The surge of lawsuits under Section 638.51 of California’s Invasion of Privacy Act (CIPA)—which governs “pen registers” and “trap and trace devices”—has burdened online businesses over the past two years. Hundreds, if not thousands, of companies have been sued or threatened with claims carrying significant statutory damages. Conflicting rulings on early motions have fueled this trend, encouraging more filings. However, several pending appellate decisions may provide relief, or at least guidance.
At issue is whether Section 638.51—originally enacted to help law enforcement track incoming and outgoing telephone calls to a target—applies to common website technologies like cookies, pixels, and analytics tools, particularly their collection of IP addresses and device metadata.
State Court Appeals
Two California Courts of Appeal are now addressing this question. In Variety Media, LLC v. Superior Court, the Second District is reviewing whether Section 638.51 “applies to routine, ubiquitous software processes implemented by virtually all commercial websites.” Variety argues the statute’s plain text, its legislative history, and California’s comprehensive regulatory scheme governing the use of such technologies (the CCPA) demonstrate it does not. The case has drawn multiple amicus briefs, including one from ZwillGen which provides the technical and historical context of such software processes.
Similarly, in Reuters News & Media, Inc. v. Superior Court, the Sixth District is reviewing whether web tracking technologies that collect IP address and device metadata are “pen registers” as defined under CIPA. Reuters also argues that the plaintiff lacks statutory standing because he has no privacy interest in his device’s IP address and basic device information.
If either court limits Section 638.51’s reach, it could slow these lawsuits; if not, filings will likely continue.
Federal Court Appeal
Meanwhile, in Drummer v. CoStar Group, Inc., a federal district court certified for appeal whether sharing IP addresses and similar data constitutes a cognizable privacy injury sufficient to confer standing. See 2026 WL 712922 (C.D. Cal. Feb. 13, 2026). The majority of district courts confronting standing arguments in Section 638.51 cases have concluded it does, primarily based on the use of such information to create or augment user profiles. Some district courts, however, have reached the opposite conclusion.
If the Ninth Circuit rules in a way similar to how it ruled in Popa v. Microsoft Corp.—which found no privacy injury from third-party technology’s capture of over 30 different categories of website visitors’ information including mailing address, device information, and text entered on the website—it may limit the future viability of Section 638.51 cases in federal court. See 2025 WL 2448824, at *2 (9th Cir. Aug. 26, 2025). But if the Ninth Circuit affirms the district court’s decision, it could spur more federal class actions.
Either way, these cases represent pivotal opportunities for appellate courts to reconcile Section 638.51 with the realities of the modern internet. They also may be cause for companies that have received Section 638.51 lawsuits or demand letters to re-think their response strategy, particularly as it relates to the timing for potential decisions by the courts.