Website Tracking & California’s Wiretapping Law: Why Businesses Face Growing Legal Uncertainty

Plaintiff Brings Action for Web Privacy Violations Under California Wiretapping Law

The California Invasion of Privacy Act (CIPA) was enacted in 1967 to criminalize wiretapping and eavesdropping on confidential communications. Although it’s a criminal statute, CIPA also allows victims to bring civil actions against those who violate the statute. The Act allows the recovery of civil penalties of $5,000 per violation or three times the amount of actual damages—whichever is greater.

In a recent case, a plaintiff sought to impose CIPA liability on a website operator for using a third party to perform data analytics and targeted advertising.

Background

Eating Recovery Center (ERC) treats people for eating disorders. It used the Meta Pixel (the Pixel) on its website to increase the efficacy of its internet advertising and to try to help people in need of ERC's services. ERC installed the standard version of the Pixel, that is, without configuring it to transmit event data other than what the Pixel captures by default. This default event data includes, for each visitor to ERC's website:

  1. the specific URL of each page browsed by the visitor;
  2. the amount of time the visitor spent on the page;
  3. the path the visitor took to get to that page, i.e., the URL of the page they came from; and
  4. certain actions, such as button clicks or inputted answers, on some pages.

The data was used to create custom audiences for targeting ERC ads to Meta users. During this period, ERC said on its website that communications with ERC were "100% confidential," that it wouldn’t collect visitors' personal information while they visited the website, and that it would "NEVER share or sell [visitors'] personal information to a third party of any nature."

The plaintiff was a California resident who was diagnosed with anorexia in 2021. In June 2022, she visited ERC's website, apparently to consider treatment options. That same day, she started getting ads on Facebook from ERC and other mental health services. She filed this proposed class action lawsuit in October 2023, asserting CIPA violations.

The parties filed cross-motions for summary judgment. The plaintiff argued that the Court should grant summary judgment for her on her CIPA claim. ERC argued that it was entitled to summary judgment on all remaining claims.

CIPA is Ambiguous

U.S. District Court Judge Vince Chhabria pulled no punches in his recent opinion in Doe v. Eating Recovery Ctr. LLC:

“The language of CIPA is a total mess. It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA's already-obtuse language to new technologies. Indeed, we have reached the point where it's often borderline impossible to determine whether a defendant's online conduct fits within the language of the statute.”

Here, the plaintiff sought to impose CIPA liability on a website operator for using a third party to perform data analytics and targeted advertising. In particular, liability depends on whether the third party "read" or "attempt[ed] to read" or attempted "to learn" the contents of an internet communication between the plaintiff and the website operator while that communication was "in transit." If so, the website operator could be liable to the plaintiff under CIPA for enabling the third party to engage in that conduct.

Judge Chhabria emphasized that it’s imperative for the Legislature to “bring CIPA into the modern age and to speak clearly about how the kinds of activities at issue in this case should be treated.” Until that happens, courts should generally resolve CIPA's many ambiguities in favor of the narrower interpretation, he said.

Two CIPA provisions, §§ 631 and 632, can potentially be construed to create liability for website operators who use tracking software on their websites. Section 631—specifically, Section 631(a)—is the provision asserted by the plaintiff in this case. Section 631(a) contains four clauses, each of which can give rise to liability. It imposes liability on anyone who:

  1. ". . . intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument";
  2. "willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state";
  3. "uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained"; or
  4. "aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section."

The plaintiff argued that Meta violated the second clause because it read, attempted to read, or attempted to learn the contents of her communications with ERC while they were in transit (and without her consent). Thus, she argued that ERC was liable under the fourth clause for aiding Meta and/or conspiring with Meta to violate the second clause. She also contended that Meta violated the third clause, which involves using information acquired in violation of the second clause, and that ERC is also liable for that under the fourth clause. But the judge explained that there can be no violation of the third clause without a violation of the second clause. So, the threshold question was whether Meta violated the second clause of Section 631(a).

The event data that Meta obtained when the plaintiff visited ERC's website is, as a matter of law, the contents of a communication, the judge found. The harder question was whether the communications were in transit when Meta read, attempted to read, or attempted to learn their contents. This question is hard because the statute wasn’t drafted with the internet in mind. It’s also hard because, even aside from the internet issue, the statute is just poorly drafted, Judge Chhabria chided. However, the judge concluded, “albeit without a great deal of confidence,” that Meta's conduct didn’t satisfy the "in transit" requirement as a matter of law.

Meta obtained the following information related to the plaintiff's interactions with ERC's website:

  1. the specific URL of each page the plaintiff browsed;
  2. the time the plaintiff spent on each page;
  3. the path the plaintiff took to get to that page; and
  4. certain actions, such as button clicks.

The captured URLs and the information related to those URLs are sufficient to qualify as contents of a communication under the second clause of Section 631(a), Judge Chhabria found. He noted that the Ninth Circuit Court of Appeals distinguished URLs that include "search term[s] or similar communication[s]," which can constitute the contents of a communication, from those that include only basic identification and address information.

The plaintiff researched anorexia, explored treatment options and locations, and at least clicked through to a self-assessment form. Given that activity, the data associated with the URLs obtained by Meta conveyed far more than basic identification and address information—it conveyed a significant possibility that the plaintiff had anorexia at the time she visited the ERC website.

There’s an even more important reason to avoid reading the second clause of Section 631(a)—and, for that matter, any portion of CIPA—too broadly: it is a criminal statute. Judge Chhabria wrote that “[a]s difficult as it is to apply CIPA to the physical world, it's virtually impossible to apply it to the online world. Hopefully, the Legislature will go back to the drawing board on CIPA.”

Indeed, it would probably be best to “erase the board entirely and start writing something new,” the judge concluded. But until that happens, courts shouldn’t contort themselves to fit the type of conduct alleged in this case into the language of a 1967 criminal statute about wiretapping. As a result, the motion for summary judgment as to the CIPA claim was denied. Doe v. Eating Recovery Ctr. LLC (U.S. District Court for the Northern District of California, 10/17/2025).

Bottom Line

CIPA’s language is ambiguous, and courts continue to issue conflicting rulings. As a result, companies have no way of telling whether their online business activities will subject them to liability.

Contact Eanet, PC with any questions regarding this matter.
