The beginning of the end for California Invasion of Privacy Act Litigation?

The tide may be turning for plaintiffs using the California Invasion of Privacy Act (CIPA) to sue companies using internet-based technologies on public-facing websites, who face attacks from both the Legislature and the bench. The plaintiffs' bar has filed thousands of cases creatively alleging that common website technologies, including chatbot functions, session replay software, analytics and advertising pixels or cookies, and search bar URLs are all examples of illegal wiretapping conducted without a court order or plaintiffs' consent. Plaintiffs have also alleged that technologies that collect the IP address of website visitors act as "pen register" or "trap and trace" devices requiring prior consent. But these cases may swiftly go the way of the dodo following two recent state-court opinions dismissing CIPA claims and a proposed bill that would effectively nullify the application of the "pen register" and "trap and trace" statutes to legitimate commercial uses.

In Sanchez v. Cars.com, 2025 WL 487194 (Cal. Super. Jan. 27, 2025) and Aviles v. LiveRamp, Inc., 2025 WL 487196 (Cal. Super. Jan. 28, 2025), Superior Court Judges Tiana J. Murillo and Judge Joseph Lipner respectively rejected the pen register and trap and trace theories holding that it is a basic, not illegal, function of the internet to collect IP addresses of website visitors and that CIPA should not be interpreted to cover internet-based technologies without clear legislative intent. While other courts have previously dismissed pen register and trap and trace claims, these dismissals are on new grounds. If other courts apply this reasoning, it would mark a defendant-favorable development and potentially curb the rate of CIPA litigation.

Not to be outdone by the courts, on March 24, 2025, California State Senator Anna Caballero introduced bill SB690, which proposes to amend CIPA to exempt communication intercepts for a commercial purpose. A "commercial purpose" is defined as the processing of personal information either performed to further a business purpose or subject to a consumer's opt-out rights. The bill would also exclude any device that is used in a manner that is "consistent with a commercial business purpose" from the definitions of a pen register and trap and trace device. If SB690 is enacted, internet technologies that are currently being targeted would fall under the "commercial purpose" exemption.

Under CIPA's current pen register and trap and trace provisions, "a person may not install or use a pen register or trap and trace device without first obtaining a court order." Cal. Pen. Code, Section 638.51(a). A pen register is defined in the statute as "a device that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which the wire or electronic communication is transmitted, but not the contents of the communication." Cal. Pen. Code Section, 638.50(b). A trap and trace device captures "incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of the wire or electronic communication." Cal. Pen. Code, Section 638.50(c). Neither a pen register nor a trap and trace device are used to collect the contents of a communication, but instead collect "record information" about that communication, sometimes referred to as metadata.

In both Sanchez and Aviles, the plaintiffs asserted that the defendants' use of a website tool (which plaintiffs called a "PR/TT beacon") constituted an unlawful pen register or trap-and-trace device under CIPA. See Cal. Penal Code § 638.51. The plaintiffs contended the PR/TT beacon constituted pen register or trap and trace devices because the tools allegedly collected IP addresses and additional information when they visited the defendants' respective websites.

In Sanchez v. Cars.com, Judge Murillo sustained Cars.com's demurrer, without leave to amend. Analyzing the "plain language and legislative intent" of CIPA to determine "whether internet communications constitute pen registers or trap and trace devices," the Court concluded that they do not. Instead, those terms "refer to devices or processes that are used to record or decode dialing, routing, addressing, or signaling information from telephone numbers, not internet communications such as websites." 

In examining the legislative history, the Sanchez Court explained that when enacting what would become CIPA's pen register provisions in 2015, the California legislature "adopted the same authorization provision" as its federal counterpart, the Pen Register Act. Courts have consistently interpreted that provision of the Pen Register Act to find that the Act "applied only to mechanical, telephone number-tracing technology, not technology used to collect the IP address from a desktop computer." (See, Cal. Pen. Code, Section 638.52 and 18 U.S.C. Section 1322(a)-(b)). Because CIPA is a penal statute, case law further supports interpreting it "to include only those offenses coming clearly within import of the language, and [not to] be given application beyond [its] plain intent."   

In Aviles, the Court also sustained Defendant LiveRamp's demurrer, although with leave to amend. In sustaining the demurrer, Judge Lipner held the plaintiff failed to plead the use of either a pen register or trap and trace device because he did not allege that the website technology "collect[ed] the outgoing addressing information from visitors' devices or browsers."  Plaintiff similarly failed to plead the use of a trap and trace device because he did not allege "that Defendant installed software on Plaintiff's device or browser that collected incoming contact information to Plaintiff's device."  Absent such allegations the Aviles Court concluded, "Plaintiff ha[d] not alleged anything above and beyond how the internet normally works." 

Although these two cases demonstrate California Superior Court judges adopting further reasons as to why CIPA should not apply to internet technologies, they do not altogether eliminate the ongoing risk of CIPA litigation. However, that risk could be more comprehensively addressed by SB690, which would exclude commercial uses of these technologies from CIPA if enacted. Even then, SB690 in its current form will only benefit those defendants whose litigation is active as of January 1, 2026, giving little comfort to those defendants with trials scheduled this year.