The latest fad in California class-action litigation is as creative as it is ridiculous: claiming that every website operator who logs or shares a visitor’s IP address is committing a felony under the State’s Invasion of Privacy Act. Plaintiffs’ lawyers have flooded courthouses with suits alleging that routine server logs, analytics pixels, and third-party trackers violate the “pen register” and “trap-and-trace” provisions of the California Invasion of Privacy Act, Penal Code §§ 638.50–638.55.

The theory is that an IP address constitutes “addressing information” under the statute’s broad definition of a pen register. This is not serious statutory interpretation. It is an attempt to turn the basic mechanics of the internet into a crime. And it should fail—because the statute’s text, history and common sense all point in the opposite direction.

The Text

Start with the text. Section 638.51 prohibits the use of a “pen register” or “trap and trace device” without a court order. The statute defines a pen register as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” An IP address is, literally speaking, “addressing information.” So far, so literal.

But the publisher’s address printed inside every book also counts as “addressing information.” As does every postal envelope, Rolodex, phone book, GPS navigation map, business card, and street sign. If the statute’s definition of a pen register were read with the wooden literalism plaintiffs demand, the California Legislature would have criminalized the Dewey Decimal system, the Yellow Pages, and the ordinary act of handing someone a return address on a Christmas card. That cannot be the law.

The History

Statutes may not be read in a vacuum to produce ridiculous results. They are read in context, with an eye toward the chief evil the Legislature was trying to remedy. In 1967 that problem was secret, law-enforcement-style telephone surveillance, not the digital handshake that occurs when a browser voluntarily transmits an IP address so a server can supply the webpage the user just requested. Common sense and basic statutory interpretation thus compel the same conclusion the superior courts have already reached: this is not surveillance, it is just how the internet works, and CIPA does not make it a crime.

Common Sense

If every IP log requires a court order—or exposes operators to $2,500 in statutory damages per violation plus potential criminal liability—then virtually every website in America is a scofflaw. News sites, retailers, nonprofits, even government pages would face crippling liability exposure. The economic fallout would hit consumers with higher prices and reduced innovation. California’s later-enacted Consumer Privacy Act already provides a comprehensive framework for data collection, notice and opt-out rights. Stretching a 1967 telephone-surveillance law to supplant it is judicial legislation, plain and simple.

Such a rule would turn the internet’s most basic housekeeping—blocking IP addresses to stop malicious bots, thwarting account takeovers, and balancing server loads—into a legal landmine that invites litigation from every single visitor. Compliance at scale would not be merely burdensome, it would be impossible. The inevitable result would be clunky login walls and consent pop-ups that obliterate the wide-open internet we all take for granted. At bottom, it ignores an elementary fact of digital life: when a user visits a site, she voluntarily sends her IP address across the network, exactly as she hands a return address to the postal carrier who delivers her mail. Information disclosed by design so that requested content can find its destination carries no reasonable expectation of privacy.

State Courts Resist Creative Interpretation

California superior courts have rightly called this theory what it is. In Rodriguez v. Ink America International Group LLC, No. 25STCV153 (Cal. Super. Ct. Dec. 10, 2025), Los Angeles Superior Court Judge Teresa A. Beaudet granted judgment on the pleadings, explaining that CIPA “did not, and does not, criminalize the process by which websites communicate with users who choose to access them.” The court recognized the service-provider exception in § 638.51(b), which expressly allows electronic-communication providers to use such tools to operate, maintain, test or protect their services. Website operators plainly qualify.

The same result obtained in Sanchez v. Cars.com, Inc., No. 24STCV13201, 2025 WL 487194 (Cal. Super. Ct. Jan. 27, 2025), where the demurrer was sustained without leave to amend. The court emphasized that the legislative history of CIPA’s pen-register provisions refers to telephone-tracking technology—not incidental internet communications like IP address collection. Visitors have no reasonable expectation of privacy in data they voluntarily disclose simply by typing in a URL. Identical reasoning has prevailed in Aviles v. LiveRamp, Inc., No. 24STCV19869, 2025 WL 487196 (Cal. Super. Ct. Jan. 28, 2025), and Licea v. Hickory Farms LLC, No. 23STCV26148, 2024 WL 1698147 (Cal. Super. Ct. Mar. 13, 2024). These decisions reflect the correct, narrow reading of the statute.

Some federal district courts have been far more indulgent. In Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023), for instance, the court embraced the plaintiffs’ theory, holding that any software that correlates consumer data through “unique fingerprinting” could constitute a pen register under the statute’s supposedly “expansive” language. Those rulings are not binding on state courts, and they ignore both the historical context and the absurd consequences of the plaintiffs’ theory.

California’s Legislature could fix this tomorrow by clarifying that routine website operations fall outside CIPA’s pen-register provisions. Until then, state courts are doing their job: dismissing these suits at the earliest opportunity. The internet is not a crime scene. IP addresses are not contraband. Treating them as such does nothing to protect privacy and everything to punish the ordinary commerce that powers California’s economy—and the Nation’s.