Skip to site navigation Skip to main content Skip to footer content Skip to Site Search page Skip to People Search page

Bylined Articles

CIPA May Not Be Necessary To Protect Ad Tech Plaintiffs

By Justin Donoho
June 6, 2025
Law360

CIPA May Not Be Necessary To Protect Ad Tech Plaintiffs

By Justin Donoho
June 6, 2025
Law360

Read below

Multitudes of high-stakes lawsuits are increasingly being filed under the California Invasion of Privacy Act, or CIPA, against businesses of all types, seeking millions of dollars or more in statutory damages for these entities' uses of common website advertising technology on the theory that using such technology constitutes illegal wiretapping or illegal use of a pen register or trap and trace device.[1]

California S.B. 690 is designed to protect businesses from such advertising technology claims by amending CIPA. The bill, introduced March 24, unanimously passed the Senate on June 3, and now is being considered by the Assembly. 

The bill has been highly contested by various consumer advocacy groups since its introduction. These groups assert that CIPA is necessary — and other laws inadequate — to protect plaintiffs from unlawful surveillance.

This article addresses these arguments and concludes that any actual privacy harms resulting from the use of advertising technology are subject to remedies under existing law, such as the private right of action provided under the California Consumer Privacy Act, or CCPA.

The article further concludes by providing more productive alternative pathways for consumer advocacy groups to follow than opposing S.B. 690 when advocating for reform in advertising technology privacy law, as well as by providing steps advertising technology defendants can take right now to mitigate high-stakes advertising technology litigation risk.

Background on Advertising Technology and CIPA Advertising Technology Class Actions

Advertising technology consists of pixels and other pieces of code embedded in many websites in operation today; millions of companies and governmental organizations use them.[2]

This technology works by collecting information about a person's web-browsing behavior, sending it to the advertising technology developer, i.e., an online advertising agency, and then that advertising agency using artificial intelligence to analyze the collected data and serving targeted advertisements based on the analysis.

This web-browsing data feeds AI algorithms' analyses of the data to the profit of the advertising agencies. In exchange, the advertising agencies provide and enable free or heavily discounted access to web-searching tools, personal email services, news websites, social media, real-time traffic maps, digital assistants, cloud storage, home management systems, human resources technologies, educational technologies, medical diagnostic tools, generative AI and more.

Nowadays, and typically since the Edward Snowden disclosures in 2013, all of these transmissions between the web user, website and advertising agency take place over the encrypted HTTPS protocol.[3]

As for the information's storage at the advertising agency, this information is typically encrypted, anonymized, aggregated and otherwise technologically secured, at least among advertising technology's household names and international brands.[4]

Lesser-known advertising technology creators, by contrast, may sell unencrypted, personally identifiable information to data brokers, who then sell that information to the U.S. government for its surveillance purposes.[5]

This fact pattern may raise Fourth Amendment questions under U.S. Supreme Court jurisprudence as to whether and under what circumstances a consumer would have a reasonable expectation of privacy in web-browsing data forwarded via advertising technology to advertising agencies.[6]

However, CIPA advertising technology class actions typically do not allege any unencrypted disclosure and instead typically allege companies' use only of reputable advertising technology brands and HTTPS encryption.

Plaintiffs have filed a legion of class actions nationwide, alleging that advertising technology embedded in defendants' websites secretly captured plaintiffs' web browsing data and sent it to advertising agencies.

In advertising technology class actions, the key issue is often a claim brought under a state or federal wiretap act, a consumer fraud act, or the Video Privacy Protection Act; because plaintiffs often seek millions — and sometimes even billions — of dollars, even from midsize companies, on the theory that hundreds of thousands of website visitors, times $5,000 per claimant in statutory damages under CIPA, for example, equals a huge amount of damages.

In the last 18 months, over 1,500 businesses have faced lawsuits raising CIPA advertising technology claims.[7] In addition, many advertising technology class actions have been filed nationwide, not only under CIPA but also under the federal Wiretap Act and other states' wiretap acts similar to CIPA, among other statutes.

Plaintiffs have filed these types of lawsuits against healthcare providers, retailers, manufacturers, universities, nonprofits and many other entities. Several of these cases have resulted in multimillion-dollar settlements and several have been dismissed on the grounds that CIPA and other alleged wiretap acts do not apply to advertising technology.

For example, last year, in Licea v. Hickory Farms LLC, the Los Angeles County Superior Court found that advertising technology is not a pen register under CIPA, stating, that such "a broad based interpretation would potentially disrupt a large swath of internet commerce."[8]

Similarly, in 2023, in Licea v. Cinmar LLC, the U.S. District Court for the Central District of California dismissed a CIPA wiretap claim "because Plaintiffs do not adequately allege that their conversations were intercepted [by advertising technology] in transit."[9]

However, the vast majority of advertising technology class actions remain undecided, with sufficient motions to dismiss having been denied under the lenient Rule 12(b)(6) standard.

Lottery like economics are what may be driving advertising technology class actions, not any merits to the claims seeking exorbitant statutory damages. If a plaintiff has a minuscule chance of winning a multimillion or billion-dollar lawsuit, that results in an expected value attractive enough for some plaintiffs, despite the lack of merits.

Rationale for S.B. 690

Against this background, on March 24, S.B. 690 was introduced "to protect businesses from vexatious litigation by exempting 'commercial and business purpose' from civil and criminal liability" under CIPA.[10]

As proponents of the bill argued on April 29, before the Senate Committee on Public Safety, CIPA was enacted in 1967, long before the internet was developed, whereas the CCPA, by contrast, is the statute that should be used with respect to California consumers as "the guiding statute for online privacy protections including data protections."[11]

Consumer advocates have raised two primary arguments against S.B. 690. The first is that CIPA, though enacted in 1967, was envisioned by the Legislature to cover future types of surveillance.[12]

This argument raises the question of whether using advertising technology constitutes surveillance. On the one hand, the term surveillance has sometimes been associated with advertising technology ever since Harvard University professor Shoshana Zuboff coined the term "surveillance capitalism" in 2019 in reference to the widespread use of advertising technology.[13]

On the other hand, surveillance in the traditional sense of "keeping close watch over someone or something (as by a detective),"[14] as defined by Merriam-Webster, may not have been seen by the 1967 Legislature to jibe with CIPA advertising technology lawsuits, which typically do not allege that any human being or entity — even the advertising agency — has accessed the web-browsing information, has it stored, or could retrieve it from the advertising agency's algorithms in a decrypted, or readable, format.

Consumer advocates' other primary argument is that CIPA is a "powerful statutory hook" necessary to improve privacy practices at American organizations.[15] The CCPA, however, provides just such a statutory hook in any instances where privacy may become compromised from advertising technology's encrypted HTTPS transmissions and its encrypted, anonymized, aggregated and otherwise secure storage facilities.

Specifically, the CCPA provides that between $100 and $750 in incidental or actual damages is recoverable by:

[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.[16]

Beyond the CIPA and CCPA, advertising technology plaintiffs also typically raise many additional statutory and common-law theories.

Conclusion

This article concludes that the CCPA may sufficiently protect any advertising technology plaintiff who suffers any actual harm.

The question remains whether any privacy reform beyond the CCPA is necessary with respect to advertising technology as it is typically practiced, by reputable brands, in the undecipherable, unharmful fashion described above. If so, although S.B. 690 may halt such reform currently being attempted via the recent explosion in CIPA advertising technology class actions, consumer advocacy groups would still have other strategies of moving advertising technology privacy law forward beyond the CCPA.

These strategies may include, for example, joining the debate on whether Fourth Amendment and common-law jurisprudence suffices or requires another equilibrium adjustment of the type recently seen in U.S. v. Carpenter for purposes of determining what constitutes a "reasonable expectation of privacy" in the context of advertising technology,[17] or urging the U.S. Congress and other states to follow California's and Europe's leads in regulating advertising technology with comprehensive legislation like the CCPA or Europe's General Data Protection Regulation and Digital Services Act.[18]

Meanwhile, companies using advertising technology on their websites have several tools at their disposal to mitigate advertising technology litigation risk. These include adding or updating arbitration agreements to mitigate the risks of mass arbitration; collaborating with IT, cybersecurity and risk/compliance departments to identify and manage AI risks; and updating notices to third parties and vendor agreements.[19]

References

[1] California Senate Bill 690, Report to the Committee on Public Safety at 10 (April 25, 2025).

[2] Customer Data Platform Institute, "Trackers and Pixels Feeding Data Broker Stores" (reporting that pixels are used in 47% of all websites, including 55% of websites hosted by the S&P 500, 58% in the retail industry, 42% in the financial industry, and 33% in the healthcare industry).

[3] Nicole Perlroth, This Is How They Tell Me the World Ends at 178-79 (Bloomsbury 2023); Electronic Frontier Foundation, available at https://www.eff.org/encrypt-the-web ("The web has largely switched from non-secure HTTP to the more secure HTTPS protocol … As of 2021, about 90% of all web page visits use HTTPS"); Christopher Soghoian, "Snowden's Leaks Have Finally Forced Companies to Enhance Their Security," MIT Tech Review (Dec. 17, 2013), available at https://www.technologynologyreview.com/2013/12/17/14482/snowdens-leaks-have-finally-forced-companies-to-enhance-their-security.

[4] Byron Tau, Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State at 193-95 (Crown 2024); Joint Congressional Hearing (April 10, 2018), available at https://www.congress.gov/event/115th-congress/senate-event/LC64510/text; Perlroth at 178-79 (note 3 above); Nishant Bhajaria (lead privacy engineer at several big tech firms including two of the world's largest online ad agencies), Data Privacy: A Runbook for Engineers (Manning 2022) (setting forth best practices for privacy engineering); Orin Kerr, The Digital Fourth Amendment at 196 (Oxford 2025) ("The biggest companies that have the largest influence are pushing the Internet ecosystem toward keeping fewer records rather than more").

[5] Tau (note 4, above) at 184-93; Kerr (note 4, above) at 187-200.

[6] Compare Carpenter v. United States , 585 U.S. 296 (2018) (finding a reasonable expectation of privacy in "cell-site location information"), and Emily Nicolella, "Evolving Privacy Protections for Emerging Machine Learning Data Under Carpenter v. United States," 17 FIU L. Rev. 453 (2023) (arguing for an evolution of Fourth Amendment jurisprudence to include a "reasonable expectation of privacy" in personal data collected by adtech), with Popa v. Harriet Carter Gifts, Inc. , 2025 WL 896938, at *7 (W.D. Pa. Mar. 24, 2025) (disposing of adtech class action due to data privacy policy provided via browsewrap on the basis that "a reasonably prudent person has a lower expectation of privacy on the internet than on, for example, a telephone, which lacks the entire system of trackers, cookies, and algorithms commonly, if not ubiquitously, implicated in the use of a website"); Kerr at 187-200 (note 4, above) (arguing that no further "equilibrium adjustment" to the Fourth Amendment beyond the type performed by the Supreme Court in Carpenter is necessary in the context of adtech and data brokers' sales to the government).

[7] Committee Report at 10-11 (note 1, above).

[8] Licea v. Hickory Farms LLC, 2024 WL 1698147, at *4 (Cal. Super. Ct., L.A. Cty., Mar. 13, 2024).

[9] Licea v. Cinmar, LLC , 659 F.Supp.3d 1096, 1110 (C.D. Cal. 2023) (emphasis added on dispositive phrase of CIPA); see also, e.g., Barbour v. John Muir Health (Cal. Super. Jan. 5, 2023, 2023 WL 2618967, at *5 (dismissing CIPA claim in adtech case, stating, "Plaintiffs have not alleged Defendant's 'interception' while 'in transit'"); Vita v. New England Baptist Hospital , 494 Mass. 824, 826-27 (Mass. 2024) (ordering dismissal of adtech class action brought under Massachusetts wiretap act because rule of lenity applies); T.D. v. Piedmont Healthcare, Inc. , 2024 WL 3972984, at *4 (N.D. Ga. Aug. 28, 2024) (ordering dismissal of adtech class action brought under federal wiretap act because plaintiff "could not have intercepted the same transmission it received on its website, nor could it have acted with a tortious or criminal purpose in seeking to drive marketing and revenue").

[10] Committee Report at 7 (note 1, above).

[11] Id.

[12] Committee Report at 7 (note 1, above).

[13] Shoshana Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (PublicAffairs 2019).

[14] See Webster's.

[15] Committee Report at 16 (note 1, above).

[16] Cal. Civ. Code § 1798.150.

[17] See note 6, above.

[18] Anu Bradford, Digital Empires: The Global Battle to Regulate Technology (Oxford 2023) (advocating for evolving the American market-driven regulatory model based largely on "surveillance capitalism," more toward the European rights-driven model in order to compete with China's state-driven model).

[19] Justin Donoho, "Three Best Practices to Mitigate High-Stakes AI Litigation Risk," Journal of Robotics, Artificial Intelligence & Law, Volume 7, No. 6, November/December 2024 (discussing these risk mitigation techniques).

Reprinted with permission of Law360.