A recent court decision that halts a proposed pen register class-action lawsuit may signal a sea change in how courts approach privacy claims that are filed under the California Invasion of Privacy Act.
The proposed lawsuit filed with the U.S. District Court for the Southern District of New York by California resident Jonathan Gabrielli argued Business Insiders' use of Audiencerate's Tracker, a website advertising analytics tool, violated the CIPA when its pen register collected IP addresses without consent.
Pen registers are digital tools that collect phone numbers dialed from a specific phone line while also acting as internet communication monitors. Registers can trap and trace incoming calls, but are not supposed to reveal the information contained within monitored communications or identify the parties involved.
Judge Edgardo Ramos halted the potential litigation because there was no sufficient proof the IP address collection caused material harm to consumers. More specifically, Ramos ruled the plaintiff needed to "show the harm caused by the disclosure of their information bears a 'close relationship' to the traditionally recognized harm."
Womble Bond Dickinson Partner Matthew Pearson, who represented Business Insider, told the IAPP the opinion resets the tone for future disputes over pen registers, and could encourage courts to "go beyond the often-exaggerated allegations in the complaint and actually analyze the underlying technology."
Gabrielli has the right to appeal the Ramos decision.
CIPA violation allegations
The CIPA aims to protect consumers from unnecessary surveillance tools and practices by ensuring law enforcement and businesses obtain consent from individuals before collecting communications information.
Audiencerate's technology helps companies monitor performance by collecting consumer information such as IP addresses for advertising purposes. The lawsuit stated consumers suffered from an invasion of privacy under the CIPA due to the tracking technology’s ability to collect and sell information about consumers without explicit consent. Gabrielli claimed the company's use of the technology caused him and other Business Insider users tangible harm by infringing on their right to privacy.
Gabrielli's allegations highlighted consumers' concerns over the sharing of IP addresses and the potential geolocation data collected by companies. While IP addresses do not share individuals' exact location information, it does allow those with access to an IP address to view the individual's approximate location.
Loeb & Loeb Chief Privacy and Security Partner Jessica Lee, CIPP/E, CIPP/US, CIPM, said the dismissal serves as a "reminder that mere technical violations of data collection procedures, without demonstrable concrete harm or collection of truly private information, are insufficient to establish standing in federal court."
Ramos' opinion indicated IP addresses cannot be considered personal information due to its inability to identify individuals. He found consumers do not have a reasonable expectation of privacy as IP addresses do not contain enough identifiable information to be considered personal data. The decision noted the sharing of an IP address does not qualify as a "matter concerning the private life of another … that would be highly offensive to a reasonable person."
The opinion stated the plaintiff does not "deny that he voluntarily provided his IP address when he accessed Insider's website," as Gabrielli's engagement with the website provided the company with permission to access his IP address to effectively communicate with his device. Even if Gabrielli did not willingly provide the company with his IP information, the "collection of an IP address would not be considered" a substantial or harmful invasion of privacy, Ramos said.
Womble Bond Dickinson's Pearson said the decision "accurately demonstrates why collection and or disclosure of public IP addresses is not closely related" to traditionally recognized harm.
Organizational takeaways
While Ramos' decision to dismiss the case could set new precedent, Pearson said companies "are going to be left wondering whether what they are doing on their site is actually violating the law" until they get a substantive, merit-based ruling on the matter.
In the meantime, company standards around the protection of sensitive data remain in focus and potentially a key line of defense in any litigation. Lee suggested companies "continue to build out strong cookie governance programs so that they know specifically what is being collected from its websites and apps, who it is going to and why."
Lee added that companies collecting consumer data beyond IP addresses "need to make sure that they have provided all of the notices/choices that are required to have a strong defense in what may be an inevitable CIPA claim."
Lexie White is a staff writer for the IAPP.
