This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission. Please click "Reprint" to order presentation-ready copies to distribute to clients or use in commercial marketing materials or for permission to post on a website. and copyright (showing year of publication) at the bottom.
News

Data Privacy

Jul. 7, 2026

Recent rulings narrow reach of CIPA, but broader privacy fight continues

Several recent state and federal rulings have limited the application of portions of the California Invasion of Privacy Act to online data collection, but attorneys say courts remain divided and appellate guidance or legislative action will likely be needed before the wave of CIPA lawsuits subsides.

Recent rulings narrow reach of CIPA, but broader privacy fight continues
Baker McKenzie partner Lothar Determann

A series of recent rulings has held that the California Invasion of Privacy Act -- the 1967 wiretap law behind a slew of lawsuits over online data collection practices -- wasn't intended to apply to the internet. But experts warn against declaring that the tide is turning in favor of the companies defending these cases.

"I haven't really seen a convincing macrotrend here that would give me confidence that one side has the upper hand," Stuart K. Tubis, a partner at Jeffer Mangels & Mitchell LLP, told the Daily Journal.

In late May, Los Angeles Superior Court Judge Gary D. Roberts dismissed a privacy lawsuit against network monitoring company NetScout Systems, ruling that CIPA's 2015 provisions against installing a pen register or trap and trace device without consent only apply to telephone communications.

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. partner Scott T. Lashway, who represents NetScout in the case, said he believes it's the first time a court has narrowed the provisions, which have driven much of the recent litigation around the statute, to only apply to phones.

"For the first time, based on our understanding, a trial court ruled that those provisions are in fact limited to telephone technologies and are not intended to regulate website technology or website software generally," Lashway said. The case is Blaker v. NetScout Sys., Inc., No. 25STCV31283 (L.A. Super. Ct., filed Oct. 27, 2025).

Lashway said the ruling will likely be challenged, but that he hopes other judges "accept the simplicity of it."

A pair of federal rulings narrowed the scope of the law as well. That month, U.S. District Judge Rita F. Lin dismissed claims brought under CIPA's pen register provision against Meta for allegedly finding a backdoor way to link Android users' browsing data with their social media accounts. The judge ruled that browsing data doesn't fall within the scope of the provision, which primarily applies to routing information like an address, phone number, or IP address. However, Lin allowed eavesdropping and wiretapping claims brought under CIPA to move forward. The case is In re: Meta Android Privacy Litigation, 3:25-cv-04674 (N.D. Cal., filed June 3, 2025). 

A month later, U.S. Magistrate Judge Laurel Beeler granted summary judgment to Papa John's and call center operator Cognizant in a lawsuit brought under CIPA's two-party consent requirement, ruling that the provision doesn't apply to the voice over internet protocol system the defendants used. The case is Guerra v. Papa John's International Inc., 3:23-cv-01933 (N.D. Cal., filed April 21, 2023).

According to Baker McKenzie partner Lothar Determann, some courts have been "uncomfortable" with the number of lawsuits being brought under CIPA given the lack of apparent harm to individuals whose data is tracked by websites. But for the most part, Determann said, courts continue to issue mixed rulings.

"I think it's difficult to say that there are trends," Determann, author of the International Association of Privacy Professionals' California Privacy Law handbook, said.

Determann said that will likely continue until more cases reach the summary judgment phase, or even trial. But defendants continue to settle, he said, because no company wants to be the one that makes it all the way to trial and loses. Since each settlement is relatively small and juries have shown reluctance to side with tech companies recently, in most cases, defense attorneys can't advise their clients in good faith to head to trial.

"Until businesses really reach a breaking point, this will continue for a while," Determann said.

Determann said he advises companies to double down on their compliance efforts in order to reduce the risk of a lawsuit. Some simple compliance steps include notifying users of data collection practices, limiting data collection to necessary information and deleting old data, according to Determann, although he said no amount of compliance can completely prevent a lawsuit.

But complicating matters is the California Consumer Privacy Act of 2018. The law prohibits companies from asking for consent to collect data from someone who's opted out of data collection within the past year. That can come into conflict with other privacy laws, Determann said, which require opt-in consent whenever a user opens a website.

"And if you try to do all of this for one website... then you inevitably make some mistakes here and there," Determann said.

In the meantime, the claims continue to come in.

"We're aware of one company having received 6,000 private arbitrations in one day," Lashway said. "There is a flood of this work that's being driven by a relatively small handful of plaintiffs' counsel who have focused their practices in this space."

According to UC Irvine law professor Ari E. Waldman, website operators saw a wave of similar lawsuits under the federal Electronic Communications Privacy Act in the early days of the internet. But while those cases were largely unsuccessful, Waldman said plaintiffs have found a friendlier audience for their claims under CIPA.

"The difference is that this is taking place in California," Waldman said.

But while that's encouraged more plaintiffs to bring claims, plenty of California courts continue to side with defendants on the claims. Defendants, he said, are largely making the same argument they did during the federal internet privacy litigation: that plaintiffs are using outdated laws not intended to apply to new technology in order to attack companies. Waldman said he's skeptical of that argument but said some judges have been swayed by it.

"Judges, too, have problems recognizing that modern technology is subject to the same laws that we've always had," Waldman said.

Waldman said he expects some clarity next year, as appellate courts begin to rule on CIPA cases. But until then, he expects courts will struggle to find a way to address the harms of potential privacy violations without being too restrictive to companies.

"Courts are just trying to figure it out," Waldman said. "They're trying to find a happy medium where individual harms can be recognized without floodgates of litigation."

Courts still must determine how the term intercept applies to internet data tracking and whether the technical infrastructure of a website counts as a pen register, Waldman said.

"These are mixed questions of law and technology," Waldman said.

Tubis said he expects the cases to persist until the appellate courts or legislature answer those questions.

"We need a higher-level court opinion or legislative action," Tubis said.

The legislature could act before the courts. Last week, SB 690, which would restrict the ability to bring lawsuits against website operators under the pen register and trap and trace provisions to the attorney general, passed the Assembly's Privacy and Consumer Protection Committee.

But Determann said he's not convinced that legislation will solve the issue entirely since new laws tend to come with complications and often raise new legal questions.

"I think it's still early times," Determann said, "even though this statute is older than I am."

#392804

Daniel Schrager

Daily Journal Staff Writer
daniel_schrager@dailyjournal.com

For reprint rights or to order a copy of your photo:

Email Jeremy_Ellis@dailyjournal.com for prices.
Direct dial: 213-229-5424

Send a letter to the editor:

Email: letters@dailyjournal.com