used to precisely identify the content of communications on the site.

Companies Accused of Selling Confidential Customer Data to TikTok and Other Third Parties

Companies as diverse as United HealthCare, WebMD, Smashbox, and DraftKings have been sued in recent months for alleged violations of California’s Trap and Trace Law. Many of the companies that utilize and deploy computer software on their websites attempt to make money by selling ads, and this is easier to accomplish when they are able to identify users who can then be commoditized and sold to the highest bidder.

Multiple trap & trace class action lawsuits have been filed against businesses accused of working with social media company TikTok to “fingerprint” website visitors so that their personal information can be collected and shared. For example, one type of trap & trace software allegedly utilized by TikTok allows companies to collect extensive data about anonymous website visitors and then match it with existing data that the social media platform has already acquired and accumulated about hundreds of millions of Americans. The technology can reportedly reconstruct a user’s identity, which then gives companies the ability to use the data to run advertising campaigns targeting the user.

CIPA Section 638.51: California Trap & Trace Law

As more and more websites have begun using technology to track site visitors, the number of lawsuits challenging this kind of technology has risen. Some California class action plaintiffs have started to file consumer protection lawsuits based on the trap and trace device theory, with dozens of lawsuits being filed in California state and federal courts over the last year. That’s because § 638.51 of the California Invasion of Privacy Act (CIPA) limits the ways in which companies can gather information about website users.

The statute that addresses trap and trace devices is broadly worded so that it applies to any device meant to locate a person, including websites. This means that a lot of individuals may qualify to join a class action lawsuit against companies that use these types of devices to acquire personal information about website visitors.

Class Action Lawsuits

Sections 631(a) and 632.7 of the California Invasion of Privacy Act (CIPA) specifically prohibit companies from wiretapping or eavesdropping on conversations with customers, and courts have extended these protections to consumers who visit websites. With respect to trap and trace class actions brought under the CIPA, federal courts have held that the law also applies to Internet communications. As a result, a number of lawsuits are now being filed under Section 638.51 of the consumer privacy statute.

Statutory Penalties

Each trap and trace violation carries a statutory penalty of $2,500, which serves as a strong deterrent for companies that operate websites targeting consumers in California.

Pen Register Lawsuits in California

Another type of legal claim filed under California Penal Code § 638.51 is a consumer protection lawsuit alleging privacy violations based on the pen register theory. The law explicitly prohibits anyone from using a pen register without first getting a court order.

A pen register is a physical machine commonly used by law enforcement to trace signals from someone’s phone or computer. In the context of a website, pen registers can be utilized to identify a website user’s location, browsing history, and purchase history. Pen registers track the phone numbers dialed from a particular phone line; by contrast, trap & trace devices track the numbers of incoming calls to a phone line. Importantly, trap and trace devices can also be utilized to identify the content of online communications, such as website forms that are completed by site visitors.

Call the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

Did a website track your personal information without consent? If so, you may be eligible to file a trap & trace lawsuit to recover statutory damages. The Los Angeles consumer protection lawyers at Tauler Smith LLP have experience handling consumer class action complaints filed in both federal and state courtrooms. Call 310-590-3927 or email us now for a free consultation.