1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 CHRISTINE WILEY, et al., Case No. 25-cv-03095-PCP
8 Plaintiffs, ORDER DENYING IN PART, 9 v. GRANTING IN PART MOTION TO DISMISS 10 UNIVERSAL MUSIC GROUP, INC., Re: Dkt. No. 21 Defendant. 11
12 In their class action complaint, plaintiffs Christine Wiley and Vishal Shah allege that 13 defendant Universal Music Group, Inc. (UMG) violated their privacy rights by placing certain 14 cookies on their devices even though they had expressly opted out of receiving such cookies. 15 UMG moves to dismiss plaintiffs’ lawsuit for failure to state a claim under Federal Rule of Civil 16 Procedure 12(b)(6). UMG also moves to strike several of plaintiffs’ allegations and their class 17 definition. For the reasons stated below, the Court grants in part and denies in part UMG’s motion 18 to dismiss and denies UMG’s motion to strike. 19 BACKGROUND 20 UMG is a music company that owns and operates websites where users can get 21 information about artists and merchandise.1 UMG’s websites place cookies—text files that 22 identify users to websites—on users’ browsing devices. Cookies allow websites to recognize 23 individual users because they are sent to a website’s server alongside requests for the website’s 24 content. Generally, a website may store third-party cookies on a user’s device, allowing the third- 25 party to track that user across different websites. Owners of websites can use cookies to analyze 26 users’ behavior, personalize information presented, target advertising, and integrate social media 27 1 functions. 2 UMG presented users a choice as to how they would be tracked while on UMG websites. 3 UMG’s privacy policy explains that its websites use cookies and that plaintiffs can “make certain 4 choices about cookies through the cookie choices tools … .” UMG’s popup cookie consent banner 5 told users that the sites use cookies for “Online Advertising” on both the site they visit and 6 “another site you may visit in the future.” UMG’s banner also said that the cookies it used for 7 “Performance and Analytics” were meant “to improve our site” and were “[n]ot used for online 8 advertising purposes or by third parties for their own use.” For California consumers, UMG’s 9 popup cookie consent banner gave users the option to change their “Cookie Choices” by opting 10 out of receiving “Online Advertising” and “Performance and Analytics” cookies, including by 11 clicking “Decline All.” In other words, UMG’s popup cookie consent banner told users that the 12 website they were visiting used cookies but appeared to give users some control over how they 13 would be tracked and how their personal data would be used. 14 Plaintiffs allege that, in reality, even if users clicked “Decline All” or opted out of either 15 “Online Advertising” or “Performance and Analytics” cookies, UMG’s websites nonetheless 16 placed third-party cookies on users’ devices and allowed third parties—including Meta Platforms, 17 Inc., Google LLC, ByteDance Ltd. (TikTok), Snap Inc. (SnapChat), and Appreciation Engine 18 Inc.—to use those cookies to track users’ online activities, including, plaintiffs allege, their “browsing history, visit history, website interactions, user input data, demographic information, 19 interests and preferences, shopping behaviors, device information, referring URLs, session 20 information, user identifiers, and/or geolocation data.” 21 Plaintiffs Christine Wiley and Vishal Shah are California residents who say UMG tracked 22 them despite their having expressly opted out of advertising and performance cookies. Wiley says 23 that “during the last four years” she visited arianagrande.com, icespicemusic.com, 24 universalmusic.com, nickiminajofficial.com, theweekend.com, and lilyachtyofficial.com. Wiley 25 says that she read UMG’s popup cookie consent banner and “Decline[d] All” advertising and 26 performance analytics cookies. UMG nonetheless enabled cookies and other tracking technology 27 1 Plaintiff Shah alleges largely the same facts, contending that he visited postmalone.com and 2 imaginedragonsmusic.com in the last four years “including[] in or around March 2024.” 3 Wiley and Shah bring suit on behalf of a class of similarly situated people, defining the 4 class as “[a]ll persons who browsed the Websites in the State of California after clicking the 5 ‘Cookie Choices’ link and declined cookies in the cookie consent preferences window within the 6 four years preceding the filing of this Complaint.” Plaintiffs bring claims against UMG for 7 invasion of privacy; intrusion upon seclusion; wiretapping in violation of the California Invasion 8 of Privacy Act (CIPA); use of a pen register in violation of CIPA; common law fraud, deceit, or 9 misrepresentation; unjust enrichment; breach of contract; breach of the implied covenant of good 10 faith and fair dealing; and trespass to chattels. Plaintiffs seek injunctive relief, damages, and fees. 11 UMG now moves to dismiss plaintiffs’ complaint for failure to state a claim under Rule 12(b)(6) 12 and moves to strike certain allegations, including plaintiffs’ class allegations. 13 LEGAL STANDARD 14 Federal Rule of Civil Procedure 8(a)(2) requires a complaint to include a “short and plain 15 statement of the claim showing that the pleader is entitled to relief.” Federal Rule of Civil 16 Procedure 12(b)(6) allows a defendant to move to dismiss a complaint for failure to state a claim 17 upon which relief can be granted. Dismissal is required if the plaintiff fails to allege facts allowing 18 the Court to “draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). “Dismissal under Rule 12(b)(6) is 19 appropriate only where the complaint lacks a cognizable legal theory or sufficient facts to support 20 a cognizable legal theory.” Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th 21 Cir. 2008). To survive a Rule 12(b)(6) motion, a plaintiff need only plead “enough facts to state a 22 claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). 23 In considering a Rule 12(b)(6) motion, the Court must “accept all factual allegations in the 24 complaint as true and construe the pleadings in the light most favorable” to the non-moving party. 25 Rowe v. Educ. Credit Mgmt. Corp., 559 F.3d 1028, 1029-30 (9th Cir. 2009). While legal 26 conclusions “can provide the [complaint’s] framework,” the Court will not assume they are correct 27 1 as true allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable 2 inferences.” In re Gilead Scis. Secs. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008) (quoting Sprewell 3 v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001)). 4 ANALYSIS 5 I. Motion to Dismiss 6 A. Statute of Limitations 7 Wiley alleges that she visited UMG websites “during the last four years” but alleges no 8 specific date on which she visited those websites. Because a portion of the alleged four-year 9 period falls outside the applicable statutes of limitations, UMG argues that Wiley’s invasion of 10 privacy, intrusion upon seclusion, wiretapping, and pen register claims are untimely.2 11 Because plaintiffs bring state law claims, California’s statutes of limitations apply. See 12 Nev. Power Co. v. Monsanto Co., 955 F.2d 1304, 1306 (9th Cir. 1992). The applicable statutes of 13 limitations range from two years for their invasion of privacy and intrusion upon seclusion claims, 14 Cal. Civ. Proc. Code § 335.1; Brown v. Google LLC, 525 F. Supp. 3d 1049, 1069 (N.D. Cal. 15 2021), to one year for their CIPA wiretapping and pen register claims, see Cal. Civ. Proc. Code 16 § 340; Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 134 (N.D. Cal. 2020). 17 The statute of limitations is “generally an affirmative defense rather than an element of the 18 plaintiff’s claim.” Turner v. Google LLC, 737 F. Supp. 3d 869, 877 (N.D. Cal. 2024). Affirmative defenses do not provide a basis for dismissal under Rule 12(b)(6) unless the plaintiff has pleaded 19 herself out of a claim by “admit[ing] all the ingredients of an impenetrable defense,” Durnford v. 20 MusclePharm Corp., 907 F.3d 595, 604 n.8 (9th Cir. 2018), meaning that the plaintiff’s pleaded 21 facts demonstrate no “potential factual dispute that could affect whether the defense applies,” 22 Rabin v. Google LLC, 725 F. Supp. 3d 1028, 1031 (N.D. Cal. Mar. 26, 2024). Where the 23 defendant moves to dismiss a claim as untimely under the applicable statute of limitations, the 24 motion can be granted “only when ‘the running of the statute is apparent on the face of the 25 complaint.’” Van Saher v. Norton Simon Museum of Art at Pasadena, 592 F.3d 954, 969 (9th Cir. 26 27 1 2010) (quoting Huynh v. Chase Manhattan Bank, 465 F.3d 992, 997 (9th Cir. 2006)). 2 Here, plaintiffs’ complaint does not admit the ingredients of an impenetrable statute of 3 limitations defense as to Wiley. “The face of the complaint,” Huynh, 465 F.3d at 997, alleges that 4 “Plaintiff Wiley visited the arianagrande.com, icespicemusic.com, universalmusic.com, 5 nickiminajofficial.com, theweekend.com, and lilyachtyofficial.com Websites to browse 6 information about music and related products on multiple occasions during the last four years.” 7 The “last four years” includes the past two years or one year, so it is entirely possible, from the 8 face of the complaint, that Wiley’s claims are timely. Therefore, plaintiffs have adequately alleged 9 that their claims are timely. 10 B. Invasion of Privacy & Intrusion upon Seclusion 11 UMG argues that plaintiffs have failed to adequately plead the substantive elements of 12 their causes of action for invasion of privacy and intrusion upon seclusion. Because both causes of 13 actions have similar elements, they are considered together. See In re Facebook, Inc. Internet 14 Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020). Both require plausibly alleging, first, that the 15 defendant intruded into a “place, conversation, or matter as to which the plaintiff had a reasonable 16 expectation of privacy” and, second, that the defendant’s intrusion was “highly offensive.” Id.; see 17 also Hammerling v. Google, 615 F. Supp. 3d 1069, 1088 (N.D. Cal. 2022). 18 Reasonable Expectation of Privacy UMG argues that plaintiffs’ allegations do not indicate that they had a reasonable 19 expectation of privacy in the specific browsing information allegedly shared with UMG’s 20 assistance. Whether one has a reasonable expectation of privacy is a mixed question of law and 21 fact, informed by “whether a defendant gained ‘unwanted access to data by electronic or other 22 covert means, in violation of the law or social norms.” See In re Facebook, 956 F.3d at 601–02 23 (quoting Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 286 (2009)). “To make this determination, 24 courts consider a variety of factors, including the customs, practices, and circumstances 25 surrounding a defendant’s particular activities.” Id. (citing Hill v. NCAA, 7 Cal. 4th 1, 36 (1994)). 26 In support of their privacy claims, plaintiffs allege that UMG told them that it would not 27 1 Shah thought that they were opting out of tracking that they allege UMG nevertheless facilitated. 2 Plaintiffs allege that the information UMG collected on them included “their browsing history, 3 visit history, website interactions, user input data, demographic information, interests and 4 preferences, shopping behaviors, device information, referring URLs, session information, user 5 identifiers, and/or geolocation data.” 6 UMG is correct that the information at issue, standing alone, may not involve the types of 7 information in which users have an unqualified expectation of privacy. But in this case UMG 8 allegedly represented to plaintiffs that it would not collect information for advertising or analytics 9 if they opted out of such collection. A reasonable visitor to UMG’s website who selected “Decline 10 All” would thus reasonably expect UMG not to install performance and analytics cookies on their 11 devices. Because UMG told users that they could opt out of such forms of information collection, 12 users of UMG’s website had a reasonable expectation of privacy with respect to that information. 13 UMG’s alleged affirmative misrepresentation distinguishes its actions from those in the 14 cases it cites. See, e.g., In re Zynga Priv. Litig., 750 F.3d 1098, 1108–09 (9th Cir. 2014); In re 15 Google Location Hist. Litig., 428 F. Supp. 3d 185, 198 (N.D. Cal. 2019); D’Angelo v. FCA US, 16 LLC, 726 F. Supp. 3d 1179, 1206 (S.D. Cal. 2024)). Those cases did not involve an affirmative 17 representation that the defendant would not engage in the information collecting at issue. For 18 example, in D’Angelo v. FCA, plaintiffs sued Dodge for not informing them that Dodge.com allowed Salesforce to intercept and analyze their chats. 726 F. Supp. 3d at 1187–88. In relevant 19 part, the district court held that the data allegedly collected—including “the user’s account name, 20 IP address, geographic location, and site the user previously visited”—were not “sensitive” 21 enough to “give rise to an invasion of privacy.” Id. at 1206. At the same time, the court found it 22 relevant that “Plaintiffs do not allege that Defendant set out an expectation that it would not collect 23 chat conversations….” Id. at 1205. In contrast here, UMG “set out an expectation that it would not 24 collect” plaintiffs’ information from advertising or analytics cookies. Id. D’Angelo and other cases 25 where the website owner did not “set out an expectation that it would not collect” information are 26 therefore inapposite. 27 1 plaintiffs Wiley and Shah had a reasonable expectation of privacy in the information that was 2 collected by cookies they had attempted to reject. As the California Attorney General’s website 3 explains, the CCPA requires that companies give users the choice to opt out of any collection of 4 personal information for “cross-context behavioral advertising, which is the targeting of 5 advertising to a consumer based on the consumer’s personal information obtained from the 6 consumer’s online activity across numerous websites.” California Consumer Privacy Act, Off. of 7 the Attorney General, State of California (Mar. 13, 2024), https://oag.ca.gov/privacy/ccpa. 8 When evaluating Californians’ reasonable privacy expectations, the CCPA’s provisions are 9 highly relevant “customs, practices, and circumstances,” In re Facebook, 956 F.3d at 602, because 10 they provide Californians with the reasonable expectation that they will have some control over 11 their data and necessarily shape users’ expectations about their ability to opt out of websites’ 12 collection of data for profit. Cases decided prior to the 2020 adoption of the CCPA are thus of 13 limited value in considering users’ reasonable post-enactment expectations. See, e.g., In re Zynga 14 Priv. Litig., 750 F.3d 1098; In re Google Location Hist. Litig., 428 F. Supp. 3d at 198; White v. 15 Soc. Sec. Admin., 111 F. Supp. 3d 1041 (N.D. Cal. 2015). Today, when California users visit a 16 website, they can expect to see a popup screen giving them the option to opt out of various types 17 of tracking. Because many of the cases UMG cites do not consider this changed circumstance, 18 they do not persuasively establish the absence of a reasonable expectation of privacy with respect to the forms of post-CCPA data collection at issue here. 19 Considering both UMG’s affirmative representation that users could disable the tracking at 20 issue here as well as the CCPA, the “customs, practices, and circumstances” surrounding 21 plaintiffs’ visits to UMG’s websites gave plaintiffs a reasonable expectation of privacy with 22 respect to the data whose collection UMG allegedly facilitated. In re Facebook, 956 F.3d at 602. 23 Highly Offensive 24 UMG separately argues that even if plaintiffs had a reasonable expectation of privacy, the 25 alleged data collection and dissemination were not “highly offensive.” Whether a particular 26 invasion or intrusion was “highly offensive” presents a mixed question of law and fact, see Hill, 7 27 1 questions of law and fact.”), and requires considering the “degree and setting of the intrusion” and 2 “the intruder’s motives and objectives,” Hernandez, 47 Cal. 4th at 295. The “ultimate question of 3 whether … tracking and collection practices could highly offend a reasonable individual is an 4 issue that [often] cannot be resolved at the pleading stage.” See In re Facebook, 956 F.3d at 606. 5 As a result, dismissal under Rule 12(b)(6) is appropriate only if the allegations “show no 6 reasonable expectation of privacy or an insubstantial impact on privacy interests.” Hill, 7 Cal. 4th 7 at 40. “[D]eceit can be a kind of ‘plus’ factor” in determining whether an action is highly 8 offensive. See In re Google Location Hist. Litig., 514 F. Supp. 3d 1147, 1157 (N.D. Cal. 2021) 9 (quoting Heeger v. Facebook, Inc., 2019 WL 7282477, at *4 (N.D. Cal. Dec. 27, 2019); 10 McDonald v. Kiloo ApS, 385 F. Supp. 3d 1022, 1036 (N.D. Cal. 2019)). 11 Here, plaintiffs have pleaded that UMG affirmatively promised not to enable the tracking 12 of plaintiffs’ browsing behavior. Plaintiffs allege not only that they understood UMG to be 13 promising not to track them using performance or analytics cookies, but also that they “would not 14 have used the Websites” otherwise. UMG thus not only misled users into thinking that their opt 15 outs would be effective but led them to engage in tracked conduct they otherwise would not have 16 undertaken. Given that plaintiffs have alleged both an invasion of their reasonable expectations of 17 privacy and that this invasion was undertaken through deceptive conduct, plaintiffs have pleaded 18 facts sufficient to preclude the Court from concluding, as a matter of law, that UMG’s invasion was not “highly offensive.” 19 In arguing that enabling third-party data collection and disclosure was not “highly 20 offensive,” UMG relies on In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012), 21 and Hammerling, 615 F. Supp. 3d 1060. But neither case involved a specific promise that users 22 would not be tracked in specific ways. See In re iPhone, 844 F. Supp. 2d at 1049–50; 23 Hammerling, 615 F. Supp. 3d at 1078–79. Likewise, although the court in Morilha v. Alphabet 24 Inc., 2024 WL 5205542 (N.D. Cal. Dec. 23, 2024), concluded that “disclosure of IP addresses and 25 geolocation data is not sufficiently ‘egregious’ to support an invasion of privacy claim,” id. at *4, 26 plaintiffs here allege that a broader set of data was collected and disseminated, including 27 1 interests and preferences, shopping behaviors, device information, referring URLs, session 2 information, user identifiers, and/or geolocation data.” Similarly, in Jones v. Tonal Sys., Inc., 751 3 F. Supp. 3d 1025 (S.D. Cal. 2024), the court dismissed plaintiff’s claim because she “only 4 allude[d] to the possibility that chat feature conversations could be ‘private and deeply personal’” 5 and cited an inapposite study. Id. at 1043–44. In contrast here, plaintiffs have identified specific 6 kinds of information that, in the aggregate and drawing all inferences in plaintiffs’ favor, plausibly 7 allege that their tracking and disclosure of the information at issue was “highly offensive.” 8 As UMG notes, the Ninth Circuit recently held in Popa v. Microsoft Corp., 153 F.4th 784 9 (9th Cir. 2025), that the plaintiff in that case had not established a concrete injury-in-fact for 10 Article III standing purposes stemming from Microsoft’s “session-replay technology,” which 11 enables businesses to track users’ browsing activity. The panel reasoned that the plaintiff had not 12 established “how the tracking of her interactions … caused her to experience any kind of harm that 13 is remotely similar to the ‘highly offensive’ interferences or disclosures that were actionable at 14 common law.” Id. at 791. The Ninth Circuit suggested that “the kind of harm and not the degree” 15 is relevant for determining whether an alleged injury-in-fact is concrete enough relative to a 16 “specific common-law tort.” Id. 17 Here, plaintiffs have adequately alleged a concrete injury-in-fact under Popa. The website 18 owner in Popa did not indicate to users that it would not track their activities. See id. at 786–87. In 19 contrast, UMG did. Wiley and Shah affirmatively opted out of advertising and analytics cookies, 20 and UMG disregarded those choices. In other words, UMG made a misrepresentation to users 21 about whether they would be tracked. UMG’s misrepresentations make the actions alleged here 22 sufficiently “highly offensive” for an invasion of privacy or intrusion upon seclusion claim at the 23 pleadings stage. The harm is similar to that addressed by the common law public-disclosure-of- 24 private-facts tort, which prohibits the “public disclosure … of a private fact, … which would be 25 offensive and objectionable to the reasonable person, and … which is not of legitimate public 26 concern.” Taus v. Loftus, 40 Cal. 4th 683, 717 (2007). Though the tort has traditionally required 27 that the private information be “publicized,” the specific inquiry into whether a disclosure is 1 Article III injury in fact. Indeed, the Restatement (Second) of Torts, which Popa cited 2 approvingly, see 153 F.4th at 791, explains that misrepresenting how private information will be 3 used can constitute an invasion of privacy, see Restatement (Second) of Torts, § 652D cmt. C, 4 illus. 11. Here, plaintiffs allege that UMG told them that their individual information would not be 5 shared because they could opt out of unnecessary cookies, and yet it was. Plaintiffs have therefore 6 sufficiently pleaded an injury-in-fact for purposes of Article III standing. 7 For the foregoing reasons, UMG’s motion to dismiss plaintiffs’ intrusion upon seclusion 8 and invasion of privacy claims is denied. 9 C. Wiretapping 10 California Penal Code § 631(a) prohibits: 11 1) “by means of any machine, instrument, or contrivance, or in any other manner, intentionally tap[ping] or mak[ing] any unauthorized connection … with any 12 telegraph or telephone wire, line, cable, or instrument” 13 2) “willfully and without the consent of all parties to the communication, or in any 14 unauthorized manner, read[ing], or attempt[ing] to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit” 15 3) “us[ing], or attempt[ing] to use, in any manner, or for any purpose, or to 16 communicate in any way, any information so obtained” and 17 4) “aid[ing], agree[ing] with, employ[ing], or conspir[ing] with any person or persons 18 to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above….” 19 20 UMG argues that plaintiffs have inadequately alleged a violation of Clause 2 21 because that provision applies only when a third party reads “the contents or meaning of 22 any message, report, or communication” and only when it is “in transit.” Further, UMG 23 argues that plaintiffs have failed to adequately plead a violation of Clauses 3 or 4 because 24 a violation of those clauses depends in this case on a violation of Clause 2.3 And UMG 25 argues that, even if plaintiffs have adequately pleaded that third parties violated CIPA, they 26 have not pleaded that UMG aided those third parties because they have not alleged the 27 1 requisite intent. 2 Clause 2 of California Penal Code Section 631(a) prohibits “willfully and without the 3 consent of all parties to the communication, or in any unauthorized manner, read[ing], or 4 attempt[ing] to read, or to learn the content or meaning of any message, report, or communication 5 while the same is in transit.” UMG argues that “contents” of communications were not intercepted 6 and that, assuming they were, they were not intercepted while those contents were “in transit.” 7 Interpreting a similar provision in the federal Electronic Communications Privacy Act of 8 1986, the Ninth Circuit has distinguished between the contents of a message—i.e., the “intended 9 message conveyed by the communication” including “any information concerning the substance, 10 purport, or meaning of a communication”—and “record information regarding the characteristics 11 of the message that is generated in the course of the communication.” In re Zynga Priv. Litig., 750 12 F.3d at 1106–07 (citing 18 U.S.C. §§ 2511(3)(a), 2702(a), 2510(8)). Whether a particular form of 13 information involves the “contents” of a communication as opposed to mere “record information,” 14 depends on context. See id. For example, “a user’s request to a search engine for specific 15 information could constitute a communication such that divulging a URL containing that search 16 term to a third party could amount to disclosure of the contents of a communication.” Id. at 1108– 17 09; see also Brown v. Google, 685 F. Supp. 3d 909, 936 (N.D. Cal. 2023) (holding that “full-string 18 detailed URLs” that indicate search queries can be “contents” under the Wiretap Act). 19 Plaintiffs allege that third parties intercepted users’ “affirmative decisions, actions, choices, preferences, and activities, … including their browsing history, visit history, website 20 interactions, user input data, demographic information, interests and preferences, shopping 21 behaviors, device information, referring URLs, session information, user identifiers and/or 22 geolocation data.” While many of these categories of information appear to involve record 23 information rather than the contents of users’ communications, the alleged tracking of “website 24 interactions,” “user input data,” “shopping behaviors,” and potentially “referring URLs” could 25 convey, among other things, what users were searching for or what they wanted to do on UMG’s 26 websites. Both types of information would likely entail queries or clicks from users and as a result 27 1 Recovery Ctr. LLC, 2025 WL 2971090, at *4 (N.D. Cal. Oct. 17, 2025) (concluding that data 2 suffices as content for the purposes of § 631 when it “conveys far more than basic identification 3 and address information”). 4 The problem with plaintiffs’ wiretapping claim, however, is that plaintiffs do not 5 specifically allege that their communications were intercepted by any third parties. Plaintiffs 6 repeatedly allege that UMG enabled third parties to track the information and communications of 7 “Website users.” But with respect to their own interactions with UMG’s websites, plaintiffs allege 8 only that they visited UMG’s websites and chose to “Decline All” advertising and analytics 9 cookies. They do not allege that, in interacting with UMG’s websites, they personally engaged in 10 any communications with the websites whose content could have been intercepted. Cf. Yoon v. 11 Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1077, 1083 (C.D. Cal. 2021); Heerde v. Learfield 12 Commc’ns, LLC, 741 F. Supp. 3d 849, 854–55, 861–62 (C.D. Cal. 2024); Brown v. Google LLC, 13 685 F. Supp. 3d at 936–39; St. Aubin v. Carbon Health Techs., Inc., 2024 WL 4369675, at *2 14 (N.D. Cal. Oct. 1, 2024); In re Google RTB Consumer Priv. Litig., 606 F. Supp. 3d 935, 949 (N.D. 15 Cal. 2022). In the absence of any allegation that plaintiffs themselves interacted with the websites 16 in a manner that involved communications whose contents could have been intercepted, they fail 17 to plead the elements of a valid wiretapping claim. That claim will therefore be dismissed with 18 leave to amend. D. Pen Register 19 California Penal Code § 638.51(a) prohibits “install[ing] or us[ing] a pen register” without 20 a court order under specific circumstances. Section 638.50(b) defines a “pen register” as “a device 21 or process that records or decodes dialing, routing, addressing, or signaling information 22 transmitted by an instrument or facility from which a wire or electronic communication is 23 transmitted, but not the contents of a communication.” 24 UMG first argues that California’s pen register law only applies to telephones. The text of 25 the statute, however, contains no such limitation. Section 638.50’s definition does not limit “pen 26 registers” to telephones, even though other sections of CIPA are expressly so limited. See 27 1 Cal. Penal Code §§ 631(a), 632.7). This is a strong indication that UMG’s proposed limitation 2 misconstrues the statute. 3 UMG’s construction is also inconsistent with the California Legislature’s purpose in 4 enacting CIPA. Given ambiguity in construing California state law, “California courts ‘determine 5 the Legislature’s intent so as to effectuate the law’s purpose.’” In re Meta Pixel Tax Filing Cases, 6 793 F. Supp. 3d 1147, 1153 (N.D. Cal. 2025) (quoting Skidgel v. Cal. Unemp. Ins. Appeals Bd., 12 7 Cal. 5th 1, 14 (2021)). The California Legislature enacted CIPA and prohibited pen registers to 8 “protect the right of privacy of the people of this state from what it perceived as a serious threat to 9 the free exercise of personal liberties that cannot be tolerated in a free and civilized society,” as the 10 California Supreme Court observed. Flanagan v. Flanagan, 27 Cal. 4th 766, 775 (2002) (cleaned 11 up). CIPA’s purpose of protecting individuals’ privacy would be ill-served by limiting Section 12 638.51 to telephones in the absence of a strong textual basis for that limitation. 13 In support of its argument that pen register claims only apply to telephones, UMG points 14 to different statutory text and to CIPA’s legislative history. UMG notes that section 638.52(d), 15 which establishes the required content of any judicial order permitting use of a pen register, 16 requires specifying the “number and, if known, physical location of the telephone line to which the 17 pen register … is to be attached….” Cal. Penal Code. § 638.52(d)(3). In UMG’s view, these 18 references to telephone line-specific features demonstrate that the entire pen register statute applies only to telephones. 19 This limited textual provision suggesting that pen registers generally involve telephones 20 cannot trump the express statutory definition of pen register, which is not so limited. To the 21 contrary, a fair reading of Section 638.52(d) would allow an officer seeking a judicial order for an 22 online pen register to provide the equivalent of a “number” for the online device. The broader, 23 more capacious definition of Section 638.50 applies to more devices than the later statutory 24 sections might envision. 25 The legislative history UMG cites also does not prove that pen register claims must 26 involve telephones. While specific portions of the legislative history show that members of 27 1 calls,” the language that it chose was not so limited. Again, if California sought to limit pen 2 register claims to telephones, it knew how to do so and in fact did so in other sections of the 3 statute. 4 UMG also argues that because California law prohibits pen registers that record 5 information “but not the contents of a communication,” the law cannot apply to devices that also 6 collect the contents of a communication. This Court recently considered that argument and 7 rejected it in In re Meta Pixel Tax Filing Cases, 793 F. Supp. 3d at 1152–55. UMG does not offer 8 any arguments that lead the Court to reach a different conclusion here. 9 For these reasons, plaintiffs have sufficiently pleaded that the cookies placed on certain 10 users’ devices could amount to an unauthorized pen register. Once again, however, the problem 11 with plaintiffs’ pen register claim is that they have not alleged that they ever communicated with 12 the website. In the absence of any allegation that they communicated with the websites, they 13 cannot allege that the “dialing, routing, addressing, or signaling information” relating to any such 14 communication was unlawfully tracked. 15 As with plaintiffs’ wiretapping claim, UMG’s motion to dismiss plaintiffs’ pen register 16 claim is granted with leave to amend. Should plaintiffs choose to amend this claim, they must 17 identify not only their communications with UMG’s websites but also the specific “dialing, 18 routing, addressing, or signaling information” for outgoing communications that was tracked. E. Common law fraud, deceit, or misrepresentation 19 UMG argues that plaintiffs’ common law fraud, deceit, or misrepresentation claim should 20 be dismissed because plaintiffs fail to plead with requisite specificity the manner in which they 21 were harmed by UMG’s allegedly fraudulent conduct. Common law fraud in California requires 22 “(a) misrepresentation (false representation, concealment, or nondisclosure); (b) knowledge of 23 falsity (or ‘scienter’); (c) intent to defraud, i.e., to induce reliance; (d) justifiable reliance; and (e) 24 resulting damage.” Kearns v. Ford Motor Co., 567 F.3d 1120, 1126 (9th Cir. 2009) (emphasis 25 removed). A state law fraud claim being pursued in federal court must also satisfy Federal Rule of 26 Civil Procedure 9(b)’s particularity requirement by pleading “the who, what, when, where, and 27 1 Rule 9(b) is to “provide defendants with adequate notice to allow them to defend the charge and 2 deter plaintiffs from the filing of complaints as a pretext for the discovery of unknown wrongs.” 3 Id. at 1125 (internal quotation marks omitted).4 4 Here, plaintiffs have inadequately pleaded the “when … of the misconduct alleged.” Id. at 5 1126. Plaintiffs allege only that they visited specific UMG websites at some unspecified point in 6 the last four years and that, despite opting out of some cookies, UMG “nonetheless caused cookies 7 and tracking technologies … to be placed on [plaintiffs’] device[s] and/or transmitted to the Third 8 Parties along with user data, without [plaintiffs’] knowledge.” This level of generality fails to 9 provide UMG with notice of the misconduct alleged. UMG cannot, for example, determine what 10 specific representations regarding cookies were made on UMG websites on the specific dates that 11 Shah and Wiley visited those websites or determine how the websites were using any cookies 12 placed on users’ devices on those specific dates. See, e.g., Kearns, 567 F.3d at 1126 (concluding 13 that the plaintiff had not satisfied Rule 9(b) when he failed to plead “when he was exposed to” the 14 television advertisements at issue or to “specify … when [an allegedly fraudulent] statement was 15 made”). Because plaintiffs’ allegations do not satisfy Rule 9(b), UMG’s motion to dismiss 16 plaintiffs’ common law fraud, deceit, or misrepresentation claim is granted with leave to amend. 17 F. Unjust enrichment 18 UMG argues that plaintiffs’ unjust enrichment claim fails because unjust enrichment is not a standalone cause of action, because such a remedy only applies in the absence of a contract 19 (which plaintiffs argue exists), and because there was no misrepresentation or omission. On each 20 of these arguments, UMG is incorrect. 21 First, while California does not have a standalone cause of action called “unjust 22 23 4 As UMG notes, if a party alleges a “unified course of fraudulent conduct and rel[ies] entirely on 24 that course of conduct as the basis” for their claim, the “pleading … as a whole must satisfy the particularity requirement of Rule 9(b).” Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 25 2009). Contrary to UMG’s argument, however, Rule 9(b) does not apply to plaintiffs’ “pleading as a whole.” Id. While plaintiffs’ suit is based in part on UMG’s allegedly false promise not to enable 26 third parties to track users, none of their claims other than their fraud claim rely “entirely” upon that course of conduct. Id. Instead, the other claims focus primarily on privacy-related harms 27 resulting from the information gathering that was enabled by the cookies placed on plaintiffs’ 1 enrichment,” “[w]hen a plaintiff alleges unjust enrichment, a court may construe the cause of 2 action as a quasi-contract claim seeking restitution.” Astiana v. Hain Celestial Grp., Inc., 783 F.3d 3 753, 762 (9th Cir. 2015) (cleaned up); see also Hartford Cas. Ins. Co. v. J.R. Mktg., L.L.C., 61 4 Cal. 4th 988, 998 (2015). 5 Second, though plaintiffs allege contractual claims, plaintiffs have not plausibly pleaded 6 the existence of a contract, for the reasons explained below. 7 And third, plaintiffs have plausibly pleaded the existence of a misrepresentation or 8 omission because plaintiffs allege that UMG’s “representations that consumers could ‘Decline 9 All’ or toggle off all ‘Online Advertising’ and ‘Performance Analytics’ cookies while Plaintiff 10 Shah and users browsed the Websites, or at least those involved in providing personalized content, 11 advertising, and analytics services, were untrue.” 12 A defendant who unjustly enriches itself “may be required to make restitution[.]” Hartford 13 Cas. Ins., 61 Cal. 4th at 998. “[T]he obligation arises when the enrichment obtained lacks any 14 adequate legal basis and thus ‘cannot conscientiously be retained.’” Id. (quoting Restatement (3d), 15 Restitution and Unjust Enrichment, § 1 cmt. B, p. 6). Plaintiffs have alleged that UMG misled 16 them as to the effect of opting out of certain cookies and that the resulting data collection was 17 valuable because it enabled UMG to better market artists, better target advertisements, and better 18 profit from its understanding of users’ behaviors. Because plaintiffs have thus adequately alleged a cause of action for unjust enrichment, UMG’s motion to dismiss that claim is denied. 19 G. Breach of Contract 20 UMG argues that plaintiffs’ breach of contract claim should be dismissed because 21 plaintiffs did not form a contract with UMG. All enforceable contracts require consideration, 22 which means “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other 23 person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be 24 suffered, by such person other than such as he is at the time of consent lawfully bound to suffer,” 25 Cal. Civ. Code § 1605; see Godun v. JustAnswer LLC, 135 F.4th 699, 708 (9th Cir. 2025) 26 (“Because contract formation is a question of state law, we first look to the appropriate state 27 1 that a party must “confer (or agree to confer) a benefit or must suffer (or agree to suffer) 2 prejudice,” and, second, that the benefit or prejudice “must have induced the promisor’s promise.” 3 Steiner v. Thexton, 48 Cal. 4th 411, 420–21 (2010). 4 Plaintiffs have not adequately alleged the existence of a contract because they have not 5 pleaded that there was a bargained-for exchange. Plaintiffs argue that the benefit they conferred on 6 UMG was “surrender[ing] more data than they bargained for and that such data is valuable.” But 7 plaintiffs do not allege that they “bargained” for less tracking as opposed to having merely 8 indicated their preference for less tracking. To the contrary, plaintiffs received the same access to 9 UMG’s website whether or not they consented to additional cookies. While plaintiffs may have 10 alleged that UMG broke a promise, they have not alleged that the benefit plaintiffs conferred on 11 UMG induced UMG’s promise. Because plaintiffs have not adequately alleged that they formed a 12 contract with UMG, UMG’s motion to dismiss that claim is granted with leave to amend. 13 H. Breach of the Implied Covenant of Good Faith and Fair Dealing 14 The implied covenant of good faith and fair dealing exists in every contract and requires 15 “that no party to the contract will do anything that would deprive another party of the benefits of 16 the contract” and functions to “protect[] the reasonable expectations of the contracting parties 17 based on their mutual promises.” Digerati Holdings, LLC v. Young Money Ent., LLC, 194 Cal. 18 App. 4th 873, 885 (2011) (citing, among other cases, Wilson v. 21st Century Ins. Co., 42 Cal. 4th 713, 720 (2007), and Carma Developers (Cal.), Inc. v. Marathon Dev. Cal., Inc., 2 Cal. 4th 342, 19 373–74 (1992)). The implied covenant, however, applies only to existing contracts. See Guz v. 20 Bechtel Nat’l Inc., 24 Cal. 4th 317, 349–50 (2000). Because plaintiffs did not form a contract with 21 UMG, plaintiffs cannot plead a breach of the implied covenant of good faith and fair dealing. 22 UMG’s motion to dismiss the breach of the implied covenant of good faith and fair dealing is 23 therefore granted with leave to amend. 24 I. Trespass to Chattels 25 Finally, UMG argues that plaintiffs have failed to state a claim for trespass to chattels 26 because they have not plausibly alleged damage to their property. Under California law, a 27 1 interfere[] with plaintiff’s possessory interest,” and the trespass “proximately resulted in damage” 2 that “impaired the condition, quality, or value of the personal property.” Bui-Ford v. Tesla, Inc., 3 2024 WL 694485, at *7 (N.D. Cal. Feb. 20, 2024) (citing California state decisions). 4 Plaintiffs have failed to plausibly allege the second requirement—that UMG “impaired the 5 condition, quality, or value of [their] personal property.” Plaintiffs argue that the cookies impaired 6 their devices by damaging their security and “by taking up storage space.” In Intel Corp. v. 7 Hamidi, 30 Cal. 4th 1342 (2003), however, the California Supreme Court said that a trespass-to- 8 chattels plaintiff must “demonstrate some measurable loss from the use of [their] computer 9 system,” observing as relevant whether a defendant caused “any physical or functional harm or 10 disruption.” Id. at 1357, 1360. Here, plaintiffs have not plausibly alleged physical, functional, or 11 other “measurable loss” from the involuntary placement of cookies on their devices. UMG’s 12 motion to dismiss the trespass-to-chattels claim is therefore granted with leave to amend. 13 II. Motion to Strike 14 Federal Rule of Civil Procedure 12(f) allows striking “any redundant, immaterial, 15 impertinent, or scandalous matter.” Matter is “immaterial” if it “has no essential or important 16 relationship to the claim for relief or the defenses being pleaded” and is “impertinent” if it 17 “consists of statements that do not pertain, and are not necessary, to the issues in question.” 18 Fantasy, Inc. v. Fogerty, 984 F.2d 1524, 1527 (9th Cir. 1993) (quoting 5 Charles A. Wright & Arthur R. Miller, Fed. Prac. & Proc. § 1382, at 706–07, 711 (1990)), rev’d on other grounds, 510 19 U.S. 517 (1994). 20 UMG moves to strike certain screenshots plaintiff included in their complaint as well as 21 the multiple UMG websites they have listed. Those allegations, however, are not immaterial or 22 impertinent. The screenshots satisfy Rule 12(f) because, if properly authenticated, they show that 23 UMG continued to track users after users opted out of advertising or analytics cookies. The list of 24 websites identifies other UMG websites that may track users in similar ways because of UMG’s 25 actions. While UMG points out that plaintiffs do not say that the undated screenshots in question 26 are from plaintiffs’ own devices or experiences, the screenshots could later be verified as 27 1 an illustration of what happened when plaintiffs attempted to opt out of tracking. 2 UMG also argues that plaintiffs’ class allegations should be stricken because plaintiffs’ 3 || pleadings are inappropriately broad and untimely. Class allegations can be evaluated at the 4 || pleading stage, but their deficiencies should be “plain enough from the pleadings.” See Gen. Tel. 5 Co. of the Sw. v. Falcon, 457 U.S. 147, 160 (1982). UMG’s criticisms of plaintiffs’ class pleadings 6 and class definition are not so plain as to warrant striking them at this stage. UMG may raise its 7 arguments about plaintiffs’ proposed class definition at a later stage. 8 Accordingly, UMG’s motion to strike is denied in its entirety. 9 CONCLUSION 10 For the foregoing reasons, UMG’s motion to dismiss is denied in part and granted in part. 11 UMG’s motion to dismiss plaintiffs’ intrusion upon seclusion, invasion of privacy, and unjust a 12 enrichment claims is denied. UMG’s motion to dismiss plaintiffs’ CIPA wiretapping, CIPA pen 5 13 register, common law fraud, breach of contract, breach of the implied covenant of good faith and S 14 || fair dealing, and trespass to chattels claims is granted with leave to amend. Plaintiffs must file any 3 15 amended complaint within 28 days. Failure to file an amended complaint will result in the 16 || dismissal with prejudice of the claims dismissed in this order. UMG’s motion to strike is denied. IT IS SO ORDERED. 5 1g || Dated: December 17, 2025 19 20 Maybe P. Casey Pitts 21 United States District Judge 22 23 24 25 26 27 28