Hi, CIPAWorld! Kelly Sandberg here, with a new case on Meta’s use of their modified “Meta Pixel” and how important it is to understand a statute’s language and application.
In the case of In re Meta Android Privacy Litigation, Plaintiffs asserted nine privacy claims against Meta, including a violation of the California Invasion of Privacy Act’s (“CIPA”) pen register provision based on Meta’s development and use of the modified Meta Pixel code. IN RE META ANDROID PRIVACY LITIGATION, No. 25-CV-04674-RFL, 2026 WL 1279416 (N.D. Cal. May 11, 2026). In short, the United States District Court for the Northern District of California granted Meta’s motion to dismiss in part regarding the CIPA pen register claim because Plaintiffs failed to specifically allege how Meta had recorded users’ IP addresses and failed to properly apply CIPA’s statutory language of “dialing, routing, addressing or signaling.”
Meta operates multiple social media platforms that serve ads, such as Facebook and Instagram. Meta can track a user’s behavior on these social media platforms and on other websites using “Meta Pixel.” Meta Pixel is a piece of code that can be integrated into a website and is alleged to have been found on millions of websites across the internet. This code can imperceptibly capture information regarding website visitors’ activity and communications by placing “cookies” on a user’s device to track their browsing behavior. Meta Pixel uses “_fbp” cookies that contain identifiers on an individual website, but this “_fbp” cookie cannot personally identify a user by itself. However, when combined with the use of a “c_user” cookie containing the user’s Facebook or Instagram ID, Meta can then confidently identify the user and their browsing behavior.
Meta had previously struggled to match users to their browsing behavior with these cookies because of the difference in how frequently social media users log into Facebook and Instagram via an app versus through a browser. This difficulty in tracking information across the dual use of the social media app and a browser arises because of a principle called “sandboxing.” Under sandboxing, apps cannot interact with each other, and thus data cannot be transmitted between Meta users’ browsers and apps.
To overcome this issue, Meta modified the Meta Pixel to send browser cookies to a device’s “localhost” port. A device’s “localhost” port simulates communication channels by allowing apps or services running on a device to communicate with each other without leaving the device. Additionally, Meta then modified their Facebook and Instagram apps to listen to Android users’ localhost ports for incoming data. The data received this way was then combined with other personal identifiers and transmitted from an Android user’s device to Meta’s own servers.
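As an added illustration (not code from the court record, from Meta, or from the original post), the sketch below shows how someone reviewing a browser network log could spot the kind of page-to-localhost traffic described above. The log entries, hostnames and port numbers are constructed placeholders.

```javascript
// Added example: flag requests that a public web page sends to the device itself.
// All URLs below are constructed sample data; port numbers are placeholders.

// True when the hostname refers to the loopback interface.
function isLoopbackHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true; // IPv6 loopback as URL.hostname reports it
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  return m !== null && Number(m[1]) === 127; // all of 127.0.0.0/8
}

// entries: [{ page, url }] rows taken from a browser network log export.
function findLoopbackRequests(entries) {
  const findings = [];
  for (const { page, url } of entries) {
    let target, origin;
    try {
      // URL parsing normalises short or hex IPv4 forms such as 127.1
      target = new URL(url);
      origin = new URL(page);
    } catch {
      continue; // skip malformed rows
    }
    // A page served from loopback talking to loopback is ordinary local development.
    if (isLoopbackHost(target.hostname) && !isLoopbackHost(origin.hostname)) {
      findings.push({
        page: origin.origin,
        scheme: target.protocol.replace(":", ""),
        host: target.hostname,
        port: target.port || "(default)",
      });
    }
  }
  return findings;
}

const sampleLog = [
  { page: "https://shop.example/cart", url: "https://cdn.example/lib.js" },
  { page: "https://shop.example/cart", url: "http://127.0.0.1:12345/?c=abc" },
  { page: "https://shop.example/cart", url: "ws://localhost:12346/" },
  { page: "https://news.example/", url: "http://127.1:12345/" }, // short form
  { page: "https://news.example/", url: "http://[::1]:12345/x" },
  { page: "http://localhost:3000/", url: "http://localhost:8080/api" }, // local dev
  { page: "https://news.example/", url: "https://127.example.com/" }, // public name
];

console.log(findLoopbackRequests(sampleLog));
```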
CIPA prohibits the installation or use of a “pen register or a trap and trace device without first obtaining a court order.” Cal. Penal Code § 638.51(a). In the action here, Plaintiffs alleged that Meta’s modified Meta Pixel operated as a pen register or trap and trace device by recording: 1) users’ IP addresses, and 2) the contents of the “_fbp” cookie.
First, the court discussed its previous determination that an IP address “fall[s] within the statutory definition of ‘addressing’ information.” Shah v. Fandom, Inc., 754 F. Supp. 3d 924, 929 (N.D. Cal. 2024) (citing In re Zynga Priv. Litig., 750 F.3d 1098, 1108 (9th Cir. 2014)). Although Plaintiffs were correct that the recording of IP addresses fell within a CIPA pen register claim, the allegations regarding the recording lacked specificity and were deemed conclusory. The complaint merely mentioned that IP addresses were recorded by Meta Pixel, without explaining how or when the IP addresses are recorded.
Second, the court determined that an “_fbp” cookie does not fall within the scope of the pen register provision because “[t]he contents of the _fbp cookie are not used by communication providers to route Plaintiffs’ communications, but instead by Meta to retrospectively compile the communications into detailed user profiles.” Basically, Plaintiffs misinterpreted how CIPA’s language of “dialing, routing, addressing or signaling” applied. The language did not apply to the “_fbp” cookie because Meta was the party directly receiving that gathered information rather than any intermediary receiving that information. The court stated that to interpret the statute as Plaintiffs desired would “stretch CIPA’s already broad statutory language too far.”
The important takeaway here is that your knowledge and application of statutory language is vital to either a claim’s success or its demise.
