CIPA Claims Dismissed in Lakes v. Ubisoft: Consent Still Reigns Supreme

The California Invasion of Privacy Act (CIPA) is keeping a lot of lawyers busy these days, and not just in California. We’ve seen clients receive demand letters from California plaintiffs' firms claiming that the use of third-party cookies, pixels, and other tracking technology on their websites violates CIPA by functioning as a “trap and trace” device.

CIPA was originally passed to prevent unauthorized wiretapping. It generally requires all parties to a communication to consent before anything can be intercepted. That’s why you hear, “This call may be recorded,” at the beginning of customer service calls.

A “trap and trace device” refers to technology that captures incoming signaling information likely to identify the source of an electronic communication. Plaintiffs are now arguing that pixels and cookies meet this definition.

So why the increase in CIPA claims against websites? One big reason is the law’s statutory penalty: $5,000 per violation. Multiply that by thousands of website visits in a class action, and you have serious financial risk, even when the legal theory is a stretch.

That brings us to Lakes v. Ubisoft, Inc., No. 24-cv-06943-TLT (N.D. Cal. Apr. 1, 2025). Plaintiffs claimed Ubisoft violated CIPA by using Meta’s Pixel to collect and share user data like Facebook IDs and game preferences without proper consent.

Ubisoft pushed back, arguing that users had consented. The court agreed. Visitors saw a cookie banner that disclosed data collection. Purchasers had to create an account and accept a privacy policy that explained third-party sharing. That was enough to show actual, informed consent and defeat the CIPA claim.

Plaintiffs argued the disclosures were too vague because they didn’t name Meta specifically. But the court ruled that CIPA doesn’t require naming every third party. The case was dismissed with prejudice. The court found that no version of the complaint could overcome the central fact: users had consented.

The lesson from Lakes is simple: a clear, well-documented consent process remains one of the strongest defenses against CIPA and other privacy claims.