Good morning, CIPA World.
February 17, 2026 felt like one of those quiet days on the docket — until it wasn’t.
Two federal courts. Two cookie cases. Two motions to dismiss. Same statute. Same day.
But completely different outcomes.
And if you read them back-to-back (like I did ), they don’t contradict each other. They reveal where CIPA litigation is actually heading.
Let me tell you the story.
It starts in San Diego, in the United States District Court for the Southern District of California, in Nelson v. Reddit, Inc..
The plaintiff says Reddit embedded LiveRamp tracking technology on its website. When users visited, their browsers transmitted HTTP requests, IP addresses were captured, cookies were placed, and identifying information was sent to a third party for profiling and ad delivery.
The theory was simple but powerful: that tracker functioned as a “pen register” under California Penal Code § 638.50, and using it without consent violated § 638.51.
Reddit responded the way defendants have been responding for the last two years. This isn’t a pen register. It doesn’t collect outgoing addressing information. There was no “content.” We’re a party to the communication. The statute only applies to person-to-person exchanges. And if there’s any doubt, rule of lenity.
The court was not persuaded.
What’s striking about the opinion isn’t its tone, it’s how unsurprising it feels. The court aligned itself with what is quickly becoming the dominant view: the statutory definition of a pen register is technology-neutral. It speaks in terms of “dialing, routing, addressing, or signaling information.” It does not say “telephone only.” It does not say “human-to-human only.” It does not require interception of content.
Capturing IP addresses tied to outbound HTTP requests? At least plausibly within the statutory definition.
And importantly, the court refused to import a “content” requirement from § 631 wiretap jurisprudence into the pen register provision. That distinction matters. A lot.
By the end of the opinion, the motion to dismiss was denied. The pen register claim lives on.
Now we travel north.
Same day. Different courtroom. The United States District Court for the Northern District of California in D’Antonio v. Smith & Wesson Inc..
This case feels familiar. Plaintiffs visit a website. They see a cookie banner. They click “Reject All.” They believe they have opted out. Cookies are placed anyway. Third parties allegedly track browsing behavior.
The complaint is broader here – invasion of privacy, intrusion upon seclusion, wiretapping, pen register, fraud, unjust enrichment, contract claims, trespass to chattels. It’s the full menu.
And interestingly, the court lets the privacy tort claims survive. Why? Deception.
The opinion leans into the idea that deceit can be the “plus factor” that turns routine commercial tracking into something potentially “highly offensive.” The allegation that the company promised not to track after a rejection, yet did so anyway, carried real weight at the pleading stage.
But when the court reached the CIPA claims, the story shifted.
The judge did not reject the idea that cookies could be pen registers. In fact, the opinion acknowledges that the statutory text does not limit pen registers to telephones.
Instead, the problem was something more surgical.
The plaintiffs did not allege that they themselves engaged in any actual communication with the website beyond clicking “Reject All.” They didn’t allege they filled out a form, submitted data, logged in, transmitted information, or anything that could clearly qualify as an outbound electronic communication.
And that mattered.
Because without a communication, there is no “dialing, routing, addressing, or signaling information” tied to a communication. And without that, the pen register claim cannot stand, at least as pled.
The claim was dismissed with leave to amend.
And that’s where these two opinions quietly converge.
This is no longer about whether internet tracking technology can ever qualify as a pen register. Courts are increasingly comfortable with that possibility.
The battleground has moved.
Now the big question is: what counts as a communication?
Is merely loading a webpage enough? Is an HTTP request itself sufficient? Must the plaintiff allege a form submission? A login? A message? A transaction?
The Southern District opinion implicitly treats routine web requests as communications. The Northern District demands something more specific, at least in how it’s pled.
That difference is not doctrinal chaos. It is doctrinal refinement.
For plaintiffs, the lesson is clear. You cannot just say you “visited” a website. You must identify the communication and tie the tracking to its routing or signaling data.
For defendants, the opportunity is equally clear. Press on the absence of a specific alleged communication. Force precision. Make them connect the dots.
If you zoom out, what happened on February 17 wasn’t a split. It was evolution.
CIPA litigation is growing up. The easy arguments are fading. The fights are becoming technical, fact-specific, and deeply tied to how internet communications actually work.
And the next major wave of motion practice is going to turn not on whether cookies can be pen registers — but on what exactly constitutes a communication in the age of HTTP requests and embedded trackers.
That question is far from settled.
And CIPA World will be watching.
CIPAWorld 