UNIVERSAL MUSIC GROUP’S COOKIE CONSENT DIDN’T HARMONIZE: What The Court Let Play On

Add a comment

Greetings CIPAWorld!

As the year comes to a close, a recent ruling from Judge P. Casey Pitts in the Northern District of California offers timely guidance on cookie consent litigation. In Wiley, et al., v. Universal Music Group, Inc., No. 25-cv-03095-PCP, 2025 WL 3654085 (N.D. Cal. Dec. 17, 2025), the Court granted in part and denied in part Universal Music Group’s (“UMG”) Motion to Dismiss, allowing invasion of privacy and intrusion upon seclusion claims to proceed while dismissing the California Invasion of Privacy Act (“CIPA”) claims with leave to amend. UMG’s Motion to Strike was also denied in full.

Let’s get into a bit of case background. UMG operates a number of artist websites where fans can get information about musicians and merchandise. We’re talking about websites like arianagrande.com, postmalone.com, imaginedragonsmusic.com, nickiminajofficial.com, theweeknd.com, and others. Like many websites, UMG presented visitors with a cookie consent banner offering options. Users could click “Decline All” to opt out of “Online Advertising” and “Performance and Analytics” cookies. The banner even told users that performance and analytics cookies were “[n]ot used for online advertising purposes or by third parties for their own use.” Id. at *1.

Sounds reasonable, right? Almost reassuring. Except Plaintiffs allege that when they clicked “Decline All,” UMG’s websites allegedly placed third-party cookies on their devices anyway and allowed Meta, Google, TikTok, Snapchat, and others to track their browsing history, website interactions, user input data, shopping behaviors, geolocation, and more. In other words, the “Decline All” button allegedly didn’t decline anything.

Plaintiffs brought a variety of claims: invasion of privacy, intrusion upon seclusion, CIPA wiretapping under Section 631(a), CIPA pen register under Section 638.51, common law fraud, unjust enrichment, breach of contract, breach of the implied covenant of good faith and fair dealing, and trespass to chattels. While several non-CIPA claims were addressed, the Court’s analysis ultimately turned on two questions central to CIPA litigation: whether users had a reasonable expectation of privacy after opting out of cookies, and whether Plaintiffs adequately pled their own intercepted communications.

The invasion of privacy and intrusion upon seclusion claims survived, and the Court’s reasoning here is worth unpacking. Both claims require plaintiffs to show that the defendant intruded into something “as to which the plaintiff had a reasonable expectation of privacy” and that the intrusion was “highly offensive.” See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020). Whether someone has a reasonable expectation of privacy is a mixed question of law and fact, informed by “customs, practices, and circumstances.” Id. at 601–02.

UMG asserted that the browsing data at issue wasn’t the type of information in which users have a reasonable expectation of privacy. The Court acknowledged that standing alone, this might be true. However, UMG allegedly represented to plaintiffs that it would not collect information for advertising or analytics if they opted out of such collection. Wiley, 2025 WL 3654085 at *4. When you tell users they can opt out and then ignore their choice, you’ve created the very expectation you’re now trying to deny.

The Court distinguished D’Angelo v. FCA US, LLC, 726 F. Supp. 3d 1179 (S.D. Cal. 2024), where the Court dismissed privacy claims because the data collected (account names, IP addresses, geolocation) wasn’t “sensitive” enough. But crucially, D’Angelo noted that “Plaintiffs do not allege that Defendant set out an expectation that it would not collect chat conversations.” Id. at 1205. Here, UMG allegedly did precisely that. It told users they could decline cookies, and then allegedly ignored that choice. That promise changed the analysis.

The Court also pointed to the California Consumer Privacy Act (“CCPA”) as shaping users’ reasonable expectations. Post-CCPA, California users visiting websites “can expect to see a popup screen giving them the option to opt out of various types of tracking.” Wiley, 2025 WL 3654085 at *4. The Court noted that cases decided before the CCPA’s 2020 adoption are “of limited value in considering users’ reasonable post-enactment expectations.” Id. That’s a significant observation for anyone still citing pre-CCPA cases to argue that users have no privacy expectations in browsing data. When cookie banners promise control, courts are increasingly willing to treat that promise as legally meaningful.

On the “highly offensive” prong, the Court found that UMG’s alleged deception served as a “plus factor.” See Wiley, 2025 WL 3654085 at *5 (citing In re Google Location Hist. Litig., 514 F. Supp. 3d 1147, 1157 (N.D. Cal. 2021)). Plaintiffs alleged they would not have used the websites if they knew their opt-outs would be ignored. Further, Plaintiffs claim UMG didn’t just invade their privacy; it allegedly tricked them into engaging in conduct they would otherwise have avoided.

With this in mind, the Court also addressed the Ninth Circuit’s recent decision in Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025), which held that mere session-replay tracking didn’t establish a concrete Article III injury. Judge Pitts distinguished Popa because the website owner in that case “did not indicate to users that it would not track their activities.” Wiley, 2025 WL 3654085 at *6. Here, UMG made affirmative misrepresentations. The Court found the alleged harm analogous to the common-law public-disclosure-of-private-facts tort, recognizing that misrepresenting how private information will be used can itself constitute an invasion of privacy. In short, deception did real work here, both on the merits and on standing.

The CIPA claims fared differently. The CIPA wiretapping and pen register claims were dismissed with leave to amend, and here’s why. The Court explained that Section 631(a) turns on whether the “contents” of a communication were intercepted while in transit, drawing the familiar distinction between message contents and mere record information. Plaintiffs alleged that third parties tracked website interactions, user input data, shopping behaviors, and referring URLs, which in some circumstances could reveal what users were searching for or intended to do on UMG’s websites. The Court agreed that this type of data could, in theory, qualify as “contents” under Section 631.

But theory wasn’t enough. Plaintiffs never alleged that they themselves engaged in any communications with the websites whose contents were intercepted. They alleged generally what happened to “website users,” but as to their own conduct, they alleged only that they visited the websites and clicked “Decline All.” They never alleged that they searched for anything, entered queries, or otherwise communicated with the websites in a way that would generate interceptable content. Conversely, courts have allowed CIPA claims to proceed where plaintiffs alleged their own specific interactions with websites. Here, Plaintiffs didn’t.

The same defect carried over to the pen register claim under Section 638.51. The Court rejected UMG’s argument that the pen register statute applies only to telephones, noting that the statutory definition contains no such limitation and that other provisions of CIPA expressly reference telephones when the Legislature intends to do so. That said, the pen register claim still failed for a simple reason: Plaintiffs did not allege that they communicated with the websites at all. Without communication, there is no dialing, routing, addressing, or signaling information to capture.

So what are the takeaways?

First, affirmative representations matter. If a website tells users they can opt out of tracking and then allegedly ignores that choice, it may create a reasonable expectation of privacy that would not otherwise exist, particularly in a post-CCPA landscape.

Second, plead your own conduct. For CIPA wiretapping and pen register claims, it is not enough to allege, in the abstract, how tracking technologies operate. Plaintiffs must allege what they actually did on the site and how those communications were intercepted.

Plaintiffs have 28 days to amend. If they do, expect any amended complaint to focus far more closely on plaintiff-specific website interactions and the precise data allegedly captured as a result.

As we head into the holidays, Troutman Amin, LLP wishes you and your loved ones a joyous holiday season and a happy, healthy New Year!

As always,

Keep it legal, keep it smart, and stay ahead of the game.

Talk soon!

Unknown's avatar

Published by Blake Landis

Blake Landis joins the esteemed Troutman Amin, LLP as an Associate Attorney in their South Florida location. He is a J.D. graduate from St. Thomas University College of Law, 2024. During law school, Blake was recognized with Cali Book Awards in Appellate Advocacy, Innovations & Patent Management, Trademark and Branding Law, and Trial Advocacy Practice. Blake demonstrated leadership as President of the Intellectual Property & Cyber Law Society and served as the Elected Miami-Dade Bar Association Representative for the Student Bar Association. Blake was also honored with a Pro Bono Commendation Certificate for dedicating over 100 hours to legal and community service. His latest publication, "Brain-Computer Interfaces and Bioethical Implications on Society: Friend or Foe?" delves into evolving data privacy concerns. With Blake's stacked resume and extensive work experience across various legal sectors, he will assist Troutman Amin in defending TCPA class actions with a strong emphasis on evolving AI litigation matters.

Tags: , , , ,

Leave a comment