It’s not every day that you have a federal judge call a law “badly drafted” and tell a legislature it needs to “step up” and “go back to the drawing board.” But that’s where we’re at with the California Invasion of Privacy Act (“CIPA”).
In recent years, organizations of all types and sizes and in all industries nationwide have received countless demand letters and complaints claiming their websites violate CIPA. This law was not intended to apply to websites or the Internet—it was passed in 1967, a generation before the Internet was created. But plaintiffs have argued that CIPA’s broad language means it does.
In this crossfire, courts have struggled to figure out how CIPA applies in the digital age. Does CIPA apply to websites? Is a chatbot a “wiretap”? Is a browser cookie a “pen register” or a “trap and trace device”? The result has been nothing short of chaos and confusion. Court rulings are inconsistent even when addressing the exact same allegations and claims. And online companies and website operators remain unsure as to whether what they and virtually every other website in the country are doing is a criminal offense, exposing them to steep statutory and punitive damages.
We now know that this situation is incredibly frustrating for judges too. On October 17, 2025, Judge Chhabria of the Northern District of California issued an order blasting CIPA’s language for being “a total mess.” Indeed, he called it “a mess from the get-go” that “gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA’s already-obtuse language to new technologies.”
The Relevant Case At A Glance
This case, Doe v. Eating Recovery Center LLC, No. 23cv5561 (N.D. Cal.), is like so many other CIPA lawsuits. The plaintiff claimed the defendant, a company that treats people for eating disorders, violated CIPA because the defendant’s website had the Meta Pixel. The Meta Pixel was intended to increase the defendant’s internet advertising so it could help more people with eating disorders. After visiting the defendant’s website, the plaintiff began receiving Facebook ads for mental health services.
The plaintiff filed a class action lawsuit claiming, among other things, the defendant’s use of the Meta Pixel violated CIPA’s prohibition against unlawful wiretaps. After two years of litigation, the court issued its order granting the defendant’s motion for summary judgment. Judge Chhabria concluded that CIPA had not been violated because “Meta did not read, attempt to read, or attempt to learn the contents of [plaintiff’s] communications with [the company] while those communications were in transit.”
Should CIPA Be Scrapped Entirely?
While Judge Chhabria’s statutory analysis and reasoning are interesting (to lawyers, at least) and worth a read, his thoughts about CIPA are searing and memorable. Judge Chhabria called CIPA “virtually impossible to apply” in the “online world” because it “was not drafted with the internet in mind.” It was written with “very different technology in mind, and it does not map properly onto the internet.”
But “even aside from the internet issue, the statute is just badly drafted,” according to Judge Chhabria. As a result, Judge Chhabria declared that “we have reached the point where it’s often borderline impossible to determine whether a defendant’s online conduct fits within the language of the statute.” He observed that courts are therefore “issuing conflicting rulings” and “companies have no way of telling whether their online business activities will subject them to liability.”
Judge Chhabria called on other judges not to “contort themselves to fit” a website’s operation “into the language of a 1967 criminal statute about wiretapping.” Instead, “courts should generally resolve CIPA’s many ambiguities in favor of the narrower interpretation” because CIPA imposes criminal penalties.
Judge Chhabria also called on the Legislature to “step up” and “go back to the drawing board on CIPA. Indeed, it would probably be best to erase the board entirely and start writing something new.” (Emphasis added.) “Under these circumstances, it is imperative for the Legislature to bring CIPA into the modern age and to speak clearly about how the kinds of activities at issue in this case should be treated.”
It is not common to see a federal judge issue a court order that calls a state law “badly drafted,” describes an entire field of litigation as a “total mess,” or tells a state legislature it needs to “step up,” “go back to the drawing board,” and erase a law “entirely” and write “something new.” But Judge Chhabria managed to fit all that in a twelve-page order.
No Relief In Sight
Unfortunately, there is no reason to believe the California Legislature will answer Judge Chhabria’s call to “step up” anytime soon. In April 2025, the Legislature introduced SB690, which was intended to revise CIPA. SB690 was supposed to end the overwhelming amount of “vexatious litigation” that used CIPA to “prey on small business owners and non-profits who cannot afford to defend themselves even though they are in compliance with existing law.”
But the Legislature failed to deliver. By the summer of 2025, the bill was done for due to the overwhelming amount of lobbying from special interest groups. The bill would not advance in the 2025 legislative session, although there’s a possibility it could be taken up again in 2026.
So What Now?
Judge Chhabria’s Order underscores the uncertainty that companies face when using digital tracking technologies to monitor website visitor activity, collect analytics, or engage in targeted advertising. In the face of these circumstances, website operators should continue to do the following:
- Review and Reevaluate Data Collection Practices: Businesses using third-party tools, like the Meta Pixel or pixels associated with other social media companies or data brokers, should consult with experienced counsel to review and reassess their data collection and sharing practices to minimize risks.
- Prepare for Ambiguity: Given the lack of clear legal guidance, businesses should anticipate potential challenges when interpreting privacy laws like CIPA and be prepared for evolving court decisions.
- Advocate for Legislative Change: Businesses should consider joining calls for legislative reform to clarify the application of CIPA to online activities.
For more information on data privacy, please contact Jason Kelly, Esq., AIGP, CIPP/US/E at jason@annagueymccann.com.

