Future LLC, a magazine and website publisher and owner of the TechRadar.com website, faces allegations that it collected website visitors’ IP addresses without consent in violation of the California Invasion of Privacy Act (CIPA). The class action complaint alleges that the TechRadar website launched three trackers -the TripleLift Tracker, GumGum Tracker, and Audiencerate Tracker – and installed them on the website visitors’ internet browsers. These trackers are used by Future to track IP addresses in order to conduct targeted advertising and collect website use analytics. This suit, as well as others like it, alleges that because these trackers capture “routing, addressing, or signaling information,” the trackers constitute a “pen register” under Section 638.50(b) of CIPA.

CIPA prohibits the installation or use of a pen register or a trap and trace device without first obtaining a court order. Class action plaintiff Digvijay Motiani claims that Future’s actions on the TechRadar website are in violation of this requirement.

This class action was filed in the U.S. District Court for the Southern District of New York and is one of the first trap and trace cases filed outside of California. However, since November 2023, over 50 similar actions have been filed in California state court, even though the purpose of CIPA is to authorize state and local law enforcement to use pen registers and trap and trace devices under state law.

Law enforcement agencies have historically used pen registers to track the telephone numbers of outgoing calls from a particular telephone line and “trap and trace” devices to record incoming telephone numbers. CIPA specifically defines a trap and trace device as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” If the California State Legislature intended on the inclusion of website tracking technologies (such as web beacons and pixels), the Legislature could have imported the definition of “electronic communication” from California Penal Code § 629.51(a)(2). Further, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively the CCPA), specifically addresses consumers’ privacy rights related to website tracking, requires businesses to disclose the use of such trackers, and allows consumers to opt-out of such tracking. The TechRadar website Privacy Policy specifically addresses this requirement:

For internet and mobile users (online third parties). If you do not wish for us or our online third-party partners (such as advertising networks) to sell or share your personal information with others, please click on the “Do Not Sell or Share My Personal Information” link in the footer of the relevant website. If you access this site and/or app from other devices or browsers or clear your cookies on your devices or browsers, you will need to indicate your preferences again from those devices or browsers. Alternatively, to opt out of “sales” or “sharing” of personal information, you can toggle your cookies off in the cookie preference center or enable Global Privacy Control (“GPC”) on your browser. To learn more about GPC, please visit here.

Motiani seeks to represent a class of California residents who accessed the website in California and had their IP addresses collected by the trackers. Montiani seeks statutory damages of $5,000 per CIPA violation, restitution, attorneys’ fees and costs, and pre-and post-judgment interest. We will continue to track these lawsuits and their resulting effects on the use of website tracking technologies. For now, if the CCPA applies to your business, review your website Privacy Policy and your tracking technology disclosures to confirm compliance with your statutory obligations and detail the use of any trackers on your website to provide consumers complete transparency.