As lenders and debt collectors increasingly rely on digital tools to monitor borrower activity, questions are emerging about the legality of tracking technologies that log website visits, IP addresses, and online financial behavior. Courts are reassessing whether digital tracking violates CIPA, as recent class-action lawsuits challenge the scope of Pen Register laws in modern data collection. Understanding these rules is essential for borrowers with mortgages, personal loans, or other financial obligations to protect themselves from intrusive surveillance and unauthorized data collection.
Now, let us learn how the privacy rules surrounding Pen Registers have evolved over time, providing a deeper understanding of your rights. But first, let’s understand what pen registers are.
What are Pen Registers?
As per CA Penal Code Section 638.50, Pen Registers and Trap-and-Trace Devices were originally designed for telephone surveillance, allowing law enforcement to track outgoing and incoming call data without recording the actual conversations. These tools were primarily used to monitor suspected criminal activity, providing insights into who was communicating with whom.
However, with the rise of digital communications, the Pen Register statutes have broadened, and now it includes online tracking technologies such as:
- Cookies – Small data files that track a user’s website visits and behavior.
- Pixels & Beacons – Invisible tracking tools that collect user interactions on websites.
- Session Replay Technology – Software that records user activity on a website, including clicks, scrolling behavior, and text entered into fields.
Under California’s Pen Register privacy rules, these practices now fall under illegal digital surveillance if done without proper consent. Borrowers need to understand these changes to protect their privacy and ensure creditors or financial institutions are not unfairly monitoring them.
Case Studies for a Better Understanding of the New Pen Register Rule
Greenley v. Kochava (2023)
This case set a precedent by recognizing that software tracking user interactions, such as clicks and purchase history, could be classified as a “pen register” under CIPA. The court ruled that software identifying consumers, gathering data, and using unique fingerprinting techniques falls under the statute’s definition of “process.” This broadened the legal interpretation of pen registers in the digital age.
Casillas v. Transitions Optical, Inc. (2024)
A contrasting ruling provided businesses with legal clarity on standard website operations. The Casillas v. Transitions Optical, Inc. (2024) case reaffirmed that the routine transmission of IP addresses when users access websites does not violate CIPA’s pen register provision. The court dismissed the plaintiff’s claim, emphasizing that websites must collect IP addresses for basic functionality and that users voluntarily share this information.
Carol Lesh v. Cable News Network, Inc. (2025)
In this case, the court also ruled that online tracking technologies collecting IP addresses could fall under CIPA’s pen register law. CNN faced claims that its tracking software transmitted IP addresses and cookies to third parties without user consent. The court denied CNN’s motion to dismiss, affirming that the California Invasion of Privacy Act (CIPA) applies to digital tracking, not just telephone communications, signaling that companies need clear user consent before tracking online behavior.
Key Legal Changes It Led To: California’s Pen Register Laws
Expanded Definition of Pen Registers
California privacy rulings broadened the definition of pen registers, meaning digital tracking technologies could now be treated like traditional wiretapping tools. This increases the potential for legal challenges against companies that collect and analyze borrower data without explicit consent.
Legalities of IP Address Collection
While Greenley v. Kochava expanded CIPA’s scope, Casillas v. Transitions Optical confirmed that standard website functions, including IP address transmission, remain lawful. However, without clear permission, companies cannot track and share borrower data beyond basic site functions. So, loan companies, mortgage brokers, and financial advisors must be transparent about what data they collect and how they use it.
Heightened Compliance for Online Tracking
Businesses using tracking technologies must reassess their privacy and data collection policies. The CNN ruling suggests that companies that collect borrower data (like banks and debt collectors) will need to be upfront about what they’re tracking and get your permission first. It reinforces the importance of transparent data policies, privacy disclosures, and opt-in mechanisms before their data is shared with third parties.
Increased Litigation Risk for Lenders & Financial Services
Borrowers engaging with financial institutions online may see stronger protections against unauthorized data collection. Lenders must ensure compliance with evolving privacy laws to avoid potential lawsuits. Businesses must adapt their privacy and data collection strategies to avoid legal action under the California Invasion of Privacy Act (CIPA) laws.
Protect Your Privacy & Take Action Against Debt Collection Harassment
The Fair Debt Collection Practices Act (FDCPA) and California’s Invasion of Privacy Act (CIPA) protect borrowers from unlawful debt collection tactics and unauthorized data tracking.
If you’re facing debt collection harassment or suspect that lenders are misusing your personal data, reach out to our debt collection harassment attorney at Zemel Law LLC. Our legal team can help you understand your rights, stop harassment, and take legal action if necessary. Contact us today for a free consultation. Protect your privacy—take action now!
