
The California Information Privacy Act (CIPA) has become a go‑to vehicle for plaintiffs’ counsel attacking website tracking technologies, such as cookies, pixels, beacons, chat bots, and video or session replay tools.
Over the last few years, website operators have been hit with a wave of demand letters claiming CIPA violations. But the tide may be shifting – marking smoother sailing for website operators. A recent decision from a California court narrows CIPA to telephonic communications and significantly undercuts the viability of CIPA claims against commercial websites.
As we have previously discussed, plaintiffs have argued that website tracking technologies amount to illegal wiretapping or eavesdropping without the website visitor’s consent using a variety of laws to support such claims, most commonly CIPA. Statutory damages under CIPA are steep, amounting up to $5,000 per violation or three times actual damages, whichever is higher—making these claims particularly attractive for the plaintiffs’ bar.
On May 27, 2026, in Blaker v. NetScout Systems, Inc., Case No. 25STCV31283, the Los Angeles County Superior Court dismissed a CIPA lawsuit with prejudice, holding that CIPA’s legislative intent was limited to telephonic communications—not internet websites.
Blaker v. NetScout Systems, Inc. – Plaintiff’s Allegations
In Blaker, the plaintiff alleged NetScout’s deployment of X’s (f/k/a Twitter) a tracking Software Development Kit (SDK) on NetScout’s website captured electronic impulses to identify website visitors for analytics purposes, without their consent, violating CIPA. Specifically, the plaintiff alleged that the SDK was deployed before displaying any privacy notice or obtaining visitor consent, asserting “[t]he surveillance begins the instant a visitor’s browser connects to the [w]ebsite.”
The plaintiff further asserted that while a traditional SDK may not by itself be a tracking technology, the information aggregated by the SDK in this instance created a “highly unique digital fingerprint” that reliably identified and tracked individual visitors even without traditional identifiers like cookies. The plaintiff claimed the SDK effectively generated surveillance trackers that enabled comprehensive monitoring of users’ online activities and detailed behavior profiling without meaningful user awareness or consent. The plaintiff also asserted that each visit to NetScout’s website, and the resulting automatic activation of tracking technologies to capture electronic impulses, constituted a separate violation of CIPA.
Blaker v. NetScout Systems, Inc. – NetScout’s Response
NetScout responded that the complaint failed to state a legally valid claim and that the pleading raised pure questions of law. The Los Angeles County Superior Court agreed.
NetScout argued that the plaintiff failed to allege NetScout employed a “pen register” or “trap and trace device” within the meaning of CIPA, contending those terms are expressly tied to telephones, not SDKs running on websites.
Breakdown of the Court’s Analysis
Using the statutory text and legislative history, the court tackled the question that has fueled years of CIPA litigation: does CIPA reach beyond telephone lines? The court’s answer was no.
Focusing on the definitions of “pen register” and “trap and trace device,” the court concluded that internet websites fall outside CIPA’s scope. The court emphasized terms such as “dialing,” “originating number,” and “routing” explicitly concern telephone use.
- “Trap and trace device” is a “device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”
- “Pen register” is “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.”
The court remarked “the internet was in widespread use when these provisions were enacted in 2015. If the Legislature had intended for section 638.51 [of the California Penal Code] to apply to commercial websites, it would have so stated either in the statute itself or in the surrounding materials.” Applying ordinary rules of statutory construction, Penal Code section 638.51’s structure, and the legislative history, the court held that CIPA applies only to telephonic communications and not to software on a commercial website.
The court also noted there was no need for the plaintiff to amend the complaint because any amendment would be futile given the ruling and CIPA’s inapplicability to commercial websites.
Looking Ahead
This decision is a significant moment for businesses defending against CIPA demand letters and lawsuits over website tracking. That said, it is a trial‑court decision from the Los Angeles County Superior Court, other courts may chart a different course. This decision does not bind other California courts or appellate courts.
Still, the ruling is an important signal that some of the more aggressive, expansive CIPA theories, especially those trying to retrofit device-specific statutes to modern website technology, may hit a statutory wall.
Notably, plaintiffs are already layering alternative theories and causes of action, including California’s Shine the Light Law, the Unfair Competition Law, and traditional privacy torts which means website practices will continue to be scrutinized. Practical steps for businesses include:
- Audit website tracking technologies and partners. Inventory all tracking tools (including SDKs and pixels), identify the data collected, and map data sharing with third parties.
- Provide clear notice. Update privacy policies and online terms so they accurately describe tracking, analytics, advertising, and sharing practices in language a typical user can understand.
- Consider banners and just‑in‑time disclosures. Deploy a banner or similar mechanism for first‑time visitors to disclose data collection and sharing practices, and link prominently to your privacy policy and preferences tools.
Taft will continue to monitor developments related to CIPA litigation and similar trends. If you have questions about this decision, or about website tracking technologies more broadly, Taft’s Privacy, Security & AI attorneys are available to assist. As always, please sign up to receive emails of our latest posts here on Privacy and Data Security Insights, and follow us on LinkedIn for the latest in privacy, security and artificial intelligence legal news.
