- within Litigation and Mediation & Arbitration topic(s)
- in United States
- within Litigation, Mediation & Arbitration, Transport and Privacy topic(s)
Duane Morris Takeaways: On October 17, 2025, in Doe v. Eating Recovery Center LLC, No. 23-CV-05561, ECF 167 (N.D. Cal. Oct. 17, 2025), Judge Vince Chhabria of the U.S. District Court for the Northern District of California granted summary judgment to Eating Recovery Center, finding no violation of the California Invasion of Privacy Act (CIPA) where the Meta Pixel collected website event data. Specifically, the Court held that Meta did not "read" those contents while the communications were "in transit." In so holding, the Court applied the rule of lenity, construed CIPA narrowly, and urged the California Legislature "to step up" and modernize the statute for the digital age. Id. at 2.
This decision is significant because Judge Chhabria candidly described CIPA as "a total mess," noting it is often "borderline impossible" to determine whether the law – enacted in 1967 to criminalize wiretapping and eavesdropping on confidential communications – applies to modern internet transmissions. Id. at 1. As the Court observed, CIPA "was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA's already-obtuse language to new technologies." Id. This is a "must read" decision for corporate counsel dealing with privacy issues and litigation.
Background
This class action arose after plaintiff, Jane Doe, visited Eating Recovery Center's (ERC) website to research anorexia treatment and later received targeted advertisements. Plaintiff alleged that ERC's use of the Meta Pixel caused Meta to receive sensitive URL and event data from her interactions with ERC's site, resulting in targeted ads related to eating disorders.
ERC had installed the standard Meta Pixel on its website, which automatically collected page URLs, time on page, referrer paths, and certain click events to help ERC build custom audiences for advertising. Id. at 3. Plaintiff alleged that ERC's use of the Pixel allowed Meta to intercept her communications in violation of CIPA, Cal. Penal Code § 631(a). She also brought claims under the California Medical Information Act (CMIA), the California Unfair Competition Law (UCL), and for common law unjust enrichment. The UCL claim was dismissed at the pleading stage.
ERC later moved for summary judgment on the remaining CIPA, CMIA, and unjust enrichment claims. In a separate order, the Court granted summary judgment on the CMIA and unjust enrichment claims, finding that plaintiff was not a "patient" under the CMIA and that there was no evidence ERC had been unjustly enriched. See id., ECF 168 at 1-2.
The Court's Decision
With respect to the CIPA claim, the parties disputed two elements under CIPA § 631(a): (1) whether the event data obtained by Meta constituted "contents" of plaintiff's communication with ERC, and (2) whether Meta read, attempted to read, or attempted to learn those contents while they were "in transit." ECF 167 at 6.
The Court first held that URLs and event data can constitute the "contents" of a communication because they can reveal substantive information about a user's activities – such as researching medical treatment. Id. at 7. The court thus deviated from other courts that have held differently on this particular issue when considering additional facts or allegations not addressed by this court (such as encryption, and inability to reasonably identify the data among lines of code). However, the Court concluded that Meta did not read or attempt to learn any contents while the communications were "in transit." Instead, Meta processed the data only after it had reached its intended recipient (i.e., ERC, the website operator).
In reaching that conclusion, Judge Chhabria relied on undisputed testimony about Meta's internal filtering processes: "Meta's corporate representative testified that, before logging the data that it obtains from websites, Meta filters URLs to remove information that it does not wish to store (including information that Meta views as privacy protected)." Id. at 8.
This evidence supported the finding that Meta's conduct involved post-receipt filtering rather than contemporaneous "reading" or "learning." Id. at 9. The Court emphasized that expanding "in transit" to include post-receipt processing would improperly criminalize routine website analytics practices. Because CIPA is both a criminal statute and a source of punitive civil penalties, the Court applied the rule of lenity to adopt a narrow interpretation. Id. at 11-12. The Court further cautioned that an overly broad reading would render CIPA's related provision (§ 632, prohibiting eavesdropping and recording) largely redundant. Id. at 10.
Finding that Meta did not read, attempt to read, or attempt to learn the contents of Doe's communications while they were in transit, the court granted summary judgment to ERC on the CIPA claim. Id. at 12.
The opinion concluded by reiterating that California's decades-old wiretap law is "virtually impossible to apply [] to the online world," urging the Legislature to "go back to the drawing board on CIPA," and suggesting that it "would probably be best to erase the board entirely and start writing something new." Id.
Implications For Companies
The Doe decision narrows one significant avenue for CIPA liability, particularly for routine use of website analytics and advertising pixels. The Northern District of California has now drawn a distinction between data "read" while in transit and data processed after receipt, significantly reducing immediate CIPA exposure for standard web advertising tools.
At the same time, the court's reasoning underscores that pixel-captured data may be considered by some courts as "contents" of a communication under CIPA, although there is a split of authority on this issue. Companies could therefore face potential exposure under other California privacy statutes, including the CMIA, the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA), depending on the data involved and how it is used.
Organizations should continue to inventory the data they share through advertising technologies, minimize sensitive information in URLs, and ensure clear and accurate privacy disclosures. Because the court expressly invited legislative reform, companies should also monitor ongoing case law and potential statutory amendments.
Ultimately, Doe v. Eating Recovery Center reflects a pragmatic narrowing of CIPA's "in transit" requirement while reaffirming that CIPA was not intended to cover common website advertising technologies or, in any event, should not be interpreted as such given the harsh statutory penalties involved and the rule of lenity — like the Supreme Judicial Court of Massachusetts concluded regarding Massachusetts' wiretap act, as we previously blogged about here. While this case is a big win for website operators, companies relying on third-party analytics should treat this decision as guidance—not immunity—and continue adopting privacy-by-design principles in their data collection and vendor management practices.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.
