A PYMNTS Company

Federal Judge Dismisses Privacy Claim Over Pixel Use, Slams California Statute

October 29, 2025

A federal district judge slammed California’s decades-old privacy law as unfit for the digital age and urged the state legislature to “step up” and bring the California Invasion of Privacy Act (CIPA) “into the modern age.”

    In a scathing 12-page order, Judge Vince Chhabria of the Northern District of California dismissed claims brought under the law by a Jane Doe defendant against Eating Recovery Center (ERC) over its use of a third-party tracking pixel for analytics.

    “The language of CIPA is a total mess,” Chhabria wrote. “It was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA’s already-obtuse language to new technologies.”

    CIPA was passed in 1967 to address the increasing use of wiretapping to eavesdrop on private phone conversations. Although a criminal statute, it also allows plaintiffs to bring private civil actions.

    “The state of affairs with CIPA is untenable,” Chhabria declared. “Courts are issuing conflicting rulings, and companies have no way of telling whether their online business activities will subject them to liability… It would be bad enough if CIPA were merely a civil statute that allowed plaintiffs to recover actual damages for violations. But CIPA imposes criminal liability and punitive civil penalties.”

    Tracking pixels are invisible bits of code inserted into websites that collect data on user behavior and transmit it to a third party for analytics and ad targeting. Their widespread use has been the focus of a proliferating collection of lawsuits in recent years brought under various state and federal privacy laws, including CIPA. In the ERC case, the defendant used a pixel from Meta Platforms that is used by 47% of websites, according to a 2024 Lokker report.

    According to Judge Chhabria, CIPA is at best an awkward fit for assigning liability for pixel use.

    “[W]e have reached the point where it’s often borderline impossible to determine whether a defendant’s online conduct fits within the language of the statute,” he wrote. “[L]iability here turns on whether the third party “read” or “attempt[ed] to read” or attempted “to learn” the contents of an internet communication between the plaintiff and the website operator while that communication was “in transit.” If so, the website operator could be liable to the plaintiff under CIPA for enabling the third party to engage in that conduct.”

    In addition to his criticism of the law, Chhabria took the unusual step for a federal judge of calling directly on a state legislature to change it.

    “As difficult as it is to apply CIPA to the physical world, it’s virtually impossible to apply it to the online world,” he wrote in a concluding paragraph. “Hopefully, the Legislature will go back to the drawing board on CIPA. Indeed, it would probably be best to erase the board entirely and start writing something new. But until that happens, courts should not contort themselves to fit the type of conduct alleged in this case into the language of a 1967 criminal statute about wiretapping.”