DEIVAPRAKASH v. COND NAST DIGITAL (2025)

ORDER DENYING MOTION TO DISMISS

Re: Dkt. No. 11

Plaintiff Aaron Deivaprakash accuses Defendant Condé Nast Digital of facilitating third-party collection of his information and tracking of his Internet-browsing activity. He brings this action to recover against Condé under the California Invasion of Privacy Act (the “CIPA”), and Condé now moves to dismiss. (See Dkt. Nos. 1-1 (the “Complaint”), 11 (the “Motion”).)¹ For the reasons set forth below, the Court DENIES the Motion.

I. BACKGROUND

The following discussion of background facts is based on the allegations contained in the Complaint, the truth of which the Court accepts for purposes of resolving the Motion. See Boquist v. Courtney, 32 F.4th 764, 772 (9th Cir. 2022).

A. Condé Facilitates Internet Tracking and Data Collection

Condé owns and operates the newyorker.com and wired.com websites. (See Complaint ¶ 1.) When users visit the websites, code embedded in the websites by Condé installs three “trackers” on the users’ Internet browsers. (See id. ¶ 64.) The trackers collect the users’ IP addresses and metadata (e.g., browser type) and send that information to third parties operating the trackers. (See id. ¶¶ 2, 32.) The trackers also embed “cookies” in the users’ browsers that allow the third parties to monitor the users’ behavior across the Internet (beyond their use of Condé’s websites). (See id. ¶¶ 33, 77-78.) Through this monitoring, as users browse the Internet, the third parties compile comprehensive profiles reflecting the users’ geographic locations, incomes, and preferences, among other characteristics. (See id. ¶¶ 146-48.) The third parties share these profiles with each other, which: (1) improves their ability to identify users as they browse the Internet; and (2) correspondingly hinders users’ ability to remain anonymous. (See id. ¶¶ 161-67.) Advertisers then purchase the profiles so that they can present the users with targeted advertising, and these sales generate revenue for Condé. (See id. ¶¶ 12, 149-56.)

B. Third Parties Tracked Deivaprakash

Deivaprakash visited Condé’s websites multiple times between 2012 and 2024. (See id. ¶ 196.) The websites installed the trackers on his browser, and the trackers collected his information as he browsed the Internet, which the third parties used to develop a profile on him. (See id. ¶¶ 197-98.) Advertisers then purchased the profile and presented him with targeted advertising. (See id. ¶ 198.) Deivaprakash never consented to the installation or use of the trackers, and Condé never obtained a court order permitting their installation or use. (See id. ¶ 199.)

II. LEGAL STANDARD

A complaint “must contain ․ a short and plain statement of the claim showing that the pleader is entitled to relief.” See Fed. R. Civ. P. 8(a)(2). Failure to satisfy this requirement may result in dismissal. See id. 12(b)(6). To survive a Rule 12(b)(6) challenge, a plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A claim

has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. [This] standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has acted unlawfully.

See Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (quotation marks and citations omitted).

In ruling on a motion to dismiss, a court may consider only “the complaint, materials incorporated into the complaint by reference, and matters [subject to] judicial notice.” See UFCW Loc. 1500 Pension Fund v. Mayer, 895 F.3d 695, 698 (9th Cir. 2018) (citation omitted). A court must also presume the truth of a plaintiff's allegations and draw all reasonable inferences in their favor. See Boquist, 32 F.4th at 773. However, a court need not accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” See Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1008 (9th Cir. 2018) (citation omitted).

III. DISCUSSION

The CIPA prohibits installing or using “pen registers” without prior court approval. See Cal. Penal Code § 638.51(a). Deivaprakash alleges that Condé violated the pen register provision when its websites installed the trackers on his Internet browser. Condé offers four reasons why that claim should be dismissed as insufficiently pled. However, none provides a valid basis for dismissal.

A. Deivaprakash Sufficiently Alleges That the Trackers Are Pen Registers

A pen register is “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” Id. § 638.50(b). Condé argues that the trackers do not satisfy this definition for three reasons.

First, Condé argues that the trackers do not record or decode any information; instead, they simply instruct users’ browsers to transmit the information in question to the third parties. (See Motion at 13-14; see also Complaint ¶ 32.) That characterization ignores Deivaprakash's explicit allegations that the trackers also collect and store users’ information, including cookies which “uniquely identify” each user. (See, e.g., Complaint ¶¶ 61 n.25, 67-70, 76, 109.) Deivaprakash further alleges that the trackers store these cookies “along with a unique user ID, the user's IP address,” and/or “Device Metadata,” which are alleged to be the routing, signaling, or addressing information at issue. (See id. ¶¶ 77, 108-109, 125.) Those allegations suffice.² See, e.g., Shah v. Fandom, Inc., 754 F. Supp. 3d 924, 929-30 (N.D. Cal. 2024) (trackers allegedly “capture[d] the outgoing information”); Mirmalek v. L.A. Times Commc'ns LLC, No. 24-cv-01797-CRB, 2024 WL 5102709, at *4 (N.D. Cal. Dec. 12, 2024) (“[T]he Trackers record the addressing information by instruct[ing] the user's browser to send ․ the user's IP address to the Tracker and by stor[ing] a cookie with the user's IP address in the user's browser cache.” (quotation marks omitted)).

Second, Condé argues that the trackers collect more than just dialing, routing, addressing, or signaling information. (See Motion at 14-17.) As an initial matter, the pen register definition does not automatically exclude devices that collect more than just these four categories of information; rather, only devices that go beyond these four categories to also collect the contents of a communication fall outside the definition. See Cal. Penal Code § 638.50(b). Condé appears to argue that the trackers also collect the contents of communications, but it bases that conclusion on an interpretation of a screenshot of “traffic from [Deivaprakash's] browser” when he used one of Condé’s websites (see Complaint ¶ 80; Motion at 16-17):

This screenshot does not provide an adequate basis to conclude as a matter of law under Rule 12(b)(6) that, despite Deivaprakash's allegations to the contrary, the trackers collect the contents of communications. Condé also implies that the trackers’ transmission of device metadata places them outside the scope of the pen register definition (see Motion at 16-17), but metadata necessarily does not constitute the content of a communication. See also Shah, 754 F. Supp. 3d at 929 (“[T]he ‘contents’ referenced by [the pen register definition] are the users’ HTTP requests to load [a] website ․”).

Third, Condé argues that the third parties receive information affirmatively sent to them by users’ browsers (under instruction from the trackers), as opposed to information intercepted by the trackers. (See Motion at 17-19.) As an initial matter, it is not clear how this argument implicates the pen register definition. At best, Condé appears to be arguing that the CIPA does not prohibit the third parties from recording information voluntarily shared with them. But as discussed above, Deivaprakash sufficiently alleges that the trackers themselves recorded the information from his request to Condé’s website (i.e., before they transmitted any information to the third parties). Deivaprakash also alleges that he did not consent to the trackers’ recording of that information from his visit to Condé’s website for the purpose of transmitting it to the third parties, thereby defeating any assertion of voluntariness. (See Complaint ¶ 199.) Nor, as Condé asserts, does the California Consumer Privacy Act insulate Condé from liability, as the cited provision provides a right to opt out from selling or sharing information (see Motion at 18-19; Cal. Civ. Code § 1798.120(a)(1)), and Deivaprakash expressly alleges a “surreptitious collection” of data (see Complaint ¶ 134); if Deivaprakash did not know about the data collection, he could not have exercised his right to opt out. See also Mirmalek, 2024 WL 5102709, at *5 (opt-out framework of the California Consumer Privacy Act does not prohibit pursuing CIPA claim).

B. Deivaprakash Sufficiently Alleges That Condé Used the Trackers

The CIPA prohibits the installation or use of pen registers without prior court approval. See Cal. Penal Code § 638.51(a). Therefore, Condé argues, even if the trackers are pen registers, it did not violate the statute because it did not install or use the trackers. With respect to use, Condé asserts that websites record users’ IP addresses as part of their ordinary operations and without utilizing trackers. (See Motion at 19-20.) Even if true, Deivaprakash alleges the collection of other information as well, and Condé does not claim that websites also collect this other information in the ordinary course without utilizing trackers. And as discussed above, Deivaprakash sufficiently alleges that the trackers themselves collected IP addresses, and he bases his claim on this collection (and not on any collection separate from that performed by the trackers). Accordingly, Deivaprakash adequately alleges Condé’s use of the trackers.³

C. Deivaprakash Sufficiently Alleges That He Suffered an Injury Caused by Condé

The CIPA confers statutory standing to bring a private right of action on persons “injured by a violation” of the statute. See Cal. Pen. Code § 637.2(a). Deivaprakash sufficiently alleges that he suffered an injury in the form of an invasion of privacy. Specifically, as discussed above, Deivaprakash describes how the trackers allow the third parties to generate profiles that reflect users’ geographic locations, incomes, and preferences, among other characteristics, and hinder users’ ability to remain anonymous as they browse the Internet, and he alleges that the third parties did so with respect to him. (See Complaint ¶¶ 198, 200.) These allegations suffice. See, e.g., Shah, 754 F. Supp. 3d at 932 (sufficient allegations of injury where trackers collected IP addresses and “reveal[ed] geographical location and other personal information sufficient for third parties to conduct targeted advertising”); Mirmalek, 2024 WL 5102709, at *4 (similar). Accordingly, it does not matter whether Deivaprakash had a “reasonable expectation of privacy” in the information collected (see Motion at 24) because the privacy violation extends beyond the collection of just his IP address and metadata; it encompasses how that collection allegedly allowed the third parties to: (1) build a profile reflecting his personal information; and (2) interfere with his ability to remain anonymous.

For the same reason, Condé’s reliance on Mitchener v. CuriosityStream, Inc., No. 25-cv-01471-NW, 2025 WL 2272413 (N.D. Cal. Aug. 6, 2025), does not support its injury argument. (See Dkt. No. 25.) There, the court held that the plaintiff did not have an expectation of privacy regarding his metadata. See Mitchener, 2025 WL 2272413, at *4-5. But here, Plaintiff alleges a privacy invasion based on the creation of a detailed profile and his reduced capacity to remain anonymous. Mitchener also concerned Article III standing, while Condé disputes whether Deivaprakash satisfies the requirements of statutory standing.⁴ See also Khamooshi v. Politico LLC, No. 24-cv-07836-SK, ––– F.Supp.3d ––––, –––– n.5, 2025 WL 1408896, at *4 n.5 (N.D. Cal. May 13, 2025) (“Article III standing is different from, and not to be measured by, statutory standing.” (citation omitted)).

Condé also argues that it did not cause any privacy injury allegedly suffered by Deivaprakash because the injury “was caused by information [the third parties] had amassed on him separate and apart from anything” Condé did. (See Motion at 27.) Condé ignores, however, that, as alleged by Deivaprakash, it enabled the third parties to amass information about Deivaprakash by embedding the code in its websites that surreptitiously installed the trackers on Deivaprakash's browser in the first place. (See Complaint ¶ 64.) And contrary to Condé’s assertion otherwise (see Motion at 28), under Deivaprakash's allegations, his injury would not have occurred without Condé’s installation of the trackers that provided the addressing information used in building the third parties’ profiles.⁵

D. The Rule of Lenity Does Not Apply

Under the rule of lenity, “ambiguity in a criminal statute should be resolved in favor of lenity, giving the defendant the benefit of every reasonable doubt on questions of interpretation.” See People v. Nuckles, 56 Cal. 4th 601, 611, 155 Cal.Rptr.3d 374, 298 P.3d 867 (2013) (citation omitted). But the rule “does not apply every time there are two or more reasonable interpretations of a penal statute. On the contrary, this principle applies only when two reasonable interpretations of the same provision stand in relative equipoise.” Smith v. LoanMe, Inc., 11 Cal. 5th 183, 202, 276 Cal.Rptr.3d 746, 483 P.3d 869 (2021) (citations and quotation marks omitted). In other words, the rule applies only where “resolution of the statute's ambiguities in a convincing manner is impracticable.” See People v. Avery, 27 Cal. 4th 49, 58, 115 Cal.Rptr.2d 403, 38 P.3d 1 (2002).

Condé urges the Court to adopt his interpretations of the CIPA in an exercise of lenity, citing ambiguities concerning the pen register definition and whether the statutory prohibition applies to IP addresses. (See Motion at 29-31.) But the application of the CIPA to the allegations in this case does not require the interpretation of any ambiguities in the statute, let alone ambiguities that cannot practicably be resolved in a convincing manner. See, e.g., Riganian v. LiveRamp Holdings, Inc., No. 25-cv-00824-JST, ––– F.Supp.3d ––––, ––––, 2025 WL 2021802, at *12 (N.D. Cal. July 18, 2025) (declining to apply rule of lenity to definition of pen register where the defendant “argued for a certain interpretation” but did not establish any “grievous ambiguity”). Moreover, “the California Supreme Court has instructed courts to interpret CIPA in the manner that fulfills the legislative purpose of CIPA by giving greater protection to privacy interests.” Shah, 754 F. Supp. 3d at 930 (quotation marks and citation omitted). Implementation of that directive further weighs against application of lenity here.

IV. CONCLUSION

For the foregoing reasons, the Court DENIES the Motion.

IT IS SO ORDERED.

FOOTNOTES

1.   All citations to page numbers in the Motion refer to ECF page numbers.

2.   Because Deivaprakash sufficiently alleges that the trackers record information, this Order does not reach Condé’s argument that the trackers do not decode information. (See Motion at 14.)

3.   Because Deivaprakash adequately alleges Condé’s use of the trackers, this Order does not reach Condé’s argument that it did not install the trackers.

4.   In any event, Deivaprakash's allegations likely satisfy Article III's injury requirement. In In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589 (9th Cir. 2020), the Ninth Circuit held that allegations of data collection performed “in order to receive and compile [the plaintiffs’] personally identifiable browsing history ․ no matter how sensitive or personal” constituted sufficient allegations of injury for purposes of Article III standing. See id. at 598 (quotation marks omitted). That holding remains good law after the Supreme Court's decision in TransUnion LLC v. Ramirez, 594 U.S. 413, 141 S.Ct. 2190, 210 L.Ed.2d 568 (2021). See Popa v. Microsoft Corp., No. 24-14, ––– F.4th ––––, –––– – ––––, 2025 WL 2448824, at *7-8 (9th Cir. Aug. 26, 2025).

5.   Because Deivaprakash sufficiently alleges that Condé caused his privacy injury, this Order does not reach Condé’s argument that Condé’s alleged unjust enrichment does not satisfy the CIPA's injury requirement. (See Motion at 28-29.)

RITA F. LIN, United States District Judge