📋 Case Overview

─────────────────────────────────────────

Cases: CIPA Cookie Tracking | Ortega v. Powur, PBC

Courts: C.D. California | W.D. Texas

Dates: March 2026

Verticals: Privacy / TCPA

Article Type: Roundup

Privacy Law Roundup: Courts Deliver Two Defense Wins in Cookie Tracking and TCPA Vicarious Liability Cases

Two recent federal court decisions are reshaping how plaintiffs must frame privacy and telemarketing claims — one limiting the reach of California's wiretapping statute to online cookies, the other raising the bar for holding companies responsible for third-party robocalls.

Courts across the country continue to grapple with how decades-old statutes apply to modern technology. As recent coverage from Inside Class Actions illustrates, not every novel legal theory survives judicial scrutiny — and two rulings handed down in March 2026 serve as a reminder that privacy and TCPA plaintiffs face meaningful procedural hurdles before their cases can proceed.

1. Federal Court Rejects Claim That Cookies Are Illegal Trap and Trace Devices

Court: U.S. District Court, Central District of California

Ruling Date: March 2026

Statute at Issue: California Penal Code § 638.51 (California Invasion of Privacy Act)

Who Was Potentially Affected: California consumers who visited websites using cookie-based tracking technology

A California federal court has declined to extend the state's wiretapping law to standard web cookies, rejecting a theory that has gained traction in other California privacy litigation.

The case centered on California Penal Code section 638.51, part of the California Invasion of Privacy Act (CIPA), which prohibits the use of "trap and trace devices" — tools that capture the originating number or routing information of incoming communications. Plaintiffs in a growing wave of lawsuits have argued that website tracking technologies, including cookies and tracking pixels, qualify as illegal trap-and-trace devices under this statute because they capture information about a visitor's device or browsing activity without consent.

The Central District of California disagreed. According to reporting on the decision, the court rejected the argument that cookies constitute trap-and-trace devices within the meaning of CIPA, drawing a line between the traditional communications interception the statute was designed to address and the way cookies function on modern websites.

The ruling is notable because California courts have not been uniform on this question. Some earlier decisions allowed similar CIPA claims to proceed, leaving open the question of how broadly section 638.51 applies to online tracking. This decision narrows that window, at least within the Central District.

For consumers, the practical effect is that cookie-based tracking on websites — a near-universal practice across the internet — may not, on its own, support a private lawsuit under CIPA's trap-and-trace provisions, according to this court's interpretation.

What this means for plaintiffs: Legal observers have noted that CIPA trap-and-trace claims have become one of the most frequently filed privacy theories in California. This ruling may prompt plaintiffs' attorneys to refine their pleading strategies or pivot toward other CIPA provisions, such as the wiretapping subsection under section 631, which courts have more often allowed to proceed.

2. W.D. Texas Dismisses TCPA Claims Over Failure to Allege Vicarious Liability

Court: U.S. District Court, Western District of Texas

Case: Ortega v. Powur, PBC, No. 5:25-cv-0864-JKP

Ruling Date: March 23, 2026

Statute at Issue: Telephone Consumer Protection Act (TCPA)

Who Was Potentially Affected: Consumers who received allegedly unsolicited telemarketing calls placed by third-party vendors

A Texas federal court dismissed TCPA claims against solar energy company Powur, PBC at the pleading stage, finding that the plaintiff failed to adequately allege that unidentified third-party telemarketers were acting as the company's agents when they made the calls at issue.

Under the TCPA, companies can be held liable not only for calls they make directly, but also for calls made on their behalf by third-party telemarketers — a theory known as vicarious liability. Establishing vicarious liability typically requires showing that the company exercised sufficient control over the telemarketer's conduct, or that the telemarketer was acting with the company's actual or apparent authority.

According to the court's ruling in Ortega v. Powur, the plaintiff's complaint did not plausibly allege the facts necessary to support such a relationship. The court granted the motion to dismiss, finding the vicarious liability allegations insufficient to survive the pleading stage.

What makes this ruling particularly significant, according to legal commentary on the decision, is the timing: vicarious liability questions in TCPA cases are far more commonly tested at the summary judgment stage — after discovery has allowed plaintiffs to gather evidence about the relationship between the defendant and its telemarketers. Courts that dismiss these claims at the pleading stage are signaling that plaintiffs must come forward with more specific factual allegations from the outset, even before they have had an opportunity to conduct discovery.

What this means for plaintiffs: For consumers who receive unsolicited telemarketing calls from vendors acting on behalf of larger companies, this decision underscores the importance of gathering as much information as possible about who made the call and why — details that may bear directly on whether a TCPA lawsuit can survive early legal challenges.

Key Takeaways

• California's CIPA trap-and-trace theory faces new limits. The Central District of California's rejection of cookie-as-trap-and-trace arguments may signal a course correction for a theory that had proliferated in California privacy litigation.
• TCPA vicarious liability requires specific factual allegations early. The Ortega v. Powur ruling is a reminder that plaintiffs cannot simply name the brand behind a telemarketing call — they must allege a plausible agency relationship with enough detail to survive a motion to dismiss.
• Defense wins at early stages don't end the legal debate. Both rulings represent district court decisions, not binding appellate precedent. Similar claims continue to be litigated across the country, and outcomes vary by court and circuit.
• Legal theories evolve. Plaintiffs' attorneys in both the CIPA and TCPA spaces are likely to adapt their strategies in response to rulings like these, potentially narrowing their theories or shoring up factual allegations in future complaints.

Have you received unsolicited telemarketing calls or have concerns about how your data is tracked online? Share your experience in the comments below.

InjuryClaims.com reports on litigation developments for informational purposes only. Nothing in this article constitutes legal advice. Eligibility for any settlement or lawsuit is determined by attorneys and courts, not by this publication.