By Leeza Arbatman and Scott C. Hall
In the wake of an explosion in digital privacy litigation, courts and legislatures are redrawing some of the boundaries of what qualifies as unlawful data collection under decades-old statutes. Claims brought under California’s Invasion of Privacy Act (CIPA) and the federal Video Privacy Protection Act (VPPA) have tested how far traditional wiretap and video privacy laws can stretch to cover modern tracking technologies like pixels, session replay tools, and embedded analytics software. As these suits proliferate, courts are being asked to decide whether routine digital tracking amounts to interception, surveillance, or unauthorized disclosure of personal information.
Recent developments reflect both the tightening and expansion of privacy liability. In California, courts remain split on whether modern tracking tools qualify as “pen registers” or violate CIPA’s wiretap provisions, while a pending bill—SB 690—aims to sharply curtail such claims going forward. At the federal level, VPPA decisions have moved in divergent directions, with a growing Circuit split on what makes someone a “consumer” and what counts as “personally identifiable information.” Together, these trends show a legal landscape in flux, shaped as much by statutory interpretation as by shifting expectations around digital privacy and surveillance.
California CIPA Developments
Recent decisions illustrate the divergent paths CIPA claims are taking in California and beyond. While some courts continue to reject CIPA suits targeting ordinary website tracking, others are permitting such claims to proceed—especially where plaintiffs allege unauthorized use of third-party tracking software or more invasive data collection. The result is a patchwork of outcomes that often turn on the specific tracking technologies and legal theories alleged.
What Counts as a “Pen Register” or “Trap and Trace Device” Under § 638.51?
Courts are divided on whether modern web-tracking tools fall within the scope of California Penal Code § 638.51, which prohibits unauthorized use of devices that capture dialing or routing information, but not communication content.
In some recent decisions, courts have permitted claims to proceed where plaintiffs plausibly alleged that tools like TikTok scripts or IP trackers functioned like pen registers or trap-and-trace devices:
- Lillian Jurdi v. MSC Cruises (USA) LLC, No. 24STCV14098 (Cal. Super. Ct. Sept. 17, 2024): TikTok tracking scripts that collected geographic information, referral tracking, and URAL tracking could qualify as such devices.
- Shah v. Fandom, Inc., No. 3:23-cv-4883 (N.D. Cal. Oct. 21, 2024): IP tracking that relayed user location data supported a pen register claim, as did the fact that users could not reasonably expect that trackers would be installed on websites and transmit their IP addresses every time they visited.
- Heiting v. IHOP Restaurants, LLC, No. 24STCV14453 (Cal. Super. Ct. Oct. 28, 2024): TikTok scripts plausibly captured incoming user data that identified that user like a trap-and-trace device.
- Lesh v. CNN, No. 1:23-cv-7374 (S.D.N.Y. Feb. 20, 2025): Court noted in dicta that IP tracking might fit the definition, particularly where it collected location-related data associated with user communications.
Others have rejected such claims, holding that § 638.51 targets telephone surveillance and doesn’t extend to routine online tracking:
- Sanchez v. Cars.com, 2025 WL 487194 (Cal. Super. Ct. Jan. 27, 2025): The pen register statute does not extend to internet communications.
- Rodriguez v. Plivo, 2024 WL 5184413 (Cal. Super. Ct. Oct. 2, 2024): Basic location data revealed by an IP address is not sensitive enough to sustain a pen register claim.
- Palacios v. Fandom, No. 24STCV11264 (Cal. Super. Ct. Sept. 24, 2024): IP addresses are not outgoing communications, as required to plausibly allege violation of the pen register statute.
- Aviles v. LiveRamp, No. 23STCV28190 (Cal. Super. Ct. Jan. 28, 2025): Tracking beacon collected only IP addresses and device information so did not qualify as a pen register.
Session Replay and “Reading” in Transit under § 631(a)
Courts assessing CIPA § 631(a) claims based on session replay tools have focused on whether the software “reads” communications during transmission. The statute prohibits unauthorized interception, but not all data capture qualifies—liability generally requires real-time comprehension or decoding.
Several decisions highlight this distinction between passive recording and active interception:
- Heerde v. Learfield Communications LLC, No. 2:23-cv-5258 (C.D. Cal. July 19, 2024): Court allowed the § 631(a) claim to proceed past the pleading stage where plaintiffs alleged that search terms were transmitted in real time to third parties, constituting interception in transit.
- Torres v. Prudential Financial, Inc., 2025 WL 1135088 (N.D. Cal. Apr. 17, 2025): Court granted summary judgment for defendants. The session replay software recorded keystrokes and mouse movements for later viewing but did not “read” the data as it was being transmitted. The absence of real-time decoding or interpretation defeated the CIPA claim.
- Williams v. DDR Media, LLC, 757 F. Supp. 3d 989 (N.D. Cal. 2024): After discovery, the court found that the tracking software hashed inputs and did not retain or analyze their contents. Because it neither read nor attempted to understand the meaning of the communications during transmission, no liability under § 631(a) attached and summary judgment was granted for the third-party vendor and defendant who partnered with it.
Privacy Expectations in IP Addresses and Standing
Defendants continue to win dismissal where courts find no reasonable expectation of privacy in IP addresses or where plaintiffs fail to allege a concrete injury.
- Gabrielli v. Insider Inc., No. 1:23-cv-7433 (S.D.N.Y. Feb. 18, 2025): Dismissed for lack of standing; IP tracking alone didn’t show harm or privacy invasion.
- Zhizhi Xu v. Reuters News & Media, No. 1:23-cv-7425 (S.D.N.Y. Feb. 13, 2025): Standing denied where plaintiff didn’t allege that IP tracking resulted in targeting or other harm.
- Heiting v. FKA Distributing Co., No. 3:23-cv-5329 (N.D. Cal. Feb. 3, 2025): No standing where plaintiff failed to specify frequency of visits, data shared, or whether the tracking led to any deanonymization or harm.
- Casillas v. Transitions Optical Inc., No. 23STCV30742 (Cal. Super. Ct. Apr. 23, 2024): Dismissed for lack of allegations about howplaintiff interacted with the site or what data was collected.
- Ingrao v. AddShoppers, Inc., 2024 WL 4892514 (E.D. Pa. Nov. 25, 2024): Held that email addresses and general internet activity are not sensitive enough to support standing under CIPA or similar statutes.
The Ninth Circuit Weighs in with Three Decisions
Amidst these varying district court cases, the Ninth Circuit weighed in on three CIPA cases, affirming dismissal of CIPA claims in two cases, but reversing dismissal in a third case. These decisions will likely be used by both plaintiffs and defendants going forward in bringing and defending against CIPA claims:
- Thomas v. Papa John’s, 2025 WL 1704437 (9th Cir. June 18, 2025): Affirmed dismissal of CIPA claims based on session replay code because plaintiff alleged that Papa John’s directly violated § 631(a) by eavesdropping, as opposed to aiding and abetting eavesdropping by a third party. The panel held that a party to a conversation cannot be liable for eavesdropping on its own conversation.
- Mikulsky v. Bloomingdale’s, 2025 WL 1718225 (9th Cir. June 20, 2025): Reversed dismissal of CIPA claims based on session reply code on defendant’s sufficient facts to allege that defendant aided or conspired with third-party session reply providers to capture the “contents” of plaintiff’s communications on defendant’s website (including names, addresses, credit card information, and product selections), and not merely “record” information (such as mouse clicks or movements) regarding the characteristics of those communications.
- Guiterrez v. Converse, 2005 WL1895315 (9th Cir. July 9, 2025): Affirmed dismissal of CIPA claims based on chat feature provided on Converse website by Salesforce because plaintiff provided no evidence that her chats were read by Salesforce, despite evidence that Salesforce could read those chats. Note concurrence by Judge Bybee questioning whether CIPA was intended to cover internet communications at all: “If theCalifornia legislature wanted to apply § 631(a) to the internet, it could do so by amending that provision or adding to CIPA’s statutory scheme . . . California has failed to update § 631(a) to account for advances in technology since 1967. It is not our job to do it for them.” Id. at *3.
The VPPA Circuit Split in the Digital Age
Background
The VPPA prohibits video service providers from knowingly disclosing a consumer’s personally identifiable information (PII) related to video viewing without consent. Congress enacted the statute in 1988 after Judge Robert Bork’s video rental history was disclosed during his Supreme Court confirmation process. Although the titles—such as Hitchcock thrillers and family films—were unremarkable, the episode sparked public concern over the ease with which viewing habits could be exposed. Following what became known as the “Bork Tapes” episode, Congress passed the VPPA to protect disclosure of consumers’ video viewing information without their consent.
The Second Circuit Expands, Then Narrows, the VPPA
In Salazar v. National Basketball Association, 118 F.4th 533 (2d Cir. 2024), the plaintiff subscribed to the NBA’s email newsletter and later viewed videos on NBA.com while logged into Facebook. He alleged that the NBA used Meta’s tracking pixel to share his personal information and viewing history and Facebook ID with Meta for targeted advertising. The Second Circuit held that the email newsletter constituted a “good or service” under the VPPA even though it was non-video content. This holding significantly expanded the definition of a “subscriber” under the statute and led to a surge in VPPA claims.
More recently, however, in Solomon v. Flipps Media, Inc., 2025 WL 1234567 (2d Cir. May 1, 2025), the Second Circuit held that sending a Facebook user’s ID and a URL containing a video title to Meta does not trigger VPPA liability. Applying an “ordinary person” standard, the court ruled that this data combination does not constitute PII because it doesn’t, on its own, reveal an individual’s viewing history without additional tools or expertise. Solomon is a major victory for defendants and is expected to significantly curb pixel-based VPPA claims in the Second Circuit. The decision aligns the Second Circuit with the Third and Ninth Circuits, reinforcing a narrower interpretation of the statute.
The Sixth Circuit’s VPPA Limitation: Salazar v. Paramount Global
In Salazar v. Paramount Global, 133 F.4th 642 (6th Cir. 2025), the Sixth Circuit rejected a VPPA claim based on Meta Pixel use, narrowing the definition of “consumer” under the statute. The plaintiff alleged that 247Sports.com disclosed his video viewing history to Facebook while he was logged into his account and subscribed to the site’s newsletter. The court held that unauthorized disclosure of viewing history to Facebook constituted a concrete injury, analogizing it to common-law privacy harms. However, it concluded that Salazar did not have a “consumer” relationship with the defendant, as required under the VPPA—Salazar’s newsletter subscription didn’t qualify as a subscription to goods or services in the nature of audiovisual materials.
The Seventh Circuit’s Expansion of VPPA Viability: Gardner v. Me-TV National Limited Partnership
In Gardner v. Me-TV National Limited Partnership, 132 F.4th 1022 (7th Cir. 2025), the Seventh Circuit expanded the scope of VPPA liability by holding that plaintiffs who created free MeTV accounts to access personalized video features qualified as “subscribers” under the statute. The plaintiffs alleged that MeTV embedded Meta’s tracking pixel in its videos, transmitting their viewing history and personal data to Facebook for targeted advertising. The court found that exchanging email addresses and zip codes for personalized video access made the plaintiffs “subscribers,” emphasizing that “data can be worth more than money” in the digital economy. It adopted a broad reading of “consumer,” holding that the VPPA covers anyone who subscribes to any service from a video tape service provider, regardless of whether thesubscription is tied directly to video content. The court rejected MeTV’s argument that the plaintiffs merely subscribed to an “information service,” explaining that the statute focuses on who provides the subscription—not the specific type of content accessed. Gardner marks a significant expansion of VPPA exposure, particularly for ad-supported platforms that collect user data in exchange for personalized video features.
Takeaways
Together, Solomon v. Flipps Media, Salazar v. Paramount Global, and Gardner v. Me-TV illustrate the deepening Circuit split over how broadly the VPPA applies in the context of modern digital tracking. The Circuits have taken different positions on who qualifies as a “consumer” and what constitutes “personally identifiable information” traceable to a person. These cases underscore the uncertainty that remains around the VPPA’s reach in the age of ad-supported streaming and pixel-based analytics, with the permissibility of such claims now hinging heavily on jurisdiction.
SB 690: California’s Legislative Response to CIPA Abuse
Amidst the wave of CIPA litigation, the California legislature has introduced a bill to curb increasingly abusive litigation practices over website data collection that have surged over the past few years.
What the Bill Does
SB 690 amends CIPA to exempt from liability the use of recording or tracking technologies that serve a “commercial business purpose.” The exemption applies to Penal Code Sections 631, 632, 637.2, and 638.51, provisions that have been the focus of extensive litigation and have generated significant uncertainty for businesses attempting to navigate compliance. The bill aims to clarify the permissible use of common and now universally used web technologies that assist with analytics, advertising, and personalization of digital experiences. If passed, the bill will rein in what many see as an increasingly unmanageable and unpredictable wiretapping litigation landscape.
Who’s Affected
- Defendants Favored: Website operators, analytics providers, and ad tech firms gain protection from CIPA suits arising out of standard business activities.
- Plaintiffs’ Bar Constrained: Routine lawsuits over standard tracking implementations lose statutory footing.
- Businesses See Reduced Exposure and Litigation Cost: Currently, CIPA permits $5,000 per statutory
violation, and litigation costs on top of that create hefty financial repercussions for CIPA violations.
Status and Outlook
SB 690 passed the California Senate unanimously and also found strong support in the Assembly. As amended, the bill applies prospectively only—it will not affect pending cases filed before the effective date. However, the Assembly voted to advance the bill as a two-year bill, meaning that it can carry over into the 2026 legislative session and will likely delay enactment of the bill. This may prompt a further surge of CIPA filings over the next few months as plaintiffs race to file before the new limitations take effect.
Conclusion
As courts and lawmakers confront the realities of digital tracking and data analytics, the legal contours of privacy litigation are rapidly evolving. The mixed rulings under CIPA reveal a judiciary still grappling with how to apply legacy statutes to modern technologies, while the VPPA decisions reflect growing disagreement over the statute’s scope in a data-driven economy. At the same time, SB 690 signals a legislative push to restore predictability and limit liability for businesses engaging in routine online practices. For companies operating in the digital space, this moment represents both risk and opportunity: a chance to reassess compliance strategies as privacy law realigns, and a need to stay alert as courts and legislatures continue to reshape the rules of engagement.
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.
