Pen Register & Trap and Trace: How a Phone-Era Surveillance Law Reached Website Tracking

By Steve Levine · Updated July 2, 2026 · 7 min read

Quick Answer

A pen register is a device or process that records the outgoing dialing, routing, addressing, or signaling information of a communication — classically, the numbers a telephone dialed. A trap and trace device captures the same information for incoming communications. California Penal Code § 638.51 (part of CIPA) bars installing or using either without a court order, subject to exceptions including user consent. Since Greenley v. Kochava (S.D. Cal. 2023) read the statute's “device or process” language to potentially cover tracking software, plaintiffs have filed a wave of class actions alleging that website trackers collecting IP addresses and device data are unauthorized digital pen registers. Courts have split on the theory — it is developing, contested law — but CIPA's $5,000-per-violation statutory damages keep the filings coming.

The Traditional Definitions — Phone-Era Surveillance

“Pen register” and “trap and trace” are terms from telephone surveillance. A pen register records the outgoing side of a line — the numbers dialed and related routing information — without capturing what was said. A trap and trace device is the mirror image: it identifies where incoming calls come from. The names are literal artifacts of the technology; the earliest pen registers recorded telegraph pulses with a pen on paper tape.

Because these tools capture metadata rather than the contents of a conversation, the law has always treated them differently from wiretaps. Under the federal Pen Register Act and its state counterparts, law enforcement must generally obtain a court order before installing one — a lower bar than a wiretap warrant, but a real legal gate. The key concept to carry into the modern cases is the statutory phrase: pen registers capture “dialing, routing, addressing, or signaling information.” The fight in today's litigation is over what that phrase means when the “line” is a web browser.

CIPA § 638.51 — No Pen Register Without a Court Order

California's version lives inside the California Invasion of Privacy Act. Penal Code § 638.51(a) provides that a person may not install or use a pen register or a trap and trace device without first obtaining a court order. The statute carries exceptions — most importantly for providers acting in the ordinary course of service and where the consent of the user has been obtained — and § 638.50 supplies the definitions.

Two features of the California text matter enormously to the litigation. First, § 638.50(b) defines a pen register as a “device or process” that records outgoing dialing, routing, addressing, or signaling information — and plaintiffs seize on the word process to argue that software, not just physical hardware, qualifies. Second, the prohibition is not limited to law enforcement: it applies to “a person,” which plaintiffs read to include website operators and their advertising-technology vendors. Put together, the argument goes: if a tracking script captures the addressing and signaling information of my browser session, and no court ever ordered it and I never consented, the website has used an illegal pen register on me.

Greenley v. Kochava — the Ruling That Changed the Game

The theory moved from creative to mainstream with Greenley v. Kochava, Inc., a 2023 decision from the U.S. District Court for the Southern District of California. Kochava is a mobile data broker; the complaint alleged its software development kit (SDK), embedded invisibly inside third-party apps, collected users' device and identifying data for sale. On a motion to dismiss, the court declined to throw out the § 638.51 claim, reasoning that the Legislature's choice of the broad word “process” — and CIPA's history of being construed to keep pace with new technology — made it at least plausible that data-collecting software could be a pen register.

Two accuracy points. Greenley was a ruling at the pleading stage — it held the claim was plausible enough to proceed, not that Kochava violated the law. And it is one district court's decision, persuasive but not binding on any other court. Neither caveat slowed the reaction: within months, plaintiffs' firms had repurposed the reasoning against ordinary websites, and the pen-register claim became the newest arrow in the web-tracking quiver alongside session-replay, chat-wiretapping, and Meta Pixel claims.

What the Web-Tracking Complaints Allege

The post-Greenley complaints follow a recognizable pattern. Plaintiffs allege — and these are allegations the defendants dispute — that a website installed tracking technology that functions as a digital pen register or trap and trace device:

  1. Advertising pixels. The TikTok pixel has been a frequent target, with complaints alleging it captures a visitor's IP address, device details, and browsing events and transmits them the moment a page loads — before any consent banner is clicked.
  2. Analytics and fingerprinting scripts. Tools that allegedly collect IP addresses, device identifiers, screen and browser characteristics, and other fingerprint-grade data that can identify or locate a visitor.
  3. The statutory hook. Plaintiffs characterize IP addresses and device data as "routing, addressing, or signaling information" — the exact phrase § 638.50 uses — captured without a court order or the visitor's consent.

Note what the theory does not require: unlike a § 631 wiretap claim, a pen-register claim concerns metadata, so plaintiffs do not have to show anyone read the “contents” of their communications. That is precisely its appeal — it potentially reaches garden-variety analytics that the wiretap theories miss.

The Court Split — a Contested, Developing Theory

Courts — mostly California state and federal trial courts — have divided sharply, and no appellate court has definitively resolved the theory. Decisions allowing claims past the pleading stage generally accept that “process” can cover software and that IP and device data can be “routing, addressing, or signaling information.” Decisions dismissing the claims have reasoned, variously, that a visitor's browser voluntarily conveys an IP address to every site it contacts; that the statute targets records of the user's own outgoing communications rather than a website logging its inbound traffic; that the visitor consented via banners and policies; or that a routine website visit inflicts no concrete injury sufficient for standing.

The honest description of pen-register web-tracking law in mid-2026 is unsettled: materially identical complaints survive in one courtroom and die in the next, and the theory's ultimate fate awaits appellate guidance or legislative clarification. Readers should treat any confident claim that the theory “works” or “fails” with skepticism — both outcomes are being reached weekly.

Damages and What Consumers Should Know

Pen-register plaintiffs invoke CIPA's private right of action, Penal Code § 637.2, seeking the greater of $5,000 per violation or three times actual damages, plus injunctive relief — with no requirement of any dollar loss. Aggregated across every visitor to a popular website, the theoretical exposure is enormous, which is why the theory generates settlement pressure even while contested. As always, those are amounts a court may award if a violation is proven; they are not an automatic payout, and no one should expect a check because a complaint cites § 638.51.

For consumers, the pen-register wave is mostly a window into how much invisible metadata collection accompanies ordinary browsing — and a reminder that cookie-consent choices have legal significance, since user consent is a statutory exception. If web-tracking cases built on this theory settle on a classwide basis, eligible visitors are typically notified and can file claims; current opportunities appear on our open settlements listing, and privacy and data-security cases are collected on the data breach settlements hub.

Frequently Asked Questions

What is a pen register?

Traditionally, a pen register is a device that records the outgoing dialing, routing, addressing, or signaling information of a communication — classically, the phone numbers dialed from a particular line — without capturing the contents of the conversation. A trap and trace device is its mirror image: it captures the originating number and similar information for incoming communications. Both were law-enforcement surveillance tools regulated by statutes requiring a court order before use.

What does CIPA § 638.51 prohibit?

California Penal Code § 638.51, part of the California Invasion of Privacy Act, makes it unlawful to install or use a pen register or trap and trace device without first obtaining a court order, subject to exceptions — including where the provider obtains the consent of the user. California defines a pen register as a 'device or process' that records outgoing routing, addressing, or signaling information, and plaintiffs argue the word 'process' reaches modern tracking software.

What did Greenley v. Kochava decide?

In Greenley v. Kochava, Inc. (S.D. Cal. 2023), a federal district court declined to dismiss a § 638.51 claim against a mobile data broker, reasoning that the statute's 'device or process' language could plausibly cover software embedded in apps that collects device and identifying data. The decision was the first prominent ruling to read California's pen-register law to reach tracking software, and it triggered a wave of web-tracking pen-register class actions. It is one district court's ruling at the pleading stage, not binding precedent.

What do website pen-register lawsuits allege?

Plaintiffs allege that tracking technologies — advertising pixels such as the TikTok pixel, analytics scripts, and device-fingerprinting tools — act as digital pen registers by capturing visitors' IP addresses, device identifiers, and browsing metadata, which they characterize as 'routing, addressing, or signaling information,' without a court order or the visitor's consent. These are contested allegations; courts have split on whether the statute reaches website tracking at all, and many cases have been dismissed while others have been allowed past the pleading stage.

What damages are available for a pen-register violation?

Plaintiffs invoke CIPA's private right of action, Cal. Penal Code § 637.2, which authorizes the greater of $5,000 per violation or three times actual damages, plus injunctive relief, without requiring proof of a dollar loss. Those are amounts a court may award if a violation is proven — the pen-register web-tracking theory remains developing, contested law, and no appellate court has definitively endorsed it.


About This Page

This page provides general legal information about pen registers, trap and trace devices, and the CIPA § 638.51 web-tracking litigation theory; it is not legal advice. OpenClassActions.com is a consumer news site and is not a law firm or a settlement administrator. The pen-register web-tracking theory is developing, contested law on which courts have split; lawsuits described here involve allegations the defendants dispute, and settlements resolve claims without any admission of wrongdoing. For the controlling text, see Cal. Penal Code §§ 638.50–638.51 and § 637.2 and the decisions interpreting them. If you think your rights were affected, consult a qualified attorney in your jurisdiction.

