Privacy class actions under common law and California Penal Code § 638.51 theories surged in 2025, with a pivotal Northern District of California decision in December—Wiley, et al., v. Universal Music Group, Inc., No. 25-cv-03095-PCP, 2025 WL 3654085 (N.D. Cal. Dec. 17, 2025)—highlighting two critical takeaways. First, businesses must ensure cookie banner systems accurately track and respect user selections to avoid liability. Second, Defendants can demand plaintiffs detail specific website interactions and captured data to defeat motions to dismiss.
Case Background
Plaintiffs Christine Wiley and Vishal Shah claimed they visited UMG websites (e.g., postmalone.com), selected “Decline All” on cookie banners for advertising and analytics, yet UMG allegedly allowed third parties like Meta, Google, and TikTok to place trackers capturing browsing data such as IP addresses and user interactions. The suit invoked CIPA wiretap (§631(a)), pen register/trap-and-trace (§638.51), intrusion upon seclusion, invasion of privacy, unjust enrichment, and related claims, alleging UMG created false expectations of privacy via cookie banners influenced by CCPA norms.
Maintain Systems That Honor Cookie Banner Selections
UMG asserted that the browsing data at issue wasn’t the type of information in which users have a reasonable expectation of privacy. The Court acknowledged that standing alone, this might be true. However, UMG allegedly represented to plaintiffs that it would not collect information for advertising or analytics if they opted out of such collection. Wiley, 2025 WL 3654085 at *4. UMG’s alleged disregard of opt-outs constituted “highly offensive” deception, supporting Article III standing via injury-in-fact from misled website use. The court therefore denied dismissal of intrusion upon seclusion and invasion of privacy, finding plaintiffs plausibly alleged reasonable privacy expectations from UMG’s opt-out promises.
Specific Communications and Interception Required
The court dismissed Plaintiff’s CIPA wiretap claims because Plaintiffs never alleged that they themselves engaged in any communications with the websites whose contents were intercepted. They alleged generally what happened to “website users,” but as to their own conduct, they alleged only that they visited the websites and clicked “Decline All.” They never alleged that they searched for anything, entered queries, or otherwise communicated with the websites in a way that would generate interceptable content. Consequently, Plaintiffs similarly failed to allege how or what content had actually been intercepted.
Lessons
First, businesses do well to ensure that cookie consent mechanisms, privacy banners, and disclosures operate properly and match the representations given to users. Second, this latest decision emphasizes that businesses facing a CIPA class action should determine whether there is any evidence of Plaintiff actually interacting with their website and whether any data from that interaction was captured. Lack of any such evidence is a basis to argue that the case should be dismissed.