<\/p>\n
A recent lawsuit against U.S. Bank highlights the legal gray area banks enter when they engage in internet data collection practices, particularly concerning third-party trackers, and especially when operating in California.<\/p>\n
The case, which entered federal court this month, was filed by California resident Tawnya Rodriguez and accuses U.S. Bank of an “outrageous privacy bait and switch scheme.”<\/p>\n
The lawsuit claims that U.S. Bank allows online advertising tech firm Magnite to see how visitors use the bank’s website, and Magnite allegedly uses that data to compile and sell personal details about visitors for marketing purposes. This, Rodriguez argues, results in a “grave intrusion upon visitor privacy,” in violation of California law.<\/p>\n
Magnite allegedly uses a tracking pixel and related browser cookies to collect information on the user once they visit the U.S. Bank website, but before any pop-up or cookie banner advises users of the cookie and before the site seeks their consent.<\/p>\n
U.S. Bank did not immediately respond to a request for comment from American Banker. Magnite also did not immediately respond.<\/p>\n
The lawsuit asserts, among other claims, that U.S. Bank’s conduct violates a 1967 California law, originally written to address wiretapping and related practices. The lawsuit specifically alleges U.S. Bank uses the equivalent of a so-called trap and trace device.<\/p>\n
Trap and trace devices record which numbers have called a specific phone \u2014 essentially a log of incoming calls. They do not, however, record the actual content of calls \u2014 a distinction that has turned out to be crucial in recent, related cases.<\/p>\n
The lawsuit against U.S. Bank alleges that Magnite’s tracking practices constitute a trap and trace device, in violation of the California Invasion of Privacy Act of 1967 (CIPA).<\/p>\n
Other legal teams have made similar arguments that CIPA covers internet tracking activities, to varying degrees of success in federal court.<\/p>\n
In Shah v. Fandom, a case involving the parent company of gaming publication Gamespot, a California man argued that the company violated CIPA using the equivalent of a so-called pen register in its internet tracking practices. Rather than record the numbers of incoming calls as trap and trace devices do, pen registers record what numbers a telephone is dialing.<\/p>\n
As of this month, that case appears to be on its way to a class action settlement.<\/p>\n
However, in Mitchener v. CuriosityStream, a case against TikTok’s parent company, another California man alleging privacy violations saw his case dismissed from the same court. The man’s legal team argued TikTok violates CIPA by acting as the equivalent of a trap and trace device.<\/p>\n
The court dismissed that case this month in a win for TikTok.<\/p>\n
The varying outcomes \u2014 based on a variety of facts and specific arguments \u2014 make it hard to predict how the case against U.S. Bank might turn out, though a handful of precedents provide some hints.<\/p>\n
In Shah v. Fandom, the U.S. District Court for the Northern District of California effectively said in October that CIPA applies to the internet tracking practices in that case.<\/p>\n
The court ruled that IP addresses constitute “addressing information” under CIPA and emphasized that it broadly interprets the law to protect privacy and apply to new technologies.<\/p>\n
The court also found that, while users might consent to disclosing their IP address to a website for its basic function \u2014 i.e. to load the website \u2014 this “does not necessarily consent to disclose their IP address to the third parties operating the trackers.”<\/p>\n
At the same time, judges in the Northern District of California have also taken a more restrictive view.<\/p>\n
In Mitchener v. CuriosityStream, the court dismissed a CIPA claim alleging TikTok software acted as a “trap and trace device.” The court dismissed the case “with prejudice,” which prevents Mitchener from tweaking and re-filing his lawsuit \u2014 an indicator that the fundamental argument was flawed.<\/p>\n
In Mitchener, as in Shah, the court focused on the delineation between the content of communication and the metadata about the communication.<\/p>\n
In its Mitchener decision, the court said CIPA’s trap and trace definition specifically targets dialing, routing, addressing or signaling information, not the content of a communication.<\/p>\n
The court also said that internet users generally have “no expectation of privacy” in metadata like IP addresses or general geographic location, according to the order.<\/p>\n