Judge Susan Illston, in the Northern District of California addresses a motion to dismiss a putative class action against a data broker accused of privacy violations through online tracking technology. Plaintiffs allege that defendant’s pixel technology tracks and records personal information and web activity of millions of Americans, compiling detailed user profiles without consent. The technology is also sold to advertising partners, enabling targeted advertising through identity resolution tools.
Plaintiffs, California residents, claim their browsing activities—including sensitive interactions on health and lifestyle websites—were tracked and profiled. They assert they were unaware of and did not consent to this data collection.
Legal Claims and Standards
Plaintiffs brought five claims: intrusion upon seclusion (California common law), violations of the California Invasion of Privacy Act (CIPA) under two sections, unjust enrichment, and violation of the federal Electronic Communications Privacy Act (ECPA). Defendant moved to dismiss for lack of subject matter jurisdiction and failure to state a claim.
Standing and Privacy Injury
The court found that plaintiffs sufficiently alleged a concrete and particularized injury, distinguishing their claims from prior cases involving less sensitive data. The alleged tracking spanned multiple websites and included sensitive information, supporting a reasonable expectation of privacy and a “highly offensive” intrusion. The court rejected arguments that the data was anonymous, noting allegations that defendant’s technology could deanonymize users and tie data to individual profiles.
Intrusion Upon Seclusion
The court held that plaintiffs plausibly alleged both prongs of the intrusion upon seclusion claim: intentional intrusion into matters with a reasonable expectation of privacy, and conduct that could be highly offensive to a reasonable person. The court emphasized that unauthorized tracking and compilation of detailed profiles for sale to advertisers is actionable, and declined to dismiss this claim at the pleading stage.
CIPA and ECPA Claims
The court found that plaintiffs adequately alleged violations of CIPA § 631 and ECPA § 2511, including interception of the “contents” of communications (such as full-string URLs revealing user interests), acting as a third party rather than a party to the communication, and interception of communications “in transit.” The court also determined that the crime-tort exception to ECPA could apply, even if the defendant’s primary motive was profit, as the alleged conduct involved invasion of privacy.
Regarding CIPA § 638.51, the court agreed with other recent decisions that web pixels can qualify as “pen registers” at the pleading stage, allowing this claim to proceed.
Notwithstanding OpenX’s contention to the contrary, plaintiffs’ complaint adequately alleges that OpenX intercepts more than just “record information.” Plaintiffs allege that OpenX collects users’ “communications with [partner] websites in the form of full-string URLs and button click events.” Id. ¶ 90. Plaintiffs allege that OpenX’s pixel intercepts the “detailed, full-string URLS” from each page of a website that the user visits, “thereby intercepting the user’s communications with the website regarding which articles they want to view.” Id. ¶ 170. The complaint explains that those full-string URLs include the full title of articles users’ view, which reveals the users’ interests (e.g. “htpps://www.bonappetit.com/gallery/taylor-swift-travis-kelce-pop-tarts”). Id. ¶ 120. “URLs which disclose search terms that reveal website users’ personal interests, queries, and habits are ‘contents’ of communications under CIPA and ECPA.” R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 902 (C.D. Cal. 2024); see also, Selby., 2025 WL 2950164, at *3.
Open X disputes plaintiffs’ contention that collecting the specific web pages users visit discloses “personal interests, queries, and habits.” Opp’n at 9; Reply at 10. Further, Open X contends that Selby, R.C., and other authority plaintiffs cite to are inapposite because in those cases the defendants allegedly intercepted users’ “search terms” or “search queries,” whereas here the complaint alleges OpenX intercepts URLs. Reply at 10. But, as these cases acknowledge, URLs can also reveal website users’ personal interests, queries, and habits, particularly when aggregated into comprehensive user profiles.
OpenX also argues that the complaint is deficient because plaintiffs do not identify which specific URLs they visited while using the websites that OpenX purportedly tracked. Mot. at 17. The Court disagrees. Plaintiffs have adequately alleged that OpenX intercepts not only the websites visited, but also URLS including specific articles or pages the plaintiffs viewed. See, e.g., Gilligan v. Experian Data Corp. 2026 WL 32259, *3 (N.D. Cal. Jan. 6, 2026). The Court acknowledges that lower courts have sometimes found similar complaints deficient where a plaintiff does not identify with specificity what searches they conducted or what webpages they viewed. See, e.g., King Hard Rock Café International Café Int’l (USA), Inc., 2025 WL 1635419, *4 (E.D. Cal. June 9, 2025); Lewis v. Magnite, Inc. 2025 WL 3687546 *12 (C.D. Cal. Dec. 4, 2025). However, the Court finds that here plaintiffs have sufficiently alleged that OpenX intercepted the contents of their communications while they navigated through various websites, including Bon Appetit and Covered California, such that OpenX has adequate notice of plaintiffs’ claims.
Unjust Enrichment
The court dismissed the unjust enrichment claim, finding plaintiffs had not alleged the absence of an adequate remedy at law, as required for equitable relief. Plaintiffs were granted leave to amend this claim.
KILEY KRZYZEK, et al., v. OPENX TECHNOLOGIES, INC., No. 25-CV-05588-SI, 2026 WL 206855 (N.D. Cal. Jan. 27, 2026).
