Browser Privacy: Pixels, Pen Registers, and the New Wave of Website Litigation

You put a tracking pixel on your website to run better ads. Now you have a class action lawsuit.

The California Invasion of Privacy Act was enacted in 1967 to stop telephone wiretapping. In the hands of today's plaintiff's bar, it has become something else entirely: a vehicle for extracting large settlements from businesses that installed standard marketing tools — Meta Pixel, Google Analytics, TikTok Pixel — that millions of websites use every day.

The firms leading this campaign are primarily California-based and have industrialized the process. Pacific Trial Attorneys, run by Scott J. Ferrell, is known for sending FedEx demand letters threatening immediate litigation unless a settlement is reached before the lawsuit is filed. Tauler Smith LLP has been a frequent filer of CIPA data collection claims. These firms, and others like them, have turned cookie banners and tracking pixels into a revenue model.

The Legal Theory — and Why It Has Traction

The plaintiff's bar is pursuing two main theories under CIPA, often in the same complaint.

The first is wiretapping. Under California Penal Code section 631, plaintiffs argue that embedding a Meta Pixel or similar tool on your website allows a third party — Meta, Google, TikTok — to intercept communications between you and your website visitors in real time, without their consent. Courts have been divided on whether this theory holds up, but enough judges have allowed these cases to survive dismissal to keep the filings coming.

The second theory is newer and, in some respects, more dangerous. Under California Penal Code section 638.51, it is illegal to install a "pen register" without a court order or user consent. Historically, a pen register was a physical device law enforcement used to record phone numbers dialed from a telephone line. The plaintiff's bar now argues that tracking pixels are the digital equivalent — that software recording a visitor's IP address, browser data, device identifiers, and navigation path is recording "routing and addressing information" just as a pen register would. Two federal courts gave this theory enough credibility to survive dismissal, and the floodgates opened. In 2025, a federal court in the Northern District of California denied Meta's own motion to dismiss a pen register claim in the tax filing cases, finding that the Pixel plausibly qualified as a pen register under CIPA regardless of whether it also captured the contents of communications.

CIPA's statutory damages provision is what makes this litigation so attractive: $5,000 per violation, with no requirement to prove actual harm. A class of website visitors can generate theoretical exposure in the hundreds of millions of dollars.

The same conduct is also being pursued under other statutes. The Video Privacy Protection Act — a 1988 law written to protect video rental records — is now being used against websites that embed video content alongside tracking tools, with plaintiffs arguing that viewing data is being shared with Meta or Google without consent. Similar wiretapping claims are being filed under Pennsylvania's, Illinois's, Florida's, and Maryland's state wiretap acts, allowing plaintiff's firms to target businesses in courts outside California.

The Defenses

The law here is genuinely unsettled, and that uncertainty runs in both directions.

Consent is the primary defense. If your website has a properly drafted and conspicuously displayed cookie consent banner — one that actually discloses what tracking tools you use and gives visitors a real choice — the wiretapping and pen register claims lose much of their force. A link buried in a footer privacy policy is not consent. A banner that actually functions and documents the user's choice is meaningfully different.

Standing is the second line. Federal courts have dismissed several of these cases for lack of Article III standing, finding that a user's IP address being shared with an analytics platform is not the kind of concrete injury that gives rise to a federal lawsuit. That argument has traction in some circuits and less in others.

The "party to the communication" defense addresses the wiretapping theory directly. A party to a communication cannot wiretap its own communication. Where a website analytics vendor is acting as the website operator's service provider — not as an independent third party using the data for its own purposes — courts have found that the vendor is an extension of the operator and not a wiretapper. This defense works better in some factual scenarios than others.

Legislative history and statutory purpose are also in play. Several courts have dismissed CIPA pixel claims on the ground that the California legislature never intended a 1967 telephone wiretapping statute to reach standard website analytics software, and that extending the pen register provision to cover IP address collection reads the statute beyond its text. Courts are not uniform on this, but it is a live argument.

What to Do if You Get a Letter

If you receive a demand letter — especially one arriving by FedEx with a short settlement deadline — do not respond to opposing counsel directly, do not begin pulling or destroying records, and do not assume the demand reflects your actual exposure.

These letters are designed to induce quick, cheap settlements before you understand what you are actually facing. The firms sending them are banking on the fact that you will see a large number, assume the worst, and write a check.

Jonathan Phillips defends browser privacy and website wiretapping claims in federal and state courts across the country. He will tell you whether the theory being advanced against you has merit in your specific jurisdiction, what the actual class certification risks are, and whether the settlement demand reflects reality or just pressure.