The California Invasion of Privacy Act (CIPA) continues to be a source of litigation for claims related to websites across the country.
Previously, CIPA cases focused more on claims related to chatbots, chat features, social media pixels, and ad-trackers on websites. Although these remain subjects in active CIPA litigation, recent cases rely on claims that third-party cookies and IP tracking beacons act as pen registers or trap-and-trace devices.
CIPA prohibits using these devices without a court order. Below is a list of these recent cases divided into two categories: those favorable to businesses, and those unfavorable for businesses.
Favorable Cases
- Marielita Palacios v. The Haberdash Group Inc. (Cal. Sup., Feb. 27, 2025)
a. Facts: Defendant was a New York based Delaware corporation that operated a website to sell its products. The plaintiff, a CA resident, allegedly visited the defendant’s website sometime in the last year but did not allege making a purchase. The plaintiff alleged that the defendant’s website secretly installed tracking spyware without authorization and used that spyware to monitor and report the browsing behavior of these visitors after leaving the website.
b. Issue: Defendant filed a motion to quash service of summons based on lack of personal jurisdiction.
c. Holding (Personal Jurisdiction): The court continued defendant’s motion to quash to allow plaintiff to conduct limited jurisdictional discovery. It explained that, for purposeful availment, the plaintiff did not provide any evidentiary support for claiming that the defendant made 8% of its sales to Californians, directed any advertising at California, had substantial sales in CA, or regularly sells in CA.
However, the court did find that the nature of the claim is sufficiently related to the defendant’s contacts with CA because the website is accessible to CA residents, and because the California resident plaintiff would not have been connected to the defendant without the website.
- Gabrielli v. Insider Inc. (SDNY, Feb. 18, 2025)
a. Facts: The plaintiff brought an action against Insider alleging that third-party cookies collected his IP address through which they obtained information on the geographic location of the owner of that IP address, in violation of CIPA’s pen register provisions. The Court granted Insider’s Motion to Dismiss.
b. Analysis: Having third-party cookies on a website that monitored a plaintiff’s web browsing activity across websites and built detailed profiles on that plaintiff might be a CIPA violation, but general geographic data from an IP address did not justify the same conclusion.
c. Holding (Standing): The plaintiff’s allegations did not satisfy Article III standing because he did not allege facts showing that disclosure of his information amounted to a concrete injury that bore a close relationship to a traditionally recognized privacy harm.
- Public Disclosure of Private Fact: The plaintiff did not allege that anyone could identify him with the collected IP addresses.
- Intrusion Upon Seclusion: The plaintiff cannot allege that the defendant “intentionally intruded” upon the seclusion of the plaintiff’s private affairs because IP addresses are required for the plaintiff to access the defendant’s website. The plaintiff also did not deny that he voluntarily provided his IP address when he accessed the website.
- Unjust Enrichment: The plaintiff did not allege that the defendant profiting off the disclosure of the plaintiff’s IP address bears a close relationship to the traditional understanding of unjust enrichment.
- Per se Statutory Violation of CIPA: CIPA § 638.51 does not codify a substantive privacy right because it merely limits the manner in which data can be collected or a person’s right to control their information. Instead, it requires that a defendant obtain a court order before collecting a plaintiff’s data.
- Zhizhi Xu v. Reuters News & Media (SDNY, Feb. 13, 2025)
a. Facts: The plaintiff brought a class action against Reuters alleging unlawful collection of IP addresses and dissemination to third parties which then used the IP addresses for targeted advertising. However, he did not allege receiving targeted advertisements or suffering any concrete harm. The court granted Reuters’ Motion to Dismiss due to the plaintiff’s failure to allege facts satisfying an injury for standing purposes.
b. Holding (Standing): The court granted Reuters’s motion to dismiss because Xu failed to establish Article III standing. While the plaintiff alleged that Reuters collected IP addresses for targeted advertising purposes, he failed to allege that he received any such advertising or that Reuters collected sensitive or personally identifying data that could be used to steal the plaintiff’s identity or inflict similar harms.
Further, IP addresses that constituted addressing information did not disclose the contents of the communication any more than phone numbers did. Additionally, a website user did not have a reasonable expectation of privacy when voluntarily providing those IP addresses, as a website user does when accessing a website.
- Jose Licea v. Blue Apron LLC (Cal. Sup., Feb. 5, 2025)
a. Facts: The plaintiff alleged that the defendant aided and abetted the interception of confidential search terms entered into the defendant’s website. The defendant’s website also allegedly installed pen register/trap-and-trace software on the plaintiff’s device.
b. Holding (Personal Jurisdiction): The defendant’s motion to quash was granted on failure to establish personal and specific jurisdiction. The plaintiff presented no evidence that the defendant specifically targeted CA consumers or made substantial sales in CA through its website.
The plaintiff also asserted that CA sales occur as a regular course of the defendant’s business and the defendant knew its website interacted with CA consumers, but this assertion was weak given that the defendant had no physical facilities in CA. Further, the only connection to CA was that the plaintiff was a CA resident. The plaintiff did not, however, allege the claims arose from the distribution or sale of the defendant’s products in CA.
- Anne Heiting v. FKA Distributing Co. (N.D. Cal., Feb. 3, 2025)
a. Facts: The plaintiff alleged that she visited FKA’s website (homedics.com) which ran TikTok software. The software instantly gathered data on a website visitor’s device, browser, and geographic location and sent this data back to TikTok. TikTok then allegedly matched this information to its existing data to identify individual users.
b. Holding (Standing): FKA’s motion to dismiss was granted for the plaintiff’s failure to establish standing. While the TikTok software as alleged could qualify as a pen register, the plaintiff failed to allege an injury or facts from which to infer an injury, such as the date and frequency with which she visited the site, the information she provided, the information defendant collected, her awareness of that collection or tracking, or de-anonymization practices.
- Aviles v. LiveRamp Inc. (Cal. Sup., Jan. 28, 2025)
a. Facts: Plaintiff alleged that LiveRamp’s website deployed a tracking beacon that collected IP addresses and device information, but failed to articulate how this practice deviated from how the internet normally works.
b. Holding (Pen Register/Trap-And-Trace): The Court sustained LiveRamp’s demurrer with leave to amend for inadequately alleging that LiveRamp’s tracking beacons acted as pen registers or trap-and-trace devices. It explained that beacons did not record outgoing information in the way that pen registers or trap-and-trace devices recorded outgoing numbers.
- Monica Sanchez v. Cars.com Inc. (Cal. Sup., Jan. 27, 2025)
a. Facts: Tester plaintiff brought action against Cars.com for allegedly installing a tracking beacon that recorded and transmitted her IP address to a third-party service provider in violation of the trap-and-trace and pen register CIPA provisions.
b. Holding (Standing): The court sustained the demurrer filed by Cars.com Inc. without leave to amend for failing to state a claim. The court explained that the legislative history of CIPA suggested that “pen register” and “trap and trace devices” referred to telephone-tracking technology, not internet communications like IP address collection.
Additionally, the court noted that the plaintiff’s allegations did not satisfy the elements for an invasion of privacy claim (identification of a specific, legally protected privacy interest; and a reasonable expectation of privacy). Specifically, a plaintiff did not have a reasonable expectation of privacy in information they voluntarily provided, as a website user did when choosing to visit a website.
- Eric Carreiro & Justin Foley v. EHM Productions, Inc. (Cal. Sup., Dec. 11, 2024)
a. Facts: The plaintiffs alleged that the defendant installed and stored third-party tracker cookies on class members’ browsers without their consent.
b. Holding (Demurrer)
- Demurrer sustained on standing and invasion of privacy
1. Standing: The plaintiffs did not allege any facts showing they were injured. The plaintiffs alleged that the defendant misappropriated personal information, and this caused stress, anxiety, and concern over increased risk of identity theft. However, this was not enough to allege that the plaintiffs had a credible threat of real and immediate harm.
2. Invasion of Privacy: The plaintiffs did not allege that the defendant created an impression that it would not collect data, which excluded it from the line of cases it used to support the argument that the plaintiffs had an objectively reasonable expectation of privacy in IP addresses.
- Demurrer denied on pen registers: The court declined to decide this issue because how pen registers and tracking devices work was a factual issue outside the scope of a demurrer.
- Rebeka Rodriguez v. Plivo Inc. (Cal. Sup. 24STCV08792, Oct. 2, 2024):
a. Facts: The plaintiff alleged that the defendant’s website secretly deployed pen register/trap-and-trace software that was installed on website visitors’ devices, and that the defendant used the software to monitor and report on visitors’ online habits.
b. Holding (Pen Register/Trap-And-Trace): A website user cannot pursue a CIPA claim based on IP address collection alone, as IP addresses neither constitute outgoing communications data nor contain inherently private information, such as religious beliefs, sexual orientation, or medical history.
- Marielita Palacios v. Fandom Inc. (Cal. Sup. 24STCV11264, Sept. 24, 2024):
a. Facts: The plaintiff alleged that the defendant’s website installed code onto her computer that recorded the device’s IP address when she simply accessed the website. This code then sent the IP address to third-party software developers each time the plaintiff visited the website. The plaintiff alleged that her IP address was collected.
b. Holding (Pen Register/Trap-And-Trace): Software that collected the IP address of website visitors was not a pen register because it did not collect outgoing information.
- Miltita Casillas v. Transitions Optical Inc. (Cal. Sup. 23STCV30742, Apr. 23, 2024):
a. Facts: The plaintiff brought a single claim against the defendant for allegedly using tracking software on its website that relied on a user’s IP address to monitor visitors and track the plaintiff’s browsing habits.
b. Holding (Demurrer): A CIPA claim was inadequately pleaded if the plaintiff failed to specify how they interacted with the website, what specific data was recorded, or what software allegedly violated CIPA.
c. Dicta (Cookie Banners & Privacy Policy): The court used the website’s “clearly labeled Privacy Policy” and cookie pop-up banner as evidence to combat the plaintiff’s allegation that she did not consent to the data collection.
- Jose Licea v. Hickory Farms LLC (Cal. Sup. 23STCV26148, Mar. 13, 2024):
a. Facts: The plaintiff visited the defendant’s website and alleged that it secretly accessed his device and installed a pen register/trap-and-trace tracking software to track his browsing habits.
b. Holding (Demurrer): A website user’s CIPA claim was inadequate without specifying what device was used when accessing the website or how their information was acquired. Additionally, penalizing a business for individuals who voluntarily visited and provided an IP address to connect to the business’s website contravened public policy.
Unfavorable Cases
- Vishal Shah v. Capital One Financial Corp. (Cal. N.D., Mar. 3, 2025)
a. Facts: The plaintiff alleged that the defendant’s website contained third-party tracking software that duplicated communications made on the website and sent them to a third party.
These communications included the plaintiff’s and the class members’ employment info, bank account info, citizenship status, credit card eligibility, status as an existing user or customer, and other information collected through cookies. This info was allegedly used for third-party and fourth-party marketing and sales (Google, Microsoft, DoubleClick, New Relic, Adobe, Everest, Skai/Kenshoo, Snowplow, Biocatch, Tealium, Meta).
b. Holding (Motion to Dismiss [MTD])
- MTD denied on disclosure of data: The plaintiffs sufficiently alleged that the defendant disclosed the plaintiff’s personal information by specifying that they provided the above information which was then transmitted to third parties.
- MTD denied on negligence: Under the Gramm-Leach-Bliley Act, the plaintiffs sufficiently pled a valid duty of care in placing their trust in the defendant to protect the plaintiffs’ personal info and that the economic loss doctrine does not apply since the plaintiffs pled non-economic injuries.
- MTD granted on negligence per se: The plaintiffs improperly brought a negligence per se claim because that cannot be a standalone cause of action.
- MTD granted on invasion of privacy: The plaintiffs did not allege an intrusion that was highly offensive as a matter of public policy. The plaintiffs only alleged that personal information was disclosed, but this disclosure did not rise to an “egregious breach of social norms.”
- MTD granted on California Comprehensive Computer Data Access and Fraud Act (CDAFA) and Consumer Protection Law (UCL) violations: Personal information did not constitute property for the purposes of CDAFA and UCL.
- MTD denied on California Consumer Privacy Act (CCPA) violation: The plaintiffs alleged that the defendant knowingly collected, used, and sold the plaintiffs’ personal info to third parties without the plaintiffs’ consent, that the defendant allowed trackers on its website, and that these trackers transmitted the plaintiffs’ personal info.
- MTD denied on CIPA violation: This claim hinged on whether the plaintiffs consented. The plaintiffs’ allegations were sufficient to show that they did not consent.
- Katherine Chabolla v. ClassPass Inc. et al (9th Cir., Feb. 27, 2025)
a. Facts: The plaintiff brought a putative class action for ClassPass’s alleged practice of charging for an auto-renewed subscription.
b. Holding: The Court affirmed the district court’s denial of ClassPass’s motion to compel arbitration because the website did not provide reasonably conspicuous notice of the terms of use, which included the arbitration provisions.
The website’s terms of use operated more like a sign-in wrap agreement, providing users a link to the Terms of Use but not requiring users to read the terms before purchasing the subscription. With respect to the enforceability of sign-in wrap agreements, the website pages did not provide reasonably conspicuous notice given the placement of such notices, overall design of the website, and small font size of the notice on certain pages.
- Carol Lesh v. Cable News Network (SDNY, Feb. 20, 2025)
a. Facts: CNN’s website used third-party trackers that collected the IP addresses of visitors to its website and stored cookies on the visitor’s browser. The plaintiff alleged that this occurred when she visited the defendant’s website and that she did not give her consent.
b. Holding (Standing): The plaintiff’s allegations were sufficient to survive the defendant’s motion to dismiss by adequately alleging that CNN’s trackers were pen registers and the plaintiff was injured by the unauthorized collection of her IP address for advertising purposes.
The plaintiff alleged the tracker was essentially a device that collected information in the form of IP addresses, and the IP addresses were transmitted electronically. Further, CIPA did not explicitly restrict its definition of pen registers to telephonic information. Additionally, the plaintiff alleged that the IP address was used to ascertain her city, latitude-longitude coordinates, and zip code which thereby showed an unauthorized injury.
c. Dicta (Pen registers): Under the definition of pen registers in CIPA, these trackers qualified as a “device or process” because they constituted “software that identifies consumers, gathers data, and correlates that data.” Further, the collected IP addresses qualified as “addressing information” because IP addresses contained info related to a device’s geographic location (state, city, and zip code).
IP addresses were also “transmitted by an instrument or facility from which a wire or electronic communication is transmitted” because the tracker prompted the browser to send the IP address.
- Taliah Mirmalek v. Los Angeles Times Communications LLC (Cal. N.D., Dec. 12, 2024)
a. Facts: The plaintiff, a CA resident, brought a class action against the defendant alleging that it implemented third-party trackers to install and use pen register devices that collected the IP address of website visitors. The plaintiff alleged that she was injured when the defendant caused the plaintiff’s IP address to be disclosed to third parties without her consent and used for targeted advertisements and website analytics.
b. Holding (Standing): The plaintiff’s allegations sufficiently alleged that the trackers were a “device or process” under the pen register definition, the trackers recorded addressing information like pen registers, that the defendant was responsible for the trackers operating on the Website, that the plaintiff had standing, and that the provider exception did not apply to the defendant.
c. Dicta (CCPA/CPRA): CCPA did not preempt CIPA because it offered greater protections (CCPA stated that the law providing greater protections governs) and the two laws did not conflict.
- Carol Price v. Entravision Communications (Cal. Sup. 24SMCV02630, Nov. 21, 2024)
a. Facts: The plaintiff alleged that the defendant used TikTok-created trap-and-trace software on its website which collected her private data.
b. Holding (Demurrer): Plaintiff’s allegations were sufficient to survive the demurrer because they sufficiently alleged the use of a pen register and the existence and use of a pen register/trap-and-trace process.
c. Dicta (Pen Register/Trap-And-Trace): The definition of pen register or trap-and-trace was not restricted to devices that physically attach to anything (including telephone lines).
- Jane Heiting v. IHOP Restaurants, LLC (Cal. Sup. 24STCV14453, Oct. 28, 2024):
a. Facts: The plaintiff alleged that she visited the defendant’s website which installed a TikTok-created trap-and-trace device and gathered private information about her without her consent. Specifically, the plaintiff alleged that the trap-and-trace software captured incoming electronic signaling information from herself to the defendant’s website that identified her as the source.
b. Holding: Software capturing incoming user information could be a trap-and-trace device under CIPA, and a business installing such software on its website might be liable.
- Vishal Shah v. Fandom, Inc. (Cal. N.D., Oct. 21, 2024)
a. Facts: The plaintiff alleged that the defendant’s website incorporated software that installed trackers and cookies on a visitor’s browser and collected the visitor’s IP address for targeted advertising based on where the user lived.
b. Holding (Standing): The plaintiff sufficiently alleged a CIPA violation through allegations that the tracking software acted like pen registers and that the plaintiff had standing. Like pen registers, IP addresses did not transmit the contents of a communication.
This was enough for CIPA because CIPA’s definition did not restrict pen registers to traditional phone pen registers. Further, the fact that a website user voluntarily disclosed their IP address by accessing a website did not necessarily mean they also consented to the disclosure of their IP address to third parties operating those trackers.
The court ruled that the plaintiff had standing due to the allegations that the trackers allowed third parties to obtain “personally identifying, non-anonymized information” and IP addresses that revealed the user’s geographic location, that the plaintiff was unaware of the tracking and did not consent to it, and that the plaintiff was tracked across multiple websites.
- Lillian Jurdi v. MSC Cruises (USA) LLC (Cal. Sup. 24STCV14098, Sept. 17, 2024):
a. Facts: The plaintiff alleges that the defendant installed software created by TikTok to identify its visitors, collect data on each visitor, and match it with existing data. The collected data includes browser information, geographic information, referral tracking, and URL tracking, gathered by running scripts on the defendant’s website that send the visitor’s details to TikTok.
The plaintiff also alleges that the collection occurs when the visitor lands on the website page, regardless of the cookie banner.
b. Holding (Demurrer): A CIPA claim could proceed if it described a website’s tracking software as identifying its users, collecting data, and matching that data with existing data.
c. Dicta (Pen Register/Trap-And-Trace)
- The plain language of PC § 638.51 did not limit the statute to telephone-based communications.
- TikTok software that collected data about each visitor’s device, browser, and geographic information without the visitor’s consent or knowledge when landing on the website and showed where each visitor was located sufficiently described a pen register/trap-and-trace device.
- The plaintiff sufficiently alleged that the website intercepted visitors’ data by alleging that, when the plaintiff visited the defendant’s website in 2024, the defendant used a de-anonymization process to identify the plaintiff and did not get the plaintiff’s consent when sharing the plaintiff’s data with TikTok.
- When information collected is “generated by users,” this meant that visitors’ devices generated the data, not that users submitted their data to be voluntarily traced. The plaintiff therefore did not allege consent.
- Emily Heerde v. Learfield Communications LLC (C.D. Cal., July 19, 2024)
a. Facts: The plaintiffs brought a class action alleging the defendant’s website and the Meta pixels embedded in the website transmitted their Facebook IDs and information about the videos they requested.
The plaintiffs also allege that the search bar on the website was powered by Google, and each of their searches was transmitted to the defendant and third parties (Google, Meta, Oracle, Trade Desk) in violation of CIPA and the Federal Wiretapping Act.
b. Holding (MTD):
- MTD granted on VPPA violation: The plaintiffs failed to allege that their personal identifying information was disclosed because they failed to identify what information on their Facebook pages was viewable and could be used to identify the plaintiffs.
- MTD denied on CIPA § 631, 2nd and 4th clauses:
1. Users had a reasonable expectation of privacy in “unique search terms.”
2. Search terms constituted “contents” of a communication.
3. Party exception applied only where a defendant was the “known and intended recipient” of a plaintiff's communications.
4. Communication was intercepted in transit because the plaintiffs alleged that, after they entered their search terms, the terms were replicated and sent in parallel to the tracking entities.
- MTD granted on CIPA claim: The plaintiff’s PC § 635 claim was dismissed because she did not allege an injury resulting from the defendant’s possession or assembly of its website as a purported eavesdropping device.
- MTD denied on privacy claims: The plaintiff adequately alleged the privacy invasion claims by pleading that a reasonable fact finder could find the words used in their search terms to be sensitive or confidential and that this intrusion could be highly offensive as alleged.
- MTD denied on Federal Wiretapping Act claims: For the same reasons as above.
- In re Betterhelp Inc. (N.D. Cal., July 15, 2024)
a. Facts: The plaintiffs brought a class action against the defendant’s website alleging a CCPA data breach claim. The plaintiffs alleged that the retargeting cookies used on the website amounted to sharing the plaintiffs’ health data by communicating that the plaintiff used or had interest in therapy. The defendant’s website connected visitors with therapy and therapy-related services.
b. Holding (MTD): The plaintiffs’ claim was allowed to proceed because the plaintiffs sufficiently alleged that the cookies collecting a user’s interactions with the defendant’s therapy-related website could be a data breach of sensitive information when those cookies shared that information with third parties.