Website Tracking Just Got More Dangerous: What the 2025 Camplisson Court Decision Means for Your Business

If your company operates a website—and let’s face it, that’s basically every business in 2026—you need to understand a federal court decision that just made your legal exposure significantly worse. We are observing threat letters being sent, lawsuits being filed—including class actions—and arbitration cases being initiated (when the terms of Service require arbitration) by the Swigart Law Firm, TAULER SMITH LLP, as well as pro se claimants like Vivek Shaw and others.

The Bottom Line Up Front

A Southern District of California judge just ruled that common website tracking tools like the TikTok Pixel and Microsoft Bing trackers may violate California’s wiretapping law, even when they’re doing exactly what thousands of businesses use them for every day. The case is Camplisson v. Adidas Am., Inc., 2025 WL 3228949 (S.D. Cal. Nov. 18, 2025), and it’s going to fuel a new wave of class action lawsuits.

What Is CIPA and Why Should You Care?

The California Invasion of Privacy Act (CIPA) has been around since 1967. Originally designed to stop telephone wiretapping, it’s now being weaponized against standard business practices online.

Under CIPA § 638.51, it’s illegal to use “pen registers” and “trap and trace devices” without getting a court order or user consent. These terms come from old-school law enforcement surveillance—pen registers captured outbound phone numbers, trap and trace devices captured inbound ones. The statute defines a pen register as a device that records addressing or routing information transmitted from a communication device, but not the actual content of the communication.

Here’s what makes this painful: CIPA provides for statutory damages of $5,000 per violation. That means a plaintiff doesn’t need to prove any actual harm. They just need to prove you violated the statute. One visitor to your website could potentially trigger thousands of dollars in statutory damages, and multiply that across a class action with thousands of website visitors.

The Camplisson Case: What Happened

Visitors to Adidas’s website sued the company in a class action, claiming that two tracking pixels—the TikTok Pixel and Microsoft Bing—violated CIPA. According to the plaintiffs, these trackers collected IP addresses, browser information, unique identifiers, and other personally identifiable information without consent. The trackers also allegedly used “device fingerprinting” to associate collected data with specific devices for tracking purposes.

Adidas moved to dismiss the case, making two main arguments:

1. The trackers weren’t pen registers because they only captured specific outgoing information, not all communications from a device
2. The information collected through fingerprinting was substantive content, not just addressing or routing data

The court rejected both arguments.

The judge relied on what the court called CIPA’s “intentionally broad language” and found that limiting pen registers only to processes that collect all information would undermine CIPA’s privacy protection purpose. The court also noted that most other courts have recognized that website trackers can plausibly constitute pen registers.

To understand where this is headed, we need to know this: the court held that simply alleging that tracking pixels recorded personally identifiable information—including IP addresses—was sufficient to state a claim at the pleading stage. The case survives dismissal and moves forward.

While many believe these lawsuits are frivolous and simply a shakedown of businesses for nuisance-value settlements, the inconsistency in court rulings creates business risk.

The Consent Defense Failed Too

There are many defenses to these actions, but one of the main ones is consent. Adidas argued that website visitors had consented to the tracking through the site’s terms and conditions and privacy policy. The court did not agree that the consent defense warranted dismissal as a matter of law.

The judge found two flaws in Adidas’s consent mechanism:

1. The terms and privacy policy weren’t sufficiently conspicuous—visitors had to scroll down to the footer to find them
2. There was no pop-up window or similar method requiring visitors to affirmatively demonstrate their agreement

Historically, people placed terms of service and privacy policies in the footer of their websites, but California courts have ruled that such terms are not enforceable unless they are part of a clickwrap agreement. Modern compliance requires a banner to be displayed before any cookies or tracking pixels are loaded, which may include, or be followed by, a follow-up acceptance of the terms of service as a clickwrap agreement.  Without proper notice and affirmative consent, the court ruled that visitors never actually agreed to the tracking. This is a critical teaching point: burying your privacy disclosures in a footer is not enough, even if they’re technically accessible.

Here is What You Need to Know: The Courts Are Split on This Issue

Here’s what makes this particularly dangerous—courts are all over the map on this issue.

The plaintiffs’ bar got their green light from two earlier decisions: Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024 (S.D. Cal. 2023), and Moody v. C2 Educ. Sys., Inc., 742 F. Supp. 3d 1072 (C.D. Cal. 2024). Both courts suggested that tracking software could potentially qualify as pen registers under California law, at least enough to survive a motion to dismiss.

That opened the floodgates to a wave of class actions targeting website tracking tools.

Last year, several courts pushed back with defendant-friendly rulings that dismissed CIPA claims outright:

• Price v. Headspace, Inc., 2025 WL 1237977 (Cal. Sup. Ct. Apr. 1, 2025)
• Kishnani v. Royal Caribbean Cruises Ltd., 2025 WL 1745726 (N.D. Cal. June 24, 2025)
• Mitchener v. Talkspace Network LLC, 2025 WL 1822801 (C.D. Cal. June 27, 2025)
• Mitchener v. CuriosityStream, Inc., 2025 WL 227413 (N.D. Cal. Aug. 6, 2025)

All four of these decisions held that the TikTok Pixel does not fall within CIPA § 638.51’s scope. These rulings suggested the tide might be turning against plaintiffs.

But Camplisson explicitly rejected this line of cases, creating a direct circuit split on the fundamental question of whether common tracking technologies violate California’s wiretapping statute.

Until further notice, legal uncertainty is at maximum levels, which means litigation risk is through the roof.

What This Means for Your Business

The Camplisson decision makes three things clear:

First, expect a surge in demand letters and class action filings. Plaintiffs’ lawyers now have fresh ammunition, and they’re going to use it. If you operate a website with any tracking technologies, you’re a potential target.

Second, the legal landscape is fundamentally unstable. Different courts are reaching opposite conclusions on identical issues. That means you can’t predict with confidence how your case will be decided if you get sued.

Third, half-measures won’t protect you. Adidas presumably thought that having terms and conditions with a privacy policy disclosure was sufficient. The court disagreed. The standard for what constitutes adequate notice and consent just got significantly higher.

Three Things You Can Do To Protect Yourself Right Now

If you’re serious about managing this litigation and class action risk, here’s what you can do today to reduce risk

1. Do an Analysis of Your Website for Pixel and Cookie Tracking

We offer this tool to analyze your risk. This tool will perform a risk analysis of your website on pixel and cookie loading, enforceability of terms of service and privacy agreement, among other risk reduction strategies.

 Website Privacy & Compliance Scanner | Traverse Legal

2. Implement Affirmative Consent Mechanisms

Stop relying on browsewrap agreements whose terms are accessible only via a footer link. You need clickwrap or similar mechanisms that require visitors to take a clear affirmative action—clicking a button, checking a box—after being presented with your privacy disclosures. Test these mechanisms before deployment to confirm that no tracking technologies fire until after consent is obtained.

3. Update Your Privacy Disclosures

Your privacy policy and other consumer-facing disclosures must clearly and conspicuously identify every tracking technology deployed on your website. This includes pixels, cookies, session replay tools, video content that may collect data—everything. These disclosures need to accurately reflect your actual data practices, not aspirational statements about what you think you might do.

The Unfortunate Truth

Website tracking litigation isn’t going away. If anything, Camplisson just poured gasoline on the fire. The split in judicial authority means businesses face maximum uncertainty and maximum exposure.

The companies that will weather this storm are the ones that take proactive compliance seriously. That means working with experienced privacy counsel to audit current practices, remediate gaps, and implement robust consent mechanisms that will actually hold up in court.

The alternative is waiting until you’re named in a class action and trying to explain to your CFO why you’re looking at millions in potential statutory damages, litigation costs, and settlement exposure.

Now is the time to get your house in order. The plaintiffs’ bar is already drafting their next wave of complaints.

For assistance with CIPA compliance, digital tracking audits, or privacy litigation defense, consult with experienced privacy counsel who can evaluate your specific risk profile and implement appropriate protective measures.