The Los Angeles Superior Court granted defendant’s motion for judgment on the pleadings in a case alleging that a website operator’s use of analytics software—which collects and links various user identifiers—constituted the use of a “pen register” or “trap and trace device” under CIPA, and therefore required a court order or user consent.
Statutory Interpretation and Legislative Intent
While CIPA defines “pen register” and “trap and trace device” in terms that could, on their face, encompass electronic communications, the court found ambiguity as to whether these provisions were intended to apply to website tracking tools.
The court reviewed legislative history and related statutory provisions, noting that CIPA’s structure and amendments have consistently focused on telephonic communications. The court emphasized that when the California Legislature has intended to regulate internet-based activity, it has done so explicitly in other statutes. The absence of any reference to website communications in the relevant CIPA provisions was interpreted as a deliberate choice not to include website analytics within the statute’s scope.
Divergent Case Law and Policy Considerations
The court acknowledged that other courts have reached differing conclusions on this issue, with some federal decisions finding that certain tracking software could fall within CIPA’s definitions. However, the court found persuasive the reasoning that an expansive reading of CIPA to cover routine website analytics would disrupt internet commerce and conflict with the California Consumer Privacy Act (CCPA), which already regulates online data collection through a comprehensive opt-out and notice regime.
The court also cited pending legislation (Senate Bill 690) and legislative statements clarifying that CIPA was not intended to apply to website tracking tools, and that such conduct is instead governed by the CCPA and the California Privacy Rights Act (CPRA).
If the California Legislature wanted to apply § 638.52 to the website tracking tools, it could do so by amending such provision. The Legislature’s drafting in related provisions confirms that it knows how to regulate internet-based activity when it wishes to do so. Specifically, the Legislature has expressly referenced “internet” or “online” communications and services when extending protections beyond traditional telephonic technologies. For example, the California Legislature added Cal. Penal Code § 632.01 in 2017. This provision punishes anyone who violates § 632(a) and then intentionally discloses or distributes, in any manner, in any forum, including, but not limited to, Internet Web sites and social media … the contents of a confidential communication with a health care provider ….” (See Cal. Penal Code § 632.01.) “When the Legislature has carefully employed a term in one place and has excluded it in another, it should not be implied where excluded.” (internal quotations and citations omitted) (Bradsbery v. Vicar Operating, Inc. (2025) 110 Cal.App.5th 899, 910.)
*4 As indicated by Ink America, websites have used the software at issue here when the Legislature enacted penal code § 638.52 in 2015 and when it was amended in 2016 and 2022. The absence of any comparable reference to website communications in Penal Code § 638 indicates a deliberate choice not to sweep ordinary website analytics within CIPA’spenregister and trap and trace provisions. Additionally, pending Legislation, Senate Bill 690, shows a Legislative intent that CIPA was not intended to apply to the website tracking tools at issue. In describing SB 690’s purpose, Senator Anna Caballero stated:
“I rise today to present SB 690, a Bill to protect California businesses from a wave of abusive and predatory lawsuits that are threatening jobs, innovation, and the very ability to do business in our state. [] California already has the strongest privacy law in the nation, the California Consumer Protection Act, or CCPA. Back in 2018, this Legislature passed CCPA to give consumers real control over their data using a modern opt out approach. Suing under CIPA for activity that’s already governed by the CCPA goes against legislative intent, creates confusion, punishes compliance, and doesn’t make Californians any safer. A private settlement doesn’t create stronger protections for consumer or clearer rules for business.”
SB 690’s stated purpose indicates that CIPA was not intended to apply to website tracking tools. Instead, such conduct is intended by the Legislature to be covered by the CCPA and CPRA. The CCPA provides certain defined rights and compliance obligations for data collection via internet connectivity. Under the CCPA, consumers have the right to: (1) know what personal information a business collects (Civ. Code § 1798.110), (2) delete the personal information collected (Civ. Code § 1798.106), (3) opt-out of the sale of personal information (Civ. Code § 1798.120), (4) limit disclosure and use of sensitive information (Civ. Code § 17898.121), and (5) to non-retaliation for exercising their CCPA rights (Civ. Code § 1798.125).
Notably, the CCPA expressly contemplates businesses will collect and use personal data so long as a regulatory framework is followed. (Civ. Code §§ 1798.100 et seq.) Importantly, the CCPA does not require that users provide express consent prior to the collection of data. (Ibid.) This regime does not require prohibit such data collection or require a court order. Plaintiff’s expansive reading of CIPA, criminalizing web based analytical tools, would seemingly render CCPA void. Specifically, if website analytic tools are interpreted to fall within the ambit of Penal Code § 638.51, using them without a court order would violate CIPA. However, CCPA presumes that such tools will be employed so long as the proper procedures such as notice, opt-out, and deletion are followed.
In Licea v. Hickory Farms, LLC (2024) 2024 WL 1698147, the court found that “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such a broad-based interpretation would potentially disrupt a large swath of internet commerce without further refinement as the precise basis of liability, which the court declines to consider.” This Court finds that reasoning persuasive and adopts it here.
Rodriguez v. Ink America Intern. Group LLC, No. 25STCV15350, 2025 WL 4034985 (Cal.Super. Dec. 10, 2025).
