Greetings CIPAWorld!
Just picked up an interesting California Invasion of Privacy Act (“CIPA”) ruling from Judge Susan Illston in the Northern District of California, and this one is a big deal. In Krzyzek v. OpenX Techs., Inc., No. 25-CV-05588-SI, 2026 WL 206855 (N.D. Cal. Jan. 27, 2026), the Court denied nearly the entirety of OpenX’s Motion to Dismiss, allowing claims for intrusion upon seclusion, CIPA wiretapping under Section 631(a), CIPA pen register under Section 638.51, and even a federal Electronic Communications Privacy Act (“ECPA”) claim under 18 U.S.C. § 2511 to proceed. The only casualty? The unjust enrichment claim, and even that was dismissed with leave to amend. In other words, this is about as close to a clean sweep as you’re going to see at the pleading stage.
By way of background, OpenX Technologies is a registered data broker. Under California law, that means it’s a business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct [i.e., consumer-facing] relationship.” See Cal. Civ. Code § 1798.99.80(c). Here, OpenX operates a tracking pixel that Plaintiffs allege “tracks in real time and records indefinitely the personal information and specific web activity of hundreds of millions of Americans.” Krzyzek, 2026 WL 206855 at *1. That is a huge allegation, but the pixel is only half the story. OpenX also allegedly sells its tracking services through an “identity resolution tool” that assigns a unique ID to each user, thereby linking that user to a record of their web and app activity for targeted advertising. Plaintiffs allege that through this process, OpenX has amassed access to “nearly three-quarters of all Americans’ identities.” Id. Let that sink in for a moment!
Plaintiff alleges that the OpenX pixel collected information about her device and browser and tracked her as she navigated through the Covered California website to apply for health insurance in 2022 and 2024. Id. Additionally, another Plaintiff alleges that the OpenX pixel tracked him while he browsed Bon Appetit’s website in April 2025, intercepting his article selections and audience information, and that the tracker was also present on other websites he visited, including Apartmenttherapy.com, Foxnews.com, and BusinessInsider.com. Id. As a result, both Plaintiffs allege that OpenX compiled the information it gathered into detailed profiles without their knowledge or consent.
In response, OpenX moved to dismiss the entire Complaint under Rules 12(b)(1) and 12(b)(6). It was unsuccessful on almost every front.
So with that in mind, let’s get into the Court’s reasoning. Starting with Article III standing, OpenX argued that Plaintiffs didn’t allege “highly offensive” privacy injuries sufficient to confer standing. OpenX leaned heavily on the Ninth Circuit’s decision in Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025), where the Court dismissed claims for lack of standing because the plaintiff alleged that session-replay technology captured her browsing activity on a single pet supply website, and the information collected was not “embarrassing, invasive, or otherwise private.” Id. at 791. But Judge Illston found the allegations here to be far more invasive. Unlike Popa, which involved a single website, Plaintiffs allege that OpenX compiled detailed user profiles by tracking their interactions across multiple websites, including sensitive browsing activity, without their knowledge or consent. Krzyzek, 2026 WL 206855 at *3. The Court aligned this case with In re Facebook, Inc., Internet Tracking Litigation, 956 F.3d 589, 596 (9th Cir. 2020), where the Ninth Circuit found Article III standing because Facebook’s tracking practices allegedly allowed it to amass a “cradle-to-grave profile without users’ consent.” Id. at 599. The Court also noted what other lower courts have already recognized: Popa did not set out a new rule of law on standing; it simply applied existing common-law principles to the facts of that case. See Dellasala v. Samba TV, Inc., 2025 WL 3034069, at *2 (N.D. Cal. Oct. 30, 2025); Deivaprakash v. Conde Nast Digital, 2025 WL 2779193, at *1 (N.D. Cal. Sep. 30, 2025).
OpenX also raised the anonymity defense, arguing that its pixel collects only information tied to “devices – not individuals.” Krzyzek, 2026 WL 206855 at *4. The Court was unpersuaded because Plaintiffs alleged that OpenX effectively deanonymized users by tying them to individual profiles within a broad “identity graph.” Id. As the Court noted, where anonymity is rendered “functionally meaningless,” pseudonymization arguments don’t hold up. See Riganian v. LiveRamp Holdings Inc., 791 F. Supp. 3d 1075, 1086–87 (N.D. Cal. 2025).
On the intrusion upon seclusion claim, OpenX argued that Plaintiffs can’t reasonably expect privacy while browsing public websites, suggesting that shopping on a public website is like shopping in a public store. See Thomas v. Papa Johns Int’l., 2024 WL 2060140, at *2 (S.D. Cal. May 8, 2024). Judge Illston rejected that analogy outright. Why? OpenX allegedly tracks, compiles, and sells large volumes of personal information without users knowing that an OpenX pixel has been loaded on a given website. That, the Court found, is ‘very different from being observed by a retailer while shopping in a store.’ Krzyzek, 2026 WL 206855 at *4. The Court’s reasoning included persuasive authority in Selby v. Sovrn Holdings, 2025 WL 2950164, at *3 (N.D. Cal. Oct. 17, 2025), and Riganian, 791 F. Supp. 3d at 1087, both of which found that unauthorized tracking and data collection that compiles detailed profiles of online browsing activity tied to personal identifiers is actionable. Additionally, on the “highly offensive” prong, the Court found it was too early to conclude that OpenX’s conduct wasn’t offensive, noting that “courts must be reluctant to reach a conclusion at the pleading stage about how offensive or serious the privacy intrusion is.” In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 797 (N.D. Cal. 2019).
Now that you all have been waiting for, the CIPA Section 631(a) and ECPA Section 2511 claims, which the Court analyzed together. OpenX confidently presented every defense in its playbook, but the Court decisively rejected them all.
First, on the “contents” issue, OpenX asserted that the information it collects—device information, browser types, website visits—doesn’t constitute the “contents” of a communication. The Court disagreed for the very reason that Plaintiffs alleged that OpenX collects users’ communications with partner websites “in the form of full-string URLs and button click events.” Krzyzek, 2026 WL 206855 at *6. Here, the Complaint detailed how those full-string URLs include the full title of articles users view, revealing their interests. As we’ve seen before, URLs that reveal a user’s personal interests, queries, and habits constitute ‘contents’ under both CIPA and ECPA. See R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 902 (C.D. Cal. 2024). OpenX argued that Plaintiffs should have identified the specific URLs they visited. That didn’t work either. See Gilligan v. Experian Data Corp., 2026 WL 32259, at *3 (N.D. Cal. Jan. 6, 2026).”
Second, with respect to the third-party question, OpenX asserted that it was merely “an extension” of the website operators and therefore a party to the communications, thereby exempting it from liability. The Court applied the “capability approach” and found that OpenX is a third party because it has the capability of using its recording for another purpose. See Turner v. Nuance Communications, Inc., 735 F. Supp. 3d 1169, 1184 (N.D. Cal. 2024). Plaintiffs may have voluntarily visited the websites, but they didn’t voluntarily or knowingly visit websites that intercepted and compiled their browsing via an unannounced OpenX pixel. In sum, the Court found the privacy concerns akin to “having an unannounced second auditor listening in.” Id. at 1182.
Third, with respect to the “in transit” requirement, OpenX argued that any interception occurs after communications have arrived at their intended destination. However, we’re dealing with a Complaint that included detailed descriptions of how OpenX’s pixel technology works, and the Court found that Plaintiffs adequately alleged real-time interception. The pixel allegedly intercepts detailed, full-string URLs from each page a user visits, and this process begins “within seconds” of the user reaching a partner website. Krzyzek, 2026 WL 206855 at *7. For the Court’s analysis, it distinguished NovelPoster v. Javitch Canfield Group, 140 F. Supp. 3d 938 (N.D. Cal. 2014), where emails were accessed after they landed in the recipient’s account. Here, by contrast, Plaintiffs allege that OpenX intercepted their communications while they were still actively browsing.
Next, for the ECPA’s crime-tort exception, OpenX asserted that one party to the communication (the website operator) consented to the pixel’s installation, which should immunize OpenX. In response, the Court acknowledged the one-party consent defense but found that the crime-tort exception applies. Why, may you ask? Under that exception, there’s still a violation, even with consent, if the communication is intercepted for the purpose of committing a criminal or tortious act. See 18 U.S.C. § 2511(d). OpenX argued its primary motivation was profit, not tortious injury. The Court wasn’t persuaded, agreeing with the growing body of case law holding that being primarily motivated by profit doesn’t render the exception inapplicable. As the court in Riganian put it: “committing a tort and seeking a profit are not mutually exclusive (if anything, the latter is often the reason for the former).” Riganian, 791 F. Supp. 3d at 1090–91. Since Plaintiffs adequately alleged invasion of privacy, the crime-tort exception saved the ECPA claim.
On the pen register claim under Section 638.51, OpenX argued that pixels don’t qualify as “pen registers” under CIPA for three reasons: the pixel records a user’s own information rather than numbers dialed on a telephone, the legislative history doesn’t support application to web pixels, and reading the statute to encompass pixels would conflict with the CCPA. The Court dispatched these arguments quickly, noting that “[n]umerous courts in this district and elsewhere have already found pixels to be ‘pen registers’ at the pleading stage, and OpenX’s arguments tread no new ground.” Krzyzek, 2026 WL 206855 at *9. In Bradshaw v. Lowe’s Companies, Inc., 2025 WL 3171740, at *7 (S.D. Cal. Nov. 12, 2025), the Court observed that “[T]he case law is not in Defendants’ favor. Indeed, it uniformly supports the opposite outcome.” On top of that, another court in the Northern District already determined that OpenX’s own pixel qualifies as a pen register at the pleading stage. See Echeverria-Corzan v. Fox Corp., 2025 WL 3128194, at *1 (N.D. Cal. Nov. 7, 2025).
The only claim that didn’t survive was unjust enrichment, and that’s only because Plaintiffs didn’t allege they lacked an adequate remedy at law. Under Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020), you can’t pursue equitable relief without making that allegation. The Court dismissed with leave to amend.
All in all, this case is heading to discovery, and given the alleged scope of OpenX’s tracking, this is going to be a significant one to follow!
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
CIPAWorld 