A Los Angeles County trial court granted a Motion for Judgment on the Pleadings disposing of a CIPA (California Invasion of Privacy Act) complaint against a website operator before formal discovery or other expensive litigation occurred. Rodriguez v. Ink America International, LASC 25STCV153 (Dec. 10, 2025).
The Plaintiff claimed that the website caused a user’s computer to install web beacons to allow third parties to collect identifying information about the user, and that the analytical tools constituted a pen register in violation of CIPA, Penal Code section 638.51.
The Court focused on the question of whether the tracking mechanism falls under the definition of “pen register” or “trap and trace device” under CIPA. The Court analyzed previous conflicting opinions as to whether CIPA applied in this context and concluded that CIPA was ambiguous and that the Penal Code only applies to offenses that come clearly within the language of the statute. The Court concluded that the legislative history demonstrated that CIPA did not apply to the analytical tools at issue because CIPA targeted telephonic-style surveillance, not commercial websites and pointed out that the California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA) defines consumer’s rights as to personal data collection.
Learnings and Next Steps:
Rodriguez opens the door to a strong defense against CIPA claims early in proceedings. However, it does not carry the precedent value of a Court of Appeal decision and might be the subject of an appeal. Moreover, plaintiff’s counsel may be able to creatively allege future charges to circumvent the order’s intent.
Therefore, businesses operating websites that reach California consumers should continue to vigilantly:
- Consult privacy counsel to assess practices, privacy and consent language and to remain updated on the ever-changing landscape of privacy laws - legislative, regulatory and new court decisions;
- CCPA/CPRA Compliance – ensure that privacy notices, opt-outs, and disclosures are up to date and that procedures are in place to address requests for data from consumers and employees;
- Conduct Website Audit to understand the data that is collected, all analytical tools and whether data is shared with third parties;
- Contract review with third parties that may receive or share data collected to ensure compliance with CCPA/CPRA and provide protection against claims by website users.
If your business has a website, feel free to reach out to Linda Wang, Dan M. Forman, or the members of CDF’s Privacy Practice group for a consultation.
