Judge Fernando M. Olguin, in the Central District of California, denied a motion to dismiss a privacy lawsuit alleging violations of California’s Trap and Trace Law, part of the California Invasion of Privacy Act (CIPA), stemming from the use of TikTok software to collect visitor data without consent. The ruling clarifies the scope of privacy protections for website users and the potential liability for companies employing third-party tracking technologies.
Plaintiff claims that defendant’s website embedded TikTok software that functions as a “trap and trace device,” collecting detailed information about visitors—including device and browser data, geographic location, referral tracking, and personal identifiers—through fingerprinting and advanced matching technologies. This data was allegedly transmitted to TikTok, enabling precise identification of individuals. Importantly, the complaint asserts that website visitors were not informed of these practices and did not provide consent, nor was a court order obtained as required by California law.
Standing and Injury
The court found that plaintiff had Article III standing, rejecting arguments that the alleged harm was speculative or insufficiently concrete. The decision emphasized that the right to privacy, including control over personal information, is a historically recognized and actionable interest. The court noted that CIPA codifies this right, and the alleged unauthorized collection and disclosure of private information constitutes a concrete injury.
Personal Jurisdiction
Addressing defendant’s challenge to personal jurisdiction, the court applied the “purposeful direction” analysis, concluding that the defendant’s conduct was intentionally aimed at California residents. The website’s interactive nature and targeted data collection practices established meaningful contacts with the forum state. The court relied on recent Ninth Circuit precedent, which held that platforms expressly aiming their conduct at California—especially when collecting and exploiting personal data—are subject to jurisdiction in the state.
Sufficiency of the Claim
The court determined that plaintiff adequately alleged a violation of California’s Trap and Trace Law. The TikTok software was found to meet the statutory definition of a trap and trace device, as it captured and correlated identifying information from website visitors. The court rejected the defendant’s argument that the law does not apply to commercial websites and clarified that statutory exemptions, such as user consent, did not apply because the plaintiff (as the website user) did not consent to the data collection.
The court is also not persuaded by defendant’s contentions that California’s Trap and Trace Law “is not applicable to commercial websites like [defendant’s] that do not permit person-to-person communications” because the language in Cal. Penal Code § 638.50 requires communications. (Dkt. 24, Motion at 15). Courts have determined that the trap and trace provision should be construed broadly and that “courts should focus less on the form of the data collector and more on the result.” Greenley, 684 F.Supp.3d at 1050 (concluding that tracking software could suffice as a pen register under California’s Trap and Trace Law). In Conohan, for instance, TikTok software embedded in the defendant’s website to collect visitors’ information “plausibly [fell] within the scope” of California’s Trap and Trace Law. 2025 WL 1111246, at *6. Similarly, in Moody, the court found that plaintiffs allegations that TikTok software was embedded in the defendant’s website and collects information were sufficient to allege that the software “may qualify as a pen register or trap and trace device under California law[.]” 742 F.Supp.3d at 1076. In short, plaintiff has adequately alleged that the TikTok Software on defendant’s Website qualifies as a trap and trace device under Cal. Penal Code § 638.50(c).
Finally, the court is unpersuaded by defendant’s argument that even if the TikTok Software is a trap and trace device, there was no violation of Cal. Penal Code § 638.51 because defendant gave consent to TikTok. (See Dkt. 24, Motion at 19). California’s Trap and Trace Law permits the use of a trap and trace device “[i]f the consent of the user of that service has been obtained.” Cal. Penal Code § 638.51(b)(5). Defendant contends it is the “user,” i.e., the “party who receives the communication, not the sender[,]” (Dkt. 24, Motion at 20), and thus only defendant’s “consent matters.” (Id. at 21). This argument is unavailing. In Moody, the court determined that the plaintiff, who did not consent, was the relevant “user” of the defendant’s website that installed TikTok software, thereby “plausibly demonstrat[ing] that the consent exception does not apply.” 742 F.Supp.3d at 1077. Here, plaintiff similarly alleges that he is the user of the Website and did not give express or implied consent. (See Dkt. 1, Complaint at ¶¶ 9, 20, 22, 33). Thus, plaintiff’s allegations are sufficient to plausibly demonstrate that the consent exception does not apply.
Hassid v. Alex & Ani, LLC, No. CV 25-0679 FMO (JCX), 2026 WL 160535 (C.D. Cal. Jan. 20, 2026).
