In a recent decision with broad implications for digital privacy enforcement, a California federal court denied Six Flags’ motion to dismiss a lawsuit alleging the amusement park operator unlawfully tracked website visitors through third-party cookies. The court allowed all seven causes of action—including violations of the Federal Wiretap Act, two separate provisions of the California Invasion of Privacy Act (CIPA), invasion of privacy under the California Constitution, intrusion upon seclusion, common law fraud, and unjust enrichment—to proceed past the pleadings stage. The matter is Casillas v. Six Flags Entertainment Corporation, Case No.: 2:25-cv-6824-CBM-PD.
In Casillas, the plaintiff alleged that the defendant, a Delaware corporation with its principal place of business in North Carolina, used tracking technologies on its website to intercept, collect, and profit from personal information of California residents—without obtaining proper consent.
The court began by addressing personal jurisdiction under Federal Rule of Civil Procedure 12(b)(2). Although the defendant is not incorporated or headquartered in California, the court found specific jurisdiction appropriate under the “Calder effects” test. The FAC plausibly alleged that the defendant purposefully directed its conduct at California by designing and operating a commercial, interactive website that sold amusement park tickets to California consumers, made references to California privacy laws, and falsely promised compliance with cookie consent preferences. These allegations were sufficient to satisfy all three prongs of the Calder test: intentional conduct, express aiming at the forum state, and knowledge that harm would be felt in that forum. Notably, the defendant failed to satisfy its burden of demonstrating the exercise of jurisdiction would be unreasonable, thus failing to rebut the plaintiff’s showing. The court accordingly found personal jurisdiction proper and denied the defendant’s request to transfer the case under 28 U.S.C. § 1631, which only applies when jurisdiction is lacking.
Turning to the substance of the claims under Rule 12(b)(6), the court found that the FAC sufficiently stated causes of action under all seven causes of action. Regarding the Federal Wiretap Act, the court emphasized that while certain data collected—such user’s name, email address and location—might constitute mere record information, the FAC also alleged the interception of “content” under the statute’s definition, including search queries, product selections, and user interests. These allegations satisfied the requirement that the intercepted data pertain to the “substance, purport, or meaning” of a communication.
Similarly, the court found that the privacy claims under California law—both the constitutional invasion of privacy and the common law tort of intrusion upon seclusion—were well-pleaded. The FAC alleged that plaintiff and other users had a reasonable expectation of privacy while interacting with the defendant’s website and that the surreptitious use of third-party cookies to track detailed browsing behavior was highly offensive. Although the defendant argued that the data collected was not sensitive enough to support such claims, the court held that this was a factual issue inappropriate for resolution at the pleading stage.
With respect to the CIPA §631(a) claim, the court clarified that the first clause of the statute, which addresses telephonic communications, did not apply to the internet-based conduct alleged. However, the second clause—which prohibits unauthorized attempts to read or learn the contents of communications in transit—did apply. Even if the defendant was a party to the communications and could not be directly liable, the FAC sufficiently alleged that it aided and conspired with third parties to intercept user data without consent. The allegations that cookies were installed and user data was transmitted in real time to third parties, despite users’ opt-out selections, were enough to state a claim under the statute.
The court also upheld the plaintiff’s claim under CIPA §638.51, which prohibits the use of trap and trace devices without a court order. The FAC alleged that third-party tracking tools implemented by the defendant captured routing and identifying information from users’ electronic communications. Although the defendant argued that the statute applied only to telephone communications, the court rejected that reading and cited a string of recent cases holding that the provision applies to data collected through web technologies.
On the issue of standing, the court found that the plaintiff sufficiently alleged an injury-in-fact based on loss of privacy, unauthorized interception of communications, and the economic value of the personal data that was monetized. The court rejected the argument that the plaintiff failed to specify what data was collected or how she was harmed, pointing to detailed allegations concerning the type of content collected and its use for commercial gain.
The plaintiff’s unjust enrichment claim was also allowed to proceed. While California does not formally recognize unjust enrichment as a standalone cause of action, the court construed the claim as one for restitution and found that the FAC plausibly alleged that the defendant profited from the unauthorized collection and sharing of private information. The plaintiff asserted that the defendant was enriched by its deceptive practices, including misrepresentations about cookie consent, and that it benefited financially at the expense of user privacy.
Lastly, the fraud claim survived under the heightened pleading standard of Rule 9(b). The FAC identified specific misrepresentations in the website’s cookie banners, alleged the defendant’s knowledge of their falsity, and outlined the plaintiff’s reliance on those misstatements. Contrary to the defendant’s assertion that the complaint relied on speculative allegations, the court found the pleadings sufficiently particular, pointing to specific data allegedly transmitted to named third parties such as Claritas, Pinterest, and Criteo.
In sum, the court’s detailed analysis and refusal to dismiss any of the seven claims under both federal and California law, reflects a growing willingness among California courts to recognize data privacy violations as plausible—especially where plaintiffs can plausibly allege misuse of data collected through online platforms.
xoxo Queenie
CIPAWorld 