Judge Gonzalo P. Curiel, in the Southern District of California denied a motion to dismiss a class action lawsuit alleging that a major retailer’s use of tracking pixels—specifically TikTok Pixel and Microsoft Bing—violated the California Invasion of Privacy Act (CIPA) by collecting users’ personal information without proper notice or consent.
The case centers on the retailer’s website, which allegedly embedded tracking pixels to monitor user interactions for targeted advertising and analytics. These pixels collected a range of data, including IP addresses, device details, browser information, and, through advanced features like “fingerprinting” and “AutoAdvanced Matching,” could associate this data with personally identifiable information such as names and addresses. Plaintiffs argued that this data collection occurred without their consent and that the website’s privacy disclosures were insufficient, being relegated to small-font links in the site’s footer.
Standing and CIPA Violations
The defendant sought dismissal on the grounds that plaintiffs lacked standing and failed to state a claim. The court addressed two key issues:
1. Standing to Sue
- Statutory Standing: The court found that CIPA provides a substantive right to privacy, and the unauthorized collection of personal information constitutes an injury sufficient for statutory standing. Plaintiffs need not allege additional harm beyond the privacy violation itself.
- Article III Standing: The court held that the alleged privacy injury was concrete and particularized, aligning with traditional privacy harms recognized at common law. The collection of personally identifying information without consent was deemed a sufficient basis for standing.
2. CIPA’s “Pen Register” Provisions
- Plaintiffs argued that the tracking pixels functioned as “pen registers” under CIPA, which broadly prohibits unauthorized recording of addressing information (such as IP addresses) transmitted via electronic communications.
- The court agreed that the statute’s language is intentionally broad and not limited to telephone technology, finding that website-based trackers can plausibly constitute pen registers.
Consent and Notice: What Counts?
A critical aspect of the ruling was the court’s analysis of user consent. The defendant argued that users were notified via the website’s Terms and Conditions and Privacy Policy, accessible through a footer link. However, the court found this notice insufficient:
- Conspicuousness: The privacy disclosures were not prominently displayed, requiring users to scroll to the bottom of the page.
- Affirmative Consent: The website did not require users to take any affirmative action (such as clicking a box or responding to a pop-up) to indicate consent to data collection.
The court emphasized that, for consent to be valid, users must receive reasonably conspicuous notice and take some action to manifest assent. Mere passive exposure to a hyperlink does not suffice.
For a website user to be contractually bound by a site’s terms, the user need not have actual knowledge of the browsewrap agreement. Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1177 (9th Cir. 2014). Instead, the website must put “a reasonably prudent user on inquiry notice of the terms of the contract.” Id. “Whether a user has inquiry notice of a browsewrap agreement, in turn, depends on the design and content of the website and the agreement’s webpage.” Id. Still, “[u]nless the website operator can show that a consumer has actual knowledge of the agreement, an enforceable contract will be found based on an inquiry notice theory only if: (1) the website provides reasonably conspicuous notice of the terms to which the consumer will be bound; and (2) the consumer takes some action, such as clicking a button or checking a box, that unambiguously manifests his or her assent to those terms.” Berman v. Freedom Fin. Network, LLC, 30 F.4th 849, 856 (9th Cir. 2022).
*9 In terms of conspicuousness, many courts have refused to enforce browsewrap agreements “[w]here the link to a website’s terms of use is buried at the bottom of the page or tucked away in obscure corners of the website where users are unlikely to see it.” Nguyen, 763 F.3d at 1177; see, e.g.,In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 893 F. Supp. 2d 1058 (D. Nev. 2012) (“The Terms of Use is inconspicuous, buried in the middle to bottom of every Zappos.com webpage among many other links, and the website never directs a user to the Terms of Use.”); Hines v. Overstock.com, Inc., 668 F. Supp. 2d 362 (E.D.N.Y. 2009), aff’d, 380 F. App’x 22 (2d Cir. 2010) (finding no notice where plaintiff “could not even see the link to them without scrolling down to the bottom of the screen”).
Here, Defendant’s website does not make the Terms and Conditions conspicuous. The website users must, instead, find the details of the terms and the Privacy Policy by scrolling down to the footer of the page. Thus, Defendant does not meet the first requirement to put Plaintiffs on notice.
However, even if the notice was conspicuous, the website must provide a mechanism for “affirmative action to demonstrate assent.” Nguyen, 763 F.3d at 1178.
Camplisson, et al. v. Adidas Am., Inc., No. 25-CV-603-GPC-KSC, 2025 WL 3228949 (S.D. Cal. Nov. 18, 2025).
