Eanet, PC Eanet, PC

Recent Trends in CIPA Litigation

Recent Trends in CIPA Litigation

The California Consumer Privacy Act (CCPA) has introduced expansive privacy rights for consumers. Hundreds of lawsuits have been filed over the past several years claiming statutory damages under CIPA.

Plaintiffs have had to oppose motions to dismiss complaints on common website technologies, such as software developer kits (SDK), third-party tracking pixels and software, and application programming interfaces (API).

Recent Decisions

Adidas

One case concerned Adidas, which owns and uses its website that lets customers purchase and access information about the brand's products. As part of its website, Adidas installed tracking pixels TikTok Pixel and Microsoft Bing ("trackers"). Tracking pixels are small, almost-invisible images embedded in a website or an email to track a user's activities. When a user visits a website, the website's code installs the tracker into the user's browser and can, at that point, track user interactions on its platform to place targeted advertisements. The tracked data can include the user's operating system, the type of website or email used, the time when the website was accessed, the user's IP address, and whether there are cookies that previously have been set by the server hosting the pixel image.

The California federal district court held that allegations of Adidas installing tracking pixels on website visitors' browsers that recorded their personally identifiable information were sufficient, without more, to plausibly allege use of a pen register device and therefore to avoid dismissal at the pleading stage. Camplisson v. Adidas Am., Inc. (U.S. District Court for the Southern District of California, November 18, 2025).

VITAS Healthcare

In another case, a woman called a healthcare provider to discuss sensitive details about the provider's hospice care for her grandmother. She was unaware that the healthcare provider used a software to listen to the contents of the call and generate data about the call's purpose and resolution. In its Terms of Service, the software creator reserved the rights to employ the data from those calls for its own business and product development functions.

The district court asked, Does the woman have a viable claim that the use of that software by the healthcare provider and the software developer violated California privacy laws?

In weighing this question, the Court had to determine if the software developer is a third party separate from the healthcare provider or an extension of the healthcare provider itself. The district court held that the developer of software is a third party when the developer is able to use data for its own purposes—separate from the interests of the parties to the call. The Court said that the software developer in this case was capable of using the data for its own purposes, and because the use of its software wasn’t disclosed to the caller, it could be in violation of California privacy laws. Also, because the healthcare provider helped the software developer in getting access to the client calls, it may also be held liable. As such, the defendant's Motion to Dismiss was denied. Tate v. VITAS Healthcare Corp.(US District Court for the Eastern District of California, January 8, 2025).

The CIPA broadly prohibits the interception of wire communications and disclosure of the contents of such intercepted communications. Section 631(a) of CIPA creates four avenues for relief:

  1. Where a person "by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection . . . With any telegraph or telephone wire, line, cable, or instrument";
  2. Where a person "willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit";
  3. Where a person "uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained"; and
  4. Where a person "aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above."

In this case, the plaintiffs invoke the fourth avenue of relief, alleging the defendants violated Section 631(a) of the CIPA by "aiding others (including [Meta] and Google) to secretly record the contents of Plaintiffs' and California [s]ubclass [m]embers' wire communications."

The defendants contended that the plaintiffs' CIPA claim should be dismissed because they didn’t: (1) allege the "contents" of their communications that were allegedly intercepted; (2) to allege their communications were intercepted in transit; and (3) to plead "aiding and abetting" with specificity. While a URL that includes "basic identification and address information" isn’t "content," the court explained that a website user's request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication. In their motion to dismiss, Defendants argue "routine website tracking tools do not transmit the 'contents' of communications in potential violation of the CIPA." Specifically, Defendants argue that "tracking 'keystrokes, mouse clicks, [and] pages viewed are not 'content' under CIPA." Defendants further argue that Plaintiffs do not specify what search terms they entered on Defendants' Web Properties that subsequently became part of a "full-string URL."

The court agreed with the plaintiffs that they alleged the "contents" of their communications that were allegedly intercepted in violation of CIPA. Their alleged communications with the defendants' Web Properties, which were intercepted and disclosed to Meta, went beyond keystrokes, mouse clicks, and pages viewed on the defendants' Web Properties. Specifically, the plaintiffs detailed the searches they conducted regarding their personal health conditions, treatment options, and doctors.

As a result, the Court found that the plaintiffs' allegations sufficient to plead the "contents" of their communications that were purportedly intercepted by Defendants within the meaning of CIPA. Doe v. Tenet Healthcare Corp. (U.S. District Court for the Eastern District of California, June 9, 2025).

The Gap

Finally, Efren Ramos filed a putative class action in California federal court, claiming that the Gap invades customers' privacy through the use of third-party tracking software. The clothing retailer sends its customers periodic marketing emails that contain hyperlinks to products on its website. The plaintiff claimed that the Gap contracted with a third party, Bluecore, to embed "invisible pixels" and URLs in the Gap’s marketing emails. These are connected to" the hyperlinked images and text in the marketing emails so that when a customer clicks on an image or text in an email, the URL is transmitted to Bluecore. Also, the plaintiff alleged that each URL is unique so that Bluecore knows "exactly when a customer opens one of its Emails along with the exact images and words that a consumer clicked on before being routed to Defendant's website . . . ." Ramos alleged this is how Bluecore knows, for example, that the plaintiff clicked on a specific shirt in one of the Gap’s marketing emails. Bluecore also captures other information like the customer's email address, email open rates, and content click rates before redirecting the recipient to the Gap’s website.

With all this information, the plaintiff said that "Bluecore is able to create . . . a replica of how Defendant's recipients are seeing and interacting with the Emails' Content in real time." The plaintiff asserted that the Gap violated the California Invasion of Privacy Act ("CIPA"). The Gap moved to dismiss the complaint.

The district court held that a party to the communication can’t be held liable under § 631(a). Although the plaintiff appeared to ground her Complaint on a theory that the Gap "aided and abetted" Bluecore's wiretapping, the opposition to the motion to dismiss outlined two theories of direct liability against the Gap. The court found both theories confusing and unsupported. As a result, the court granted the Gap’s Motion to Dismiss. Ramos v. GAP, Inc. (U.S. District Court for the Northern District of California, July 29, 2025).

Takeaway

These cases demonstrate the increase in the already high volume of CIPA pre-suit demand letters and class action lawsuits. In addition, many others have gone to arbitration or settled before litigation started.

California businesses should be aware of this trend and speak to an experienced privacy attorney, like those at Eanet, PC. Our attorneys can review and audit your company’s current compliance standards and help with any issues to reduce the risk of a CIPA action or other privacy lawsuit.

Related Posts
  • Should You Ignore a Website Privacy Violation Demand Letter? (No!) Read More
  • Disney’s $2.75M CCPA Settlement: What California Businesses Must Fix in Their Opt-Out Process Read More
  • Website Tracking & California’s Wiretapping Law: Why Businesses Face Growing Legal Uncertainty Read More
/