The Southern District of New York is becoming a less favorable venue for serial plaintiffs asserting that website tracking technologies constitute illegal pen registers or trap and trace devices under Section 638.51 of the California Invasion of Privacy Act (“CIPA”). We previously blogged about the surge of these class actions here and here. Notwithstanding that CIPA is a California statute, plaintiff firms have been filing these cases in New York federal courts—alleging jurisdiction under the Class Action Fairness Act (“CAFA”). Last week, however, the S.D.N.Y. dealt a significant blow to these CIPA claims—holding that the collection of a plaintiff’s IP addresses does not implicate a legally protected privacy interest sufficient to satisfy the injury in fact requirement of Article III standing. See Gabrielli v. Insider, Inc., 2025 WL 522515 (S.D.N.Y. Feb. 18, 2025). 

In Gabrielli, the plaintiff alleged that he visited the Business Insider website, which caused a third-party tracker operated by Audiencerate to be installed on his browser (the “Tracker”).  The Tracker sent plaintiff’s IP address to Audiencerate, and it was used for targeting marketing purposes. Defendant Insider moved to dismiss—arguing that plaintiff lacked standing to pursue this claim, because he had not suffered any injury stemming from the disclosure of his IP address. The court agreed. 

First, the court noted that IP addresses are not “personally identifying”—they do not identify the actual individual user. Rather, they merely show that a device from a general area had visited the website. The court noted that this is consistent with the “general understanding that in the Fourth Amendment context a person has no reasonable expectation of privacy in an IP address.”

Second, the court noted that plaintiff voluntarily provided his IP address when he accessed defendant’s website. Indeed, “an IP address is necessary to access Insider’ website because an IP address enables an individual’s web browser to communicate with the website server.” Thus, plaintiff cannot argue that defendant intruded upon his private affairs. 

Third, the court rejected plaintiff’s argument that alleging a violation of CIPA satisfies the “concrete injury requirement” for standing. The court held that Section 638.51 of CIPA “does not codify a substantive privacy right that bears a close relationship to a traditionally recognized harm”; instead, it merely requires companies to “obtain a court order before using certain statutorily defined mechanisms” to collect IP addresses that are voluntarily provided by users.  The court did not find that plaintiff suffered any concrete harm from defendant’s alleged “procedural violation” of Section 638.51. 

This is a very significant win for businesses, and is consistent with recent rulings in several California state court cases (see our recent blog post here).  However, California federal courts have been less willing to dismiss these claims, at least at the pleading stage. Until state or federal appellate courts in California weigh in, we expect to continue seeing these cases. Given this, businesses that utilize third-party tracking technology should speak with trusted counsel on ways to mitigate their risks.