Judge Noel Wise, in the Northern District of California, dismissed a putative class action against a cruise line operator, finding that the plaintiff lacked standing and that the software at issue did not violate California’s privacy laws.
No Standing Without Concrete Injury
Plaintiff alleged that the cruise line’s website used TikTok-designed software to collect and transmit visitor data—including device, browser, and geographic information—without user consent. However, the court found that the plaintiff failed to allege any specific, concrete injury. General claims of data collection or privacy invasion, without details about what personal information was actually collected or how the plaintiff was harmed, were deemed insufficient to establish standing under Article III of the U.S. Constitution.
Plaintiff alleges only that Defendant invaded his privacy by impermissibly collecting Plaintiff’s “data” and “information.” A court considering a near identical complaint (see supra n.1) found the allegations insufficient to confer Article III standing because:
Plaintiff fails to allege any basic facts from which the Court could infer a concrete injury, like when and how many times she visited the site, what information she provided, what information Defendant captured, whether she was aware of Defendant’s tracking practices, or if she has any reason to believe that she was indeed de-anonymized.
Heiting v. FKA Distrib. Co., No. 2:24-CV-07314-HDV-AGR, 2025 WL 736594, at *3 (C.D. Cal. Feb. 3, 2025) (internal citation omitted). “Plaintiff cannot establish constitutional standing based on conclusory statements.” Steinmeyer v. Am. Ass’n of Blood Banks, 715 F. Supp. 3d 1302, 1318 (S.D. Cal. 2024).
Likewise, even if Plaintiff’s allegations were sufficiently concrete and particularized (they are not), Plaintiff has failed to allege the invasion of a legally protected right. Lujan, 504 U.S. at 560. The mere “collection of basic contact information by … software[,] or where the plaintiffs merely visited the website[,] are not concrete harms.”
Smidga v. Spirit Airlines, Inc., No. 2:22-CV-1578-MJH, 2024 WL 1485853, at *4 (W.D. Pa. Apr. 5, 2024) (collecting cases); Carolus v. Nexstar Media Inc., No. 24-CV-07790-VC, 2025 WL 1338193, at *1 (N.D. Cal. Apr. 9, 2025) (refusing to find an injury in fact where plaintiffs alleged only that defendant tracked “browser and device data” and “other identifying information” alongside IP addresses). IP addresses, for example, can provide “device and browser information” and “geographic information” the collection of which purportedly invaded Plaintiff’s privacy in the instant case, FAC ¶ 13, but it is well established in the Ninth Circuit that “there is no legally protected privacy interest in IP addresses.” Heeger v. Facebook, Inc., 509 F. Supp. 3d 1182, 1189 (N.D. Cal. 2020); United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (“Internet users have no expectation of privacy in … the IP addresses of the websites they visit.”); Carolus, 2025 WL 1338193, at *1 (no injury in fact where plaintiff alleges only “that a given device visited [Defendant’s] website and the general location of that device, including what zip code it’s in.”).
And though Plaintiff alleges that Defendants could gain “additional information about [a] visitor such as name, date of birth, and address,” and that allegation could intrude on Plaintiff’s right to privacy, he fails to convert that hypothetical into concrete harm to him.
Allegations of harm and injury must go beyond general assertions of privacy violations and identify specific personal information that implicates a protectable privacy interest.
California’s Trap and Trace Device Law
The plaintiff’s claim relied on the California Invasion of Privacy Act (CIPA), arguing that the TikTok software functioned as a “trap and trace device” by capturing identifying information about website visitors. The court rejected this argument, clarifying that the statute applies only to devices that capture metadata, such as the “who,” “when,” and “where” of communications, but not the content itself.
Plaintiff’s single claim turns on whether Defendant’s Website and the related software constitute a “trap and trace device” as defined by Cal. Penal Code § 638.50(c) and penalized by § 638.51. By definition, a “trap and trace device” captures identifying information about a communication “but not the contents of a communication.” § 638.50(c) (emphasis added).
As the Superior Court of Los Angeles County explained when a substantively identical claim (see supra n.1) came before it:
the crucial distinction from other devices is that … “trap and trace devices” are designed to capture information about the communication, but not the content of the communication itself. Indeed, other devices accomplish that, and a host of statutes and caselaw are directed at those other devices too. For purposes of Section 638.51, “trap and trace devices” by definition are tools which provide information about the “who,” “when,” and “where” of communications—but not the “what.”
Price v. Headspace, Inc., No. 24STCV19921, 2025 WL 1237977, at *3 (Cal. Super. Apr. 01, 2025).
…
Though neither party discusses the distinction between information about a communication versus information within a communication, it crystalizes the futility of Plaintiff’s suit (and the myriad identical cases Plaintiff’s counsel has filed in both federal and state courts).
If the software collected only metadata (e.g., IP addresses, general location), the court found there was no reasonable expectation of privacy and thus no statutory violation. Conversely, if the software collected content (such as names or addresses input by users), it would not qualify as a trap and trace device under the statute. This distinction was central to the court’s reasoning and led to dismissal of the claim.
KIEREN KISHNANI, Plaintiff, v. ROYAL CARIBBEAN CRUISES LTD., Defendant., No. 25-CV-01473-NW, 2025 WL 1745726 (N.D. Cal. June 24, 2025).
