This one definitely caught my attention. I’ve been using MyFitnessPal for 13+ years – it’s been a very reliable tool for tracking my fitness and nutrition. But like so many other companies these days, it’s in hot privacy water for how it handles user data.
In a recent case, a U.S. District Judge P. Casey Pitts of the Northern District of California issued a mixed but impactful order in Shah et al. v. MyFitnessPal Inc., Case No. 25-cv-04430-PCP allowing key privacy claims to proceed while dismissing several statutory and common law allegations with leave to amend. The lawsuit, brought by California residents Vishal Shah and Christine Wiley, challenges MyFitnessPal’s use of third-party tracking cookies on its website, allegedly in violation of users’ explicit attempts to opt out via cookie consent tools. Plaintiffs claim that MyFitnessPal misrepresented its cookie practices, continuing to share sensitive user data with third parties like Facebook, Google, and The Trade Desk even after users declined advertising and analytics cookies. The court held that the plaintiffs had adequately alleged Article III standing based on a privacy harm analogous to common law torts such as public disclosure of private facts, emphasizing that the alleged misrepresentation regarding cookie use and the sensitive nature of the health-related information involved distinguished the case from recent Ninth Circuit precedent in Popa v. Microsoft, which found no standing where the data collected was not as invasive.
Judge Pitts denied the motion to dismiss claims for invasion of privacy, intrusion upon seclusion, and unjust enrichment. The court emphasized that post-CCPA norms have reshaped users’ expectations about their ability to control data collection, particularly in contexts involving opt-out consent mechanisms. According to the court, a reasonable user of MyFitnessPal’s website, particularly one focused on tracking health and wellness would expect that opting out of certain cookies would prevent related tracking, and MyFitnessPal’s alleged disregard of this opt-out setting could constitute a “highly offensive” intrusion. According to the complaint, MyFitnessPal benefited commercially from the undisclosed data collection by better targeting advertisements and improving its marketing and product development. The court also sustained the unjust enrichment claim, construing it as a quasi-contract theory based on MyFitnessPal’s alleged deceptive practices and retention of valuable user data.
But the court dismissed with leave to amend the Plaintiffs’ claims under the California Invasion of Privacy Act (CIPA) for wiretapping and pen register violations, as well as their claims for common law fraud and trespass to chattels. While Judge Pitts agreed that the data collected could constitute the “contents” of communications under CIPA § 631(a), he found the complaint deficient in failing to allege that Plaintiffs personally engaged in communications that were intercepted. Similarly, the pen register claim failed because Plaintiffs did not allege any specific outgoing communications or associated signaling data. The fraud claim was dismissed under Rule 9(b) for failure to plead the “when” of the misconduct, what exact representations were made at that time, or how they relied on those statements. Without temporal specificity or details about the alleged misrepresentations, the fraud claim could not survive. The trespass to chattels claim was similarly dismissed. Although the Plaintiffs claimed that their devices were compromised by the placement of unwanted cookies, they did not allege any measurable harm such as diminished performance or functionality, required under California law following Intel Corp. v. Hamidi.
Finally, the court rejected MyFitnessPal’s motion to strike screenshots and class allegations. It found that, while the screenshots were undated and not directly tied to the Plaintiffs’ devices, they could become relevant if authenticated and consistent with user experience. The court held that class allegations were not so facially deficient as to warrant striking them at the pleading stage.
Plaintiffs were given 28 days to amend the dismissed claims. This ruling is yet another reminder of California courts’ continued willingness to entertain privacy claims rooted in deceptive cookie/pixel practices—especially where health data and explicit user choices are involved.
We will be breaking down the biggest privacy and CIPA cases in detail at Law Conference of Champions this year.
You won’t want to miss out!
CIPAWorld 