Judge: Armen Tamzarian, Case: 24STCV18596, Date: 2025-02-28 Tentative Ruling
Case Number: 24STCV18596 Hearing Date: February 28, 2025 Dept: 52
Defendant Glasscanopy, Inc.’s
Demurrer and Motion to Strike Portions of First Amended Complaint
Demurrer
Defendant Glasscanopy, Inc. dba www.glasscanopy.com
demurs to both causes of action alleged in the first amended complaint by
plaintiff Monica Sanchez.
Summary
of Allegations
Plaintiff’s first amended complaint
alleges two causes of action under the California Invasion of Privacy Act
(CIPA): violations of (1) Penal Code section 638.51(a) and (2) Penal Code
section 631(a).
Plaintiff alleges she visited
defendant’s website. She alleges
defendant’s website installs a “pen register” or “trap and trace device” she
refers to as a “PR/TT beacon” (FAC, ¶ 33) or a “cookie in the user’s browser
cache” (¶ 45). When plaintiff visited
the website, it “caused the PR/TT beacon to be installed on Plaintiff’s and
other users’ browsers.” (¶ 54.) “Defendant uses the PR/TT to collect the IP
addresses of visitors,” including plaintiff.”
(¶ 56.) An IP address is the
equivalent of a phone number for a device that accesses the internet. (¶¶ 34-37.)
Plaintiff further alleges, “The operators of the PR/TT beacons … use the
IP address of Website visitors, including those of Plaintiff and other
visitors, to serve targeted advertisements and/or conduct Website analytics.” (FAC, ¶ 57.)
The first amended complaint alleges, “Defendant and its partners use the
PR/TT beacon to ‘digitally fingerprint’ each visitor. While IP addresses alone do not provide exact
personal information, they can reveal a user’s approximate location, which can
be used to infer details about the user’s demographics, interests, or
behaviors. When combined together with
third-party tracking cookies, which store information about the user’s browsing
habits and preferences, companies can create highly detailed user profiles. This level of tracking, especially without
clear user consent, can invade a user’s privacy because the sharing or selling
of the user data to multiple companies can result in unwanted targeted
advertising, reduced anonymity, and potential exposure to data breaches.” (¶ 58.)
“At no time prior to the installation and use of the PR/TT beacon on
Plaintiff’s and other users’ browsers, or prior to the use of the PR/TT beacon,
did Defendant procure Plaintiff’s or other users’ consent for such conduct. The PR/TT beacon deploys prior to any efforts
to notify visitors or obtain their consent to being tracked.” (¶ 59.)
Plaintiff further alleges the “PR/TT beacon will collect and track a
unique IP address, the Website user’s operating system name, operating system
version number, browser name, browser version number, browser language, screen
resolution, geolocation data, email address, mobile ad IDs, embedded social
media identities, customer and/or loyalty IDs, cookies and device signature –
as well as the connections between them.”
(¶ 89.)
Plaintiff also alleges violations stemming from another manner of using
defendant’s website: typing terms into a search bar. She alleges she “utilized the Search Bar to
perform a confidential search.” (FAC, ¶
121.) She alleges defendant “re-routed
Plaintiff’s Search Terms … to the Third-Party Search Engine Provider.” (¶ 121.)
She alleges she “was not provided with any notice or given an
opportunity to provide consent to the tracking tools intercepting” her search
terms. (¶ 126.) Plaintiff alleges defendant uses “tracking
tools … to analyze Website data in the form of user Search Terms and marketing
campaigns, conduct targeted advertising, and ultimately boost Defendant’s
and/or advertisers’ revenue, all through the surreptitious collection of user
data including Plaintiff’s data.” (¶
131.)
Standing
Plaintiff alleges sufficient facts
for standing. “Generally, ‘[a]
litigant’s standing to sue is a threshold issue to be resolved before the
matter can be reached on the merits.’ ”
(Buckland v. Threshold Enterprises, Ltd. (2007) 155 Cal.App.4th
798, 813.) “Standing requirements vary
from statute to statute, and must be assessed in light of intent of the statute
at issue.” (Ibid.)
Both of plaintiff’s causes of action derive from Penal Code section 637.2. Its subdivision (a) provides, “Any person who
has been injured by a violation of this chapter may bring an action against the
person who committed the violation… .” Subdivision
(c) provides, “It is not a necessary prerequisite to an action pursuant to this
section that the plaintiff has suffered, or be threatened with, actual damages.” For purposes of standing, an “injury”
generally means “an ‘ “invasion of [plaintiff’s] legally protected interests” ’
” that “ is ‘ “sufficient to afford them an interest in pursuing their action
vigorously.” ’ [Citation.] The latter consideration is met where the
injury is ‘ “ ‘(a) concrete and particularized, and (b) actual or imminent, not
conjectural or hypothetical.’ ” ’ ” (Limon
v. Circle K Stores Inc. (2022) 84 Cal.App.5th 671, 704.)
Plaintiff alleges an invasion of legally protected interests: privacy
rights under the CIPA. Plaintiff’s
allegations are equivalent to those held sufficient for standing in recent
federal decisions. (In re Facebook,
Inc. Internet Tracking Litigation (9th Cir. 2020) 956 F.3d 589, 598-599; Moody
v. C2 Educational Systems Inc. (C.D. Cal. 2024) 742 F.Supp.3d 1072, 1078 (Moody);
Greenley v. Kochava, Inc. (S.D. Cal. 2023) 684 F.Supp.3d 1024, 1037-1040
(Greenley).)
Defendant
argues that, for both causes of action, plaintiff lacks standing because she
fails to allege invasion of any legally protected privacy interest. Defendant cites numerous cases for the
proposition that internet users have no reasonable expectation of privacy in their
IP addresses or search terms they voluntarily share with a website. None of these authorities, however, applied
this principle to reject standing or to reject a claim for violating the
statutes plaintiff relies on. Defendant primarily
cites criminal cases about suppressing evidence based on the Fourth Amendment. (People v. Stipo (2011) 195
Cal.App.4th 664, 668-669; U.S. v. Rosenow (9th Cir. 2022) 50 F.4th 715,
737-738; U.S. v. Forrester (9th Cir. 2008) 512 F.3d 500, 509-512.) That is irrelevant. Plaintiff alleges violations of two
statutes. Neither is related to the
Fourth Amendment or limited to protecting confidential information.
Regardless
of whether plaintiff has a reasonable or legally protected privacy interest in
her IP address or search terms in other contexts, she has such an interest
here. She brings two causes of action
for violating statutes that protect these interests. Penal Code section 638.50, subdivision (b) prohibits
using “a device or process that records or decodes dialing, routing,
addressing, or signaling information”, while subdivision (c) prohibits using “a
device or process that captures the incoming electronic or other impulses that
identify the originating number or other dialing, routing, addressing, or
signaling information reasonably likely to identify the source of a …
communication, but not he contents of a communication.” An IP address is “addressing”
information. It is used “ ‘for the
specific purpose of directing the routing of information.’ ” (U.S. v. Rosenow, supra, 50 F.4th at
p. 738, italics added.)
Penal
Code section 631(a), meanwhile, prohibits eavesdropping on or recording “the contents
or meaning of any message, report, or communication while [it] is in
transit.” (Italics added.) In contrast, Penal Code section 632(a)—which
plaintiff does not allege defendant violated—prohibits eavesdropping upon or
recording a “confidential communication.”
(Accord Greenley, supra, 684 F.Supp.3d at p. 1052-1053.)
1st Cause
of Action: Penal Code § 638.51(a)
Plaintiff
alleges sufficient facts for this cause of action. “Section 638.51 prohibits the use of pen
registers and trap and trace devices, which are ‘device[s] or process[es]’ that
record or capture ‘dialing, routing, addressing, or signaling information’ from
a ‘wire or electronic communication,’ ‘but not the contents of a communication.’ [Citations.]
To state a claim under § 638.51, a plaintiff must allege that a
defendant installed and used a pen register or trap and trace device without
first obtaining a court order.” (Moody,
supra, 742 F.Supp.3d at p. 1075.) A
“pen register” records outgoing “information transmitted by an instrument”
(Pen. Code, § 638.50(b)), while a “trap and trace device” “captures the
incoming electronic or other impulses that identify the originating number or
other dialing, routing, addressing or signaling information” (id., subd.
(c)).
Defendant
argues plaintiff’s allegations fail because “a PRTT device works by tracking a
target device and monitoring all contacts that flow to or from that device”,
while plaintiff only alleges the browser beacon tracked when plaintiff visited
defendant’s website. (Memo, p. 9.) Defendant cites authority giving examples
where PRTT devices tracked all incoming and outgoing routing information. (E.g., U.S. v. Forrester, supra, 512
F.3d 500 at p. 504; U.S. v. Torres (9th Cir. 1990) 908 F.2d 1417, 1420.) But the statutory definitions of “pen
register” and “trap and trace device” do not require that the device record or
capture all outgoing or incoming addressing information.
The
plain language of Penal Code section 638.50, subdivisions (b) and (c) does not
limit prohibited devices to those that track some minimum volume of information. Persuasive authority explains that the crucial
element is that the defendant installs the software process onto plaintiff’s
device, regardless of how much information is captured: “Unlike a caller ID
system, which is installed on the call recipient’s device, the Website installs
the tracking software on the visitor’s browser. The software then remains on the visitor’s
browser unless the visitor decides to delete it. Given the location and degree of control that
the visitor has over the software, it only seems natural that the visitor, not
Defendant, would be software’s user in these circumstances. And according to the plain allegations of the
FAC, Plaintiff did not consent to the software’s installation and use.” (Rodriguez v. Autotrader.com, Inc.
(C.D. Cal., Jan. 8, 2025, No. 2:24-CV-08735-RGK-JC) --- F.Supp.3d ---, 2025 WL
65409, at *6.)
Defendant
also contends “a ‘pen register’ is limited to a device recording telephonic
information.” (Memo, p. 10.) Persuasive federal authority has rejected the
argument that this statute is limited to physical devices or “software
installed on a telephone, not on a website.”
(Moody, supra, 742 F.Supp.3d at p. 1076.) “[S]oftware may qualify as a pen register or
trap and trace device under California law.”
(Ibid.)
Defendant further argues various exceptions
under Penal Code section 683.51(b) apply. That subdivision states: “A provider
of electronic or wire communication service may use a pen register or trap and
trace device for any of” several purposes, including “[t]o operate, maintain,
and test a wire or electronic communication service.” The statute does not define “provider of
electronic or wire communication service.”
The parties do not identify any cases interpreting that portion of Penal
Code section 683.51(b). The court finds
authority on the federal Stored Communications Act persuasive. “The fact that an entity communicates
electronically with its customers does not mean that it ‘provides an electronic
communication service.’ ” (Cottle v.
Plaid Inc. (N.D. Cal. 2021) 536 F.Supp.3d 461, 490.) “[W]ebsites and services that permit users to
communicate directly with one another are considered ECS [electronic
communication service] providers. For
instance, an email provider is ‘undisputedly’ an ECS provider.” (Casillas v. Cypress Insurance Company
(9th Cir. 2019) 770 Fed.Appx. 329, 330.)
Defendant’s position would mean every website
is a “provider of electronic or wire communication service.” The reasonable interpretation of that phrase
is one who provides internet (or other communication) service, not one who
provides miscellaneous services via the internet. The first amended complaint does not explain
the nature of defendant’s website, but plaintiff does not allege the website
permits users to communicate with one another.
Finally, defendant contends the allegations
fall within the exception for when “the consent of the user of that service has
been obtained.” (Pen. Code, §
638.51(b)(5).) This exception does not
apply because, as discussed above, defendant is not “[a] provider of electronic
or wire communication service.” (Id.,
subd. (b).) Even if defendant is such a
provider, the first amended complaint repeatedly alleges plaintiff did not
consent. (FAC, p. 2; ¶¶ 59, 63, 91, 95,
107, 111, 125, 126, 128-130, 145, 148.) Defendant
contends that, by visiting its website, plaintiff consented to disclosing her
IP address and search terms to defendant.
But that does not necessarily mean she consented to installing the PR/TT
beacon, recording her IP address, or sharing her IP address with third
parties.
Moreover, plaintiff alleges the PR/TT “did more than just collect Plaintiff’s IP address. Based on the existence of multiple PR/TT
beacons and tracking cookies deployed on the Website, Plaintiff is informed and
believes, and thereon alleges, that the PR/TT beacon will collect and track a
unique IP address, the Website user’s operating system name, operating system
version number, browser name, browser version number, browser language, screen
resolution, geolocation data, email address, mobile ad IDs, embedded social
media identities, customer and/or loyalty IDs, cookies and device signature –
as well as the connections between them.”
(FAC, ¶ 89.)
2nd Cause of Action: Penal Code § 631(a)
Plaintiff
alleges sufficient facts for this cause of action. Penal Code section 631 prohibits: “(1) ‘intentional
wiretapping;’ (2) ‘attempting to learn the contents or meaning of a communication
in transit over a wire;’ and (3) ‘attempting to use or communicate information
obtained as a result of engaging in either of the previous two activities.’
” (Valenzuela v. Nationwide Mutual
Insurance Co. (C.D. Cal. 2023) 686 F.Supp.3d 969, 975.) It also “imposes liability on anyone who ‘aids,
agrees with, employs, or conspires with any person or persons’ in violating the
three clauses described above.” (Ibid.) “Section 631 does not prohibit a party to a
conversation from recording the conversation with a device and later
sharing the recording with a third party.
[Citation.] However, a third
party listening in on communications at the time they are received via a
device is a violation of Section 631.
[Citation.] Further, when a first
party intends to communicate with a second party, and computer code
automatically directs the communication to an additional third party, the third
party is not construed as a party to the communication, and so the party
exception does not shield the third party.”
(Id. at p. 976.)
Plaintiff
alleges facts constituting aiding and abetting or conspiring with third parties
who intercepted the contents of a communication in transit. Plaintiff alleges defendant’s website “does
not notify visitors that their Search Terms will be surreptitiously intercepted
by Third Party Search Engine Provider’s search engine when conducting a search
on the Website.” (FAC, ¶ 106.) “Plaintiff utilized the Search Bar to perform
a confidential search. Defendant was the
intended recipient of the Search Terms typed into the Search Bar by Plaintiff. Defendant re-routed Plaintiff’s Search Terms
along with those for all users of the Website, meant for Defendant, to the
Third-Party Search Engine Provider. The Search Terms on the Search Bar were
routed through the Third-Party Search Engine Provider’s servers, which occurred
simultaneously with Plaintiff’s use of the Website’s Search Bar function.” (¶¶ 121-122.)
Defendant
argues plaintiff must allege “what she searched for.” (Memo, p. 14.) Greenley rejected this argument under
the more stringent federal pleading standard: “[P]leading a CIPA violation does
not require identifying a specific communication that was intercepted.” (Greenley, 684 F.Supp.3d at p. 1050.) Moreover, plaintiff alleges her search terms
“contain[ed] private information.” (FAC,
¶ 104.) Defendant offers no reason why
suing someone for invasion of privacy requires publicly disclosing the private
information that was intercepted. That would
undermine the purpose of the CIPA.
Defendant
also contends plaintiff does not allege contemporaneous interception. She expressly alleges the search terms were
transmitted to third parties “simultaneously with [her] use of the Website’s
Search Bar function.” (FAC, ¶ 122.)
Motion to Strike
Defendant moves to strike plaintiff’s
prayer for punitive damages. Defendant
argues plaintiff cannot recover punitive damages because plaintiff also seeks
statutory penalties under CIPA. A “plaintiff cannot recover both punitive
damages and statutory penalties, as this would constitute a prohibited double
penalty for the same act.” (De Anza
Santa Cruz Mobile Estates Homeowners Assn. v. De Anza Santa Cruz Mobile Estates
(2001) 94 Cal.App.4th 890, 912.)
Even if plaintiff cannot ultimately recover all
these types of damages, that does not warrant striking the prayer for punitive
damages. “ ‘ “That a given set of facts
fortuitously supports liability on two legal theories is not a principled
reason to deny a party the right to pursue each theory.” ’ ” (Bowser v. Ford Motor Co. (2022) 78
Cal.App.5th 587, 624.) The Court of
Appeal has applied this rule to the same provision for statutory damages
plaintiff relies on. (Clauson v.
Superior Court (1998) 67 Cal.App.4th 1253, 1256 (Clauson) [“We agree
with plaintiffs that they are entitled to seek in their second amended
complaint both punitive damages for invasion of privacy and statutory
wiretapping and eavesdropping penalties.
… Once the verdict is returned,
plaintiffs, if they prevail, may then elect whether to accept the Penal Code
section 637.2, subdivision (a) statutory penalties or the punitive damages
award”].)
Defendant
attempts to distinguish Clauson because there, the plaintiff brought both
a common law claim for invasion of privacy and a statutory claim for
wiretapping. Defendant contends
plaintiff cannot pray “for two different remedies without different types of
claims to support those different remedies.”
(Reply, p. 5.) Defendant cites no
authority for that proposition.
Clauson
applies two general principles: (1) a plaintiff cannot recover duplicative
remedies (see, e.g., Moore v. Teed (2020) 48 Cal.App.5th 280, 294 [“ ‘[D]ouble or duplicative recovery
for the same items of damage amounts to overcompensation and is therefore
prohibited’ ”]), and (2) absent some form of estoppel, a plaintiff need not
choose between them in advance (see, e.g., Roam v. Koop (1974) 41
Cal.App.3d 1035, 1039 [“Ordinarily a plaintiff need not elect, and cannot be
compelled to elect, between inconsistent remedies during the course of trial
prior to judgment”]). Neither of these
principles is limited to plaintiffs who bring two different types of claims. Many causes of action permit multiple
remedies that would be inconsistent or duplicative. For example, “ ‘[P]laintiffs cannot receive
both specific performance and damages for breach of contract.’ ” (Speirs v. BlueFire Ethanol Fuels, Inc.
(2015) 243 Cal.App.4th 969, 989.) There
is no reason plaintiff cannot pursue both remedies at this stage.
Defendant’s reply brief also contends plaintiff does
not allege sufficient facts for malice, oppression, or fraud as required for
punitive damages. Defendant’s moving
papers did not make that argument. Defendant
wrote, “Leaving aside for a moment whether
Plaintiff has alleged or is capable of alleging the malice or oppression
necessary to support a punitive damages claim ab initio, even if that quantum
of pleading is present, Plaintiff cannot seek two forms of penalty against
Defendant at once.” (Memo, pp.
3-4.) A moving party cannot “leave
aside” a basis for a motion, then raise it in the reply brief. The court will not consider this basis for
striking the prayer for punitive damages.
Disposition
Defendant
Glasscanopy, Inc.’s demurrer is overruled. Defendant’s motion to strike is denied. Defendant
shall answer plaintiff’s first amended complaint within 15 days.