Pixels, Cookies, and Consent Have Become High Risk in California

The California Invasion of Privacy Act, commonly referred to as CIPA, is an older statute that is now being deployed aggressively in litigation challenging routine website tracking practices.  Plaintiffs increasingly argue that common tracking technologies, including advertising pixels and certain analytics tools, function as prohibited "pen registers" or "trap and trace" devices under CIPA's pen register provisions.  A recent order from the United States District Court for the Southern District of California, Camplisson v. Adidas America, Inc., No. 25-cv-603, 2025 U.S. Dist. LEXIS 228012, 2025 WL 3228949 (S.D. Cal. Nov. 18, 2025), illustrates the direction of this litigation.  In that case, the court denied a motion to dismiss a putative class action alleging that tracking pixels installed on a retail website constituted unlawful pen registers and trap-and-trace devices under CIPA.

CIPA was enacted to protect privacy in communications.  The statute includes criminal prohibitions and, in certain sections, a private right of action that authorizes statutory damages. Cal. Penal Code § 637.2 authorizes a private action by any person "injured by a violation" of certain CIPA provisions and provides statutory damages of the greater of $5,000 per violation or three times actual damages.  While many earlier CIPA cases focused on the recording of communications, a substantial wave of recent cases has targeted CIPA's pen register and trap-and-trace provisions.

CIPA defines "pen register" broadly as a "device or process" that records or decodes "dialing, routing, addressing, or signaling information" transmitted by an instrument or facility from which electronic communication is transmitted, excluding the contents of the communication. Cal. Penal Code § 638.50. Cal. Penal Code § 638.51 prohibits installing or using a pen register or trap-and-trace device without a court order, subject to exceptions.  One of the most litigated exceptions is consent, which applies "[i]f the consent of the user of that service has been obtained."  Id.

Plaintiffs' argument is straightforward:

  1. A website causes a pixel, cookie, or similar script to execute on a visitor's device.

  2. The tool collects identifiers and metadata, often including IP addresses, device identifiers, and event signals tied to user behavior.

  3. The tool transmits that information to one or more third parties, frequently for analytics or targeted advertising.

  4. Because the tool is a "device or process" collecting "addressing" or "routing" style information, it qualifies as a pen register.

  5. If the visitor did not provide valid consent before the tool operated, the website operator violated Cal. Penal Code § 638.51.

Courts differ on the breadth of this theory.  At the pleading stage, however, many cases turn on what is alleged to be collected, whether the information is tied to an identifiable person or device, whether it is transmitted to third parties, and whether consent was obtained in a manner a court will treat as legally effective.

In Camplisson, plaintiffs alleged that Adidas deployed two tracking pixels, TikTok Pixel and Microsoft Bing, on its website.  The order describes tracking pixels as embedded code that can track user activity and support targeted advertising.  The order summarizes allegations that TikTok Pixel collected metadata, including timestamps, IP addresses, unique identifiers, device details, and browser information, and that it could use "fingerprinting" techniques to match data to individuals.  Plaintiffs also alleged that users were not actively notified of the trackers, and that the Terms and Conditions and a Privacy Policy were available only via links in the footer in small font.

Adidas argued that plaintiffs failed to allege a concrete injury and therefore lacked Article III standing.  The court rejected that argument at the pleading stage and treated the alleged conduct as implicating a substantive privacy interest rather than merely a technical statutory violation.  This approach fits within the Supreme Court's standing framework.   In Spokeo, Inc. v. Robins, the Supreme Court explained that a statutory violation alone is not necessarily sufficient, but intangible harm can still be concrete when it bears a close relationship to harms traditionally recognized at law.   Spokeo, Inc. v. Robins, 578 U.S. 330, 338-39, 136 S. Ct. 1540 (2016).   In TransUnion LLC v. Ramirez, the Supreme Court reiterated the importance of "close relationship" to historically recognized harms, including privacy-related harms such as public disclosure of private information and intrusion upon seclusion.  TransUnion LLC v. Ramirez, 594 U.S. 413, 426-27, 141 S. Ct. 2190 (2021).

The Camplisson order also addresses the Ninth Circuit's decision in Popa v. Microsoft, which rejected standing based on session replay allegations where the plaintiff did not identify "embarrassing, invasive, or otherwise private" information captured by the tool.  Popa v. Microsoft Corp., 153 F.4th 784, 791 (9th Cir. 2025).  The Camplisson court distinguished Popa on the pleadings, emphasizing allegations of broader identification and addressing information, and the alleged transmission to third parties.

The order quotes CIPA's definition of "pen register" and notes its breadth.  The court also cites Ninth Circuit authority that CIPA provisions are interpreted in light of the statute's privacy-protecting purposes, including Javier v. Assur. IQ, LLC, 2022 U.S. App. LEXIS 14951, 2022 WL 1744107, at *1-2 (9th Cir. May 31, 2022) and Matera v. Google Inc., No. 15-CV-04062-LHK, 2016 U.S. Dist. LEXIS 107918, 2016 WL 8200619, at *20 (N.D. Cal. Aug. 12, 2016).  The court treated the alleged recording of IP addresses and related information as plausibly within the scope of "addressing" information and therefore sufficient to plead a pen register claim under CIPA.  The order also cites other decisions supporting the plausibility of pen register theories in the context of modern tracking. See, e.g., Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024, 1050 (S.D. Cal. 2023) (finding "a private company's surreptitiously embedded software" that "identifies consumers, gathers data, and correlates that data through unique 'fingerprinting'" can be a pen register); Zarif v. Hwareh.com, Inc., 789 F. Supp. 3d 880 (S.D. Cal. 2025) (same); Moody v. C2 Educ. Sys. Inc., 742 F. Supp. 3d 1072, 1076 (C.D. Cal. 2024) ("Plaintiff's allegations that the TikTok Software is embedded in the Website and collects information from visitors plausibly fall within the scope of §§ 638.50 and 638.51."); but see Kishnani v. Royal Caribbean Cruises Ltd., No. 25-CV-01473-NW, 2025 U.S. Dist. LEXIS 120002, 2025 WL 1745726, at *4 (N.D. Cal. June 24, 2025) (finding a tracker's fingerprinting did fall within the language of § 638).

The important point is procedural.  At the motion-to-dismiss stage, a court may accept the theory if the alleged technology plausibly fits the statutory definition, even though the ultimate merits may depend on further technical and evidentiary development.

Adidas argued that there was consent.  The court rejected consent arguments at the pleading stage, including the theory that Adidas itself was the relevant "user" and could consent to use of the tracking tools.  The court focused on the alleged installation and operation of trackers on visitors' browsers and treated the visitors' consent as the relevant question.

Adidas also argued that visitors consented through the site's Terms and Conditions and Privacy Policy.  The court analyzed online contract assent under Ninth Circuit browsewrap principles and cited Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1177 (9th Cir. 2014) and Berman v. Freedom Fin. Network, LLC, 30 F.4th 849, 856 (9th Cir. 2022).  A key concept in those cases is inquiry notice.  A user is bound only when notice is reasonably conspicuous, and the user takes some action that unambiguously manifests assent.  The court emphasized that burying links in the footer often fails the conspicuousness requirement and that Adidas lacked an affirmative assent mechanism such as a click-through or checkbox.  The website must put "a reasonably prudent user on inquiry notice of the terms of the contract."  Nguyen at 1177.  "Whether a user has inquiry notice of a browsewrap agreement, in turn, depends on the design and content of the website and the agreement's webpage."  Id.  Still, "[u]nless the website operator can show that a consumer has actual knowledge of the agreement, an enforceable contract will be found based on an inquiry notice theory only if: (1) the website provides reasonably conspicuous notice of the terms to which the consumer will be bound; and (2) the consumer takes some action, such as clicking a button or checking a box, that unambiguously manifests his or her assent to those terms."  Berman at 856.

For organizations operating websites accessible in California, CIPA risk assessment typically depends on a small number of concrete factual questions.

From a litigation standpoint, counsel and technical teams should understand which tools load on initial page view, what identifiers they collect (e.g., IP address, unique IDs, device data), and whether any third parties receive the information.  In Camplisson, allegations about IP addresses, unique identifiers, and fingerprinting were material to the court's analysis.

Consent arguments are weaker when tracking begins on first page load, before any interaction with a consent banner or settings tool.  This timing issue is frequently highlighted in privacy cases that involve consent-based defenses, and it was part of the problem described in Camplisson.

Tools used for targeted advertising often involve transmitting information to third-party platforms.   Those allegations can heighten perceived intrusiveness and influence standing, plausibility, and the risk of damages.   In Camplisson, plaintiffs alleged the TikTok tool could share data with third parties.

Many companies still rely on passive notice through footer links.   That approach is vulnerable under Ninth Circuit precedent when there is no affirmative action that clearly indicates assent.

There is no single compliance step that eliminates risk, particularly while the law is still developing.   That said, several practices materially improve the defense posture in CIPA tracking cases.

  1. Organizations should identify every third-party script, pixel, and SDK running on the website, by page type and by firing conditions.  This should include advertising pixels, analytics, A/B testing tools, chat widgets, heatmaps, and session replay, where applicable.  The goal is to know what runs, when it runs, and what data is collected and shared.

  2. If the business chooses to deploy advertising or non-essential analytics tools, implementing a mechanism that obtains affirmative consent before those tools fire is typically a stronger position than relying on a privacy policy link.  The Camplisson court's browsewrap discussion underscores the weakness of a passive footer notice without affirmative assent.

  3. If you intend to rely on terms or privacy disclosures for consent, design the interface so that notice is conspicuous and the user's action clearly indicates assent, consistent with Nguyen and Berman.

  4. CIPA pen register claims focus on dialing, routing, addressing, and signaling information.  Practical minimization measures, such as limiting IP retention, disabling unnecessary identity resolution features, and reducing cross-site correlation where possible, can reduce both legal exposure and reputational risk.

  5. If litigation arises, the ability to show what scripts were configured to fire, what disclosures were presented, and what a user did or did not consent to can materially affect outcomes.  In consent-based disputes, contemporaneous records are often decisive.
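
As an added illustration of items 1, 2 and 5 (not part of the original article and not any vendor's tooling), the following script audits a captured request log for third-party calls that fired before the visitor's consent action and lists the identifier parameters each carried.  The hosts, the parameter names in `ID_PARAMS`, and the sample log are constructed assumptions for the example.

```javascript
// Added example: flag third-party requests that fired before consent.
// All hosts use reserved .example names; the log below is constructed sample data.
const FIRST_PARTY = "shop.example";

// Query-parameter names treated as identifiers (an assumption; tune per deployed tool).
const ID_PARAMS = new Set(["uid", "device_id", "session_id", "click_id"]);

// Constructed capture: t is milliseconds since navigation start.
const SAMPLE_LOG = [
  { t: 40,   url: "https://shop.example/static/app.js" },
  { t: 180,  url: "https://pixel.ads.example/collect?event=PageView&uid=u-123&device_id=d-9" },
  { t: 220,  url: "https://cdn.shop.example/img/hero.jpg" },
  { t: 900,  url: "https://metrics.example.net/v1/hit?session_id=s-77&page=%2F" },
  { t: 5200, url: "https://pixel.ads.example/collect?event=AddToCart&uid=u-123" },
];

// True when host is the first-party domain or one of its subdomains.
function isFirstParty(host, firstParty) {
  return host === firstParty || host.endsWith("." + firstParty);
}

// Returns third-party requests sent before consentAt (ms) with the identifier
// parameters each carried. consentAt === null means consent was never given,
// so every third-party request is reported. Note that the receiving host also
// sees the client IP address on every request, whatever the parameters.
function preConsentThirdParty(log, firstParty, consentAt) {
  const findings = [];
  for (const entry of log) {
    const u = new URL(entry.url);
    if (isFirstParty(u.hostname, firstParty)) continue;
    if (consentAt !== null && entry.t >= consentAt) continue;
    const identifiers = [...u.searchParams.keys()].filter((k) => ID_PARAMS.has(k));
    findings.push({ t: entry.t, host: u.hostname, identifiers });
  }
  return findings;
}

// Groups findings by receiving host for the tracking inventory.
function summarizeByHost(findings) {
  const byHost = {};
  for (const f of findings) {
    if (!byHost[f.host]) byHost[f.host] = { requests: 0, ids: new Set() };
    byHost[f.host].requests += 1;
    f.identifiers.forEach((id) => byHost[f.host].ids.add(id));
  }
  return Object.fromEntries(Object.entries(byHost).map(
    ([host, r]) => [host, { requests: r.requests, identifiers: [...r.ids].sort() }]));
}

console.log(summarizeByHost(preConsentThirdParty(SAMPLE_LOG, FIRST_PARTY, 3000)));
```

Run against a real capture exported per page type, a non-empty result for the period before the consent timestamp is the first-page-load condition described above, and the dated output can be retained as part of the contemporaneous record.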

CIPA is increasingly being used to challenge ordinary website tracking.  Camplisson reflects a judicial willingness, at least at the pleading stage, to treat certain pixel-based tracking allegations as plausible "pen register" claims and to scrutinize consent arguments closely when notice is relegated to a footer link and there is no affirmative assent mechanism.  Given statutory damages exposure, these claims can create outsized exposure even where the alleged individual harm is modest.  For most organizations, the most productive near-term steps are operational.  Identify what tracking tools actually do, ensure non-essential tracking does not run before meaningful consent, and implement a defensible assent process that can be proven with records.

About The Author

Brian Wright | Faruki Co-Managing Partner