The California Invasion Of Privacy Act In The Digital Age: Recent Developments Offer Defendants New Tools To Fight Back

Alleged violations of California's Invasion of Privacy Act (CIPA) have become one of the most frequently invoked claims of modern privacy litigation. What began in 1967 as a statute to stop telephone wiretapping is now being leveraged by plaintiffs' lawyers to target companies for using routine website analytics and pixel tracking tools. The result is a wave of high-stakes class actions threatening $5,000 in statutory damages per website visit. But recent decisions in the Ninth Circuit have begun to shift the momentum, giving defendants powerful new arguments to defeat these claims early.

Applying a 1960s Statute to Modern Technology

CIPA was enacted for an analog world of switchboards and landlines, making it ill-suited to govern 21st-century data collection. Courts have struggled to interpret the statute in the context of routine digital tracking, and while some early cases allowed claims to proceed, a growing number of recent decisions reflect judicial skepticism toward efforts to stretch CIPA beyond its intended purpose.

In recent years, plaintiffs' attorneys have repurposed CIPA to target website operators that use tracking technologies, such as pixel or SDK tracking tools to monitor user interactions. These suits allege that by transmitting website visitor data to third parties, companies are effectively “eavesdropping” on online communications or operating an unlawful “trap and trace” device in violation of CIPA.

Each alleged violation of CIPA can expose defendants to statutory damages of $5,000 per instance—creating immense potential exposure in putative class actions involving thousands or millions of website visits.

Judicial Struggles in a New Technological Landscape

Early on, courts struggled to apply a 1960s-era statute to modern data analytics tools. While some early cases permitted some claims to proceed past the pleading stage, more recent decisions reflect growing judicial skepticism toward attempts to stretch CIPA beyond its intended scope.

Recent Defense-Friendly Decisions

Over the past year, courts in the Ninth Circuit have provided defendants with several key tools to combat these claims:

1. The Information that Pixels Collect Does Not Violate CIPA

Recent cases have held that the data transmitted by tracking pixels—typically URLs, IP addresses, or device identifiers—does not constitute “embarrassing, invasive, or otherwise private” information sufficient to establish injury.

In Khamooshi v. Politico LLC, 2025 WL 2822879 (N.D. Cal. Oct. 2, 2025), the court relied on the Ninth Circuit's decision in Popa v. Microsoft Corp., F.4th, 2025 WL 2448824 (9th Cir. Aug. 26, 2025), to conclude that the alleged data was not the type of information traditionally protected by privacy torts such as CIPA. Similarly, in Mitchener v. CuriosityStream, Inc., 2025 WL 2272413 (N.D. Cal. Aug. 6, 2025), the court found that the “collection of basic contact information by software, or where the plaintiffs merely visited the website, are not concrete harms.” Id.  (citation omitted). Accordingly, the Khamooshi  and Mitchener  courts dismissedplaintiffs' claims with prejudice. 

2. CIPA Section 631(a) Does Not Extend to Internet Communications

Other courts have held that certain of CIPA's provisions — originally intended to cover telephone surveillance — do not apply to Internet activity alleging “eavesdropping”. For example, in Valenzuela v. Super Bright LEDs, Inc., 2023 WL 8424472 (C.D. Cal. Nov. 27, 2023), the court found that Section 631(a) does not extend to internet communications, and that the party exception shielded website operators. Likewise, in Licea v. Vitacost.com, Inc., 2023 WL 5086893 (C.D. Cal. Jul. 24, 2023), the court rejected similar claims, emphasizing both statutory limitations and timing deficiencies. Both the Valenzuela  and Licea  courts granted early motions to dismiss the plaintiffs' claims.

3. “Tester” Plaintiffs Lack Standing

Finally, courts have recently rejected claims brought by self-appointed “tester” plaintiffs who visit websites solely to manufacture litigation. In Rodriguez v. Autotrader.com, Inc., 2025 WL 1122387, at *2 (C.D. Cal. Mar. 14, 2025), the court found that the plaintiff lacked standing because she intentionally sought out the alleged violation: “It was no accident that [Plaintiff] visited the Website and allegedly had her privacy violated. Rather, she visited the Website ‘fully expect[ing]' it to violate her privacy ‘so that she could file this action.'” Similarly, in Byars v. Sterling Jewelers, Inc., 2023 WL 2996686, at *4 (C.D. Cal. Apr. 5, 2023), the court dismissed CIPA claims for lack of standing because, among other things, the plaintiff had no reasonable expectation of privacy and therefore no injury in fact.

Key Takeaways

• CIPA's original focus was telephonic wiretapping, not website analytics. Courts are increasingly reluctant to stretch its scope to cover internet communications.
• Recent Ninth Circuit decisions provide powerful defenses: lack of concrete injury, statutory inapplicability to internet communications, and absence of privacy expectations for tester plaintiffs.
• Potential exposure remains high, given the $5,000 statutory damages per violation, but these rulings mark a turning point in how courts assess modern CIPA claims.

Conclusion

As CIPA litigation continues to evolve, website operators, retailers, and companies using tracking technologies should consult experienced counsel familiar with both privacy law and emerging case law trends. Strategic early motion practice and a clear understanding of CIPA's statutory limits can dramatically reduce exposure and position defendants for early dismissal or favorable resolution.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.