Shah v. Cap. One Fin. Corp., No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025) has raised some serious allegations against Capital One (“Defendant”), accusing the financial giant of secretly intercepting and sharing sensitive personal information through third-party tracking technologies on its website.
According to a group of plaintiffs, led by the somewhat seasoned Vishal Shah (see INVISIBLE DATA, REAL CONSEQUENCES: Navigating the IP Consent Dilemma – CIPAWorld), these trackers “instantaneously and surreptitiously” captured communications between users and the site, sending personal details to companies like Google, Microsoft, Adobe, Facebook, and others. The information allegedly shared included everything from employment and bank account details to credit card application status and browsing activities.
The Plaintiffs claim they never authorized sharing of their personal and financial data with these third or fourth parties for marketing and sales purposes. In the complaint, the Plaintiffs highlight specific privacy concerns, particularly with the targeted advertising section of Capital One’s Privacy Policy. The Policy states:
“We and our third-party providers may collect information about your activities on our Online Services and across different websites, mobile apps, and devices over time for targeted advertising purposes. These providers may then show you ads, including across the internet and mobile apps, and other devices, based in part on the information they have collected or that we have shared with them.”
The Plaintiffs argue that Capital One’s practices go well beyond what they ever agreed to in the company’s Privacy Policy. While the Privacy Policy does include an option to opt out of targeted advertising, this opt-out only applies to the “specific browser or device” used, meaning users may allegedly still be tracked across other platforms.
In total, the Complaint outlines a staggering 17 different causes of action, ranging from constitutional privacy violations to property claims. In response to these allegations, Capital One has filed a motion to dismiss the complaint in its entirety, along with all 17 claims brought forth by the Plaintiffs.
So, buckle in, and let’s go through them.
- Threshold Issues
Defendant sought to dismiss the entire Complaint for two overarching reasons: (1) the Complaint’s exhibits conflict with Plaintiffs’ key allegations and (2) Plaintiffs fail to allege that Defendant disclosed Plaintiffs’ personal information and financial information.
- Conflict between allegations of unauthorized disclosure and Privacy Policy attached to the Complaint.
Defendant contended that Plaintiffs’ allegations directly conflict with Defendant’s Privacy Policy because Defendant discloses that it releases customer information for third party marketing. However, the Court noted that while the Privacy Policy states that it collects information about a customer’s internet activities, it does not state that it releases that customer’s personal information such as employment information and credit card preapproval or approval status, which Plaintiffs allege is collected and shared. Therefore, the Court found that the Privacy Policy did not directly conflict with Plaintiffs’ allegations.
Defendant also argued that Plaintiffs consented to the disclosure of their personal information, that Defendant provided sufficient opt out instruction, and that the disclosures did not involve fourth parties. The Court found that the issue of consent was a factual question and declined to decide it at the pleadings stage.
- Sufficiency of allegations as to disclosure of personal and financial information.
For the second threshold issue, Defendant argued that Plaintiffs failed to allege specific disclosures of their personal and financial information. The Court found that they did. For instance, Plaintiffs alleged that they interacted with Defendant’s website, which they alleged contained third party trackers. They alleged that they put their personal and financial information, including employment information, bank account information, citizenship status, and credit card preapproval or eligibility, into Defendant’s website and then received targeted third- and fourth-party marketing ads. They also alleged that, as a result of using Defendant’s website, their information was transmitted to third party trackers such as Google, Microsoft, and Meta, without their consent. The Court found these factual allegations sufficient to allege the disclosure of Plaintiffs’ personal information and denied Defendant’s motion to dismiss as to the second threshold issue.
- Plaintiffs’ Negligence Claims.
Defendant first argued that Plaintiffs have not identified a duty owed by Defendant arising under the Gramm-Leach-Bliley Act (“GLBA”) or the Federal Trade Commission (“FTC”) Act, because neither statute provides a private right of action. The Court dismissed this argument as the Defendant conflated negligence and negligence per se, with only the latter being concerned with a statutorily identified duty.
Further, the Court evaluated the California factors for determining whether a valid duty of care exists and found that Plaintiffs did allege such a duty by alleging that they placed trust in Defendant to protect their personal information, which Defendant then disclosed.
Next, the Court turned to the economic loss doctrine, which prohibits recovery of purely pecuniary or commercial losses in tort actions. While Defendant argued that the economic loss rule bars Plaintiffs’ negligence claims, the Court found that Plaintiffs also pleaded non-economic harms such as lost time and money incurred to mitigate the effect of the use of their information. Accordingly, the Court denied Defendant’s motion to dismiss as to negligence.
- Plaintiffs’ Negligence Per Se Claims.
The doctrine of negligence per se creates an evidentiary presumption that affects the standard of care in a cause of action for negligence. Defendant next argued that negligence per se is not a standalone cause of action. The Court agreed and held that because Plaintiffs brought a negligence per se cause of action in addition to a negligence claim, the negligence per se claim was not proper. Accordingly, the Court granted Defendant’s motion to dismiss the negligence per se claim without leave to amend.
- Plaintiffs’ Invasion of Privacy Claim under the California Constitution.
To state a claim for invasion of privacy under the California Constitution, plaintiffs must show that they possess a legally protected privacy interest, they maintain a reasonable expectation of privacy, and the intrusion is so serious as to constitute an egregious breach of social norms.
The Court determined that regardless of whether Plaintiffs possessed a legally protected privacy interest or maintained a reasonable expectation of privacy in this case, the alleged disclosure of employment information, bank account information, and preapproval or approval for a credit card does not rise to the level of an “egregious breach of social norms.” The Court granted Defendant’s motion to dismiss as to the California constitutional privacy claim without prejudice.
- Plaintiffs’ Comprehensive Computer Data Access and Fraud Act (“CDAFA”) and the Unfair Competition Law (“UCL”) Claim.
The CDAFA prohibits certain computer-based conduct such as knowingly and without permission accessing or causing to be accessed any computer, computer system, or computer network. The CDAFA provides that only an individual who has suffered damage or loss due to a violation of the statute may bring a civil action. Similarly, the UCL prohibits “unlawful, unfair or fraudulent business act or practice.” To have standing under the UCL, a plaintiff must establish that they suffered an injury in fact and lost money or property as a result of the wrongful conduct.
Here, Plaintiffs stated that they had a property interest in their personal information and that they lost money and property when Defendant disclosed their personal information to third parties. However, the Court determined that Plaintiffs’ personal information does not constitute property. Additionally, Plaintiffs did not plead that they “ever attempted or intended to participate in the market for the information” Defendant allegedly disclosed, or that they derived economic value from that information. Further, the Court held that even an argument that Plaintiffs experienced a diminution of the value of their private and personal information would not confer standing. Accordingly, the Court granted Defendant’s motion to dismiss for lack of standing as to the CDAFA and the UCL without prejudice.
- Plaintiffs’ California Consumer Privacy Act (“CCPA”) Claims.
The CCPA imposes a duty on businesses to implement and maintain reasonable security practices to protect consumers’ personal information. While it is generally enforced by the California Attorney General, it also provides a limited private cause of action for any consumer whose personal information is subject to unauthorized access or disclosure as a result of a security breach. Courts, however, have also permitted CCPA claims to survive a motion to dismiss in cases where the plaintiff does not allege a data breach, but instead alleges that the defendants disclosed plaintiff’s personal information without consent by failing to maintain reasonable security practices.
In this case, because Plaintiffs allege that Defendant allowed third parties such as Google and Microsoft to embed trackers on its website and that these trackers transmitted Plaintiffs’ personal information, the Court held that Plaintiffs need not allege a data breach. Accordingly, the Court denied Defendant’s motion to dismiss as to the CCPA claim.
- Plaintiffs’ California Customer Records Act (“CRA”) Claims under §§ 1798.81.5 and 1798.82 of the California Civil Code.
The CRA regulates businesses with regard to treatment and notification procedures relating to their customers’ personal information. It requires businesses to “maintain reasonable security procedures and practices appropriate to the nature of the information” and to protect “personal information from unauthorized access, destruction, use, modification, or disclosure.”
The Court first addressed Plaintiffs’ CRA claim under § 1798.81.5. Defendant argued that because it is a financial institution, it is exempt from liability for any violations under this provision. See Cal. Civ. Code § 1798.81(e)(2) (exempting financial institutions from liability under section 1798.81.5). Plaintiffs, however, alleged that Defendant is a business within the meaning of § 1798.81.5(b). The Court sided with Defendant and granted its motion to dismiss without leave to amend as to Plaintiffs’ § 1798.81.5 claims.
The Court next addressed Plaintiffs’ CRA claim under Section 1798.82, which requires a business to disclose a breach of security systems to customers. Plaintiffs allege that the CRA applies because Defendant knew that Plaintiffs’ information was acquired by unauthorized persons and failed to disclose it to Plaintiffs. However, there must be a breach of security to show a CRA claim. See Cal. Civ. Code § 1798.82(a) (stating that a person or business shall “disclose a breach of security of the system following discovery or notification of the breach”). Further, a claim under section 1798.82 is not actionable for the breach itself but instead for the “unreasonably delayed notification,” so Plaintiffs must allege when the breach occurred. Here, the Court held that Plaintiffs not only failed to allege that there was a breach of security but also failed to allege when Defendant became aware of the alleged breach.
Accordingly, the Court granted Defendant’s motion to dismiss as to the CRA section 1798.82 claim without prejudice.
- Plaintiffs’ Breach of Express Contract Claim.
The Court found that Plaintiffs did not state a claim as to the breach of express contract because, while they alleged that they entered a contract with Defendant, they failed to cite to any specific section of the contract that Defendant allegedly violated. Instead, Plaintiffs stated generally that Defendant breached its express contract with Plaintiffs “to protect their nonpublic personal information.” Questioning where in the contract Defendant agreed to protect their nonpublic personal information or when Defendant explicitly promised not to disclose their data, the Court granted Defendant’s Motion to Dismiss as to the breach of express contract without prejudice.
- Plaintiffs’ Breach of Implied Contract Claim.
Plaintiffs alleged that they had an implied contract with Defendant that it would keep their personal information confidential. However, once again, Plaintiffs did not state a claim because they failed to expand on the nature of the implied contract. Plaintiffs also fail to differentiate the express contract claim from the implied contract claim – the Court noted that Plaintiffs must elaborate on whether the implied contract involves separate promises from the express contract because Plaintiffs cannot allege both an express contract and an implied contract on the same matter. Accordingly, the Court granted Defendant’s motion to dismiss as to breach of implied contract without prejudice.
- Plaintiffs’ Breach of Confidence Claim.
For the same reason as above, the Court held that Plaintiffs do not state a claim as to breach of confidence because they allege the existence of both an express and an implied contract, and the express contract precludes the breach of confidence claim. The Court dismissed the Plaintiffs’ claim without prejudice.
- Plaintiffs’ Unjust Enrichment Claim.
The Court acknowledged the “somewhat unclear” nature of unjust enrichment claims in California, but, noting that both the Ninth Circuit and the California Supreme Court have allowed independent claims for unjust enrichment to proceed, allowed Plaintiffs’ claim to proceed on the basis of the allegations that Defendant benefited from using Plaintiffs’ information and that Plaintiffs’ remedies at law are inadequate.
- Plaintiffs’ Bailment Claim.
Bailment is generally defined as the deposit of personal property with another, usually for a particular purpose. The Court held that Plaintiffs have not alleged a deposit of personal property that falls within the scope of bailment because they only allege that they deposited their personal information. The Court cited Worldwide Media, Inc. v. Twitter, Inc., 17-cv-07335-VKD, 2018 WL 5304852 (N.D. Cal. Oct. 24, 2018) and In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012), both finding that personal information is not something that can be delivered or taken custody of and later returned. Accordingly, the Court granted Defendant’s motion to dismiss as to bailment with prejudice.
- Plaintiffs’ Claim for Declaratory Judgment.
The Court acknowledged Defendant’s contention that the declaratory judgment claim is duplicative of other claims but held that Plaintiffs may still bring it as it is predicated on their negligence claim. Therefore, the Court denied Defendant’s motion to dismiss as to declaratory judgment.
- Plaintiffs’ Electronic Communications Privacy Act (“ECPA”) Claim.
The ECPA prohibits unauthorized interception of an electronic communication. To state a claim, a plaintiff must allege that the defendant intentionally intercepted the contents of plaintiff’s electronic communications using a device. The one-party consent exemption provides that it is not unlawful for a person to intercept a wire, oral, or electronic communication when that person is a party to the communication or when a party to the communication has consented to interception, unless the interception is to commit a crime or a tort.
Defendant argued that the “one-party consent exemption” applies because Defendant was a party to the communications. However, because Plaintiffs alleged that Defendant intercepted the contents of the communications for an unauthorized purpose, which resulted in tortious acts, the Court held that the one-party exemption does not apply.
Another reason that the one-party exemption does not apply is that the issue of whether Plaintiffs consented to Defendant’s conduct is at the center of the dispute – and this is a factual determination. Accordingly, the Court denied Defendant’s motion to dismiss as to the ECPA.
- Plaintiffs’ CIPA Claims
Plaintiffs allege that Defendant violated both §§ 631 and 632 of CIPA.
- Plaintiffs’ § 631 claims.
§ 631(a)(2) applies to anyone who reads, or attempts to read or to learn, the contents of a communication while it is in transit and without the consent of all parties to the communication. Defendant argues that Plaintiffs’ claims under § 631 fail because Plaintiffs consented to the data sharing practices in the Privacy Policy, do not allege that any third party read a communication “in transit,” and do not allege that Defendant disclosed “contents” of a communication.
As for the first issue, because this once again involves a factual determination of consent, the Court held that Plaintiffs’ allegations were sufficient for the pleadings stage. The Court also held that Plaintiffs plausibly alleged that Defendant intercepted communications while they were in transit by describing how Defendant allegedly installed third-party trackers on its website. Finally, Plaintiffs stated that the communication included personal information, which is a “content” under CIPA. As a result, the Court found that Plaintiffs sufficiently stated a claim as to § 631.
- Plaintiffs’ § 632 claims.
§ 632 prohibits intentionally and without consent using an “electronic amplifying or recording device” to eavesdrop upon or record a confidential communication. Again, because this issue hinges on whether Plaintiffs consented to Defendant’s disclosure, the Court found that Plaintiffs’ allegations are sufficient for purposes of a motion to dismiss.
Accordingly, the Court denied Defendant’s motion to dismiss as to the CIPA.
- Plaintiffs’ Stored Communications Act Claim.
The Stored Communications Act created a private right of action against anyone who intentionally and without authorization (or in excess of their authorization) accesses a facility through which an electronic communications service is provided. The Stored Communications Act, however, only provides liability for a provider that is a “remote computing services” or “electronic communication services.” Plaintiffs alleged in the complaint that Defendant is an electronic communication service because it “intentionally procures and embeds” Plaintiffs’ personal information through the tracking technology on Defendant’s website. However, the Court held that Defendant is not an electronic communication service because its website does not allow customers to send and receive messages to third parties. The Court compared the situation here to that in In re Betterhelp, Inc., No. 23-cv-01033-RS, 2024 WL 4504527, at *2 (N.D. Cal. Oct. 15, 2024), where the defendant was found to be an electronic communication service because defendant’s customers communicated with third parties through the “conduit” of defendant’s websites. Instead, Plaintiffs here themselves stated that they were unaware of the presence of the trackers, and did not allege that they communicated with the third parties. Therefore, because Defendant’s website does not allow customers to send and receive messages to third parties, the Court held Defendant is not an electronic communication service.
Accordingly, the Court granted Defendant’s motion to dismiss as to the Stored Communications Act with prejudice.
- Plaintiffs’ Computer Fraud and Abuse Act (“CFAA”) Claim.
The CFAA makes intentionally accessing a computer without authorization a federal crime. It imposes civil liability when someone “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access” unless the “object of the fraud” is less than $5,000 in any 1-year period. Plaintiffs here did not state a claim as to CFAA because they did not allege with specificity a loss of $5,000. The complaint only states that “secret transmission” of Plaintiffs’ personal information caused them loss, but it does not go into further detail. The alleged loss is therefore speculative, and insufficient for purposes of the CFAA. Accordingly, the Court granted Defendant’s motion to dismiss as to the CFAA claim without prejudice.
Takeaways
My first takeaway – if you got through all that, congratulations on your attention span. Secondly, a recurring theme in the Court’s extensive analysis is its refusal to determine issues of consent at the pleadings stage. This is nothing new or groundbreaking: the issue of consent unquestionably requires a factual investigation and is rarely, if ever, conclusive as grounds for a motion to dismiss.
On the brighter side for Capital One, the Court did agree to dismiss three of the Plaintiffs’ claims with prejudice, meaning the Plaintiffs cannot amend these claims and bring them again. These were Plaintiffs’ claims under negligence per se, bailment, and the Stored Communications Act.
The Court also granted the motion to dismiss as to Plaintiffs’ claims for invasion of privacy under the California Constitution, CDAFA, UCL, breach of express contract, breach of implied contract, breach of confidence, and CFAA, albeit with leave to amend. The California Constitution and CDAFA claims are notable for the Court’s findings that the alleged disclosures do not amount to an “egregious breach of social norms”, and that Plaintiffs’ personal information does not constitute property. This fits into a trend of Courts being somewhat hesitant to expand the scope of privacy standing where there is no “tangible” harm. Blake digs into this here: READ ALL ABOUT IT: Reuters Faces Privacy Lawsuit But The Court Finds No Story To Tell – CIPAWorld.
You can read the order here: Shah v. Cap. One Fin. Corp., No. 24-CV-05985-TLT, 2025 WL 714252 (N.D. Cal. Mar. 3, 2025)