Login | March 14, 2025

Trap and trace: More old tech law applied to new circumstances

RICHARD WEINER
Technology for Lawyers
Published: February 21, 2025

Well, here we go again with old tech laws being applied to new-ish circumstances.
At least, that’s according to some California defense lawyers.
The California Invasion of Privacy Act (CIPA) has given rise to numerous recent lawsuits attacking website visitor tracking under laws that were originally intended to stop law enforcement from using “trap and trace” devices.
As we continually point out, California tech law is important to know because most tech companies are in California, and so their technology laws affect most of us in one way or another, and many technology-based lawsuits are going to use California law even if the plaintiff lives in Akron.
Trap and trace devices and California Penal Code §638.51 date from a time when the highest form of technology was the telephone.
A trap and trace device, or pen register, is a kind of wiretapping. It’s illegal under CIPA absent a court order (like any wiretap).
A spate of recent lawsuits have proposed that the normal course of communicating with a website, which involves the exchange of IP addresses between the user and the website, is a trap and trace device that falls under that penal code section and is illegal under CIPA.
If this newly-minted cause of action would be successful, every company that has a website would be under threat. And there have been hundreds of such lawsuits filed in California.
The first case to hold that website communication was a pen register was the 2023 case Greenly v. Kochava, which held that information packet exchanges could be a pen register under the statute.
However, at least one court has seen through this nonsense and recently held that pen register provision “did not, and does not, criminalize the process by which all websites communicate with all users who choose to access them.”
See Casillas v. Transitions Optical, Inc., 2024 WL 4873370 (Cal. Super. Sept. 9, 2024).
The court above distinguished between the normal operation of a website and a pen register, in that there was no content of any conversation that took place between two people to be recorded.
So, granted, this may not affect you or your clients. But you never know….
Thanks for the analyses to the folks at Jeffer Mangels Butler & Mitchell LLP and Covington & Burling LLP.


[Back]