All insights
Jurisdiction ComparisonJuly 3, 2026 8 min read

The Pen-Register Split: Why the Same Tracker Survives in One California Court and Fails in Another

CIPA's trap-and-trace theory has produced opposite results blocks apart. A map of where the pixel-as-pen-register argument has lived and died — and what separates the rulings.

Risk intelligence, not legal advice. The patterns below are indicators that have appeared in real litigation or enforcement — not proof of a violation, and not a substitute for counsel.

Of all the website-tracking theories in circulation, the CIPA pen-register argument may be the most jurisdiction-dependent. The same conduct — a tracking pixel that records a visitor's IP address and routing metadata — has been allowed to proceed in one courthouse and dismissed with prejudice in another, sometimes within the same county and the same year. For anyone assessing exposure, where a case is filed has come to matter as much as what the website did.

This is a map of that divide, as it stands in mid-2026. It is risk intelligence, not legal advice, and the terrain is still moving.

Why jurisdiction matters so much here

CIPA's Section 638.51 bars the unauthorized use of a "pen register" or "trap and trace device," which the statute defines as a device or process that captures the "dialing, routing, addressing, or signaling information" of a communication, but not its contents. The provision was written for telephone surveillance. The entire dispute is whether that telephone-era language can stretch to cover web trackers — and judges have answered that interpretive question differently, which is exactly the kind of disagreement that produces a forum-driven split rather than a clean rule.

Because the question is statutory interpretation rather than fact-finding, early rulings calcify quickly into competing lines of authority that later courts cite against each other.

The plaintiff-friendly line: "device or process," read broadly

The theory's foothold came from federal court. In Greenley v. Kochava (S.D. Cal. 2023), the court read CIPA's "device or process" language expansively, reasoning that software performing data "fingerprinting" could qualify as a pen register because the statute focuses on the type of information captured, not the physical form of the tool. Moody v. C2 Educational Systems (C.D. Cal. 2024) similarly let a pen-register theory survive a motion to dismiss.

That line has not disappeared. In late 2025, the Southern District of California allowed claims to proceed in Camplisson v. Adidas America on the view that common trackers — including the TikTok pixel and Microsoft Bing trackers — could fall within the wiretapping and pen-register framing, enough to clear the pleading stage. The through-line in these decisions is a textual one: the statute says "process," websites use processes, and at the motion-to-dismiss stage the plaintiff gets the benefit of the doubt.

The defense-friendly line: a telephone statute, not a website statute

Against that sits a growing and increasingly confident line of dismissals, concentrated in — though not limited to — California state courts.

Several federal courts declined to extend the theory: Kishnani v. Royal Caribbean Cruises (N.D. Cal., June 2025) and Mitchener v. Talkspace Network (C.D. Cal., June 2025) both dismissed pen-register claims. State courts went further. In Price v. Headspace (Cal. Super., April 2025), a California state court dismissed the theory. In January 2026, an Orange County Superior Court judge sustained a demurrer without leave to amend in Blalock v. EquipmentShare.com, expressly rejecting the reasoning in Greenley and related cases that had pushed the pen-register provisions into internet tracking. By April 2026, a Los Angeles judge dismissed a near-identical pen-register claim (Heiting v. Wildflower Brands) with prejudice, describing the provisions as designed for telephone surveillance rather than commercial websites. The state-court decision in Blaker v. NetScout Systems (May 2026) reinforced the point, holding that Section 638.51 reaches telephonic communications rather than software on a commercial website.

The reasoning in this line is purposive and historical: the Legislature built these provisions around telephone metadata, the argument runs, and reading them onto routine web analytics distorts the statute beyond recognition.

Where the same conduct lands differently

The practical picture in mid-2026 looks like this:

  • California state courts have trended sharply toward dismissal, increasingly treating the pen-register theory as inapplicable to websites as a matter of law.
  • Federal courts in California are genuinely split — the Greenley/Moody line and at least one 2026 Southern District ruling have let claims proceed, while other district judges have dismissed.
  • Standing is an independent filter in federal court: where only generic device or browser metadata was collected, some judges have found no concrete injury sufficient for Article III, an analysis that has no exact state-court analogue.

The upshot is uncomfortable but real: an identical pixel configuration can clear the pleading stage in one federal courtroom and be dismissed as a matter of law in a state court down the street. Defendants increasingly weigh removal and forum questions accordingly, and plaintiffs file with the split firmly in mind.

What this means for assessing a site

Because the legal question is so forum-sensitive, the durable move is to focus on the underlying behavior rather than predict an outcome. The facts that matter across every version of the theory are observable:

  • Whether trackers transmit IP address and routing metadata on load.
  • Whether search-bar inputs are routed to third parties under the trap-and-trace variant.
  • What identifiers accompany those requests, and whether anything fires before consent.
  • How sensitive the collected data is — which drives the standing analysis in federal court.

A scan cannot tell you which courtroom your case would land in, and the law here may look different in a year. But it can show you whether your pages exhibit the exact pattern at the center of the split, which is the part within your control. For the statutory background, see our CIPA explainer; for the consent-timing dimension, see our coverage of the millisecond problem.

[Jurisdiction map: California courts shaded by whether pen-register website theories have survived or been dismissed] [Timeline of key Section 638.51 website rulings, 2023 to 2026]

Sources

See what your own pages do

The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.

Run a free scan

Keep reading