Greetings, CIPAWorld!
I’m back with the latest, and we’ve got a fresh ruling out of the Eastern District of California that highlights just how tricky it can be for plaintiffs to plead viable CIPA claims based on pixel tracking technology. The decision in King v. Hard Rock Cafe Int’l, Inc., No. 2:24-cv-01119-DC-CKD, 2025 U.S. Dist. LEXIS 109123 (E.D. Cal. June 9, 2025), reinforces the increasingly well-settled view that fundamental web interactions—even if captured by the Meta Pixel—often do not constitute “contents” or “confidential communications” under the California Invasion of Privacy Act (“CIPA”).
If you’ve ever booked a hotel online, you know the drill. You start by picking your destination. Maybe it’s Las Vegas for a weekend getaway or San Francisco for a business trip. You click through dates, select the number of guests, and maybe browse between a standard room and a suite with a view. Each click feels like a private conversation between you and the hotel’s booking system. Right? But what if I told you that conversation is allegedly like a three-way call, with Facebook listening in the entire time?
The facts here are becoming all too familiar. Plaintiff, a Sacramento resident, visited Hard Rock’s hotel website in 2023 to book a stay. Unbeknownst to her, Hard Rock’s site included the Meta Pixel, which allegedly caused her web activity—including button clicks, room selections, and personal information—to be transmitted to Meta’s servers. Here, because Plaintiff had a Facebook account and used the same browser, Meta was allegedly able to link her interactions on Hard Rock’s site to her personal identity. The Meta Pixel then allegedly intercepted what Plaintiff characterized as “guest records” including name, address, telephone number, credit card number, email address, ZIP code, and user-specific values contained in Meta cookies, as well as button clicks selecting travel destinations, desired dates, number of rooms, and hotel preferences. See King, 2025 U.S. Dist. LEXIS 109123, at *3-4.
As a result, Plaintiff filed a class action under CIPA, seeking to represent all California Facebook users who had visited Hard Rock’s site. Specifically, the putative class consisted of “all California residents who have a Facebook account and accessed and navigated the Website while in California.” Id. at *2. The Complaint asserted violations of Section 631(a), which prohibits interception of communications, and Section 632, which bars recording of confidential communications without consent. Notably, Plaintiff pursued the fourth avenue of relief under Section 631(a), alleging that Hard Rock aided Meta’s wrongdoing rather than claiming Hard Rock directly intercepted communications. Think of it like this: Plaintiff wasn’t saying Hard Rock was the one eavesdropping—she was saying Hard Rock handed the wiretap to Facebook and said, basically, here, listen to this.
But as is often the case in these pixel-based lawsuits, the Court found that the pleading failed to meet the legal standards required under CIPA and dismissed the claims, with leave to amend.
The Section 631(a) claim was initially unsuccessful. As Judge Coggins explained, violations under CIPA are analyzed under the same standards applied to a violation of the federal wiretap act, the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2510 et seq. Under the ECPA, “contents” is defined as “any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). The Court relied on In re Zynga Privacy Litigation, where the Ninth Circuit held that “‘[c]ontents’ means ‘the intended message conveyed by the communication’ as opposed to ‘record information regarding the characteristics of the message that is generated in the course of the communication.'” In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). The Court also noted that courts employ a contextual, case-specific analysis hinging on “how much information would be revealed” by the information’s tracking and disclosure. Hammerling v. Google L.L.C., 615 F. Supp. 3d 1069, 1092 (N.D. Cal. 2022).
Here’s where things get legally fascinating. Let me give a hypothetical example to help put this into better context. Imagine you’re writing a text message to a friend about your vacation plans. The actual words “Hey, I’m thinking of going to Vegas next month” would essentially be “contents.” But if someone intercepted just the metadata—that you sent a text at 3 PM to phone number XXX-XXX-XXXX—that would be “record information.” In a hotel booking context, this means your actual travel preferences and personal details might be considered mere “record information” rather than the protected “contents” of a communication.
Applying that standard, the Court found that Plaintiff’s allegations—that her name, address, phone number, email, button clicks, and room selections were transmitted—failed to establish that the contents of her communications had been intercepted. The Court indicated that the Plaintiff’s First Amended Complaint (“FAC”) fails to sufficiently claim that the actual ‘contents’ of communications were intercepted, as opposed to merely ‘record information.’
Critically, the Court found that Plaintiff’s factual allegations were inadequate. As Judge Coggins observed, “Plaintiff’s FAC does not identify with specificity what information she provided on Defendant’s Website that was intercepted by Meta. Plaintiff’s FAC dedicates only one short paragraph to describing her personal interactions with Defendant’s Website.” King, 2025 U.S. Dist. LEXIS 109123, at *10. It’s like filing a complaint about a burglary by saying “someone took my stuff” without listing what was stolen. The Court distinguished this case from the requirements set in Cousin v. Sharp Healthcare, where complaints that only provided hypothetical examples and did not specify what information the plaintiffs shared with the defendants through their browsing history were deemed inadequate to support a CIPA claim. See Cousin v. Sharp Healthcare, 681 F. Supp. 3d 1117, 1123 (S.D. Cal. 2023).
The Court further explained that personal identifiers such as name, address, and email were record information under established precedent: “Generally, customer information such as a person’s name, address, and subscriber number or identity is record information, but it may be contents when it is part of the substance of the message conveyed to the recipient.” Hammerling, 615 F. Supp. 3d at 1092-93. Similarly, Plaintiff’s “button clicks” were “more akin to the ‘record’ information that the Ninth Circuit has held not to be contents of a communication.” Mikulsky v. Bloomingdale’s, L.L.C., 713 F. Supp. 3d 833, 845 (S.D. Cal. 2024); Yoon v. Lululemon U.S., 549 F. Supp. 3d 1073, 1082-83 (C.D. Cal. 2021) (holding that “mouse clicks” constitute record information, not “message content,” for purposes of CIPA, unlike the text of an email or message).
While the Court acknowledged that specific descriptive URLs might qualify as content, it found Plaintiff had not alleged that she conducted any such searches or that the URLs captured in her case contained such content. See St. Aubin v. Carbon Health Techs., Inc., No. 24-cv-00667-JST, 2024 U.S. Dist. LEXIS 179067, at *4 (N.D. Cal. Oct. 1, 2024) (“descriptive URLs that reveal specific information about a user’s queries” may reflect the “contents” of communications under CIPA). Although Plaintiff’s Complaint did provide examples of the types of “full-string URLs” allegedly intercepted by Meta, Plaintiff did not allege she conducted the searches or visited the webpages provided in the examples.
Plaintiff’s Section 632 claim faced a separate but related problem: a failure to establish that her communications were “confidential.” Section 632 requires that the plaintiff show the communication was “carried on in circumstances as may reasonably indicate that any party to the communication desires it to be confined to the parties thereto.” Cal. Penal Code § 632(c). The Court reiterated that “[c]ourts generally find that internet communications do not have an objectively reasonable expectation of confidentiality, especially if those communications can be easily shared by the recipients of the communications.” Yoon, 549 F. Supp. 3d 1073. A plaintiff must plead “something unique about [] particular internet communications” to demonstrate those communications are confidential. In re Meta Pixel Healthcare Litig., 647 F. Supp. 3d 778, 799 (N.D. Cal. 2022) (acknowledging that communications between patients and medical providers are distinct because they are “protected by federal law and are inherently personal.”).
Furthermore, Plaintiff attempted to invoke California Civil Code § 53.5(a), which provides that guest records are confidential, to support her claim. That’s a pretty smart move, if you ask me. You would think that hotel guest information—historically some of the most protected data in the hospitality industry—would get special treatment. After all, there’s a reason hotels have long been required to keep guest records confidential. However, the Court noted that the Plaintiff did not claim that her communications with the Defendant’s Website qualify as guest records. Moreover, her vague allegation that she merely “browsed and booked a Hard Rock hotel” was insufficient. See Cousin, 681 F. Supp. 3d at 1123 (finding CIPA complaints insufficient where they “only provided hypothetical examples and failed to specify what information plaintiffs provided defendants through their browsing history”). The Court explained that “regardless of whether ‘guest records’ under California Civil Code Section 53.5(a) qualify as ‘confidential’ communications under Section 632 of CIPA,” Plaintiff’s lack of specific facts about her website interactions was detrimental to the claim. King, 2025 U.S. Dist. LEXIS 109123, at *14-15.
Interestingly, the Court declined to address Hard Rock’s alternative argument that Plaintiff had consented to the data sharing through the website’s terms and policies, noting that “because the court finds Plaintiff has failed to state a claim under Sections 631 and 632, the court does not address Defendant’s arguments regarding consent.” King, 2025 U.S. Dist. LEXIS 109123, at *6 n.2. Accordingly, the Court denied Hard Rock’s request for judicial notice of the relevant terms and conditions as moot.
Ultimately, the Court dismissed both claims, but granted leave to amend. Still, the court order is yet another clear reminder of the hurdles pixel plaintiffs face in trying to fit web tracking into CIPA’s wiretap and eavesdropping framework.