On October 9, 2025, the Northern District of California denied Mashable, Inc.’s motion to dismiss a class action alleging violations of the California Invasion of Privacy Act (CIPA). Mashable operates a digital news and entertainment website that publishes articles and multimedia content online. The plaintiff alleged that Mashable disclosed the IP addresses and device identifiers of its website visitors to Microsoft and other third parties in violation of CIPA.
Case History
The plaintiff alleged that Mashable’s website embedded third-party trackers from Microsoft and others which collected users’ IP addresses and device information, transmitting that data to third parties for advertising and profiling. The plaintiff argued these trackers function as “pen registers” under CIPA. The Pen Register Act (the chapter of CIPA at issue) prohibits installing or using any device or process that records addressing information from electronic communications without a court order.
Mashable’s Arguments
Mashable moved to dismiss, contending that the Pen Register Act, applies only to person-to-person communications such as phone calls or emails, not to general website activity. It further argued that the complaint did not plausibly allege a violation and that the CIPA statute is ambiguous and should be interpreted narrowly under the rule of lenity– a legal principle that requires courts to interpret ambiguous criminal statutes in favor of defendants. Mashable also asserted that pending Senate Bill 690 indicates the California Legislature’s disagreement with the plaintiff’s interpretation of the Pen Register Act.
Court’s Reasoning and Decision
The court rejected Mashable’s arguments and found that the Pen Register Act’s language is intentionally broad, covering any “device or process” that records addressing information. Pen Register is defined as a “device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” Hinging on the inclusion of “process” in the definition, the court held that this definition was intended to encompass software trackers embedded in websites, not just traditional telephone hardware. According to the court, “[w]hat matters under the statute is not the form of the tool, but rather the function.”
The court further held that a user’s visit to a website, which involves transmitting an HTTP request containing IP and device data, constitutes an “electronic communication” under the statute. The court likened an IP address to a telephone number, as “quintessential ‘addressing’ information…[that] identifies the device sending the communication and determines where the packet is to be routed.”
In addition, the court found that Mashable’s role in embedding trackers and using the resulting data was sufficient to plead “installation” and “use” under CIPA, even if third-party vendors operated the trackers. The court held that, even if the trackers were operated by a third party, Mashable embedded the trackers onto its website and used the data captured from them to facilitate targeted advertising.
Moreover, the court found the statute clear enough in its “language, structure, history and purpose” to apply to the conduct alleged and declined to apply the rule of lenity. It also held that S.B. 690 is not persuasive evidence because it has not passed and “[the] Court must apply the statute as it currently exists.”
Implications
This decision significantly broadens the scope of CIPA compliance risk for website operators in California. By holding that the Pen Register Act applies to modern web tracking technologies, such as embedded third-party trackers that collect and transmit IP addresses and device identifiers, the court clarified that CIPA is not limited to traditional telephone or direct person-to-person communications. Any website embedding third-party advertising or analytics tools that record user “addressing” information could face similar exposure, even if the trackers are managed and operated by external vendors. Importantly, the court’s dismissal of the rule of lenity and disregard for pending legislative amendments further signal that California courts are leaning toward expansive interpretations of digital privacy statutes.
Takeaways
Website operators, especially those with significant California user bases, should reassess their use of tracking technologies and the sharing of user data with third parties. Compliance strategies should include conducting thorough audits of all embedded trackers, understanding what information is collected, ensuring appropriate disclosures, and evaluating the legal basis for any data-sharing practices. The court’s emphasis on function over form warns that simply relying on vendor installation or technical outsourcing does not insulate companies from liability under CIPA. In this environment, proactive reviews of privacy practices and ongoing legal monitoring are critical, not only to limit exposure in potential CIPA litigation, but also to align with evolving regulatory and judicial expectations.
[View source.]
