ARTICLE
1 July 2026

Changing Tides: A Los Angeles Court Delivers A Major CIPA Defense Win

TS
Taft Stettinius & Hollister

Contributor

Established in 1885, Taft is a nationally recognized law firm serving individuals and businesses worldwide, in both mature and emerging industries.
The California Information Privacy Act (CIPA) has become a go‑to vehicle for plaintiffs’ counsel attacking website tracking technologies, such as cookies, pixels, beacons, chat bots...
United States California Privacy
Taft Stettinius & Hollister are most popular:
  • within Antitrust/Competition Law, Food, Drugs, Healthcare and Life Sciences topic(s)
  • with readers working within the Aerospace & Defence industries

The California Information Privacy Act (CIPA) has become a go‑to vehicle for plaintiffs’ counsel attacking website tracking technologies, such as cookies, pixels, beacons, chat bots, and video or session replay tools.

Over the last few years, website operators have been hit with a wave of demand letters claiming CIPA violations. But the tide may be shifting – marking smoother sailing for website operators. A recent decision from a California court narrows CIPA to telephonic communications and significantly undercuts the viability of CIPA claims against commercial websites.

As we have previously discussed, plaintiffs have argued that website tracking technologies amount to illegal wiretapping or eavesdropping without the website visitor’s consent using a variety of laws to support such claims, most commonly CIPA. Statutory damages under CIPA are steep, amounting up to $5,000 per violation or three times actual damages, whichever is higher—making these claims particularly attractive for the plaintiffs’ bar.

On May 27, 2026, in Blaker v. NetScout Systems, Inc., Case No. 25STCV31283, the Los Angeles County Superior Court dismissed a CIPA lawsuit with prejudice, holding that CIPA’s legislative intent was limited to telephonic communications—not internet websites.

Blaker v. NetScout Systems, Inc. – Plaintiff’s Allegations

In Blaker, the plaintiff alleged NetScout’s deployment of X’s (f/k/a Twitter) a tracking Software Development Kit (SDK) on NetScout’s website captured electronic impulses to identify website visitors for analytics purposes, without their consent, violating CIPA. Specifically, the plaintiff alleged that the SDK was deployed before displaying any privacy notice or obtaining visitor consent, asserting “[t]he surveillance begins the instant a visitor’s browser connects to the [w]ebsite.”

The plaintiff further asserted that while a traditional SDK may not by itself be a tracking technology, the information aggregated by the SDK in this instance created a “highly unique digital fingerprint” that reliably identified and tracked individual visitors even without traditional identifiers like cookies. The plaintiff claimed the SDK effectively generated surveillance trackers that enabled comprehensive monitoring of users’ online activities and detailed behavior profiling without meaningful user awareness or consent. The plaintiff also asserted that each visit to NetScout’s website, and the resulting automatic activation of tracking technologies to capture electronic impulses, constituted a separate violation of CIPA.

Blaker v. NetScout Systems, Inc. – NetScout’s Response

NetScout responded that the complaint failed to state a legally valid claim and that the pleading raised pure questions of law. The Los Angeles County Superior Court agreed.

NetScout argued that the plaintiff failed to allege NetScout employed a “pen register” or “trap and trace device” within the meaning of CIPA, contending those terms are expressly tied to telephones, not SDKs running on websites.

Breakdown of the Court’s Analysis

Using the statutory text and legislative history, the court tackled the question that has fueled years of CIPA litigation: does CIPA reach beyond telephone lines? The court’s answer was no.

Focusing on the definitions of “pen register” and “trap and trace device,” the court concluded that internet websites fall outside CIPA’s scope. The court emphasized terms such as “dialing,” “originating number,” and “routing” explicitly concern telephone use.

  • Trap and trace device” is a “device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”
  • Pen register” is “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.”

The court remarked “the internet was in widespread use when these provisions were enacted in 2015. If the Legislature had intended for section 638.51 [of the California Penal Code] to apply to commercial websites, it would have so stated either in the statute itself or in the surrounding materials.” Applying ordinary rules of statutory construction, Penal Code section 638.51’s structure, and the legislative history, the court held that CIPA applies only to telephonic communications and not to software on a commercial website.

The court also noted there was no need for the plaintiff to amend the complaint because any amendment would be futile given the ruling and CIPA’s inapplicability to commercial websites.

Looking Ahead

This decision is a significant moment for businesses defending against CIPA demand letters and lawsuits over website tracking. That said, it is a trial‑court decision from the Los Angeles County Superior Court, other courts may chart a different course. This decision does not bind other California courts or appellate courts.

Still, the ruling is an important signal that some of the more aggressive, expansive CIPA theories, especially those trying to retrofit device-specific statutes to modern website technology, may hit a statutory wall.

Notably, plaintiffs are already layering alternative theories and causes of action, including California’s Shine the Light Law, the Unfair Competition Law, and traditional privacy torts which means website practices will continue to be scrutinized. Practical steps for businesses include:

  • Audit website tracking technologies and partners. Inventory all tracking tools (including SDKs and pixels), identify the data collected, and map data sharing with third parties.
  • Provide clear notice. Update privacy policies and online terms so they accurately describe tracking, analytics, advertising, and sharing practices in language a typical user can understand.
  • Consider banners and just‑in‑time disclosures. Deploy a banner or similar mechanism for first‑time visitors to disclose data collection and sharing practices, and link prominently to your privacy policy and preferences tools.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More