Recently, a federal judge in the Northern District of California denied major ad network InMobi's motion to dismiss a putative class action alleging that its mobile advertising SDK functions as an unlawful pen register under California Penal Code § 638.51. Caldwell v. InMobi Pte Ltd., No. 25-cv-09977-AMO (N.D. Cal. Apr. 29, 2026). The court also sustained claims for intrusion upon seclusion and invasion of privacy under the California Constitution.

While this is not the first time a court has sustained claims based on a mobile SDK, Caldwell is aimed squarely at the ubiquitous, mobile ad tech ecosystem. The decision extends risk to every company that embeds a third-party ad-serving SDK in its app.

An ad-serving SDK is a package of pre-built code that an app developer drops into its app to monetize user traffic. A few lines of code, an ad placement, and the SDK handles the rest. That includes collecting device-level signals, transmitting them to the ad network's servers, and facilitating real-time ad auctions. All of it happens automatically, in the background, the moment the user opens the app. The Caldwell plaintiff alleged that the SDK operates “with no clear disclosure, no in-app control settings, and no operating system-level permissions that would allow users to block or substantially limit these transmissions.”

The data at issue can go well beyond IP addresses. The Caldwell SDK allegedly collected precise geolocation, mobile advertising IDs, device fingerprinting details, and behavioral signals to build persistent cross-device profiles enriched with sensitive demographic segments. For example, the SDK allegedly collected plaintiff's use of “a dating app for gay individuals on his Android device." 

This is what distinguishes mobile SDK-based tracking lawsuits from more traditional browser-based pixel tracking lawsuits, and why it is potentially harder to defend. A pixel fires in the user's browser, where it can be detected, blocked, or managed through a cookie banner. There are options to mitigate risk. But an SDK runs as compiled code inside the app itself, at the operating system level. The user cannot see it, cannot inspect it, and cannot block it without uninstalling the app. There is no obvious cookie banner equivalent for in-app SDK tracking.

For companies that integrate these SDKs, the exposure is real. Whether companies deploying those SDKs, as opposed to the SDK-owner itself, becomes a co-defendant or a future target is a question the next wave of complaints will likely answer. And consent is not a silver bullet: the Caldwell court expressly deferred the consent question to summary judgment or trial, holding it is a factual issue that cannot be resolved on the pleadings.

Understand what SDKs your app deploys, what data it collects, where it flows, and whether your vendor agreements address indemnification and compliance with state wiretap laws. The cost of that audit is a fraction of the cost of defending a class action.