![\"\"](\"https:\/\/blogs.duanemorris.com\/classactiondefense\/wp-content\/uploads\/sites\/56\/2025\/10\/privacy.jpg\")
<\/a><\/figure>\n<\/div>\n\n\nBy Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Tyler Zmick<\/strong><\/p>\n\n\n\n Duane Morris Takeaways: <\/strong>On October 17, 2025, in Doe v. Eating Recovery Center LLC, No. 23-CV-05561, ECF 167 (N.D. Cal. Oct. 17, 2025), Judge Vince Chhabria of the U.S. District Court for the Northern District of California granted <\/a>summary judgment to Eating Recovery Center, finding no violation of the California Invasion of Privacy Act (CIPA) where the Meta Pixel collected website event data. Specifically, the Court held that Meta did not \u201cread\u201d those contents while the communications were \u201cin transit.\u201d In so holding, the Court applied the rule of lenity, construed CIPA narrowly, and urged the California Legislature \u201cto step up\u201d and modernize the statute for the digital age. Id. at 2.<\/em><\/p>\n\n\n\n This decision is significant because Judge Chhabria candidly described CIPA as \u201ca total mess,\u201d noting it is often “borderline impossible” to determine whether the law \u2013 enacted in 1967 to criminalize wiretapping and eavesdropping on confidential communications \u2013 applies to modern internet transmissions. Id. at 1. As the Court observed, CIPA \u201cwas a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA\u2019s already-obtuse language to new technologies.\u201d Id. This is a \u201cmust read\u201d decision for corporate counsel dealing with privacy issues and litigation.<\/em><\/p>\n\n\n\n Background<\/strong><\/p>\n\n\n\n This class action arose after plaintiff, Jane Doe, visited Eating Recovery Center\u2019s (ERC) website to research anorexia treatment and later received targeted advertisements. Plaintiff alleged that ERC\u2019s use of the Meta Pixel caused Meta to receive sensitive URL and event data from her interactions with ERC\u2019s site, resulting in targeted ads related to eating disorders.<\/p>\n\n\n\n ERC had installed the standard Meta Pixel on its website, which automatically collected page URLs, time on page, referrer paths, and certain click events to help ERC build custom audiences for advertising. Id<\/em>. at 3. Plaintiff alleged that ERC\u2019s use of the Pixel allowed Meta to intercept her communications in violation of CIPA, Cal. Penal Code \u00a7 631(a). She also brought claims under the California Medical Information Act (CMIA), the California Unfair Competition Law (UCL), and for common law unjust enrichment. The UCL claim was dismissed at the pleading stage.<\/p>\n\n\n\n ERC later moved for summary judgment on the remaining CIPA, CMIA, and unjust enrichment claims. In a separate order, the Court granted summary judgment on the CMIA and unjust enrichment claims, finding that plaintiff was not a \u201cpatient\u201d under the CMIA and that there was no evidence ERC had been unjustly enriched. See id., <\/em>ECF 168 at 1-2.<\/p>\n\n\n\n The Court\u2019s Decision<\/strong><\/p>\n\n\n\n With respect to the CIPA claim, the parties disputed two elements under CIPA \u00a7 631(a): (1) whether the event data obtained by Meta constituted \u201ccontents\u201d of plaintiff\u2019s communication with ERC, and (2) whether Meta read, attempted to read, or attempted to learn those contents while they were \u201cin transit.\u201d ECF 167 at 6.<\/p>\n\n\n\n The Court first held that URLs and event data can constitute the \u201ccontents\u201d of a communication because they can reveal substantive information about a user\u2019s activities \u2013 such as researching medical treatment. Id<\/em>. at 7. The court thus deviated from other courts that have held differently on this particular issue when considering additional facts or allegations not addressed by this court (such as encryption, and inability to reasonably identify the data among lines of code). However, the Court concluded that Meta did not read or attempt to learn any contents while the communications were \u201cin transit.\u201d Instead, Meta processed the data only after it had reached its intended recipient (i.e<\/em>., ERC, the website operator).<\/p>\n\n\n\n In reaching that conclusion, Judge Chhabria relied on undisputed testimony about Meta\u2019s internal filtering processes: \u201cMeta\u2019s corporate representative testified that, before logging the data that it obtains from websites, Meta filters URLs to remove information that it does not wish to store (including information that Meta views as privacy protected).\u201d Id<\/em>. at 8.<\/p>\n\n\n\n This evidence supported the finding that Meta\u2019s conduct involved post-receipt filtering rather than contemporaneous \u201creading\u201d or \u201clearning.\u201d Id<\/em>. at 9. The Court emphasized that expanding \u201cin transit\u201d to include post-receipt processing would improperly criminalize routine website analytics practices. Because CIPA is both a criminal statute and a source of punitive civil penalties, the Court applied the rule of lenity to adopt a narrow interpretation. Id<\/em>. at 11-12. The Court further cautioned that an overly broad reading would render CIPA\u2019s related provision (\u00a7 632, prohibiting eavesdropping and recording) largely redundant. Id<\/em>. at 10.<\/p>\n\n\n\n Finding that Meta did not read, attempt to read, or attempt to learn the contents of Doe\u2019s communications while they were in transit, the court granted summary judgment to ERC on the CIPA claim. Id<\/em>. at 12.<\/p>\n\n\n\n The opinion concluded by reiterating that California\u2019s decades-old wiretap law is \u201cvirtually impossible to apply [] to the online world,\u201d urging the Legislature to \u201cgo back to the drawing board on CIPA,\u201d and suggesting that it \u201cwould probably be best to erase the board entirely and start writing something new.\u201d Id<\/em>.<\/p>\n\n\n\n Implications For Companies<\/strong><\/p>\n\n\n\n The Doe<\/em> decision narrows one significant avenue for CIPA liability, particularly for routine use of website analytics and advertising pixels. The Northern District of California has now drawn a distinction between data \u201cread\u201d while in transit and data processed after receipt, significantly reducing immediate CIPA exposure for standard web advertising tools.<\/p>\n\n\n\n At the same time, the court\u2019s reasoning underscores that pixel-captured data may be considered by some courts as \u201ccontents\u201d of a communication under CIPA, although there is a split of authority on this issue. Companies could therefore face potential exposure under other California privacy statutes, including the CMIA, the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA), depending on the data involved and how it is used.<\/p>\n\n\n\n Organizations should continue to inventory the data they share through advertising technologies, minimize sensitive information in URLs, and ensure clear and accurate privacy disclosures. Because the court expressly invited legislative reform, companies should also monitor ongoing case law and potential statutory amendments.<\/p>\n\n\n\n Ultimately, Doe v. Eating Recovery Center<\/em> reflects a pragmatic narrowing of CIPA\u2019s \u201cin transit\u201d requirement while reaffirming that CIPA was not intended to cover common website advertising technologies or, in any event, should not be interpreted as such given the harsh statutory penalties involved and the rule of lenity \u2014 like the Supreme Judicial Court of Massachusetts concluded regarding Massachusetts\u2019 wiretap act, as we previously blogged about here<\/a>. While this case is a big win for website operators, companies relying on third-party analytics should treat this decision as guidance\u2014not immunity\u2014and continue adopting privacy-by-design principles in their data collection and vendor management practices.<\/p>\n","protected":false},"excerpt":{"rendered":" By Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Tyler Zmick Duane Morris Takeaways: On October 17, 2025, in Doe v. Eating Recovery Center LLC, No. 23-CV-05561, ECF 167 (N.D. Cal. Oct. 17, 2025), Judge Vince Chhabria of the U.S. District Court for the Northern District of California granted summary judgment to Eating Recovery … <\/p>\n