Over the past year, there has been an explosion of lawsuits targeting website analytics and tracking tools. One recent decision brought businesses another victory in challenging lawsuits alleging violations of the California Invasion of Privacy Act’s (CIPA)’s prohibition against use of “pen registers” and “trap and trace devices.” Cal. Penal Code § 638.51. In a recent ruling, a federal judge in the Central District of California dismissed one such lawsuit, holding that the claim could not be asserted in federal court.
Case Background
Converse has been previously targeted by – and has defeated – other CIPA claims. This includes one decision from earlier in the year where the Ninth Circuit Court of Appeals affirmed dismissal of a complaint filed against Converse alleging violation of CIPA. There, a website visitor claimed that Converse’s use of a website chat vendor amounted to wiretapping. This was because, according to the Plaintiff, the third-party tech vendor intercepted and potentially read her chat correspondence (which, in turn, supported a CIPA aiding and abetting claims against Converse). The Ninth Circuit disagreed, siding with the district court which had held even if the vendor involved could hypothetically access the messages involved, there was no proof it actually attempted to or effectuated such access.
This recent case filed against Converse differed in its focus. Plaintiff asserted that Converse violated CIPA by sharing data with a social media company’s pixel through a software development kit (SDK). Plaintiff’s complaint alleged that this SDK collected data which in effect could be used as an electronic fingerprint to facilitate the social medial company engaging in profiling of the user based on their activity on Converse’s website. Plaintiff claimed this software qualified as a “trap and trace device” under California law and subjected Converse to damages under CIPA.
Court Rejects Plaintiff’s Trap and Trace Theory for Lack of Injury
But the court did not rule on the merits of that allegation. Instead, the judge dismissed the case after holding that Plaintiff did not establish standing – the legal doctrine that generally requires plaintiffs in federal court to prove a concrete and particularized injury – under Article III of the U.S. Constitution. Under Supreme Court and Ninth Circuit precedent, an alleged statutory violation is insufficient to satisfy Article III’s standing requirement without a showing of actual harm similar to historically recognized injuries. For privacy claims, courts plaintiffs have typically pointed to intrusion upon seclusion or public disclosure of private facts as historically recognized injuries.
In layman’s terms, the Plaintiff needed to show a real-world harm personal to her, not merely a purported statutory violation. The Court rejected Plaintiff’s comparisons to the common law privacy torts of intrusion upon seclusion and public disclosure of private facts as adequate to establish such harm because plaintiff’s allegations of “fingerprinting” did not allege “highly offensive” disclosures or interferences.
Some recent CIPA decisions, including this one, reflect judicial concern that the plaintiff’s bar has significantly overreached in bringing a prolific number of claims under California law in a distortion of legislative intent. That being said, wiretap claims in litigation and arbitration are anticipated to comprise a majority of all privacy claims brought in 2026 – and Privacy World will be there to keep you in the loop. Stay tuned.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.
