Court Decision Emphasizes That Retail Stores Aren’t Exempt From CIPA, Lawyer Says
A recent court decision demonstrates that “retail sites aren’t getting a free pass” when it comes to California Invasion of Privacy Act (CIPA) claims, especially when pixel trackers are collecting much more than what's needed for ads, said Troutman Amin lawyer Keerti Jaya in a blog post Friday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
In Camplisson v. Adidas, plaintiffs were shopping on the athletic apparel website, where the TikTok Pixel and Microsoft Bing trackers embedded in the site recorded “IP addresses, device identifiers, timestamps [and] fingerprinting data,” and “used features like AutoAdvanced Matching that can tie your browsing back to your name, birthday, and address,” the blog said.
“That’s not ‘retargeting ads,’” Jaya argued. “That’s a map back to the actual person, with the live location feature, if I may add.”
That echoed the opinion of Judge Gonzalo Curiel of the U.S. District Court for Southern California, whose Nov. 18 order in case 3:25-cv-00603 “focuses on the substance: the trackers were allegedly installed on users’ browsers, they collected identifying and addressing information, and they did it without consent,” Jaya wrote. “Under CIPA’s pen-register provisions, that is more than enough to state a claim.”
Jaya said it's “interesting … how thoroughly the Court rejects the defense playbook.” She noted that while other courts have dismissed claims for lack of standing, claiming a traditional privacy tort wasn't alleged (see 2510270015), Curiel rejected that. He additionally denied the claim that CIPA shouldn’t apply to the internet, as some defense lawyers have argued (see 2507100072).
“Courts have been very clear that CIPA isn’t tied to a specific technology; it’s tied to the principle of preventing secret interception,” the blog said. “TikTok Pixel + fingerprinting + third-party data sharing falls squarely within that principle.”
Adidas also said it obtained consent for tracking in terms located in the website footer, but the judge rejected that as well. His ruling said that “if you want users to consent to browser-level tracking, you need to actually ask them. Not hide it in tiny font. Not imply that visiting the site equals consent,” Jaya wrote. “Without conspicuous notice and an affirmative ‘yes,’ the consent exception under CIPA doesn’t apply.”
The case’s takeaway “is simple: if your site quietly plants sophisticated trackers on users’ browsers and sends their information to third parties, courts aren’t going to swoop in and save you at the pleadings stage,” Jaya said. “CIPA protects the right not to be secretly tracked without consent.”