On March 6, 2026, the Superior Court of California, County of Los Angeles, sustained the demurrer of Palo Alto Networks, Inc. and dismissed a complaint alleging that the company’s deployment of a Software Development Kit (“SDK”) on its website violated the California Invasion of Privacy Act (“CIPA”) by functioning as a “trap and trace device.” The court held that CIPA’s trap and trace provisions do not extend to website communications, and dismissed the action without leave to amend.
Background
Plaintiff Lawrence Schallert filed suit against Palo Alto Networks, Inc. alleging that the company deployed an SDK on its website that captured electronic impulses identifying website visitors without their consent. Schallert alleged that this software functioned as a “trap and trace device” in violation of Penal Code section 638.51, which generally prohibits the installation or use of a pen register or trap and trace device without a court order. Palo Alto Networks demurred, arguing that the complaint failed to state facts sufficient to constitute a cause of action.
The Court’s Analysis
The court began its analysis by noting that neither party had cited binding California authority holding that CIPA applies to websites. The court then turned to the statutory text. Under Penal Code section 638.50, subdivision (c), a “trap and trace device” is defined as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” While this definition does not expressly limit trap and trace devices to telephone lines, the court found that other provisions of CIPA do impose such a limitation.
Specifically, the court pointed to Penal Code section 638.52, which requires a court order authorizing the installation of a trap and trace device to include, among other things, the identity of the person “in whose name is listed the telephone line” to which the device is to be attached, and the “number and … physical location of the telephone line” to which the device is to be attached. Reading these provisions together, the court concluded that the scope of a trap and trace device under CIPA is limited to telephone lines.
The court also found support in the legislative history. Assembly committee analyses of the underlying bill, AB 929, described the legislation as authorizing law enforcement agencies to seek emergency orders for pen registers and trap and trace devices specifically in the context of “telephone surveillance.” Similarly, committee comments described a trap and trace device as a tool that allows law enforcement to “record what numbers have called a specific telephone line.”
Because the plaintiff’s claim rested entirely on the allegation that the SDK on the defendant’s website constituted a trap and trace device, and because the court found CIPA does not extend to website communications, the court concluded that the plaintiff failed to state a cause of action. The court further found that the plaintiff had not met the burden to show how the complaint could be amended to cure this deficiency, and therefore sustained the demurrer without leave to amend.
Schallert v. Palo Alto Networks, Inc., No. 25STCV17109 (Cal. Super. Ct., Los Angeles Cnty., Mar. 6, 2026).
