Collecting IP Addresses? “Not An Invasion of Privacy,” Says New York Federal Court in CIPA Pen-Register Action

On February 18, 2025, US District Judge Edgardo Ramos of the United States District Court of the Southern District of New York granted the defendant’s motion to dismiss against a plaintiff bringing claims under California Invasion of Privacy (CIPA) Section 638.51, which prohibits the use of a pen register absent a court order, for lack of Article III standing. The court held in Gabrielli v. Insider, Inc.,2025 WL 52515 (S.D.N.Y. Feb. 18, 2025) that the disclosure of an IP address does not bear a close relationship to the common law public disclosure of private facts and intrusion upon seclusion invasion of privacy torts—or to the traditional understanding of unjust enrichment—and cannot establish standing under TransUnion v. Ramirez,594 U.S. 419 (2021). The court also held that alleging a violation of CIPA Section 638.51 is the kind of statutory violation that is “a bare procedural violation, divorced from any concrete harm” and likewise cannot confer standing under Spokeo v. Robins,578 U.S. 330 (2016). 

CIPA Section 638.51

California Penal Code Section 638.51 (“Section 638.51”) prohibits a person from “install[ing] or us[ing] a pen register . . . without first obtaining a court order[.]” California Penal Code Section 638.50(b) defines a “pen register” as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” In other words, pen registers trace outgoing signals from a phone or computer, like which phone numbers are being dialed by a certain phone. Pen registers are typically used in law enforcement investigations.

Greenley v. Kochava, Inc. and the Wave of Pen Register Lawsuits

It is no secret that the plaintiffs’ bar has taken a particular interest in several of CIPA’s provisions to bring waves of class actions against website operators based on novel theories applying this decades-old statute to commonplace online tools like cookies and pixels. In 2024, plaintiffs’ attorneys set their sights on a new theory, arguing that the collection and disclosure of the IP addresses or similar information about website visitors violates CIPA’s “pen register” provision, Section 638.51.

These cases began with the United States District Court for the Southern District of California’s denial of a defendant’s motion to dismiss in Greenley v. Kochava, where the court determined a software developer kit (SDK) that allegedly collected app user location data “surreptitiously” was a “pen register.” 684 F. Supp. 3d 1024, 1050 (S.D. Cal. 2023). The court opined that “pen registers [now] take the form of software[,]” and allow “private companies and persons [to] have the ability to hack into a person’s telephone and gather the same information as law enforcement.” Id. The decision relied on what the court viewed as the statute’s “expansive language” in defining a pen register as either a “device or process.” Id. Relying on the plain language of “process,” the court noted that “[a] process can take many forms. Surely among them is software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting.’” Id. Following Greenley, at least four California district courts have similarly denied motions to dismiss Section 638.51 claims.¹

Gabrielli v. Insider, Inc.

The Gabrielli plaintiff’s complaint alleged that, after he visited the defendant’s website, the defendant used a third-party tracker operated by an adtech and marketing tech provider to collect his IP address and share it with that provider without his consent. The plaintiff alleged a single claim under CIPA Section 638.51(a). Insider moved to dismiss for lack of Article III standing under Federal Rules of Civil Procedure 12(b)(1) and failure to state a claim under 12(b)(6). 

Because standing is a threshold issue, the court first addressed whether the plaintiff alleged a concrete injury under Article III. Insider relied on TransUnion LLC v. Ramirez, 594 U.S. 413 (2021) to argue that the plaintiff here had not. In TransUnion, the Supreme Court held that “[o]nly those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” Id. at 427. Thus, courts must inquire whether “plaintiffs have identified a close historical or common-law analogue for their asserted injury.” Id. at 424.

Insider here argued that the plaintiff had not met this burden because mere disclosure of an IP address to a third party was not sufficiently private under the torts of public disclosure of private facts or intrusion upon seclusion. See Motion to Dismiss at 7-12, Gabrielli v. Insider, Inc., No. 24-cv-01566 (S.D.N.Y. Aug. 1, 2024), ECF No. 24. Insider further argued that a mere violation of Section 638.51 alone cannot confer standing because the statute does not necessarily prohibit the collection of information but instead regulates only the manner in which information is collected (contrast to other sections of CIPA, which require consent before the collection of contents of a communication in the first instance). Id. at 14-16. Therefore, Insider argued, the plaintiff had identified at most a mere procedural violation of the statute. See Reply in Support of Motion to Dismiss at 2, id., ECF No. 30.

In opposition, the plaintiff argued that he suffered the intangible harm of an invasion of privacy in three ways. First, he argued that Insider’s conduct bore a close relationship to public disclosure of private facts and intrusion upon seclusion because the common-law understanding of privacy recognizes an individual’s control of information concerning his or her person, which the plaintiff argued included his IP address. Gabrielli, 2025 WL 522515, at *3. Second, he argued that Insider’s “use[] [of] this information to profit from targeted advertising and marketing strategies” bore a close relationship to unjust enrichment because the information (i.e., IP address) shared with the third party was used by Insider to maximize its revenue. Id. Third, he argued that, because CIPA codifies substantive privacy rights, a bare statutory violation satisfies the concrete injury requirement for standing. Id. at 8. The court rejected all three arguments.  

Alleged Invasion of Privacy Was Not a Concrete Injury

Addressing the plaintiff’s invasion of privacy theory of injury, the court first analyzed whether the defendant’s conduct was analogous to the tort of public disclosure of private facts, which penalizes “giv[ng] publicity to a matter concerning the private life of another, … if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.” Id. at 4 (citation omitted). The answer was no. According to the court, the plaintiff did not allege “that anyone could actually identify him from the IP addresses allegedly collected by the Tracker”—only that the information “could show that a device from a general area had visited the Website.” This information, per the court, is “only ‘as granular as a zip code,’” which was not sufficiently similar to a “matter concerning the private life of another . . . that would be highly offensive to a reasonable person.” Id. (citation omitted).

Next, the court analyzed whether the defendant’s alleged conduct was analogous to intrusion upon seclusion, which requires an “intentional[] intru[sion], physical or otherwise, upon the solitude or seclusion of another …  or his private affairs or concerns[.]” Id. at *6. Again, the answer was no—and the reason was simple: The plaintiff “sought to access the Website,” and Insider needed the plaintiff’s IP address to communicate with him. Id.

The Defendant’s Unjust Enrichment Was Not a Concrete Injury

Addressing the plaintiff’s allegations that the defendant profited from the sharing of his IP address, the court analyzed whether the defendant’s alleged profiting was analogous to two types of unjust enrichment—(i) “at the expense of another” in the form of an observable economic loss or (ii) “in violation of the other’s legally protected rights.” The court determined that the plaintiff alleged neither. Id. at 7 (citations omitted). The court rejected the first theory because the plaintiff failed to allege that he “suffered any observable loss” due to the alleged sharing of his IP address. With respect to the second theory, the court distinguished an earlier Southern District case, Boelter v. Hearst Communications, Inc., 192 F. Supp. 3d 427 (S.D.N.Y. 2016), which involved the disclosure of more sensitive information (like full names, titles of magazines subscribed to, home addresses, gender, age, ethnicity, income, religion, parental status, and political affiliation). Unlike the disclosure of those types of information, disclosure of an IP address was not the violation of the plaintiff’s legally protected right. Gabrielli, 2025 WL 522515, at 6-7.

Alleged Violation of Section 638.51 Did Not Create a Concrete Injury

Finally, the court rejected the plaintiff’s argument that alleging a bare violation of CIPA Section 638.51 was sufficient to confer Article III standing. The plaintiff relied on two Ninth Circuit cases, In re Facebook, Inc. Internet Tracking Litigation and Campbell v. Facebook, Inc., 951 F.3d 1106 (9th Cir. 2020), which hold that a violation of a statute codifying a historically recognized substantive privacy right, such as CIPA, establishes a concrete injury. The Gabrielli court held that, unlike other provisions of CIPA, Section 638.51 did not codify such a right “but instead requires that [the defendant] obtain a court order before using certain statutorily defined mechanisms to collect [the plaintiff]’s voluntarily provided information.” 2025 WL 522515, at *8. Insider’s alleged failure to seek a court order was, under Spokeo v. Robins², “a bare procedural violation, divorced from any concrete harm.” Id.

What Does This Mean for My Business?

Gabrielli offers new support to defendants facing alleged privacy violations to seek dismissal when plaintiffs have not suffered a particularized and concrete harm arising out of the purported violation beyond the mere disclosure of non-sensitive web browsing information. This case can be cited along with other cases dismissing similar privacy lawsuits for lack of a cognizable harm under Article III, such as Popa v. PSP Grp., LLC, 2023 WL 7001456, at *5 (W.D. Wash. Oct. 24, 2023) (holding that the plaintiff’s browsing information and mouse clicks and movements on the defendant’s website “reveals nothing more than the type of products that interested Ms. Popa and thus is not the type of private information that the law has historically protected”). Defendants can also look forward to forthcoming appellate decisions on this issue, starting with a pending decision in Popa, which was argued and submitted to the US Court of Appeals for the Ninth Circuit (Case No. 24-14) on January 16, 2025.

¹ See Zarif v. Hwareh.com, Inc., 2025 WL 486317, at *10 (S.D. Cal. Feb. 13, 2025), Rodriguez v. Autotrader.com,--- F. Supp. 3d ---, 2025 WL 65409, at *5 (C.D. Cal. Jan. 28, 2025), Mirmalek v. Los Angeles Times Commc’ns LLC,2024 WL 5102709, at *3 (N.D. Cal. Dec. 12, 2024), and Shah v. Fandom, Inc., --- F. Supp. 3d ---, 2024 WL 4539577, at *3 (N.D. Cal. Oct. 21, 2024).

² Our Mayer Brown colleagues successfully litigated Spokeo, Inc. v. Robins.