In a big win for businesses, a California federal court just held that a “tester” plaintiff—someone who visits websites to initiate litigation—cannot bring a claim under the California Invasion of Privacy Act (CIPA). Rodriguez v. Autotrader.com, Inc., No. 2:24-cv-08735, 2025 WL 65409 (C.D. Cal. 1.8.25) Tester plaintiffs have started to focus on consumer protection statutes in hopes of broadening CIPA’s application to include internet communications, which would provide them a treasure trove of potential targets. However, the recent decision in Rodriguez provides a defense for businesses facing lawsuits by tester plaintiffs and bolsters another unrelated defense: setting privacy expectations with consumers.
I previously wrote about CIPA claims and the uptick in litigation claiming wiretap violations based on a website’s use of trackers.
Here, the plaintiff alleged violations of CIPA by Autotrader.com for its:
- Operation of a pen register on its website using tracking technology that could collect a user’s IP address
- Disclosure of website search terms to third parties (akin to illegal wiretapping)
The court dismissed these claims, stating that a tester plaintiff who “actively seeks out privacy violations” does not expect privacy. Because a tester plaintiff in a CIPA case visits the website and intentionally enters information into the website expecting their information to be “accessed, recorded, and disclosed,” the individual cannot claim an injury. The tester essentially expects the injury to occur.
What should your business do as a result of this decision? Be prepared and consider:
- Reviewing your website and its Privacy Policy and Terms of Use;
- Evaluate the types of tracking tools your website uses and their necessity/value (e.g., pixels, web beacons, cookies, etc.). Often, businesses discover that the website cookies and pixels are actually just left over from past initiatives or that certain cookies were installed but never used.
- Consider using a scanning tool and analyze the scan results to learn what tracking technologies your website uses.
- Determining what third parties do with the data collected via your website tracking tools;
- Include appropriate disclosures in your Privacy Policy and cookie banner/preferences (e.g., to whom is the data disclosed, the use of the data, and a hyperlink to the Privacy Policy in the cookie banner).
- For example, cookie banners should state that data is disclosed to third parties for targeted ad purposes, if that is the case, instead of only stating that the website uses cookies to improve user experience.
- Providing an opt-out option (and symmetry of choice)
- While opt-in consent is not required by applicable consumer privacy laws (such as the California Consumer Privacy Act as amended by the California Privacy Rights Act), allowing users to make informed choices about website tracking could prevent CIPA claims against your business.