KEYPOINT– The N.D.Cal. shared its frustration with the language of CIPA, the conflicting rulings on how it has been applied, and the need for the legislature to fix it, as part of its recent decision granting summary judgment and dismissing a CIPA claim.

Over the last 24 months, courts have been flooded with litigation involving alleged violations of the California Invasion of Privacy Act (CIPA), and its application to everyday website data technologies (so-called “tracking technologies”) that are commonplace on internet websites. On October 17, 2025, the U.S. District Court for the Northern District of California, issued an Order in Doe v. Eating Recovery Center, LLC, Case No. 23-cv-05561, granting a defendant’s motion for summary judgment and dismissing CIPA claim brought under § 631(a) (CIPA’s wiretapping or eavesdropping provision), arising from a defendant’s use of a third party pixel (Pixel) on its website.

Applying the principles of statutory construction, the doctrine of lenity, and commonsense, the Northern District of California found the defendant website operator did not violate CIPA § 631(a) because it was undisputed that the third party social media company, the alleged third party that received the event data about the plaintiff Doe’s interactions with a website, “did not read, attempt to read, or attempt to learn the contents of Doe’s communications while those communications were in transit.”

While the holding in the Eating Recovery Center matter is a welcomed result, the court’s frustration with the language of CIPA and the wave of litigation it has spurred — a concern shared by many businesses throughout the U.S. — is most noteworthy. In a strongly worded opinion, the court referred to CIPA in various parts of its decision as “a total mess,”[1] “virtually impossible to apply to the online world,”[2] “virtually impossible to understand what [it] actually means,”[3] and creating an “untenable” state of affairs.[4] The court also called on California Legislature to “step up” and “go back to the drawing board on CIPA” — a timely plea as the Legislature is currently considering doing just that.

Background Facts

In Doe, plaintiff claimed defendant violated § 631(a) (4) by aiding and/or conspiring to enable the third party to read, or attempt to read, or to learn the contents her communications with the defendant’s website while they were in transit and without her consent. To support the claim, plaintiff presented evidence as part of her motion for summary judgment showing defendant deployed the Pixel on her website, and when she visited that website to obtain information about treatment for an eating disorder, and the Pixel shared her information with the third party.

In response, the defendant filed a cross-motion for summary judgment claiming it could not be liable for a violation of CIPA § 631(a) because the event data transmitted to the third party did not constitute the “contents” of a communication to give rise to a § 631(a) claim and the third party did not read, attempt to read or attempt to learn the information while it was “in transit.”

The Court’s Decision

The court’s decision focused on these two issues: (1) whether the information captured by the Pixel qualified as the “contents” of a communication under CIPA; and (2) whether the third party read, viewed or learned the information while it was “in transit”.

The court made short work of the first issue, finding the event data that was shared with the third party was more than basic identification and address information, and constituted the contents of a communication because it involved the specific URL for each webpage plaintiff visited, the time she spent on each webpage, the path she took to get to a webpage, and the actions she took while on the webpage.

As to the second issue the court found that the information shared with information was not “in transit” when the third party attempted to read or learn it, to give rise to a § 631(a) claim. In doing so, the court rejected the plaintiff’s argument that the “in transit” requirement is satisfied because the third party filters the event data it receives to remove information it does not wish to store. The court found this position wrong as a matter of law, finding the automated effort to avoid storing information it should not be considering does not equate to reading or learning the contents of information. The court noted that reading or learning the contents of information requires evidence of some effort to understand the substantive meaning of the communication, which did not exist in the third party’s filtering process. The court also noted the “in transit” requirement also was not satisfied because even if the third party’s filtering constituted reading or learning of the “contents” of a communication, the filtering occurs only after the third-party received the data and therefore was not done while the data was “in transit.” Importantly, the court noted that while the differentiation in the timing between a website visitor’s actions and the transmission to the third party is trivial, the statutory language “in transit” is not and must be enforced to apply only in cases where the reading or learning occurs before the information is received by the website.

Finally, the court addressed a related argument made by the plaintiff — whether the third party “attempted” to learn the contents of the communication through its filtering. Specifically, the plaintiff contended that as long as the communication was intercepted in transit with the intent of the recipient later learning or reading its contents, § 631(a) is violated. The court rejected this argument, providing two related rationales. First, the court concluded § 631(a) liability requires something more than the interception of the communication. The court noted that in interpreting CIPA the language in context, § 632 makes it unlawful to eavesdrop or record a confidential communication without consent, which is the basis for the plaintiff’s claims. The court noted that reading the language of § 631(a) as broadly as the plaintiff suggest would render CIPA § 632 superfluous, at least in the context of internet communications. Further, noting that because CIPA is a criminal statute that also imposes punitive civil penalties, the rule of lenity applies. Under this rule of lenity, when a statute is ambiguous, as is the case with CIPA, a court is required to adopt the narrower construction, which in this case, necessitates something more than the interception of a communication for a violation to be found. Importantly, the court reached this conclusion despite agreeing with plaintiff that CIPA was intended to protect California consumers from new devices and techniques used for eavesdropping.

Takeaways and Legislative Update

The decision in Doe v. Eating Recovery Center LLC is another tool for companies to utilize when defending against the wave of demands and claims being asserted on CIPA for conduct that was never contemplated back in 1967 when the statute was enacted. More importantly the decision is a much-needed rally cry to the California Legislature to step up to the plate and adopt S.B. 690 during the 2026 Legislative term.

Senate Bill 690, if adopted, would change CIPA by exempting claims under CIPA § 631(a) (wiretapping or eavesdropping) and §638.51 (pen register and trap and trace) arising from the use of tracking technologies used for commercial business purposes. S.B. 690 was unanimously approved by the California Senate on June 3, 2025, and moved to the Assembly for passage. The Assembly’s Public Safety Committee voted to advance S.B. 690 as a two-year bill, which stalled the movement of the bill in 2025. The bill’s sponsor, however, noted that the bill will be revisited by the Assembly’s Privacy & Consumer Protection Committee during the 2026 session. While the bill, if enacted, may provide some relief against CIPA claims, wiretapping claims applied to lawsuits will continue to persist in other two-party consent states like Florida and Pennsylvania. Additionally, plaintiffs are gaining some traction using the “crime-tort” exception of the Federal wiretapping law, which could open the door to lawsuits on a national level (visit HERE for more details).

[1] Jane Doe v. Eating Recovery Center LLC, No. 23-5561, Dkt. 167, at 1 (N.D. Cal. Oct. 17, 2025).

[2] Id. at 12.

[3] Id. at 10.

[4] Id. at 2.