Judge Jacqueline Scott Corley, in the Northern District of California, partially denied a motion to dismiss privacy claims. The plaintiff, representing a class of California website users, claimed that after opting out of the sale and sharing of personal information via the website’s cookie consent window, the website operator continued to allow third-party cookies to be placed and user data to be transmitted to external parties. The data allegedly collected included browsing history, visit history, website interactions, user input data, demographic information, shopping behavior, device information, session details, user identifiers, and geolocation data.
The plaintiff asserted that these actions violated his privacy and contradicted the website’s representations that opting out would prevent such data sharing. Claims included invasion of privacy, intrusion upon seclusion, wiretapping and pen register violations under the California Invasion of Privacy Act (CIPA), fraud, unjust enrichment, and trespass to chattels.
The website “immediately” presented a popup cookie consent banner (“Cookie Banner”), which stated: “This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising, and analytics partners.” (Id. ¶ 85.) The Cookie Banner offered Plaintiff the options “Accept Cookies” or “Cookie Settings,” and “[c]onsistent with his typical practice in rejecting or otherwise declining the placement or use of cookies and tracking technologies,” Plaintiff clicked the “Cookie Settings” button. (Id. ¶¶ 85-86.) The website then displayed a “cookie consent preferences window” (“Cookie Window”), which included a toggle switch and stated: “You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalized ads and will not hand over your personal information to any third parties.” (Id. ¶¶ 36, 86.) Plaintiff moved the toggle switch to opt out, and clicked a “Confirm my Choices” button. (Id. ¶ 86.) Believing these steps “would allow him to opt out of, decline, and/or reject all non-required cookies and other tracking technologies (inclusive of those cookies that cause the disclosure of user data to third-party social media, advertising, and analytics companies for the purposes of providing personalized content, advertising, and analytics services),” Plaintiff continued browsing the website in reliance on Defendants’ promises. (Id. ¶¶ 86, 89.)
Standing and Privacy Claims Survive
The court found that the plaintiff’s allegations of loss of control over personal information constituted a sufficiently concrete injury for Article III standing. The plaintiff plausibly alleged a reasonable expectation of privacy in the data collected, especially given the website’s explicit statements about opting out. The court held that the alleged conduct—continuing to transmit data to third parties after users opted out—could be considered highly offensive and contrary to social norms, allowing the invasion of privacy and intrusion upon seclusion claims to proceed.
Fraud and Unjust Enrichment Claims Allowed
The court determined that the plaintiff had adequately pled fraud, including specific allegations about the website’s representations, the plaintiff’s reliance, and the defendants’ knowledge and intent. The plaintiff also sufficiently alleged unjust enrichment, claiming defendants benefited financially from the unauthorized use of personal data, even if the plaintiff did not suffer direct economic loss.
CIPA and Trespass to Chattels Claims Dismissed With Leave to Amend
The court dismissed the CIPA wiretap and pen register claims as time-barred, finding the plaintiff had not shown reasonable and good faith conduct to justify equitable tolling of the statute of limitations. The trespass to chattels claim was also dismissed, as the plaintiff failed to allege any actual impairment or damage to his device from the placement of cookies, which are generally considered too small to affect device performance.
DANIEL PEMBERTON v. RESTAURANT BRANDS INTERNATIONAL, INC. & RESTAURANT BRANDS INTERNATIONAL US SERVICES LLC, No. 25-CV-03647-JSC, 2025 WL 3268404 (N.D. Cal. Nov. 24, 2025).
