Fighting California Invasion of Privacy Act (CIPA) Demands


Businesses across the world have incorporated Meta Pixel into their website functionality to enhance targeted advertising and tracking strategies. A recent wave of litigation, in which plaintiffs issue demand letters under the California Invasion of Privacy Act (“CIPA”) (as well as under comparable statutes of other states and federal law), has created legal challenges for businesses — small and large — that use Meta Pixel and similar data-collecting technologies to optimize their website advertising. Plaintiffs’ counsel send these CIPA demand letters and file lawsuits with the purported intent to have website owners comply with the CIPA’s statutory language; however, the statute’s notoriously “badly drafted” language creates major challenges for website owners that engage in what are generally considered standard business advertising practices.[1]

What Is Meta Pixel?

Meta Pixel technology adds a line of code to a website so that the website may track certain users’ behavior on its own pages or across websites. Once the Meta Pixel collects the information, it is sent to Meta, and custom audiences are created to optimize advertising efforts.

What Is the CIPA?

CIPA is a criminal and civil statute that purportedly offers a civil remedy to individuals who have had their communications intercepted by a third party. Drafted in the 1960s, the statute focused on the era’s cutting-edge communication method — telephones — and sought to prevent eavesdropping and wiretapping.

Doe v. Eating Recovery – A Recent Case Critiquing CIPA and Website Claims Under It

In Doe v. Eating Recovery Ctr. LLC, No. 23-CV-05561-VC (N.D. Cal., Oct. 17, 2025), the defendant, Eating Recovery Center (“ERC”), relied on Meta Pixel technology to collect data for advertising its eating disorder treatment services. After using the ERC website one time, Plaintiff proceeded to get fifteen advertisements for ERC services over the following year, which prompted the plaintiff to file suit under the CIPA.

The United States District Court for the Northern District of California addressed CIPA issues in Plaintiff’s complaint regarding the notoriously ambiguous Penal Code sections 631(a)(2)-(4). The plaintiff argued that the defendants violated Section 631(a)(2) through Meta’s reading, attempting to read, or attempting to learn the contents of her communication with the ERC website while the communications were “in transit.” The court’s decision turned on the meaning of “content” and “in transit” in Section 631(a)(2) and whether those terms, as used in the statute, covered the conduct at issue.

First, the court analyzed whether the information the Meta Pixel collected constituted “content” within the meaning of CIPA Section 631(a)(2). The Meta Pixel collected data containing information like URLs featuring search terms and communications, the time a user spends on each page, and the steps a website user takes to get to each page. The court, relying on existing case law, found that this information constituted “content” under CIPA Section 631(a)(2).

Next, the court addressed whether Meta read, attempted to read, or attempted to learn the information while it was “in transit.” The data Meta receives is encrypted and transmitted to Meta shortly after the information is transmitted from the website’s user to the website’s operator. After Meta receives the data, it implements a filtering process to remove data that Meta determines potentially invades the website user’s privacy.

In its decision, the court referenced Judge Breyer’s logic in Torres v. Prudential Financial, stating that if the information was stored before it was read or attempted to be read, such conduct does not equate to reading the information while it was “in transit.”[2] The court agreed that, under these circumstances, where the information is transferred after the communication between the website’s user and the website’s operator, and the information has to be reassembled before the information can be interpreted, the intercepting party has not read or attempted to read the collected information.

The court also emphasized that conduct like filtering out private information is incompatible with the definition of reading or learning. Reading or learning information requires active steps towards understanding information, whereas Meta’s decision to filter out information represents an attempt to actively avoid understanding the user’s private information.

Notably, the court emphasized a long line of cases that interpret criminal statutes – such as CIPA – narrowly. The court quoted a U.S. Supreme Court case, Bittner v. United States, 598 U.S. 85, 103 (2023), holding that “[i]n the context of a statute that imposes both criminal and civil penalties based on the same statutory term, ‘the rule of lenity, not to mention a dose of common sense, favors a strict construction.’” Eating Recovery Ctr., No. 23-CV-05561-VC at 11.

In concluding its opinion, the court set out an assessment of the recent wave of demands and claims asserted under CIPA and called the California Legislature to action. It stated:

As difficult as it is to apply CIPA to the physical world, it’s virtually impossible to apply it to the online world. Hopefully, the Legislature will go back to the drawing board on CIPA. Indeed, it would probably be best to erase the board entirely and start writing something new. But until that happens, courts should not contort themselves to fit the type of conduct alleged in this case into the language of a 1967 criminal statute about wiretapping.

Id. at 12.

How Can Businesses Using Pixel Technologies Protect Themselves?

Businesses using technologies like Meta Pixel for targeted advertising or other business purposes should confirm the technology they use is encrypted and that information transmitted through the pixels used is anonymized. Businesses would also benefit from implementing a filtering process intended to remove certain sensitive data that is not beneficial for their goals, as this could lower the risk associated with collecting data for business purposes under Section 631(a). Additionally, a strong website banner that requires user consent to the use of cookies, pixels, tags, and other tracking technologies prior to the user interacting with the website can help protect businesses against being the next recipients of a CIPA demand letter or lawsuit.
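
One way to apply the filtering and consent steps described above on the website operator's side, shown as an added example that is not taken from the decision, from this article's authors, or from any pixel vendor's code. It strips the kinds of data the court treated as “content” (URLs featuring search terms, page paths that identify a record) before anything reaches a tracking tag, and builds no event at all without opt-in consent. The function names, the parameter list, and the sample URLs in the comments are assumptions.

```javascript
// Added example: SENSITIVE_PARAMS, scrubUrl, buildEvent and dispatch are
// hypothetical names and are not part of any vendor's pixel API.

// Query parameters that commonly carry user-typed text or identifiers (assumed list).
const SENSITIVE_PARAMS = new Set(["q", "query", "search", "s", "email", "phone", "name"]);

// Path segments that look like record identifiers (all digits, or long hex/UUID-like tokens).
const ID_SEGMENT = /^(\d+|[0-9a-f-]{16,})$/i;

// Return the URL with sensitive parameters dropped, ID-like path segments
// replaced by ":id", and the fragment removed.
// e.g. https://clinic.example/patients/48213/results?q=help#intake (constructed)
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  url.pathname = url.pathname
    .split("/")
    .map((seg) => (ID_SEGMENT.test(seg) ? ":id" : seg))
    .join("/");
  url.hash = "";
  return url.toString();
}

// Build the only payload a tracking tag is allowed to see.
// Returns null unless the visitor has opted in to advertising trackers.
function buildEvent(consent, rawUrl, referrer) {
  if (!consent || consent.advertising !== true) return null;
  return {
    event: "page_view",
    url: scrubUrl(rawUrl),
    // Keep only the referrer's origin so earlier search terms and paths are not forwarded.
    referrerOrigin: referrer ? new URL(referrer).origin : null,
  };
}

// Hand the event to the sender (the tag's loader) only when one was built.
function dispatch(consent, rawUrl, referrer, send) {
  const evt = buildEvent(consent, rawUrl, referrer);
  if (evt) send(evt);
  return evt !== null;
}
```

In a browser, `send` would be the only code path that loads or calls the tracking tag, so a visitor who has not opted in generates no request to the third party.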

[1] Doe v. Eating Recovery Ctr. LLC, No. 23-CV-05561-VC, at *6 (N.D. Cal., Oct. 17, 2025).

[2] Torres v. Prudential Financial, 2025 WL 1135088, at *5-7 (N.D. Cal. Apr. 17, 2025).


About Burr & Forman Cybersecurity & Data Privacy Law

Burr & Forman's experienced team helps clients navigate the complex cybersecurity and data privacy landscape with strategies designed to assess current risks, develop a corrective action plan, implement best practices, and provide immediate and appropriate responses to a cybersecurity breach.
