Kiley Krzyzek, et al. v. OpenX Technologies, Inc.

• Court: District Court, N.D. California
• Decided: January 27, 2026
• Docket: 3:25-cv-05588
• Status: Unknown

Opinion

1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 KILEY KRZYZEK, et al., Case No. 25-cv-05588-SI

8 Plaintiffs, ORDER GRANTING IN PART AND 9 v. DENYING IN PART MOTION TO DISMISS 10 OPENX TECHNOLOGIES, INC., Re: Dkt. No. 26 11 Defendant.

12 13 Before the Court is defendant OpenX’s motion to dismiss plaintiffs’ putative class action. 14 Dkt. No. 26. The Court held a hearing on January 16, 2026. After considering the papers and oral 15 argument, the Court GRANTS IN PART and DENIES IN PART defendant’s motion to dismiss. 16 17 BACKGROUND 18 Plaintiffs bring this putative class action against defendant OpenX Technologies, Inc. 19 (“OpenX”). Defendant OpenX is a registered data broker.1 Dkt. No. 23, First Amended Complaint 20 (“FAC”) ¶ 11. OpenX operates the OpenX pixel, which plaintiffs allege “tracks in real time and 21 records indefinitely the personal information and specific web activity of hundreds of millions of 22 Americans.” Id. ¶ 1. This order assumes the reader’s familiarity with defendant’s pixel tracking 23 technology, described in detail in the FAC. Id. ¶¶ 65-173. In addition to its pixel, OpenX sells its 24 tracking services to advertising partners through its “identity resolution tool,” through which OpenX 25 “assigns an ID number to an individual so that the individual is attached to a record of their web and 26

27 1 A “data broker” is a “business that knowingly collects and sells to third parties the personal 1 app activity for the purpose of targeted advertising.” Id. ¶¶ 154-158. 2 Plaintiffs are natural persons and citizens of California who OpenX allegedly tracked. Id. 3 ¶¶ 4-5. Specifically, plaintiff Kiley Kyrzek alleges that the OpenX pixel collected information about 4 her device and browser, and “tracked her as she navigated through the [Covered California] website” 5 in 2022 and 2024 to apply for health insurance. Id. ¶¶ 199-203. Plaintiff Christian Calcines alleges 6 that the OpenX pixel tracked him while he navigated through the Bon Appetit website in April 2025 7 and intercepted his “article selections” and “audience information related to those selections.” Id. 8 ¶¶ 210-217. Calcines also alleges that the OpenX tracker was present on other websites he visited, 9 including Apartmenttherapy.com, Foxnews.com, and BusinessInsider.com. Id. ¶ 221. Each named 10 plaintiff also alleges that OpenX compiled the information it gathered into a profile on plaintiff, and 11 that plaintiffs were unaware of and did not consent to OpenX’s conduct. Id. ¶¶ 205, 207-208, 219, 12 222-223. 13 Plaintiffs bring five claims against OpenX: intrusion upon seclusion under California 14 common law (Count I); violations of provisions of the California Invasion of Privacy Act (“CIPA”), 15 California Penal Code §§ 631(a) and 638.51 (a) (Counts II and III), unjust enrichment (Count IV), 16 and violation of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2511 (Count 17 V). 18 On November 21, 2025, OpenX moved to dismiss plaintiffs’ first amended complaint for 19 lack of subject matter jurisdiction and failure to state a claim.2 Dkt. No. 26. Plaintiffs filed a 20 response3, and Open X filed a reply. Dkt. Nos. 27, 30. 21 22 23 /// 24

25 2 Plaintiffs filed their complaint on July 2, 2025. Dkt. No. 1. After defendant filed a motion to dismiss on October 3, 2025, plaintiffs filed their first amended complaint (FAC). Dkt. Nos. 22, 26 23.

27 3 Plaintiffs also filed “Exhibit 1 to Plaintiffs’ Opposition to Defendant’s Motion to Dismiss 1 LEGAL STANDARD 2 I. Rule 12(b)(1) 3 Federal Rule of Civil Procedure 12(b)(1) allows a party to challenge a federal court’s 4 jurisdiction over the subject matter of the complaint. As the party invoking the jurisdiction of the 5 federal court, the plaintiff bears the burden of establishing that the court has the requisite subject 6 matter jurisdiction to grant the relief requested. See Kokkonen v. Guardian Life Ins. Co. of America, 7 511 U.S. 375, 377 (1994) (internal citations omitted). A complaint will be dismissed if, looking at 8 the complaint as a whole, it appears to lack federal jurisdiction either “facially” or “factually.” 9 Thornhill Publ’g Co., Inc. v. General Tel. & Elecs. Corp., 594 F.2d 730, 733 (9th Cir. 1979); Safe 10 Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004) (“A Rule 12(b)(1) jurisdictional 11 attack may be facial or factual.”). When the complaint is challenged for lack of subject matter 12 jurisdiction on its face, all material allegations in the complaint will be taken as true and construed 13 in the light most favorable to the plaintiff. NL Indus. v. Kaplan, 792 F.2d 896, 898 (9th Cir. 1986). 14 15 II. Rule 12(b)(6) 16 Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint if 17 it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to 18 dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” 19 Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). This “facial plausibility” standard requires 20 the plaintiff to allege facts that add up to “more than a sheer possibility that a defendant has acted 21 unlawfully.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). While courts do not require “heightened 22 fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the 23 speculative level.” Twombly, 550 U.S. at 555, 570. 24 In deciding whether the plaintiff has stated a claim upon which relief can be granted, the 25 court must assume that the plaintiff’s allegations are true and must draw all reasonable inferences 26 in the plaintiff’s favor. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). 27 However, the court is not required to accept as true “allegations that are merely conclusory, 1 1049, 1055 (9th Cir. 2008). 2 If the Court dismisses the complaint, it must then decide whether to grant leave to amend. 3 The Ninth Circuit has “repeatedly held that a district court should grant leave to amend even if no 4 request to amend the pleading was made, unless it determines that the pleading could not possibly 5 be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1130 (9th Cir. 2000) 6 (citations and internal quotation marks omitted). 7 8 DISCUSSION 9 I. Article III Standing 10 The parties dispute whether plaintiffs have Article III standing to bring their claims against 11 OpenX. OpenX argues that the Court should dismiss plaintiffs’ claims for lack of subject matter 12 jurisdiction because plaintiffs do not allege “highly offensive” privacy injuries sufficient to confer 13 Article III standing. Mot. at 8-11. Plaintiffs respond that they establish an injury in fact because 14 OpenX “compiled detailed profiles by tracking [Plaintiffs’] interactions across many websites, 15 including websites where they disclosed sensitive data and selling that information to any and all 16 interested advertisers.” Opp’n at 2. 17 Federal courts may only hear a case if plaintiffs can show they have standing to sue. Spokeo, 18 Inc. v. Robins, 578 U.S. 330, 338 (2016, revised May 24, 2016). To establish standing to sue, 19 plaintiffs must show an injury, trace that injury to the defendant’s conduct, and prove that courts 20 can provide adequate redress for the injury. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992). 21 The injury “must be concrete, particularized, and actual or imminent.” Clapper v. Amnesty Int’l 22 USA, 568 U.S. 398, 409 (2013) (internal quotation marks and citation omitted). Intangible harms 23 may constitute concrete injuries if they bear a “close relationship to harms traditionally recognized 24 as providing a basis for lawsuits in American courts.” TransUnion LLC v. Ramirez, 594 U.S. 413, 25 425 (2021). “[B]oth the common law and the literal understandings of privacy encompass the 26 individual’s control of information concerning his or her person.” U.S. Dep't of Just. v. Reps. Comm. 27 For Freedom of Press, 489 U.S. 749, 763 (1989). 1 plaintiffs’ claims. See 153 F.4th 784, 791 (9th Cir. 2025). In Popa, the Ninth Circuit affirmed the 2 district court’s dismissal for lack of Article III standing where plaintiff alleged defendant’s session- 3 replay technology captured her information while she browsed for pet supplies on a single website, 4 https://www.petsuppliesplus.com, because the nature of the collected information was not 5 “embarrassing, invasive, or otherwise private.” Id. at 786-87, 791. The information defendant 6 collected allegedly included: the date the user visited the website, the device the user accessed the 7 website on, the type of browser the user accessed the website on, the operating system of the device 8 used to access the website, the country where the user accessed the website from, a user’s mouse 9 movements, a user’s screen swipes, text inputted by the user on the website, and how far down a 10 webpage a user scrolls, the user’s mailing address with the street number and zip code omitted, and 11 the pet supplies products the user clicked on. Id. 12 However, here, plaintiffs allege a more invasive injury. Indeed, plaintiffs allege that OpenX 13 compiled detailed user profiles by tracking plaintiffs’ interactions across many websites, including 14 sensitive browsing activity, without plaintiffs’ knowledge or consent. FAC. ¶¶ 43-44, 53-56, 79, 15 92-93, 163, 186, 238, 244. Plaintiffs also allege that OpenX tracked plaintiffs’ future web browsing 16 activity across the internet. Id. ¶¶ 174, 185, 206, 220. The collected data allegedly includes 17 “cookies, IP addresses, hashed email addresses4, HTTP headers that specify information such as 18 type of browser, device and operating system information, location information, and other unique 19 identifiers” and “information regarding the users’ activity on the websites and communications with 20 the websites in the form of full-string URLs and button click events.” Id. ¶¶ 89-90. Plaintiffs allege 21 that OpenX collects information on plaintiffs’ “interests and even-sociopolitical views.” Id. ¶¶ 43, 22 98. Plaintiffs Kyrzek and Calcines allege that, without their knowledge or consent, OpenX loaded 23 its pixel onto websites they visited (Covered California and BonAppetit, respectively), created a 24 new user profile of them or matched them to a pre-existing profile, collected and tracked their 25 browsing activity while on those websites, and then tracked their future web browsing activity across 26

27 4 Plaintiffs allege that while OpenX collects “hashed” email addresses and phone numbers, 1 the internet. Id. ¶¶ 199-224. 2 Unlike in Popa, which involved non-sensitive browsing activity on a single pet supply 3 website, here plaintiffs allege that OpenX created or added to detailed user profiles by tracking their 4 interactions across the internet, and that this tracking remains ongoing. Accordingly, this situation 5 is more akin to In re Facebook, Inc., Internet Tracking Litigation, finding Article III standing where 6 plaintiffs “adequately alleged that Facebook’s tracking and collection practices would cause harm 7 or a material risk of harm to their interest in controlling their personal information.” 956 F.3d 589, 8 596 (9th Cir. 2020).5 As in In re Facebook, OpenX allegedly “gained a cradle-to-grave profile 9 without users’ consent.” See id. at 599 (“As alleged, Facebook’s tracking practices allow it to amass 10 a great degree of personalized information. Facebook’s user profiles would allegedly reveal an 11 individual’s likes, dislikes, interests, and habits over a significant amount of time, without affording 12 users a meaningful opportunity to control or prevent the unauthorized exploration of their private 13 lives.”). 14 The Court is also unpersuaded by OpenX’s argument that plaintiffs lack standing because 15 the personal information OpenX’s pixel collected is anonymous. Mot. at 10-11, Reply at 7. OpenX 16 argues that it collects information tied to “devices – not individuals.” Mot. at 2. Beyond allegations 17 of OpenX’s technology’s capacity to deanonymize data, plaintiffs claim that OpenX products do 18 identify and deanonymize users. For instance, the complaint alleges that defendant effectively 19 deanonymized plaintiffs by using the information it gathers to tie plaintiffs to individual profiles 20 within a broad “identity graph.” FAC ¶¶ 56-57.6 Plaintiffs allege that through this process OpenX 21 5 Lower courts have recognized that Popa did not set out a new rule of law for Article III 22 standing, but rather applied the same common law rules to the individual circumstances of that case. See Dellasala v. Samba TV, Inc., 2025 WL 3034069, at *2 (N.D. Cal. Oct. 30, 2025); Camplisson 23 v. Adidas Am., Inc., 2025 WL 3228949, at *6 (S.D. Cal. Nov. 18, 2025). Indeed, “Popa confirmed that Facebook remains good law. Specifically, Popa observed that it ‘need not revist’ the continued 24 viability of Facebook, because Facebook’s alleged compilation of ‘personally identifiable browsing history’ demonstrated ‘individual circumstances giving rise to plaintiffs’ alleged injuries’ that 25 satisfied Article III’s standing requirements.” Deivaprakash v. Conde Nast Digital, 2025 WL 2779193, at * 1 (N.D. Cal. Sep. 30, 2025) (internal citation omitted). 26

6 In its reply brief, OpenX argues that the FAC does not adequately allege OpenX collected 27 hashed emails or hashed phone numbers from plaintiffs Kryzek and Calcines such that their 1 has amassed access to “nearly three-quarters of all Americans’ identities.” Id. ¶¶ 62. Where 2 anonymity is rendered “functionally meaningless,” lower courts have found “pseudonymization” 3 arguments unpersuasive. See, e.g., Riganian v. LiveRamp Holdings Inc., 791 F. Supp. 3d 1075, 4 1086-87 (N.D. Cal. 2025). 5 The Court finds that, at this stage of the litigation, plaintiffs have adequately pled a “highly 6 offensive” intrusion of privacy that invades a reasonable internet user’s expectation of privacy 7 sufficient to establish standing. See In re Facebook, 956 F.3d at 606 (“The ultimate question of 8 whether Facebook’s tracking and collection practices could highly offend a reasonable individual is 9 an issue that cannot be resolved at the pleading stage.”). Thus, the Court DENIES defendant’s Rule 10 12(b)(1) motion. 11 12 II. Intrusion Upon Seclusion (COUNT I) 13 OpenX argues that plaintiffs failed to establish either prong of an intrusion upon seclusion 14 claim. Mot. at 11-15. To state a claim for intrusion upon seclusion under California common law, 15 “[f]irst, the defendant must intentionally intrude into a place, conversation, or matter as to which the 16 plaintiff has a reasonable expectation of privacy, and second, the intrusion must occur in a manner 17 highly offensive to a reasonable person.” Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 287 (2009). 18 When determining whether a reasonable expectation of privacy exists, courts consider “a variety of 19 factors, including the customs, practices, and circumstances surrounding a defendant’s particular 20 activities.” In re Facebook, 956 F.3d at 601-02. When determining whether an invasion is “highly 21 offensive,” courts consider “the degree and setting of the intrusion,” as well as “the intruder’s 22 motives and objectives.” Hernandez, 47 Cal. 4th at 287. “Under California law, courts must be 23 reluctant to reach a conclusion at the pleading stage about how offensive or serious the privacy 24 intrusion is.” In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 797 25 (N.D. Cal. 2019). 26 OpenX first argues that plaintiffs cannot reasonably expect privacy while browsing on the 27 1 internet on websites such as Bon Appetit and Covered California. Mot. at 12. OpenX suggests 2 “[s]hopping on a public website, like shopping in a public store, is not an activity one can reasonably 3 expect to keep private from the retailer.” See Thomas v. Papa Johns Int’l., 2024 WL 2060140, at 4 *2 (S.D. Cal. May 8, 2024). Moreover, OpenX contends that there is no reasonable expectation of 5 privacy in the type of information that OpenX allegedly collected. Mot. at 13. 6 The Court finds that OpenX’s alleged conduct is very different from being observed by a 7 retailer while shopping in a store. Instead, as discussed above, OpenX allegedly tracks, compiles, 8 and sells massive amounts of information on plaintiffs, without their knowledge that an OpenX pixel 9 has been loaded onto a given website. The Court also agrees with various other lower courts that 10 have found that “engag[ing] in unauthorized tracking and data collection, allowing it to compile 11 detailed profile of each [p]laintiff’s online web browsing activity – including highly sensitive 12 browsing activity – tied to their email addresses and other personal identifiers” is actionable. Selby 13 v. Sovrn Holdings, 2025 WL 2950164, at *3 (N.D. Cal. Oct. 17, 2025); see also Riganian, 791 F. 14 Supp. 3d at 1087 (“the Court here cannot conclude at the pleading stage that Plaintiffs had no 15 reasonable expectation of privacy in the information that LiveRamp compiled across hundreds to 16 thousands of disparate online and offline sources and then sold to third parties without their 17 knowledge or consent”). Here, too, defendant allegedly amasses information allowing it to compile 18 detailed profiles to sell to advertisers. 19 OpenX next argues that its conduct collecting user information reflects “routine commercial 20 behavior,” and is not highly offensive. Mot. at 14. However, at this stage, the Court cannot conclude 21 that OpenX’s conduct was not offensive, as “courts must be reluctant to reach a conclusion at the 22 pleading stage about how offensive or serious the privacy intrusion is.” In re Facebook, Inc., 402 F. 23 Supp. at 797; see also Selby 2025 WL 2950164, at *3. Therefore, the Court finds that the plaintiffs’ 24 intrusion on seclusion claim can proceed. 25 26 27 1 III. Violations of CIPA § 631 and ECPA § 2511(1) (COUNTS II and V) 2 California Penal Code section 631 creates four alternative avenues of liability for any 3 person [1] who, by means of any machine, instrument, or contrivance, or in 4 any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, 5 inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of 6 any internal telephonic communication system, or

7 [2] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to 8 read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, 9 line, or cable, or is being sent from, or received at any place within this state; or 10 [3] who uses, or attempts to use, in any manner, or for any purpose, 11 or to communicate in any way, any information so obtained, or

12 [4] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the 13 acts or things mentioned above in this section . . . .

14 Cal. Pen. Code § 631(a) (subdivisions added for clarity); Javier v. Assurance IQ, LLC, 649 F. Supp. 15 3d 891, 897 (N.D. Cal. 2023). The third clause requires proving a violation of the first or second 16 clauses. See In re Google Assistant Priv. Litig., 457 F. Supp. 3d 797, 827 (N.D. Cal. 2020). 17 Otherwise, these clauses are independent bases for liability and a section 631 claim survives if a 18 plaintiff plausibly alleges a defendant committed any of the prohibited actions. Here, plaintiffs 19 allege violations of the last three clauses of the statute. FAC. ¶¶ 246-260.7 20 Plaintiffs also allege a violation of the ECPA, which provides a cause of action against any 21 person who “intentionally intercepts, endeavors to intercept, or procurers any other person to 22

23 7 In a footnote and during the hearing, defendant argued that “to the extent Plaintiffs’ vague allegations that Open X ‘enables Partner Trackers to identify the user behind any specific 24 communication’ is intended to invoke a claim under subsection (iv) aiding and abetting, that allegation is plainly insufficient.” Mot. at 15, n.3. Plaintiffs did not address this argument in their 25 opposition brief. When questioned by the Court at the hearing, plaintiffs directed the Court to FAC ¶ 257, which states: “Further, Defendant ‘[a]ids, agrees with, employs, or conspires with’ each 26 Partner Tracker that it provides identity resolution to and who intercepts Plaintiffs’ and California Subclass Members’ confidential communications, in that Defendant enables these Partner Trackers 27 to identify the user behind any specific communication.” The Court finds aiding and abetting 1 intercept or endeavor to intercept, any wire, oral, or electronic communication.” FAC ¶¶ 286-306; 2 18 U.S.C § 2511(1).8 3 The parties dispute whether defendant intercepted the “contents” of plaintiffs’ 4 communications; whether defendant is a third party subject to the law or a party to the conversation 5 exempt from the law; whether defendant intercepted communications “in transit,” and whether the 6 crime-tort exception to the ECPA applies. See Mot. at 15-21; Opp’n at 8-14. The Court considers 7 each argument in turn. 8 9 A. Contents of Communications 10 Open X argues that “information about [users’] devices, browsers, visits to Bon Appetit and 11 Covered California websites (though not any specific URLs), and unspecified ‘future browsing 12 activity’” do not constitute “contents” of a communication. Mot. at. 16. 13 “Contents” are defined as the “substance, purport, or meaning” of a communication. 18 14 U.S.C. § 2510(8); see U.S. v. Reed, 575 F.3d 900, 917 (9th Cir. 2009).9 The Ninth Circuit has 15 explained that “record information regarding the characteristics of the message that is generated in 16 the course of the communication” is not “content.” In re Zynga Priv. Litig., 750 F.3d 1098, 1106 17 (9th Cir. 2014). 18 Notwithstanding OpenX’s contention to the contrary, plaintiffs’ complaint adequately 19 alleges that OpenX intercepts more than just “record information.” Plaintiffs allege that OpenX 20 collects users’ “communications with [partner] websites in the form of full-string URLs and button 21 click events.” Id. ¶ 90. Plaintiffs allege that OpenX’s pixel intercepts the “detailed, full-string 22 URLS” from each page of a website that the user visits, “thereby intercepting the user’s 23 communications with the website regarding which articles they want to view.” Id. ¶ 170. The 24 complaint explains that those full-string URLs include the full title of articles users’ view, which 25 8 Courts analyze violations of 18 U.S.C. § 2511(1) and CIPA § 631(a) under the same 26 standards. See, e.g., Cline v. Reetz-Laiolo, 329 F. Supp. 3d 1000, 1051 (N.D. Cal. 2018).

27 9 Courts have determined that “the ‘contents’ of a communication under the ECPA and CIPA 1 reveals the users’ interests (e.g. “htpps://www.bonappetit.com/gallery/taylor-swift-travis-kelce- 2 pop-tarts”). Id. ¶ 120. “URLs which disclose search terms that reveal website users’ personal 3 interests, queries, and habits are ‘contents’ of communications under CIPA and ECPA.” R.C. v. 4 Walgreen Co., 733 F. Supp. 3d 876, 902 (C.D. Cal. 2024); see also, Selby., 2025 WL 2950164, at 5 *3. 6 Open X disputes plaintiffs’ contention that collecting the specific web pages users visit 7 discloses “personal interests, queries, and habits.” Opp’n at 9; Reply at 10. Further, Open X 8 contends that Selby, R.C., and other authority plaintiffs cite to are inapposite because in those cases 9 the defendants allegedly intercepted users’ “search terms” or “search queries,” whereas here the 10 complaint alleges OpenX intercepts URLs. Reply at 10. But, as these cases acknowledge, URLs 11 can also reveal website users’ personal interests, queries, and habits, particularly when aggregated 12 into comprehensive user profiles. 13 OpenX also argues that the complaint is deficient because plaintiffs do not identify which 14 specific URLs they visited while using the websites that OpenX purportedly tracked. Mot. at 17. 15 The Court disagrees. Plaintiffs have adequately alleged that OpenX intercepts not only the websites 16 visited, but also URLS including specific articles or pages the plaintiffs viewed. See, e.g., Gilligan 17 v. Experian Data Corp. 2026 WL 32259, *3 (N.D. Cal. Jan. 6, 2026). The Court acknowledges that 18 lower courts have sometimes found similar complaints deficient where a plaintiff does not identify 19 with specificity what searches they conducted or what webpages they viewed. See, e.g., King Hard 20 Rock Café International Café Int’l (USA), Inc., 2025 WL 1635419, *4 (E.D. Cal. June 9, 2025); 21 Lewis v. Magnite, Inc. 2025 WL 3687546 *12 (C.D. Cal. Dec. 4, 2025). However, the Court finds 22 that here plaintiffs have sufficiently alleged that OpenX intercepted the contents of their 23 communications while they navigated through various websites, including Bon Appetit and Covered 24 California, such that OpenX has adequate notice of plaintiffs’ claims. 25 26 B. Third Party 27 OpenX argues that that it is a “party” to plaintiffs’ alleged communications, and therefore 1 knowingly transmitted data to the website operators. Mot. at 17. OpenX suggests it is merely, “an 2 extension” of the website operators rather than an outsider “who presses up against a door to listen 3 to a conversation.” Id. (quoting Graham v. Noon, Inc. (Graham I), 533 F. Supp. 3d 823, 832 (N.D. 4 Cal. 2021)). Plaintiffs counter that the “extension approach” is the incorrect standard to apply, but 5 that even applying that outdated approach, OpenX would qualify as a third party. Opp’n at 12. 6 The Court finds that OpenX is a “third party” under CIPA § 631 because it “ha[s] the 7 capability of using its recording for another purpose.” See e.g. Turner v. Nuance Communications, 8 Inc., 735 F. Supp. 3d 1169, 1184 (N.D. Cal. 2024) (collecting cases applying the “capability 9 approach”). Plaintiffs may voluntarily visit the websites in question, but plaintiffs allege they did 10 not voluntarily or knowingly visit websites that intercepted and compiled their every search via 11 unannounced OpenX pixel. Therefore, while OpenX argues that it did not use any data for any 12 reason other than to facilitate sales of advertising impressions for its website partners, this is not the 13 question the third party analysis turns on. See Taylor v. ConverseNow Techs., Inc., 2025 WL 14 2308483, * 4 (N.D. Cal. Aug. 11, 2025). Instead, what matters is that the privacy concerns here are 15 akin to “having an unannounced second auditor listening in[.]” Turner, 735 F. Supp. 3d at 1182. 16 Accordingly, the Court rejects OpenX’s contention that it is exempt from liability on this basis. 17 18 C. Interception in Transit 19 The second clause of Section 631 requires that the defendant intercept a communication 20 when it is “in transit.” Cal. Pen. Code § 631(a). The “in transit” element has the same meaning 21 under the ECPA. To determine whether an interception has occurred, courts will look at “cases 22 analyzing the Wiretap Act as informative of section 631(a).” Licea v. Am. Eagle Outfitters, Inc., 23 659 F. Supp. 3d 1072, 1084 (C.D. Cal. 2023). The Ninth Circuit analyzed 18 U.S.C. § 2511(1) to 24 determine that interception “with respect to wire communications” is “acquisition contemporaneous 25 with transmission.” Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 878 (9th Cir. 2002). 26 Defendant argues that plaintiffs’ interactions with websites are not intercepted while “in 27 transit” because any interception “occurs after any communications arrived at their intended 1 communications in real-time. The complaint includes detailed descriptions of how OpenX’s pixel 2 technology purportedly works. FAC ¶ ¶ 124-162. The complaint adequately alleges that after the 3 OpenX pixel is loaded onto a user’s browser, then it “intercepts the detailed, full-string URL from 4 each page” of a website a user visits, “thereby intercepting the user’s communications with the 5 website regarding which articles they want to view.” FAC ¶ 170. This process allegedly occurs in 6 “transit,” and begins “within seconds” of the user reaching a partner website. Id. ¶ ¶ 168, 255. 7 OpenX suggests that, like in NovelPoster v. Javitch Canfield Grp., its purported conduct is 8 “analogous to collecting information about emails after they are received.” Mot. at 19; see 140 F. 9 Supp. 3d 938, 951-52 (N.D. Cal. 2014) (“There is only a narrow window during which an E-mail 10 interception may occur—the seconds or milli-seconds before which a newly composed message is 11 saved to any temporary location following a send command.”). But, unlike in NovelPoster where 12 emails were accessed in accounts after they were received, here the complaint alleges that OpenX’s 13 “interceptions” occurred while users communicated with websites through their browsing activities. 14 While OpenX may be able to show that it does not actually intercept any communications in transit, 15 that factual dispute is not appropriately resolved here. The Court therefore finds that plaintiffs have 16 plausibly alleged interception in transit. 17 18 D. Crime-Tort Exception 19 OpenX argues that plaintiffs’ ECPA claim fails because Bon Appetit and, allegedly, Covered 20 California10 consented to install the OpenX pixel on their websites, and thus there is no liability 21 under the ECPA. Mot. at 19-20. Plaintiffs contend that any consent is negated by the crime-tort 22 exception to the ECPA. Opp’n at 13-14. 23 Where “one of the parties to the communication has given prior consent to such 24 interception,” there can be no violation of ECPA. 18 U.S.C. § 2511(d); see also, In re Yahoo Mail 25 Litig., 7 F. Supp. 3d 1016, 1026 (N.D. Cal. 2014) (“The consent of one party is a complete defense 26

27 10 OpenX acknowledges that Bon Appetit installed OpenX’s pixel on its website, but states 1 to a Wiretap Act claim.”). However, the ECPA provides an exception (“the crime-tort exception”) 2 whereby there is a violation even with consent if the “communication is intercepted for the purpose 3 of committing any criminal or tortious act in violation of the Constitution or laws of the United 4 States or any state.” 18 U.S.C. § 2511(d); see Katz-Lacabe v. Oracle America, Inc. 668 F. Supp. 3d 5 928 (N.D. Cal. 2023); In re Google Inc. Gmail Litig., 2014 WL 1102660, at *18 n.3 (N.D. Cal. Mar. 6 18, 2014) (“Alleged interceptions fall within the tort or crime exception only where the ‘primary 7 motivation or a determining factor in [the interceptor’s] actions has been to injure plaintiffs 8 tortiously.’”) (quoting In re Double Click Inc. Privacy Litig., 154 F. Supp. 2d 497, 518 (S.D.N.Y 9 2001). Courts have held that “the association of Plaintiffs’ data with preexisting user profiles is a 10 further use of Plaintiffs’ data that satisfies this exception.” See Brown v. Google LLC, 525 F. Supp. 11 3d 1049, 1067 (N.D. Cal. 2021); see also Planned Parenthood Fed’n of Am., Inc., v. Ctr. for Med. 12 Progress, 214 F. Supp. 3d 808, 828 (N.D. Cal. 2016). 13 OpenX argues that ECPA’s crime-tort exception is inapplicable because OpenX’s primary 14 motivation in collecting data was to profit, or “routine commercial behavior,” rather than to injure 15 plaintiffs tortiously or criminally. Mot. at 20. The Court is not persuaded by the authorities OpenX’s 16 cites to argue financial motives cannot constitute tortious motive. See Lakes v. Ubisoft, Inc., 777 F. 17 Supp. 3d 1047 (N.D. Cal. 2025), appeal docketed, No. 25-2857 (9th Cir. May 2, 2025); Roe v. 18 Amgen Inc, 2024 WL 2873482, at *6 (C.D. Cal. June 5, 2024). As numerous lower courts have 19 found, being primarily motivated by profit does not render the crime-tort exception inapplicable. 20 See, e.g., R.C., 733 F. Supp. 3d at 902 (C.D. Cal. 2024) (collecting cases); Riganian, 791 F. Supp. 21 3d at 1090-91 (“Put simply, committing a tort and seeking a profit are not mutually exclusive (if 22 anything, the latter is often the reason for the former)”). Where, as here, plaintiffs adequately alleged 23 invasion of privacy, the Court is not convinced that ECPA’s crime-tort exception does not apply. 24 Therefore, the Court declines to dismiss plaintiffs’ ECPA claim. 25 26 E. Conclusion as to CIPA § 631 and ECPA § 2511 Liability 27 OpenX’s arguments that plaintiffs have failed to state claims under CIPA § 631 and ECPA 1 third, and fourth clauses of Section 631. The Court therefore DENIES OpenX’s motion to dismiss 2 plaintiffs’ claims under CIPA § 631 and ECPA § 2511. 3 4 IV. Violation of CIPA § 638.51 (COUNT III) 5 Under Section 638.51(a) of the California Penal Code, “a person may not install or use a pen 6 register ... without first obtaining a court order[.]” A pen register is a “device or process that records 7 or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or 8 facility from which a wire or electronic communication is transmitted, but not the contents of a 9 communication.” Cal. Penal Code. § 638.50(b). 10 OpenX argues that pixels do not meet the definition of a “pen register” under CIPA for three 11 primary reasons. Mot. at 21. First, defendant argues that its pixel is not a pen register because it 12 records a user’s own information, and is therefore not akin to the numbers dialed on a telephone. 13 Id. Second, defendant argues that CIPA’s legislative history demonstrates that it does not apply to 14 web pixels. Id. at 22. Third, defendant argues that reading CIPA’s definition of pen registers to 15 encompass web pixels would create conflict between the California Penal Code and the California 16 Consumer Privacy Act (CCPA). Id. at 23. OpenX relies on various state court decisions to support 17 its interpretation. 18 Numerous courts in this district and elsewhere have already found pixels to be “pen 19 registers” at the pleading stage, and OpenX’s arguments tread no new ground. See Fregosa v. 20 Mashable Inc., 2025 WL 2886399, at *2 (“Several judges in this district, including Judges Lin, 21 Orrick, Pitts, Ryu, Tigar, and [Breyer], have held that such allegations suffice at the pleading 22 stage.”); see also Bradshaw v. Lowe’s Companies, Inc., 2025 WL 3171740, at *7 (S.D. Cal Nov. 23 12, 2025) (“[T]he case law is not in Defendants’ favor. Indeed, it uniformly supports the opposite 24 outcome”). Another court in this district recently determined OpenX’s pixel to be a pen register at 25 the pleading stage. See Echeverria-Corzan v. Fox Corp., No. 2025 WL 3128194, at *1 (N.D. Cal. 26 Nov. 7, 2025). For the same reasons these earlier courts have stated, the Court finds that plaintiffs’ 27 CIPA § 638.51 claim can proceed. ] V. Unjust Enrichment (COUNT IV) 2 Finally, defendant argues that the Court should dismiss plaintiffs’ unjust enrichment claim 3 || because plaintiffs do not plead that they lack an adequate remedy at law. Mot. at 23. Plaintiffs 4 || contend that they bring their unjust enrichment claim in the alternative, which is sufficient at the 5 || pleading stage. Opp’n at 21. 6 In Sonner v. Premier Nutrition Corp., the Ninth Circuit held that a plaintiff could not pursue 7 || equitable relief unless there is no adequate remedy at law. 971 F.3d 834, 844 (9th Cir. 2020). The 8 Court finds that plaintiffs’ unjust enrichment claim must be dismissed with leave to amend, because 9 || plaintiffs have not alleged that they lack an adequate remedy at law. See Jn Re Apple Processor 10 || Litig., 2023 WL 5950622, at * 2 (9th Cir. Sept. 13, 2023) (“[p]laintiffs were obliged to allege that 11 they had no adequate legal remedy in order to state a claim for equitable relief); see also Selby, 2025 12 || WL 2950164, at *4 (failing to allege “how the money they seek through restitution is any different 13 || than the money they seek as damages”); Gilligan, 2026 WL 32259, at *4 (“Nothing in the Complaint 14 || indicates that the plaintiffs’ legal remedies are insufficient.”). Therefore, the Court GRANTS 3 15 OpenX’s motion as to Count IV, with leave to amend.

17 CONCLUSION Zz 18 For the foregoing reasons and for good cause shown, the Court hereby GRANTS defendant’s 19 || motion to dismiss with leave to amend as to Count IV only. To the extent plaintiffs wish to amend 20 || their complaint, they must do so by February 5, 2026. The Court DENIES the remainder of 21 defendant’s motion to dismiss. 22 23 IT IS SO ORDERED. 24 || Dated: January 27, 2026 Site WU tee 25 SUSAN ILLSTON 26 United States District Judge 27 28