California Invasion of Privacy Act Lawsuits: An Update

Over the past year, lawsuits under the California Invasion of Privacy Act (“CIPA”) have gained significant momentum, and there’s no sign of them slowing down. Both state and federal courts in California are seeing a rise in class actions, as plaintiffs’ attorneys continue to target companies with inadequate website consent mechanisms. While pleading challenges have progressed in many cases, courts have applied legal principles inconsistently, creating uncertainty and a patchwork of rulings. One constant, however, is the plaintiffs’ focus on company websites that lack clear opt-in consent for tracking technologies.

Update on Earlier Cases

In a previous article, we highlighted three pivotal cases that began shaping how courts handle CIPA claims:

• Greenley v. Kochava Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023): The court denied the defendant’s motion to dismiss, finding the plaintiff sufficiently alleged that the defendant’s surreptitiously embedded website software constituted a “pen register” under CIPA. Id. at 1050. This case was settled on June 3, 2024, and a joint motion to dismiss without prejudice was filed on October 14, 2024.

• Licea v. Hickory Farms LLC, No. 23STCV26148, 2024 WL 1698147 (Cal. Super. Mar. 13, 2024): The court sustained the defendant’s demurrer, finding the plaintiff failed to demonstrate the use of a CIPA “pen register.” Id. at *4. The case was voluntarily dismissed with prejudice on March 25, 2024, suggesting a likely settlement.

• Levings v. Choice Hotels Intern., Inc., Case No. 23STCV28359, 2024 WL 1481189 (Cal. Super. Apr. 3, 2024): The court overruled the defendant’s demurrer, finding that the defendant’s website deployed a software device and process sufficient to describe the use of “pen register” as defined under CIPA. Id. at *4. The case was voluntarily dismissed with prejudice on July 30, 2024, again indicating a likely settlement.

Recent Developments

Recent court decisions underscore the ongoing unpredictability of CIPA litigation. Voluntary dismissals, involuntary dismissals due to jurisdictional issues, and denials of motions to dismiss are all present, contributing to a complex and evolving legal landscape for companies with websites accessed by California consumers.

A key development is the United States Court of Appeals for the Ninth Circuit’s recent decision in Calhoun v. Google, LLC, 13 F.4th 1141 (9th Cir. 2024). In this case, a California district court granted summary judgment in favor of Google, but the appellate court reversed, holding that the district court applied an incorrect standard. The appellate court emphasized that the proper standard is whether a reasonable user would understand that the platform was collecting and sharing personal data, even though the plaintiff had opted not to “sync” the platform with their browser. Id. at 1148. The district court had erroneously applied a higher threshold, expecting users to possess the expertise of an experienced business lawyer or navigate complex legal jargon to comprehend their consent. Id. at 1151. As a result, the case was remanded to the district court to apply the correct standard.

The Calhoun decision, along with ongoing proceedings in other cases, suggests that courts are increasingly scrutinizing what constitutes informed consent when it comes to website data collection. We also anticipate that forthcoming rulings will further clarify the definitions of “pen registers” or “trap and trace devices” under CIPA, which remain critical issues for businesses using tracking technologies.

Rise in Class Actions and Federal Cases

There has been a notable uptick in CIPA demand letters and class action filings against companies, many of which are spearheaded by attorneys from both California and other jurisdictions. In some cases, plaintiffs have expanded their claims to include violations of other states’ wiretapping statutes.

A notable federal case, Heiting v. Taro Pharms. USA, Inc., No. 2:23-cv-08002, 2024 U.S. Dist. LEXIS 135780 (C.D. Cal. July 31, 2024), saw a California district court dismiss some CIPA claims while allowing others to proceed, stating that the plaintiff plausibly pled that the third party intercepted her communications in transit to the defendant and, therefore, provided a reasonable argument that CIPA had been violated. Id. at *9. The ruling is currently pending certification for Ninth Circuit review, adding to the complexity of the landscape.

Website Consent Mechanisms Offer Companies Protection

Despite the increase in CIPA claims, companies with robust website consent mechanisms are seeing fewer lawsuits. Websites that use “cookie pop-up” notices to inform users of tracking technologies — and provide options to accept, reject, or manage them — are generally better positioned to avoid litigation. These mechanisms provide transparency and empower users to make informed decisions about tracking technologies, serving as a vital defense in CIPA cases.

Companies that only deploy essential tracking technologies (often called “functional” or “essential” cookies) before obtaining user consent are finding themselves in a more defensible position, reducing the likelihood of being targeted in CIPA-related lawsuits.

For more information on CIPA lawsuits, responding to demand letters, or ensuring website compliance with tracking technology regulations, please contact AGG partners Jackie Cooney, Damon Eisenbrey, or Chesley McLeod.