Judge Trina Thompson of the Northern District of California denied in part and granted in part a financial institution’s motion to dismiss claims based on alleged website tracking. We highlight a few of the claims here.
Invasion of Privacy:
Focusing on whether the plaintiffs’ allegations rose to a level of conduct that was sufficiently egregious to support a claim for invasion of privacy, the court held:
Regardless of whether Plaintiffs possessed a legally protected privacy interest or maintained a reasonable expectation of privacy, Plaintiffs here do not allege an intrusion that is highly offensive as a matter of public policy. Plaintiffs allege that Defendant disclosed personal information in the form of employment information, bank account information, and their eligibility for preapproval or approval for a credit card, but this information does not rise to the level of an “egregious breach of social norms.” Compl. ¶ 4; see Hammerling v. Google LLC, 615 F. Supp. 3d 1069, 1090 (N.D. Cal. 2022) (“Courts in this district have held that data collection and disclosure to third parties that is routine commercial behavior is not a highly offensive intrusion of privacy.”); In re Yahoo Mail Litig., 7 F. Supp. 3d at 1038 (“Even the disclosure of very personal information has not been deemed an egregious breach of social norms sufficient to establish a constitutional right to privacy”); Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012) (finding that the disclosure of personal information, such as social security numbers, was not an “egregious breach of the social norms”); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (finding that the disclosure of the unique device identifier number, personal data, and geolocation information was not an egregious breach of privacy). Accordingly, the Court GRANTS Defendant’s motion to dismiss as to the invasion of privacy without prejudice.
Standing for UCL and CDAFA:
Looking to the four corners of the complaint, the court considered plaintiffs’ alleged economic injury as required for standing under both the UCL and CDAFA:
Here, Plaintiffs state that they had a property interest in their personal information and that Plaintiffs lost money and property when Defendant disclosed their personal information with third parties. Compl. ¶¶ 273–74. However, Plaintiffs’ personal information does not constitute property. See Low, 900 F. Supp. 2d at 1030 (explaining that the “weight of authority” holds that a plaintiff’s personal information does not constitute property); In re iPhone Application Litig., 844 F. Supp. 2d at 1074–75 (holding that personal information is not property). Additionally, Plaintiffs do not plead that they “ever attempted or intended to participate in the market for the information” Defendant disclosed or that they derived economic value from that information. Lau v. Gen Digit. Inc., No. 22-cv-08981-JST, 2023 WL 10553772, at *7 (N.D. Cal. Sept. 13, 2023). As a result, Plaintiffs fail to allege that they had a property interest in their personal information.
Plaintiffs also cannot make an argument that the profit Defendant made as a result of disclosing Plaintiffs’ data is sufficient to demonstrate a loss. See In re Facebook, Inc. v. Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 804 (N.D. Cal. 2019) (“Facebook may have gained money through its sharing or use of the plaintiffs’ information, but that’s different from saying the plaintiffs lost money.”); Hazel v. Prudential Fin., Inc., No. 22-cv-07465-CRB, 2023 WL 3933073, at *6 (N.D. Cal. June 9, 2023) (explaining that even if a company made money off of the sharing or use of a plaintiff’s information, that company’s gain of money does not equal a plaintiff’s loss of money or property).
CCPA Claim:
Even without allegations of a data breach, the court held that the alleged disclosure of plaintiffs’ personal information, via website tracking technology and without consent, was sufficient to plead a violation of the CCPA at this early stage:
The CCPA provides a limited civil cause of action for any “consumer whose nonencrypted and nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security practices.” Cal. Civ. Code § 1798.150(a)(1). Under the CCPA, “[a] third party shall not sell or share personal information about a consumer that has been sold to, or shared with, the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out.” Id. § 1798.115.
Although the CCPA “calls for enforcement by the California Attorney General,” it allows a private right of action in the event of a security breach. Delgado v. Meta Platforms, Inc., 718 F. Supp. 3d 1146, 1155 (N.D. Cal. 2024). Courts, however, have also permitted the CCPA claims to survive a motion to dismiss in cases where the plaintiff does not allege a data breach, but instead where the “defendants disclosed plaintiff’s personal information without his consent due to the business’s failure to maintain reasonable security practices.” M.G. v. Therapymatch, Inc., No. 23-cv-04422-AMO, 2024 WL 4219992, at *7 (N.D. Cal. Sept. 16, 2024).
In this case, Plaintiffs allege that Defendant knowingly collected, used, and sold Plaintiffs’ personal information to third and fourth parties without their consent. Compl. ¶ 292. Because Plaintiffs allege that Defendant allowed third parties to embed trackers, such as Google and Microsoft, on its website and that these trackers transmitted Plaintiffs’ personal information, Plaintiffs need not allege a data breach. Id. ¶¶ 51–52; see Therapymatch, 2024 WL 4219992, at *7 (finding that the plaintiff did not need to allege a data breach where the plaintiff disclosed plaintiff’s personal information without his consent); Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 924 (S.D. Cal. 2020) (finding that plaintiffs alleged a sufficient CCPA claim when defendants disclosed their personal information over the internet but there was no theft). Because Plaintiffs plead that Defendant disclosed their personal information without their consent, Plaintiffs state a CCPA claim.
Shah, et al. v. Capital One Corp., 3:24-cv-05985-TLT (N.D. Cal. March 3, 2025).
