Many California-based privacy claims have turned on the application of longstanding statutes to modern technologies, with courts frequently holding that certain online tracking technologies can qualify as impermissible trap-and-trace devices in violation of California Penal Code section 638.51, part of the California Invasion of Privacy Act (CIPA). A recent decision from the Central District of California, however, signals that these arguments will not always succeed.
On March 11, 2026, Judge David O. Carter dismissed plaintiff’s claims without leave to amend in Travis Rounds v. Development Dimensions International, Inc. The court found “persuasive Defendant’s argument that allegations of the use of cookies does not suffice as a statutory violation of § 638.51 and the alleged use of a trap and trace device.” Travis Rounds v. Development Dimensions Int’l, Inc., 2026 WL 746291 at *2 (C.D. Cal. Mar. 11, 2026).
Penal Code § 638.50(c) defines a “trap and trace device” as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”
The plaintiff, Rounds, had alleged that Defendant Development Dimensions International (“DDI”) installed a data-broker software development kit from 6Sense on its website to “deanonymize” users and build covert profiles by analyzing a user’s geolocation, device information, browser cookies, and other browser data. According to the complaint, when Rounds visited DDI’s website, his approximate location and browser and device information were transmitted to 6Sense, which allegedly added that information to an existing profile and shared additional data about Rounds with DDI. Rounds contended that this conduct constituted the use of a trap‑and‑trace device in violation of § 638.51.
DDI moved to dismiss on personal jurisdiction grounds, arguing that it did not target Californians, install software on Californian’s devices independent of the users’ choice, or use data collected from Californians as part of its business model. Rounds countered that DDI’s use of cookies to track Californian users was sufficient to establish personal jurisdiction. The court disagreed, concluding that the alleged use of cookies did not plausibly establish a statutory violation of § 638.51 and, as a result, did not support the exercise of personal jurisdiction. The Court dismissed the complaint for lack of personal jurisdiction without leave to amend.