California Federal Court Denies Class Certification in CIPA Pixel-Tracking Case
What You Need To Know
- A recent decision from the U.S. District Court for the Northern District of California denied class certification in a California Invasion of Privacy Act (CIPA) pixel-tracking case.
- The decision may give companies additional support for arguing that individualized issues of data sharing, consent, and standing preclude class treatment.
A California federal court denied class certification in Ingraham et al v. Capital One Financial Corporation, marking a significant class action ruling in website tracking litigation.
Background on CIPA Claims
CIPA prohibits intentional eavesdropping on, or recording of, certain confidential communications. After a Ninth Circuit decision held that website tracking technologies can give rise to CIPA claims, plaintiffs’ firms began targeting companies whose websites use third-party pixels and similar tracking tools. Subsequent district court decisions have permitted pixel-tracking claims, prompting numerous firms and pro se litigants to send mass demand letters to companies and to pursue claims in court and arbitration.
The Allegations
In 2024, plaintiffs filed a putative class action against Capital One, alleging that the company’s website used invisible third-party tracking technologies to transmit users’ private personal and financial information in violation of CIPA.
The plaintiffs moved to certify two classes, each with California subclasses:
- Server-to-Server Technology Class: A nationwide class of individuals whose information was collected or transmitted through server-to-server data-sharing technology.
- Tracking Technology Class: A nationwide class of individuals whose information was collected or transmitted through browser-based tracking technology.
Class Certification Denial
Although District Court Judge Trina Thompson identified common questions of law, she denied class certification because individualized issues predominated across several key areas:
- Predominance Issues with Categories of Data: The court held that consumers’ browsing habits and browser settings may affect how information is shared with third parties. The plaintiffs’ privacy claims would require individualized assessments of each putative class member’s interactions with the tracking technology and of the information included in that person’s credit card application, which is then ultimately shared with a third party.
- Predominance Issues with Consent: The court held that a consumer’s consent to the sharing of data would turn on each user’s subjective understanding of the relevant agreements. Therefore, the court would need to account for variations in the disclosures each person saw and whether each person knew about and consented to the alleged interception of data.
- Predominance Issues with Standing: The court held that the plaintiffs needed a class-wide method of proving harm, but they did not provide one. Instead, each prospective plaintiff would require an individualized, fact-intensive inquiry into what data was shared, when it was shared, why it was shared, and how it was shared.
Implications and Practical Takeaways for Businesses
This decision continues a recent trend of class certification denials in CIPA cases in the Northern District of California. While some companies struggle to obtain favorable orders on their motions to dismiss, these decisions on class certification reinforce that CIPA claims are complex, fact-intensive, and not necessarily viable after the pleadings are settled. The Capital One decision gives companies additional grounds to oppose class certification and may improve their leverage in resolving these disputes early in the process.
Before waiting to brief class certification, there are still meaningful steps that may help businesses reduce their risk from CIPA claims. The business may decide that before they ever collect information from a website user, they will require affirmative consent through an opt-in consent banner. Practically, this may greatly reduce the risk of ever seeing a claim and increase the chance of prevailing on a motion to dismiss. Alternatively, businesses may implement a geofence opt-in strategy and require opt-in in high-risk states, like California.
Summer associate Zoe Hayes contributed to this alert.