
Companies with consumer-facing websites can expect to see continued litigation in 2026 under the California Invasion of Privacy Act (CIPA) and the Florida Security of Communications Act (FSCA) over their use of website analytics tools. We previously commented on plaintiffs’ efforts to recover liquidated damages under CIPA by alleging that modern tools such as cookies and pixels used to serve targeted advertising and conduct website analytics constitute “trap and trace” devices or “pen registers” under the law. That trend is showing no signs of slowing, helped in part by inconsistent court holdings from California federal courts, including several decisions in CIPA cases at the end of 2025. On the other side of the country, plaintiffs are beginning to pursue similar claims under FSCA following a federal court decision that upended Florida’s legal precedent.
California Invasion of Privacy Act
Plaintiffs typically allege one of two theories under CIPA based on a defendant’s use of website analytics tools. Under the so-called wiretapping theory, plaintiffs allege that website technologies, which broadly include software developer kits, pixels, cookies, web beacons, session replay technology, and analytics tools, illegally intercept communications in transit without consent. Trap and trace (aka pen register) claims, on the other hand, allege that website technologies capture information about the transmission of a communication but not the communication itself.
Decisions from late 2025 and early 2026 suggest that California courts generally accept the premise that, at least at the pleadings stage, cookies and pixels used to track website users may constitute pen registers and trap and trace devices under CIPA and thereby give rise to potential claims for liquidated damages.
On the other hand, defendants have had some success defeating CIPA claims through early jurisdictional challenges, including by arguing that plaintiffs generally are unable to allege an injury in fact sufficient to establish Article III standing.
A Ninth Circuit decision issued in August 2025 is particularly instructive on the question of standing in website wiretapping claims. In that case, the plaintiff asserted a wiretapping claim against a technology company under a Washington state statute similar to CIPA. The plaintiff alleged, on behalf of a putative class, that the defendant’s use of session-replay technology constituted wiretapping violations because the technology tracked “the date a user visited the website, the device the user accessed the website on, the type of browser the user accessed the website on, the operating system of the device used to access the website, the country where the user accessed the website from, a user’s mouse movements, a user’s screen swipes, text inputted by the user on the website, and how far down a webpage a user scrolls.”1
The Ninth Circuit affirmed the lower court’s dismissal for lack of standing because the plaintiff did not allege an actual injury in fact. Citing Supreme Court opinions in Spokeo, Inc. v. Robins and TransUnion LLC v. Ramirez, the court explained that allegations supporting an inference of a statutory violation by a defendant do not establish standing unless they are accompanied by factual allegations of actual injury to the plaintiff. When that alleged injury is intangible, the plaintiff must show that it is analogous to an injury “that has traditionally been actionable in our nation’s legal system,” such as intrusion upon seclusion or public disclosure of private facts.
With respect to the CIPA claim at issue, the Ninth Circuit reasoned that the type of information the defendant purportedly collected was not the type of private information protected by common law privacy torts. Rather, the court noted that the defendant’s alleged monitoring at issue “seems most similar to a store clerk’s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales.”
Following the Ninth Circuit’s decisions, defendants in CIPA claims have made similar arguments in numerous motions to dismiss. The results have been mixed.
In at least four decisions issued during the last month of 2025 and in early 2026, courts in the Central, Northern, and Southern districts of California expressly rejected the defendants’ standing arguments. In Casillas v. Six Flags Entertainment Corp. and Wiley v. Universal Music Group, Inc., the complaints alleged that the defendants’ websites collected users’ “browsing history, visit history, website interactions, user input data, demographic information, interests and preferences, shopping behaviors, device information, referring URLs, session information, user identifiers, and/or geolocation,” even where users expressly denied consent for certain cookies on the website’s cookie consent banner.2 The courts held that allegations of the defendants’ disregard for the plaintiffs’ withholding of consent were sufficient to show an injury to traditionally recognized privacy rights and thereby establish standing.
In Ramirez v. LasikMD USA, Inc.,3 the Southern District of California found the plaintiff had standing for CIPA and federal wiretapping claims where a medical provider’s website allegedly included a tracking pixel that, without the plaintiff’s consent, transmitted medical information and personally identifying information to a third party to be used for targeted advertising. The court found that unauthorized disclosure of medical information could qualify as the type of harm traditionally recognized as forming the basis for claims such as disclosure of private information and intrusion upon seclusion. In this case, the defendant also argued that it could not be liable under the party exemption to the wiretapping statutes, which holds that the intended recipient of the communication cannot be liable. The court disagreed, however, observing that the party exemption does not apply where communications are intercepted for criminal or tortious purposes. Thus, because the allegations could constitute a claim for disclosure of private information or intrusion upon seclusion, the party exemption did not apply.
In Paul de Ayora v. Inspire Brands, Inc.,4 the Northern District of California found that the plaintiff had standing to pursue his CIPA claim where the defendant allegedly collected “historical data and information about where Plaintiffs came from via referring URLs.” The court distinguished the Ninth Circuit decision, concluding that the data collected was “beyond what would be observable to a store clerk tasked with monitoring shoppers.”
In another Central District of California decision, Lewis v. Magnite, Inc., though the court did not directly address standing, it did find that the plaintiff adequately alleged the traditional privacy tort of intrusion upon seclusion against a developer of a website tracker. There, the plaintiff alleged that the defendant collected “users’ exact clicks, including the location within the page, videos the users watched, ads with which they engaged, as well as additional context contained in the page.”5
But defendants can find some comfort in two December 2025 decisions from the Central District of California. In Rodriguez v. Brushfire Records, the court found that the plaintiff, a self-avowed website privacy “tester,” lacked standing because she failed to allege an injury in fact against a website that allegedly used the same tracker developed by the defendant in Lewis v. Magnite, Inc.6 Although the plaintiff’s status as a tester was not dispositive, the court found she failed to adequately allege a traditionally actionable injury such as intrusion upon seclusion because the complaint focused on “vague and generalized allegations of the type of data that the Magnite tracking pixel is capable of collecting” rather than the actual data collected.
In yet another Central District CIPA case, the court found that the collection of “IP addresses, browser and device type, screen resolution, installed fonts, color depth, time zone, operating system, pages visited, session duration, scroll depth and/or mouse movement, referring URLs, unique identifiers (such as cookies and ad IDs), and geolocation based on IP” was not sufficiently offensive to establish an actionable infringement on reasonable expectations of privacy.7
In addition to these subject matter jurisdictional challenges, at least one defendant has successfully challenged personal jurisdiction under Federal Rule of Civil Procedure 12(b)(2). In Rounds v. Development Dimensions Int’l, Inc., yet another December 2025 decision from the Central District of California, for example, the court found that the plaintiff failed to establish specific personal jurisdiction because the complaint did not allege that the defendant, the website operator, purposely directed violative conduct toward California.8 The court observed that the third-party data broker, which was not a named defendant, may have sufficiently exploited the California consumer base for commercial gain to hypothetically establish personal jurisdiction for itself, but the third party’s conduct could not establish personal jurisdiction over the defendant.
Finally, on January 20, 2026, the Northern District of California dismissed claims arising under CIPA and a similar Pennsylvania law, the Wiretapping and Electronic Surveillance Control Act, based on allegations that mobile apps that tracked users’ activities were illegal pen registers.9 The court granted the defendant’s motion to dismiss, observing that pen registers are necessarily “separate from the source of the transmitted communications.” The court concluded that third-party tracking technology embedded in a website may qualify as a pen register because it intercepts communications between the user and the website, but mobile apps “are a part of the source of the transmitted communications, which is enough to disqualify them from being pen registers.”
These cases suggest that plaintiffs are more likely to survive motions to dismiss where they allege that defendants collected more sensitive information or neglected to conform to a plaintiff’s wishes with respect to cookies and other tracking technology. The results have been somewhat unpredictable with respect to more surface-level allegations.
Florida Security of Communications Act
As if the uncertain CIPA case law were not challenging enough, plaintiffs have now set their sights on Florida’s FSCA statute. Although Florida courts previously rejected FSCA wiretapping claims alleging privacy violations based on websites’ third-party analytics tools, a March 2025 decision from the Middle District of Florida upended that trend, opening the door for a possible flood of FSCA claims.10
In W.W. v. Orlando Health, Inc., the plaintiff alleged that the defendant’s website intercepted her communications concerning her healthcare treatment and subsequently used that information for advertising purposes. An earlier Florida state court decision had held that the FSCA does not apply to session replay technologies, which, broadly speaking, record users’ clicks, page views, and other aspects of user interaction. In Orlando Health, however, the court distinguished the prior decision, holding that the defendant’s tracking technologies intercepted the content of website visitors’ communications, rather than merely a user’s clicks or keystrokes typically collected by session replay technology.
The plaintiff in Orlando Health alleged that the defendant’s website used third-party pixels that intercepted and transmitted the plaintiff’s communications with the website – including information such as the plaintiff’s health conditions, desired treatment, and preferred doctors – to the third parties. In turn, according to the plaintiff, this information was used for serving targeted advertisements to the plaintiff. In its motion to dismiss for failure to state a claim, the defendant argued that the plaintiff’s FSCA claim must be dismissed because the plaintiff failed to allege that the defendant intercepted the “contents” of her communications. The court distinguished between tracking a party’s movement across a website, for example via their mouse clicks, and the plaintiff’s allegations that the pixels intercepted her communications. The court also invoked the legislative intent of FSCA, noting that the Florida Legislature specifically intended to protect private medical information. Accordingly, the court concluded that the plaintiff adequately alleged that the contents of her communications were intercepted in accordance with the FSCA. Importantly, the same reasoning applied to the plaintiff’s federal wiretapping claim.
Since this decision was issued, plaintiffs have reportedly filed hundreds of wiretapping claims in Florida small-claims court. The incentive is similar to CIPA claims, as the statute provides for liquidated damages of up to $1,000 per violation. Florida state courts appear receptive to FSCA claims arising out of the use of website tracking technology. Moreover, a decision from the Southern District of Florida in Cobbs v. PetMed Express, Inc., in which the court allowed CIPA claims to proceed based on allegations that the website transmitted detailed browsing information to third parties, suggests that Florida’s federal courts, like their sister courts in California, may allow CIPA and federal wiretapping claims to survive challenges on the pleadings.11
What’s Next
Given the inconsistent holdings on standing challenges to CIPA claims in California and the potential upside of recovering liquidated damages on behalf of putative classes, plaintiffs’ lawyers will continue to target companies that operate websites accessible in California. That is particularly true of companies whose websites may collect more detailed or sensitive information about users or where the websites use nonessential cookies after users opt out. This trend appears poised to spread, as the success seen by plaintiffs alleging FSCA and other wiretapping claims in Florida may spark additional litigation.
Regular website audits are key to mitigating the risk of website wiretapping claims, whether under CIPA, FSCA, or other state or federal laws. A robust website compliance program can include clear opt-in consent under a properly functioning cookie banner or door before initiating cookies or pixels, as well as website privacy notices containing up-to-date, plain-language descriptions of cookies, pixels, or other tracking methods, specifically any tracking technology deployed by third parties.
1 153 F.4th 784 (9th Cir. 2025).
2 --- F. Supp. 3d ---, No. 2:25-cv-06824-CBM-PD, 2025 WL 3684543 (C.D. Cal. Dec. 15, 2025); No. 25-cv-03095-PCP, 2025 WL 3654085 (N.D. Cal. Dec. 17, 2025).
3 No. 24-cv-2221-CAB-DDL (S.D. Cal. Jan. 26, 2026).
4 No. 25-cv-03645-AGT, 2025 WL 3707561 (N.D. Cal. Dec. 22, 2025).
5 No. 2:25-cv-03448-MWC-SSCx, 2025 WL 3687546 (C.D. Cal. Dec. 4, 2025).
6 No. 2:25-cv-09797-CAS-PDx, 2025 WL 3692144 (C.D. Cal. Dec. 15, 2025).
7 No. EDCV 25-01982-KK-SPx, 2025 WL 378963 (C.D. Cal. Dec. 29, 2025).
8 No. 8:25-cv-01975-DOC-ADS (C.D. Cal. Dec. 15, 2025).
9 No. 5:22-cv-7069-EJD (N.D. Cal. Jan. 20, 2026).
10 No. 6:24-cv-1068-JSS-RMN, 2025 WL 722892 (M.D. Fla. Mar. 6, 2025).
11 No. 9:25-cv-80458-AMC (S.D. Fla. Jan. 14, 2026).