CIPA in Crisis: The Northern District’s Rebuke in Doe v. Eating Recovery Center LLC
- East West General Counsel
- Oct 28
- 3 min read
On October 17, 2025, Judge Vince Chhabria of the Northern District of California issued an opinion that many privacy practitioners have anticipated for years. In Doe v. Eating Recovery Center LLC, 2025 WL 2971090 (N.D. Cal. Oct. 17, 2025), the court granted summary judgment in favor of the defendant and took direct aim at the statutory morass known as the California Invasion of Privacy Act (“CIPA”). Calling the statute “a total mess,” the court urged the California Legislature to “erase the board entirely and start writing something new.”
1. The Case and Its Context
CIPA, enacted in 1967 to combat wiretapping of telephone conversations, has recently been weaponized against website operators using standard analytics and advertising tools such as the Meta Pixel. Plaintiffs’ lawyers have attempted to characterize these pixels as “interceptions” of website communications under Penal Code §§ 631 and 632.
In Doe, the plaintiff alleged that Eating Recovery Center (“ERC”) violated CIPA by deploying the Meta Pixel on its website. The court, however, found no evidence that ERC “read, attempted to read, or attempted to learn the contents” of Doe’s communications “while in transit,” as CIPA requires. The claims therefore failed as a matter of law.
2. A Statute Out of Time
Judge Chhabria’s frustration was unmistakable. He acknowledged that the CIPA’s “already-obtuse language” predates the Internet by nearly three decades and was never intended to regulate passive website tracking. As he put it, the statute “was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change.”
The court further emphasized a crucial but often overlooked point: CIPA is a criminal statute that carries punitive civil penalties. Accordingly, the Rule of Lenity applies even in civil litigation. Ambiguities must be resolved in favor of defendants. Under that narrower interpretation, ERC’s alleged online activity simply does not fit within the statute’s prohibitions.
3. Legislative Paralysis
The opinion reflects a growing judicial consensus that CIPA’s text cannot bear the weight of modern privacy litigation. Yet the Legislature has been slow to respond. Senate Bill 690, which sought to clarify that CIPA does not apply to ordinary commercial website tracking, unanimously passed the Senate in June 2025 but stalled in the Assembly. The earliest possible reconsideration will be 2026, leaving courts — and businesses — in limbo.
Judge Chhabria’s opinion effectively invites lawmakers to start over, observing that companies currently “have no way of telling whether their online activities will subject them to liability.”
4. Practical Takeaways for Businesses
Until statutory reform occurs, CIPA litigation will remain unpredictable. The Doe ruling offers persuasive authority for defendants, but conflicting decisions across California mean exposure persists. In this environment:
Review and test consent management tools to ensure banner functionality aligns with disclosures.
Maintain internal documentation demonstrating data minimization and vendor due diligence.
Monitor legislative developments, particularly any reintroduction or revision of SB 690.
Consider early motion practice where CIPA claims rest solely on pixel or cookie use, as Doe strengthens the narrow-construction argument.
5. The Path Forward
The Doe decision represents more than a defense victory — it is a judicial appeal for legislative clarity. Unless and until the Legislature modernizes CIPA, courts will continue to wrestle with how a 1960s wiretap law applies to twenty-first century data flows. For now, Judge Chhabria’s ruling signals that at least some judges are prepared to halt the expansion of criminal liability into the realm of routine web analytics.
Comments