InMobi's Bid to Kill Mobile Tracking Suit Fails as Judge Backs Broad Reading of California Privacy Law

SAN FRANCISCO (LN) — A federal judge on Wednesday refused to dismiss a putative class action alleging that InMobi Pte. Ltd. ran a covert mobile tracking operation that collected users' precise geolocation, mobile advertising IDs, and device fingerprinting data and fed it into identity resolution services that built persistent profiles — including segments labeled "Addictions > Alcohol," "Eating Disorder," and "Use Any Rx Treatment for Depression."

Plaintiff James Caldwell alleges InMobi's software development kit, embedded by app developers without user interaction, functions as an illegal pen register under California's Invasion of Privacy Act by recording and transmitting routing and addressing information "immediately and in real time without any intervening actor breaking the chain of transmission."

U.S. District Judge Araceli Martínez-Olguín, sitting in the Northern District of California, denied InMobi's motion to dismiss all three claims — the CIPA pen register count, intrusion upon seclusion under California common law, and invasion of privacy under the California Constitution — holding that Caldwell's allegations were sufficient to survive the pleading stage.

InMobi argued that stretching CIPA's pen register provision to cover its SDK "ignores the statutory text, expands the statute to unintended technologies, and makes for an unworkable reading." Martínez-Olguín was unpersuaded, pointing to a growing body of district court decisions that have read the statute broadly. She cited Harris v. iHeartMedia, Inc., decided in January, which observed that "[t]he overwhelming majority of courts that have considered this question have similarly concluded that third-party internet trackers meet the technical requirements of a pen register under CIPA."

InMobi also tried a late-breaking argument — that Caldwell had pleaded himself out of court because CIPA's definition of "electronic communication" excludes communications from a tracking device. The judge rejected that argument on procedural grounds, noting it appeared for the first time in InMobi's reply brief and was therefore not grounds for dismissal.

On the privacy claims, Caldwell alleged he used "a dating app for gay individuals on his Android device" that, unbeknownst to him, contained InMobi's embedded tracking code. The SDK allegedly transmitted his data to InMobi's servers each time the app made an ad request, and InMobi in turn shared that data with third-party identity resolution partners who matched it against existing profiles and returned persistent identity tokens. The resulting profiles allegedly tracked "sexuality and orientation, movements, habits, and other sensitive traits" without his "knowledge or consent."

InMobi countered that Caldwell never identified the app by name, never alleged InMobi linked his data to personal identifiers like his name or email address, and characterized the collection as "routine, commercial [advertising] activity." Martínez-Olguín rejected each argument, noting InMobi could seek the app's name through discovery and raise consent defenses at summary judgment.

InMobi also pointed to a November 2025 petition for writ of mandate pending before California's Second District Court of Appeal, where a state court is weighing whether CIPA's pen register provision should apply to website tracking technology at all. Martínez-Olguín declined to wait, noting InMobi "cites no authority for why those proceedings should dictate the outcome here."

The case now proceeds toward discovery, where InMobi will have its first opportunity to learn which dating app carried its SDK — and to mount the consent defense the court explicitly left open.