On October 24, 2025, the Superior Court of California in Santa Clara County overruled a demurrer in a class action alleging that the installation of certain web trackers on a news website violated the California Invasion of Privacy Act (CIPA).
The lawsuit centers on the use of three specific trackers—ADNXS, PubMatic, and Sharethrough—installed on visitors’ browsers when accessing the defendant’s website. According to the complaint, these trackers collect users’ IP addresses, device types, browser information, and unique identifiers. Plaintiff alleges that this data is used to build detailed user profiles, which are then sold to advertisers, resulting in profit for the website operator and third-party data brokers.
Plaintiff contends that these trackers function as “pen registers” under CIPA, a term traditionally associated with devices that record dialing or routing information from communications. The complaint asserts that the trackers were installed and used without user consent or a court order, in violation of Penal Code section 638.51.
Standing and Privacy Interests
Defendant argued that plaintiff lacked standing because there is no reasonable expectation of privacy in IP addresses and basic device information. The court disagreed, noting that the allegations went beyond mere collection of IP addresses. The complaint described a process by which users are deanonymized and linked to comprehensive profiles, which are then monetized. The court found these allegations sufficient to establish an invasion of privacy injury for standing purposes, even if actual damages were not alleged.
Definition of “Pen Register”
A central issue was whether the trackers qualify as “pen registers” under CIPA. The court found that the plaintiff’s allegations—that the trackers are software processes recording addressing and routing information—fit within the statutory definition. The court also cited recent federal district court decisions supporting the view that web trackers collecting such information can be considered pen registers.
Party to the Communication Defense
The defendant argued that, as a party to the communication (i.e., the website operator), it could not be liable under the relevant CIPA provision, which it claimed was intended to target only third-party eavesdroppers. The court rejected this argument, finding no basis in the statute to create such an exception, and noting that other CIPA provisions have been interpreted to apply to both parties and non-parties.
Legislative Developments and Other Statutes
Defendant argues that the California Senate is currently working towards passing “a bill [(“SB 690”)] that would amend the CIPA to clarify that the Act does not, and was never intended to, criminalize or penalize the use of common commercial web tracking software.” (MPA, p. 18:15-17.) However, at the same time, Defendant concedes that SB 690 has not become law. Thus, the Court cannot rely on it when interpreting the CIPA as the current language of the statute and interpretations of it presently control. Defendant provides no authority that permits the Court to rely on an unenacted law or amendments thereto, or to rely on the statements of individual politicians regarding unenacted laws. Moreover, as noted by Plaintiff, the retroactive language was removed from SB 690; therefore, even if it is eventually enacted, it will not impact the instant case.
Defendant argues that the California Consumer Privacy Act (“CCPA”) should define the statutory scheme for privacy law. (MPA, p. 20:10-19.) However, CCPA explicitly states that “law relating to consumers’ personal information should be construed to harmonize the provisions of this title.” (See Civ. Code § 1798.175.) Moreover, it states that “in the event of conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.” (Ibid, [emphasis added].) Therefore, it does not appear that CCPA and CIPA are in conflict with one another. Even if there was a conflict, the explicit language of the CCPA states that the law which affords the greatest protection should control. For this case, that law is the CIPA.
Rule of Lenity
Finally, the court declined to apply the rule of lenity (which resolves statutory ambiguities in favor of defendants in criminal cases), finding no “egregious ambiguity” in the statutory language.
Xu v. Reuters News & Media, Inc., No. 25CV459918, 2025 WL 3035016 (Cal.Super. Oct. 24, 2025).
