“Tester” Beware: California Wiretap and Pen Register Claims Challenging Website’s Third-Party Tracking Software Doomed by No Expectation of Privacy

In Rodriguez v. Autotrader.com, Inc., the District Court for the Central District of California dismissed, with prejudice, a class action lawsuit claiming that Autotrader.com violated the California Invasion of Privacy Act (CIPA) by allowing third-party tracking software to be installed on a website visitor’s browser before the visitor had any opportunity to consent to or decline the website’s privacy policy.

The plaintiff’s complaint alleged that she was a “tester” – i.e., someone who seeks out legal violations and files lawsuits to ensure compliance – who visited the Autotrader.com website and made a search query purportedly containing confidential and private information. The complaint alleged that once a query is entered in the search bar, it is routed to unknown third parties and shared with other third parties like Google, Facebook, Pinterest, and various other advertising services. The complaint asserted that the use of the tracking technology violated California’s wiretapping and eavesdropping statute, CIPA § 631(a), as well as CIPA § 638.51, which prohibits the use of pen registers and trace devices.

In January 2025, the district court dismissed the plaintiff’s CIPA § 631 claims without prejudice for lack of standing because the complaint merely alleged that the plaintiff made a search query containing confidential and private information but “fail[ed] to describe the contents of her query.” The court reasoned that “[w]hether the right to privacy is implicated depends on ‘the sort of information revealed.’” “Not all information will qualify,” wrote the court, as “the information must be sufficiently personal or sensitive that its disclosure is harmful.” Because the plaintiff had not shown that the information shared was “sufficiently personal or sensitive,” the court held that “she fail[ed] to demonstrate that she suffered an injury in fact.”

In March 2025, after the plaintiff amended the complaint to identify the personal or sensitive contents of her search queries, the district court again dismissed the CIPA § 631 claims for lack of standing but this time with prejudice. The court explained that the plaintiff was “a tester that seeks out invasions of privacy” and, in fact, visited the website “‘fully expect[ing]’ it to violate her privacy ‘so that she could file this action.’” As such, “[h]aving expected an invasion of privacy, she cannot claim that she had a reasonable expectation to privacy, and therefore lacks an injury in fact sufficient to establish standing.” Thus, for CIPA claims, no expectation of privacy means no injury in fact.

The “tester” plaintiff’s complaint also alleged that the website tracking technology constituted an unlawful use of pen registers and trace devices under CIPA § 638.51. To state a claim under § 638.51, a plaintiff must allege that a defendant installed and used, without first obtaining a court order, a “pen register” or trap and trace device, i.e., “‘device[s] or process[es]’ that record or capture ‘dialing, routing, addressing, or signaling information’ from a ‘wire or electronic communication,’” “‘but not the contents of a communication.’” Though the defendant did not challenge the section 638.51 claim on standing grounds, the court ordered briefing on the issue.

Ultimately, on April 4, 2025, the district court dismissed the pen register claim too, with prejudice, because “as a tester that visited and entered information into Defendant’s website expecting the information to be accessed, recorded, and disclosed, she cannot claim an injury when her expectations were ultimately met.” Moreover, that the plaintiff claimed to have “dual motivations for using Defendant’s website, acting not just as a tester, but also as a legitimate user that simply wanted to use the website’s services … does not change the fact that she expected her privacy to be invaded, thereby negating any injury in fact.”

Though the plaintiff in Rodriguez v. Autotrader.com, Inc. admitted she was a “tester,” and thus knew that the website contained the tracking devices, the district court’s standing analysis should be helpful in fending off other website tracking lawsuits, especially by repeat filers, when it can be shown that the plaintiff knew or had an expectation that his or her communications would be accessed.