Ruling on a motion to dismiss in a privacy class action, Judge Rita F. Lin, in the Northern District of California, allowed claims for the California Comprehensive Computer Data Access and Fraud Act (CDAFA) and the federal Wiretap Act to proceed, while dismissing claims under California’s Unfair Competition Law (UCL) and Consumers Legal Remedies Act (CLRA).
Plaintiffs allege that a retailer embedded third-party tracking code—such as Meta Pixel and Attentive Tag—on its website, which caused visitors’ personally identifiable information (PII) and browsing activity to be transmitted to third parties without user consent. The data allegedly included search queries, items viewed or purchased, contact information, and, in some cases, Facebook IDs. Plaintiffs claim that both the retailer and the third parties used this data for commercial purposes, including targeted advertising, and that the retailer’s privacy policy did not adequately disclose these practices.
CDAFA Claim
The court found that the plaintiffs plausibly alleged “damage or loss” under CDAFA by asserting that both the retailer and third parties unjustly profited from the use of plaintiffs’ personal data. The court recognized that, under California law, disgorgement of unjust profits can constitute a compensable injury, even if plaintiffs did not directly expend money or experience a diminution in the value of their data. This interpretation aligns with the statute’s privacy-protective purpose and recent case law.
“California law requires disgorgement of unjustly earned profits regardless of whether a defendant’s actions caused a plaintiff to directly expend his or her own financial resources or whether a defendant’s actions directly caused the plaintiff’s property to become less valuable.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 600 (9th Cir. 2020). A disgorgement theory can “constitute[ ] an injury sufficient to establish [Article III] standing to bring [a plaintiff’s] claims for CDAFA violations.” Id. at 601. Plaintiffs have a “stake in the profits garnered” unjustly from their data, and “[u]nder California law, this stake in unjustly earned profits exists regardless of whether an individual planned to sell his or her data or whether the individual’s data is made less valuable.” Id. at 600. That logic applies equally to the issue of whether plaintiffs have suffered “damage” under CDAFA. Plaintiffs are damaged by not having received a share of the allegedly unjust profits generated from their data. That reading is also consistent with CDAFA’s statutory purpose. The legislature found that the “protection of … lawfully created … computer data is vital to the protection of the privacy of individuals,” Cal. Pen. Code § 502(a), and made available equitable relief. Cal. Penal Code § 502(e)(1). In light of that intent, Rack Room’s alleged unjust profit from the use of Plaintiffs’ private personal information, which holds at least some financial value to Rack Room, plausibly constitutes a “damage or loss” within the meaning of CDAFA. See Rodriguez v. Google LLC, 772 F. Supp. 3d 1093, 1109 (N.D. Cal. 2025) (plaintiffs stated a CDAFA claim under a disgorgement theory).
Federal Wiretap Act Claim
The court also allowed the federal Wiretap Act claim to proceed. Plaintiffs sufficiently alleged that the retailer “intentionally used” intercepted communications—collected via third-party code—for its own commercial benefit, in violation of its own privacy policy. The court found that the so-called “crime-tort exception” to the Wiretap Act’s party consent rule applied, because the retailer’s alleged use of the data for targeted advertising, contrary to its privacy commitments, could constitute an independent tortious act (such as invasion of privacy). The court rejected the argument that a financial motive alone shields a defendant from liability at this stage.
UCL and CLRA Claims
By contrast, the court dismissed the UCL and CLRA claims without leave to amend.
California law provides that only one “who has suffered injury in fact and has lost money or property as a result of the unfair competition” may bring suit under the UCL. Cal. Bus. & Prof. Code § 17204. Under the CLRA, plaintiffs must allege a “tangible increased cost or burden to the consumer.” See Meyer v. Sprint Spectrum L.P., 200 P.3d 295, 301 (Cal. 2009); see also Rojas v. Bosch Solar Energy Corp., 386 F. Supp. 3d 1116, 1130 (N.D. Cal. 2019). The Court previously found that Plaintiffs had not adequately pled harm under the UCL or CLRA. Smith I, 2025 WL 1085169, at *6. The generalized allegations in the SAC regarding the value of web browsing data are still insufficient to support Plaintiffs’ diminution of value theory, and therefore do not cure the deficiencies identified in the prior order. See Lau v. Gen Digital Inc., No. 22-cv-08981-RFL, 2024 WL 1880161, at *4 (N.D. Cal. Apr. 3, 2024). Moreover, unlike in the CDAFA context, the unjust enrichment theory does not satisfy the statutory standing requirements of the UCL or CLRA, where a plaintiff must show “loss of money or property” or a “tangible increased cost or burden to the consumer,” and not merely the general “damage” that must be shown under CDAFA. See, e.g., Hazel v. Prudential Fin., Inc., No. 22-cv-07465-CRB, 2023 WL 3933073, at *6 (N.D. Cal. June 9, 2023).
DEMETRIUS SMITH, et al., Plaintiffs, v. RACK ROOM SHOES, INC., Defendant., No. 24-CV-06709-RFL, 2025 WL 2210002 (N.D. Cal. Aug. 4, 2025).
