In 2025, courts continued to issue significant decisions concerning the application of wiretap and privacy laws to pixels, session replay, and other website technologies. Over the past year, we have featured posts discussing claims regarding website analytics and advertising tools brought under the federal Wiretap Act, the California Invasion of Privacy Act (“CIPA”), the Video Privacy Protection Act (“VPPA”), and other laws. A selection of posts highlighting important developments in this area is below.
- California Court Holds Plaintiffs’ Consent Defeats Claims Involving Use of Website Pixel. A California federal judge dismissed claims alleging that a website pixel disclosed viewing and browsing data in violation of the VPPA, federal Wiretap Act, CIPA, and other laws, holding that the plaintiff consented to the use of cookies and pixels by interacting with the website’s cookie banner, creating an account, and making purchases. Lakes v. Ubisoft, Inc., 777 F. Supp. 3d 1047 (N.D. Cal. Apr. 2, 2025).
- Court Grants Summary Judgment: Website Vendor Cannot Read “Session Replay” Data “In Transit” Under CIPA. A California federal court dismissed CIPA Section 631 claims on summary judgment after concluding that session replay software does not satisfy the statute’s real-time interception element because user click, keystroke, and mouse movement data become readable only after transmission when the software has stored and reassembled the information. Torres v. Prudential Financial, Inc., 2025 WL 1135088 (N.D. Cal. Apr. 17, 2025).
- Courts Hold CIPA’s Pen Register Provision Does Not Apply to Internet Communications or to Alleged Data Collection “About Visitors’ Devices”. Two California trial courts dismissed CIPA § 638.51 “pen register” or “trap and trace” claims after concluding that the statute does not extend to internet communications or website tools that collect only device-identifying information. Aviles v. LiveRamp, Inc., 2025 WL 487196 (Cal. Super. Jan. 28, 2025); Sanchez v. Cars.com Inc., 2025 WL 487194 (Cal. Super. Jan. 27, 2025).
- Court Applies Popa to Dismiss CIPA Pen Register Claim for Lack of Article III Standing. Applying the Ninth Circuit’s decision in Popa v. Microsoft, a federal court in California dismissed a CIPA § 638.51 pen register claim for lack of Article III standing, holding that the plaintiffs alleged only the collection of generic device and browser metadata—none of which constituted the kind of “embarrassing, invasive, or otherwise private” information necessary to establish a concrete injury. Khamooshi v. Politico LLC, 2025 WL 2822879 (N.D. Cal. Oct. 2, 2025).
- Third Circuit Affirms Dismissal of CIPA and CMIA Claims. The Court of Appeals for the Third Circuit affirmed dismissal of claims under CIPA and the California Confidentiality of Medical Information Act (“CMIA”). The court rejected the CIPA claim by holding that the third party pixel provider was a direct recipient of the plaintiff’s browser communication and therefore not an illegal “interceptor,” and rejected the CMIA claim because the browsing data at issue reflected ordinary website navigation rather than “medical information” as required by the statute. Cole v. Quest Diagnostics Inc., 2025 WL 7451061 (3d Cir. Nov. 25, 2025).