Judge P. Casey Pitts, in the Northern District of California, granted in part and denied in part, defendant’s motion to dismiss a class action lawsuit challenging online data tracking practices. Plaintiffs allege that defendant placed tracking cookies on users’ devices even after users opted out, in violation of privacy rights and various state laws.
Background: Cookie Consent and Alleged Misrepresentations
Defendant operates multiple artist and merchandise websites. Like many businesses, defendant’s sites use cookies for advertising, analytics, and personalization. Defendant’s privacy policy and cookie consent banner informed users that they could opt out of certain cookies, including those used for online advertising and performance analytics, by clicking “Decline All.”
Plaintiffs, California residents, allege that despite opting out, Defendant’s websites still placed third-party cookies on their devices, enabling companies such as Meta, Google, TikTok, and others to track a wide range of user data—including browsing history, interactions, demographic information, and geolocation. Plaintiffs claim they would not have used the websites had they known their opt-out choices would be disregarded.
Invasion of Privacy and Intrusion Upon Seclusion
The court denied Defendant’s motion to dismiss the invasion of privacy and intrusion upon seclusion claims. The court found that:
- Users had a reasonable expectation of privacy because Defendant affirmatively represented that opting out would prevent certain tracking.
- The alleged conduct—tracking users after they opted out—could be considered “highly offensive,” especially given the deceptive nature of the representations.
- The California Consumer Privacy Act (CCPA) was cited as shaping user expectations, reinforcing that Californians reasonably expect to control data collection for advertising and analytics.
Wiretapping and Pen Register Claims Dismissed, But May Be Amended
The court dismissed the CIPA wiretapping and pen register claims, but granted leave to amend. The court found that:
- Plaintiffs did not allege with sufficient specificity that their own communications were intercepted or that the relevant “dialing, routing, addressing, or signaling information” was tracked.
- The court rejected defendant’s argument that the pen register statute applies only to telephones, finding the statutory language broad enough to cover online tracking.
While the court is open to applying these statutes to online conduct, plaintiffs must plead specific facts about their own interactions.
Fraud, Contract, and Trespass Claims Dismissed With Leave to Amend
The court dismissed the fraud, breach of contract, breach of implied covenant, and trespass to chattels claims, but allowed plaintiffs to amend:
- Fraud: Plaintiffs failed to specify when the alleged misrepresentations occurred, as required by Rule 9(b).
- Contract and Implied Covenant: Plaintiffs did not adequately allege a bargained-for exchange or consideration, as required for contract formation.
- Trespass to Chattels: Plaintiffs did not plausibly allege any measurable loss or impairment to their devices from the cookies.
Unjust Enrichment Claim Proceeds
The court allowed the unjust enrichment claim to proceed, construing it as a quasi-contract claim for restitution. Plaintiffs plausibly alleged that defendant was unjustly enriched by collecting valuable user data after misleading users about their ability to opt out.
Motion to Strike Denied
Defendant’s motion to strike screenshots and class allegations was denied. The court found these allegations were not immaterial or impertinent at the pleading stage.
