A recent lawsuit against U.S. Bank highlights the legal gray area banks enter when they engage in internet data collection practices, particularly concerning third-party trackers, and especially when operating in California.
The case, which entered federal court this month, was filed by California resident Tawnya Rodriguez and accuses U.S. Bank of an “outrageous privacy bait and switch scheme.”
The lawsuit claims that U.S. Bank allows online advertising tech firm Magnite to see how visitors use the bank’s website, and Magnite allegedly uses that data to compile and sell personal details about visitors for marketing purposes. This, Rodriguez argues, results in a “grave intrusion upon visitor privacy,” in violation of California law.
Magnite allegedly uses a tracking pixel and related browser cookies to collect information on the user once they visit the U.S. Bank website, but before any pop-up or cookie banner advises users of the cookie and before the site seeks their consent.
U.S. Bank did not immediately respond to a request for comment from American Banker. Magnite also did not immediately respond.
The lawsuit against U.S. Bank mirrors other California cases
The lawsuit asserts, among other claims, that U.S. Bank’s conduct violates a 1967 California law, originally written to address wiretapping and related practices. The lawsuit specifically alleges U.S. Bank uses the equivalent of a so-called trap and trace device.
Trap and trace devices record which numbers have called a specific phone — essentially a log of incoming calls. They do not, however, record the actual content of calls — a distinction that has turned out to be crucial in recent, related cases.
The lawsuit against U.S. Bank alleges that Magnite’s tracking practices constitute a trap and trace device, in violation of the California Invasion of Privacy Act of 1967 (CIPA).
Other legal teams have made similar arguments that CIPA covers internet tracking activities, with varying degrees of success in federal court.
In Shah v. Fandom, a case involving the parent company of gaming publication GameSpot, a California man argued that the company violated CIPA using the equivalent of a so-called pen register in its internet tracking practices. Rather than record the numbers of incoming calls as trap and trace devices do, pen registers record which numbers a telephone is dialing.
As of this month, that case appears to be on its way to a class action settlement.
However, in Mitchener v. CuriosityStream, a case against TikTok’s parent company, another California man alleging privacy violations saw his case dismissed from the same court. The man’s legal team argued TikTok violates CIPA by acting as the equivalent of a trap and trace device.
The court dismissed that case this month in a win for TikTok.
The varying outcomes — based on a variety of facts and specific arguments — make it hard to predict how the case against U.S. Bank might turn out, though a handful of precedents provide some hints.
Specific arguments and facts are crucial to CIPA cases
In Shah v. Fandom, the U.S. District Court for the Northern District of California effectively said in October that CIPA applies to the internet tracking practices in that case.
The court ruled that IP addresses constitute “addressing information” under CIPA and emphasized that it broadly interprets the law to protect privacy and apply to new technologies.
The court also found that, while users might consent to disclosing their IP address to a website for its basic function — i.e. to load the website — this “does not necessarily consent to disclose their IP address to the third parties operating the trackers.”
At the same time, judges in the Northern District of California have also taken a more restrictive view.
In Mitchener v. CuriosityStream, the court dismissed a CIPA claim alleging TikTok software acted as a “trap and trace device.” The court dismissed the case “with prejudice,” which prevents Mitchener from tweaking and re-filing his lawsuit — an indicator that the fundamental argument was flawed.
In Mitchener, as in Shah, the court focused on the delineation between the content of communication and the metadata about the communication.
In its Mitchener decision, the court said CIPA’s trap and trace definition specifically targets dialing, routing, addressing or signaling information, not the content of a communication.
The court also said that internet users generally have “no expectation of privacy” in metadata like IP addresses or general geographic location, according to the order.
This ruling serves as a “flashing red warning sign” for plaintiffs that their facts must precisely fit the statute’s definition,
Similarly, the Ninth Circuit Court of Appeals — a higher court than the California district court that ruled on Shah and Mitchener — ruled in July in a case titled Gutierrez v. Converse that the shoe company’s website chat feature, operated by third-party partner Salesforce, did not violate CIPA.
In fact, the specific section of CIPA that Gutierrez had argued Converse violated — one related to wiretapping — “does not apply to internet communications,” according to the ruling.
The various outcomes make one thing clear: The specific arguments and facts of each of these CIPA cases are deeply important to the outcome of the case.
The upshot for banks: Internet tracking is a broad gray area of legality
As the case law over internet tracking practices and their relationship to CIPA evolves, the story for banks could become less straightforward.
The Gramm-Leach-Bliley Act (GLBA) of 1999, a federal law, prescribes how U.S. banks may use and disclose customer data, including browser history of those using banking products and services.
As such, many state laws exempt banks and other GLBA-regulated entities from state-level internet privacy acts, leaving banks to worry only about the federal regulation.
However, GLBA does not cover data gathered from individuals who are not yet customers. For example: Information a consumer enters when signing up for a financial education newsletter on a bank’s website, or general marketing data on prospects, would not fall under GLBA regulation.
Additionally, California does not have a blanket exemption for banks and credit unions in its internet privacy law, titled the California Privacy Rights Act (CPRA).
This is a crucial distinction from many other state laws. While some states completely exempt financial institutions from their data privacy regulations, CPRA applies at the data level, not the company level.
In other words, even if the company is regulated by federal banking laws, if the company handles data that is not regulated by those laws, California law applies to that data.
This means banks operating in California must comply with state rules for marketing activities and other non-financial functions, including tracking the purpose of data collection and responding to user requests for access or deletion of data that is not covered by GLBA.
To be clear: The lawsuit against U.S. Bank concerns CIPA, a California law passed in 1967 that predates GLBA and concerns wiretapping. The lawsuit does not mention CPRA, which passed in 2020 and explicitly concerns internet tracking practices.
However, taken together, the various rulings by federal courts that CIPA does apply to some internet tracking but not others, and CPRA’s coverage of banks’ marketing data, create a legal environment that is likely to make banks wary of overstepping the bounds when it comes to tracking non-customers online without their informed consent.