Mintz Privacy Team Secures Landmark Ruling in California Invasion of Privacy Act Case

On May 27, 2026, Judge Gary Roberts of the Los Angeles, California Superior Court ruled, in a notable decision, that the California Invasion of Privacy Act’s pen register and trap and trace device provisions apply only to telephone communications and not to software on commercial websites.  The Court dismissed, with prejudice (notably), claims against Mintz client NetScout Systems, Inc. premised on deployment of a data collection software development kit (or SDK) on its website.  The Court adopted NetScout’s position that these CIPA provisions do not apply to the internet broadly and are limited to telephone communications at best.  While many organizations confront the dilemma of fighting or paying for an early settlement, NetScout chose to fight, challenging Plaintiffs’ lawyers’ widening application of a statute intended to address telephone technologies alone. 

Why this matters: This decision represents a significant win for companies facing litigation over their use of pixels, web beacons, and other internet data collection technologies.  It provides companies with persuasive authority they can use in response to similar lawsuits and a roadmap for defeating these types of claims.  Moreover, it seriously weakens the argument that affirmative consent is required before companies may collect data on the Internet.  As the Court explained in its written ruling, “the internet was in widespread use when these provisions were enacted in 2015.  If the Legislature had intended for section 638.51 to apply to commercial websites, it would have so stated either in the statute itself or in the surrounding materials.”

Summary Analysis: The California legislature inserted the pen register and trap and trace provisions (California Penal Code §§ 638.50 through 638.53) as a package in 2015 to amend CIPA, well after internet data collection technologies had emerged and had become widely deployed.  Since 2023, Plaintiffs’ lawyers have premised claims against companies nationwide on alleged violations of California Penal Code § 638.51 , which Plaintiffs’ lawyers argue prohibits installation or use of a pen register or trap and trace device, with limited exceptions, without a court order.  Many lawsuits have been filed against companies over ordinary web browsing and data collection, to the point that the California legislature considered proposed amendments to eliminate these claims, which were not passed during the last legislative session.  This makes the need for defensive arguments more important for companies with websites accessible in California.

NetScout argued that the California legislature did not intend for the pen register and trap and trace provisions in California Penal Code § 638.51 to apply to ordinary web browsing activities based upon the legislative history surrounding the California legislature’s decisions to enact the CCPA in 2018, CIPA’s pen register and trap and trace device provisions, and define the key term “electronic communications” in 2010.  After in-person oral argument on NetScout’s demurrer, the Court adopted NetScout’s argument and concluded:

Thus, applying the ordinary rules of statutory construction and considering both the structural context of Penal Code section 638.51 and the legislative history, the Court concludes that this statute applies to telephone communications and not to software on a commercial website.

The Mintz team representing NetScout includes Scott Lashway, the Co-Chair of Mintz’s Privacy & Cybersecurity Practice, Matthew Stein, and Nadia Zivkov. Mara O’Malley provided strategic advice on the briefing.

If you have questions or would like more information, contact your relationship partner at Mintz or Scott Lashway ([email protected]).

Subscribe To Viewpoints