We continue to report on privacy litigation risks and why you need to be using Captain Compliance. If you want to avoid expensive litigation, especially the California cases, first do a free privacy audit with our team to see what your risks are. Among the headlines: the Jane Doe v. Eating Recovery Center (ERC) ruling and the broader “CIPA Gold Rush.”
The Ghost in the Browser: The $5 Billion “Mess” of the California Invasion of Privacy Act
In 1967, California Governor Ronald Reagan signed the California Invasion of Privacy Act (CIPA). At the time, the state’s primary concern was physical surveillance: private investigators clipping “alligator clips” onto telephone lines and the rise of “bugs” planted in hotel rooms. The law was designed to protect the sanctity of the “wire.” Fast forward to late 2025. U.S. District Court Judge Vince Chhabria sits in a San Francisco courtroom, staring at a legal complaint that seeks to apply that same 1967 law to a snippet of JavaScript code—the Meta Pixel. The result was a ruling that has become a defining moment for privacy attorneys, effectively declaring that the state’s primary privacy statute is a “total mess.”
Case Analysis: Jane Doe v. Eating Recovery Center
The plaintiff in this case, proceeding under the pseudonym Jane Doe, was a woman battling a severe eating disorder. In her search for professional help, she visited the website of the Eating Recovery Center (ERC). To Doe, the website was a digital clinic. She interacted with sensitive features, including online assessment quizzes designed to help patients determine if they need inpatient care, insurance verification forms requiring her name and provider, and medical inquiry forms where she described her history with the disorder.
What Doe did not know was that ERC used the Meta Pixel. As she typed, the Pixel captured her inputs and transmitted them to Meta’s servers. According to Doe, the consequences were immediate: her Facebook feed became a barrage of advertisements for “weight loss supplements” and “eating disorder treatment centers”—ads triggered by the very data she thought she was sharing in confidence.
Doe’s attorneys argued that ERC and Meta had committed a felony under CIPA Section 631(a). Their theory was that the “conversation” was between Doe and ERC, and Meta was a “third-party eavesdropper” who “tapped the wire” of that conversation. However, the defense’s counter-argument, which ultimately won the case, rested on a hyper-technical reading of how the internet works. Under CIPA, a wiretap only occurs if the data is intercepted “while the same is in transit.”
Judge Chhabria’s ruling focused on the “micro-second gap.” The defense argued that the Meta Pixel does not “catch” the data as it travels across the internet. Instead, the Pixel code executes inside the user’s browser. It essentially says to the browser: “Send one copy of this data to ERC, and send a second, identical copy to Meta.” Chhabria ruled that since these are two separate transmissions initiated by the browser, the data sent to Meta was never “intercepted” from the transmission sent to ERC. They were parallel paths. Therefore, at no point was a single communication “read” by an unauthorized third party while “in transit.”
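The mechanism described above, where script on the page has the browser send a second copy of the input to another host, can be checked from a network capture of your own site. The following is an added example, not code from the ruling, the article or any vendor; the hosts, field names and request log are constructed.

```javascript
// Added audit sketch. Hosts, field names and the request log are constructed.
// The input shape mirrors what a HAR export or a devtools network log provides.
const sampleRequests = [
  { method: "POST", url: "https://clinic.example/api/intake",
    body: "name=Jane+Roe&insurer=Acme+Health" },
  { method: "GET",
    url: "https://tracker.example/collect?event=form_input&name=Jane%20Roe",
    body: "" },
  { method: "GET", url: "https://cdn.example/app.js", body: "" },
];

// Decode form/query encoding so "Jane+Roe" and "Jane%20Roe" both match "Jane Roe".
function decode(text) {
  try { return decodeURIComponent(text.replace(/\+/g, " ")); }
  catch { return text; } // malformed percent-escapes: fall back to the raw text
}

// A host is first party if it equals the site host or is a subdomain of it.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Return one finding per (other host, form field) whose typed value appears
// in a request the browser sent somewhere other than the site itself.
function findThirdPartyInputCopies(siteHost, typedValues, requests) {
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (isFirstParty(url.hostname, siteHost)) continue;
    const haystack = decode(url.search) + "\n" + decode(req.body || "");
    for (const [field, value] of Object.entries(typedValues)) {
      // Skip very short values to avoid accidental substring matches.
      if (value.length >= 4 && haystack.includes(value)) {
        findings.push({ host: url.hostname, field, method: req.method });
      }
    }
  }
  return findings;
}

const typed = { name: "Jane Roe", insurer: "Acme Health" };
console.log(findThirdPartyInputCopies("clinic.example", typed, sampleRequests));
```

Exact-value matching misses copies that are hashed or otherwise transformed before sending, so an empty result is not proof that nothing was shared.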
The CIPA Industrial Complex: The Macro-Economic Context
The ERC case did not happen in a vacuum. It is one of over 2,500 CIPA lawsuits filed in California in the last 24 months. Since CIPA allows for statutory damages of $5,000 per violation, a website with high traffic could theoretically face a $500 million liability. This has created a “settlement machine” where companies pay five-figure sums to avoid the existential threat of a billion-dollar judgment.
Professional plaintiffs now work with law firms to visit thousands of websites specifically to trigger tracking pixels. Once the data is sent to a third party, a lawsuit is generated. For a small or mid-sized business, a CIPA lawsuit is a nightmare. Even if they believe they are right, the cost of litigating a federal case can exceed $200,000 in legal fees. Plaintiffs’ firms often offer a “quick settlement” of $15,000 to $30,000.
CIPA Litigation Brings Out Modern Technical Realities
The following points summarize the current state of digital privacy litigation under CIPA as highlighted by recent court commentary:
- The “In-Transit” Loophole: Current law distinguishes between data intercepted during transmission and data that is simply sent to two places at once. If the browser sends the data to Meta and the website simultaneously, judges are increasingly finding that no “interception” occurred.
- The Timing Defense: Liability often hinges on whether the tracking code executes before or after the data reaches the destination server. This millisecond difference determines if a company is liable for a felony-level privacy violation.
- Consent Requirements: Under California law, “all-party consent” is required for recording or eavesdropping. However, the court found that if a user’s browser is the one doing the “sending,” the website owner might not be seen as a “tapper” of the wire.
- Functional Analytics vs. Eavesdropping: Courts are struggling to distinguish between “tools” (like a tape recorder used by one party) and “eavesdroppers” (a third party listening in for their own benefit).
- Legislative Obsolescence: The primary takeaway from the ERC ruling is that 1960s wiretap laws are structurally incapable of addressing 21st-century data harvesting.
Other Similar Cases in the CIPA Landscape
The ERC case is the most recent high-profile win for the defense, but other cases have shaped this battlefield:
- In re Kaiser Permanente Privacy Litigation: A massive class-action involving similar allegations that Kaiser shared patient data with Google and Meta via tracking pixels. Unlike the ERC case, parts of this litigation have survived initial motions because of the specific way health data is classified under different California statutes like the CMIA.
- Lizarhola v. H&M: This case represents the shift toward “Pen Register” claims. The plaintiff argued that H&M’s use of software to track the IP addresses and locations of website visitors was the digital equivalent of a physical pen register (a device that records outgoing phone numbers).
- Greenley v. Kochava: A pivotal case where a court found that a data broker could be held liable under CIPA for “shadow-tracking” users across multiple apps, setting the stage for the current wave of “SDK” (Software Development Kit) litigation.
- Byars v. Hotjar: A case involving “session replay” software. The court looked at whether a service that records a user’s mouse movements and clicks is “eavesdropping.” The defense successfully argued that Hotjar was merely a “service provider” or an extension of the website, rather than an independent third-party listener.
The Ethics of Health Privacy: Beyond the Technicality
While the ERC case was dismissed on a technicality, it raised a profound ethical question: Should “Health Data” have a higher standard of protection than “Commercial Data”? Under the Health Insurance Portability and Accountability Act (HIPAA), medical providers are strictly regulated. However, a website like the Eating Recovery Center often falls into a “grey zone.” If you are a prospective patient who hasn’t yet seen a doctor, does the website owe you the same duty of confidentiality as a surgeon?
The dismissal of the ERC case under CIPA does not mean the company is in the clear. Many legal experts believe the future of these cases lies in the California Confidentiality of Medical Information Act (CMIA) or the California Consumer Privacy Act (CCPA), which focus on the content and intent of the data rather than the technical method of transmission.
Future of CIPA Litigation
The Jane Doe v. Eating Recovery Center ruling marks the end of the “First Phase” of the CIPA wars. It proved that the “Pixel” theory has a fatal technical flaw under current California law. However, for businesses and consumers, the “Total Mess” continues.
In 2026, we expect to see the “Pen Register” offensive take center stage. As Section 631(a) (wiretapping) becomes harder to prove, lawyers are turning to Section 638.1. Every single website on the modern internet uses IP tracking for security. If this theory holds, virtually every website operator in California is currently at risk.
Judge Chhabria’s parting words in the ERC case remain the most prescient: “It would probably be best to erase the board entirely and start writing something new.” Until that happens, the internet in California will continue to be a battlefield where 60-year-old laws are weaponized against modern innovation, and where true privacy victims often see their cases dismissed on the timing of a microchip.