A California court just gave companies facing website tracking claims under the California Invasion of Privacy Act (CIPA) a very helpful ruling. In Blaker v. NetScout Systems, Inc., Case No. 25STCV31283 (May 27, 2026), the plaintiff claimed that NetScout violated California’s trap-and-trace law by using a software development kit (SDK) on its website that allegedly captured visitor communications without notice or consent. The court rejected that theory, finding that CIPA’s pen register and trap-and-trace provisions apply to telephone communications only, not ordinary software on a commercial website.
That distinction matters because many recent CIPA claims try to take laws originally aimed at telephone surveillance and apply them to common website technologies, including SDKs, pixels, analytics tools, and other tracking tools. The court looked closely at the statute and found that the broader words plaintiffs often rely on, such as “addressing” and “signaling information,” have to be read alongside the statute’s more telephone-focused terms, like “originating number,” “dialing,” and “routing.” The court also pointed to related provisions that refer specifically to the “telephone line” where a pen register or trap-and-trace device would be attached, which made it hard to square the plaintiff’s website theory with the statute as a whole. Additionally, since the internet was already widely used when these provisions were enacted in 2015, the court said lawmakers could have said the law applied to commercial websites if that is what they intended.
For businesses, this is a big decision because it gives defendants a clear, common-sense response to one of the main theories behind these CIPA website tracking cases: a website tool is not automatically the same thing as a telephone trap-and-trace device. The ruling is also notable because the court sustained NetScout’s demurrer without leave to amend, meaning the plaintiff was not given another chance to rework the complaint. This does not mean every CIPA website tracking case goes away, but it gives companies a strong new argument to push back when plaintiffs try to stretch telephone surveillance laws to cover routine website technology.
