Pen Register & Trap and Trace: How a Phone-Era Surveillance Law Reached Website Tracking
By Steve Levine · Updated July 2, 2026 · 7 min read
Quick Answer
A pen register is a device or process that records the outgoing dialing, routing, addressing, or signaling information of a communication — classically, the numbers a telephone dialed. A trap and trace device captures the same information for incoming communications. California Penal Code § 638.51 (part of CIPA) bars installing or using either without a court order, subject to exceptions including user consent. Since Greenley v. Kochava (S.D. Cal. 2023) read the statute's “device or process” language to potentially cover tracking software, plaintiffs have filed a wave of class actions alleging that website trackers collecting IP addresses and device data are unauthorized digital pen registers. Courts have split on the theory — it is developing, contested law — but CIPA's $5,000-per-violation statutory damages keep the filings coming.
The Traditional Definitions — Phone-Era Surveillance
“Pen register” and “trap and trace” are terms from telephone
surveillance. A pen register records the outgoing side of a line —
the numbers dialed and related routing information — without capturing what was
said. A trap and trace device is the mirror image: it identifies where
incoming calls come from. The names are literal artifacts of the technology; the
earliest pen registers recorded telegraph pulses with a pen on paper tape.
Because these tools capture metadata rather than the contents of a conversation,
the law has always treated them differently from wiretaps. Under the federal Pen
Register Act and its state counterparts, law enforcement must generally obtain a court
order before installing one — a lower bar than a wiretap warrant, but a real
legal gate. The key concept to carry into the modern cases is the statutory phrase:
pen registers capture “dialing, routing, addressing, or signaling
information.” The fight in today's litigation is over what that phrase means
when the “line” is a web browser.
CIPA § 638.51 — No Pen Register Without a Court Order
California's version lives inside the
California
Invasion of Privacy Act. Penal Code § 638.51(a) provides that a person
may not install or use a pen register or a trap and trace device without first
obtaining a court order. The statute carries exceptions — most importantly
for providers acting in the ordinary course of service and where the consent of the
user has been obtained — and § 638.50 supplies the definitions.
Two features of the California text matter enormously to the litigation. First,
§ 638.50(b) defines a pen register as a “device or process”
that records outgoing dialing, routing, addressing, or signaling information —
and plaintiffs seize on the word process to argue that software, not just
physical hardware, qualifies. Second, the prohibition is not limited to law
enforcement: it applies to “a person,” which plaintiffs read to include
website operators and their advertising-technology vendors. Put together, the argument
goes: if a tracking script captures the addressing and signaling information of my
browser session, and no court ever ordered it and I never consented, the website has
used an illegal pen register on me.
Greenley v. Kochava — the Ruling That Changed the Game
The theory moved from creative to mainstream with Greenley v. Kochava, Inc., a
2023 decision from the U.S. District Court for the Southern District of California.
Kochava is a mobile data broker; the complaint alleged its software development kit
(SDK), embedded invisibly inside third-party apps, collected users' device and
identifying data for sale. On a motion to dismiss, the court declined to throw out the
§ 638.51 claim, reasoning that the Legislature's choice of the broad word
“process” — and CIPA's history of being construed to keep pace
with new technology — made it at least plausible that data-collecting
software could be a pen register.
Two accuracy points. Greenley was a ruling at the pleading stage —
it held the claim was plausible enough to proceed, not that Kochava violated the law.
And it is one district court's decision, persuasive but not binding on any other
court. Neither caveat slowed the reaction: within months, plaintiffs' firms had
repurposed the reasoning against ordinary websites, and the pen-register claim became
the newest arrow in the web-tracking quiver alongside
session-replay,
chat-wiretapping,
and Meta Pixel
claims.
What the Web-Tracking Complaints Allege
The post-Greenley complaints follow a recognizable pattern. Plaintiffs allege
— and these are allegations the defendants dispute — that a website
installed tracking technology that functions as a digital pen register or trap and
trace device:
Advertising pixels. The TikTok pixel has been a frequent target, with complaints alleging it captures a visitor's IP address, device details, and browsing events and transmits them the moment a page loads — before any consent banner is clicked.
Analytics and fingerprinting scripts. Tools that allegedly collect IP addresses, device identifiers, screen and browser characteristics, and other fingerprint-grade data that can identify or locate a visitor.
The statutory hook. Plaintiffs characterize IP addresses and device data as "routing, addressing, or signaling information" — the exact phrase § 638.50 uses — captured without a court order or the visitor's consent.
Note what the theory does not require: unlike a § 631 wiretap claim, a
pen-register claim concerns metadata, so plaintiffs do not have to show anyone
read the “contents” of their communications. That is precisely its appeal
— it potentially reaches garden-variety analytics that the wiretap theories miss.
The Court Split — a Contested, Developing Theory
Courts — mostly California state and federal trial courts — have divided
sharply, and no appellate court has definitively resolved the theory. Decisions
allowing claims past the pleading stage generally accept that “process” can
cover software and that IP and device data can be “routing, addressing, or
signaling information.” Decisions dismissing the claims have reasoned, variously,
that a visitor's browser voluntarily conveys an IP address to every site it
contacts; that the statute targets records of the user's own outgoing
communications rather than a website logging its inbound traffic; that the visitor
consented via banners and policies; or that a routine website visit inflicts no
concrete injury sufficient for
standing.
The honest description of pen-register web-tracking law in mid-2026 is
unsettled: materially identical complaints survive in one courtroom and die in
the next, and the theory's ultimate fate awaits appellate guidance or legislative
clarification. Readers should treat any confident claim that the theory
“works” or “fails” with skepticism — both outcomes are
being reached weekly.
Damages and What Consumers Should Know
Pen-register plaintiffs invoke CIPA's private right of action, Penal Code
§ 637.2, seeking the greater of $5,000 per violation or three times
actual damages, plus injunctive relief — with no requirement of any dollar loss.
Aggregated across every visitor to a popular website, the theoretical exposure is
enormous, which is why the theory generates settlement pressure even while contested.
As always, those are amounts a court may award if a violation is proven; they
are not an automatic payout, and no one should expect a check because a complaint
cites § 638.51.
For consumers, the pen-register wave is mostly a window into how much invisible
metadata collection accompanies ordinary browsing — and a reminder that
cookie-consent choices have legal significance, since user consent is a statutory
exception. If web-tracking cases built on this theory settle on a classwide basis,
eligible visitors are typically notified and can file claims; current opportunities
appear on our open settlements
listing, and privacy and data-security cases are collected on the
data breach
settlements hub.
Frequently Asked Questions
What is a pen register?
Traditionally, a pen register is a device that records the outgoing dialing, routing, addressing, or signaling information of a communication — classically, the phone numbers dialed from a particular line — without capturing the contents of the conversation. A trap and trace device is its mirror image: it captures the originating number and similar information for incoming communications. Both were law-enforcement surveillance tools regulated by statutes requiring a court order before use.
What does CIPA § 638.51 prohibit?
California Penal Code § 638.51, part of the California Invasion of Privacy Act, makes it unlawful to install or use a pen register or trap and trace device without first obtaining a court order, subject to exceptions — including where the provider obtains the consent of the user. California defines a pen register as a 'device or process' that records outgoing routing, addressing, or signaling information, and plaintiffs argue the word 'process' reaches modern tracking software.
What did Greenley v. Kochava decide?
In Greenley v. Kochava, Inc. (S.D. Cal. 2023), a federal district court declined to dismiss a § 638.51 claim against a mobile data broker, reasoning that the statute's 'device or process' language could plausibly cover software embedded in apps that collects device and identifying data. The decision was the first prominent ruling to read California's pen-register law to reach tracking software, and it triggered a wave of web-tracking pen-register class actions. It is one district court's ruling at the pleading stage, not binding precedent.
What do website pen-register lawsuits allege?
Plaintiffs allege that tracking technologies — advertising pixels such as the TikTok pixel, analytics scripts, and device-fingerprinting tools — act as digital pen registers by capturing visitors' IP addresses, device identifiers, and browsing metadata, which they characterize as 'routing, addressing, or signaling information,' without a court order or the visitor's consent. These are contested allegations; courts have split on whether the statute reaches website tracking at all, and many cases have been dismissed while others have been allowed past the pleading stage.
What damages are available for a pen-register violation?
Plaintiffs invoke CIPA's private right of action, Cal. Penal Code § 637.2, which authorizes the greater of $5,000 per violation or three times actual damages, plus injunctive relief, without requiring proof of a dollar loss. Those are amounts a court may award if a violation is proven — the pen-register web-tracking theory remains developing, contested law, and no appellate court has definitively endorsed it.
Get notified when new class actions open to claims
Join thousands of readers who get the latest class action settlements you may qualify for — delivered straight to your inbox.
About This Page
General legal-information about pen registers, trap and trace devices, and the CIPA
§ 638.51 web-tracking litigation theory, not legal advice. OpenClassActions.com is
a consumer news site and is not a law firm or a settlement administrator. The
pen-register web-tracking theory is developing, contested law on which courts have
split; lawsuits described here involve allegations the defendants dispute, and
settlements resolve claims without any admission of wrongdoing. For the controlling
text, see Cal. Penal Code §§ 638.50–638.51 and § 637.2 and the
decisions interpreting them. If you think your rights were affected, consult a
qualified attorney in your jurisdiction.
More on Digital Surveillance & Tracking Law
CIPA — California Invasion of Privacy Act: The umbrella statute: wiretapping, eavesdropping, and the pen-register ban. Read the guide →
Meta Pixel (Facebook Pixel): How the ad-tracking snippet works and the litigation wave it sparked. Learn more →
Session Replay Software: The website-recording scripts behind the § 631 wiretap class actions. Read more →
Chatbot Wiretapping: CIPA claims over live-chat and AI chatbot conversations shared with vendors. What it covers →
ALPR — License Plate Reader Privacy: Another surveillance technology drawing privacy class actions. How it works →