There is a specific Los Angeles plaintiff firm that, more than any other single name in the US privacy bar, illustrates how a state wiretapping statute written for telephone party-line abuse in 1967 became the most consequential consumer-privacy enforcement vehicle in the country. The firm is Custodio & Dubey LLP, founded by Miguel Custodio Jr. and Vineet Dubey, with offices in Los Angeles, Fullerton, and Rialto and a second-brand presence under the CD Law name. Their docket is, by most reasonable estimates, one of the highest-volume California Invasion of Privacy Act (“CIPA”) tracking-pixel practices in the country.
For privacy and compliance leads, Custodio & Dubey is interesting not as a curiosity but as a signal. Where the firm files, what it pleads, which industries it targets, and how courts respond on motions to dismiss are leading indicators of the next 18 months of US privacy litigation risk. The firm’s playbook is also an unusually clean illustration of how plaintiffs’ counsel turned routine ad-tech instrumentation — Meta Pixel, Google Analytics, retargeting tags, session-replay scripts — into a litigation product.
This is the closer look in-house teams should have on the firm itself, the case law that surrounds its docket, the doctrinal pressure points that determine whether a CIPA tracking-pixel case survives or dies, and the practical posture every consumer-facing website should take in 2026.
Who Custodio & Dubey Are, and Why the Volume Pattern Matters
The two named partners are not new to high-volume California consumer litigation. Miguel Custodio Jr. and Vineet Dubey have been representing California consumers in statutory-damages cases for years across a portfolio that has included false advertising, unfair business practices, ADA web accessibility, and Proposition 65. The firm’s CIPA tracking-pixel docket is the latest and largest expression of a model the partners have been refining since well before the 2022–2023 Meta Pixel litigation wave.
The shape of that model became publicly visible in 2018, when Custodio & Dubey was reported to have filed 386 individual claims on behalf of a single plaintiff — a pattern that drew sharp commentary from the defense bar but is not unusual in California’s high-volume private-attorney-general ecosystem. The legal mechanism that makes this pattern possible is the combination of statutory damages (the plaintiff does not need to prove actual loss), a fee-shifting provision (the plaintiff’s counsel collects fees from the defendant if the plaintiff prevails), and a low pleading bar at the motion-to-dismiss stage. Once that combination exists in a statute, the economics of high-volume claims work themselves out.
CIPA’s two operative provisions for tracking-pixel litigation make this calculus especially favorable.
Penal Code §631 — the wiretapping theory. Section 631(a) prohibits, among other things, reading or attempting to read the contents of a communication “in transit” without consent of all parties. Plaintiffs’ counsel in the post-2022 wave have argued that when a third-party tracking pixel — Meta Pixel, Google Analytics, a marketing automation tag — fires on a webpage and transmits the user’s interactions back to the third party, the third party is “reading” the contents of the user’s communication with the website operator. The statute carries $5,000 per violation, plus attorneys’ fees.
Penal Code §638.51 — the pen register theory. Section 638.51 prohibits the use of a “pen register” or “trap and trace device” without a court order. Plaintiffs’ counsel have argued, with surprising success in some California trial courts, that any client-side script that captures identifiers, IP addresses, or routing metadata about a website visitor functions as a “pen register” within the broad statutory definition. The statute carries $2,500 per violation.
The firm’s pleading style reliably layers a §17200 Unfair Competition Law claim on top of one or both CIPA theories, and frequently adds a California Constitutional right-to-privacy claim, a common-law intrusion-upon-seclusion claim, and — where the facts support it — a CCPA-grounded claim. This layering is not stylistic. It expands the discovery surface, increases settlement leverage, and gives plaintiffs’ counsel multiple paths to survive a motion to dismiss even when the headline CIPA theory is weak.
The Targeting Pattern
Custodio & Dubey’s tracking-pixel docket clusters in industries with high session-level data sensitivity, high web-traffic volume, and conventional reliance on third-party ad-tech instrumentation. The recurring targets:
- E-commerce retailers with Meta Pixel, Google Ads conversion tags, and retargeting pixels firing across product, cart, and checkout pages.
- Healthcare providers, telehealth platforms, and wellness brands where the act of browsing condition-related content can itself be evidence of a sensitive inference. This is the same fact pattern that produced In re Meta Pixel Healthcare Litigation — and the firm’s healthcare-side filings frequently borrow that case’s pleading architecture.
- Financial services and fintech sites, particularly those that use third-party analytics to track funnel conversion through account-opening or loan-application flows.
- Media and publishing properties that monetize via behavioral ad targeting and that rely on a deep stack of third-party tags.
- Travel, ride-share, and on-demand platforms, where geolocation combined with session-level interaction data becomes the asserted “communication” that the third party is alleged to have read.
The common thread is not the industry; it is the technical configuration. A site that loads a third-party script that captures user inputs, button clicks, scroll depth, form fields, or URL parameters and transmits that data to a vendor for analytics or advertising is the unit of analysis the firm targets. The merits will turn on consent, scope, and the specific behavior of the script — but the filing decision is made on the technical fingerprint of the site, not the substantive privacy harm.
The California Case Law That Surrounds the Docket
Custodio & Dubey does not file into a vacuum. Their docket sits inside a specific California case-law ecosystem that compliance leads need to read alongside the firm’s individual filings.
Javier v. Assurance IQ, LLC (9th Cir. 2022) is the foundational appellate decision that opened the door to the modern tracking-pixel wave. The Ninth Circuit held that a chatbot session-replay tool could plausibly violate CIPA §631 even though the website operator was a “party” to the communication, because the third-party vendor capturing the session was not. The decision did not resolve the merits — it reversed a motion to dismiss — but it established the doctrinal foothold every subsequent tracking-pixel complaint has stood on.
Williams v. What If Holdings, LLC (N.D. Cal. 2022) extended the Javier reasoning to a chatbot tool that used Meta Pixel-adjacent technology. It is one of the most-cited cases in tracking-pixel pleadings filed by Custodio & Dubey and by the broader plaintiffs’ bar.
In re Meta Pixel Healthcare Litigation (N.D. Cal., consolidated MDL) is the single most consequential pixel case in the country. The MDL aggregates dozens of cases against hospital systems and healthcare providers whose websites embedded the Meta Pixel and transmitted patient interaction data to Meta. The case is not directly Custodio & Dubey’s, but the firm’s healthcare filings borrow heavily from its pleading architecture and its theory of harm.
Smith v. Google LLC (N.D. Cal. 2024) and the post-2024 line of decisions on the “party to the communication” defense are where defendants have started winning back ground. A growing body of district court decisions has held that the website operator and its analytics vendor can together constitute a single “party” for §631 purposes when the vendor is a service provider acting on the operator’s behalf and not capturing data for its own independent uses. This is the most important defense-side doctrinal development of 2024–2025, and it is the doctrinal lever every defendant in a Custodio & Dubey case should be reaching for.
Rojas v. Hi.Q, Inc. and Doe v. Microsoft Corp. continue to test the §638.51 pen register theory in California. Defendants have had mixed results; the theory remains alive enough that filing it is defensible, contested enough that defending against it is expensive.
The pattern that emerges from this body of law is not that CIPA tracking-pixel claims always win, or always lose. It is that the law is unsettled enough at the motion-to-dismiss stage that plaintiffs survive often enough to make the economics work. That is the business model.
The Doctrinal Pressure Points That Determine Case Outcomes
For in-house teams trying to assess their exposure or defend a filed case, the doctrinal levers that matter most are narrower than the headline statutes suggest.
The “party to the communication” defense. When the analytics vendor is contractually a service provider acting only at the website operator’s direction, courts increasingly accept that the operator and vendor are a single “party” for §631 purposes. The strength of this defense turns on the actual contract, the actual data flows, the vendor’s terms of service, and whether the vendor is using the data for its own product improvement, advertising network, or model-training purposes. A clean service-provider posture — strict-purpose-limitation contract, no vendor-side reuse, no data co-mingling — is the single best defensive position a defendant can build.
The consent defense. CIPA is a two-party consent statute, but California courts have accepted that consent can be implied from a properly disclosed cookie banner, privacy notice, or terms-of-use acceptance — provided the disclosure is specific enough that a reasonable user would understand what was being captured and by whom. The standard is closer to “informed” than “merely notified.” Generic banners that say “this site uses cookies” do not carry the day. Specific, layered disclosures that name the vendors, describe the categories of data, and provide a clear mechanism to opt out of non-essential tracking are the standard now emerging in defense-side rulings.
The “contents of communication” defense. §631 requires that the third party have read or attempted to read the contents of a communication. URL paths, IP addresses, basic device metadata, and routing information are arguably not “contents.” Form-field inputs, button-click data, search queries, and session-replay reproductions of user interactions arguably are. The line is fuzzy, and the firm’s pleadings exploit the fuzziness. Defense-side counsel have had measurable success arguing that the specific data captured by the challenged tag does not rise to “contents” within the statute’s meaning.
Article III standing. Federal court defendants have an additional weapon in the form of standing arguments under TransUnion v. Ramirez and Spokeo v. Robins. The argument is that a bare statutory violation, without concrete harm, does not satisfy Article III. Defendants have had real success removing these cases to federal court and then moving to dismiss for lack of standing. That said, the Ninth Circuit’s decisions in Patel v. Facebook and similar lines have weakened the argument considerably, and California state court — where Custodio & Dubey predominantly files — does not have an Article III standing requirement at all.
Arbitration clauses and class waivers. A meaningful chunk of the defense-side wins in this space have come not from merits arguments but from arbitration. Properly drafted, properly disclosed arbitration clauses with class-action waivers convert the statutory-damages-times-class-size economics of the case into individual-arbitration economics, which are usually unattractive to plaintiffs’ counsel. Whether a particular arbitration clause is enforceable against a particular plaintiff is a fact-specific question, but the strategic value of having a clean clause in place is large.
The Expansion Beyond CIPA
The most important development in 2025–2026 is that CIPA is no longer the only statute carrying the tracking-pixel theory. Plaintiffs’ counsel — including, increasingly, Custodio & Dubey-adjacent firms — are testing analogous wiretap and intrusion theories under the laws of other two-party-consent states.
Pennsylvania Wiretap Act filings have proliferated against defendants whose website traffic includes Pennsylvania residents. The statute is structurally similar enough to CIPA that the pleading work translates well, and Pennsylvania has its own active plaintiffs’ bar that has begun filing alongside California counsel.
Massachusetts Wiretap Act decisions in 2024 and 2025 have generated a parallel litigation lane, and the state’s robust private right of action has attracted plaintiff filings. Massachusetts courts have been somewhat more skeptical of the pure wiretapping theory but have allowed cases to proceed on related grounds.
Florida Security of Communications Act filings have begun to appear, particularly against healthcare and retail defendants whose Florida traffic is meaningful.
Washington’s My Health My Data Act, while not a wiretap statute, has created a separate vehicle with statutory damages for cases involving health-related browsing data captured by third-party tags. This is the statute most likely to absorb the next wave of pixel-style filings against healthcare, wellness, and adjacent defendants.
The strategic point for in-house teams is that “we are not a California business” is no longer a viable basis for ignoring the tracking-pixel risk. The same instrumentation that creates CIPA exposure creates exposure under at least three or four parallel state regimes, and the plaintiffs’ bar is filing in all of them.
A Hardened Compliance Posture for Consumer-Facing Sites
The defense-side playbook for tracking-pixel litigation has matured considerably since 2023. A short, prioritized list of the work that actually moves the needle.
Audit every script that loads on the site, in every region. Not a self-report from marketing. An actual technical audit, performed by someone who knows what to look for, that produces a complete inventory of every third-party script, every domain it contacts, every category of data it captures, and the contractual basis on which the vendor processes that data. This audit is the foundation of every other defense.
Implement consent management that meets the new bar. A California-grade consent banner now means: granular categorization of cookies and tags (strictly necessary, functional, analytics, advertising), per-vendor disclosure with vendor name and processing purpose, a clear opt-out mechanism that actually blocks the disclosed tags, and a re-consent flow when the tag list materially changes. Generic IAB TCF v2.2 implementation is necessary but not sufficient; the disclosure has to be specific to the actual instrumentation on the site.
Reform vendor contracts to cement the service-provider posture. Every analytics, advertising, and adtech vendor whose script touches the site needs a contract that (i) identifies the vendor as a service provider under the CCPA, (ii) prohibits the vendor from using the data for any purpose other than the operator’s instructions, (iii) specifically prohibits combination with other-source data, model training, or independent advertising-network use unless separately authorized, and (iv) provides audit and termination rights. A vendor that resists these terms is a litigation liability regardless of the underlying privacy notice.
Configure the tags themselves to minimize captured data. Server-side Google Analytics 4 implementations, Meta CAPI with hashed user data and explicit consent gating, and Google Consent Mode v2 with proper signal propagation all reduce the attack surface materially. The tagging configuration is now part of the legal posture, not just an analytics decision.
Segment by jurisdiction. The same site can serve different consent and tag configurations to California users, Washington users, EU users, and other-jurisdiction users. The technology to do this is mature; the policy work to get it right is what teams underinvest in.
Update privacy notices and pre-collection disclosures. Specific naming of vendors, specific descriptions of data categories, specific reference to CIPA and equivalent state statutes where the user is in a covered jurisdiction. The privacy notice is no longer a generic compliance artifact; it is a litigation document.
Maintain an arbitration and class-waiver posture, where viable. This is a business and consumer-relations decision as much as a legal one, but for organizations whose risk tolerance allows it, a clean arbitration clause is the single most efficient backstop against high-volume CIPA litigation.
Build the litigation-ready evidentiary record. Document the audit, the consent configuration, the vendor contracts, the tagging configuration, and the privacy notice, with timestamped versions. When the demand letter arrives, the speed and quality of the defendant’s evidentiary record determine the early-stage settlement posture.
What Custodio & Dubey’s Docket Predicts
The firm’s 2026 filings concentrate around three areas worth watching closely. The first is healthcare and wellness, where the Meta Pixel Healthcare MDL has created a template that travels easily to telehealth, mental-health, fertility, and adjacent verticals. The second is financial services, where the convergence of CFPB enforcement attention, state attorney-general activity, and CIPA litigation is producing a multi-front compliance picture for any consumer-facing fintech. The third is consumer-facing AI products — chatbots, voice assistants, AI-driven shopping tools — where the act of capturing the user’s prompt and transmitting it to a third-party model provider raises CIPA questions that have not yet been fully litigated. Expect filings in this third category to accelerate through 2026 and 2027.
The firm itself is unlikely to slow down. The economics that make the model work — statutory damages, fee shifting, low pleading bar, broad statutory scope, parallel state vehicles — are all moving in the plaintiffs’ direction. CIPA is not going to be amended out of existence; the California legislature has consistently declined to do so, and the political coalition that would push for amendment is fragmented. The Ninth Circuit and California appellate courts have settled some of the doctrinal questions in favor of plaintiffs and only some in favor of defendants.
The right read for in-house teams is not that Custodio & Dubey is a uniquely aggressive firm. It is that the firm is doing what the statute allows — at scale, with good economic discipline, and with a docket that maps cleanly to the technical configuration of the modern consumer web. Other firms are doing the same. The gap between defendants who have done the audit-and-harden work and defendants who have not is now the single largest variable in how this litigation lands.
Custodio & Dubey LLP CIPA Lawsuit
Custodio & Dubey LLP’s docket is a useful X-ray of where US privacy litigation is going. The firm has not invented new law. They have systematized, at scale, the application of an old statute to new technology, and they have built the operational infrastructure to do it efficiently. The compliance response is not to wait for the next demand letter. It is to read the firm’s filings, understand the doctrinal levers, and harden the posture of the consumer-facing site before the demand arrives.
The audit is cheap. The harden-up work is moderately priced. The litigation is expensive. The relative economics of those three are the entire business case for getting in front of this now.
