Businesses that run consumer-facing websites have spent the past several years contending with a steady stream of California Invasion of Privacy Act (CIPA) demands and class actions aimed at everyday digital tools such as cookies, pixels, and analytics scripts. A recent decision from the Southern District of California, Camplisson v. Adidas Am., Inc., 2025 WL 3228949 (S.D. Cal. Nov. 18, 2025), suggests that this wave is not fading. If anything, it may pick up further in 2026.
CIPA is a California privacy statute that, among other things, limits the interception of communications and the deployment of certain surveillance-style technologies without proper authorization. In the current round of cases, plaintiffs have increasingly trained their focus on CIPA’s prohibition on using “pen registers” and “trap and trace” devices absent a court order or user consent. They argue that common website tracking technologies function like modern equivalents of these wiretap-adjacent tools. The stakes are high because CIPA allows statutory damages of up to $5,000 per violation, even without proof of actual harm.
In Camplisson, website users brought a putative class action alleging that Adidas violated CIPA by using two tracking pixels on its website, the TikTok Pixel and Microsoft Bing. According to the complaint, the trackers were placed on visitors’ browsers without consent and collected data including IP addresses, browser information, unique identifiers, and other personal information. Adidas moved to dismiss on two primary grounds; first, it argued that the alleged tracking tools do not qualify as a “pen register” as a matter of law, and second, it contended that users had consented.
The court declined to accept either argument at the pleading stage. Emphasizing what it characterized as CIPA’s deliberately broad language, the court reasoned that a narrow reading of “pen register” limited to tools that capture all outgoing information could undermine the statute’s privacy-protective purpose. The court also held that the consent allegations were deficient based on how the website presented its terms and privacy disclosures. In particular, visitors allegedly had to scroll to the footer to locate links to the online terms and privacy policy, and the website did not present a pop-up, or similar mechanism, requiring users to affirmatively consent before the pixels fired.
From a forward-looking perspective, Camplisson hands plaintiffs a new citation for the proposition that standard website pixels can plausibly qualify as pen registers when they capture identifiers such as IP address information and other alleged personal information. It also offers a template for pleading around consent by highlighting the user’s practical path to notice on the website, and whether any meaningful opt-in occurred before tracking began. Together, those concepts are likely to drive additional pre-suit demand letters and new filings, particularly against companies that primarily rely on footer-based links for notice or that allow pixels to run before any affirmative consent. Longer term, unless appellate courts bring greater clarity or the legislature modernizes this decades-old statutory framework, businesses should plan for continued uncertainty and inconsistent results from courts.