Case Information
*1 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA TALIAH MIRMALEK, Case No. 24-cv-01797-CRB Plaintiff, ORDER DENYING DEFENDANT'S
v. MOTION TO DISMISS PLAINTIFF'S COMPLAINT LOS ANGELES TIMES COMMUNICATIONS LLC, Docket No. 22 Defendant. I. INTRODUCTION
Taliah Mirmalek, individually and on behalf of all others similarly situated (“Plaintiff”),
has brought this putative class action against Los Angeles Times Communications LLC (“Defendant”), owner and operator of the website LATimes.com (the “Website”), alleging that Defendant caused three third-party trackers to install and use “pen register” devices to collect the IP addresses of Website visitors in violation of the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 638.51(a). Defendant removed to this Court pursuant to the Class Action Fairness Act of 2005 (“CAFA”), 28 U.S.C. §§ 1332, 1446, 1453, 1711–15. Now, Defendant moves to dismiss Plaintiff’s complaint under Rule 12(b)(6) for failure to state a claim. Under Civil Local Rule 7-1(b), the Court finds the matter suitable for disposition on the pleadings. For the reasons below, the Court DENIES Defendant’s motion to dismiss.
II. BACKGROUND
A. Factual Allegations
1. The Parties
Plaintiff is a citizen of California and was present in California when she accessed the Website. Compl. (Dkt. 1) ¶ 6. Plaintiff seeks to represent a class defined as “all California residents who accessed the Website in California and had their IP address collected by the Trackers.” Id. ¶ 94.
2. The Dispute Between the Parties
Plaintiff alleges that when users visit the Website, Defendant causes three trackers—the TripleLift Tracker, GumGum Tracker, and Audiencerate Tracker (collectively, the “Trackers”)— to be installed on Website visitors’ internet browsers. Id. ¶¶ 28, 38, 49. Plaintiff alleges that Defendant then uses these Trackers to collect Website visitors’ IP addresses without the users’ consent or a court order. Id. ¶¶ 64, 66. In relevant part, CIPA § 638.51(a) prohibits any “person” from “install[ing] or us[ing] a pen register or trap and trace device without first obtaining a court order,” or obtaining the consent of the user. Cal. Penal Code §§ 638.51(a), (b)(5). A “pen register” is a “device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” Cal. Penal Code § 638.50(b). Plaintiff alleges that because the Trackers capture Website visitors’ “routing, addressing, or signaling information,” the Trackers each constitute a “pen register” under Section 638.50(b) of CIPA. Compl. ¶ 24.
B. Procedural History
Plaintiff filed this putative class action on February 13, 2024, in the Superior Court of the State of California for the County of Alameda. Id. at 1. On March 22, 2024, Defendant removed this action, asserting that federal subject matter jurisdiction exists pursuant to the Class Action Fairness Act (“CAFA”) 28 U.S.C. §§ 1332(d), 1446, and 1453. Notice of Removal (Dkt. 1) at 1. On April 18, 2024, Plaintiff sought to remand the case on the ground that this action falls within the “mandatory home state exception” to CAFA, found in 28 U.S.C. § 1332(d)(4)(B), or, in the *3 alternative, under the “discretionary home state exception,” found in 28 U.S.C. § 1332(d)(3). Mot. to Remand (Dkt. 11) at 1–2. On May 23, 2024, the Court denied Plaintiff’s motion to remand. Dkt. 15.
Before the Court is Defendant’s motion to dismiss Plaintiff’s complaint under Rule 12(b)(6) for failure to state a claim and Defendant’s request for judicial notice in support of its motion to dismiss. Mot. to Dismiss (“Mot.”) (Dkt. 22); Request for Judicial Notice (Dkt. 23).
III. JUDICIAL NOTICE Courts regularly take judicial notice of public records, including court cases that have “a direct relation to matters at issue.” U.S. ex rel. Robinson Rancheria Citizens Council v. Borneo, Inc ., 971 F.2d 244, 248 (9th Cir. 1992); see also Harris v. County of Orange , 682 F.3d 1126, 1132 (9th Cir. 2012) (“We may take judicial notice of undisputed matters of public record ... including documents on file in federal or state courts.”). Thus, the Court GRANTS Defendant’s request for judicial notice of Rodriguez v. Plivo Inc ., Case No. 24STCV08972 (Cal.Super. Oct. 2, 2024), Palacios v. Fandom, Inc ., Case No. 24STCV11264 (Cal.Super. Sept. 24, 2024), and the complaint in Licea v. Hickory Farms LLC , Case No. 23STCV26148 (Cal.Super. Oct. 25, 2023). Dkt. 23. The Court DENIES Defendant’s request for judicial notice of Response to Request for Comment by Chairman of Californians for Consumer Privacy and Chief Proponent of the California Consumer Protection Act (Nov. 9, 2018). Id.
IV. LEGAL STANDARD
A. Motion to Dismiss
Under Rule 12(b)(6), the Court may dismiss a complaint for failure to state a claim upon which relief may be granted. The Court may base dismissal on either “the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory.” Godecke v. Kinetic Concepts, Inc ., 937 F.3d 1201, 1208 (9th Cir. 2019) (cleaned up). A complaint must plead “sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (cleaned up). A claim is plausible “when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Id. “Threadbare *4 recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice” to survive a 12(b)(6) motion. Id. (citing Bell Atlantic v. Twombly , 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)). When evaluating a motion to dismiss, the Court “must presume all factual allegations of the complaint to be true and draw all reasonable inferences in favor of the nonmoving party.” Usher v. City of Los Angeles , 828 F.2d 556, 561 (9th Cir. 1987). “[C]ourts must consider the complaint in its entirety, as well as other sources courts ordinarily examine when ruling on Rule 12(b)(6) motions to dismiss, in particular, documents incorporated into the complaint by reference, and matters of which a court may take judicial notice.” Tellabs, Inc. v. Makor Issues & Rights, Ltd ., 551 U.S. 308, 322, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007).
V. DISCUSSION
The California Invasion of Privacy Act (“CIPA”) prohibits “a person” from “install[ing] or us[ing] a pen register…without first obtaining a court order.” Cal. Penal Code § 638.51 (“Section 638.51”). A “pen register” is “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50. To state a claim for a violation of CIPA’s pen register provision, a plaintiff must allege that a “[d]efendant installed a pen register without a court order.” Greenley v. Kochava, Inc ., 684 F. Supp. 3d 1024, 1050–51 (S.D. Cal. 2023); see Shah v. Fandom, Inc. , No. 24-CV-01062-RFL, 2024 WL 4539577, at *2 (N.D. Cal. Oct. 21, 2024) (denying a motion to dismiss because plaintiffs “adequately ple[d] each element of [the pen register] definition”).
Thus, at the motion to dismiss stage, the Court evaluates whether Plaintiff adequately alleges that 1) the third-party Trackers are “pen registers,” as defined by CIPA, 2) Defendant installed pen registers, and 3) Defendant did so without a court order.
A. “Pen Register” Status of Third-Party Trackers
First, Plaintiff adequately alleges that the third-party Trackers are “pen registers” within the meaning of CIPA. As stated, a “pen register” is “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a *5 communication.” Cal. Penal Code § 638.50. Plaintiff’s theory is that the third-party Trackers operate as pen registers under Section 638.50 because the Trackers are a process and/or device that collect users’ internet protocol (“IP”) addresses. See Compl. ¶ ¶ 24, 32, 33. Conversely, Defendant argues that CIPA’s pen register definition applies “only to telephone technology.” Mot. at 4.
As the Shah and Greenley courts held, “the Court cannot ignore the expansive language in the California Legislature’s chosen definition [of pen register],” which is “specific as to the type of data [collected],” but “vague and inclusive as to the form of the collection tool” (i.e. “device or process”). Greenley v. Kochava, Inc ., 684 F. Supp. 3d 1024, 1050 (S.D. Cal. 2023); see Cal. Penal Code § 638.50. In Greenley, the court evaluated whether a software development kit (a form of embedded software) is a pen register. The court explained that the Legislature’s chosen definition “indicate[d]” that “courts should focus less on the form of the data collector and more on the result.” Id. Thus, the court applied the plain meaning of a “process” to the statute to determine that the software development kit at issue constituted a pen register under CIPA. As the court instructed, “[a] process can take many forms.” Id. For example, as the Shah court held, a process includes software “that identifies consumers, gathers data, and correlates that data.” Shah , 2024 WL 4539577, at *2 (internal citation omitted). In Shah v. Fandom , the court held that software trackers are unauthorized “pen registers” within the meaning of CIPA because “they are processes that record users’ IP addressing information, but not the content of the electronic communications being transmitted from users’ computers or smartphones to [Defendant’s] website.” Shah , 2024 WL 4539577, at *2. There, the plaintiff filed a claim for a violation of CIPA’s pen register provision because the defendant allegedly caused users’ web browsers to download third-party software trackers, “which recorded and sent users’ internet protocol (IP) addresses to third parties without their consent.” Plaintiff asserts nearly identical allegations in her complaint.
Here, Plaintiff adequately alleges that the Trackers are a “device or process” as required by CIPA’s definition of a pen register. Plaintiff alleges that the third-party Trackers are “at least a process” because they are “‘software that identifies consumers, gathers data, and correlates that *6 data.’” Compl. ¶ 32 (quoting Greenley , 684 F. Supp. 3d at 1050). Further, Plaintiff alleges that the Trackers are a “device” because “in order for software to work, it must be run on some kind of computing device.” Id. (quoting James v. Walt Disney Co ., 701 F. Supp. 3d 942, 958 (N.D. Cal. 2023) (holding that software can constitute a device)). Thus, under the inclusive language of CIPA’s definition of a pen register, Plaintiff sufficiently alleges that the Trackers are a “device or process” under Section 638.50. Cal. Penal Code § 638.50.
Further, Plaintiff adequately alleges that the Trackers record addressing information in the form of IP addresses. Compl. ¶ 23. As CIPA states, a “pen
register…records…addressing…information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50. As the Ninth Circuit held, “IP addresses ‘constitute addressing information and do not necessarily reveal any more about the underlying contents of communication than do phone numbers.’” In re Zynga Priv. Litig ., 750 F.3d 1098, 1108 (9th Cir. 2014) (quoting United States v. Forrester , 512 F.3d 500, 510 (9th Cir. 2008)). Here, Plaintiff alleges that the “IP address is a unique identifier for a device…contain[ing] geographic[]” information regarding a “device’s state, city, and zip code.” Compl. ¶ 23. Thus, Plaintiff sufficiently alleges that the Trackers record addressing information in the form of IP addresses. Further, Plaintiff adequately alleges that IP addresses are “transmitted by an instrument or facility from which a wire or electronic communication is transmitted.” Cal. Penal Code § 638.50. Plaintiff alleges that the instruments or facilities are users’ “computers or smartphones.” Compl. ¶¶ 104-5. Additionally, Plaintiff alleges that users’ devices transmit “electronic communication[s]” in the form of Hypertext Transfer Protocol (“HTTP”) or “GET” requests to load Defendant’s website. Id. ¶ 20. Specifically, Plaintiff describes that “to make Defendant’s Website load on a user’s internet browser, the browser sends an ‘HTTP’…or ‘GET’ request…to Defendant’s server. Id . Then, Defendant’s server sends an HTTP response with a set of instructions to load certain images, text, or music. Id. ¶ 21. Finally, the Trackers “record” the addressing information by “instruct[ing] the user’s browser to send…the user’s IP address” to the Tracker and by “stor[ing] a cookie with the user’s IP address in the user’s browser cache.” Id. ¶¶ *7 28-9. As the Shah court held, the “HTTP request transmitted from users’ computers or smartphones constitutes an electronic communication, and the Trackers record the addressing information associated with this communication.” Shah , 2024 WL 4539577, at *4. Therefore, Plaintiff adequately alleges that the Trackers record addressing information, as required by CIPA. B. Installation and Use of Pen Register Without a Court Order
Next, Plaintiff adequately alleges that Defendant installed the third-party Trackers without a court order. CIPA prohibits “a person” from “install[ing] or “us[ing] a pen register…without first obtaining a court order.” Cal. Penal Code § 638.51. Regarding the court order, Plaintiff alleges that “Defendant did not obtain a court order before installing or using the Trackers.” Compl. ¶¶ 91-2. Defendant does not argue otherwise. Regarding installation of a pen register, Plaintiff alleges that Defendant “has incorporated the code of the Trackers into the code of its Website.” Compl. ¶ 62. Plaintiff continues that “[u]pon installing the Trackers on its Website, Defendant uses the Trackers to collect the IP addresses of [Website] visitors.” Id. ¶ 64. Specifically, Plaintiff explains that “[w]hen Plaintiff visited the Website, the Website’s code—as programmed by Defendant—caused the Trackers to be installed on Plaintiff’s browser.” Id. ¶ 88. Thereafter, “Defendant, TripleLife, GumGum, and Audiencerate, then used the Trackers to collect Plaintiff’s IP address.” Id. Because Plaintiff alleges that Defendant “was responsible for integrating the third-party script into its own website,” Plaintiff’s “allegation that [Defendant] installed the Trackers is sufficient to state a claim.” Shah , 2024 WL 4539577, at *5.
C. Statutory Standing Under CIPA
Fourth, Plaintiff adequately alleges statutory standing under CIPA. “Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” TransUnion LLC v. Ramirez , 594 U.S. 413, 427 (2021); see Rodriguez v. Fountain9, Inc ., 2024 WL 3886811, at *4 (Cal. Super. July 09, 2024) (holding that a plaintiff must “allege a concrete injury-in-fact” to establish statutory standing under CIPA). Plaintiff asserts that Defendant’s alleged CIPA violation injured her by “caus[ing] Plaintiff’s IP address to be disclosed to unconsented-to third parties” and by enabling “Defendant and third parties [to] use Plaintiff’s personal data” for their benefit. Dkt. 25 at 9, 11 (Plaintiff’s *8 Opp’n). Regarding the first injury, Plaintiff alleges that, without Plaintiff or users’ “consent for such conduct,” the Trackers “receive[] a user’s IP address each and every time a user interacts with the [W]ebsite.” Compl. ¶¶ 52, 66. Regarding the second injury, Plaintiff alleges that “Defendant then uses the IP address of Website visitors, including those of Plaintiff and Class Members, to serve targeted advertisements and conduct website analytics.” Id. ¶ 65. Further, Plaintiff alleges that the Tracker companies (TripleLife, GumGum, and Audiencerate) use this “third-party data…to determine where to place advertisers’ ads and who to place them in front of.” Id. ¶ 71. For example, Plaintiff alleges that GumGum collects IP addresses “to ascertain a user’s location and target that user with advertisements tailored to their location” and “to track a user’s Website activity over time…to target a user with advertisements relevant to the user’s personal browsing activity.” Id. ¶ 78. Thus, like the plaintiffs in Shah , Plaintiff has plausibly alleged that she was “injured by being tracked across multiple visits for marketing and advertising purposes, and that [she] did not expect or agree to such tracking.” Shah , 2024 WL 4539577, at *5. Therefore, Plaintiff sufficiently alleges statutory standing. D. Statutory Exceptions Defendant argues that Section 638.51(b)(1) and/or Section 638.51(b)(5) preclude Plaintiff from asserting her claim. Neither exception applies. Section 638.51(b) states that a “provider of electronic or wire communication service may
use a pen register” to (1) “operate, maintain, and test a wire or electronic communication service” or (5) “[i]f the consent of the user of that service has been obtained.” Cal. Penal Code § 638.51(b). Defendant argues that both provisions exempt Defendant from liability because Defendant’s collection of Website visitors’ IP addresses through installation of the Trackers is “necessary” to operate its Website and Defendant “consent[ed] to the [installation or use of the] complained-of trackers.” Mot. at 13, 22.
However, Section 638.51(b) does not apply because Defendant fails to establish that it is a “provider of electronic or wire communication service.” Cal. Penal Code § 638.51(b). Defendant asserts that “nothing in Section 638.51(b)…limits application of the exception to the “provider of electronic or wire communications service.” Dkt. 26 at 13. But Section 638.51(a) does. Section *9 638.51(a) explicitly states: “Except as provided in subdivision (b), a person may not install or use a pen register…without first obtaining a court order.” § 638.51(a). Defendant fails to establish that it is a “provider of [an] electronic or wire communication service.” § 638.51(b)(1). Thus, Section 638.51(b) does not apply to Defendant. Therefore, neither Section 638.51(b)(1) nor (5) preclude Plaintiff from asserting her claim.
E. Legislation
Finally, Defendant argues that the California Consumer Privacy Act (“CCPA”), not CIPA, December 12, 2024 “should control.” Mot. at 10. Specifically, Defendant asserts that CCPA should control because it was “enacted after CIPA’s pen register provisions and specifically regulates the data collection at issue here.” Id.
However, CCPA does not preempt CIPA. In fact, CCPA states that “law relating to consumers’ personal information should be construed to harmonize with the provisions of this title.” Cal. Civ. Code § 1798.175. CCPA explicitly states that “in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.” Id. Thus, CCPA and CIPA are complementary. Even if a conflict existed, Plaintiff may bring her claim under CIPA. Defendant argues that applying CIPA’s pen register provision to actions such as Defendant’s installation and use of third-party Trackers would “supplant…the detailed notice and ‘opt out’ framework of the CCPA.” Mot. at 10. Defendant asserts that such an application of CIPA would enforce a “far stricter ‘opt- in’ regime.” Id. However, as CCPA states, “the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.” Cal. Civ. Code § 1798.175. Thus, by Defendant’s own argument, CIPA should control.
VI. CONCLUSION For the foregoing reasons, the Court DENIES Defendant’s motion to dismiss. IT IS SO ORDERED .
*10 Dated:
______________________________________ CHARLES R. BREYER United States District Judge