In a first-of-its-kind ruling, Los Angeles County Superior Court Judge Gary Roberts held that the California Invasion of Privacy Act’s pen register and trap-and-trace provisions apply only to telephone communications, not to software used on commercial websites.
The Case
The plaintiff alleged that NetScout Systems, Inc. deployed an SDK (software development kit) supplied by X Corp. on its website, and that this software collected and transmitted visitor data. The key factual dispute was whether an SDK on a commercial website falls within CIPA’s pen register and trap-and-trace provisions or whether those provisions apply only to telephone communications.
The Court’s Reasoning
The court reached its conclusion through careful statutory construction. Judge Roberts examined the structure of Penal Code § 638.51 and found multiple indicators that the provisions were designed for telephonic surveillance:
- The statute repeatedly references a “telephone line”
- It uses telephony-specific terms like “dialing,” “routing,” and “telephone communications”
- The legislative framework centers on recording calls and tracking phone numbers
The court also considered when the provisions were enacted. They were added in 2015, when the internet was already widespread and commercial websites were common. If the legislature had intended to subject ordinary web analytics to CIPA’s strict requirements, the court reasoned, it could have expressly included commercial websites in the statutory text. The legislature did not do so, the court concluded, signaling that the provisions were not meant to extend to website tracking.
The court sustained NetScout’s demurrer and dismissed the claims with prejudice, denying leave to amend. The dismissal was with prejudice because the defect was not a pleading problem that could be fixed—rather, it was a question of statutory scope.
Why It Matters
The NetScout decision is being hailed as a “first-of-its-kind” ruling that could reshape privacy litigation in California. For companies hit with CIPA claims, the decision provides a powerful tool to challenge lawsuits early.
Even so, courts still expect transparent disclosures and respect for opt-out preferences under the CCPA/CPRA. CIPA is not the only risk companies face. Proactive compliance remains essential as digital tracking litigation continues to surge.
