On May 27, 2026, a California superior court delivered a positive ruling during the ongoing wave of website tracking litigation brought under CIPA—Judge Gary Roberts of the Los Angeles County Superior Court sustained NetScout Systems, Inc.’s demurrer and dismissed…with prejudice…a lawsuit alleging that the company’s website software development kit (“SDK”) violated California’s pen register and trap and trace provisions. The court concluded that the statute applies to telephone communications, not software operating on commercial websites.
While this is only a Superior Court decision and therefore carries limited precedential weight, it nevertheless represents an important victory for defendants confronting increasingly aggressive attempts to apply decades-old privacy statutes to modern internet technologies.
The plaintiff alleged that NetScout deployed an SDK supplied by X Corp. on its website and that the software transformed website pages into a “surveillance mechanism” that captured visitors’ electronic communications without their knowledge or consent. According to the complaint, visitors were not notified of the SDK’s operation and were not given an opportunity to opt out before the technology activated.
In Blaker v. Netscout Systems, Case 25STCV31283, plaintiff argued that the SDK constituted a prohibited “pen register” or “trap and trace device” under Penal Code section 638.51.The court began with a straightforward observation–neither side presented binding California authority directly resolving whether CIPA’s pen register and trap and trace provisions apply to website technologies. Faced with an issue of first impression, the court turned to statutory construction and legislative intent.
Although the statutory definitions of “pen register” and “trap and trace device” are broad enough that plaintiffs have argued they encompass website tracking technologies, Judge Roberts concluded that the broader statutory framework points in a very different direction.
The court focused heavily on Penal Code section 638.52, which governs the court-order process for authorizing pen registers and trap and trace devices. That provision repeatedly refers to a “telephone line,” requiring judicial orders to identify the person associated with the telephone line, the number of the telephone line, and the location of the telephone line to which the device will be attached.
According to the court, those references cannot be ignored when construing section 638.51. Reading the statutory scheme as a whole, the Legislature appeared to have intended these provisions to regulate telephonic communications rather than internet browsing activity. The court explained that adopting plaintiff’s interpretation would place various portions of the statutory framework in conflict with one another.
The court also found it significant that the Legislature enacted these provisions in 2015, at a time when internet tracking technologies and commercial websites were already ubiquitous. If lawmakers had intended the statute to apply to website analytics tools, pixels, SDKs, or similar technologies, the court reasoned, they could have said so expressly. As the court put it:
“the internet was in widespread use when these provisions were enacted in 2015. If the Legislature had intended for section 638.51 to apply to commercial websites, it would have so stated either in the statute itself or in the surrounding materials.”
The court further observed that the statutory language repeatedly refers to concepts traditionally associated with telephony, including an “originating number,” “dialing,” and “routing” information. Applying the canon of ejusdem generis, the court held that the more general references to “addressing or signaling information” should be interpreted in light of those more specific telephone-oriented terms.
Ultimately, the court reached a clear conclusion:
“Thus, applying the ordinary rules of statutory construction and considering both the structural context of Penal Code section 638.51 and the legislative history, the Court concludes that this statute applies to telephonic communications and not to software on a commercial website.”
Perhaps just as important as the court’s statutory analysis was its decision to deny leave to amend.
The court found that amendment would be futile because the problem was not deficient pleading but rather the limited scope of the statute itself. Since the court concluded that section 638.51 simply does not reach website software, no amended complaint could cure the defect. The demurrer was therefore sustained without leave to amend.
Notably this is a Los Angeles County Superior Court ruling and therefore is not binding on other courts. Plaintiffs will undoubtedly continue filing these claims, and other judges remain free to disagree. But the ruling helps undermine one of the broader narratives driving website-tracking litigation; namely, that every collection of website interaction data necessarily requires affirmative consent under statutes that were never written with internet technologies in mind.
The ruling also highlights why settling every CIPA lawsuit/demand may not always be in the industry’s best interest. Many companies choose to settle these cases early to avoid litigation costs. But when novel legal theories repeatedly go unchallenged, they become more attractive to the plaintiffs’ bar—as we have seen over and over throughout the last few decades in TCPAWorld. If you’re facing a CIPA lawsuit/demand, Queenie’s always ready to fight. Give Troutman Amin, LLP a call.
Xoxo
Queenie