On February 17, 2026, Judge P. Casey Pitts, in the Northern District of California, allowed several privacy claims to proceed based on allegations that defendant’s website continued to track users even after users clicked “Reject All” on the company’s cookie consent banner.
Factual Background
Plaintiffs alleged that defendant’s website presented visitors with a popup cookie consent banner offering the options to “Accept Cookies,” “Reject All,” or “Manage Privacy Preferences”. The banner stated that defendant shares information with social media, advertising, and analytics partners, and represented that opting out would be honored.
According to the complaint, when users clicked “Reject All,” the website nonetheless placed both first-party and third-party cookies on their devices, allowing third parties—including Google, X Corp, Listrak, and Digioh—to track users’ browsing history, website interactions, demographic information, shopping behaviors, device information, and geolocation data. Plaintiffs brought a proposed class action on behalf of California consumers who clicked “Reject All” but were allegedly tracked anyway.
Claims Allowed to Proceed
Invasion of Privacy and Intrusion Upon Seclusion. The court held that plaintiffs adequately alleged that defendant facilitated third parties’ intrusions into users’ privacy by voluntarily integrating third-party tracking tools into its website pursuant to agreements with those parties. The court further found that plaintiffs alleged the type of “deceit plus factor” necessary to support a claim that the intrusion was “highly offensive” because defendant affirmatively promised not to collect or enable the collection of data but then did so anyway. The court emphasized that users were misled into engaging in tracked conduct they otherwise would not have undertaken.
Common Law Fraud (as to Plaintiffs Thayer and D’Antonio). The court found that two of the three plaintiffs adequately pleaded the required specificity for fraud claims by alleging the approximate dates they visited the website, that they were shown the consent banner, and that they clicked “Reject All” in reliance on the banner’s representations. The court concluded that the allegation that those plaintiffs suffered a “diminution of the value of their private and personally identifiable information” was sufficient to allege damages at the pleading stage.
Unjust Enrichment. The court found that plaintiffs adequately alleged that defendant was unjustly enriched because the data collection enabled the company to better market its products, better target advertisements, and profit from its understanding of user behaviors.
Claims Dismissed with Leave to Amend
California Invasion of Privacy Act (CIPA) Wiretapping. The court dismissed this claim because plaintiffs failed to allege that they personally engaged in communications with the website whose content could have been intercepted. While plaintiffs alleged that the website enabled interception of user communications generally, they did not allege that they themselves communicated with the website in a manner that would support a wiretapping claim.
CIPA Pen Register. The court rejected defendant’s argument that California’s pen register statute applies only to telephones, finding no such textual limitation and noting that such a narrow interpretation would undermine CIPA’s privacy-protective purpose. However, the court dismissed the claim because plaintiffs failed to allege that they communicated with the website or identify specific “dialing, routing, addressing, or signaling information” that was tracked.
Common Law Fraud (as to Plaintiff Cuevas Garcia). The court found that this plaintiff failed to satisfy Rule 9(b)’s heightened pleading standard because she alleged only that she visited the website “in or around 2024,” which was insufficient to provide adequate notice to the defendant.
Breach of Contract and Breach of Implied Covenant of Good Faith and Fair Dealing. The court dismissed these claims because the plaintiffs failed to allege a bargained-for exchange sufficient to establish a contract. The court observed that plaintiffs would have received the same access to the website regardless of whether they consented to cookies, meaning there was no consideration to support a contractual relationship.
Trespass to Chattels. The court dismissed this claim because the plaintiffs failed to plausibly allege measurable physical or functional harm to their devices from the placement of cookies.
TONY D’ANTONIO, et al., v. SMITH & WESSON INC., No. 25-CV-03085-PCP, 2026 WL 446310 (N.D. Cal. Feb. 17, 2026).
