In a striking opinion, a federal judge in the Northern District of California has issued a scathing critique of the California Invasion of Privacy Act (“CIPA”) while ruling in favor of website operator accused of violating CIPA by deploying a Meta Pixel on its website:
“The language of CIPA is a total mess. It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA’s already-obtuse language to new technologies. Indeed, we have reached the point where it’s often borderline impossible to determine whether a defendant’s online conduct fits within the language of the statute.”
Background Facts
Eating Recovery Center (“ERC”) is a company that treats people for eating disorders. Jane Doe, a California resident who visited ERC’s site while exploring treatment options for anorexia, alleged that Meta unlawfully intercepted her “communications” with ERC and that ERC aided and abetted Meta in violation of CIPA.
ERC had installed the standard version of the Pixel on its website between 2019 and 2024. The Pixel captured certain information about website visitors by default, including (1) the specific URL of each page browsed by the visitor; (2) the amount of time the visitor spent on the page; (3) the path the visitor took to get to that page, i.e., the URL of the page they came from; and (4) certain actions, such as button clicks or inputted answers, on some page. This data was used to create custom audiences for targeted advertising.
During the period at issue, ERC stated on its website that communications with ERC were “100% confidential,” that it would not collect visitors’ personal information while they visited the website, and that it would “NEVER share or sell [visitors’] personal information to a third party of any nature.” Jane Doe is a California resident who was diagnosed with anorexia in 2021. In June 2022, she visited ERC’s website, apparently to consider treatment options. On the same day she first visited ERC’s website, Doe began receiving ads on Facebook from ERC and other mental health services.
Key Questions
Judge Chhabria’s analysis centered on two key questions: First, should the data obtained by Meta be considered the “contents” of Doe’s communication with ERC? Second, did Meta read, attempt to read, or attempt to learn this information while it was “in transit”?
“Contents” of Communication
The Court held that URL-related data received by Meta is enough to satisfy the “contents of communication” requirement under CIPA. Judge Chhabria relied on several previous decisions holding that detailed URLs that reveal the specific document, product, or service that a user is viewing count as contents of communications. Like in those cases, the URLs here revealed enough information to be deemed contents of communications: they revealed that Doe researched anorexia, explored treatment options and locations, and at least clicked through to a self assessment form. The Court considered this sufficient to convey “a significant possibility that Doe had anorexia at the time she visited the ERC website.”
Interception in “Transit”
According to Judge Chhabria, the harder question was whether the communications were “in transit” when Meta read, attempted to read, or attempted to learn their contents. This question is hard because the statute was not drafted with the internet in mind. It is also hard because, even aside from the internet issue, the statute is just badly drafted. The Court concludes, albeit without a great deal of confidence, that Meta’s conduct did not satisfy the “in transit” requirement as a matter of law.
Doe’s first argument was that Meta read her communications while they were in transit. Meta’s corporate representative testified that, before logging the data that it obtains from websites, Meta filters URLs to remove information that it does not wish to store (including information that Meta views as privacy protected). Doe asserts that this step, which occurs after Meta obtains the data but before the data is stored, amounts to reading the communication while in transit.
The Court rejected this argument for a few reasons: First, because Meta’s automated effort to avoid storing material cannot reasonably be considered “reading” or “learning” the contents of the communication. According to Judge Chhabria, a filtering process that simply sorts out certain data is better analogized to sorting mail than to reading it. Second, the filtering operation indisputably takes place after the communication has already traveled from the website visitor to the website operator. The parties agreed that event data is transmitted to Meta about 0.2 seconds after the visitor’s action is transmitted to the website. The filtering of the data necessarily happens after this because the event data is encrypted while being sent to Meta. Doe argued that the communication remains in transit until after it goes through Meta’s filtering process and is logged by Meta. But in the Court’s view, the “only commonsense meaning of transit, at least in the context of this statute, is the transit from the person sending the communication to its intended recipient.”
Judge Chhabria also pointed out the absurdity of this outcome, noting that regardless of whether Meta receives the communication a second before or after it reaches the website, it is effectively engaging in the same conduct. Arguably, then, the purpose of the statute can only be effectuated by reaching the same result in both instances. But the phrase “in transit” is not ambiguous, leading to a situation where language that was drafted with very different technology in mind does not map properly onto the internet.
Next Doe argued that, under CIPA, it is enough to intercept communication with the intent to learn its contents later. Judge Chhabria observed that while this may be a plausible interpretation when considering the language in isolation, in context, the better conclusion is that a defendant must do something more than just intercept the communication while it is in transit to be held liable. This is because Section 632 of CIPA, which immediately follows the provision at issue here, makes it unlawful to “eavesdrop upon or record” a “confidential communication” without the consent of all parties to the communication. Intercepting the contents of a communication and recording those contents (as Doe alleges Meta does) would seem to be covered by Section 632. If the same conduct were covered by Section 631(a), this would render Section 632 superfluous when applied to the type of internet communication at issue here.
But, according to Judge Chhabria, an even more important reason to avoid reading any portion of CIPA too broadly is that it is a criminal statute. Even though most CIPA cases are private civil actions, the interpretations courts adopt while adjudicating those actions could affect the extent to which people or companies are subject to criminal liability. Therefore, the Court held that it would not be appropriate to interpret the “in-transit” requirement of Section 631(a) so broadly as to cover the conduct at issue here.
Standing
ERC also argued that Doe does not have standing to bring this case, but the Court rejected this argument, noting that whether there is Article III standing in privacy cases based on browsing activity depends on whether the activity is private or personal enough. Here, the URLs at issue “convey information that is personal enough to confer Article III standing.” The Court noted that while “[t]here may not be standing to sue based on a disclosure that a plaintiff was shopping for a football jersey, but there’s standing to sue based on a disclosure that a plaintiff was likely shopping for eating disorder services.”
An Unusual Call to Action
Of particular note is Judge Chhabria’s observation of the widespread confusion and uncertainty caused by CIPA lawsuits filed against website operators:
“Courts are issuing conflicting rulings, and companies have no way of telling whether their online business activities will subject them to liability . . .Under these circumstances, it is imperative for the Legislature to bring CIPA into the modern age and to speak clearly about how the kinds of activities at issue in this case should be treated. Until that happens, courts should generally resolve CIPA’s many ambiguities in favor of the narrower interpretation.”
Judge Chhabria concludes the order by calling upon the California legislature to “erase” CIPA entirely:
“Hopefully, the Legislature will go back to the drawing board on CIPA. Indeed, it would probably be best to erase the board entirely and start writing something new. But until that happens, courts should not contort themselves to fit the type of conduct alleged in this case into the language of a 1967 criminal statute about wiretapping.”
Of course, CIPAWorld followers already know that Senate Bill 690 (“SB 690”), which was introduced in the California Senate earlier this and passed with unanimous approval, seeks to exempt the use of website tracking technologies such as pixels, cookies, and session replays from CIPA, if these technologies are deployed for a “commercial business purpose.” But with SB 690 still pending as a two-year bill, it remains to be seen whether other courts will follow Judge Chhabria’s lead and favor a “narrower interpretation” of CIPA.
You can read the order here: Jane Doe v. Eating Recovery Center LLC, Case No. 23-cv-05561-VC (N.D. Cal. Oct. 17, 2025).
CIPAWorld 