Judge Kirk E. Sherriff, of the Eastern District of California, granted defendants’ motion to dismiss, with prejudice, in a privacy putative class action. Plaintiffs alleged that, during the process of creating accounts on a plasma donation center’s website, third-party trackers (operated by Snap and Salesforce) collected their email and IP addresses without consent, purportedly in violation of the California Invasion of Privacy Act (CIPA). Plaintiffs claimed this data could be used for marketing, advertising, and analytics, and sought to represent a class of similarly affected users.
No Article III Standing Without Concrete Injury
The court granted the defendants’ motion to dismiss, finding that plaintiffs lacked Article III standing—a constitutional requirement for bringing suit in federal court—because they failed to allege a concrete injury.
- Nature of the Information Collected: The one-time collection of an email address and IP address, even if done without consent, does not rise to the level of a concrete injury. Courts have generally held that such information, by itself, is not sufficiently sensitive or private to trigger a legally protected privacy interest.
Plaintiffs have failed to establish that defendants’ one-time collection and dissemination of plaintiffs’ IP and email addresses, through the third-party trackers, sufficiently impacts plaintiffs’ privacy interests to give rise to a concrete injury. Courts have held that there is no legally protected privacy interest in an IP address or, in many contexts, in such relatively quotidian private information as an email address. See Khamooshi v. Politico LLC, 786 F. Supp. 3d 1174 (N.D. Cal. 2025); I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034 (N.D. Cal. 2022); Mikulsky v. Noom, Inc., 682 F. Supp. 3d 855 (S.D. Cal. 2023); Liau v. Weee! Inc., 23-civ-1177 (PAE), 2024 WL 729259 (S.D.N.Y. Feb. 22, 2024). Concrete intangible harms must also bear a close relationship to traditionally recognized harms. See Spokeo, 578 U.S. at 341.
As the Ninth Circuit recently clarified, “there existed no free-roaming privacy right at common law but rather four discrete torts that protected specific kinds of privacy-related harms … ‘intrusion upon seclusion, appropriation of another person’s name or likeness, publicity given to another person’s private life, and publicity that places one in a false light.’ ” Popa v. Microsoft Corp., — F.4th —, 2025 WL 2448824, at *6 (9th Cir. Aug. 26, 2025) (quoting Nabozny v. Optio Sols. LLC, 84 F.4th 731, 735 (7th Cir. 2023)). At oral argument, plaintiffs argued that defendants committed an intrusion upon seclusion when the third-party trackers allegedly intercepted their IP and email addresses. The Court disagrees. To show intrusion upon seclusion, a plaintiff must show “an intentional interference with his interest in solitude or seclusion, either as to his person or as to his private affairs or concerns, of a kind that would be highly offensive to a reasonable man.” Id. at *5 (quoting Nayab v. Cap. One Bank (USA), N.A., 942 F.3d 480, 491 (9th Cir. 2019) (emphasis added)). Disclosure of one’s email address and IP address, without more, does not bear similarity to the “highly offensive” interferences or disclosures that were actionable at common law. See id.; Khamooshi, 786 F. Supp. 3d at 1180; Zynga, 600 F. Supp. 3d at 1049; Xu v. Reuters News & Media Inc., 24-civ-2466 (PAE), 2025 WL 488501 (S.D.N.Y. Feb. 13, 2025); Cooper v. Bonobos, Inc., 21-cv-854 (JMF), 2022 WL 170622, at *4 (S.D.N.Y. Jan. 19, 2022).
Plaintiffs rely on the Ninth Circuit’s decision in In re Facebook, Inc. Internet Tracking Litigation, 956 F.3d 589 (9th Cir. 2020). There, it was alleged that, when a user created a Facebook account, Facebook placed more than ten cookies on the user’s browser that tracked the user’s browsing history even after the user logged out of Facebook and visited other websites. Facebook, 956 F.3d at 596. Facebook used such information in combination with the user’s personal Facebook profiles, which could include employment history and political and religious affiliations, to gain a cradle-to-grave profile without the user’s consent. Id. at 599. The court held that allegations of data collection performed “in order to receive and compile [the user’s] personally identifiable browsing history … no matter how sensitive or personal” constituted a “clear invasion of the historically recognized right to privacy” sufficient to establish Article III standing. Id. at 598–99.
In arguing that the one-time collection, and dissemination to Snap and Salesforce, of a user’s IP address and email address establishes a concrete injury, plaintiffs misinterpret Facebook. Facebook held that a dissemination of personal information may result in a concrete injury, as the right to privacy “encompass[es] the individual’s control of information concerning his or her person,” Facebook, 956 F.3d at 598 (quoting Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017)), but the invasive nature of the information collected was crucial to Facebook’s holding. The Facebook decision “accounted for the individual circumstances giving rise to the plaintiffs’ alleged injuries rather than simply greenlighting a per se rule for privacy statutes.” Popa, 2025 WL 2448824, at *8. Here, plaintiffs allege a one-time collection of their IP and email addresses, but they do not allege that the third-party trackers collected any other “embarrassing, invasive, or otherwise private information.”4Id. at *5.
- Comparison to Precedent: The court distinguished this case from prior decisions where standing was found, such as cases involving the collection of detailed browsing histories or sensitive personal information. Here, plaintiffs did not allege that any additional, more invasive data was collected, nor that they suffered any actual consequences (such as receiving targeted advertising) as a result.
- Speculative Harm Insufficient: Plaintiffs’ claims that the collected data could potentially be used for ID bridging or targeted advertising were deemed too speculative. The court noted that hypothetical or potential future uses of the data, without allegations of actual misuse or harm, do not satisfy the injury-in-fact requirement.
- No Intrusion Upon Seclusion: The court rejected the argument that the alleged conduct amounted to an “intrusion upon seclusion,” a common law privacy tort, finding that the disclosure of an email address and IP address alone is not “highly offensive” to a reasonable person.
EDWARD WOOTEN & SARKIS OGANYAN, individually & on behalf of all others similarly situated, v. BIOLIFE PLASMA SERVICES L.P. & TAKEDA PHARMACEUTICALS U.S.A., INC., No. 1:25-CV-00099-KES-SKO, 2025 WL 2979619 (E.D. Cal. Oct. 22, 2025).
