For the past several years, plaintiffs’ lawyers have been testing the outer limits of California’s Invasion of Privacy Act (CIPA), wielding a statute originally designed to combat telephone wiretapping as a blunt instrument against virtually every form of routine website analytics. If your company operates a website and uses third-party tracking tools, you have almost certainly felt the pressure of this litigation wave, whether through demand letters, threatened class actions, or the quiet anxiety of wondering whether your analytics stack creates exposure.
That landscape just shifted meaningfully in your favor.
On May 27, 2026, Los Angeles County Superior Court issued what is being recognized as a significant ruling in Blaker v. NetScout Systems, Inc., sustaining NetScout’s demurrer and dismissing all claims with prejudice. The court held that CIPA’s pen register and trap and trace provisions apply to telephone communications, not to software operating on commercial websites.
What Was at Stake
The plaintiff alleged that NetScout deployed a software development kit (SDK) supplied by a third-party vendor on its commercial website and that this tool collected and transmitted visitor data in violation of California Penal Code § 638.51. That statute prohibits the installation or use of a pen register or trap and trace device without a court order or consent and carries statutory damages of up to $5,000 per violation with no requirement to show actual harm. For plaintiffs’ firms, it has been an attractive vehicle precisely because of that damages structure: file enough claims against enough companies, and the economics work even if the legal theory is a stretch.
Since 2023, this theory has been applied to TikTok and Meta pixels, identity resolution tools, session replay software, and standard web analytics—essentially any third-party technology that captures information about who is visiting a site and how they interact with it. The volume of litigation grew significant enough that the California legislature took notice. SB 690, introduced in 2025, would have clarified that these provisions were not intended to reach ordinary commercial web analytics. The bill is still pending, leaving the courts to resolve the question.
How the Court Got There
Judge Roberts grounded his analysis in the text of the statute. The pen register and trap and trace provisions were added to CIPA in 2015, well after the internet had become a fixture of commercial life. The court observed that § 638.51 repeatedly references a “telephone line” and is built around telephony-specific concepts such as “dialing,” “routing,” and “originating number.” These are not incidental word choices. They reflect what the legislature was actually targeting.
The court drew a pointed inference from the timing of the statute’s enactment: commercial websites, third-party tracking technologies, and other analytics tools were not new or obscure in 2015. If the legislature had intended § 638.51 to cover them, it could have said so outright. It did not.
It’s also worth noting that the court dismissed the claims with prejudice, meaning it refused to grant leave to amend. The court’s conclusion was not that the complaint was drafted poorly; it was that no set of facts could state a valid claim under this theory. The defect was in the legal theory itself.
Why the Ruling Is Significant
It gives defendants a powerful early exit. One of the most frustrating features of CIPA pen register litigation has been that even obviously weak claims can survive long enough to generate settlement pressure. The NetScout ruling gives defendants solid persuasive authority to challenge these claims at the demurrer or motion to dismiss stage, before significant litigation costs accumulate.
It pushes back on statutory overreach. CIPA was enacted in 1967. Its pen register provisions were added in 2015. Neither was designed with a company’s website analytics dashboard in mind. Applying a telephone wiretapping statute to SDKs and web pixels stretches the language well past its breaking point, and courts are increasingly saying so.
It weakens the affirmative consent argument. A core premise of plaintiffs’ CIPA pen register claims is that companies must obtain affirmative, opt-in consent before deploying any third-party data collection tool on their websites. If § 638.51 doesn’t apply to websites at all, that premise collapses. Companies that have been managing significant operational and marketing trade-offs to defend against this theory should take note.
What to Keep in Mind Going Forward
The NetScout ruling is a state superior court decision. It is persuasive authority, not binding precedent, and plaintiffs’ lawyers will continue filing claims while the issue works its way toward appellate review. The pen register theory was also never the only approach available to plaintiffs; there are several other CIPA claim approaches that remain actively litigated and are not directly addressed by this ruling.
Questions about your company’s CIPA exposure or website tracking practices?
If you want to assess whether your current technology stack creates risk, please reach out. We’re happy to help.