CIPA Standing Roundup: Article III standing in Pen Register and Trap and Trace Cases Following Popa v. Microsoft Corporation
In late August of this year, the Ninth Circuit in Popa v. Microsoft Corporation held that “there existed no free-roaming privacy right at common law” and clarified that an alleged violation of a statutory privacy right on its own does not automatically constitute a concrete injury sufficient for Article III standing.[1] Instead, the Ninth Circuit explained, courts assessing whether a plaintiff has Article III standing to sue for such a violation must “assess whether an individual plaintiff has suffered a harm that has traditionally been actionable in our nation's legal system” by look[ing] to the specific underlying harm experienced by the plaintiff and compar[ing] it, in detail, to a specific common-law tort.”[2] Applying this standard, the Ninth Circuit found that the plaintiff in Popa lacked Article III standing to assert her claims under Pennsylvania’s wiretapping statute or for common law intrusion upon seclusion. She failed to show how the alleged tracking of her interactions with the pet food website she visited "caused her to experience any kind of harm that [wa]s remotely similar to the highly offensive interferences or disclosures actionable at common law” as privacy intrusion torts.
In the wake of Popa, district courts have grappled with applying it in cases involving other privacy statutes. Recently, in Gabrielli v. Haleon and Khamooshi v. Politico LLC, two district courts applied Popa’s standing analysis to pen register and trap and trace claims under the California Invasion of Privacy Act (“CIPA”). These courts reached different conclusions, finding standing in one case but not the other. A close review of the decisions sheds some potential light on the differing results and suggests that, in assessing Article III standing for CIPA pen register and trap and trace claims in the wake of Popa, courts will pay attention to the nature of the data involved and the plaintiff’s interaction with the website at issue. Below, we provide a background on pen register and trap and trace claims under CIPA and look at the Article III standing analysis for such claims before and after Popa.
Background on Pen Register and Trap and Trace Claims
Section 638.51 of CIPA prohibits the installation or use of a pen register or a trap and trace device without first obtaining a court order. Section 638.50(b) defines a pen register as a device or process that records or decodes “dialing, routing, addressing, or signaling information” transmitted by an instrument or facility from which a wire or electronic communication is sent, but does not include the contents of the communication itself. Section 638.50(c) defines a trap and trace device as a device or process that captures incoming electronic impulses likely to identify the originating number or other dialing information, revealing the source of a wire or electronic communication but not the communication’s content.
Over the past year, businesses with consumer-facing websites have been the target of a wave of lawsuits under this statute, stemming from the use of widely adopted online advertising technologies like web beacons, cookies, and pixels. The plaintiffs’ theory in these cases is that these advertising technologies are unlawful pen registers or trap and trace devices because they can capture, for example, visitor IP addresses before visitors can consent. Some cases also allege violations through collection of other types of information, such as browser and device data, browsing activity, or geolocation information.
Article III Standing in Pen Register Cases Pre-Popa
To have Article III standing for a claim in federal court, a plaintiff must show an “injury in fact,” or an invasion of a legally protected interest that is “concrete and particularized.”[3] Before Popa, two key cases shaped the Article III analysis in cases involving CIPA claims: In re Facebook, Inc. Internet Tracking Litigation and TransUnion LLC v. Ramirez.
In 2020, the Ninth Circuit’s opinion in In re Facebook, Inc. Internet Tracking Litigation held that CIPA and other privacy statutes “codify a substantive right to privacy, the violation of which gives rise to a concrete injury sufficient to confer standing” for two reasons.[4] First, violations of the right to privacy have long been actionable at common law, and second, the legislature intended to protect these historical privacy rights when they enacted these statutes.[5]
In 2021, the U.S Supreme Court issued its order in Transunion explaining that to have standing, a plaintiff must demonstrate “a concrete injury even in the context of a statutory violation.”[6] Under Transunion, intangible injuries may be concrete if they have a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.”[7] This conclusion departed from the Ninth Circuit’s finding in Facebook that a violation of certain privacy statutes was alone sufficient to show a concrete injury.
Following Facebook and TransUnion, district courts framed the standing analysis applicable to assert pen register and trap and trace claims in different ways, with varying outcomes. For example, one district court held that “violations of plaintiffs’ statutory rights under CIPA, even without more, constitute injury in fact because instead of a bare technical violation of a statute, a CIPA violation involves a violation of privacy rights.”[8] Other courts reasoned that, “[w]hile in certain circumstances intrusion on privacy alone can be a concrete injury, the nature of the injury turns on whether a plaintiff has a legitimate expectation of privacy.”[9] In Mitcherner v. CuriosityStream and Kishnani v. Royal Caribbean Cruises Ltd., for example, a district court dismissed, with prejudice, two substantively identical complaints asserting trap and trace claims for lack of standing because the plaintiffs had alleged only the capture of their IP address, information over which internet users have no reasonable expectation of privacy.[10]
Enter Popa v. Microsoft Corporation
Popa involved claims under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act and for common law intrusion upon seclusion based on the use of session-replay technology. Relying on In re Facebook, Inc. Internet Tracking Litigation and other cases, the plaintiff in Popa argued that a plaintiff necessarily enjoys Article III standing when suing under a statute that protects a substantive right to privacy. The Ninth Circuit rejected this argument.
The court explained that, at common law, there existed no free-roaming privacy right but rather four discrete torts that protected specific kinds of privacy harms: 1) intrusion upon seclusion; 2) appropriation of another person’s name or likeness; 3) publicity given to another person’s private life, and 4) publicity that places one in a false light.[11] To have standing, a plaintiff must identify a harm similar to the harms protected by these torts.[12] In this case, the website the plaintiff interacted with involved pet supplies, and she “at most” alleged the disclosure of her pet-store preferences and her street name, along with some device and browser data. Because the information collected by the session-replay technology did not include “any embarrassing, invasive, or otherwise private information,” the plaintiff could not show she experienced a harm like the “highly offensive” interferences or disclosures actionable at common law. Indeed, the court found that the alleged monitoring of the plaintiff’s interactions with the website was instead more like a store clerk “observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales.” As a result, the plaintiff lacked standing to assert her claims.
Notably, in reaching this conclusion, the Ninth Circuit observed that it “need not revisit” Facebook because Facebook’s alleged compilation of personally identifiable browsing history had occurred “no matter how sensitive’ or personal users’ browsing histories were,” and thus that decision did not stand for the proposition that any statutory privacy violation is per se actionable.[13]
Post-Popa Article III Standing in CIPA Pen Register and Trap and Trace cases[14]
Following Popa, two courts in the Northern District of California have applied Popa’s Article III standing analysis to pen register and trap and trace claims, reaching opposite results.
In Gabrielli v. Haleon US Inc., No. 25-CV-02555-WHO, 2025 WL 2494368 (N.D. Cal. Aug. 29, 2025), a district court applied the standing framework in Popa to find that the plaintiff had standing to assert his trap and trace claim. There, the plaintiff’s claim was premised on the defendant’s use of third-party cookies, which allegedly collected information such as browsing history, website interactions, and user input data. Two allegations were key to the court’s holding. First, plaintiff alleged that the defendant’s websites ignored the plaintiff's rejection of cookies—an act that deprived him of control over his personal information. Second, defendant’s websites were related to healthcare, such that information users—and indeed, plaintiff—input on these websites was “likely more sensitive” than the data associated with the plaintiff’s visit to a pet food website in Popa.
In Khamooshi v. Politico LLC, No. 24-CV-07836-SK, 2025 WL 2822879 (N.D. Cal. Oct. 2, 2025), a district court concluded that Popa “controls” and held that Plaintiffs lacked Article III standing to assert a pen register/trap and trace claim under CIPA. The court reached this conclusion because, as in Popa, the plaintiffs failed to allege the collection of any “embarrassing, invasive, or otherwise private information.” Plaintiffs had broadly alleged the collection of IP addresses, browser and device data, browsing activity, geolocation information, and “device fingerprints.” The court held that while some types of browsing activity and geolocation information implicate protectable privacy interests, others do not, and “absent specific allegations about the type of browsing and geolocation information disclosed, these categories of information are insufficient to support a concrete privacy injury." The court also rejected the plaintiffs’ argument that they had suffered an economic harm sufficient for Article III standing
Takeaways
The above opinions out of the Northern District of California are the first to address Article III standing in pen register and trap and trace cases under CIPA following the Ninth Circuit’s opinion in Popa. While it remains to be seen how other district courts will interpret and apply Popa, it appears likely that a plaintiff’s allegations about the nature of their website interactions and the sensitivity of the data collected will continue to be relevant factors to the Article III standing analysis in these cases. As the courts continue to grapple with Article III standing in CIPA and other privacy cases in the wake of Popa, we recommend that website operators consult with qualified legal counsel to fully understand potential risks in this developing legal landscape.
***
[1] Popa v. Microsoft Corp., No. 24-14, 2025 WL 2448824, at *6 (9th Cir. Aug. 26, 2025)
[2] Id. at *4 (emphasis in original).
[3] Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016), as revised, (May 24, 2016)
[4] In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 598 (9th Cir. 2020)
[5] Id.
[6] TransUnion LLC v. Ramirez, 594 U.S. 413, 442 (2021)
[7] Id.
[8] Conohan v. Rad Power Bikes Inc., No. CV 25-0106 PVC, 2025 WL 1111246, at *5-*6 (C.D. Cal. Apr. 3, 2025), citing Licea v. Cinmar, LLC, 659 F. Supp. 3d 1096, 1103 (C.D. Cal. 2023).
[9] Mitchener v. CuriosityStream, Inc., No. 25-CV-01471-NW, 2025 WL 2272413, at *3 (N.D. Cal. Aug. 6, 2025); see also Kishnani v. Royal Caribbean Cruises Ltd., No. 25-CV-01473-NW, 2025 WL 1745726, at *5 (N.D. Cal. June 24, 2025); Khamooshi v. Politico LLC, No. 24-CV-07836-SK, 2025 WL 1408896, at *4 (N.D. Cal. May 13, 2025); Xu v. Reuters News & Media Inc., No. 24 CIV. 2466 (PAE), 2025 WL 488501, at *5 (S.D.N.Y. Feb. 13, 2025)(same)
[10] Mitchener , 2025 WL 2272413, at *3; Kishnani , 2025 WL 1745726, at *5 .
[11] Popa, 2025 WL 2448824, at *6, citing Nabozny v. Optio Sols. LLC, 84 F.4th 731, 735 (7th Cir. 2023).
[12] Id.
[13] Id. at *8, citing In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 598 (9th Cir. 2020)
[14] This summary is limited to cases analyzing Article III standing. As of this writing, one case has found that Popa does “not implicate statutory standing under CIPA." Deivaprakash V. Conde Nast Digital, No. 25-CV-04021-RFL, 2025 WL 2779193, at *1-2 (N.D. Cal. Sept. 30, 2025).