On January 29, 2026, Judge Eumi K. Lee, in the Northern District of California, denied iHeartMedia’s motion to dismiss a class action lawsuit alleging violations of the California Invasion of Privacy Act (CIPA) through the use of third-party internet trackers. Plaintiff claims that iHeartMedia’s website installs trackers on users’ browsers, collecting and disseminating personal data without consent. The court’s decision provides important guidance for businesses operating in California, especially those leveraging online tracking technologies for advertising and analytics.
Article III Standing: Privacy Harm Recognized
The court found that plaintiff sufficiently alleged a “concrete and particularized” injury, satisfying Article III standing requirements. The alleged harm centers on the loss of control over personal information and the broad dissemination of user data to third parties. The court emphasized that the creation and sale of comprehensive, non-anonymous user profiles—built from IP addresses, device metadata, and unique identifiers—constitutes an invasion of privacy analogous to traditional privacy harms recognized at common law.
The court distinguished this case from less intrusive tracking scenarios, noting that the scope of data collection and dissemination here is far more extensive than in prior cases involving session-replay technology. The ruling aligns with recent decisions in the Ninth Circuit, which have held that the use of internet trackers to generate detailed user profiles is sufficient to allege a privacy injury.
CIPA Pen Register Claims: Trackers Qualify
A central issue was whether third-party internet trackers meet the definition of a “pen register” under CIPA. The statute defines a pen register as any device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by electronic communication, excluding the content of the communication. The court rejected iHeartMedia’s argument that trackers do not qualify because they collect information about the source rather than the recipient of communications.
Citing a growing body of case law, the court held that internet trackers record addressing information transmitted by users’ devices in connection with outgoing requests to websites, satisfying CIPA’s technical requirements.
TREVOR HARRIS, v. IHEARTMEDIA, INC., No. 25-CV-06038-EKL, 2026 WL 247875 (N.D. Cal. Jan. 29, 2026).
