Navigating “Pen Register” Law in the Digital Age: Court Rules the Law Applies to Website Tracking Technologies
On February 20, 2025, the United States District Court for the Southern District of New York recognized that online tracking technologies that collect IP addresses may fall under California’s “Pen Register” law, known as Section 638.51 of the California Invasion of Privacy Act (“CIPA”), which prohibits the use of physical recording devices for telephone communications without a court order. Carol Lesh v. Cable News Network, Inc., No. 24 CIV. 03132 (VM), 2025 WL 563358, at *1 (S.D.N.Y. Feb. 20, 2025) (“Decision”). This Decision follows two recent California cases that similarly concluded that online trackers collecting IP addresses are pen registers under CIPA,[1] and underscores an evolving legal landscape where courts may increasingly apply traditional wiretap and surveillance laws to online tracking software. Companies collecting data, such as IP addresses, should carefully reassess their tracking practices, terms of use, and privacy policies to mitigate potential legal risks.
FACTUAL BACKGROUND
Plaintiff Carol Lesh brought the class action against Cable News Network, Inc. (“CNN”), alleging that CNN’s use of tracking software that collects users’ IP addresses violates Section 638.51(a). According to the complaint, CNN’s website utilizes tracking technologies (“Trackers”) for marketing and advertising purposes that are deployed through a multi-step process. When a user visits CNN’s website, the Trackers are automatically installed on their browser, collecting and sharing the user’s IP address and also storing a small data file (a “cookie”) on the user’s browser so that when the user subsequently visits the website, the Trackers retrieve the cookie and send both the cookie ID and IP address to third-party providers. This information is then used for marketing and advertising purposes.
THE DECISION DENIED A MOTION TO DISMISS PEN REGISTER CLAIMS
Following removal to and transfer from the Northern District of California, CNN moved to dismiss the complaint on four separate grounds.
First, CNN argued that collecting IP addresses does not violate CIPA because individuals do not have a recognized privacy interest in their IP addresses under the Fourth Amendment. The court, however, disagreed, observing that CIPA provides broader privacy protections than the Fourth Amendment. The court further affirmed that the limits of the Fourth Amendment have no bearing on an individual’s standing to bring a claim because CIPA expressly grants a private right of action to individuals harmed by unauthorized data collection.
Second, CNN argued that the CIPA’s restrictions on “pen registers”—defined as a “device or process that records or decodes dialing, routing, addressing, or signaling information”—apply only to telephone communications and not websites. The court, however, rejected this argument, ruling that the statute defines “pen registers” broadly to include not only physical devices but also any modern tracking technologies that collect and transmit “addressing information.” The court further emphasized that CIPA’s definition of pen registers encompasses a variety of “electronic communications” because CIPA was intended to protect against digital surveillance and is not limited to telephone lines.
Third, CNN attempted to rely on an exception in CIPA (Section 638.51(b)(5)) that permits the use of “pen registers” or “trap and trace devices” if the “user of the service” has given consent by claiming that CNN had consented to its own use of tracking technologies, arguing that consent obtained from one party to the communication is sufficient under the statute. The court, however, found the argument “illogical,” observing that Plaintiff, who is also a user of CNN’s website, never consented to the use of trackers to collect her IP address.
Fourth, as a last resort, CNN sought to rely on its website’s Terms of Use. Relying on archived screenshots from the Wayback Machine, CNN argued that users were notified via a pop-up that they agreed to the Terms of Use, which disclosed the use of third-party trackers and included a waiver of class action claims. The court found it too early to determine whether Plaintiff was adequately notified of CNN’s Terms of Use and consented to them. Analyzing CNN’s pop-up, the court found that it effectively functioned as a hybrid “clickwrap-browsewrap” agreement that merely informed users that continuing to browse signified consent but did not require a user to explicitly “Agree” before proceeding. The Court found that further factual development was required to determine whether this pop-up constitutes constructive or actual notice of the Terms.
TAKEAWAY
Although this court’s Decision denying CNN’s motion to dismiss Plaintiff’s “pen register” claims does not necessarily mean Plaintiff will succeed on the merits, the Decision shows that the bar to survive dismissal may be relatively low. Importantly, this Decision underscores that businesses collecting and sharing users’ IP addresses without clear consent from users may face legal exposure under decades-old wiretap and surveillance laws that were not originally intended to apply to online tracking technologies. Companies engaging in online tracking practices should re-evaluate their defensive strategies, including prioritizing obtaining affirmative user consent prior to collecting information. In addition, companies should review their terms of use and policy policies to ensure compliance with CIPA and other privacy laws.
[1] See Shah v. Fandom, Inc., No. 24-CV-01062-RFL, 2024 WL 4539577, at *2-4 (N.D. Cal. Oct. 21, 2024) (holding that software trackers “that identifies consumers, gathers data, and correlates that data” are “pen registers” within the meaning of CIPA); Mirmalek v. Los Angeles Times Communications LLC, No. 24-CV-01797-CRB, 2024 WL 5102709, at *3 (N.D. Cal. Dec. 12, 2024) (same).