Apple has won a significant procedural and legal victory in a proposed privacy class action that accused the company of collecting and transmitting user data from Apple’s first party apps even when consumers believed they had opted out. In a detailed order, U.S. District Judge Edward J. Davila dismissed every remaining claim in the case, including a newly added “pen register” claim under California’s Invasion of Privacy Act and related wiretapping and consumer theories. The court allowed plaintiffs one more chance to amend, but signaled skepticism that the claims can be repled in a viable form.
The ruling matters beyond Apple. It is one of the clearest recent examples of how courts are wrestling with attempts to repurpose legacy telephone surveillance statutes, including pen register and trap and trace provisions, into modern tracking litigation. At the same time, the case illustrates a recurring reality in digital privacy lawsuits: plaintiffs may frame a product setting as a promise, but courts will still ask whether a user’s expectations were objectively reasonable and whether the alleged data flows constitute “confidential communications” or “interception” under the relevant statutes.
Apple while victiorious here most business owners have not been able to spend the type of money that Apple has had to defending this case. Are privacy news breakdown below showcases what the plaintiffs alleged, what the judge rejected, how the pen register and trap and trace theory has evolved in recent years, and what to watch next if you want to avoid expensive privacy lawsuits around pen register claims.
The Case at a Glance
Caption: In re: Apple Data Privacy Litigation
Court: U.S. District Court, Northern District of California
Judge: Edward J. Davila
Core allegation: Apple collected app interaction data from Apple’s proprietary apps even after users disabled certain settings that plaintiffs believed would block collection.
According to reporting on the case, the plaintiffs sought to represent a class of users who turned off the “Share Device Analytics” setting on iPhone or iPad devices and contended that Apple’s continued collection and transmission of usage data contradicted user expectations.
Plaintiffs were represented by Lynch Carpenter LLP and Bursor & Fisher, P.A. Apple was represented by Covington & Burling LLP.
Legal Procedural Timeline
| Date | Event |
|---|---|
| November 2022 | Original lawsuit filed alleging Apple collected private data from interactions with Apple proprietary apps and misled users about the effect of privacy settings. |
| October 2023 | Plaintiffs filed an amended complaint (later referenced in the litigation history) that included broader theories, including reliance on Apple’s app tracking related setting. |
| September 2024 | Court dismissed claims tied to the “Allow Apps to Request to Track” setting and allowed the case to proceed, if at all, primarily around the “Share Device Analytics” setting. |
| April 2025 | Plaintiffs filed an amended consolidated complaint. |
| October 9, 2025 | Motion hearing referenced in the court’s order, including discussion of plaintiffs’ shifting “pen register” theory. |
| January 20, 2026 | Judge Davila issued a 21 page order granting Apple’s motion to dismiss the remaining claims and granting leave to amend one final time. |
| February 19, 2026 (30 days after order) | Deadline for any amended complaint under the court’s order. |
What Plaintiffs Alleged Apple Was Doing
At a high level, the plaintiffs alleged that Apple collected data tied to how users interacted with Apple’s own apps, including apps like the App Store and Apple’s media services, and that Apple’s settings created the impression that certain collection would not occur if users opted out.
In practical terms, this type of claim usually turns on three questions:
- What information was collected? Was it content, metadata, device identifiers, event logs, or a mix?
- What did users reasonably believe the settings would do? Did the setting promise a full stop or a narrower limitation?
- What statutes actually apply? Many privacy statutes were written for older technology and do not map neatly onto modern telemetry and analytics collection.
Judge Davila’s order focused on these issues through the lens of several distinct legal theories, including California’s Invasion of Privacy Act provisions and Pennsylvania’s wiretap law, plus consumer and quasi-contract claims.
The “Pen Register” Claim and Why the Court Rejected It
One of the most closely watched aspects of the case was plaintiffs’ addition of a claim under CIPA Section 638.51, which prohibits installing or using a pen register or trap and trace device without a court order (subject to certain exceptions).
The statute defines a pen register as a device or process that records or decodes “dialing, routing, addressing, or signaling information” transmitted by an instrument or facility, but not the contents of a communication.
Plaintiffs attempted to argue that Apple’s apps, or processes inside them, operated as a pen register by recording certain addressing or signaling information. The court rejected the claim for multiple reasons:
1) Plaintiffs identified the wrong “thing” as the pen register
The court found that plaintiffs’ complaint alleged Apple’s apps themselves constituted the pen register, but plaintiffs tried to reframe the theory in briefing by arguing it was actually a set of processes within the apps. The court treated this as an improper attempt to amend the complaint through argument.
2) A pen register must be separate from the source of the communication
Even if plaintiffs had pled the “internal process” theory, the court held that the pen register definition necessarily contemplates a device or process separate from the source of the transmitted communications. Because Apple’s first party apps, and the processes underlying them, are part of the source of the communications at issue, the court concluded they do not qualify as a pen register under the statute.
3) The theory produced contradictions inside the complaint
The order also highlights a structural problem: plaintiffs alleged both that Apple’s apps recorded confidential communications and that the same system was capturing non-content routing information under the pen register theory. The court noted that plaintiffs did not clearly plead these as alternatives, and that incorporating inconsistent allegations into each cause of action can support dismissal.
4) The court signaled the claim may be fundamentally hard to plead
While the court granted leave to amend because it was the first time plaintiffs asserted the pen register claim, the order expressly stated the court doubted plaintiffs could plead a viable claim given the deficiencies identified.
How the Pen Register and Trap and Trace Theory Became a Flashpoint in Privacy Litigation
To understand why this claim matters, it helps to understand the broader litigation trend. In the past few years, plaintiffs have increasingly invoked CIPA’s pen register and trap and trace provisions, originally designed for telephone surveillance, to challenge digital tracking technologies. The argument typically goes like this: modern routing and addressing data like IP addresses, device identifiers, and event-level metadata can be treated as “dialing, routing, addressing, or signaling information,” and therefore recording that information can trigger CIPA liability absent consent or a court order.
That argument gained visibility after decisions such as Greenley v. Kochava, which plaintiffs cite as support for applying Section 638.51 to modern tracking contexts.
But the case law has been inconsistent. Some courts have been skeptical that routine digital analytics fits cleanly into statutes written decades ago, while others have allowed claims to proceed when plaintiffs allege collection beyond what is necessary for ordinary site or app functionality.
The Apple ruling is important within that trend because it rejects, on pleading and statutory interpretation grounds, an attempt to treat a first party app as the pen register. It also underscores that plaintiffs cannot shift theories midstream without aligning the complaint’s factual and legal structure.
What About “Trap and Trace” and the Broader CIPA Context?
CIPA Section 638.51 covers both “pen registers” and “trap and trace devices.” In general terms, the pen register concept focuses on outgoing routing or addressing information, while trap and trace focuses on incoming information likely to identify the source of a communication. Plaintiffs in digital cases often use these concepts interchangeably when challenging tracking stacks.
In Judge Davila’s order, the core statutory interpretation point is not limited to one label. The court’s logic rests on the requirement that the alleged pen register device or process must be separate from the instrument or facility that transmits the communication. That reasoning, if adopted elsewhere, can pose a meaningful barrier to plaintiffs who attempt to characterize the primary application itself as the prohibited device or process.
Separately, the order reflects another theme in CIPA litigation: courts are often reluctant to treat ordinary internet communications as “confidential communications,” particularly when the nature of the interaction suggests a user should reasonably expect data to be recorded or transmitted in some form.
Other Claims the Court Dismissed
The order did not only address the pen register count. The court also dismissed:
- CIPA Section 632 eavesdropping or recording of confidential communications claims.
- Pennsylvania wiretap claims under the state’s Wiretapping and Electronic Surveillance Control Act.
- California constitutional invasion of privacy claims.
- California UCL claims.
- Implied contract and unjust enrichment claims, including issues around pleading those theories alongside express contract allegations.
The court also dismissed any claims tied to Apple’s Game Center without prejudice, allowing plaintiffs to attempt to plead that Game Center collected their data if they can do so consistently and plausibly.
The “Reasonable Expectations” Problem in Settings-Based Privacy Claims
A major friction point in many privacy suits is the gap between how consumers interpret settings and how courts interpret them. A setting name may sound absolute, but the underlying system may still transmit data for security, diagnostics, fraud prevention, and service integrity. In this case, the court concluded that plaintiffs’ assumption that turning off “Share Device Analytics” meant none of their usage data would be sent to Apple was not objectively reasonable in the way plaintiffs framed it.
This does not mean courts will always accept broad data collection. It does mean plaintiffs must plead, with specificity, what was collected, why it qualifies as protected content or protected communications, and why the user’s expectations were reasonable given the context and disclosures.
Why the Plaintiffs’ Law Firms Matter
The plaintiffs were represented by Lynch Carpenter LLP and Bursor & Fisher, P.A., firms that are active in complex consumer class actions, including privacy and digital deception claims. Apple was represented by Covington & Burling LLP.
That detail matters for two reasons:
- Litigation strategy: These cases often evolve through multiple amendments, with plaintiffs testing new legal theories as courts narrow the viable paths.
- Market signaling: When experienced class action firms press a pen register or trap and trace theory in a high-profile context and face dismissal, the reasoning tends to influence pleading strategies in other cases.
What Happens Next
The court granted plaintiffs one final opportunity to amend, requiring any amended complaint to be filed within 30 days of the January 20, 2026 order.
From here, plaintiffs typically face a narrowing set of options:
- Replead with more technical specificity: Identify a separate device or process that is plausibly distinct from the source of the communication, and align the theory across claims.
- Focus on deception and economic injury: If plaintiffs cannot win on wiretap or pen register theories, they may attempt to strengthen consumer protection or unfair competition allegations, but those often require detailed reliance and loss allegations.
- Appeal posture: If the amended complaint is dismissed again, plaintiffs may seek appellate review, which can further shape how these statutes apply to digital telemetry.
Apple’s Trap & Trace Lawsuit Lessons
Even though Apple’s motion succeeded, the case highlights operational risks that privacy teams should treat as recurring:
- Settings semantics: If a toggle sounds absolute, plaintiffs will argue it is absolute. If the backend behavior is narrower, disclosures must be clear and consistent.
- Data mapping: These suits turn on what is actually transmitted. Inventory first party data flows with the same rigor used for third party tags.
- Legacy statute risk: Pen register and trap and trace theories remain in flux. Even when defendants win, litigation costs are real.
For organizations that want to reduce exposure, the practical baseline is a combination of (1) clear disclosures aligned to actual data behavior, (2) defensible consent and preference signaling, (3) data minimization, and (4) evidence ready records of what is collected and why. In the privacy software market, you need to use software from our team here at Captain Compliance to operationalize consent, preference management, and audit-ready compliance workflows for web and app environments.
Judge Davila’s dismissal is a meaningful win for Apple and an instructive setback for plaintiffs attempting to expand pen register and trap and trace theories into first party app analytics. The ruling reinforces that plaintiffs must plead coherent theories, identify a qualifying device or process under the statute.
