Judge Charles R. Breyer, in the Northern District of California, denied a motion to dismiss a putative class action alleging that the use of website trackers—software that collects users’ IP addresses and device identifiers—violates the California Invasion of Privacy Act (CIPA), specifically its Pen Register Act provisions. The ruling clarifies that CIPA’s reach extends to modern web tracking technologies, and that businesses embedding such trackers may face liability under California law.
The plaintiff, a California resident, alleged that a digital publisher’s website embedded third-party trackers operated by companies such as Microsoft, Wunderkind, and PubMatic. These trackers collected users’ IP addresses and device information, enabling cross-site recognition and targeted advertising. The plaintiff claimed this conduct violated CIPA’s Pen Register Act, which prohibits installing or using a “pen register” (defined as any device or process that records dialing, routing, addressing, or signaling information from electronic communications) without a court order or user consent.
The defendant moved to dismiss, arguing that (1) the Pen Register Act applies only to person-to-person communications (like phone calls or emails), not website activity; (2) the complaint failed to allege a violation; and (3) the statute is ambiguous, requiring dismissal under the rule of lenity.
Applicability to Website Trackers
The court rejected defendant’s argument that CIPA’s pen register provisions are limited to traditional communications. It emphasized that the statutory definition of “pen register” includes any “device or process” that records addressing information, and that the legislature’s use of broad, technology-neutral language was intentional. The court cited a growing body of decisions in the district holding that website trackers collecting IP addresses and device identifiers fall within the statute’s scope.
Sufficiency of the Pleadings
The court found that the complaint adequately alleged the installation and use of pen registers. It held that website visits involve “electronic communications” under the statute, and that embedding third-party trackers and using the resulting data for advertising purposes is sufficient to state a claim. The court also rejected the argument that the defendant could not be liable because it was a party to the communication or because third parties operated the trackers, noting that embedding the trackers and using the data constitutes “installation” and “use” under the statute.
Legislative Developments and Rule of Lenity
The court declined to consider the impact of pending Senate Bill 690, which seeks to limit CIPA’s application to website analytics and advertising, noting that the bill is not law and would not apply retroactively. The court also found that the rule of lenity did not require dismissal, as the statutory language is not grievously ambiguous.
DAWN FREGOSA, v. MASHABLE, INC., No. 25-CV-01094-CRB, 2025 WL 2886399 (N.D. Cal. Oct. 9, 2025).
