"The Language of [the California Invasion of Privacy Act] Is a Total Mess," Which Gets "Bigger as the World Continues to Change"

From Judge Vince Chhabria's opinion Friday in Doe v. Eating Recovery Center LLC (N.D. Cal.):

The California Invasion of Privacy Act (CIPA) was enacted in 1967 to criminalize wiretapping and eavesdropping on confidential communications. Although it is a criminal statute, CIPA also authorizes victims to bring civil actions against those who violate the statute, allowing recovery of civil penalties of $5,000 per violation or three times the amount of actual damages—whichever is greater. See Cal. Penal Code § 637.2(a).

The language of CIPA is a total mess. It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA's already-obtuse language to new technologies. Indeed, we have reached the point where it's often borderline impossible to determine whether a defendant's online conduct fits within the language of the statute.

This is such a case. The plaintiff seeks to impose CIPA liability on a website operator for using a third party to perform data analytics and targeted advertising. In particular, liability here turns on whether the third party "read" or "attempt[ed] to read" or attempted "to learn" the contents of an internet communication between the plaintiff and the website operator while that communication was "in transit." If so, the website operator could be liable to the plaintiff under CIPA for enabling the third party to engage in that conduct.

As discussed in this ruling, the statutory language at issue here is ambiguous. One could imagine an interpretation under which the website operator would be liable. But CIPA is a criminal statute. When courts are called upon to interpret ambiguous criminal statutes in California, the rule of lenity applies—even when the statute is being invoked in a civil action. Harrott v. County of Kings (Cal. 2001). Courts are also supposed to narrowly construe civil statutes that impose punitive civil penalties. See Hale v. Morgan (Cal. 1978). So the Court will adopt a narrower but equally reasonable interpretation of CIPA—one that does not encompass the conduct at issue in this case.

The state of affairs with CIPA is untenable. Courts are issuing conflicting rulings, and companies have no way of telling whether their online business activities will subject them to liability. That seems particularly true of Penal Code Section 631(a), the CIPA provision at issue here. The California Legislature needs to step up. It would be bad enough if CIPA were merely a civil statute that allowed plaintiffs to recover actual damages for violations. But CIPA imposes criminal liability and punitive civil penalties. Under these circumstances, it is imperative for the Legislature to bring CIPA into the modern age and to speak clearly about how the kinds of activities at issue in this case should be treated. Until that happens, courts should generally resolve CIPA's many ambiguities in favor of the narrower interpretation.

Here's a short excerpt from the particular fact pattern that led to this critique, and the court's longish analysis of the pattern:

The Meta Pixel is a piece of code that can be installed on a website to track how visitors interact with that website. When visitors take certain actions on a website, the Pixel transmits information related to those actions to Meta, which in turn uses the information to provide various services for the website operator. A common reason website operators use the Pixel is to target ads to people likely to purchase their products or services.

At a high level, the process for collecting and using Pixel data involves three steps. First, certain information about a visitor's activity on the website, which Meta refers to as "event data," is captured and shared with Meta. Website operators choose what data to send to Meta, and Meta filters that data to lower the risk of storing personally identifiable information. Next, Meta attempts to match event data with Meta user accounts. Event data about a particular visitor can be matched with that visitor's Meta account only if the visitor is logged into their Meta account at the time they are visiting the website. Finally, event data can be used by Meta in various ways, depending on the website operator's preferences. Event data can potentially be used: (1) to identify Meta users to send ads to; (2) to provide aggregated data to website operators about actions users take on their websites; and (3) as an input into Meta's machine learning algorithms for optimizing Meta's content delivery.

With respect to ad targeting, Meta uses event data matched with Meta accounts to create "audiences" to send (or not send) ads to, based on criteria selected by the website operator. For instance, a website operator can define a group it wants to show ads to (an "inclusive custom audience") or a group it specifically does not want to send ads to (an "exclusive custom audience"). Meta can also send ads to Meta users with relevant traits similar to those in a previously created custom audience (a "lookalike audience")….

[A] CIPA provision [Cal. Penal Code § 632(2)] … imposes liability on anyone who … "willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state." Doe argues that … Meta read, attempted to read, or attempted to learn the contents of her communications with ERC while they were in transit (and without her consent)….

As discussed below, the event data that Meta obtained when Doe visited ERC's website is, as a matter of law, the contents of a communication. The harder question is whether the communications were in transit when Meta read, attempted to read, or attempted to learn their contents. This question is hard because the statute was not drafted with the internet in mind. It is also hard because, even aside from the internet issue, the statute is just badly drafted. The Court concludes, albeit without a great deal of confidence, that Meta's conduct did not satisfy the "in transit" requirement as a matter of law….

It's unclear how to apply the transit requirement to instantaneous internet communications. Courts (including probably this one) have been all over the map on the issue. Some seem to say that merely intercepting the communication while it's being made is enough, as long as the interception happens simultaneously or near-simultaneously. Others say that you also have to "read" the communication while it's in transit—that is, you have to do something more than just intercept the contents of the communication or redirect them to yourself during the virtually infinitesimal amount of time it takes for the communication to travel from the website visitor to the website operator….

Doe's first argument is that … Meta read her communications while they were in transit. Meta's corporate representative testified that, before logging the data that it obtains from websites, Meta filters URLs to remove information that it does not wish to store (including information that Meta views as privacy protected). Doe asserts that this step, which occurs after Meta obtains the data but before the data is stored, amounts to reading the communication while in transit.

There are a couple of reasons why that is wrong as a matter of law. First, Meta's automated effort to avoid storing material that it should not be storing can't reasonably be considered "reading" or "learning" the contents of the communication. Reading or learning the contents of a communication requires "some effort at understanding the substantive meaning" of the communication. A filtering process that simply sorts out certain data—which may be better analogized to sorting mail than to reading it—can't fairly be characterized as an effort at understanding the meaning of the communication.

Second, the filtering operation indisputably takes place after the communication has already traveled from the website visitor to the website operator. The parties agree that event data is transmitted to Meta about 0.2 seconds after the visitor's action is transmitted to the website. The filtering of the data necessarily happens after this because the event data is encrypted while being sent to Meta. Encrypted data is sent in packets that have to be reassembled before anything can be done with the data. Thus, Meta has to receive the packets of data and reassemble them before it can filter and log the data.

Doe doesn't dispute that this is how the technology works; rather, she disputes how it should be characterized. Doe argues that the communication remains in transit until after it goes through Meta's filtering process and is logged by Meta. But the only commonsense meaning of transit, at least in the context of this statute, is the transit from the person sending the communication to its intended recipient.

It's worth pausing here to acknowledge how strange this outcome is. Regardless of whether it is receiving the communication a second before or after it reaches the website, Meta is effectively engaging in the same conduct. Arguably, then, the purpose of the statute can only be effectuated by reaching the same result in both instances. This argument would have a place if the language were ambiguous.

But "in transit" is not ambiguous. And that's the problem with cases involving the tracking of online activity—the statutory language was drafted with very different technology in mind, and it does not map properly onto the internet.…

[T]here is reason to question whether the Legislature intended for CIPA to apply to the type of conduct implicated by this case at all. Recall that CIPA was enacted in 1967. Its language—with words like "read" and "intercept" and "in transit"—is ill-suited for application to internet communications. The Legislature has never, in over four decades, amended Section 631 to adapt its language to the digital age. And California has since adopted other statutes that more clearly speak to the practice of data sharing….

Did the Legislature really intend to subject companies like ERC to criminal liability for using third-party software to track website activity? Did it really mean to criminalize the use of web traffic data? Given the statute's ambiguity and its imposition of criminal liability, perhaps courts should not be so quick to assume that the answer is yes. But regardless of whether CIPA could, in some circumstances, impose criminal liability on website operators and data analytics firms for the transmission of information about web traffic and the subsequen[t use of that information, it would not be appropriate to interpret the "in-transit" requirement of Section 631(a) so broadly as to cover the conduct at issue here….

As difficult as it is to apply CIPA to the physical world, it's virtually impossible to apply it to the online world. Hopefully, the Legislature will go back to the drawing board on CIPA. Indeed, it would probably be best to erase the board entirely and start writing something new.

But until that happens, courts should not contort themselves to fit the type of conduct alleged in this case into the language of a 1967 criminal statute about wiretapping. Because the evidence is undisputed that Meta did not read, attempt to read, or attempt to learn the contents of Doe's communications with ERC while those communications were in transit, ERC is entitled to summary judgment on Doe's CIPA claim….

James Francis Monagle and Nicholas Pontzer (Mullen Coughlin LLC) represent defendant.