In a sharply worded opinion, U.S. District Judge Vince Chhabria recently granted summary judgment in favor of the Eating Recovery Center (ERC) in a privacy lawsuit that has reignited debate over the California Invasion of Privacy Act (CIPA). The case, brought by a plaintiff identified as Jane Doe, accused ERC of violating CIPA by embedding Meta’s Pixel tracking code on its website, allegedly allowing Meta to intercept sensitive user data.
The lawsuit comes amid a growing number of cases in which consumers allege that companies violate California’s anti-wiretap law by sharing ad-targeting data with Meta, Google, and other third parties through website analytics tools.
The Case at a Glance
Jane Doe, a California resident diagnosed with anorexia, visited ERC’s website to explore treatment options. She later received targeted ads on Facebook and emails that appeared to reflect her specific health concerns. Doe claimed that ERC’s use of Meta’s Pixel enabled Meta to intercept her communications with the website, violating CIPA’s prohibition against reading or attempting to read communications “in transit” without consent.
The case hinged on two central questions:
- Were the intercepted data the “contents” of a communication?
- Were those contents accessed while “in transit”?
Judge Chhabria ruled that the communications were not intercepted “in transit,” as required by the statute. He emphasized that Meta’s filtering process, which sorts data before storing it, does not equate to “reading” the contents of a communication in transit. The judge likened this to sorting mail rather than reading it, concluding that the statute’s language does not support liability in this context.
While the court acknowledged that URL and event data could constitute the “contents” of a communication, it found that Meta did not access this data while it was in transit. The judge applied the “rule of lenity,” which requires courts to interpret ambiguous criminal statutes narrowly — even in civil cases — to avoid unjust punishment.
The Problem with CIPA’s Language
The ruling is notable not just for its outcome, but for Judge Chhabria’s scathing critique of CIPA itself. Enacted in 1967 to combat wiretapping and eavesdropping, CIPA was never designed with internet technologies in mind. Chhabria described the law as “a total mess,” stating that its language is “already-obtuse” and increasingly difficult to apply to modern digital contexts.
He noted that courts are issuing conflicting rulings, leaving companies uncertain about whether their online practices expose them to liability. This ambiguity is especially problematic given that CIPA imposes both criminal penalties and punitive civil damages.
Is Legislative Reform the Path Forward?
Judge Chhabria’s opinion is an explicit call to action for California lawmakers. He urged the legislature to “go back to the drawing board” — or better yet, “erase the board entirely and start writing something new.” The current state of CIPA, he argued, is untenable for both courts and companies navigating the digital landscape.
Earlier in 2025, California’s Senate considered a bill to modernize CIPA by allowing companies to access communications for “commercial business purposes,” including advertising and internal research. However, that bill stalled in the Assembly, leaving reform in limbo.
The ERC case underscores the urgent need to update legacy laws for the digital age. As technologies evolve and data flows become more complex, statutes like CIPA create significant confusion for businesses trying to comply. Until clarity arrives, businesses can work to mitigate risk by closely evaluating their website integrations using existing case law as a guide, even if an imperfect one.