Lawyer: Calif. Courts Warm Up to Recognizing CIPA Violations in Six Flags Case

The U.S. District Court for Central California allowed seven causes of action against Six Flags to continue on Dec. 15, denying a motion to dismiss, the blog said.

This ruling and its “detailed analysis” have “broad implications for digital privacy enforcement,” Amin said. It “reflects a growing willingness among California courts to recognize data privacy violations as plausible -- especially where plaintiffs can plausibly allege misuse of data collected through online platforms.”

The plaintiff in Casillas v. Six Flags Entertainment Corporation accused Six Flags of using third-party cookies to unlawfully track website visitors. Miltitas Casillas alleged violations of the Federal Wiretap Act, two claims under CIPA, invasion of privacy under the state Constitution, intrusion upon seclusion, common law fraud, and unjust enrichment in case 2:25-cv-6824.

Judge Consuelo Marshall found the complaint “sufficiently stated causes of action” under each of the seven claims, Amin said. Casillas also “sufficiently alleged an injury-in-fact” due to loss of privacy, economic value of data monetized and unlawful interception of communications.

Additionally, despite the fact that Six Flags is a Delaware corporation with a principal place of business in North Carolina, jurisdiction was met because its website sold tickets to California consumers and referenced the state’s privacy laws.

Website visitors “had a reasonable expectation of privacy” on the site, which made use of third-party trackers “highly offensive,” the blog said. Though the court clarified the part of CIPA addressing telephone communications "did not apply," another provision prohibiting “unauthorized attempts to read or learn the contents of communications in transit” did.

Marshall also dismissed claims that the amusement park’s third-party tracking tools were not trap-and-trace devices. Case 2:25-cv-6824 now proceeds past the pleadings stage.