California courts have dismissed claims brought for violations of the California Invasion of Privacy Act (CIPA) by “tester” plaintiffs. These cases have been decided on the issue of standing, meaning that plaintiffs lack a sufficient connection to and harm from the law or action being challenged.
The state has seen a rash of legal actions attacking companies’ use of website tools under CIPA by what is known as “tester” plaintiffs who find websites to “test” for possible CIPA violations. These tester plaintiffs file complaints seeking monetary damages for alleged violations.
Recently, the United States District Court for the Central District of California in Rodriguez v. Autotrader.com, Inc., (April 4, 2025) held that a CIPA plaintiff’s status as a tester precludes the requisite standing because a tester “actively seeks out privacy violations.” As a result, he or she can’t claim an injury when her expectations were ultimately met.
Background
Rebeka Rodriguez was a plaintiff who claimed that she visited autotrader.com and conducted searches with sensitive information. Rodriguez said the website used prohibited wiretapping and pen registers to access, record, and disclose her information, thereby invading her privacy in violation of California Penal Code §§ 631 and 638.51.1
The parties didn’t dispute that the plaintiff's § 638.51 claim, which prohibits the use of pen registers to capture signaling information, requires the same disclosure of sensitive information and reasonable expectation of privacy as her § 631 claim. Instead, Rodriguz disputed whether her status as a tester foreclosed standing.
But the court observed that, to demonstrate standing to bring a claim for invasion of privacy under § 631, which prohibits wiretapping, a plaintiff must show that:
- The defendant improperly accessed or disclosed information that was "sensitive" and "could cause harm if disclosed"; and
- The plaintiff "had a reasonable expectation of privacy when she shared that information."
However, as a tester that actively seeks out privacy violations, Rodriguez had no expectation of privacy" when she visited the defendant's website, and therefore, lacked an injury in fact sufficient to establish standing. The curt reasoned that she “visited and entered information into Defendant’s website expecting the information to be accessed, recorded, and disclosed.” In other words, the plaintiff couldn’t claim an injury sufficient to confer standing “when her expectations were ultimately met.” She expected her privacy to be invaded, thereby negating any injury. A similar result was found in Byars v. Sterling Jewelers, Inc., in 2023.
As a tester that actively seeks out privacy violations, the court found that "she had no expectation of privacy" when she visited the defendant's website, and therefore, lacked an injury in fact sufficient to establish standing. Likewise, the court concluded that her § 638.51 claim also failed. As such, the court found that dismissal was warranted for lack of standing. Rodriguez v. Autotrader.Com, Inc. (U.S. Dist. Ct. 4/4/ 2025).
What Should California Businesses Do?
In light of the district court’s decision in the Rodriguez case, California businesses to the following:
- Employ privacy banners and clear user disclosures;
- Review the company’s website and its privacy policy and terms of use;
- Determining how third parties use the data collected from your website’s tracking tools;
- Provide an opt-out option;
- Look at using a scanning tool and examine the results to see the tracking technologies the website uses;
- Document expectations of privacy in user flows; and
- Leverage standing arguments in early motions to dismiss.
Bottom Line
Businesses in California should be aware that “tester” plaintiffs continue to bring actions against companies whose websites purportedly violate the California Invasion of Privacy Act (CIPA). The district court’s analysis of standing in Rodriguez should assist in defending these actions, particularly when brought by repeat filers.
Business should demonstrate that the plaintiff knew or had an expectation that his or her communications would be accessed, which negates the standing to bring legal action.