Judge Daniel S. Murphy, Case Number: 24STCV12891, Date: 2024-07-29 Tentative Ruling

On May 22, 2024, Plaintiff Anne Heiting filed this action against Defendant Taylor Fresh Foods, Inc., asserting a single cause of action for violation of the California Invasion of Privacy Act (CIPA).

The complaint alleges that Defendant’s website employs tracking software created by TikTok (TikTok Software) to identify certain user information. (Compl. ¶ 11.) This digital process called “fingerprinting” allegedly “gathers device and browser information, geographic information, referral tracking, and url tracking by running code or ‘scripts’ on the Website to send user details to TikTok.” (Id., ¶ 13.) Plaintiff alleges that the TikTok Software is a “trap and trace device” in violation of Penal Code section 638.51. (Id., ¶¶ 16-17.)

On June 24, 2024, Defendant filed the instant demurrer to the complaint. Plaintiff filed her opposition on July 16, 2024. Defendant filed its reply on July 24, 2024.

A demurrer for sufficiency tests whether the complaint states a cause of action. (Hahn v. Mirda (2007) 147 Cal.App.4th 740, 747.) When considering demurrers, courts read the allegations liberally and in context. (Taylor v. City of Los Angeles Dept. of Water and Power (2006) 144 Cal.App.4th 1216, 1228.) In a demurrer proceeding, the defects must be apparent on the face of the pleading or by proper judicial notice. (Code Civ. Proc., § 430.30, subd. (a).) A demurrer tests the pleadings alone and not the evidence or other extrinsic matters. (SKF Farms v. Superior Court (1984) 153 Cal.App.3d 902, 905.) Therefore, it lies only where the defects appear on the face of the pleading or are judicially noticed. (Ibid.) The only issue involved in a demurrer hearing is whether the complaint, as it stands, unconnected with extraneous matters, states a cause of action. (Hahn, supra, 147 Cal.App.4th at 747.)

Before filing a demurrer or a motion to strike, the demurring or moving party is required to meet and confer with the party who filed the pleading demurred to or the pleading that is subject to the motion to strike for the purposes of determining whether an agreement can be reached through a filing of an amended pleading that would resolve the objections to be raised in the demurrer. (Code Civ. Proc., §§ 430.41, 435.5.) The Court notes that Defendant has complied with the meet and confer requirement. (See Bours Decl.)

“Except as provided in subdivision (b), a person may not install or use a pen register or a trap and trace device without first obtaining a court order pursuant to Section 638.52 or 638.53.” (Pen. Code, § 638.51(a).) Subdivision (b) of section 638.51 lists five purposes for which “[a] provider of electronic or wire communication service may use a pen register or a trap and trace device.” (Id., § 638.51(b).) Section 638.52 prescribes the procedure for law enforcement to make a written application for authorization to install a pen register or trap and trace device. Section 638.53 provides for oral application and oral approval of same.

“‘Trap and trace device’ means a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” (Pen. Code, § 638.50(c).) “‘Wire communication’ and ‘electronic communication’ have the meanings set forth in subdivision (a) of Section 629.51.” (Id., § 638.50(a).) Section 629.51(a) defines “electronic communication” as “any transfer of signs, signals, writings, images, sounds, data, or intelligence of any nature in whole or in part by a wire, radio, electromagnetic, photoelectric, or photo-optical system.” (Id., § 629.51(a)(2).)

Plaintiff alleges that when she visited Defendant’s website on January 7, 2024, Defendant deployed the TikTok Software “to identify Plaintiff using electronic impulses generated from Plaintiff’s device.” (Compl. ¶ 2.) Specifically, the TikTok Software allegedly “identif[ies] the source of electronic communication[s] by capturing incoming electronic impulses and identifying dialing, routing, addressing, and signaling information generated by users.” (Id., ¶ 17.) The complaint alleges that “the software is designed to capture the phone number, email, routing, addressing and other signaling information of website visitors.” (Id., ¶ 26.) Defendant did not obtain Plaintiff’s consent or a court order to use the TikTok Software to track Plaintiff on her visit to Defendant’s website on January 7, 2024. (Id., ¶¶ 19-20.)

On its face, the complaint alleges the two elements necessary to establish a violation of Penal Code section 638.51: (i) Defendant installed a prohibited device (pen register or trap and trace) (ii) without a court order. (See Pen. Code, § 638.51(a); Greenley v. Kochava, Inc. (S.D.Cal. 2023) 684 F. Supp. 3d 1024, 1050-51.)

Defendant argues that section 638.51 is “intended to regulate physical trap and trace devices attached to telephone lines, and . . . does not apply to standard website data collection.” (Dem. 9:27-28.) Defendant contends that a whole reading of the statute reveals this intention, citing to In re United States (C.D.Cal. 1995) 885 F.Supp. 197 (Digital Analyzer).

In that case, law enforcement applied for the use of a “cellular telephone digital analyzer” on the phones of subjects in a criminal investigation. (Digital Analyzer, supra, 885 F.Supp. 197 at pp. 198-99.) This digital analyzer would “detect the electronic serial number (‘ESN’) assigned to a particular cellular telephone, the telephone number of the cellular telephone itself, and the telephone numbers called by the cellular telephone.” (Id. at p. 199.)

The district court held that an application was not required because “[n]umbers dialed by a telephone are not the subject of a reasonable expectation of privacy, and their interception does not violate the 4th Amendment.” (Digital Analyzer, supra, 885 F.Supp. 197 at p. 199.) The court further found that “the prohibitions against the use of pen registers and trap and trace devices (in 18 U.S.C. § 3121) without court order [did not] appear to apply to the proposed use of digital analyzers to detect non-communicative signals.” (Ibid.) The court reasoned that although “[t]he statutory definition of a ‘trap and trace device’ does not include the limitation in the definition of a pen register described above, limiting the devices to those that are attached to a telephone line[,] . . . it appears from the construction of related sections of the statutes governing trap and trace devices that they include only devices that are attached to a telephone line.” (Id. at p. 200.) “Specifically, 18 U.S.C. § 3123(b) requires that an order for use of both pen registers and trap and trace devices include ‘the number and, if known, physical location of the telephone line to which the pen register or trap and trace device is to be attached.’” (Ibid.)

CIPA contains an analogous provision in Penal Code section 638.52(d)(3), requiring a court order authorizing the use of a pen register or trap and trace device to specify, if known, the “physical location of the telephone line to which the pen register or trap and trace device is to be attached.” Defendant argues that this provision “evidence[s] a clear legislative intent to apply only to physical devices capable of recording telephone numbers, not IP addresses or other similar device information.” (Dem. 10:28-11:3.)

However, neither CIPA nor the modern version[1] of the federal statutes cited in Digital Analyzer limit the definition of “pen register” or “trap and trace device” to physical devices attached to telephone lines. Instead, these provisions currently define pen register and trap and trace as a “device or process” without referencing physical attachment to anything. (See Pen. Code, § 638.50; 18 U.S.C. § 3127.) And as pertinent here, a trap and trace device is broadly defined as a “device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication.” (Pen. Code, § 638.50(c).) “Electronic communication” is itself broadly defined as “any transfer of signs, signals, writings, images, sounds, data, or intelligence of any nature in whole or in part by a wire, radio, electromagnetic, photoelectric, or photo-optical system.” (Id., § 629.51(a)(2).)

Digital Analyzer, decided in 1995, could not have accounted for modern advancements in technology or the statutory amendments that took place after 1995, broadening the definitions of “pen register” and “trap and trace device.” A plain reading of the modern definitions shows that they are not limited to physical devices attached to telephone lines. “[T]he Court cannot ignore the expansive language in the California Legislature's chosen definition.” (Greenley, supra, 684 F.Supp. 3d at p. 1050.) “A process can take many forms. Surely among them is software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting.’” (Ibid.) Greenley, cited by Plaintiff, is more on point because it concerns the precise statutory provision at issue here, Penal Code section 638.51. Furthermore, like this case, Greenley concerns the sufficiency of a civil complaint seeking recovery for illegal usage of a pen register or trap and trace device. By contrast, Digital Analyzer concerned an application by law enforcement to use a pen register or trap and trace device under federal law.

Given the realities of modern technology and the broadened definitions of “pen register” and “trap and trace device,” the Court is not convinced that a single provision governing ex parte orders to authorize the use of such devices (Pen. Code, § 638.52(b), (d)) limits application of the whole law to physical devices on a telephone line. If that were the case, the Legislature would not have defined “trap and trace device” with reference to “a wire or electronic communication.” (See Pen. Code, § 638.50(c).) If a trap and trace device must be attached to a telephone line, there would be no reason to include “electronic communication”—which encompasses a broad range of transfers plainly not limited to telephone lines—as part of its definition. Therefore, the Court agrees with Plaintiff and Greenley that software can be a “process” that constitutes a pen register or trap and trace device if it accomplishes the type of tracking defined in section 638.50.

Defendant attempts to distinguish Greenley on the fact that in Greenley, the offending software was still “installed in a telephone.” (See Greenley, supra, 684 F.Supp. 3d at p. 1050.) By contrast, the complaint here alleges that the TikTok Software was installed on Defendant’s website and only began tracking upon Plaintiff’s visit to the website. (Compl. ¶¶ 11-14.) However, as the court in Greenley acknowledged, “courts should focus less on the form of the data collector and more on the result.” (Greenley, supra, 684 F.Supp. 3d at p. 1050.) The plaintiff in Greenley sufficiently alleged that the pen register allowed the defendant to “surreptitiously intercept location data from an app user,” “‘fingerprinting’ each unique device and user, as well as connecting users across devices and devices across users,” and collecting geolocation data, search terms, click choices, purchase decisions and/or payment methods. (Id. at p. 1035.) Similarly, Plaintiff has alleged that the TikTok Software collects data in a manner meeting the definition of “trap and trace device” under section 638.50(c). (See Compl. ¶¶ 1-2, 12-15, 26.)

Defendant’s argument is also contradicted by the plain language of the statute, which states that “a person may not install or use” a trap and trace device without a court order. (Pen. Code, § 638.51(a).) Embedding software on a website that conducts the type of tracking defined in section 638.50(c) constitutes the “use” of a trap and trace device. Nothing in the statute suggests that “use” is limited to installation on a telephone. If that were the case, the Legislature would not have used the phrase “install or use.” (See Kray Cabling Co. v. County of Contra Costa (1995) 39 Cal.App.4th 1588, 1593 [“The use of this disjunctive reflects a legislative intent that either event, standing alone, may trigger the statute”].)

In sum, the Court finds that Plaintiff has pled sufficient facts to support a reasonable inference that Defendant utilized a trap and trace device to track Plaintiff’s information without a court order in violation of Penal Code section 638.51.

Defendant argues that Plaintiff’s position would subject every website to liability because websites necessarily gather certain information, such as IP addresses, in order to simply function. Defendant argues that website visitors necessarily consent to sharing their IP addresses. Defendant cites to Licea v. Hickory Farms LLC, 2024 WL 1698147, at *4, where the court viewed the plaintiff’s interpretation of the law “as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator.” The court noted that “nothing in the complaint establishes an IP address as equivalent to the ‘unique fingerprinting’ relied upon by the Southern District when finding embedded software into a mobile phone, thereby providing unique location and other information normally within the domain of law enforcement officers with a warrant.” (Id., at *3.)

By contrast, the allegations here suggest that the TikTok Software tracks data beyond that which is necessary for the proper functioning of a website. (See Compl. ¶¶ 1-2, 12-15, 26.) Unlike the complaint in Licea, the complaint here alleges that the TikTok Software gathers unique location information and other information besides IP addresses. (Ibid.) Plaintiff alleges that she did not consent to the collection of such data. (Id., ¶ 19.) “If merely visiting a website constitutes consent to the use of a [trap and trace device], then Section 638.51(a) would be a dead letter. It could never be violated. That is not an acceptable consequence.” (Levings v. Choice Hotels Intern., Inc., 2024 WL 1481189, at *2.)

Because Plaintiff has alleged that the TikTok Software collects data beyond that which is necessary for the proper functioning of a website, Plaintiff is not attempting to subject every website to liability for simply existing. On the other hand, it would be absurd if simply visiting a website waived any violation of section 638.51, thereby rendering all websites immune from prosecution. Therefore, the Court finds that Plaintiff has pled sufficient ultimate facts to support a violation of section 638.51. (See Levings, supra, 2024 WL 1481189, at *2.)

“A provider of electronic or wire communication service may use a pen register or a trap and trace device for any of the following purposes: . . . (5) If the consent of the user of that service has been obtained.” (Pen. Code, § 638.51(b)(5).)

Defendant argues that it is the “user” of the TikTok Software, and it has clearly consented to the use of the TikTok Software on its website. However, In re Doubleclick Privacy Litig. (S.D.N.Y. 2001) 154 F.Supp.2d 497, cited by Defendant, is distinguishable because that case concerned a federal statute that included a specific definition of “user” which plainly applied to website operators. (Id. at pp. 508-09.) The consent exception itself was also different, applying “with respect to a communication of or intended for that user.” (Id. at p. 507.) By contrast, the CIPA exception simply states “[i]f the consent of the user of that service has been obtained.” (Pen. Code, § 638.51(b)(5).) The statute does not define “user” or “service,” and Defendant cites no law interpreting either term in the context of CIPA.

Defendant’s argument would mean that no visitor to a website utilizing trap and trace software could ever have a viable claim because every operator of such a website necessarily consents to the use of the software on its own website. As pointed out in Levings, an interpretation wherein section 638.51 “could never be violated” is “not an acceptable consequence.” (Levings, supra, 2024 WL 1481189, at *2.)

Given CIPA’s express purpose to “protect the right of privacy of the people of this state” (Pen. Code, § 630), it would be absurd that a website operator who utilizes a trap and trace device to track an individual’s information can “consent” to the use of such device, and thereby escape liability, even though the individual whose privacy is being invaded has not consented.

Defendant argues that unless its interpretation is adopted, normal functions such as recording IP addresses or caller ID would be criminalized because that information is always recorded without obtaining the consent of each individual website visitor or incoming caller. However, as discussed above, Plaintiff alleges that the TikTok Software collects data beyond that which is necessary for ordinary operation. Regardless of whether website visitors and telephone callers necessarily consent to the collection of their IP addresses and caller IDs, Plaintiff has sufficiently alleged that she has not consented to the type of tracking conducted by the TikTok Software, which goes beyond IP addresses and caller IDs.

For pleading purposes, it may be reasonably inferred that Defendant, as a website operator, is the “provider of electronic or wire communication service,” and Plaintiff is the “user of that service.” (See Pen. Code, § 638.51(b)(5).) Because Plaintiff alleges that she did not provide her consent to have her information tracked by a trap and trace device, the exception in section 638.51(b)(5) does not apply.

Defendant argues that section 638.51 does not provide for a private right of action. This is correct, because the private right of action is provided in section 637.2(a), which states that “[a]ny person who has been injured by a violation of this chapter may bring an action against the person who committed the violation.” Defendant contends that section 637.2 “does not afford a carte blanche private right of action for all purported CIPA violations.” (Dem. 18:11-14.) However, on its face, section 637.2(a) provides a right of action for any “violation of this chapter.” Absent authority to the contrary, the Court assumes that “a violation of this chapter,” as used in section 637.2(a), includes a violation of section 638.51. Thus, an individual who has suffered a violation of section 638.51 may maintain a civil action under section 637.2.

Defendant contends that Plaintiff has not alleged an injury-in-fact. However, the allegations, when read as a whole and interpreted liberally, support a reasonable inference that Plaintiff had her information tracked without her consent, thus resulting in harm to her personal autonomy. (See Davis v. Facebook, Inc. (In re Facebook Inc. Internet Tracking Litig.) (9th Cir. 2020) 956 F.3d 589, 598 [“A right to privacy ‘encompass[es] the individual's control of information concerning his or her person’”].) “It is not a necessary prerequisite to an action pursuant to this section that the plaintiff has suffered, or be threatened with, actual damages.” (Pen. Code, § 637.2(c).) Thus, for pleading purposes, Plaintiff has adequately alleged an injury as required by section 637.2(a).

[1] The federal definition of “pen register” was amended in 2001 to remove the reference to attachment to telephone lines and replaced with the broader definition of “a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” (18 U.S.C. § 3127(3).) The definition of “trap and trace device” was amended to include the phrase “or process.” (Id., § 3127(4).)