Hello, I’m Keerti – the latest addition to the Troutman Amin team as a Law Clerk and this is my first blog here at CIPAWorld. We are diving straight into a CIPA claim that thought it had game, only to get dismissed with prejudice before things got moving. Let’s break it down.
Another one bites the dust in the Northern District of California. In Christopher Mitchener v. CuriosityStream, Inc. 2025 WL 2272413 (Aug. 6, 2025), the plaintiff came in swinging with a California Invasion of Privacy Act (“CIPA”) claim, insisting that TikTok software embedded on CuriosityStream’s platform was acting as a “trap and trace device.” The theory was that the software was scooping up “addressing information” from communications between the plaintiff and the defendant. Essentially, where the messages were coming from and going to.
The plaintiffs standing was an issue from the jump. The court noted that the complaint failed to identify any specific personal information that was actually disclosed. Without alleging concrete, individualized harm from the alleged data collection, the plaintiff couldn’t clear the Article III standing hurdle, even before getting into the weeds of the statute.
But here’s the rub: CIPA’s definition under § 638.50(c) is laser focused. A “trap and trace device” is something that captures dialing, routing, addressing, or signaling information – not the content of a communication. And that distinction ended up being fatal. The court made it clear: if what’s being collected is “content information” – things the plaintiff is directly typing or sharing during a communication – then it’s outside the ambit of the statute. No trap and trace, no CIPA claim.
The court drove the point home with a passage that’s worth bookmarking:
“If Defendant only collects information regarding the ‘metadata’ of the communication, Plaintiff’s right to privacy is not invaded because he has no expectation of privacy as to that type of data (e.g., his IP address or general geographic location). If Defendant instead collects content information from communication between the parties (e.g., information provided from Plaintiff to Defendant directly), then the TikTok software is not a trap and trace device and § 638.50 does not apply.”
That was the end of the road for the plaintiff. This wasn’t a “just amend your complaint and try again” situation. The court found the defects, both the standing problem of having no concrete and particularized injury to plaintiff and the fact that the software itself is not a trap and trace device. The Court went straight to the core of the claim, and no amount of rewording or repleading could fix them. Motion to dismiss? Granted. Leave to amend? Denied. The First Amended Complaint? Dismissed with prejudice.
For anyone thinking about running a “trap and trace” theory under CIPA, this case is a flashing red warning sign. You need to match the statute’s definition exactly and prove the data being collected fits within it. Courts will closely scrutinize whether you’re talking about metadata where there’s no expectation of privacy or actual routing/addressing information. If it’s the wrong type of data, you’re not getting past the starting gate.
The bigger picture? We’ll likely keep seeing plaintiffs test creative “trap and trace” theories as they target various types of tracking software. But as this ruling makes crystal clear, if your facts don’t fit the statute and you can’t show a real privacy invasion, you’re not just losing – you’re getting bounced before the case even gets rolling.
Bottom line: if you’re chasing a “trap and trace” claim without rock-solid facts, you’re not just stepping on a rake – you’re handing the court the handle and asking them to swing.
CIPAWorld 