In the past month, California judges have issued encouraging decisions for defendants in cases asserting that website tracking technologies constitute illegal pen registers or trap and trace devices under the California Invasion of Privacy Act (“CIPA”). The plaintiffs’ legal theory in these cases is that these tracking technologies capture the IP addresses of website visitors, which plaintiffs contend is not permissible under CIPA absent consent. In both Sanchez v. Cars.com and Aviles v. LiveRamp, Inc., California superior courts rejected this theory, holding that it is normal—and not illegal—for websites to track the IP addresses of their visitors. While these defense-friendly decisions are positive developments, they come on the heels of some recent California federal court decisions that have gone the other way. Therefore, the use of these tracking technologies still presents significant litigation risk. Here is the current lay of the land.

Pen Register and Trap and Trace Claims under CIPA § 638.51

CIPA section 638.51 provides that “a person my not install or use a pen register or a trap and trace device without first obtaining a court order.” Cal. Penal Code § 638.51(a). Whereas wiretaps capture the content of a conversation, pen registers and trap and trace devices capture routing information. Historically, pen registers and trap and trace devices are tools used by law enforcement to capture incoming and outgoing call logs. Because the statute imposes a $2,500 fine per violation, this statute is an attractive claim for class action lawyers. 

In the past year or so, creative plaintiff’s lawyers have argued that certain tracking technologies (such as the Meta and TikTok pixels) are pen registers or trap and trace devices, because they capture the internet equivalent of telephone numbers—namely, IP addresses and, sometimes, geolocation data. 

As we have blogged about previously, these claims are particularly problematic for defendants because the collection and tracking of IP address data is ubiquitous on the internet. See our prior post on this claim here.  

California State Courts Are Pushing Back on Plaintiffs’ Pen Register/Trap and Trace Theory

Recently, two California superior courts rejected plaintiffs’ assertions that a web beacon that tracks the IP addresses of website visitors constitutes an illegal pen register or trap and trace device.

Sanchez v. Cars.com, Inc., 24STCV13201

In Sanchez, a “tester” plaintiff alleged that Cars.com unlawfully installed a pen register on its website by embedding a beacon that sent a website user’s IP address to the beacon’s software provider. 

The court dismissed the claim, finding that Section 638.51 is only meant to apply to telephone-tracking technologies, and not internet communications such as websites. In addition, the court rejected the notion that plaintiffs have a reasonable expectation of privacy in their computers’ IP addresses. The court reasoned that IP addresses are “a basic function of accessing the internet.”  Thus, website visitors should know that their IP addresses are being collected and shared with third parties.   

Aviles v. LiveRamp, Inc., 24STCV19869

The plaintiff in Aviles also asserted that the defendant unlawfully installed a pen register or trap and trace device on its website by embedding a beacon that sent a website user’s IP address to the beacon’s software provider. The court flatly rejected this claim, explaining that it was perfectly normal for websites to track the IP addresses of website visitors, and that “[w]ithout alleging that Defendant installed software on Plaintiff’s device or browser that collected incoming contact information to Plaintiff’s device, Plaintiff has not alleged anything above and beyond how the internet normally works.” Importantly, the court noted that the California state court’s own website contains a notice that the website may collect and record the IP addresses of visitors, and stressed how normal this tracking is.

California Federal Courts Have Refused to Dismiss Trap and Trace/Pen Register Claims

The recent news from the California federal courts, however, is less encouraging. One judge in the Central District of California refused to dismiss pen register claims in two separate cases—holding that tracking pixels may qualify as illegal pen registers or trap and trace devices under CIPA. See Moody v. C2 Educational Systems Inc., 2024 WL 3561367 (C.D. Cal. July 25, 2024); Rodriguez v. Autotrader.com, Inc., 2025 WL 65409 (C.D. Cal. Jan. 8. 2025). While the court noted that it was “persuasive” that some state courts had “concluded differently”—these non-binding state court decisions were not persuasive enough to support dismissal. The court also rejected defendants’ argument that a business should be shielded from liability because the collection of IP addresses is “necessary for websites to operate.”  The court noted that the tracking software collected information beyond what is necessary to operate or maintain a website—e.g., users’ system information, browser information, geolocation data, and email addresses. 

Last fall, the Northern District of California also refused to dismiss a pen register/trap and trace claim in Shah v. Fandom, Inc., 2024 WL 4539577 (N.D. Cal. Oct. 21, 2024). The court held that the IP address information collected by the third-party trackers constituted “addressing” information under the statute. While the defendant argued that allowing the lawsuit to proceed would “unsettle the basic operating rules of the internet”, the court was not swayed. The court reasoned that the question of whether the statute’s scope should be narrowed is one for the state’s legislature, not the courts.

These broad readings of the pen register/trap and trace statute are extremely problematic for businesses. If the mere disclosure of a user’s IP address constitutes a CIPA violation, then virtually every website operator is subject to CIPA liability. While this may be welcome news for class action lawyers, it threatens to turn every website operator into a criminal and to unsettle the basic operating rules of the internet.  

What’s Next for Businesses?

With these conflicting state and federal court decisions, we expect that the plaintiff’s bar will continue to pursue these claims, especially in federal court. Given this, businesses that utilize third-party tracking technology would be wise to speak with trusted counsel on how to mitigate their risks. It is vital that businesses understand what tracking technologies they use on their websites, and ensure that their privacy policies accurately reflect this. Business should also consider taking measures to obtain affirmative consent from users prior to firing these tracking technologies.   

We will continue to monitor developments in this area of the law.