On June 18, 2025, the Los Angeles County Superior Court entered judgment in favor of an online retailer, dismissing a privacy claim brought under the California Invasion of Privacy Act (CIPA). Plaintiff, a self-described privacy advocate and “tester,” alleged that the retailer’s website unlawfully collected her IP address through tracking software, in violation of Penal Code section 638.51(a). The court sustained the defendant’s demurrer without leave to amend, finding the complaint failed to state a viable claim.
No Reasonable Expectation of Privacy in IP Addresses
The court held that website users do not have a reasonable expectation of privacy in their IP addresses when accessing a website. The act of visiting a website necessarily involves voluntarily transmitting an IP address to the site operator, a process fundamental to internet communication. The court cited both federal and California precedent establishing that IP addresses are considered “addressing information,” not protected content, and that users knowingly disclose this information to service providers.
Section 638.51 did not intend to criminalize the process by which all websites communicate with all users who choose to access them.
Statutory Exemptions Apply
The court found that the statutory definitions in Penal Code section 638.50 and the exemptions in section 638.51(b) permit website operators to collect IP addresses in the ordinary course of business to operate and maintain electronic communication services. The court reasoned that criminalizing such routine collection would undermine the basic functionality of the internet.
Assuming that a pen register captures outgoing IP addresses, “the collection of incoming IP addresses by [a website operator] is exempt” from penalty under 18 U.S.C. section 3121(b)(1), because defendants “necessarily capture such data …to operate the website.” (Columbia Pictures Industries v. Bunnell (C.D. Cal. May 29, 2007, CV 06-1093FMCJCX) 2007 WL 2080419 at p. *11.) The federal statute is mirrored by Penal Code section 638.51, subdivision (b)(1), which authorizes a provider of an electronic communications service to use a pen register to “operate, maintain, and test [an] … electronic communications service.” (See also Capitol Records, Inc. v. Thomas Rasset (D. Minn. June 11, 2009, No. 06-1497) 2009 WL 1664468, at p. 3 [“the Pen Register Act cannot be intended to prevent individuals who receive electronic communications from recording the IP information sent to them. If it did apply to those cases, then the Internet could not function because standard computer operations require recording IP addresses so parties can communicate with one another over the Internet”].)
No Cognizable Injury or Standing
Plaintiff failed to allege any concrete injury resulting from the collection of her IP address. IP addresses alone do not reveal specific personal information and plaintiff, as a “tester,” could not claim a subjective expectation of privacy in this context.
Distinguishing Precedent
The court distinguished Greenley v. Kochava, which involved the collection of extensive personal and geolocation data via mobile apps. Here, the only data at issue was the plaintiff’s IP address.
Casillas v. BOP LLC, No. 24STCV15581, 2025 WL 2161288, at *3 (Cal.Super. June 18, 2025).
