UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
BENJAMIN PAUL DE AYORA, et al., Case No. 25-cv-03645-AGT
Plaintiffs, ORDER RE: MOTION TO DISMISS v. Re: Dkt. No. 45 INSPIRE BRANDS, INC., et al., Defendants.
1. Plaintiffs Lack Standing to Sue Inspire. Defendants Inspire Brands, Inc. (Inspire), Arby’s Restaurant Group, Inc. (Arby’s), Jimmy John’s Franchisor SPV, LLC (Jimmy John’s), Sonic Industries Services, LLC (Sonic),1 and Dunkin’ Brands, Inc. (Dunkin’)2 (collectively, Defendants) ask the Court to dismiss Inspire with prejudice. Dkt. 45 at 17 & 36.3 Defendants argue that plaintiffs Benja- min Paul de Ayora, Christine Wiley, Mikhail Gershzon, and George Nino (collectively, Plaintiffs) allege no facts linking Inspire to the allegations of the complaint, id. at 17, and instead seek to hold Inspire liable based only on its status as parent company. Dkt. 48 at 10– 11. Plaintiffs argue that Inspire claims to have engaged in the conduct at issue in the
1 Sonic is not separately alleged in the complaint as a party defendant. See dkt. 35 ¶¶ 6–13. 2 Dunkin’ is alleged to operate both the Dunkin’ website and that of Baskin Robbins. Dkt. 35 ¶ 13. 3 Page numbers in this order correspond to the ECF generated page number. complaint, dkt. 46 at 17, and that the privacy statements on the websites of the other defend- ants include Inspire. Oral Argument at 5:25–6:35;4 see also dkt. 35 ¶ 44.5 But no named plaintiff alleges ever visiting Inspire’s website or reading those privacy policies, nor do Plaintiffs provide any authority showing that such a policy is sufficient alone to show stand- ing. As such, Plaintiffs’ allegations are insufficient where Plaintiffs do not plausibly plead
any harm traceable to Inspire’s actions. See Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016), as revised (May 24, 2016) (“The plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be re- dressed by a favorable judicial decision.”). This case is distinguishable from Briskin v. Shopify, Inc., wherein the Ninth Circuit allowed a plaintiff to pursue a parent and its subsidiaries based on a complaint which “de- scribe[d] each company’s role in the alleged data collection and monetization scheme,” 135 F.4th 739, 762 (9th Cir. 2025), and where the parent itself allegedly collected the personal data. Id. at 748 (“[Parent] describes [subsidiary] as a subprocessor of the personal data col-
lected by [parent].”). Without more, the mere existence of a parent-subsidiary relationship alone is an insufficient basis for standing against Inspire. See, e.g., Gustavson v. Wrigley Sales Co., 961 F. Supp. 2d 1100, 1132–33 (N.D. Cal. 2013) (concluding same and dismissing parent). Defendants’ motion to dismiss Inspire is granted with leave to amend. / / /
4 Citations to argument in this order refer to time stamps from the audio recording of the Court’s December 12, 2025, hearing. Upon request, the Court can provide access to the re- cording. Any such requests should be filed on the Court’s docket. 5 The operative complaint was filed as the “first amended class action complaint.” Dkt. 35. In fact, it is simply the first complaint; there have been no amendments yet. 2. Plaintiffs Sufficiently Allege a Concrete Privacy Injury. As noted above, a plaintiff must allege facts demonstrating “(i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021). Intangible injuries may be
concrete if they have a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. at 425. Defendants argue that Plaintiffs fail to allege concrete privacy injuries. Dkt. 45 at 17–19. First, Defendants contend that Plaintiffs fail to allege what information was actually collected during their visits to the relevant websites. Id. at 18. But Plaintiffs plead that De- fendants caused cookies and tracking technologies to be placed on their devices without their knowledge. Dkt. 35 ¶¶ 110, 119, 128, & 137. And Plaintiffs plead that their “browsing his- tory, visit history, website interactions, user input data, demographic information, interests
and preferences, shopping behaviors, device information, referring URLs, session infor- mation, user identifiers, and/or geolocation data” were obtained by third parties using those cookies. Id. ¶ 52. As argued by Plaintiffs, dkt. 46 at 13, this is sufficient. See Gabrielli v. Motorola Mobility LLC, No. 24-CV-09533, 2025 WL 1939957, at *10 (N.D. Cal. July 14, 2025) (denying motion to dismiss where plaintiff alleged that defendant “caus[ed] third party cookies to be stored on consumers’ devices and browsers that enabled the Third Parties to track and collect Plaintiff’s and Class member’s . . . browsing history, visit history, website interactions, user input data, demographic information, interests and preferences, shopping behaviors, device information, referring URLs, session information, user identifiers, and/or geolocation data”). Second, Defendants argue that, even if the cookies did track the alleged information, the collection of that information does not constitute a sufficient privacy injury. Dkt. 45 at 19. For support Defendants rely upon Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025). In Popa, the plaintiff alleged collection of “the date a user visited the website, the
device the user accessed the website on, the type of browser the user accessed the website on, the operating system of the device used to access the website, the country where the user accessed the website from, a user’s mouse movements, a user’s screen swipes, text inputted by the user on the website, and how far down a webpage a user scrolls.” Id. at 786. The Ninth Circuit reasoned that the plaintiff “identifie[d] no embarrassing, invasive, or otherwise pri- vate information collected,” such that she had not demonstrated standing based on common- law privacy torts. Id. at 791. Instead, the information was more akin to “a store clerk’s ob- serving shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales.” Id.
Plaintiffs argue that Popa is distinguishable. Dkt. 46 at 14–15. Indeed, the infor- mation allegedly collected here is more intrusive than that considered in Popa. Beyond the data generated during visits to a website, Plaintiffs allege that Defendants’ cookies scooped up their historical data and information about where Plaintiffs came from via referring URLs. Dkt. 35 ¶ 52. Using the same analogy in Popa, the alleged information at issue here is beyond what would be observable to a store clerk tasked with monitoring shoppers. Popa thus does not support dismissal here. See Gabrielli v. Haleon US Inc., No. 25-CV-02555, 2025 WL 2494368, at *6–8 (N.D. Cal. Aug. 29, 2025) (finding that a plaintiff alleging collection of “[t]he information the user entered into the Websites’ form fields, including search queries, the user’s name, age, gender, email address, location, and/or payment information, demo- graphic information, and also device information, session information, and/or geolocation data” had sufficiently alleged standing, distinguishing Popa). Plaintiffs have alleged facts sufficient to show that the alleged collection of data could be highly offensive, and the undersigned cannot dismiss the claims as a matter of law
at the pleading stage. “Under California law, courts must be reluctant to reach a conclusion at the pleading stage about how offensive or serious the privacy intrusion is.” In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 797 (N.D. Cal. 2019). Indeed, determining the offensiveness of an invasion requires consideration of “the degree of the intrusion, the context, conduct and circumstances surrounding the intrusion as well as the intruder’s motives and objectives, the setting into which he intrudes, and the expectations of those whose privacy is invaded.” Hill v. Nat’l Collegiate Athletic Assn., 865 P.2d 633, 648 (Cal. 1994). Only if the allegations “show no reasonable expectation of privacy or an insub- stantial impact on privacy interests” can the “question of [a serious or highly offensive] in-
vasion [ ] be adjudicated as a matter of law.” Id. at 657. That is not the case here. See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606 (9th Cir. 2020) (“The ultimate question of whether Facebook’s tracking and collection practices could highly offend a rea- sonable individual is an issue that cannot be resolved at the pleading stage.”).6 / / / / / /
6 Because Plaintiffs allege that Defendants deprived them of control of personal information, the Court will not address Defendants’ arguments that Plaintiffs have not shown injury through diminution in the value of their personal information. And because, for reasons ex- plained below, the Court dismisses the trespass to chattels claim, the Court will not review Defendants’ arguments regarding standing based on a reduction in the storage or value of Plaintiffs’ devices. 3. Plaintiffs Do Not Meet Rule 9(b)’s Heightened Pleading Standard. Claims that sound in fraud must meet the heightened pleading standard of Federal Rule of Civil Procedure 9(b). See Kearns v. Ford Motor Co., 567 F.3d 1120, 1124 (9th Cir. 2009). “[W]here fraud is not an essential element of a claim, only allegations (‘averments’) of fraudulent conduct must satisfy the heightened pleading requirements of Rule 9(b).” Vess
v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1105 (9th Cir. 2003). Defendants argue that all of Plaintiffs’ claims sound in fraud, dkt. 45 at 22, and liken this case to Williams v. Facebook, Inc., 384 F. Supp. 3d 1043 (N.D. Cal. 2018).7 There, Judge Seeborg found that claims alleging violations of California’s constitutional right to privacy, intrusion upon seclusion, trespass to personal property, and unjust enrichment were subject to Rule 9(b)’s heightened pleading standard. Id. at 1046 & 1052. He reasoned that, “[p]laintiffs’ theory of liability is [that the defendant] failed to represent accurately or dis- close it was collecting user data in violation of user privacy, and deprived users of any in- come generated from the use or sale of the data.” Id. at 1046. As such, “[t]he nature of the
averred misrepresentation sounds in fraud.” Id. at 1052. Similarly, these Plaintiffs seek to hold Defendants liable for what Plaintiffs term “outright lies.” Dkt. 35 ¶ 2. Plaintiffs claim that Defendants presented a pop-up cookie ban- ner which ostensibly allowed users to decline all cookies on Defendants’ websites. Id. ¶ 1. But even for users who declined all cookies, Defendants caused third-parties to place cookies that track users’ interactions with the websites. Id. ¶ 2. Plaintiffs all allege clicking decline and being tracked anyway. Id. ¶¶ 108–140. It is this alleged deception which forms the
7 Defendants compare this case to a later-filed decision in Williams v. Facebook, 498 F. Supp. 3d 1189 (N.D. Cal. 2019). For convenience, the Court cites to the decision wherein Judge Seeborg found Rule 9(b) applicable. backbone for all of Plaintiffs’ claims, and therefore the Court finds that the nature of the averred conduct sounds in fraud. Plaintiffs’ claims are subject to Rule 9(b). Plaintiffs disagree, arguing that they need only meet Rule 9(b)’s requirements for fraud-based claims and for not statutory or invasion of privacy claims. Dkt. 46 at 17–18. In support of this proposition, they cite Smith v. Google, wherein Judge Pitts found that the
plaintiffs’ statutory claims, including CIPA claims, did not sound in fraud. 735 F. Supp. 3d 1188, 1198. In Smith, however, the plaintiffs did not allege any sort of misrepresentation. Instead, they only alleged using online tax filing services which had installed Google’s track- ing tools. The plaintiffs then sued Google, alleging unlawful wiretapping (among other claims). Id. at 1193–94. There was no allegation regarding a cookie banner, and no allegation that the defendant misled or lied to those plaintiffs. See id. at 1198 (“Because plaintiffs are directly challenging Google’s alleged data collection rather than challenging any potentially fraudulent or misleading representations about this collection, their claims do not sound in fraud and are not subject to Rule 9(b).”). Smith doesn’t help Plaintiffs when Plaintiffs allege
that “Defendants falsely told . . . users . . . that they could avoid tracking and data shar- ing . . . .” Dkt. 35 ¶ 5. Given that Rule 9(b) is in play, do Plaintiffs meet the Rule 9(b) standard? “Averments of fraud must be accompanied by ‘the who, what, when, where, and how’ of the misconduct charged.” Vess, 317 F.3d at 1106. Defendants essentially argue here that Plaintiffs fail to meet the heightened pleading standard laid out in Rule 9(b) because they have failed to plead the “when” with requisite specificity. Dkt. 45 at 22–23. Plaintiffs plead visiting Defendants’ websites during the class period, which they argue is sufficient. Dkt. 46 (opposition) at 18. The period at issue, however, stretches four years, see dkt. 35 ¶¶ 105, 114, 123, & 132, and Defendants represent that cookie banners were implemented and updated on different web- sites at different times. Dkt. 45 at 23. Those cookie banners form the “where” of Plaintiffs’ claims. See dkt. 35 ¶¶ 107, 116, 125, 134, 215–16. Given that the cookie banners were changed during the accused period, the Court finds that Plaintiffs have not adequately given Defendants notice of the “when” or the “where” here. As such, all of Plaintiffs’ claims are
dismissed for failure to comply with Rule 9(b). 4. Plaintiffs’ Fifth Claim, Fraud, Fails. “Under California law, the indispensable elements of a fraud claim include a false representation, knowledge of its falsity, intent to defraud, justifiable reliance, and damages.” Vess, 317 F.3d at 1105 (cleaned up). For the reasons stated above, this fifth claim is dis- missed with leave to amend. 5. Plaintiffs’ Sixth Claim, Unjust Enrichment, Fails. Defendants argue that California has no stand-alone claim for unjust enrichment. Dkt 45 at 33–34. Plaintiffs disagree, arguing in essence that it can be brought as a quasi-contact
claim. See dkt. 46 at 27. Case law surrounding an unjust enrichment claim in California is less than clear. There are indications that unjust enrichment can present a stand-alone cause of action. See, e.g., Hartford Cas. Ins. Co. v. J.R. Mktg., L.L.C., 353 P.3d 319 (Cal. 2015). There are also indications to the contrary. See, e.g., Hooked Media Grp., Inc. v. Apple Inc., 269 Cal. Rptr. 3d 406, 417 (Cal. Ct. App. 2020); De Havilland v. FX Networks, LLC, 230 Cal. Rptr. 3d 625, 646–47 (Cal. Ct. App. 2018). The Ninth Circuit, noting the ambiguity, has allowed unjust enrichment claims to proceed when pled as quasi-contract claims. ESG Cap. Partners, LP v. Stratos, 828 F.3d 1023, 1038–39 (9th Cir. 2016). This Court will follow the weight of authority in this District and do the same. See, e.g., Pemberton v. Rest. Brands Int’l, Inc., No. 25-CV-03647, 2025 WL 3268404, at *8–9 (N.D. Cal. Nov. 24, 2025) (permitting unjust enrichment claim under quasi-contract theory). Unjust enrichment permits recovery when “a claim [is brought] that a defendant has been unjustly conferred a benefit through mistake, fraud, coercion, or request.” Astiana v.
Hain Celestial Grp., Inc., 783 F.3d 753, 762 (9th Cir. 2015) (cleaned up). Defendants argue that Plaintiffs fail to plead an actionable misrepresentation, dooming their unjust enrichment claim. Dkt. 45 at 34. For the reasons stated above, the Court agrees that Plaintiffs have failed to adequately plead under Rule 9(b) and therefore have not “establish[ed] the requisite rela- tionship” between their fraud and unjust enrichment claims by alleging Defendants “ha[ve] been unjustly conferred a benefit through . . . fraud.” See B.K. v. Desert Care Network, No. 23-CV-05021, 2024 WL 1343305, at *11 (C.D. Cal. Feb. 1, 2024) (cleaned up). This sixth claim is dismissed with leave to amend. See Hammerling v. Google LLC, 615 F. Supp. 3d 1069, 1096–97 (N.D. Cal. 2022) (dismissing unjust enrichment claim where plaintiffs failed
to plead fraud with particularity); B.K., No. 23-CV-05021, 2024 WL 1343305, at *11 (same). 6. Plaintiffs’ First and Second Common-Law Privacy Claims Are Other- wise Sufficient. To state a claim for invasion of privacy or intrusion upon seclusion under Califor- nia’s common law, a plaintiff must show (1) a reasonable expectation of privacy and (2) that the defendant’s intrusion was highly offensive. See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d at 601. Defendants argue first that Plaintiffs fail to allege that any of their own information was disclosed or collected during their visits to the websites in question. Dkt. 45 at 23. The Court disagrees. As noted, Plaintiffs plead that Defendants caused cookies and tracking tech- nologies to be placed on their devices without their knowledge, dkt. 35 ¶¶ 110, 119, 128, & 137, and Plaintiffs plead that their “browsing history, visit history, website interactions, user input data, demographic information, interests and preferences, shopping behaviors, device information, referring URLs, session information, user identifiers, and/or geolocation data”
were obtained by third parties using those cookies. Id. ¶ 52. Next, Defendants argue that website visitors have no reasonable expectation of pri- vacy in the type of information at issue in this complaint. “[T]here is no reasonable expec- tation of privacy when the data collection is within users’ common-sense expectation or when the information is not sensitive.” Hammerling, 615 F. Supp. 3d at 1089. Plaintiffs argue that they had a reasonable expectation of privacy because Defendants misled them into believing that their browsing would be private, given that Plaintiffs declined cookies. Dkt. 46 at 20. Where a plaintiff could have understood that defendants were not collecting data in a particular way, and then defendants subsequently collected data in that manner,
courts have found that a reasonable expectation of privacy has been adequately pled. See Hammerling, 615 F. Supp. 3d at 1089–90; In re Facebook, Inc. Internet Tracking Litig., 956 F.3d at 602 (“Plaintiffs have plausibly alleged that Facebook set an expectation that logged- out user data would not be collected, but then collected it anyway.”); Calhoun v. Google LLC, 526 F. Supp. 3d 605, 630 (N.D. Cal. 2021) (“Plaintiffs in the instant case could have reasonably assumed that Google would not receive their data while they were using Chrome without sync based on Google’s representations.”). Defendants additionally argue that the information collected was not sensitive. Dkt. 45 at 24–25. But for the reasons stated above, Plaintiffs have plausibly alleged that the information might be sensitive to the reasonable person, which is sufficient to survive a mo- tion to dismiss. See Pemberton, No. 25-CV-03647, 2025 WL 3268404, at *5 (finding same). Finally, Defendants argue that none of their conduct was highly offensive. Dkt. 45 at 25. Plaintiffs argue that this inquiry is fact-specific and should be deferred. Dkt. 46 at 21. Again, for the reasons noted above, the Court cannot now conclude —based on the pleadings
alone and as a matter of law — that the alleged tracking is not highly offensive. See Williams, 384 F. Supp. 3d at 1054 (“The theft of a person’s call and text logs, without the user’s consent or knowledge as alleged in the FACC, may or may not be highly offensive to current privacy norms. It is indeed a factual question best left for a jury.”) (cleaned up). Plaintiffs’ first and second common law privacy claims could otherwise survive dis- missal under Rule 12(b)(6), assuming they are able to satisfy Rule 9(b). 7. Plaintiff Ayora’s CIPA Claims Are Equitably Tolled in Part. Plaintiff Ayora pleads in the complaint that he learned of the conduct giving rise to his claims on October 15, 2023. Dkt. 35 ¶ 141. He communicated with defendant Inspire on
October 30, 2023, id. ¶ 142; filed a demand for arbitration on April 29, 2024, id. ¶ 20; and received an arbitration decision on February 24, 2025, along with a closing letter from JAMS on April 4, 2025. Id. ¶ 145. He filed this suit on April 25, 2025. See dkt. 1. The statute of limitations applicable to the California Invasion of Privacy Act (CIPA) is one year. Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 134 (N.D. Cal. 2020). The statute of limitations on Ayora’s claims thus ran on approximately October 15, 2024. On the face of the complaint, as argued by Defendants, see dkt. 45 at 26–27, Ayora’s CIPA claims are time-barred. See A.B. by & Through Turner v. Google LLC, 737 F. Supp. 3d 869, 877–78 (N.D. Cal. 2024) (“If the running of the statute is apparent on the face of the complaint,” “the defense may be raised by a motion to dismiss.”) (citing Jablon v. Dean Witter & Co., 614 F.2d 677, 682 (9th Cir. 1980)). Ayora’s time-barred claims could be saved from dismissal because of equitable toll- ing. To qualify for relief, Ayora must show Defendants had timely notice, suffer no preju- dice, and Ayora engaged in good faith and reasonable conduct. See Butler v. Nat’l Cmty.
Renaissance of California, 766 F.3d 1191, 1204 (9th Cir. 2014). Ayora, however, cannot show timely notice to all Defendants. Ayora pleads claims against Arby’s, Baskin Robbins, Dunkin’, and Jimmy John’s. Dkt. 35 ¶ 105. But, Ayora’s arbitration demand only went to defendants Inspire and Arby’s. Id. ¶ 144. The Court finds that Ayora’s arbitration demand did not provide notice to Baskin Robbins, Dunkin’, or Jimmy John’s. Equitable tolling is therefore inapplicable to Ayora’s CIPA claims against Baskin Robbins, Dunkin’, or Jimmy John’s. These claims are dismissed with leave to amend to the extent that Ayora can allege facts which show timely notice. 8. Plaintiff Wiley Is Not Entitled to Equitable Tolling on CIPA Claims.
Plaintiff Wiley pleads that she learned of Defendants’ conduct on July 22, 2023. Dkt. 35 ¶ 147. She communicated with defendant Inspire on February 13, 2024, id. ¶ 148; filed an arbitration demand against defendants Inspire and Jimmy John’s on May 10, 2024, id. ¶ 150; and received a final award dated January 3, 2025, and a closing letter dated April 29, 2025. Id. ¶ 151. Wiley was added to this case as a plaintiff on August 18, 2025. See id., generally. Similar to Ayora, the statute of limitations on Wiley’s CIPA claims lapsed as pre- sented in the complaint and the parties disagree whether her CIPA claims are time-barred. See dkt. 45 at 26–27; dkt. 46 at 18–19. Equitable tolling does not save Wiley’s CIPA claims because, like Ayora, the notice is insufficient. Wiley filed an arbitration demand against Inspire and Jimmy John’s, dkt. 35 ¶ 150, but alleges in the complaint visiting the websites of Jimmy John’s, Baskin Robbins, and Dunkin’. Id. ¶ 114. Wiley’s arbitration demand does not provide any notice to Baskin Robbins or Dunkin’. Her CIPA claims against these de- fendants must be dismissed.
Wiley, however, has a further problem with her delay. She alleges receiving a final award dated January 3, 2025. Id. ¶ 151. She did not join this case until August 18, 2025. See id., generally. Defendants argue that Wiley presented no good reason for this delay after the close of arbitration. Dkt. 48 at 14. The Court agrees. Wiley pleads no facts in her complaint, nor does she argue in opposition, that waiting a further eight months to file or join suit after receiving an arbitration decision can support a claim of good faith and reasonableness. At the hearing, Plaintiffs conceded that they could not reconcile that eight month delay. Oral Argument at 42:00–43:40. As such, Wiley’s CIPA claims against Jimmy John’s, Baskin Robbins, and Dunkin’ are dismissed without leave to amend. See Pemberton, No. 25-CV-
03647-JSC, 2025 WL 3268404, at *6 (dismissing where plaintiff waited nine and a half months after the arbitrator’s decision to file a complaint).8 9. Plaintiffs’ Third Claim, Wiretapping, Fails. Plaintiffs allege violations of California Penal Code § 631(a), which prohibits: [(1)] intentionally tap[ping], or mak[ing] any unauthorized connec- tion . . . with any telegraph or telephone wire, line, cable, or instru- ment . . . or [(2)] . . . willfully and without the consent of all parties to the com- munication, or in any unauthorized manner, read[ing], or at- tempt[ing] to read, or . . . learn[ing] the contents or meaning of any message, report, or communication while the same is in
8 Defendants argued during the hearing that certain of Wiley’s other claims are also time- barred. Oral Argument at 43:55–44:28. But this argument was not included in their moving papers, and the Court finds the argument has been waived but without prejudice. transit . . . or [(3)] . . . us[ing], or attempt[ing] to use, in any manner, or for any purpose, or to communicate in any way, any information so ob- tained, or [(4)] . . . aid[ing], agree[ing] with, employ[ing], or conspir[ing] with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section . . . .
Cal. Pen. Code § 631(a) (subsections added). Defendants argue that Plaintiffs cannot allege a predicate violation of the first clause as it does not apply to online conduct. Dkt. 45 at 28. Plaintiffs do not respond to this argument in opposition and thereby concede it. Instead, Plaintiffs argue that they sufficiently allege under the fourth clause that De- fendants aided third parties in their CIPA violations. Dkt. 46 at 21–22. The gravamen of Plaintiffs’ arguments goes to alleged violations of the second clause by third parties, which requires showing that, without consent, an entity read or attempted to read the contents of a message while the message was in transit. See Cal. Pen. Code § 631(a). Defendants argue that Plaintiffs fail to allege transmitting any communications, let alone communications with contents; fail to allege that any communications were intercepted while in transit; and fail to allege the requisite knowledge from Defendants. Dkt. 45 at 28–31. “Courts analyzing CIPA claims apply the same definitions for the federal Wiretap Act where appropriate.” Mikulsky v. Bloomingdale’s, LLC, 713 F. Supp. 3d 833, 845 (S.D. Cal. 2024). In that context, the Ninth Circuit has held that, for an electronic communication “to be ‘intercepted’ in violation of the Wiretap Act, it must be acquired during transmission, not while it is in electronic storage.” Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 878 (9th Cir. 2002). In other words, only “acquisition contemporaneous with transmission” is cognizable. Id. See also Zarif v. Hwareh.com, Inc., 789 F. Supp. 3d 880, 896 (S.D. Cal. 2025) (applying definition in context of § 631(a) claim). Plaintiffs argue that they have adequately alleged interception while in transit, pointing the Court to paragraphs 3, 39, 49, 50, and 51 of their complaint. See dkt. 46 (oppo- sition) at 24. But none of these paragraphs include, nor has the Court found elsewhere in the complaint, a description of “how the software works or how the interception occurs.” Cody v. Ring LLC, 718 F. Supp. 3d 993, 1001 (N.D. Cal. 2024). As such, Plaintiffs’ mere assertion that Defendants or third parties acquire the communications contemporaneously, without
factual support, is insufficient to survive Defendants’ motion to dismiss. See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007) (“a formulaic recitation of the elements of a cause of action will not do” to survive dismissal). See also Quigley v. Yelp, Inc., No. 17-CV-03771, 2018 WL 7204066, at *4 (N.D. Cal. Jan. 22, 2018) (dismissing where plaintiff failed to “allege[ ] facts giving rise to an inference that his communications were intercepted while ‘in transit’”). Plaintiffs’ third claim for wiretapping is additionally dismissed with leave to amend on Rule 12(b)(6) grounds. 10. Plaintiffs’ Fourth Claim, Use of a Pen Register, Is Otherwise Sufficient.
Plaintiffs allege Defendants use a pen register in violation of California Penal Code § 638.51. Dkt. 35 ¶¶ 203–13. They allege that the third parties’ cookies and corresponding code on Defendants’ websites are pen registers. Id. ¶ 207. Defendants argue that online cookie technology does not qualify as a pen register device. Dkt. 45 at 31. For this, Defend- ants cite the plain language of the statute, the legislative history, and recent California state court decisions. Id. at 31–32. As Judge Chhabria recently commented, CIPA’s language is opaque. See Doe v. Eat- ing Recovery Ctr. LLC, No. 23-CV-05561, 2025 WL 2971090, at *1 (N.D. Cal. Oct. 17, 2025) (“The language of CIPA is a total mess.”). A state court decision cited by Defendants in their moving papers found that a plaintiff failed to state claims alleging use of a pen reg- ister where the cookies at issue apparently tracked only an IP address. See Licea v. Hickory Farms LLC, No. 23STCV26148, 2024 WL 1698147, at *1 (L.A. Super. Ct. Mar. 13, 2024) (“Plaintiff maintains the ‘pen register’ technology used in conjunction with an IP address via mobile phone qualifies as an improper act.”). The Licea court found that plaintiff failed
to show that an IP address provided unique location and other information typically acces- sible to law enforcement only with a warrant. Id. at 3. As such, the plaintiff failed to show “any actually acquired qualifying information for the establishment of a violation.” Id. Here, Plaintiffs have alleged tracking of more than just an IP address, so Licea is distinguishable, nor did it find that new technologies could never be cognizable under CIPA. Likewise, in another state court case cited by Defendants, the court found that the plaintiff failed to show that the software at issue collected any outgoing addressing infor- mation from visitors’ devices. See Aviles v. Liveramp, Inc., No. 24STCV19869, 2025 WL 487196, at *2 (L.A. Super. Ct. Jan. 28, 2025). Accordingly, the plaintiff failed to allege use
of a pen register. Id. Defendants don’t argue here for any issue with outgoing information and, again, the Aviles court did not find that a pen register claim under CIPA could never encompass cookies. Indeed, in Aviles, “the [d]efendant [did] not argue that software cannot be a pen register or trap and trace device.” Id. at *3. Instead, this Court follows a growing number of colleagues and finds that, in line with Judge van Keulen’s recent reasoning in Walsh v. Dollar Tree Stores, Inc., Plaintiffs have sufficiently stated a claim. No. 25-CV-01601, 2025 WL 2939229, at *18. See also Shah v. Fandom, Inc., 754 F. Supp. 3d 924, 933 (N.D. Cal. 2024) (“Plaintiffs have plausibly al- leged that the Trackers operate as pen registers under the meaning of the statute”); Motorola, No. 24-CV-09533, 2025 WL 1939957, at *11–12 (“Motorola argues that the legislative his- tory of Section 638.51 — which discusses pen registers in relation to telephones — indicates that the statute applies only to telephones. The Court disagrees.”) (cleaned up); Haleon, No. 25-CV-02555, 2025 WL 2494368, at *11–12 (finding that third-party trackers constitute pen registers under CIPA).
Defendants additionally argue that Plaintiffs’ § 638.51 pen register claims cannot coexist with their § 631 wiretapping claims. Dkt. 45 at 31. California Penal Code § 638.50(b) defines pen register as a device that “records dialing, routing, addressing, or signaling infor- mation transmitted by an instrument or facility from which a wire or electronic communica- tion is transmitted, but not the contents of a communication” (emphasis added). As such, Defendants argue that Plaintiffs, in alleging both collection of content under § 631 and of dialing, routing, addressing, or signaling information under §§ 638.50–51(b), have pled con- tradictory facts. Dkt. 45 at 31. This argument has similarly been considered and rejected by judges in this District, two of whom recently found that, “given CIPA’s purpose to protect
Californians’ privacy, it seems very unlikely that the state Legislature meant to permit the installation and implementation of pen registers ‘so long as those devices also record the contents of third party’s communications.’” Haleon, No. 25-CV-02555, 2025 WL 2494368, at *12 (N.D. Cal. Aug. 29, 2025) (quoting In re Meta Pixel Tax Filing Cases, 793 F. Supp. 3d 1147, 1153 (N.D. Cal. 2025)). Finally, Defendants argue that Plaintiffs fail to plead intent to utilize an illegal pen register, which dooms Plaintiffs’ claims. Dkt. 45 at 33. Plaintiffs respond that they alleged that Defendants intentionally enabled a third party’s eavesdropping on or interception of the communication, which is sufficient. Dkt. 46 at 22. When analyzing intent under the Wiretap Act, the Ninth Circuit found that the statute required pleading only “an intentional act, de- fined as an act that is being done on purpose,” not whether the defendant “had a good or evil purpose.” United States v. Christensen, 828 F.3d 763, 775 (9th Cir. 2015) (cleaned up). That definition has been applied in the CIPA context to find that a defendant who acted deliber- ately in deploying tracking software had the requisite intent. See Zarif, 789 F. Supp. 3d at
894 & 896. Plaintiffs here allege that Defendants voluntarily designed their websites to allow third parties to place cookies on the devices of consumers. Dkt. 35 ¶ 2 & ¶ 35. If Plaintiffs can meet the requirements of Rule 9(b), their fourth claim, use of a pen register, could oth- erwise proceed under Rule 12(b)(6).9 11. Plaintiffs’ Seventh Claim, Trespass to Chattels, Fails. Trespass to chattels “allows recovery for interferences with possession of personal property not sufficiently important to be classed as conversion.” Best Carpet Values, Inc. v. Google, LLC, 90 F.4th 962, 967 (9th Cir. 2024) (cleaned up). Under California law, a tres- pass to chattels claim exists “where an intentional interference with the possession of per-
sonal property causes injury.” Id. at 968 (cleaned up). Plaintiffs plead here that cookies were placed on their devices and damaged their devices by “[reducing] storage, disk space, and performance of Plaintiffs’ . . . computing devices.” Dkt. 35 ¶ 240. But Plaintiffs don’t plead how the cookies reduce any of these three, nor offer any factual support for their conclusory statement. As such, this is a “naked asser- tion[ ] devoid of further factual enhancement,” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (cleaned up), insufficient to survive a motion to dismiss. This seventh claim is dismissed
9 The pen register claims can only proceed only to the extent that Plaintiffs’ claims are timely. with leave to amend. See Haleon, No. 25-CV-02555, 2025 WL 2494368, at *13-14 (dis- missing trespass to chattels claim where plaintiffs pled “[r]eduction of storage, disk space, and performance of Plaintiff’s and other users’ computing devices”). 12. Defendants’ Request to Strike Class Allegations Is Denied. Defendants ask the Court to strike Plaintiffs’ class allegations as overbroad and un- workable. Dkt. 45 at 35-36. Plaintiffs oppose, arguing that such requests are disfavored and rarely granted. Dkt. 46 at 29-30. The Court agrees with Plaintiffs that striking class allega- tions at this pleading stage would be premature. The request is denied without prejudice. See Motorola, No. 24-CV-09533, 2025 WL 1939957, at *16 (“This is not an exceptional case that warrants the class claims being stricken at this stage.”). 13. Conclusion Defendants’ motion to dismiss is granted and all claims are dismissed with leave to amend. Defendants’ request to strike class allegations is denied. Any amended complaint is due January 30, 2026. IT IS SO ORDERED. Dated: December 22, 2025 Alex G. Tse United States Magistrate Judge