UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK ALISON CAMM, NICOLE FLICK, NORMA CISNEROS, KRYSTAL FORBES, and ENZA ZITO, on behalf of themselves and all others similarly situated, 25 Civ. 1921 (KPF) Plaintiffs, OPINION AND ORDER -v.- REACH FINANCIAL, LLC, Defendant. KATHERINE POLK FAILLA, District Judge: Alison Camm, Nicole Flick, Norma Cisneros, Krystal Forbes, and Enza Zito (collectively, “Plaintiffs”) brought this putative class action against Reach Financial, LLC (“Reach” or “Defendant”), alleging that Reach collected and transmitted their sensitive personal information without their consent through the use of Google’s tracking software on Reach’s website. Before the Court is Reach’s motion to dismiss Plaintiffs’ numerous federal and state-law claims under Federal Rule of Civil Procedure 12(b)(6). For the reasons set forth below, the Court grants the motion to dismiss in part and denies it in part. BACKGROUND1 A. Factual Background
1. The Parties Reach is a debt relief company that offers debt consolidation loan programs. (Compl. ¶ 9). It owns and operates a website on which a potential customer can fill out an application for a debt consolidation loan and receive an instant determination as to whether his or her application has been accepted or denied. (Id. ¶ 10). Reach is a limited liability corporation incorporated in Delaware with its principal place of business in New York. (Id.
¶ 44). Each of the five Plaintiffs in this case accessed Reach’s website at some point to apply for a debt consolidation loan using her personal electronic device while logged into her Google account on the same device. (Compl. ¶¶ 15, 18, 21, 24, 27, 30, 33, 36, 39, 42). After providing sensitive financial information to Reach as part of the application process, all five Plaintiffs reported seeing targeted online advertisements for debt relief services. (Id. ¶¶ 19, 25, 31, 37, 43). Alison Camm and Nicole Flick are citizens of California; Norma Cisneros
1 This Opinion draws its facts from the Complaint (“Compl.” (Dkt. #1)), the well-pleaded allegations of which are taken as true for purposes of this Opinion. See Ashcroft v. Iqbal, 556 U.S. 662, 678-79 (2009). In addition, the Court relies, as appropriate, on the declaration of Alexia Chapman in support of Defendant’s motion to dismiss (“Chapman Decl.” (Dkt. #25)) and the exhibit attached thereto (“Chapman Decl., Ex. A”). For ease of reference, the Court refers to Reach’s memorandum of law in support of its motion to dismiss as “Reach Br.” (Dkt. #26), to Plaintiffs’ memorandum of law in opposition to Reach’s motion as “Pl. Opp.” (Dkt. #23), and to Reach’s memorandum of law in reply as “Reach Reply” (Dkt. #28). and Krystal Forbes are citizens of Illinois; and Enza Zito is a citizen of Missouri. (Id. ¶¶ 14, 20, 26, 32, 38). 2. Reach’s Allegedly Unauthorized Collection and Transmission of Sensitive Personal Information Like many other companies, Reach uses Google’s suite of marketing, advertising, and customer analytics tools — including Google Analytics, Google AdSense, and Google Tag Manager (collectively, the “Business Tools”) — to
manage its website. (Compl. ¶¶ 5-8). In exchange for access to Google’s Business Tools, Reach allows Google to run “surveillance software” on its website, including “tracking pixels” and “third-party cookies” that capture sensitive personal information provided by website users (the “Tracking Tools”). (Id. ¶ 6; see id. ¶ 52). Google then uses the information collected from websites like Reach’s to sell targeted advertising to website users. (Id. ¶ 54). According to Plaintiffs, “[w]hen website operators, like Defendant, make use of Google’s Business Tools, they are essentially choosing to participate in Google’s mass
surveillance network, and in return they benefit from Google’s collection of user data, at the expense of their website users’ privacy.” (Id. ¶ 61). On Reach’s website, the Tracking Tools were specifically configured to capture and transmit sensitive personal information that users communicated to Reach while applying for debt consolidation loans. (Compl. ¶ 79). For example, the Tracking Tools were able to identify a user’s Google account, the fact that the user was “getting started” on a debt consolidation loan application, and Reach’s determination as to whether the user’s loan application was approved or denied. (Id. ¶¶ 80-83). The Tracking Tools were generally invisible to Reach’s website users, who could not have detected their presence without analyzing the source code or using sophisticated web
developer tools. (Id. ¶ 85). Indeed, Plaintiffs were unaware of the Tracking Tools and did not know that sensitive personal information, including Reach’s denial of their loan applications, was being collected and transmitted to Google. (Id. ¶¶ 16, 22, 28, 34, 40, 87-88). Plaintiffs were shown no disclaimer or warning about the disclosure and transmission. (Id. ¶ 86). As a result of Reach’s unauthorized disclosure and transmission of their sensitive personal information, Plaintiffs allegedly suffered numerous injuries, including “(i) invasion of privacy; (ii) lack of trust in communicating with online
service providers; (iii) emotional distress and heightened concerns related to the release of [s]ensitive [i]nformation to third parties[;] (iv) loss of benefit of the bargain; (v) diminution of value of the [s]ensitive [i]nformation; (vi) statutory damages[;] and (viii) continued and ongoing risk to their [s]ensitive [i]nformation.” (Compl. ¶ 12). B. Procedural Background On March 7, 2025, Plaintiffs filed a Complaint against Reach in this Court on behalf of themselves, a nationwide class, and several subclasses
under Federal Rules of Civil Procedure 23(b)(2), (b)(3), and (c)(5). (Dkt. #1; Compl. ¶¶ 116-118). The putative nationwide class is defined as “[a]ll natural persons who used Defendant’s [w]ebsite to apply for a loan, and whose [s]ensitive [i]nformation was disclosed or transmitted to Google, or any other unauthorized third party.” (Compl. ¶ 117). Plaintiffs also seek to assert claims on behalf of those natural persons who reside in California, Illinois, and Missouri, thus forming three state-specific subclasses within the nationwide
class. (Id. ¶ 118). The Complaint alleges nine counts based on Reach’s unauthorized disclosure and transmission of Plaintiffs’ sensitive personal information: (i) common-law invasion of privacy, specifically intrusion upon seclusion; (ii) common-law breach of confidence; (iii) common-law negligence; (iv) common-law breach of implied contract; (v) common-law unjust enrichment; (vi) violation of the federal Electronic Communications Privacy Act (“ECPA”); (vii) violation of New York General Business Law (“GBL”) Section 349,
which prohibits deceptive business acts and practices; (viii) violation of the California Invasion of Privacy Act (“CIPA”); and (ix) violation of the California Unfair Competition Law (“UCL”). (Compl. ¶¶ 130-227). In addition, the Complaint alleges that Reach’s conduct violated Title V of the Gramm-Leach-Bliley Act (“GLBA”), which prohibits financial institutions from disclosing nonpublic personal information to third parties unless certain disclosures are made and conditions are met. (Compl. ¶¶ 89-95 (citing 15 U.S.C. § 6802)). According to the Complaint, Reach is a financial institution
under the statute, and its decision to disclose Plaintiffs’ sensitive personal information to third parties like Google without their knowledge or consent violated Title V of the GLBA. (Id. ¶¶ 92, 95). Because Plaintiffs have pleaded that the amount in controversy exceeds $5 million, there are more than 100 putative class members, and minimal diversity exists between the class and Reach, this Court has subject matter
jurisdiction under the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d). (Compl. ¶ 45). In addition, because Plaintiffs have raised a federal claim under the ECPA, this Court has federal question jurisdiction under 28 U.S.C. § 1331, and it may exercise supplemental jurisdiction over the state-law claims under 28 U.S.C. § 1367(a). On May 12, 2025, Reach filed a pre-motion letter in anticipation of moving to dismiss Plaintiffs’ class action. (Dkt. #8). Plaintiffs responded on May 23, 2025. (Dkt. #14). The Court held a pre-motion conference to discuss
Reach’s anticipated motion on May 28, 2025, at which it asked the parties to jointly propose a briefing schedule. (Dkt. #13; May 28, 2025 Minute Entry). According to the schedule proposed by the parties (Dkt. #18), which the Court approved (Dkt. #19), Reach filed its motion to dismiss and supporting papers on July 11, 2025 (Dkt. #21-22, 24-26).2 Plaintiffs filed their opposition on August 8, 2025. (Dkt. #23). And on September 5, 2025, Reach filed its reply. (Dkt. #28).
2 Reach re-filed its motion to dismiss and supporting papers on August 11, 2025, due to certain non-substantive filing errors. DISCUSSION A. Applicable Law
On a Rule 12(b)(6) motion, the court “draw[s] all reasonable inferences in [the plaintiffs’] favor, assume[s] all well-pleaded factual allegations to be true, and determine[s] whether they plausibly give rise to an entitlement to relief.” Faber v. Metro. Life Ins. Co., 648 F.3d 98, 104 (2d Cir. 2011) (internal quotation marks omitted) (quoting Selevan v. N.Y. Thruway Auth., 584 F.3d 82, 88 (2d Cir. 2009)); see Ashcroft v. Iqbal, 556 U.S. 662, 678-79 (2009). A plaintiff is entitled to relief if she alleges “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007).
Nevertheless, the court is “not bound to accept conclusory allegations or legal conclusions masquerading as factual conclusions.” Rolon v. Henneman, 517 F.3d 140, 149 (2d Cir. 2008) (internal quotation marks omitted) (quoting Smith v. Local 819 I.B.T. Pension Plan, 291 F.3d 236, 240 (2d Cir. 2002)). Indeed, the plaintiff must do more than provide a “formulaic recitation of the elements of a cause of action” — that is, her “[f]actual allegations must be enough to raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555.
B. The Court Grants in Part and Denies in Part Reach’s Motion to Dismiss Before turning to the merits of Plaintiffs’ claims, the Court notes that the parties have stipulated that the common-law tort claims are governed by the laws of Plaintiffs’ respective home states and that the implied contract and unjust enrichment claims are governed by New York law. (Dkt. #18). Accordingly, the Court applies the stipulated choice of law in evaluating each of the non-statutory claims.
In addition, Plaintiffs have withdrawn their California UCL claim as well as their claims for intrusion upon seclusion under Illinois and Missouri law, and they do not contest Reach’s arguments regarding their breach-of- confidence claims. (Dkt. #18; Pl. Opp. 22 n.8). The Court therefore dismisses those claims and does not consider them in its analysis. See Lipton v. County of Orange, 315 F. Supp. 2d 434, 446 (S.D.N.Y. 2004) (“This Court may, and generally will, deem a claim abandoned when a plaintiff fails to respond to a defendant’s arguments that the claim should be dismissed.” (collecting cases)).
Finally, the Court observes that Plaintiffs have not asked for leave to amend their Complaint, despite being provided with an opportunity to do so at the May 28, 2025 pre-motion conference. Consequently, any claim that the Court dismisses below is dismissed with prejudice. See Gallop v. Cheney, 642 F.3d 364, 369 (2d Cir. 2011) (“While leave to amend under the Federal Rules of Civil Procedure is ‘freely granted,’ … no court can be said to have erred in failing to grant a request that was not made.” (quoting Fed. R. Civ. P. 15(a))). 1. Plaintiffs Fail to Allege an ECPA Claim
The ECPA provides for “a private right of action against ‘any person who ... intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept wire, oral, or electronic communication.’” Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 378 (S.D.N.Y. 2024) (quoting 18 U.S.C. § 2511). The federal statute does not impose liability on any person who “is a party to the communication,” 18 U.S.C. § 2511(2)(d), but that carveout does not apply where “an aggrieved
individual … has had her oral communications intentionally intercepted by a party to those communications for the purpose of committing a crime or tort,” Caro v. Weintraub, 618 F.3d 94, 97 (2d Cir. 2010) (citing 18 U.S.C. §§ 2520, 2511(1), 2511(2)(d)). Nevertheless, this crime-tort exception must be “construed narrowly, covering only acts accompanied by a specific contemporary intention to commit a crime or tort.” In re DoubleClick Inc. Priv. Litig., 154 F. Supp. 2d 497, 515 (S.D.N.Y. 2001). “The crime or tort must have been the ‘primary motivation’ or
‘a determinative factor’ for the defendant’s conduct.” Cooper, 742 F. Supp. 3d at 378 (quoting DoubleClick, 154 F. Supp. 2d at 514-15). In addition, the offending party must have “intercepted the communication for the purpose of a tortious or criminal act that is independent of the intentional act of recording.” Caro, 618 F.3d at 100. Here, the parties do not dispute that Reach was a party to the communications that Plaintiffs made on Reach’s website, but they disagree on whether the crime-tort exception applies. (Def. Br. 12-17; Pl. Opp. 10-15). In
their Complaint, Plaintiffs allege that Reach’s interception of sensitive communications “was done for purposes of committing criminal and tortious acts,” including invasion of privacy, breach of implied contract, violation of the GLBA, violation of New York GBL Section 349, and violation of CIPA. (Compl. ¶ 195). But in their opposition, Plaintiffs focus solely on the GLBA, arguing that Reach violated the GLBA by disclosing the intercepted communications to unauthorized third parties like Google, which disclosure was distinct from the
act of interception itself. (Pl. Opp. 12). In so arguing, Plaintiffs analogize the alleged GLBA violation in this case to cases involving the Health Insurance Portability and Accountability Act (“HIPAA”), where courts in this Circuit have found that “[a] defendant’s criminal or tortious purpose of knowingly … disclos[ing] individually identifiable health information to another person[ ] … in violation of HIPAA[ ] may satisfy the crime-tort exception.” Cooper, 742 F. Supp. 3d at 380 (internal quotation marks omitted) (quoting 42 U.S.C. § 1320d-6); see also Gay v. Garnet Health, No. 23 Civ. 6950 (NSR), 2024 WL
4203263, at *3-4 (S.D.N.Y. Sept. 16, 2024); Kane v. Univ. of Rochester, No. 23 Civ. 6027 (FPG), 2024 WL 1178340, at *7 (W.D.N.Y. Mar. 19, 2024). Reach, however, argues that this case is distinguishable for several reasons. First, Reach contends that the criminal or tortious act that allegedly constituted a GLBA violation was not independent from the interception itself — that is, Reach’s disclosure of Plaintiffs’ sensitive personal information to Google and other third parties constituted violations of both the GLBA as well as the ECPA. (Def. Br. 15; Def. Reply 6). Second, Reach believes that it
lacked a criminal or tortious purpose because Plaintiffs’ Complaint “concede[d] that Reach used the Tracking Tools for the purpose of receiving the marketing and business-level benefits that Google offers.” (Def. Br. 15; see Def. Reply 6- 7). Third and finally, Reach argues that Plaintiffs have failed to establish any crime or tort, as Reach’s alleged violation of Section 6802 of the GLBA amounts to neither. (Def. Reply 4-6; see Compl. ¶¶ 89-95 (alleging that Reach violated Title V of the GLBA by disclosing Plaintiffs’ information to third parties without
their knowledge or consent)). This Court determines that while Reach’s disclosure of Plaintiffs’ sensitive personal information to third parties is an independent act from the interception of that information, Plaintiffs’ claim fails because they have not pleaded that Reach possessed the requisite intent to commit a crime or tort. a. Reach’s Interception of Plaintiffs’ Sensitive Information Is Independent from Its Alleged Criminal Use Plaintiffs have sufficiently alleged that Reach not only intercepted their information but also used that information for distinct commercial purposes. (See Compl. ¶¶ 96-102 (alleging that Reach received “advanced advertising services and cost-effective marketing” in exchange for the disclosure of Plaintiffs’ information)). The ECPA defines “intercept” as “the aural or other
acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). The statute distinguishes between the “intentional interception, use, and disclosure of electronic communications,” and in the context of the crime- tort exception, “the use of intercepted communications is often the criminal or tortious purpose.” Castillo v. Costco Wholesale Corp., No. 23 Civ. 1548 (JHC), 2024 WL 4785136, at *5 (W.D. Wash. Nov. 14, 2024) (emphasis added). Therefore, Reach’s act of disclosure and use of Plaintiffs’ information for marketing and commercial reasons — regardless of whether those purposes are in fact criminal or tortious — are distinct from its interception of Plaintiffs’ information in violation of the ECPA.
b. Reach Did Not Act with the Requisite Intent to Commit a Criminal or Tortious Act Nevertheless, Plaintiffs’ ECPA claim fails because Reach’s purpose in disclosing Plaintiffs’ sensitive personal information was not to commit a crime or tort. To be sure, the Complaint alleges that Reach intentionally configured the Tracking Tools on its website to enable third parties like Google to capture user-specific information, including whether Reach accepted or denied a debt consolidation loan application. (Compl. ¶¶ 78-84). In other words, Reach acted deliberately in allowing Google to install Tracking Tools and transmit Plaintiffs’ sensitive personal information. But Reach’s motivation in doing so was primarily commercial. See Cohen v. Casper Sleep Inc., No. 17 Civ. 9325 (WHP), 2018 WL 3392877, at *4 (S.D.N.Y. July 12, 2018) (determining that the
plaintiffs failed to allege that the defendants’ “primary motivation at the time of the alleged interception was to commit a tort” or crime). Indeed, the collection and disclosure of Plaintiffs’ information were “the means [Reach] used to achieve [its] real purpose — marketing.” Id. The Court agrees with Plaintiffs that the existence of a financial motivation does not necessarily inoculate a defendant from liability, but the HIPAA cases on which Plaintiffs rely are nonetheless inapposite because HIPPA explicitly “makes it a crime for a health care provider to disclose individually identifiable health information for commercial gain.” Cooper, 742 F. Supp. 3d at 382. Therefore, disclosure for commercial purposes is a crime under HIPAA. However, where an ECPA case does not involve “alleged violations of HIPAA (or
like statutes criminalizing disclosure of private information for commercial purposes),” id. at 382-83, the inquiry becomes whether there are sufficient allegations that the defendant intended to commit an act that is criminal or tortious, see id. at 382; Cohen, 2018 WL 3392877, at *4 (“[T]he test is whether Defendants intended to commit a tort.”). Here, Plaintiffs have not shown that Reach’s disclosure of their information for marketing purposes evinced an intent to commit a crime or tort. In fact, the Court finds Plaintiffs’ arguments about the GLBA to be
unpersuasive because it is unclear whether Reach’s alleged violation of the GLBA is criminal or tortious at all. Put differently, Reach could not have possessed a criminal or tortious intent if the independent act it undertook was not criminal or tortious itself. See Caro, 618 F.3d at 102 (requiring an allegation of “an independent tort that could provide the basis for the tortious intent necessary to bring a claim”). In general, “the GLBA sets forth both ‘affirmative and continuing obligations’ on the part of financial institutions to ‘respect the privacy of their customers and to protect the security and
confidentiality of ... nonpublic personal information.’” Allen v. Quicken Loans Inc., No. 17 Civ. 12352 (ES) (MAH), 2018 WL 5874088, at *6 (D.N.J. Nov. 9, 2018) (alterations adopted) (quoting 15 U.S.C. § 6801(a)). While the statute does impose criminal penalties, they pertain only to a section of the GLBA that prohibits the obtaining of or solicitation of a person to obtain customer information under false pretenses. Id.; 15 U.S.C. §§ 6821, 6823. A violation of Section 6802 of the GLBA — which Plaintiffs accuse Reach of committing
(Compl. ¶ 95) — does not amount to a crime. In addition, Plaintiffs have not demonstrated that Reach’s GLBA violation is a tort, especially given that the statute does not contemplate any private right of action. See Shostack v. Diller, No. 15 Civ. 2255 (GBD) (JLC), 2015 WL 5535808, at *7 (S.D.N.Y. Sept. 16, 2015) (“It is well-settled that the GLBA does not provide for a private right of action.” (collecting cases)). The Court recognizes that Plaintiffs’ Complaint also alleges that Reach violated other common-law torts and state statutes. (See Compl. ¶ 195). But
Plaintiffs have not argued in their briefing that those alleged violations trigger the crime-tort exception — and for good reason. Some of those torts are simply not independent from the act of interception itself. See Caro, 618 F.3d at 101 (“Invasion of privacy through intrusion upon seclusion … is a tort that occurs through the act of interception itself.”). And Plaintiffs have not otherwise demonstrated that Reach’s primary motivation was to commit those torts and statutory violations. See, e.g., Cohen, 2018 WL 3392877, at *4 (explaining that the plaintiff offered “nothing to show that [the] [d]efendants intended to violate
the [New York] GBL”). As a result, because the Complaint failed to allege Reach’s intent to commit a crime or tort, Plaintiffs’ ECPA claim must be dismissed. 2. Plaintiffs Fail to Allege a New York GBL Section 349 Claim New York GBL Section 349 provides that “[u]nfair, deceptive, or abusive acts or practices in the conduct of any business, trade[,] or commerce or in the
furnishing of any service in this state are hereby declared unlawful.” N.Y. Gen. Bus. Law § 349(a). To assert a private claim under Section 349, “a plaintiff must allege that a defendant has engaged in [i] consumer-oriented conduct that is [ii] materially misleading and that [iii] [the] plaintiff suffered injury as a result of the allegedly deceptive act or practice.” City of New York v. Smokes- Spirits.Com, Inc., 12 N.Y.3d 616, 621 (2009). In this case, Plaintiffs allege that Reach violated Section 349 by “[u]sing the Tracking Technologies to record and transmit the sensitive
communications made by” Plaintiffs to third parties without their knowledge or consent and “[d]isclosing the sensitive communications made by … Plaintiffs … in exchange for marketing and advertising services.” (Compl. ¶ 208). Plaintiffs claim that Reach “intended to mislead … [and] induce Plaintiffs … to rely on its misrepresentations and omissions,” though the Complaint does not specify what those misrepresentations and omissions entailed. (Id. ¶ 209). Reach argues that Plaintiffs do not have statutory standing to bring a Section 349 claim, and it also disputes the materially misleading and injury elements of
Plaintiffs’ claim. (Def. Br. 6-8; Def. Reply 2-4). Because Plaintiffs lack statutory standing to bring a Section 349 claim and have not sufficiently alleged materially misleading conduct by Reach, the Court dismisses the claim. a. Plaintiffs Lack Standing to Bring Such a Claim A plaintiff has statutory standing to bring a Section 349 claim only if “the transaction in which the consumer is deceived … occur[red] in New York.”
Goshen v. Mut. Life Ins. Co. of N.Y., 98 N.Y.2d 314, 324 (2002); see id. at 325 (“Thus, to qualify as a prohibited act under the statute, the deception of a consumer must occur in New York.”); see also Baker-Rhett v. Aspiro AB, 324 F. Supp. 3d 407, 416 (S.D.N.Y. 2018) (discussing Section 349’s territoriality requirement). That is because the intent of Section 349 “is to protect consumers in their transactions that take place in New York State.” Goshen, 98 N.Y.2d at 325. Accordingly, the residency of the parties is not dispositive; nor is the territoriality requirement “intended to function as a per se bar to out-
of-state plaintiffs’ claims of deceptive acts leading to transactions within the state.” Id. Reach argues that Plaintiffs in this case lack any meaningful connection to New York and therefore do not have statutory standing to bring a Section 349 claim. (Def. Br. 6-7). Specifically, none of the Plaintiffs resides in New York. (Id. at 7). Moreover, Plaintiffs do not claim that they used Reach’s website while visiting New York or that they attempted to purchase New York- specific services or products. (Id.). To be sure, Reach is a corporation with its
principal place of business in New York (Compl. ¶ 44), but “[i]t is well-settled that a purchaser does not have standing to bring a Section 349 claim just because he or she transacted with a seller who resides in New York.” Wright v. Publishers Clearing House, Inc., 439 F. Supp. 3d 102, 110 (E.D.N.Y. 2020). (See Def. Br. 6). Critically, courts in this Circuit have “consistently rejected claims under § 349 … based solely on an out-of-state customer’s interacting with a website controlled in New York.” Wheeler v. Topps Co., Inc., 652 F.
Supp. 3d 426, 431 (S.D.N.Y. 2023) (collecting cases). (See Def. Br. 6). In an attempt to salvage their claim, Plaintiffs assert New York connections based on Reach’s terms of use as well as the communications that they made on Reach’s website, but their argument misses the mark. (Pl. Opp. 4-7). Indeed, Plaintiffs refer to the terms of use of Reach’s website, which include New York choice-of-law and forum-selection clauses. (Id. at 5). But those terms of use were not included in Plaintiffs’ Complaint by reference or otherwise, meaning that the Court may not consider them as part of Plaintiffs’
pleading. Compare Polk v. Del Gatto, Inc., No. 21 Civ. 129 (PAE), 2021 WL 3146291, at *1 n.2 (S.D.N.Y. July 23, 2021) (considering terms of use that were incorporated by reference in complaint), with Grecco v. Age Fotostock Am., Inc., No. 21 Civ. 423 (JSR), 2021 WL 3353926, at *2 (S.D.N.Y. Aug. 2, 2021) (declining to consider terms of use that were not integral to complaint, i.e., that complaint did not “rel[y] heavily on [their] terms and effect” (internal quotation marks omitted) (quoting Int’l Audiotext Network, Inc. v. Am. Tel. & Tel. Co., 62 F.3d 69, 72 (2d Cir. 1995) (per curiam))).
Even if the Court were to consider them, those terms alone would have been insufficient to establish statutory standing in this case. Cf. Cruz v. FXDirectDealer, LLC, 720 F.3d 115, 123-24 (2d Cir. 2013) (finding standing because the defendant required all customer communications to be sent to its New York office in addition to stipulating to New York choice-of-law and forum- selection clauses); Ward v. TheLadders.com, Inc., 3 F. Supp. 3d 151, 168 (S.D.N.Y. 2014) (finding standing because the defendant operated its website
and maintained its bank account in New York). Here, Plaintiffs have not alleged that they interacted with Reach’s office in New York, that they made monetary transactions on Reach’s website involving a bank account maintained in New York, or that the relevant communications and transactions they made on Reach’s website were “equivalent to communicating or transacting directly with a New York address.” Ward, 3 F. Supp. 3d at 168. In fact, because Plaintiffs constituted would-be Reach customers at best and did not make any payments or engage in transactions involving Reach’s debt
consolidation services at all, this case is “distinguishable from Cruz” and other cases cited by Plaintiffs “with respect to the place [and existence] of payment.” Cline v. TouchTunes Music Corp., 211 F. Supp. 3d 628, 634 (S.D.N.Y. 2016). b. Even If They Had Standing, Plaintiffs Have Not Adequately Pleaded Any Materially Misleading Conduct On the materially misleading prong, “the New York Court of Appeals has adopted an objective definition of misleading, under which the alleged act must be likely to mislead a reasonable consumer acting reasonably under the circumstances.” Orlander v. Staples, Inc., 802 F.3d 289, 300 (2d Cir. 2015) (internal quotation marks omitted and alteration adopted) (quoting Cohen v. JP Morgan Chase & Co., 498 F.3d 111, 126 (2d Cir. 2007)). In this case, Plaintiffs advance an omission-based theory to satisfy this prong, alleging that “[u]nbeknownst to Plaintiffs …, [Reach] intentionally configured the Google [p]ixels installed on its [w]ebsite to capture and transmit the [s]ensitive [i]nformation that they communicated to [Reach] while applying for a debt
consolidation loan.” (Compl. ¶ 79; Pl. Opp. 7). Plaintiffs argue that Reach’s conduct was misleading because Reach did not warn them about its disclosure of their sensitive information to third parties like Google. (Pl. Opp. 7). Nevertheless, as Reach contends, “it is not sufficient for … [P]laintiffs to point to the omission alone,” as they “must also show why the omission was deceptive.” Pelman v. McDonald’s Corp., 237 F. Supp. 2d 512, 529 (S.D.N.Y. 2003). (See Def. Reply 3). Indeed, Plaintiffs have not alleged sufficient facts demonstrating that they “could not reasonably obtain” information about the
Tracking Tools or that such information was “solely within the possession of” Reach. Pelman, 237 F. Supp. 2d at 529. Consequently, the Court must dismiss the Section 349 claim for Plaintiffs’ lack of standing as well as Plaintiffs’ failure to allege any materially misleading conduct. 3. Plaintiffs Allege a Claim Under CIPA3 To plead a violation of CIPA, a plaintiff “must allege sufficient facts to show that [the] [d]efendant either [i] engaged in intentional wiretapping;
[ii] willfully read ‘the contents or meaning’ of a communication without consent; [iii] attempted to use or communicate information obtained as a result
3 Plaintiffs assert a CIPA claim on behalf of only Ms. Camm, Ms. Flick, and the California subclass. (See Compl. ¶¶ 211-221). of engaging in the previous two activities; or [iv] aided another in any of the previous three activities.” Smith v. YETI Coolers, LLC, 754 F. Supp. 3d 933, 939 (N.D. Cal. 2024) (quoting Cal. Penal Code § 631(a)). Here, Plaintiffs’ theory
is that Reach is derivatively liable under the fourth clause of Section 631(a) because it “aided, employed, agreed with, and conspired with Google, and likely other third parties, to track and intercept” Plaintiffs’ communications on Reach’s website. (Compl. ¶¶ 211-221). Reach argues that Plaintiffs’ CIPA claim fails because they cannot establish that Google committed an underlying violation of Section 361. (Def. Br. 9-10). Even so, Reach adds that Plaintiffs have not alleged that Reach itself acted with the requisite knowledge or intent in aid of Google’s violation of California’s wiretapping statute. (Id. at 10-12).
This Court disagrees with both arguments. a. Plaintiffs Sufficiently Allege Google’s Underlying Violation of CIPA Because Plaintiffs’ theory is one of derivative liability, they must first allege that there is some wrongdoing by a third party in violation of CIPA. See Graham v. Noom, Inc., 533 F. Supp. 3d 823, 833 (N.D. Cal. 2021) (finding no aiding and abetting liability where “there is no [underlying] wrongdoing”). Reach argues that Plaintiffs have failed to allege sufficient facts showing that Google’s use of Tracking Tools violated Section 631(a). (Def. Br. 9-10). But the Complaint contains plenty of allegations that Google eavesdropped on and intercepted Plaintiffs’ private communications with Reach, including the outcomes of their loan applications. (See, e.g., Compl. ¶¶ 214-215). It is well established that “if a third party listens in on a conversation between the participants (even if one participant consents to the presence of that third party), then the third party is liable under the second prong (and the
participant is often liable under the fourth prong).” Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 897-98 (N.D. Cal. 2023). Indeed, many federal district courts in California applying CIPA have found that the unauthorized interception and transmission of website users’ information by third-party tracking tools like Google’s qualify as underlying violations of Section 631(a). See, e.g., M.G. v. Therapymatch, Inc., No. 23 Civ. 4422 (AMO), 2024 WL 4219992, at *3-4 (N.D. Cal. Sept. 16, 2024); Toy v. Life Line Screening of Am. Ltd., No. 23 Civ. 4651 (RFL), 2024 WL 1701263, at *1 (N.D. Cal. Mar. 19,
2024); YETI Coolers, 754 F. Supp. 3d at 940-42. There is no reason for this Court to stray from those decisions. b. Reach Acted with Knowledge and Intent Having alleged an underlying violation by Google, Plaintiffs must then show that Reach knew about Google’s unlawful conduct and acted with the intent of aiding Google in the unauthorized collection and transmission of Plaintiffs’ sensitive personal information. See YETI Coolers, 754 F. Supp. 3d at 942 (explaining that Section 631(a)’s fourth clause “does require some level of
knowledge and intent”). Reach argues that both elements are lacking here. (Def. Br. 10-12). On knowledge, Reach claims that it did not know that Google would use its Tracking Tools unlawfully, as it only agreed to configure its website “so that Google could collect data for marketing purposes.” (Id. at 11 (emphasis omitted)). And on intent, Reach argues that its decision to install Google’s Tracking Tools on its website “to avail itself of the technologies’ purported benefits” was insufficient to support an intent to facilitate Google’s
alleged misconduct. (Id. at 11-12). Reach relies principally on YETI Coolers to make its knowledge and intent arguments, but that case is inapposite. In YETI Coolers, the defendant used a third-party payment platform to process online purchases on its website and allowed the third party to incorporate customers’ financial information into its fraud prevention system. 754 F. Supp. 3d at 938. Nevertheless, the third party also took the customers’ financial information and marketed it to merchants without the customers’ consent. Id. Because it was the third
party’s secondary, unauthorized act of marketing customer information to merchants — and not the third party’s collection of customer information itself — that constituted the underlying CIPA violation, the court in YETI Coolers determined that the plaintiff in that case had failed to allege sufficient knowledge and intent on the defendant’s part. See id. at 943. Here, however, Google’s unauthorized tracking of Plaintiffs’ sensitive personal information is the underlying CIPA violation. Reach certainly knew about Google’s unlawful conduct and intended to facilitate Google’s collection
and transmission, even going so far as to configure the Tracking Tools on Reach’s website so that Google could capture user-specific information, including the outcomes of loan applications. (See Compl. ¶¶ 78-84). Those allegations in Plaintiffs’ Complaint satisfy the knowledge and intent components. See Therapymatch, 2024 WL 4219992, at *5 (finding sufficient allegations to support aiding and abetting claim where the defendant “knowingly agreed to use Google Analytics, embedded tracking technology code
on its website, and allowed Google to have direct access to [its] users’ private medical information”). As a result, the Court denies Reach’s motion to dismiss Plaintiffs’ CIPA claim. 4. Plaintiffs Fail to Allege an Invasion of Privacy Under California law, [t]o state a claim for invasion of privacy — intrusion upon seclusion, a plaintiff must allege [i] the defendant intentionally intruded into a place, conversation, or matter as to which plaintiff has a reasonable expectation of privacy; and [ii] the intrusion was highly offensive to a reasonable person and sufficiently serious and unwarranted “to constitute an egregious breach of the social norms.” Saedi v. SPD Swiss Precision Diagnostics GmbH, No. 24 Civ. 6525 (WLH), 2025 WL 1141168, at *6 (C.D. Cal. Feb. 27, 2025) (quoting Hernandez v. Hillsides, Inc., 211 P.3d 1063, 1073 (Cal. 2009)); see also Hammerling v. Google LLC, 615 F. Supp. 3d 1069, 1088 (N.D. Cal. 2022). In their Complaint, Plaintiffs allege that Reach disclosed to third parties sensitive personal information in which Plaintiffs had a reasonable expectation of privacy and that was intended only for Reach to receive, and that Reach’s disclosure of such information is highly offensive to the reasonable person. (Compl. ¶¶ 130-141). This Court determines that Plaintiffs’ claim fails on both prongs. a. Reach Did Not Intentionally Intrude On the first prong, the Court finds that Reach did not “intentionally intrude” into Plaintiffs’ private matters because “one cannot logically intrude
into communications to which [it is] a party.” Saedi, 2025 WL 1141168, at *8. (See Def. Br. 18-19). In other words, even if Plaintiffs had a reasonable expectation of privacy regarding their financial circumstances, Reach could not have intruded upon their privacy when it was the intended recipient of that sensitive personal information through the loan application process. See Saedi, 2025 WL 1141168, at *8 (explaining that it is “the intrusion itself … [that] subjects a defendant to liability” (citing Graham v. Sunnova Energy Int’l, Inc., No. 22 Civ. 622 (JLT) (BAM), 2024 WL 871858, at *12 (E.D. Cal. Feb. 28,
2024))). Plaintiffs do not address the issue of Reach’s status as the intended recipient, instead citing several cases to argue that “[t]he vast majority of courts applying California law … have concluded that intrusion upon seclusion is properly plead[ed] where plaintiffs allege disclosure of sensitive information through the use of Tracking Tools identical to those used [by] Reach.” (Pl. Opp. 15-16). That may be true, but a closer look at those cases reveals that they do not mandate the same outcome here.
Some of the cited cases are suits against the original makers and owners of the Tracking Tools, and not against the website owners on whose websites the Tracking Tools operated. See Silver v. Stripe Inc., No. 20 Civ. 8196 (YGR), 2021 WL 3191752, at *5-6 (N.D. Cal. July 28, 2021) (suing Stripe, a payment platform, for tracking financial data on third-party websites); In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 799-800 (N.D. Cal. 2022) (suing Meta for collecting medical data of Facebook users on third-party websites); Doe v.
FullStory, Inc., 712 F. Supp. 3d 1244, 1257 (N.D. Cal. 2024) (suing Meta for compiling healthcare information on a telemedicine website). The Court agrees that those cases would govern had Plaintiffs sued Google instead of Reach. And of the cases that are brought against website owners, none discusses the key question here — namely, whether intended recipients of sensitive personal information could intrude on privacy. See Cousin v. Sharp Healthcare, 702 F. Supp. 3d 967, 973-74 (S.D. Cal. 2023) (evaluating only the second element of whether the intrusion was “highly offensive”); Doe v. Regents
of Univ. of Cal., 672 F. Supp. 3d 813, 820 (N.D. Cal. 2023) (addressing whether private information was “transmitted” and whether the transmission was “highly offensive”); St. Aubin v. Carbon Health Techs., Inc., No. 24 Civ. 667 (JST), 2024 WL 4369675, at *11-13 (N.D. Cal. Oct. 1, 2024) (assessing invasion of privacy under the California Constitution without discussing intrusion). Therefore, the Court finds that Reach cannot intentionally intrude upon communications in which it was the intended recipient. b. Any Intrusion Was Not Highly Offensive
On the second prong, even if Reach had intruded into Plaintiffs’ private matters, any such intrusion would not be sufficient to meet the “highly offensive” bar. Indeed, federal district courts in California evaluating this tort “have held that data collection and disclosure to third parties that is ‘routine commercial behavior’ is not a ‘highly offensive’ intrusion of privacy.” Hammerling, 615 F. Supp. 3d at 1090 (collecting cases); cf. St. Aubin, 2024 WL 4369675, at *13 (explaining that disclosure of medical information is more
likely to be an egregious breach of the social norms and therefore highly offensive). In an almost identical case in which a financial institution was accused of disclosing to third-party website trackers the personal information of its users, including “employment information, bank account information, and their eligibility for preapproval or approval for a credit card,” a court in the Northern District of California found that such an intrusion was not “highly offensive as a matter of public policy.” Shah v. Cap. One Fin. Corp., 768 F.
Supp. 3d 1033, 1041, 1047 (N.D. Cal. 2025). And still other courts have found that the disclosure of what could be considered extremely personalized and private information — including social security numbers and geolocation information — did not amount to highly offensive conduct in the commercial context. See Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012) (social security numbers); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1063 (N.D. Cal. 2012) (geolocation information). Persuaded by the reasoning of those cases, this Court cannot say that Reach’s disclosure of
Plaintiffs’ sensitive personal information — even information about the outcomes of their loan applications — rises to the level of being highly offensive. Perhaps recognizing the limits of the intrusion-upon-seclusion tort, Plaintiffs contend that they succeed under the alternative theory of publication of private facts. (Pl. Opp. 16-17). In putting forward this theory for the first
time in their opposition brief, Plaintiffs also attempt to circumvent their stipulation with Reach, in which they agreed to withdraw their intrusion-upon- seclusion claims under Illinois and Missouri law, because they now seek to rely on not just California case law but also Illinois and Missouri cases in support of the alternative theory. (Id.; see Dkt. #18). Nevertheless, “[i]t is well established that ‘a complaint may not be amended by the briefs in opposition to a motion to dismiss.’” Chamberlain v. City of White Plains, 986 F. Supp. 2d 363, 390 n.19 (S.D.N.Y. 2013) (quoting Wright v. Ernst & Young LLP, 152 F.3d
169, 178 (2d Cir. 1998)). The proper way for Plaintiffs to bring a claim under the publication theory would have been through amending their Complaint, which Plaintiffs have not sought to do. Therefore, the Court does not consider the alternative theory.4 5. Plaintiffs Allege a Negligence Claim Under Illinois Law, But Not Under the Laws of California and Missouri Under California, Illinois, and Missouri law, a negligence claim comprises three common elements: (i) the defendant must owe the plaintiff a legal duty of care, (ii) the defendant must breach that duty, and (iii) the breach must
4 In any event, at least in California, the common-law tort of public disclosure of private facts requires the disclosure to be “widely published and not confined to a few persons or limited circumstances.” Hill v. Nat’l Collegiate Athletic Ass’n, 865 P.2d 633, 648-49 (Cal. 1994). Here, Plaintiffs’ Complaint allege only that their sensitive personal information was disclosed to third parties like Google, and not to a large public audience. (See Compl. ¶ 134). Therefore, the alternative theory is likely to fail. proximately cause the plaintiff’s resulting injury. See Low, 900 F. Supp. 2d at 1031 (discussing California law); Brown v. State Farm Mut. Auto. Ins. Co., No. 23 Civ. 6065 (LAH), 2025 WL 81340, at *5 (N.D. Ill. Jan. 13, 2025)
(discussing Illinois law); Henreid v. Kodner Watkins LC, No. 23 Civ. 249 (HEA), 2024 WL 5200857, at *4 (E.D. Mo. Dec. 23, 2024) (discussing Missouri law). In this case, Plaintiffs allege that Reach owed them a “duty of care to use reasonable means to secure and safeguard [their sensitive personal information] from unauthorized disclosure to third parties,” but that Reach breached that duty by disclosing the information to Google and other third parties without Plaintiffs’ consent, thereby causing Plaintiffs to suffer several injuries. (Compl. ¶¶ 151-159). Reach contests the first and third elements of
the claim. This Court holds that Plaintiffs’ negligence claim fails under California law, survives under Illinois law, and has been abandoned under Missouri law.5 a. Reach Owed Plaintiffs a Legal Duty Under California and Illinois Law Reach first argues that it did not owe a legal duty of confidentiality to Plaintiffs. (Def. Br. 22-23; Def. Reply 9-10). According to Reach, “none of Plaintiffs’ home states’ laws impose[s] a blanket legal duty upon website owners
5 Plaintiffs do not address Missouri law or cite a single Missouri case in support of their negligence claim in their opposition brief. “A court may, and generally will, deem a claim abandoned when a plaintiff fails to respond to a defendant’s arguments that the claim should be dismissed.” Chamberlain v. City of White Plains, 986 F. Supp. 2d 363, 392 (S.D.N.Y. 2013) (internal quotation marks omitted) (quoting Martinez v. City of New York, No. 11 Civ. 7461 (JMF), 2012 WL 6062551, at *1 (S.D.N.Y. Dec. 6, 2012))). (See Def. Reply 9). Accordingly, the Court deems the Missouri claim to be abandoned and does not address Missouri law in its analysis. to maintain the confidentiality of all information website visitors voluntarily provide on a website.” (Def. Br. 23). In addition, Reach contends that there was no special relationship between itself and Plaintiffs that would have given
rise to a specific duty to “maintain the confidentiality of Plaintiffs’ loan application determination.” (Id.). This Court finds that Plaintiffs have sufficiently pleaded a duty of care under the laws of both California and Illinois. Beginning with California, as a matter of first principles, [w]here the defendant has neither performed an act that increases the risk of injury to the plaintiff nor sits in a relation to the parties that creates an affirmative duty to protect the plaintiff from harm, … [California state- court] cases have uniformly held the defendant owes no legal duty to the plaintiff. Brown v. USA Taekwondo, 483 P.3d 159, 166 (Cal. 2021). Nevertheless, applying California law, federal district courts in California have determined that a website owner owes its users a reasonable duty of care in handling their sensitive personal information, especially when such information is entrusted to the website owner. See Shah, 768 F. Supp. 3d at 1045-46 (determining that plaintiffs sufficiently alleged that defendant, which operated a financial services website, owed them a valid duty of care in safeguarding communications from third-party online tracking technologies, including information about credit card approval and eligibility); see also In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 799 (N.D. Cal. 2019) (finding that Facebook owed plaintiffs a duty to “use reasonable care to safeguard [sensitive] information” and constrain third-party access); Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1039 (N.D. Cal. 2019) (“The lack of reasonable care in the handling of personal information can foreseeably harm the individuals providing the information.”). Here, because
Plaintiffs allege that they provided and entrusted sensitive personal information to Reach, including information about their financial circumstances to determine loan eligibility, they have sufficiently pleaded under California law that Reach owed them a reasonable duty to protect that information. In Illinois, a recent statutory amendment and ensuing case law also provide support for a legal duty to safeguard personal information. Citing a Seventh Circuit case that in turn relies on an Illinois appellate-court case, Reach argues that there is no such common-law duty in Illinois. (Def. Br. 23).
See Cmty. Bank of Trenton v. Schnuck Mkts., Inc., 887 F.3d 803, 817 (7th Cir. 2018) (“Cooney shows that Illinois has not recognized an independent common law duty to safeguard personal information.” (citing Cooney v. Chi. Pub. Schs., 943 N.E.2d 23 (Ill. App. Ct. 2010))). But in 2017, the Illinois legislature amended the state’s Information Protection Act and “created a duty [for data collectors in possession of the personal information of Illinois residents] to maintain reasonable security measures,” leading another Illinois appellate court to observe that “the
reasoning of the Cooney court no longer applies.” Flores v. Aon Corp., 242 N.E.3d 340, 353 (Ill. App. Ct. 2023). Indeed, “[w]hile the Information Protection Act does not expressly repeal Cooney’s holding, subsequent cases have called into question the notion that no duty exists under Illinois law to safeguard personal information.” Allison Theys v. Dental Intel., Inc., No. 25 Civ. 2464 (LCJ), 2026 WL 636743, at *8 (N.D. Ill. Mar. 6, 2026) (collecting cases). At least one federal district court in Illinois has concluded recently that a website
owner owes its users a duty to “use reasonable means to secure and safeguard [personal information] from unauthorized disclosure to third parties” like Google. Id. at *1, 9. In this case, this Court similarly concludes that, as a matter of Illinois law, it cannot dismiss Plaintiffs’ claim based on the lack of a legal duty. b. Plaintiffs Adequately Plead Injury Under Illinois Law, But Not Under California Law Next, even if Reach owed Plaintiffs a duty of care, Reach argues that Plaintiffs’ negligence claim would still fail because they did not suffer actual damages as a result of Reach’s breach of that duty. (Def. Br. 23-24). In their Complaint, Plaintiffs allege that they suffered several injuries as a result of Reach’s negligent disclosure of their sensitive personal information, including
invasion of privacy, erosion of trust in communications with online service providers, emotional distress, loss of benefit of the bargain, diminution in the value of their information, statutory damages, and continued and ongoing risk to their information. (Compl. ¶ 12). The Court agrees with Reach that Plaintiffs have failed to plead “appreciable, nonspeculative, present harm” under California law. In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942, 962 (S.D. Cal. 2012). To start, the “mere misappropriation of personal information does not establish compensable damages” unless the disclosure is “so highly offensive that it is sufficient to state a claim for intrusion on seclusion.” Toy, 2024 WL 1701263, at *4 (internal quotation marks omitted)
(quoting Pruchnicki v. Envision Healthcare Corp., 845 F. App’x 613, 615 (9th Cir. 2021) (unpublished memorandum disposition)). Because the Court has dismissed Plaintiffs’ invasion of privacy claim in this case, it determines that the alleged privacy injury is insufficient for purposes of pleading actual damages. In addition, “although emotional distress damages can be sufficient to sustain a negligence claim, Plaintiffs’ emotional distress allegations are too conclusory.” R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 898 (C.D. Cal. 2024).
Plaintiffs have not pleaded “facts pertaining to the nature and extend of [their] emotional or mental suffering.” Id. (internal quotation marks omitted) (quoting Burnell v. Marin Humane Soc’y, No. 14 Civ. 5635 (JSC), 2015 WL 6746818, at *19 (N.D. Cal. Nov. 5, 2015)). “The same is true with respect to Plaintiffs’ conclusory allegations concerning the lost economic value of their information, which are unsupported by any facts explaining what economic value the information held to Plaintiffs and how it was lost through [Reach’s] dissemination.” Id. And any allegation about future harm — including the
continued and ongoing risk to Plaintiffs’ information — cannot satisfy the damages requirement of a negligence claim under California law. Id. at 899; see Sony, 903 F. Supp. 2d at 962-63 (“The breach of a duty causing only speculative harm or the threat of future harm does not normally suffice to create a cause of action for negligence.”). However, in Illinois, Plaintiffs’ alleged injuries are legally cognizable.
That is because general allegations of emotional harm — such as “fear, anxiety, and worry about the status of, and the loss of control over, … information” — are “sufficient to state a negligence claim under Illinois law, including in the data privacy context.” Smith v. Loyola Univ. Med. Ctr., No. 23 Civ. 15828 (JCD), 2024 WL 3338941, at *7 (N.D. Ill. July 9, 2024) (internal quotation marks omitted); see also Worix v. MedAsserts, Inc., 857 F. Supp. 2d 699, 704 (N.D. Ill. 2012) (explaining that another court “denied the defendants’ motion to dismiss because the plaintiff had alleged that he suffered emotional distress, which, if
proven, could constitute the required present injury”). Indeed, federal district courts in Illinois applying state law have repeatedly allowed negligence claims to go forward in cases where the plaintiffs pleaded harms similar to those alleged by Plaintiffs here. See, e.g., Juenger v. Deaconess Health Sys., No. 24 Civ. 2332 (NJR), 2025 WL 2780221, at *4 (S.D. Ill. Sept. 30, 2025) (allowing a claim to go forward where the plaintiff alleged “decreased value of … private information, emotional harm, loss of privacy, … and increased risk of future harm” (internal quotation marks omitted));
Hannant v. Culbertson, No. 24 Civ. 4164 (SLD) (RLH), 2025 WL 2413894, at *12 (C.D. Ill. Aug. 20, 2025) (“[E]motional harms … are compensable injuries under Illinois law in this pixel tracker context.”). In sum, Plaintiffs’ negligence claim survives under Illinois law, but the Court dismisses those claims under California and Missouri law. 6. Plaintiffs Fail to Allege Breach of an Implied Contract
“Under New York law, the elements required to allege a breach of implied contract are identical to those necessary to allege a breach of contract.” Wallace v. Health Quest Sys., Inc., No. 20 Civ. 545 (VB), 2021 WL 1109727, at *10 (S.D.N.Y. Mar. 23, 2021). Among other elements, a plaintiff must allege the existence of an implied contract, which, “like an express contract, requires consideration, mutual assent, legal capacity[,] and legal subject matter.” Id. (internal quotation marks omitted) (quoting Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 750 (S.D.N.Y. 2017)); see also Beth Israel Med. Ctr. v.
Horizon Blue Cross and Blue Shield of N.J., Inc., 448 F.3d 573, 582 (2d Cir. 2006) (“A contract implied in fact may result as an inference from the facts and circumstances of the case, although not formally stated in words, and is derived from the presumed intention of the parties as indicated by their conduct.” (quoting Jemzura v. Jemzura, 36 N.Y.2d 496, 503-04 (1975))). Here, Plaintiffs allege that when they “provided their [s]ensitive [i]nformation to [Reach] in exchange for services, they entered into an implied contract pursuant to which [Reach] agreed to safeguard and not disclose their
[s]ensitive [i]nformation without consent.” (Compl. ¶ 161). Specifically, Plaintiffs claim that they “accepted [Reach’s] offers and provided their [s]ensitive [i]nformation to [Reach].” (Id. ¶ 162). Reach, in turn, challenges the existence of an implied agreement between the parties, arguing that Plaintiffs do not specify what “offers” Reach allegedly made or identify any alleged conduct by Reach that would be sufficient to demonstrate its mutual assent to protect Plaintiffs’ information. (Def. Br. 25-26). Reach adds that Plaintiffs have
not alleged that any agreement was supported by consideration. (Id. at 26). This Court determines that Plaintiffs’ allegations are insufficient to support the existence of an implied contract. Critically, Plaintiffs have not pointed to any conduct by Reach plausibly reflecting its agreement to protect Plaintiffs’ sensitive information. Unlike the cases cited by Plaintiffs, the Complaint here did not reference any privacy policy or notice provided by Reach on its website promising to protect Plaintiffs’ sensitive personal information. Cf. Wallace, 2021 WL 1109727, at *10-11 (explaining that the
defendant’s privacy notices posted on its website supported an inference that it “intended to be bound by its obligation to safeguard” the plaintiffs’ information, which gave rise to an implied contract). Nor did the Complaint allege any employment or special relationship between Plaintiffs and Reach that required the provision of sensitive personal information as a condition for sustaining the relationship. Cf. In re GE/CBPS Data Breach Litig., No. 20 Civ. 2903 (KPF), 2021 WL 3406374, at *11-12 (S.D.N.Y. Aug. 4, 2021) (finding an implied contract where the defendant
required its employees to submit personal information as a condition of employment and made a promise to safeguard that information); In re Unite Here Data Sec. Incident Litig., 740 F. Supp. 3d 364, 383-84 (S.D.N.Y. 2024) (similar in the context of a union’s implicit promise to safeguard the personal information of its members as a condition of receiving union services). Without more, the mere solicitation of information is insufficient to plead an implied contract. See Lapine v. Seinfeld, 918 N.Y.S.2d 313, 318 (N.Y. Sup. Ct. 2011).6
7. Plaintiffs’ Unjust Enrichment Claim Is Dismissed As Duplicative To state a claim for unjust enrichment in New York, “a plaintiff must allege that [i] [the] defendant was enriched; [ii] the enrichment was at [the] plaintiff’s expense; and [iii] the circumstances were such that equity and good conscience require [the] defendant[ ] to make restitution.” In re Unite Here Data Sec. Incident Litig., 740 F. Supp. 3d at 384 (internal quotation marks omitted) (quoting Labajo v. Best Buy Stores, L.P., 478 F. Supp. 2d 523, 531 (S.D.N.Y. 2007)). In their Complaint, Plaintiffs allege that Reach was unjustly enriched from disclosing Plaintiffs’ sensitive personal information to third parties because it “received compensation in the form of advanced advertising services and cost-effective marketing on third-party platforms[.]” (Compl. ¶¶ 96-97). In
addition, Plaintiffs claim that their sensitive personal information had inherent financial value, which was diminished by Reach’s unauthorized disclosure. (Id. ¶¶ 98-102). Reach, however, contends that Plaintiffs’ unjust enrichment claim duplicates their other federal and state claims. (Def. Br. 27-28). Accordingly,
6 Plaintiffs do not oppose Reach’s second argument that any purported breach of an implied contract did not damage Plaintiffs (Def. Br. 26), so the Court considers Plaintiffs to have forfeited any opposition on that point. See Chamberlain, 986 F. Supp. 2d at 392. Moreover, Plaintiffs’ contention that an implied contract “existed by virtue of Reach’s obligations under the GLBA” is inapposite (Pl. Opp. 21), as it is “well-settled that the GLBA does not provide for a private right of action” and is not a contract itself, Shostack v. Diller, No. 15 Civ. 2255 (GBD) (JLC), 2015 WL 5535808, at *7 (S.D.N.Y. Sept. 16, 2015). Reach argues that this claim must be dismissed because the other claims provide adequate remedies at law. (Def. Reply 12). The Court agrees with Reach and dismisses Plaintiffs’ unjust enrichment
claim as duplicative. Under New York law, “an unjust enrichment claim is not available where it simply duplicates, or replaces, a conventional contract or tort claim.” Shane Campbell Gallery, Inc. v. Frieze Events, Inc., 441 F. Supp. 3d 1, 6 (S.D.N.Y. 2020) (internal quotation marks omitted and alteration adopted) (quoting Corsello v. Verizon N.Y., Inc., 18 N.Y.3d 777, 790-91 (2012)). That includes valid tort claims brought under the laws of other states. See Brumfield v. Trader Joe’s Co., No. 17 Civ. 3239 (LGS), 2018 WL 4168956, at *1, 5 (S.D.N.Y. Aug. 30, 2018) (dismissing unjust enrichment claim “as duplicative
of [the plaintiffs’] other claims,” including statutory and tort claims under both New York and California law). Here, Plaintiffs’ CIPA claim and negligence claim under Illinois law survive Reach’s motion to dismiss. These claims rely on the same factual allegations as the unjust enrichment claim — at their core, all three claims are premised on the same alleged wrongdoing, namely Reach’s unauthorized disclosure of Plaintiffs’ sensitive personal information to third-party trackers. “Because Plaintiffs expressly rely on the same underlying wrongful conduct,”
the Court determines that their unjust enrichment claim is duplicative and dismisses it on that basis. Toretto v. Donnelley Fin. Sols., Inc., 583 F. Supp. 3d 570, 602 (S.D.N.Y. 2022). CONCLUSION For the foregoing reasons, Reach’s motion to dismiss is GRANTED IN PART and DENIED IN PART. Specifically, the Court dismisses with prejudice
Plaintiffs’ claims under the ECPA, New York GBL Section 349, invasion of privacy under California law, negligence under California and Missouri law, breach of an implied contract, and unjust enrichment. Additionally, Plaintiffs have withdrawn or abandoned their claims under the California UCL, for breach of confidence, and for intrusion upon seclusion under Illinois and Missouri law, and the Court dismisses those claims with prejudice as well. What remains are Plaintiffs’ claims under CIPA and for negligence under Illinois law.
The parties are directed to file a joint letter proposing next steps regarding the remaining claims on or before April 13, 2026. The Clerk of Court is directed to terminate the pending motion at docket entry 24. SO ORDERED. Dated: March 30, 2026 New York, New York
KATHERINE POLK FAILLA United States District Judge