California Federal Court Narrows CIPA “In-Transit” Liability for Common Website Advertising Technology

Judge Urges Legislature to “Erase the Board Entirely” and Rewrite Privacy Law for the Digital Age

A California federal court has significantly limited potential liability under the state’s decades-old wiretap law for companies using common website analytics and advertising tools.

In Doe v. Eating Recovery Center LLC, No. 23-CV-05561 (N.D. Cal. Oct. 17, 2025), Judge Vince Chhabria of the U.S. District Court for the Northern District of California granted summary judgment to Eating Recovery Center (“ERC”), holding that the use of the Meta Pixel on ERC’s website did not violate the California Invasion of Privacy Act (“CIPA”) because Meta did not “read” user communications while they were “in transit.”

Judge Chhabria’s opinion goes further than most. He called CIPA “a total mess,” criticized its “already-obtuse language,” and urged the California Legislature “to step up” and modernize the statute for the realities of the internet era.

Background: CIPA Meets Modern Ad Tech

The plaintiff, identified as Jane Doe, alleged that after visiting ERC’s website to research anorexia treatment options, she later received targeted social-media advertisements. She claimed that ERC’s use of the standard Meta Pixel caused Meta Platforms, Inc. to receive sensitive URL and event data reflecting her activity on the site.

Doe asserted violations of CIPA § 631(a), the California Medical Information Act (CMIA), the Unfair Competition Law (UCL), and unjust enrichment. Only the CIPA, CMIA, and unjust enrichment claims reached summary judgment.

In a separate order, the court disposed of the CMIA and unjust enrichment claims, holding that Doe was not a “patient” under the CMIA and that ERC was not unjustly enriched. The CIPA claim, however, raised a more consequential question for countless businesses that rely on embedded tracking code.

The Court’s Decision

The case turned on two contested elements under § 631(a):
(1) whether the event data constituted “contents” of a communication; and
(2) whether Meta read, attempted to read, or learned those contents while the communication was “in transit.”

URLs as “Contents”

Judge Chhabria held that URLs and associated click events can qualify as contents, reasoning that they may reveal substantive information about user intent and activity. This view diverges from some courts that have classified similar data as mere metadata.

No “Reading” While in Transit

The court nevertheless found no interception. Relying on testimony about Meta’s internal filtering processes, Judge Chhabria concluded that Meta processed data only after ERC received it, not contemporaneously.

“Before logging the data that it obtains from websites,” the court noted, “Meta filters URLs to remove information it does not wish to store (including information that Meta views as privacy-protected).”

That post-receipt filtering meant Meta was not “reading” communications “in transit.” Expanding that term, the court cautioned, would criminalize ordinary website analytics and advertising functions.

Rule of Lenity and Statutory Redundancy

Because CIPA is a criminal statute that carries punitive civil penalties, the court applied the rule of lenity, adopting a narrow reading. A broader interpretation, it reasoned, would also make the statute’s companion provision—§ 632, governing eavesdropping and recording—largely redundant.

In the end, the court held that Meta did not read or attempt to learn the contents of Doe’s communications while they were in transit, granting summary judgment to ERC.

A Statute “Virtually Impossible” to Apply Online

In unusually direct language, Judge Chhabria described CIPA as “virtually impossible to apply … to the online world.” He called the statute “a mess from the get-go” and urged lawmakers to revisit the law entirely:

“It would probably be best to erase the board entirely and start writing something new.”

The opinion reflects growing judicial frustration with applying analog-era privacy laws—enacted in 1967 to curb wiretapping—to modern web interactions that involve ubiquitous tracking, analytics, and data exchange.

Implications for Businesses and Counsel

1. Narrower Path to CIPA Liability

The ruling draws a clear distinction between real-time interception and post-receipt processing. Website operators that use standard analytics or advertising pixels now have a stronger defense against “in-transit” interception claims under § 631(a).

2. But “Contents” Remain Unsettled

The court’s acknowledgment that URLs and click data can be “contents” leaves an opening for plaintiffs in other contexts. Courts remain split on the content-versus-metadata distinction, and outcomes may depend on the nature of the data transmitted.

3. Exposure Under Other Laws

Even if CIPA claims become harder to sustain, companies could still face risk under other California statutes—CMIA and CCPA—especially when sensitive or health-related information is involved.

4. Compliance and Governance Steps

Organizations should continue to:

• Map and document data flows from tracking technologies.

• Eliminate sensitive identifiers from URLs and event strings.

• Ensure privacy notices accurately describe pixel use.

• Review vendor contracts for data-sharing limitations and indemnity.

• Implement privacy-by-design and data-minimization principles across marketing and analytics teams.

5. The Road Ahead

The court’s pointed call for reform will likely accelerate legislative debate over modernizing CIPA. If lawmakers take up the invitation, the statute could be rewritten to clarify “in-transit” communications and align with federal and state privacy frameworks.

Conclusion

Doe v. Eating Recovery Center is a pragmatic recalibration of CIPA in the context of modern web technologies. It narrows “in-transit” liability and underscores judicial skepticism toward stretching mid-20th-century statutes to fit digital advertising tools.

For corporate counsel, the decision offers welcome clarity but not carte blanche. Plaintiffs’ lawyers continue to pursue pixel-based privacy suits, and parallel statutes—particularly the CCPA and CPRA—remain active fronts.

The message from Judge Chhabria is clear: CIPA may survive in name, but without legislative intervention, its relevance in the digital age will continue to erode.