Judge Jon S. Tigar of the Northern District of California denied most of data broker LiveRamp Holdings, Inc.’s motion to dismiss in a case challenging large-scale data aggregation, identity resolution, and the sale of consumer information. The only claim dismissed was for declaratory relief.
Plaintiffs allege that LiveRamp, a registered California data broker, compiles detailed “identity profiles” on hundreds of millions of individuals—most of whom have never interacted directly with the company. LiveRamp’s business model involves collecting and purchasing vast amounts of personal data from both online and offline sources, including names, addresses, device identifiers, and browsing histories. This information is aggregated into unique “RampID” profiles, which are then monetized through a Data Marketplace accessible to advertisers and other data brokers.
The complaint details how LiveRamp’s technologies—including cookies, tracking pixels, JavaScript code, and the AbiliTec system—enable the company to track individuals across devices, websites, and even physical locations. Plaintiffs claim that sensitive information, such as health conditions, financial status, religious affiliation, and sexual orientation, is included in the data segments sold to third parties, often without meaningful consumer consent.
LiveRamp argued that the data it collects is not sensitive and that consumers have no reasonable expectation of privacy in such information. The court rejected this argument, emphasizing that the aggregation of large quantities of data—even if individual data points are not inherently sensitive—can itself violate privacy expectations. The court cited recent precedent holding that the creation of detailed, individualized profiles from disparate sources implicates significant privacy concerns, especially when consumers are unaware of the data collection or its scope.
The court also found that LiveRamp’s “pseudonymization” of data (i.e., assigning unique IDs rather than using names) did not eliminate privacy risks, particularly because LiveRamp’s Attribute Enrichment feature allows customers to link profiles to real-world identities.
In Katz-Lacabe v. Oracle America Inc., the plaintiffs brought suit against Oracle based on its extensive data brokering business—primarily challenging Oracle’s identity resolution product and its data marketplace, which was “allegedly one of the world’s largest commercial data exchanges.” Katz-Lacabe v. Oracle Am., Inc., 668 F. Supp. 3d 928, 935 (N.D. Cal. 2023). The court there applied Facebook Tracking to find that the plaintiffs’ allegation that “Oracle’s accumulation of a ‘vast repository of personal data,’—from compiling Plaintiffs’ browsing activity, online communications, and offline activity” sufficiently stated a claim that Oracle violated their reasonable expectation of privacy. Id. at 942. The court further reasoned that although it was—based on plaintiffs’ generalized allegations—a “close question as to whether Oracle plausibly did collect and aggregate information to reveal” insights on “sensitive health and personal safety information,” “viewing the allegations in the light most favorable to Plaintiffs, such allegations of data collection would go well beyond the routine commercial behavior of collecting contact information for sending advertisements.” Id. (internal citations and quotation marks omitted).
Here, Plaintiffs argue that “LiveRamp provides functionally identical services to Oracle’s: tracking and identity resolution to create persistent identifiers linked to comprehensive behavioral profiles, and a data marketplace enabling the sale of sensitive personal information.” ECF No. 55 at 21. The court thus agrees with the analysis in Katz-Lacabe and is, for the reasons discussed above, unpersuaded by LiveRamp’s attempt to distinguish the case based purely on an alleged difference in the scale of data collection. See ECF No. 49 at 20; ECF No. 56 at 12.
The Court also rejects LiveRamp’s invitation to determine that the alleged intrusion wasn’t offensive or serious. “Under California law, courts must be reluctant to reach a conclusion at the pleading stage about how offensive or serious the privacy intrusion is.” In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 797 (N.D. Cal. 2019). When determining whether an invasion is “highly offensive,” courts consider “the degree and setting of the intrusion,” as well as “the intruder’s motives and objectives.” Hernandez, 47 Cal. 4th at 287, 97 Cal.Rptr.3d 274, 211 P.3d 1063. Given the factually intensive nature of the inquiry, “[c]ourts are generally hesitant to decide claims of this nature at the pleading stage.” In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 799 (N.D. Cal. 2022). Only if the allegations “show no reasonable expectation of privacy or an insubstantial impact on privacy interests” can the “question of [a serious or highly offensive] invasion [ ] be adjudicated as a matter of law.” Hill, 7 Cal. 4th at 40, 26 Cal.Rptr.2d 834, 865 P.2d 633. Plaintiffs have alleged enough in the FAC such that the Court cannot at this stage conclude as a matter of law that the alleged aggregation, synthesis, and sale of comprehensive online and offline data of individuals without their knowledge is not highly offensive. See Katz-Lacabe, 668 F. Supp. 3d at 942–43; see also Facebook Tracking, 956 F.3d at 606 (“The ultimate question of whether … [Defendants’] practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage.”).
Wiretap Act and California Invasion of Privacy Act (CIPA) Claims
The court allowed claims under both the federal Wiretap Act and California’s CIPA to proceed. LiveRamp’s defense—that its activities were authorized by one-party consent—was rejected in light of the “crime-tort exception,” which precludes consent as a defense if the interception of communications is for the purpose of committing a tort or crime. The court reasoned that commercial profit does not insulate a company from liability if the underlying conduct is tortious.
Unlike the DoubleClick court and the courts that have followed it, this Court is not persuaded that commercially exploiting unlawfully obtained information is “licit” merely because it is profitable. Put simply, committing a tort and seeking a profit are not mutually exclusive (if anything, the latter is often the reason for the former). Thus, if Plaintiffs ultimately prove that LiveRamp unlawfully intercepted, packaged, and sold personal information without consent at scale, that conduct will not be excused on the grounds that LiveRamp acted in pursuit of profit. Other cases have come to the same conclusion.
On the CIPA claims, the court found that plaintiffs plausibly alleged that LiveRamp’s technologies intercept and “read” communications in real time while they are in transit, satisfying the statutory requirements. The court also interpreted CIPA’s “pen register” provisions broadly, holding that internet tracking technologies can fall within the statute’s scope, not just traditional telephone devices.
Section 638.50 defines a “pen register” as “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication”—without limiting its application to telephones. Cal. Penal Code § 638.50(b). By contrast, other sections of CIPA specifically do include language regarding telephones. See, e.g., Cal. Penal Code §§ 631(a) (applying the statute to any “telegraph or telephone wire, line, cable, or instrument”); 632.7 (applying the statute to “a communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone”). Thus, if the drafters of Section 638.50 intended for “pen register” to be limited to telephone technologies, they knew how to say so. Accordingly, other federal courts have interpreted the plain language of Section 638.50 expansively to find that “pen registers” includes data collection tools beyond those that record information from telephones. In Greenley v. Kochava, Inc., the court explained:
Moreover, the Court cannot ignore the expansive language in the California Legislature’s chosen definition. The definition is specific as to the type of data a pen register collects—“dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted,” but it is vague and inclusive as to the form of the collection tool—“a device or process.” See Cal. Penal Code § 538.50(b). This indicates courts should focus less on the form of the data collector and more on the result. Thus, the Court applies the plain meaning of a “process” to the statute. A process can take many forms. Surely among them is software that identifies consumers, gathers data, and correlates that data through unique “fingerprinting.” (Am. Compl. ¶¶ 67, 74.) Thus, the Court rejects the contention that a private company’s surreptitiously embedded software installed in a telephone cannot constitute a “pen register.”
Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024, 1050 (S.D. Cal. 2023); see also Mirmalek v. Los Angeles Times Commc’ns LLC, No. 24-CV-01797-CRB, 2024 WL 5102709, at *3–4 (N.D. Cal. Dec. 12, 2024) (citing Greenley to reject the argument that CIPA’s pen register definition applies only to telephone technology and to hold that internet browser trackers can constitute pen registers).
LiveRamp also argues that “[i]f there was any doubt as to the reach of this provision, the rule of lenity requires the doubt to be resolved in favor of Defendants.” ECF No. 49 at 31. The Court sees no role for that rule here. “The rule of lenity applies to criminal and punitive statutes and requires ambiguities to be resolved in favor of the defendant.” Sec. & Exch. Comm’n v. Bardman, 231 F. Supp. 3d 442, 447 n.6 (N.D. Cal. 2017) (citing Fed. Election Comm’n v. Arlen Specter ’96, 150 F. Supp. 2d 797 (E.D. Pa. 2001)). The “rule of lenity only applies if, after considering text, structure, history, and purpose, there remains a ‘grievous ambiguity or uncertainty in the statute.’ ” Barber v. Thomas, 560 U.S. 474, 488, 130 S.Ct. 2499, 177 L.Ed.2d 1 (2010) (quoting Muscarello v. United States, 524 U.S. 125, 139, 118 S.Ct. 1911, 141 L.Ed.2d 111 (1998)); see also People v. Superior Ct. of Riverside Cnty., 81 Cal. App. 5th 851, 886, 297 Cal.Rptr.3d 517 (2022) (explaining that the rule of lenity applies “only if the court can do no more than guess what the legislative body intended; there must be an egregious ambiguity and uncertainty to justify invoking the rule” (internal quotations omitted)). LiveRamp has argued for a certain interpretation of Section 638.50(b), but it has not established any “grievous ambiguity” in the statute’s express language.
Communications Decency Act
LiveRamp’s attempt to invoke Section 230 of the Communications Decency Act as a shield from liability was unsuccessful. The court held that Section 230 does not apply where a company is itself responsible for creating or developing the content at issue—in this case, the detailed identity dossiers sold on LiveRamp’s Data Marketplace.
Unjust Enrichment and Declaratory Relief
The court permitted the unjust enrichment claim to proceed, finding that plaintiffs adequately alleged LiveRamp unjustly profited from the unauthorized use and sale of their personal information. However, the court dismissed the standalone claim for declaratory judgment, clarifying that declaratory relief is a remedy, not an independent cause of action.
Riganian v. LiveRamp Holdings, Inc., No. 25-CV-00824-JST, 2025 WL 2021802 (N.D. Cal. July 18, 2025).
