UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
ETHAN ALLISON, Case No. 25-cv-05323-RFL
Plaintiff, AMENDED ORDER GRANTING IN v. PART MOTION TO DISMISS
PHH MORTGAGE, Re: Dkt. No. 18 Defendant.
I. INTRODUCTION Plaintiff Ethan Allison brought this putative class action against Defendant PHH Mortgage, alleging that PHH secretly configured and implemented code-based tracking devices into its website that disclosed his and other users’ personal and financial information without their knowledge or consent. Allison’s complaint asserts eleven claims under federal and state law. (Dkt. No. 1 (“Compl.”).) PHH now moves to dismiss the complaint under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim. (Dkt. No. 18.) For the reasons that follow, PHH’s motion to dismiss is GRANTED IN PART AND DENIED IN PART with leave to amend. II. BACKGROUND The facts detailed below are based on the allegations contained in the complaint, the truth of which the Court accepts for purposes of resolving the motion to dismiss. See Boquist v. Courtney, 32 F.4th 764, 772 (9th Cir. 2022). A. phhmortgage.com PHH, a subsidiary of Onity Group Inc.,1 is a mortgage lender and servicer that “offers industry-leading mortgage solutions for the entire mortgage lifestyle including correspondent lending, MSR/Co-Issue, subservicing, commercial servicing, reverse mortgages and portfolio retention.” (Compl. ¶¶ 17, 23.) PHH provides services both in the United States and globally via its website, https://www.phhmortgage.com. (Compl. ¶ 2.) The website “allows users to explore various services relating to their mortgages and home loans, including refinancing, home purchasing, applying for pre-approval, loan applications and loan approval.” (Compl. ¶ 26.) On the website, “customers can, among other things, apply for loans, use an online loan calculator, request callbacks from PHH to apply for a loan, and navigate to libertyreversemortgage.com . . . to learn about and apply for reverse mortgages.” (Compl. ¶ 2.) B. PHH’s Alleged Collection and Sharing of User Data PHH allegedly installed trackers on its website “purposely and secretly . . . to gather and share information about Customers.” (Compl. ¶ 28.) These are “code-based tracking devices” made by third parties such as Google, HotJar, Microsoft, Yahoo, and Blend/Sentry.io. (Compl. ¶¶ 3, 28, 39, 49.) “When an individual accesses a webpage containing online tracking technology . . . the trackers instantaneously and surreptitiously duplicate communications with that webpage and send the[m] to the Third party. The information travels directly from both the user’s browser and the webpage owner’s server and then on to the Third Party’s server, based off instructions from the Third Party’s tracker.” (Compl. ¶ 32.) Crucially, the trackers “may not be deleted from an individual’s device” because “they are built into a webpage,” over which a customer does not have control. (Compl. ¶ 33.) By way of example, PHH allegedly shares users’ pre-approval application activities with Google and Blend/Sentry, a third-party application processor that PHH uses to process pre-
1 At the time the complaint was filed, PHH had announced that it was changing its name to Onity Mortgage, which was to be established as a “doing business as” of PHH Mortgage. (Compl. ¶ 17 n.7.) The Court takes judicial notice of the fact that in line with its prior announcement, PHH has since changed its name to Onity Mortgage. See Fed. R. Evid. 201. This order continues to refer to Defendant as “PHH” to avoid confusion. approval loan applications. (Compl. ¶¶ 43, 58, 62.) First, PHH informs Google when a user is starting a pre-approval application. “PHH sends events to Google informing it that [a] user is on a page entitled ‘Get Pre-Approved | PHH Mortgage’” and then “sends another set of events informing it that the user is on a page with the URL, ‘https://www.phhmortgage.com/Get- started.’” (Compl. ¶ 60.) PHH also “discloses users’ scrolling details on the ‘Get-started’ page,” for example, revealing that a user scrolled a certain percentage of the way through the page. (Compl. ¶ 61.) And PHH discloses to Blend/Sentry when user is creating an account on PHH, whether they have a coborrower, whether they own real estate, and whether they are applying for a purchase rather than a refinance. (Compl. ¶¶ 63–64.) As another example, PHH allegedly discloses information to third parties such as Google concerning customers’ equity and refinancing loan applications, including the fact that they applied for these types of loans. (Compl. ¶ 65.) PHH informs Google when users are on the page for “Get Cash Out of Your Equity | PHH Mortgage” and when the user navigates to the page for PHH’s cash out refinancing product.” (Compl. ¶¶ 67–68.) PHH also reports to Google when users start filling out the form to begin an equity loan or cash-out refinancing loan application and that users have submitted their applications for these loans. (Compl. ¶ 70–72.) As a result of the trackers PHH installed on its website, PHH has “transmitted Customers’ communications with PHH’s website and thus their Personal and Financial Information to . . . Third Parties without Customers’ knowledge or authorization. This information included their browsing activities including the pages they viewed and the buttons they clicked; the user’s status as a customer; the user’s browsing activities, including that the user clicked certain buttons and what URLs or webpages they led to; loan application activities, such as that a user is applying for a loan or mortgage; Customers’ use of PHH’s online loan calculator; when a Customer requested a callback from PHH to apply for a loan; and disclosures about users’ activities on the Liberty Website when users browse pages about reverse mortgages.” (Compl. ¶ 46.) The trackers also allow PHH to track and share data capable of identifying a particular user and tracking them across websites, such as “users’ IP addresses, cookies, and ‘browser fingerprints.’” (Compl. ¶ 38.) PHH allegedly uses “the information it collect[s] to market its services and bolster its profits by surreptitiously diverting the information to Third Parties like Google and Facebook.” (Compl. ¶ 29.) By collecting and sharing user information with third parties, PHH is able to “save costs on its marketing campaigns, improve its data analytics, attract new customers, and generate sales.” (Compl. ¶ 4.) Armed with this information, third parties can “more effectively create, manage and grow high-impact digital marketing campaigns.” (Compl. ¶ 38.) Third parties also “act as data brokers, meaning they collect data, compile it into datasets, and sell it to” other parties—i.e., fourth parties—who can in turn use the information for their own purposes. (Compl. ¶ 114.) Thus, third parties are not only able to use PHH users’ information for their own benefit, but they are also able to share this data to “benefit fourth parties who are even further removed from the Customers.” (Compl. ¶ 30.) C. PHH’s Privacy Representations PHH’s privacy representations are contained in a group of “Privacy Contracts” comprising Onity Group’s Privacy and Security Policy, California Consumer Privacy Act (“CCPA”) Disclosure, Terms & Conditions, and Privacy Notice. (Compl. ¶ 90.)2 The Privacy Contracts, which are contained on various sections of Onity Group’s website, explain Onity and its subsidiaries’ practices for “collecting, using, maintaining, protecting, and disclosing” user information, as well as users’ rights regarding their data. (Compl. ¶¶ 91–96.) Privacy and Security Policy. Per its own characterization, the Privacy and Security Policy “describes the types of information PHH . . . may collect from [users] offline or when [they] visit [PHH’s] websites . . . and [PHH’s] practices for collecting, using, maintaining, protecting, and disclosing that information.” (Dkt. No. 1-1 at 3.)3
2 Because the Privacy Contracts are attached to the complaint and incorporated by reference in the complaint, they are properly considered when deciding PHH’s motion to dismiss. See UFCW Loc. 1500 Pension Fund v. Mayer, 895 F.3d 695, 698 (9th Cir. 2018). 3 All references to page numbers in documents on the docket refer to ECF pagination. With regard to data collection, the Privacy and Security Policy discloses that PHH collects “several types of information from and about” its users, including (a) information provided by users such as “name, address, email address, telephone number, social security number, education, employment, financial information, . . . assets and liabilities, income, username/password, . . . internet protocol address, and other personally identifying information”; (b) information provided by “affiliates” such as users’ “loan approval amount[s], loan balance[s], payment histor[ies] and other loan account information from businesses within the PHH Mortgage Corporation Family”; and (c) “[i]nformation collected automatically as [users] navigate through the Website[, including] . . . usage details . . . and inforamtion [sic] collected through cookies for advertisements.” (Dkt. No. 1-1 at 3–4.) With regard to data use, the Privacy and Security Policy states that PHH uses the information it collects or receives to, among other things, “work with marketing partners to provide [users] with products or services that may be of interest” and “to report aggregated information to [its] advertisers and to audit use of the Website.” (Dkt. No. 1-1 at 4.) The Policy also indicates that PHH may disclose the information it collects or receives to “contractors, service providers, and other third parties [PHH] use[s] to support [its] business” and “to retailers and other third parties to market to [users]” subject to PHH’s Privacy Notice. (Dkt. No. 1-1 at 4– 5.) Privacy Notice. Onity’s Privacy Notice provides additional explanation to users regarding what PHH does with their personal information. (Dkt. No. 1-4.) The Privacy Notice discloses that PHH can share users’ personal information for various purposes including “for non-affiliates to market to [them],” and defines non-affiliates as financial and nonfinancial “[c]ompanies not related by common ownership or control.” (Dkt. No. 1-4 at 2, 4.) CCPA Disclosure. Onity’s CCPA Disclosure “applies solely to California residents” who are not “consumer[s] or customer[s] of personal, household, or family financial products or services,” and “explains how Onity Group Inc. and its subsidiaries and affiliates, including PHH Mortgage Corporation and its subsidiaries and affiliates (collectively ‘PHH’, ‘us’, ‘our’, or ‘we’) collect, use, disclose, and/or retain personal information (‘Information Practices’) subject to the California Consumer Privacy Act (‘CCPA’).” (Dkt. No. 1-2 at 2.) The CCPA Disclosure contains a “Notice at Collection” that “identifies the categories of personal information to be collected from [users] and the purposes for which the personal information will be used.” (Dkt. No. 1-2 at 2.) Among the categories of “General Personal Information” that are identified is “Internet or Other Similar Network Activity,” which includes “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.” (Dkt. No. 1-2 at 4.) The Notice does not disclose that this information is being collected for marketing purposes. (Dkt. No. 1-2 at 4.) The CCPA Disclosure also contains a “California Privacy Policy” which describes “online and offline practices” regarding user information and users’ “rights as they related to . . . collection and use of . . . personal information.” (Dkt. No. 1-2 at 6.) While the California Privacy Policy lists categories user information disclosed to third parties, it does not indicate that users’ “Internet or Other Similar Network Activity” is disclosed to any third parties. (Dkt. No. 1-2 at 6–7.) The CCPA Disclosure further clarifies that the “General Personal Information” and “Sensitive Personal Information” listed within it are collected from users directly, internet service providers, and operating systems and platforms. (Dkt. No. 1-2 at 8–9.) It also states explicitly, “We do not sell or share personal information for cross-context behavioral advertising. We do not sell or share sensitive personal information.” (Dkt. No. 1-2 at 9.) Terms & Conditions. The Terms & Conditions contain the terms and conditions governing PHH’s website and other Onity websites. (Dkt. No. 1-3.) Regarding information gathering, the Terms & Conditions state:
Our website does not covertly capture information regarding the specific activities of any particular user. Our website does, however, produce reports that permit us to view your activity on our website in anonymous or aggregated form. The only personal information that we capture has been specifically submitted to us through our email information request function, or data specifically input by users into predetermined input forms and webpages programmed throughout our website. (Dkt. No. 1-3 at 3–4.) D. Allison’s Experiences Allison used PHH’s website to apply for a mortgage in or around 2020 or 2021. (Compl. ¶ 131.) He “regularly used PHH’s Website for managing his mortgage, checking his balance, making payments including setting autopay, and accessing tax forms.” (Compl ¶ 131.) Allison alleges that through PHH’s “use of Third Party Trackers on its Website” and the “systematic data sharing process” described above, PHH “disclosed to Third Parties information [he] provided to PHH . . . including [his]: Existing user or Customer status; Browsing activities, including the pages and content [he] viewed; Coborrower information; Real estate ownership information; The type of loan [he] applied for; Identity, including via his IP address; and Information collected through an Internet ‘cookie’ (or information collecting device from a web server).” (Compl. ¶¶ 141–42.) Allison states that he did not expect his personal information to be transmitted to third parties who were uninvolved in providing mortgage services. (Compl. ¶¶ 136–38.) He represents that he “would not have submitted his information to PHH if [he] had known it would be shared with Third Parties and further sold to fourth parties for purposes of marketing Third and fourth party products.” (Compl. ¶ 144.) III. LEGAL STANDARD To survive challenge under Rule 12(b)(6), a plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” See Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim “has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). The complaint must allege “more than a sheer possibility that a defendant has acted unlawfully.” Id. When ruling on a motion to dismiss, a court may consider only “the complaint, materials incorporated into the complaint by reference, and matters [subject to] judicial notice.” See UFCW Loc. 1500 Pension Fund v. Mayer, 895 F.3d 695, 698 (9th Cir. 2018) (citation omitted). A court must also presume the truth of a plaintiff’s allegations and draw all reasonable inferences in their favor. See Boquist, 32 F.4th at 773. However, a court need not accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” See Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1008 (9th Cir. 2018) (citation omitted). IV. DISCUSSION Allison’s complaint comprises eleven claims: (1) negligence, (2) negligence per se, (3) violation of the Comprehensive Computer Data Access and Fraud Act (“CDAFA”), (4) violation of California’s Consumer Protection Law (“UCL”), (5) violation of the California Consumer Privacy Act (“CCPA”), (6) breach of express and implied contract, (7) unjust enrichment, (8) declaratory judgment, (9) breach of confidence, (10) violation of the Invasion of Privacy Act (“CIPA”), and (11) violation of the Electronic Communications Privacy Act. A. Consent to PHH’s Information Sharing PHH’s overarching argument is that Allison’s complaint should be dismissed because he was notified of PHH’s collecting and sharing of his personal and financial information and expressly agreed to it. (Dkt. No. 18 at 12.) To be sure, “[c]onsent generally defeats privacy claims.” Javier v. Assurance IQ, LLC, No. 20-cv-02860-JSW, 2021 WL 940319, at *2 (N.D. Cal. Mar. 9, 2021). Allison admits to agreeing to the Privacy Contracts. (Compl. ¶ 242.) PHH contends that the complaint never “alleges any sharing of information by PHH that was inconsistent with or went beyond what was described in the Privacy Contracts,” which it asserts is fatal to Allison’s claims. (Dkt. No. 18 at 12.) However, as further explained below, the Privacy Contracts do not clearly disclose that PHH collects and shares information about a particular user’s activity on its website with third parties. Accordingly, it cannot be concluded as a matter of law that Allison or other PHH website users consented to that use of their data. “On a motion to dismiss, the burden of proof to show consent rests with defendants.” Doe v. FullStory, Inc., 712 F. Supp. 3d 1244, 1253 (N.D. Cal. 2024). Consent is “generally limited to the specific conduct authorized.” Javier, 2021 WL 940319, at *2. Thus, courts have required that privacy policies “explicitly notify” users “of the practice at issue” to establish consent. M.D. v. Google LLC, No. 24-cv-06369-AMO, 2025 WL 2710095, at *4 (N.D. Cal. Sept. 23, 2025) (citation omitted). If a reasonable user “could have plausibly interpreted the contract language as not disclosing that [PHH] would engage in particular conduct, then [PHH] cannot obtain dismissal of a claim about that conduct . . . based on the issue of consent.” In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 789–90 (N.D. Cal. 2019). As described above, the complaint alleges that PHH collects individual users’ activities on its website and discloses that information to third parties along with other information capable of identifying those users and linking them to other online accounts. PHH argues that the Privacy Contracts expressly permit this sort of information sharing. It points to the Consumer Privacy Notice, which states that PHH may share customers’ personal information with non- affiliates such as the third parties the complaint identifies for the non-affiliates to market to PHH’s users. (See Dkt. No. 1-4 at 2, 4.) PHH also references the Privacy and Security Policy, which provides that PHH may disclose the information it collects to “service providers” it “use[s] to support [its] business” and to “marketing partners,” including unaffiliated “retailers and other third parties,” to use the information to “market to [users].” (See Dkt. No. 1-1 at 4–5.) But PHH’s interpretation of the Privacy Contracts is not the only reasonable interpretation of those documents. Indeed, a reasonable user could interpret the Privacy Contracts in their entirety as disclosing only that PHH collects and shares user information in the aggregate but not information organized by particular users—for instance, that a particular user has started filling out a pre-approval loan application. While PHH points to several provisions in the Privacy Contracts permitting it to share users’ personal information with third parties, the Privacy Contracts also contain conflicting provisions that appear to disavow any collection of website activity at the individual level. Under the heading “Information Gathering,” the Terms & Conditions expressly provide that PHH’s website “does not covertly capture information regarding the specific activities of any particular user.” (Dkt. No. 1-3 at 3 (emphasis added).) Instead, the website “produce[s] reports that permit [PHH] to view [user] activity on [its] website in anonymous or aggregated form. The only personal information that [PHH] capture[s] has been specifically submitted to [it] through [its] email information request function, or data specifically input by users into predetermined input forms and webpages programmed throughout [its] website.” (Dkt. No. 1-3 at 3–4 (emphasis added).) Based on these representations, a reasonable user could interpret the Privacy Contracts in their entirety as disclosing only that PHH collects and shares user information in the aggregate but not information organized by particular users. This interpretation is underscored by provisions in the Privacy and Security Policy stating (a) that PHH uses information it collects about users or that users provide it “to report aggregated information to [its] advertisers” and (b) that “PHH may disclose aggregated information about [its] users, and information that does not identify an individual.” (Dkt. No. 1-1 at 4, 6.) At the hearing, PHH contended that its disclosures could be read as describing collection and disclosure of information about individual users, as long as PHH did not disclose those users’ names, email addresses, or similar identifying information. That reading, however, appears directly at odds with the representation in the Terms & Conditions that the PHH website does not “capture” information about “any particular user,” which can be plausibly understood as a promise not to keep individualized data, and thus not to provide it to third parties. Therefore, to the extent that the Privacy Contracts disclose that PHH collects user data and shares it with third parties, it does not disclose that the data collected is individualized. The provisions PHH points to in the Privacy Contracts confirm this fact, as they disclose only that PHH shares information with third parties for marketing purposes but does not clarify whether that information is individualized or aggregated. (E.g., Dkt. No. 1-4 at 2 (“All financial companies need to share customers’ personal information to run their everyday business.”).) Accordingly, the Court cannot conclude as a matter of law that Allison and other PHH users consented to the information collection and sharing that is challenged here. See Allison v. United Wholesale Mortg., No. 25-cv-05377-WHO, 2025 WL 3702863, at *5 (N.D. Cal. Dec. 21, 2025) (granting motion to dismiss based on consent because plaintiffs insufficiently alleged that defendant’s use of data “goes beyond the scope of what is agreed upon by [defendant’s] Terms of Services or Privacy Policy.”). B. Negligence and Negligence Per Se Claims Allison’s complaint states a claim against PHH for negligence. To state a negligence claim under California law, a plaintiff “must establish four required elements: (1) duty; (2) breach; (3) causation; and (4) damages.” Wells Fargo Bank, N.A. v. Renz, 795 F. Supp. 2d 898, 924 (N.D. Cal. 2011) (citation omitted). As to the first two elements, the complaint contains allegations that PHH did not take proper care when disclosing individualized user information to third parties that could be used to deduce the users’ identities: namely, it failed to ensure that the information was not being shared or used in violation of their privacy disclosures and in violation of prevailing industry standards. See Shah v. Cap. One Fin. Corp., 768 F. Supp. 3d 1033, 1046 (N.D. Cal. 2025) (“Plaintiffs therefore alleged a valid duty of care by alleging that they placed trust in Defendant to protect their personal information, which Defendant then disclosed.”). (See Compl. ¶ 171.) Allison has also adequately alleged that PHH caused him injury by collecting his information and sharing it with third parties, and that Allison suffered not just mere “economic loss” but “actual loss” giving rise to negligence recovery. (Dkt. No. 18 at 16–17.) Indeed, Allison alleges that PHH disclosed, among other things, the type of loan(s) for which he applied (Compl. ¶¶ 71–72, 142), which qualifies as sensitive financial information that, if disclosed, can give rise to “a non-economic privacy injury traditionally recognized under the law.” Toy v. Life Line Screening of Am. Ltd., No. 23-cv-04651-RFL, 2024 WL 1701263, at *4 (N.D. Cal. Mar. 19, 2024); see also Greenley v. Avis Budget Grp. Inc., No. 19-cv-00421-GPC-AHG, 2020 WL 1493618, at *13 (S.D. Cal. Mar. 27, 2020). Allison also alleges that he lost time trying “to mitigate and remediate the effects of the use of [his] information” (Compl. ¶ 179), which is not a pure economic loss. Shah, 768 F. Supp. 3d at 1046; see also Gerber v. Twitter, Inc., No. 23-cv- 00186-KAW, 2024 WL 1354449, at *6 (N.D. Cal. Mar. 29, 2024) (recognizing lost time as a non-economic injury when prompted by the need to mitigate disclosure of highly sensitive information). Accordingly, the motion to dismiss Allison’s negligence claim is denied. However, Allison’s complaint does not state a claim for negligence per se. “The doctrine of negligence per se is not a separate cause of action, but creates an evidentiary presumption that affects the standard of care in a cause of action for negligence.” Dent v. Nat’l Football League, 968 F.3d 1126, 1130 (9th Cir. 2020) (cleaned up). Allison concedes that the two statutes he relies on, the Federal Trade Commission and Gramm-Leach-Bliley Acts, do not provide private rights of action. (Dkt. No. 18 at 15–16 (citing Hall v. Equifax Info. Servs., No. 21-cv-01979 JAM, 2021 WL 5566746, at *1 (E.D. Cal. Nov. 29, 2021), report and recommendation adopted, No. 21-cv-01979 JAM, 2022 WL 397556 (E.D. Cal. Feb. 9, 2022)); Dkt. No. 27 at 12–14.) Accordingly, the motion to dismiss Allison’s negligence per se claim is dismissed without leave to amend because amendment would be futile. “The dismissal, however, ‘should not be construed as ruling on the viability of [Allison’s] ability to employ the concept of negligence per se in establishing [his] negligence claim.’” Toy, 2024 WL 1701263, at *5 (quoting Medoff v. Minka Lighting, LLC, No. 22-cv-08885-SVW-PVC, 2023 WL 4291973, at *10 n.11 (C.D. Cal. May 8, 2023)). C. UCL and CDAFA Claims PHH’s motion to dismiss the UCL claim is denied. PHH’s motion to dismiss the CDAFA claims is granted as to the claims under Sections 502(c)(2) and (8) but denied as to the claim under Section 502(c)(1)(B). PHH argues that Allison lacks standing under both statutes. Allison has standing under the UCL. For a plaintiff to allege standing under the UCL, they must have (a) suffered an injury in fact and (b) lost money or property as a result of the alleged unfair competition. Hahn v. Select Portfolio Servicing, Inc., No. 18-cv-05629-JSC, 2018 WL 6046463, at *4 (N.D. Cal. Nov. 19, 2018). Allison alleges that as a result of PHH collecting and transmitting his data, he “[l]ost [the] benefit of his bargain with PHH, as [he] did not receive the reasonable privacy and data security protections for which he paid.” (Compl. ¶ 145(f).) This supports a plausible inference that Allison had a mortgage with PHH and made payments on it, and that Allison would have been willing to pay less for his mortgage if he had known that his data would be collected by PHH and transmitted to third parties. That is sufficient to establish standing under the UCL. Accordingly, the motion to dismiss the UCL claim is denied. As to the CDAFA claims, Allison lacks standing to bring his claims under Sections 502(c)(2) and (8) but has standing to bring his Section 502(c)(1)(B) claim. Section 502(c)(2) prohibits “[k]nowingly access[ing] and without permission tak[ing], cop[ying], or mak[ing] use of any data from a computer, computer system, or computer network”; and Section 502(c)(8) prohibits knowingly introducing “any computer contaminant into any computer, computer system, or computer network.” Cal Penal Code § 502(c)(2), (8). Allison lacks standing to bring his claims under these sections because he was not subjected to the relevant proscribed conduct, namely, alleged access of his computer without permission or introduction of a computer contaminant into his computer. The complaint alleges only that PHH installed trackers on its website such that a user could not avoid the trackers with their device. (E.g., Compl. ¶ 33 (“Online tracking technologies may not be deleted from an individual’s device; they are built into a webpage, and a webpage Customer has no control or warning over their presence or data collection.”).) But there are no allegations that the trackers were ever introduced into Allison’s computer or that they accessed data from his computer. The complaint instead appears to allege that PHH’s trackers collected and transmitted data that Allison generated by engaging with PHH’s website. (E.g., Compl. ¶ 46.) Accordingly, Allison does not have standing to bring a claim under Sections 502(c)(2) or (8). This argument does not preclude standing under Section 502(c)(1)(B), which prohibits “[k]nowingly access[ing] and without permission . . . us[ing] any data, computer, computer system, or computer network in order to . . . wrongfully control or obtain money, property, or data.” As discussed above, the complaint contains allegations that PHH knowingly accessed Allison’s data. PHH argues that Allison nonetheless lacks standing because he has not demonstrated that he suffered economic harm or loss caused by damage to his computer system, network, program, or data. (Dkt. No. 18 at 18.) However, PHH’s alleged unjust profit from the use of Allison’s personal information “can plausibly constitute a ‘damage or loss’ under CDAFA,” as CDAFA does not limit those terms to “expenditures to determine whether a computer system or data was damaged” or “the costs of damaged computer systems or data.” Tsering v. Meta Platforms, Inc., No. 25-cv-01611-RFL, 2026 WL 89320, at *5 (N.D. Cal. Jan. 12, 2026) (quoting Smith v. Rack Room Shoes, Inc., No. 24-cv-06709-RFL, 2025 WL 2210002, at *3 (N.D. Cal. Aug. 4, 2025)). Allison therefore has demonstrated he has standing to bring his claim under Section 502(c)(1)(B). Accordingly, the motion to dismiss Allison’s CDAFA claims is granted as to the claims under Sections 502(c)(2) and (8) and denied as to the claim under Section 502(c)(1)(B). Dismissal is with leave to amend because the Court cannot conclude on the current record that amendment would be futile. D. CCPA Claim Allison’s complaint states a claim under the CCPA. PHH argues only that Allison lacks standing under the CCPA because the statute’s private right of action is limited to data breaches. (Dkt. No. 18 at 18.) However, the CCPA provides a private right of action to any “consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a)(1) (emphasis added). Nothing in the plain language of the provision limits its application to data breaches by third parties. By its own terms, the language covers unauthorized disclosure of private information that was to be kept secure and confidential, regardless of whether the disclosure was intentional or merely negligent, and regardless of whether the disclosure was made by a third party or agents of the defendant. See Shah, 768 F. Supp. 3d at 1048–49 (allowing CCPA claim to proceed where “the plaintiff does not allege a data breach” but that “‘defendants disclosed plaintiff’s personal information without his consent’” (quoting M.G. v. Therapymatch, Inc., No. 23-cv-04422-AMO, 2024 WL 4219992, at *7 (N.D. Cal. Sept. 16, 2024))). The Legislature may have been focused principally on third-party security breaches, as reflected in the section’s title of “Personal Information Security Breaches,” but the language of the statute is not limited to that scenario. PHH cites no case law or legislative history counseling a contrary result. Accordingly, given Allison’s allegations that PHH disclosed his personal information without his consent due to its failure to ensure it sent only aggregated user information, the motion to dismiss this claim is denied.4 E. Breach of Express and Implied Contract Claims Allison’s complaint states a breach of express contract claim. Although the Privacy Contracts disclose that PHH may share user data with third parties for their own purposes, Allison adequately alleges that PHH breached provisions of the Privacy Contracts stating that PHH would not collect and disclose individualized user data. As detailed above, Allison has plausibly alleged a violation of the provision of the Terms & Conditions stating that PHH’s website “does not covertly capture information regarding the specific activities of any particular user.” These allegations plausibly allege the existence of an obligation that PHH breached by collecting and disclosing individualized user data that was covertly collected while users were browsing its site. See Young v. Facebook, Inc., 790 F. Supp. 2d 1110, 1117 (N.D. Cal. 2011) (dismissing a breach of contract claim in the absence of such allegations). Accordingly, the motion to dismiss Allison’s breach of express contract claim is denied. However, Allison’s complaint fails to state a claim for breach of implied contract. “[A]n implied contract cannot exist when there is an express contract between parties covering the same subject.” Doe I v. Google LLC, 741 F. Supp. 3d 828, 848 (N.D. Cal. 2024). To plead breach of express and implied contract claims in the alternative, a plaintiff must allege that the provisions relied on in the express contract claim are alternatively unenforceable. See
4 The Court declines to rule on PHH’s argument that Allison’s failure to provide written notice to PHH precludes him from seeking statutory damages, which is only raised in a footnote (Dkt. No. 18 at 19 n.7). See Est. of Saunders v. Comm’r, 745 F.3d 953, 962 n.8 (9th Cir. 2014) (“Arguments raised only in footnotes, or only on reply, are generally deemed waived.”). In any event, a motion to dismiss must be directed to a claim, not a particular form of damages. See Farella Braun + Martel LLP v. Fed. Deposit Ins. Corp., No. 24-cv-01306-SI, 2024 WL 3972992, at *6 (N.D. Cal. Aug. 28, 2024). Hammerling v. Google LLC, 615 F. Supp. 3d 1069, 1096 n.13 (N.D. Cal. 2022). Allison’s complaint contains no such allegations, instead intertwining the breach of express and implied contract claims. (Compl. ¶¶ 241–47.) Accordingly, the motion to dismiss Allison’s breach of implied contract claim is granted. Dismissal is with leave to amend because the Court cannot conclude on the current record that amendment would be futile. F. Unjust Enrichment Claim Allison’s complaint fails to state a claim for unjust enrichment. “A claim for unjust enrichment is essentially a claim for restitution, the elements of which are that the defendant received and unjustly retained a benefit at the plaintiff’s expense.” See Lau v. Gen Digital Inc., No. 22-cv-08981-RFL, 2024 WL 1880161, at *5 (N.D. Cal. Apr. 3, 2024) (citing Durell v. Sharp Healthcare, 183 Cal. App. 4th 1350, 1370 (Cal. Ct. App. 2010)), aff’d sub nom. Karwowski v. Gen Digital, Inc., No. 24-7213, 2025 WL 3002610 (9th Cir. Oct. 27, 2025). However, an unjust enrichment claim “cannot lie where there exists between the parties a valid express contract covering the same subject matter.” Barrett v. Apple Inc., 523 F. Supp. 3d 1132, 1156 (N.D. Cal. 2021) (quoting Lance Camper Mfg. Corp. v. Republic Indem. Co., 44 Cal. App. 4th 194, 203 (Cal. Ct. App. 1996)). Accordingly, a restitution claim “cannot survive a motion to dismiss unless the proponent adequately pleads that no legal remedy exists”—e.g., that that the terms of the alleged express contract are “invalid or are in any way unenforceable.” Id. at 1157. As discussed above regarding Allison’s implied contract claim, Allison’s complaint contains no allegations that the relevant provisions in the Privacy Contracts are invalid or otherwise unenforceable. Thus, the motion to dismiss Allison’s unjust enrichment claim is granted with leave to amend. G. Breach of Confidence Claim Allison’s complaint fails to state a breach of confidence claim. Breach of confidence claims, like other implied and quasi-contract claims, “must be based on an implied obligation or contract—not an express contract.” Huynh v. Quora, Inc., No. 18-cv-07597-BLF, 2019 WL 11502875, at *8 (N.D. Cal. Dec. 19, 2019). As previously discussed with regard to Allison’s implied contract and unjust enrichment claims, Allison’s complaint contains no allegations that the Privacy Contracts are invalid or unenforceable. Instead, Allison’s “breach of confidence claim is based on an express contract”—i.e., the Privacy Contracts. Id. Accordingly, the motion to dismiss the breach of confidence claim is granted with leave to amend. H. CIPA Claims Allison’s complaint brings two claims under CIPA: (1) violation of Section 631(a) , which prohibits persons from “aid[ing], agree[ing] with, employ[ing], or conspir[ing] with” a third party to “read[], or attempt[] to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained” “by means of any machine, instrument, or contrivance, or in any other manner”; and (2) violation of Section 632(a), which prohibits persons from intentionally recording confidential communications without consent of all parties to the communication. See Cal. Penal Code §§ 631(a), 632(a). While Allison’s complaint states a claim under Section 632(a), it fails to state a claim under Section 631(a). Section 631(a) applies only to “the contents or meaning of any message.” Cal. Penal Code § 631(a). Accordingly, to state a claim under Section 631(a), a plaintiff must “identify the contents of any communication that” the defendant “allegedly intercepted,” that is, “any information concerning the substance, purport, or meaning of that communication.” Brodsky v. Apple Inc., 445 F. Supp. 3d 110, 127 (N.D. Cal. 2020) (quoting 18 U.S.C. § 2510). “The analysis for a violation of CIPA is the same as that under the federal Wiretap Act.” Id. (citation omitted). In the context of federal wiretap law, the Ninth Circuit has held that “the ‘contents’ of an online communication . . . ‘refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication.’” Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1082 (C.D. Cal. 2021) (quoting In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014)). The complaint contains no allegations that the personal and financial information PHH allegedly shared with third parties were the “contents” of any communications between users and PHH’s website. For instance, while Allison alleges that PHH shares with third parties whether a user started and ultimately completed an equity loan form, Allison does not allege that PHH shares any of the user’s actual inputs when filling out that form. Nor does Allison allege that PHH is intercepting another communication from the user’s computer to the PHH website, such as a GET request. Indeed, it is unclear from the allegations presently in the complaint whether the trackers work by recording information about a user’s session on the website, intercepting a communication attempting to convey the precise user information PHH is alleged to have collected, or using some other method. Without allegations regarding the manner in which the trackers operate, Allison does not plausibly allege that PHH aided and abetted third parties in learning the contents of any communication as opposed to simply record or session information. See In re Zynga Priv. Litig., 750 F.3d at 1104; Yoon, 549 F. Supp. 3d at 1082. The motion to dismiss is therefore granted with regard to Allison’s claim under Section 631(a). Dismissal is with leave to amend because the Court cannot conclude on the current record that amendment would be futile. However, Allison states a claim under Section 632(a). PHH argues only that PHH consented to PHH’s recording of user information. (Dkt. No. 18 at 21.) But for the reasons previously described, a reasonable user could have understood the Privacy Contracts as not permitting PHH to collect individualized information from its users. Thus, Allison and other PHH users did not consent to the collection of that sort of user information. Accordingly, the motion to dismiss Allison’s Section 632(a) claim is denied. I. Federal Wiretap Act Claim PHH also moves to dismiss the federal Wiretap Act claim on the basis of consent. Consent of any “party to the communication” is a complete defense to a Wiretap Act claim unless the “communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” 18 U.S.C. § 2511(2)(d). PHH argues that Allison’s Wiretap Act claim fails because, at the very least, PHH consented to any alleged interception, and the complaint does not allege facts showing that PHH committed the tort that Allison identifies in his complaint, invasion of privacy. (Dkt. No. 18 at 21.) However, the complaint alleges that PHH collected and disclosed users’ sensitive financial information, such as whether a particular user was applying for a certain type of loan, in addition to collecting and disclosing IP addresses and other information capable of identifying a particular user. The complaint also alleges that PHH collected and disclosed this information while representing in its Privacy Contracts that it did not do so. Combined, that is sufficient to allege invasion of privacy under California law. Brown v. Google LLC, 525 F. Supp. 3d 1049, 1075 (N.D. Cal. 2021). Allison also plausibly alleges that PHH acted with the purpose of committing an invasion of privacy tort. (See Dkt. No. 18 at 21.) The complaint alleges that PHH installed trackers on its website to trade customers’ sensitive financial information to reduce the cost of marketing services. (See, e.g., Compl. ¶ 4.) That is sufficient to allege a purpose to invade privacy for PHH’s profit, which triggers the crime-tort exception. Riganian v. LiveRamp Holdings, Inc., 791 F. Supp. 3d 1075, 1091 (N.D. Cal. 2025) (rejecting the notion that a financial motive removes a claim from the crime-tort exception). The motion to dismiss Allison’s Wiretap Act claim is denied.5 J. Declaratory Judgment Allison’s complaint states a declaratory judgment claim. PHH argues only that dismissal is appropriate because all of Allison’s substantive claims fail. (Dkt. No. 18 at 21.) Because
5 Although, as discussed above, CIPA and federal wiretap claims are subject to the same analysis, PHH’s motion to dismiss argues only (a) that PHH consented to any alleged interception and (b) that the crime-tort exception does not apply. (Dkt. No. 18 at 21.) Accordingly, the Court does not reach any other bases upon which Allison’s federal wiretap claim might be dismissed. PHH’s motion to dismiss has been denied as to several of Allison’s claims, the motion to dismiss Allison’s declaratory judgment claim is too denied. V. CONCLUSION For the foregoing reasons, the Court GRANTS IN PART and DENIES IN PART PHH’s motion to dismiss. The Court GRANTS PHH’s motion to dismiss the negligence per se claim without leave to amend. The Court GRANTS PHH’s motion to dismiss the CDAFA Section 502(c)(2) and (8) claims, breach of implied contract claim, unjust enrichment claim, breach of confidence claim, and CIPA Section 631(a) claim with leave to amend. The Court DENIES the remainder of PHH’s motion to dismiss. If Allison wishes to file an amended complaint correcting the deficiencies identified above, he shall do so by June 4, 2026. Allison may not add new claims or parties without leave of the Court or stipulation by the parties pursuant to Federal Rule of Civil Procedure 15. Ifno such amended complaint is filed by that date, the claims that were dismissed in this Order will remain dismissed with prejudice. IT IS SO ORDERED. Dated: May 14, 2026
United States District Judge