The California Invasion of Privacy Act continues to be a focal point for privacy litigation, particularly concerning website tracking practices. A recent case, Gabrielli v. Insider Inc. sheds new light on whether collecting and sharing an IP address violates the law.
No harm, no lawsuit
California resident Jonathan Gabrielli filed a lawsuit in federal court in New York against Insider, Inc., the operator of the online publication Business Insider, alleging that Insider violated the CIPA by installing software that collected and shared his IP address with a third party without his consent.
Judge Edgardo Ramos, an Obama appointee, dismissed the CIPA claim and distinguished the case from previous privacy lawsuits. According to Judge Ramos, Mr. Gabrielli failed to demonstrate that the disclosure of his IP address, without more, is closely related to a private matter that would be considered highly offensive to a reasonable person. An IP address is necessary for access to a website because an IP address enables a web browser to communicate with a website’s server. However, the judge said, an IP address alone does not identify an individual user and, at most, provides general geographic information, which is insufficient for legal standing.
Takeaways for website operators
Although CIPA lawsuits remain a growing concern, the Insider case suggests that at least in the federal courts in the Southern District of New York, plaintiffs must demonstrate concrete harm beyond mere data collection to establish viable claims. The court’s ruling may help establish and clarify that collecting IP addresses is not enough to establish a concrete injury under the CIPA. The decision should be helpful to those who perform routine data collection practices for website operation.
Nevertheless, to minimize the risk of CIPA violations and potential lawsuits, website operators should do the following:
- Proactively update privacy policies to clearly disclose their data collection practices.
- Obtain user consent where necessary.
- Ensure that they are being transparent about any data shared with third parties.
Despite the Insider ruling, CIPA lawsuits remain a legal risk for common practices performed as part of website operations. Website operators should stay vigilant and monitor ongoing legal developments in privacy litigation.
