When Cookies Become Wiretaps: The New CIPA War Over Online Tracking
For years, companies treated cookies, pixels, tags, session-replay tools, software development kits, chatbot telemetry, and analytics scripts as part of the ordinary plumbing of the internet. Marketing wanted attribution. Product teams wanted funnel data. Security teams wanted fraud signals. UX teams wanted heat maps. Legal teams, when consulted at all, wanted a privacy policy, a cookie banner, and perhaps a vendor contract.
That assumption is now dangerous.
Plaintiffs, regulators, and privacy claimants are increasingly using old surveillance statutes—particularly the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630–638.55—to characterize ordinary web-tracking technologies as unlawful wiretaps, eavesdropping devices, pen registers, or trap-and-trace devices. According to industry tracking, more than 1,500 CIPA lawsuits were filed in the 18 months preceding August 2025, with more than 1,000 in calendar year 2025 alone. The theory is not that the company secretly installed a microphone in the user’s home. The theory is that the company installed code in the user’s browser or device that captured communications, routing data, device identifiers, clickstream data, form-field interactions, IP addresses, referrer URLs, page views, location signals, search terms, and cross-site identifiers without valid consent.
That is a very different privacy litigation model. It does not require a data breach. It does not require identity theft. It often does not require proof of economic loss. It reframes the website itself as a surveillance instrument.
The recent Crypto.com decision is a good illustration of both the power and the limits of these claims.
In Ortiz v. Foris DAX, Inc., No. 25-cv-08950-EMC (N.D. Cal. May 21, 2026), Judge Edward M. Chen considered claims against Foris DAX, the operator of Crypto.com, alleging that the company placed third-party tracking cookies on users’ devices even after they selected a “Disable All” cookies option. The plaintiffs alleged that Crypto.com’s cookie banner stated that the site used cookies to operate the site, enhance user experience, analyze traffic, and conduct advertising and analytics, and that users could “Accept All,” “Disable All,” or customize settings. According to the complaint, the plaintiffs selected “Disable All,” but Crypto.com allegedly continued to place or use cookies, including third-party targeting cookies associated with Google, X, and Snapchat. The court described the plaintiffs’ theory as one of cross-tracking: identifiers placed through Crypto.com allegedly allowed third parties to connect a user’s activity on Crypto.com with activity on other websites containing the same third-party tracking ecosystem.
The court dismissed the common-law privacy tort claims, the CIPA § 631 wiretap claim, the fraud claim, and unjust enrichment, but allowed the CIPA pen-register claim under Cal. Penal Code § 638.51 to proceed. The dismissed claims were dismissed with leave to amend. That split result matters. The court found that the plaintiffs plausibly alleged a reasonable expectation of privacy because they clicked “Disable All,” but the complaint did not adequately plead that the intrusion was “highly offensive” because it did not specify what the plaintiffs actually did on the Crypto.com site beyond browsing. The court also dismissed the § 631 claim because the complaint did not sufficiently allege that the plaintiffs personally engaged in communications whose contents were intercepted, as opposed to alleging only categories of information the cookies were capable of collecting.
But the court refused to dismiss the CIPA pen-register theory. Cal. Penal Code § 638.51(a) provides that, subject to statutory exceptions, “a person may not install or use a pen register or a trap and trace device without first obtaining a court order.” Cal. Penal Code § 638.51(a). The statute defines a pen register as a “device or process” that records or decodes “dialing, routing, addressing, or signaling information” transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of the communication. Cal. Penal Code § 638.50(b). The Crypto.com court held that nothing in the statutory text limits “pen register” to telephones, noting that other CIPA provisions expressly refer to telephone communications when the Legislature wants such a limitation.
That is the hinge on which much of the modern litigation turns. A wiretap claim under § 631 usually requires allegations about the interception of the “contents” of a communication while in transit. A pen-register claim under §§ 638.50 and 638.51, by contrast, targets metadata: routing, addressing, signaling, source, destination, and similar non-content information. That distinction, borrowed from the telephony world, maps imperfectly but powerfully onto the web. The user’s URL path, referrer, IP address, device ID, cookie ID, browser fingerprint, advertising ID, page sequence, and event signals may not be the “contents” of a communication in the conventional sense, but they are exactly the kind of addressing and signaling data that plaintiffs now argue the pen-register provisions regulate. Courts are applying 1960s-era privacy concepts to cookies, pixels, SDKs, and website analytics, with mixed results and no definitive appellate rule yet under CIPA § 638.51.
The doctrinal path began, for practical purposes, with Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023). In Greenley, the plaintiff alleged that Kochava provided software development kits to app developers and used them to collect and sell device data, including geolocation, app usage, purchase decisions, and payment information. The court rejected the argument that CIPA’s pen-register provisions were limited to physical telephone devices, observing that “pen registers [now] take the form of software” and that the statutory phrase “device or process” is broad enough to encompass software-based collection. Id. at 1050. Greenley triggered a wave of § 638.51 claims against digital companies, because the court accepted that software fingerprinting users could plausibly be a “pen register.”
Since then, courts have split. Some have declined to convert basic website telemetry into a pen register. In Licea v. Hickory Farms, LLC, No. 23STCV26148, 2024 WL 1698147 (Cal. Super. Ct. Mar. 13, 2024), the Los Angeles Superior Court sustained a demurrer where the plaintiff alleged only IP-address collection, holding that the complaint failed to establish that an IP address was equivalent to the “unique fingerprinting” technology in Greenley and that public policy disfavored a reading of CIPA that would treat “every single entity voluntarily visited by a potential plaintiff” as a CIPA violator. The court treated the user’s voluntary transmission of an IP address to the server as analogous to the third-party doctrine reasoning of Smith v. Maryland, 442 U.S. 735, 744 (1979), reasoning that the addressing information the user himself supplied to establish the connection was not protected by a reasonable expectation of privacy.
Less than a month later, a different judge in the same courthouse went the other way. In Levings v. Choice Hotels International, Inc., No. 23STCV28359, 2024 WL 1481189 (Cal. Super. Ct. Apr. 3, 2024), the court overruled the defendant’s demurrer to a CIPA pen-register claim premised on tracking software that allegedly accessed the plaintiff’s device, declining to adopt the Licea policy reasoning and concluding that treating mere website visitation as implied consent to tracking would let the consent exception swallow the rule.
Federal courts have also divided. In Moody v. C2 Educational Systems Inc., No. 2:24-CV-04249-RGK-SK, 2024 WL 3561367, 742 F. Supp. 3d 1072 (C.D. Cal. July 25, 2024), Judge R. Gary Klausner denied dismissal of a § 638.51 claim premised on TikTok pixel software that allegedly “fingerprinted” website visitors—capturing browser, device, geolocation, and form-field information and matching it against the TikTok database to identify anonymous visitors. The court rejected the argument that § 638.51 was limited to physical devices attached to telephone lines, reasoning that § 638.50’s definitions contain no such requirement. In Shah v. Fandom, Inc., No. 24-CV-01062-RFL, 2024 WL 4539577, 754 F. Supp. 3d 924 (N.D. Cal. Oct. 21, 2024), the court held that IP-address information collected by third-party trackers constituted “addressing” information under the statute and rejected the defendant’s argument that allowing the suit would “unsettle the basic operating rules of the internet,” reasoning that any narrowing of § 638.51’s scope was a question for the California Legislature, not the courts. See also Mirmalek v. Los Angeles Times Communications LLC, No. 24-cv-01797-CRB, 2024 WL 5102709 (N.D. Cal. Dec. 12, 2024) (rejecting telephone-only reading and emphasizing CIPA’s “expansive language”). Courts engaging the merits focus heavily on the type of data collected, whether the tracking is by the defendant or by a third party, whether the data is shared or sold, and whether consent was obtained before the tracking fired.
The newer cases sharpen the issue. In Camplisson v. Adidas America, Inc., No. 25-cv-00603-GPC-KSC, 2025 WL 3228949 (S.D. Cal. Nov. 18, 2025), Judge Gonzalo P. Curiel denied dismissal of a CIPA pen-register claim involving TikTok Pixel and Microsoft Bing tracking technologies, rejected a narrow telephone-only interpretation of pen register, and found that a footer-linked browsewrap privacy policy was insufficient consent where tracking allegedly began before any affirmative agreement. Disclosing that one is tracking, in other words, does not by itself constitute consent to track. Camplisson explicitly declined to follow a competing line of recent federal decisions—including Mitchener v. CuriosityStream, Inc., 2025 WL 227413 (N.D. Cal. Aug. 6, 2025)—that had held the TikTok Pixel falls outside § 638.51. In Wright v. TrueCare Property Holdings, LLC, No. 3:25-cv-00786 (S.D. Cal. Nov. 21, 2025), District Judge James E. Simmons, Jr. allowed a CIPA trap-and-trace claim premised on Meta Pixel tracking and Facebook ID matching to proceed, even as he dismissed parallel claims under the Electronic Communications Privacy Act, the Confidentiality of Medical Information Act, and the California Constitution, holding that the plaintiff’s generalized allegations about “private and confidential health information” did not, without more, identify protected health information communicated through her six recorded website visits.
This is why the Crypto.com order is important. It rejects overpleaded privacy claims where the complaint merely describes what cookies can do, but it also embraces the broader statutory theory that internet tracking technologies may constitute pen registers. The court’s message is not that every cookie is a wiretap. The message is that a cookie, pixel, SDK, or analytics process may be treated as a regulated surveillance process when it records addressing, routing, or signaling information, especially where the user said no, the tracking fired anyway, or the data was shared into an advertising ecosystem.
There is an additional strategic reason plaintiffs like the pen-register theory. CIPA’s civil-remedy provision, Cal. Penal Code § 637.2, authorizes statutory damages of the greater of $5,000 per violation or three times actual damages. Cal. Penal Code § 637.2(a). Because websites fire thousands or millions of individual pixels and cookies, this per-violation damages structure makes class-wide exposure potentially enormous, particularly for sites with large California traffic. A cookie banner bug that would once have been treated as a compliance issue may now be pleaded as thousands or millions of statutory privacy violations.
The wiretap theory under § 631 remains alive as well, but it is more fact-sensitive. Section 631(a) prohibits, among other things, intentionally tapping or making an unauthorized connection with a line or instrument, and willfully reading or attempting to learn the contents or meaning of a communication while in transit without consent. Cal. Penal Code § 631(a). The plaintiffs’ theory in many § 631 cases is that a website visitor communicates with the website, and the website secretly allows a third-party vendor—Meta, Google, TikTok, Microsoft, a session-replay vendor, a chatbot provider, or an analytics company—to intercept the communication in transit. The defense response is that the website operator is a party to the communication, that the vendor is merely a service provider, that the data is not “content,” that no interception occurs “in transit,” and that the user consented through disclosures or continued use. A party to a communication cannot, in the conventional sense, “intercept” it.
Those defenses sometimes work. The Crypto.com court dismissed the § 631 claim because the complaint did not say enough about what the plaintiffs themselves communicated on the website. Federal forums have also acquired a powerful new Article III argument from the Ninth Circuit. In Popa v. Microsoft Corp., No. 24-14, 2025 WL 2448824 (9th Cir. Aug. 26, 2025), a panel composed of Circuit Judges Johnnie B. Rawlinson and Milan D. Smith, Jr. and District Judge Jed S. Rakoff (sitting by designation), in an opinion authored by Judge Rakoff, affirmed dismissal of a putative class action alleging that Microsoft’s Clarity session-replay tool, embedded on a Pet Supplies Plus website, violated Pennsylvania’s Wiretapping and Electronic Surveillance Control Act and the common-law tort of intrusion upon seclusion. Although Popa arose under WESCA rather than CIPA, its Article III holding—that a statutory privacy violation must be tethered to a “harm that has traditionally been actionable in our nation’s legal system” by comparison to a specific common-law tort—applies equally in CIPA cases filed in or removed to federal court. District courts in California have already used Popa to dismiss § 638.51 claims for lack of standing where the alleged tracking captures only routine, non-sensitive information. See, e.g., In re USA Today Co., Inc. Internet Tracking Litig., 2026 WL 932655 (N.D. Cal. Apr. 6, 2026).
State courts, of course, are not bound by Article III, and at least one recent state decision has narrowed CIPA on different grounds. In Rodriguez v. Ink America International Group LLC, the Los Angeles Superior Court held in December 2025 that § 638.51 “did not, and does not, criminalize the process by which websites communicate with users who choose to access them,” reasoning that an expansive reading of CIPA would effectively render the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., meaningless because routine analytics tools regulated under the CCPA cannot simultaneously be criminal pen registers under CIPA. Wiley v. Universal Music Group LLC, 2025 WL 3654085, similarly narrowed CIPA in a defense-favorable direction by scrutinizing cookie-banner representations and opt-out tooling. These decisions provide ammunition for defendants but have not, to date, broken the federal–state split.
Jurisdiction itself is no longer the safe harbor it once was. In Briskin v. Shopify, Inc., No. 22-15815, 2025 WL 1154075, 135 F.4th 739 (9th Cir. Apr. 21, 2025) (en banc), the Ninth Circuit held that California personal jurisdiction existed over Shopify where the plaintiff alleged that Shopify, with knowledge that the user was in California, installed JavaScript and a cookie on his device and used the resulting data to build consumer profiles. The en banc court rejected the prior panel’s “differential targeting” requirement and held that operating a nationally accessible interactive platform combined with the deliberate collection of sensitive user information whose location can be known to the operator satisfies the express-aiming requirement of specific jurisdiction. Out-of-state companies can no longer assume that “we are not based in California” ends the inquiry when their websites knowingly interact with California residents.
The Legislature has noticed, but legislative relief is not imminent. California Senate Bill 690, introduced by Senator Anna Caballero in early 2025, would amend CIPA §§ 631, 632, and 638.50 to exempt the processing of personal information for a “commercial business purpose”—defined by cross-reference to the CCPA’s “business purpose” and consumer opt-out concepts—from CIPA’s wiretap and pen-register prohibitions. S.B. 690, 2025–2026 Reg. Sess. (Cal. 2025). As introduced, SB 690 contained an explicit retroactivity clause applying its exemption to any case pending as of January 1, 2026, which would have effectively neutralized hundreds of active CIPA filings. That clause was stripped from the bill during its third reading on May 29, 2025, before the Senate passed the amended bill unanimously by a vote of 32–0. The bill thereafter stalled in the Assembly, and on July 2, 2025, Senator Caballero herself announced that SB 690 would be held as a two-year bill, citing “outstanding concerns around consumer privacy.” The bill is eligible for reconsideration in the 2026 session, which reconvened on January 5, 2026, but it cannot take effect before 2027, if it is ever enacted at all. For now, the current CIPA litigation environment remains fully intact, and the per-violation damages exposure is unchanged.
For companies, the immediate lesson is brutal but simple. Consent must be real, technically enforced, and synchronized with the code. A banner that says “Disable All” while third-party tags fire before the banner loads is not a consent mechanism; it is plaintiff’s Exhibit A. A privacy policy buried in a footer is not a reliable defense if tracking occurs before the user receives a meaningful choice. A vendor contract saying that the vendor is a service provider will not save the company if the implementation transmits identifiers, URLs, form events, or sensitive categories of information into an advertising ecosystem.
The legal distinction between “content” and “metadata” also does not solve the problem. Content-like information may support a § 631 interception claim. Metadata-like information may support a § 638.51 pen-register claim. Sensitive browsing contexts—healthcare, financial services, employment applications, children’s services, addiction treatment, reproductive health, crypto trading, insurance, education, and government benefits—raise the risk materially because the inference from a page visit may itself be revealing.
The technical audit, therefore, has to be litigation-grade. Companies should know which tags fire on first page load, which fire after consent, which fire after opt-out, which vendors receive data, which identifiers are transmitted, whether form fields are captured before submission, whether URLs contain sensitive query strings, whether hashed email addresses or account IDs are transmitted, whether pixels fire on authenticated pages, whether consent mode is actually implemented, whether global privacy control signals are honored, and whether “reject all” actually rejects all non-essential tracking.
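One way to turn the audit questions above, and the earlier point that a “Disable All” choice must be enforced in code, into a repeatable check (an added example, not part of the original article): the script below classifies captured network requests by consent phase and reports non-essential third-party requests that fired when they should not have. The phase labels, hostnames, parameter names, and sample capture are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions for this sketch (not from the article): phase labels, parameter
# names and hostnames are hypothetical; tune them to your own tag inventory.
BLOCKED_PHASES = {"pre_consent", "after_reject"}  # nothing non-essential may fire here
ID_PARAMS = {"uid", "cid", "device_id", "ad_id"}  # hypothetical identifier parameters
SENSITIVE_KEYS = {"q", "email", "diagnosis", "account"}  # hypothetical sensitive keys
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")  # shape of a hashed email or account ID

def is_third_party(host, first_party):
    """True unless host is the first-party domain or one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))

def audit(requests, first_party, essential_hosts=frozenset()):
    """One finding per non-essential third-party request that fired before
    consent, after 'reject all', or while a Sec-GPC: 1 opt-out signal was sent."""
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        host = url.hostname or ""
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        gpc = headers.get("sec-gpc") == "1"
        if not (req["phase"] in BLOCKED_PHASES or gpc):
            continue  # consent was given and no opt-out signal was present
        if not is_third_party(host, first_party) or host in essential_hosts:
            continue
        params = parse_qsl(url.query, keep_blank_values=True)
        ref_q = parse_qsl(urlsplit(headers.get("referer", "")).query)
        findings.append({
            "vendor": host,
            "phase": req["phase"],
            "gpc": gpc,
            "identifiers": sorted(k for k, _ in params if k.lower() in ID_PARAMS),
            "hashed_values": sorted(k for k, v in params if SHA256_HEX.match(v.lower())),
            "sensitive_referer_keys": sorted(
                k for k, _ in ref_q if k.lower() in SENSITIVE_KEYS),
            "cookie_sent": "cookie" in headers,
        })
    return findings

SAMPLE = [  # constructed capture, as a browser test run might export it
    {"phase": "pre_consent", "url": "https://shop.example/app.js", "headers": {}},
    {"phase": "pre_consent", "url": "https://pixel.adnet.example/t?uid=abc123&ev=pv",
     "headers": {"Referer": "https://shop.example/search?q=loan+hardship",
                 "Cookie": "tid=777"}},
    {"phase": "after_reject", "url": "https://tags.metrics.example/c?em=" + "a" * 64,
     "headers": {}},
    {"phase": "after_accept", "url": "https://pixel.adnet.example/t?uid=abc123",
     "headers": {}},
    {"phase": "after_accept", "url": "https://pixel.adnet.example/t?uid=abc123",
     "headers": {"Sec-GPC": "1"}},
    {"phase": "after_reject", "url": "https://pay.gateway.example/session", "headers": {}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, "shop.example", {"pay.gateway.example"}):
        print(finding)
```

Run against a real capture, each finding names the vendor, the consent state at the time of the request, and the fields transmitted, which is the record the audit described above needs to preserve.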
The Crypto.com case is not the end of the story. It is a warning about where the story is going. Courts may reject vague complaints. They may require plaintiffs to identify their own interactions, the data actually captured, and the transmission path. They may dismiss routine tracking claims for lack of Article III standing where no concrete privacy injury exists. But many courts are unwilling to say, as a matter of law, that cookies, pixels, SDKs, and analytics scripts can never be pen registers or wiretaps.
That means the old model—write a privacy policy, deploy the trackers, and let marketing optimize the funnel—is dead. The new model is closer to surveillance-law compliance. Know the instrumentation. Know the data flow. Obtain consent before collection. Honor opt-outs technically, not cosmetically. Minimize third-party tracking. Remove pixels from sensitive pages. Document necessity. Test continuously.
Because in the new CIPA litigation environment, the question is no longer whether your website uses cookies. The question is whether a plaintiff can plausibly describe those cookies as an unauthorized surveillance device.

