Judge: Colin Leis, Case: 24STCV11310, Date: 2025-04-15 Tentative Ruling
Case Number: 24STCV11310 Hearing Date: April 15, 2025 Dept: 74
Palacios v.
Gorgias Inc.
Demurrer and Motion to Strike
BACKGROUND
Plaintiff
Marielita Palacios (Plaintiff) filed her initial Complaint against defendant
Gergias Inc. dba www.gorgias.com (Defendant) on May 6, 2024. Plaintiff filed
the operative First Amended Complaint (“FAC”) against Defendant on September
30, 2024, alleging a single cause of action under the California Invasion of
Privacy Act (“CIPA”) Penal Code section 638.51.
Defendant
demurs to the Complaint on the grounds that Plaintiff fails to state a
sufficient cause of action against Defendant.
REQUEST FOR JUDICIAL NOTICE
Defendant’s Request for Judicial
Notice
The
court takes judicial notice of request 1.
(Evid. Code § 452(c).) The court
declines to
take judicial notice of requests 2-8
as legislative committee reports and analysis are not “decisional,
constitutional, and public statutory law.”
(Evid. Code §§ 451 (a), 452(a).)
The court takes judicial notice of requests 9-26 for their existence,
but not for their contents. (Evid. Code
§ 452(d).)
Plaintiff’s Request for Judicial
Notice
The
court takes judicial notice of request 1 for its existence, but not its
contents. (Evid. Code § 452(d).) The court declines to take judicial notice of
requests 2-3. (Evid. Code §§ 451 (a),
452(a).)
LEGAL STANDARD
Demurrer
As
a general matter, in a demurrer proceeding, the defects must be apparent on the
face of the pleading or via proper judicial notice. (Donabedian v. Mercury Ins. Co. (2004)
116 Cal.App.4th 968, 994.) “A demurrer
tests the pleading alone, and not the evidence or facts alleged.” (E-Fab, Inc. v. Accountants, Inc. Servs.
(2007) 153 Cal.App.4th 1308, 1315.) As
such, the court assumes the truth of the complaint’s properly pleaded or
implied factual allegations. (Id.) The only issue a demurrer is concerned with
is whether the complaint, as it stands, states a cause of action. (Hahn v. Mirda (2007) 147 Cal.App.4th
740, 747.)
Where
a demurrer is sustained, leave to amend must be allowed where there is a
reasonable possibility of successful amendment.
(Goodman v. Kennedy (1976) 18 Cal.3d 335, 348.) The burden is on the plaintiff to show the
court that a pleading can be amended successfully. (Ibid.; Lewis v. YouTube, LLC
(2015) 244 Cal.App.4th 118, 226.)
However, “[i]f there is any reasonable possibility that the plaintiff
can state a good cause of action, it is error to sustain a demurrer without
leave to amend.” (Youngman v. Nevada
Irrigation Dist. (1969) 70 Cal.2d 240, 245).
DISCUSSION
Defendant demurs to the FAC on the grounds
that it fails to state sufficient facts to constitute a cause of action against
Defendant.
First Cause of Action for Violation
of California Invasion of Privacy Act
Penal
Code section 638.51(a) provides, “(a) Except as provided in subdivision (b), a
person may not install or use a pen register or a trap and trace device without
first obtaining a court order pursuant to Section 638.52 or 638.53.”
(Pen. Code § 638.51(a).) Pen. Code
section 638.50, subsections (b) and (c) provide guidance as to the definition
of “Pen register” and “Trap and Trace Device.”
A pen register is a “device or process that records or decodes dialing,
routing, addressing, or signaling information transmitted by an instrument or
facility from which a wire or electronic communication is transmitted, but not
the contents of a communication. (Pen.
Code § 638.50(b).) A trap and trace
device is a “device or process that captures the incoming electronic or other
impulses that identify the originating number of other dialing, routing,
addressing or signaling information reasonably likely to identify the source of
a wire or electronic communication, but not the contents of a
communication.” (Pen. Code § 638.50(c).)
Penal
Code section 638.50 primarily concerns itself with telephonic
communications. Legislative discussions
surrounding pen registers and trap and trace devices have primarily centered on
telephonic uses. (Pub. S., document of Sen.
Bill No. AB 929 (2015-2016 Reg. Sess.) July 08, 2015; Senate Rules, document of
Sen. Bill. No. AB 929 (2015-2016 Reg. Sess.).)
Despite the intention of the original drafters to target telephonic tracking,
the statute itself does not specify that it only applies to telephonic
communications. Two main questions exist
regarding whether Penal Code section 638.50 applies to IP addresses (1) whether
IP addresses could reasonably fit under the current legislative structure and
(2) whether IP addresses were intended by the legislature to be covered.
Applicability
to IP Address
The
statute is primarily focused on the type of information that is recorded or
decoded. The statute specifically
targets data used for “dialing, routing, addressing or signaling information
reasonably likely to identify the source.”
The remaining question is whether an IP address functions to dial,
route, address or signal the sending device, and if it can be reasonably used
to identify the source.
An
IP address, or Internet Protocol address, is a unique label for each device
connected to the internet. Very simply,
there are multiple forms of IP address.
An individual IP address may be Static or Dynamic. A Static IP address always stays the same,
typically identifying a single device or user.
Dynamic IP addresses are assigned to a user for a lease period. Lease periods can vary. An average home user, for example, will have
an IP address connected to the user’s device and an IP address connected to the
user’s internet router. When a device
connects to the internet, a dynamic IP address is assigned to the device. Plaintiff’s complaint states that the IP
address contains the device’s geographical location. (Complaint ¶ 35, 36.) For a demurrer, the Court must accept all
factual allegations in the complaint as true unless contradicted by judicially
recognizable facts. (E-Fab, Inc.,
supra, 153 Cal.App.4th at 1315.)
The
IP address is essentially a routing address.
When a device searches the internet, it sends a request to servers
providing the servers with its IP address to enable the server to return the
information. Applying Penal Code section
638.50, an IP address is the type of data that a pen register is intended to
capture. As defendant points out, an IP
address is used for essentially every interaction on the internet. (Mot. at p. 17.) To say that an IP address is used for every
interaction on the internet and therefore the law is against public policy
ignores that this law similarly applies to phone numbers, which are used for
every phone call. The Court concludes
that an IP address is “dialing, routing, addressing or signaling information”
under Penal code section 638.50.
Defendant
also challenges that a pen register or trap and trace typically is placed on a
known phone number, and then “catches” the incoming or outgoing call
information. This is sufficiently
similar to the tapping of all incoming calls to police emergency lines. Based
on Plaintiff’s allegations, the website discloses the IP Addresses of the
website’s users. (See People v. Suite
(1980) 101 Cal.App.3d 680, 686.) Essentially, Plaintiff is alleging that the IP
address of the website is catching all incoming electronic impulses, the same
as a trap and trace device.
Thus,
the Court proceeds to the second question, which is whether the IP address is
reasonably likely to identify the source.
Federal courts have considered a process which “identifies consumers,
gathers data, and correlates that data through unique ‘fingerprinting’” is a
pen register. (Greenley v. Kochava
(2023) 684 F.Supp.3d 1024, 1050.) In Greenley,
the third-party data collection app recorded “personal information,”
geolocation data, cellular communications, consumer’s usernames, emails and
ID’s, search terms used by device user, and activities within apps. (Id. at 1035.) This information is unquestionably reasonably
identifiable. Based on Plaintiff’s
complaint, Defendant’s website receives the IP address, which can be used to
determine the device’s state, city, and zip code. (Complaint ¶ 36, 37.) Plaintiff does not address the process by
which an individual may deduce the geolocation data from an IP address. Plaintiff also states that Defendant’s trap
and trace is able to “digitally fingerprint” each visitor. (Complaint ¶ 52, 58-73.) Based on Plaintiff’s allegations, the trap
and trace information Defendant receives is sufficiently expansive to be
reasonably identifiable under Penal Code section 638.5.
Finally,
the question is whether the website capturing Plaintiff’s IP address is the
same as a trap and trace device on Plaintiff, or simply that Plaintiff’s IP
address was captured by a trap and trace device on the website. Penal Code section 638.51 provides that “a
person may not install or use a pen register or trap and trace device without
first obtaining a court order.” The typical
case for a pen register or trap and trace is a device/process installed by a
police officer on a telephone line. Under the Penal Code, an officer must get a court
order to place the pen register or trap and trace. The pen register or trap and trace
application must identify the person to whom the pen register or trap and trace
is to be attached. The focus is on the person to whom the device is attached,
not the person who has their information collected. (Penal Code § 638.52.) Nevertheless, Penal Code section 638.55
provides redress for the individual whose information is targeted, not just the
person upon whose device the pen register or trap and trace was placed. (Penal Code § 638.55(c).) Thus, reading the legislative scheme under the
California Invasion of Privacy Act (CIPA) as a whole, Defendant’s website
constitutes a trap and trace process/device.
Legislative
Scheme
The
foregoing expansive reading of CIPA may be at odds with the Legislature’s
intent given the recent California Consumer Privacy Act (CCPA) and California
Privacy Rights Act (CPRA), which aim to specifically provide California users
with additional protections and control over the data companies collect. The CCPA requires that consumers have the (1)
right to know about the personal information a business collects, (2) right to
delete the personal information collected, (3) right to opt-out of the sale of
personal information, and (4) right to non-discrimination for exercising their
CCPA rights. (Civ. Code § 1789.100 et
seq.) The CCPA includes protections
for personal identifiers, such as IP addresses.
(Civ. Code § 1798.140(v)(1)(A).) The
CPRA, which amends the CCPA, added additional privacy protections, including
the right to correct inaccurate information and the right to limit the use and
disclosure of sensitive personal information.
The
CCPA and CPRA indicate a legislative intent, outside of CIPA, to regulate and protect
Californians’ internet privacy while also considering the necessity of collection
and processing of user data. CCPA limits
its applicability to a business which (1) had gross annual revenues in excess
of twenty-five million dollars, (2) buys, sells or shares the personal
information of 100,000 or more consumers or households, or (c) derives 50% or
more of its annual revenues from selling or sharing consumers’ personal
information. (Civ. Code §
1798.140(d).) CCPA is intended to preempt
all city, county, city, municipality or local agency rules and to supplement
federal and state law. (Civ. Code §§
1798.180, 1798.196.)
CCPA
was intended to supplement California’s current consumer privacy rights with
additional guidance in the understanding of the internet age. Plaintiff alleges that Defendants harvest
Plaintiff’s individual data for marketing campaigns, advertising and “boosting”
revenue. (Complaint ¶ 75.) If Defendant were a business covered by the
CCPA, it would be obliged to inform the Plaintiff of any information which was
being sold or shared and given an ability to opt-out. No portion of CCPA would limit Defendant’s
ability to use Plaintiff’s personal data for itself. Additionally, defendant’s failure to comply
with the CCPA would not permit Plaintiff a private right of action. (Civ. Code § 1798.199.90.)
It
is incongruous to interpret CIPA to prohibit websites from tracking user’s
data, including IP addresses and web browser utilization information, for their
own purposes where CCPA does not even provide a civil remedy for a user whose
data is improperly sold. When
interpretating statutes, Courts consider societal changes and new technologies
to determine how legislators would have acted, if they had anticipated the
circumstances. (Worldmark v. Wyndham Resort Development Corp. (2010) 187
Cal.App.4th 1017, 1036.) Similarly, “statutes
relating to the same subject matter must be read together and reconciled
whenever possible.” (Womack v. San Francisco Community College
Dist. (2007) 147 Cal.App. 854, 860-861 (quoting Kalina v. San Mateo Community College Dist. (1982) 132 Cal.App.3d
48, 53).)
Given
these cannons of statutory interpretation, the Court finds that the Legislature
did not intend to include websites utilizing user data for their own purposes
under Penal Code section 638.51.
CONCLUSION
The
Court sustains Defendant’s demurrer without leave to amend.
The
motion to strike is moot.
Defendant
to give notice.