A California federal court has refused to dismiss a class action lawsuit alleging that Condé Nast unlawfully installed online trackers on its websites, signaling yet another instance of courts applying a decades-old privacy statute to modern data collection practices.
The lawsuit alleges that when the plaintiff visited Condé Nast-owned publications’ websites such as The New Yorker and Wired, the company enabled third-party trackers from Google, Audiencerate, and Neustar to be installed on his browser without his consent. According to the complaint, these trackers collected his IP address, set cookies with unique identifiers, and facilitated the creation of advertising profiles that revealed sensitive details such as location, income, and browsing preferences.
At issue is whether Condé Nast’s alleged use of these tools constitutes a violation of the California Invasion of Privacy Act (CIPA), a statute enacted in 1967 to target wiretaps and eavesdropping devices. CIPA prohibits the installation or use of a “pen register” without court approval, and it defines that term broadly as any device or process that records routing, addressing, or signaling information from an electronic communication. Condé Nast argued that online trackers are not “pen registers” because they do not decode or record the contents of communications. The company also claimed that it neither installed nor used the trackers, instead pointing to third parties as the data collectors.
However, U.S. District Judge Rita F. Lin determined that the plaintiff plausibly alleged that the trackers recorded information before transmitting it to third parties. She also noted that CIPA should be interpreted in line with its legislative purpose (i.e., protecting Californians’ privacy) even in the face of evolving technology.
On standing, Condé Nast maintained that the plaintiff suffered no injury. Judge Lin disagreed, citing allegations that the trackers enabled third parties to generate detailed user profiles and compromise anonymity. She also referenced the Ninth Circuit’s decision in In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589 (9th Cir. 2020), which held that unauthorized collection of browsing history can itself constitute a concrete injury.
This case is part of a continuing trend: plaintiffs invoking CIPA to challenge website tracking practices that were once considered routine. For any company using third-party tracking tools, this ruling underscores the risks of relying on consent-less tracking. Courts are increasingly willing to treat digital tracking mechanisms as functional equivalents of traditional surveillance devices.
The bottom line: Courts continue to apply CIPA’s broad definitions to online tracking, even though the law predates the internet, and allegations that users did not consent to the installation of cookies and trackers remain a central vulnerability for defendants. Companies that deploy tracking pixels, cookies, or other website analytics tools should anticipate continued scrutiny under both CIPA and similar state privacy laws. As the case against Condé Nast moves forward, it will test the limits of applying mid-20th-century privacy protections to 21st-century digital advertising. One thing is clear: the debate over online tracking and consumer privacy is far from settled.