As privacy litigation over tracking pixels continues to surge, a recent decision out of California offers a clear win for companies that implement strong consent mechanisms.
In Lakes v. Ubisoft, Inc., 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025), Plaintiffs Trevor Lakes and Alex Rajjoub filed a class action against Defendant Ubisoft, Inc., a video game company, alleging violations of the Video Privacy Protection Act (VPPA), California’s Invasion of Privacy Act (CIPA), and the Electronic Communications Privacy Act (ECPA).
According to Plaintiffs, their claims arose when they visited Ubisoft’s website (the “Website”) to download games while logged into their respective Facebook accounts. Plaintiffs alleged that Ubisoft installed a Meta/Facebook tracking pixel on the Website, which disclosed their personally identifiable information to Meta. The allegedly disclosed information included the consumers’ unique and unencrypted Facebook ID, a cookie containing an encrypted Facebook ID, and their Video Request Data.
Plaintiffs sought to represent the following classes:
- All PII Users on the Website that had their PII, search terms, and detailed webpage information improperly intercepted by and disclosed to Facebook through the use of the Pixel (the “Class”).
- All PII Users, who reside and used the Website in California, that had their PII, search terms, and detailed webpage information improperly intercepted by and disclosed to Facebook through the use of the Pixel (the “California Subclass”).
Ubisoft filed a motion to dismiss and requested judicial notice of its Website and the policies publicly available on the Website, including its Privacy Policy, Cookies Settings, and Website Cookies Banner. Ubisoft contended that these were necessary for the Court to have a complete picture of a user’s journey, what the user consents to, and the policies they are provided and agree to. The request for judicial notice was granted for specific portions of the Ubisoft Website.
On the Website’s landing page, a first-time user is presented with a Cookie Banner notifying them that by clicking “OK” and “continuing to navigate on the site” they “accept the use of cookies by Ubisoft and its partners to offer advertising adapted to [their] interests.” If a user clicks on the “set your cookies” hyperlink in the banner, a pop-up appears with more detailed options to change cookie preferences.
To make any purchases on the Website, a user must first create a Ubisoft account and affirmatively accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy, which are all hyperlinked on the Website. Ubisoft’s Privacy Policy informs users that their information will be shared with third parties and outlines how users can withdraw their consent. After agreeing to the Privacy Policy and consenting to the sharing of data during account creation, a user is once again presented with the Privacy Policy every time they make a purchase on the Website.
In light of the above processes, Ubisoft argued that all of Plaintiffs’ claims fail because Plaintiffs were repeatedly informed of, and consented to, the use of cookies and pixels on the Website. The Court agreed, finding that Ubisoft’s disclosures clearly state that it allows partners to use cookies on the Website, that specific analytics and personalization cookies would be used, and that cookie identifiers and other similar data connected to the use of the site could be collected and shared.
In doing so, the Court rejected Plaintiffs’ assertion that a granular disclosure stating that Meta will collect Plaintiffs’ “video game titles combined with unique Facebook identifiers” was required to obtain actual consent. Here, the Privacy Policy explicitly disclosed that Ubisoft uses technologies such as cookies to collect game, login, and browsing data, and that Ubisoft allows its partners to set and access user cookies. This was found to be sufficient, because “a reasonable user would understand from the Privacy Policy that he or she is consenting to the use of cookies including by third parties.”
“[A] reasonable user would understand from the Privacy Policy that he or she is consenting to the use of cookies including by third parties.”
Therefore, the Court granted Ubisoft’s motion to dismiss the complaint in its entirety, with prejudice. The Court concluded that granting Plaintiffs leave to amend would be futile because they cannot overcome the issue of consent.
The most important takeaway here is the need for businesses to maintain proper consent and disclosure mechanisms – include a cookie disclosure on the website landing page, clearly inform users what data you collect and who you share it with, and allow users to customize non-essential cookies. Although, a Pennsylvania court held that a privacy policy contained in a browsewrap agreement gave users constructive notice of a website’s use of tracking software, affirmative consent obtained via a clickwrap agreement worked in Ubisoft’s favor here. Finally, make sure your privacy policy is accurate and up to date.
Ultimately, this ruling underscores how detailed, user-facing consent flows and transparent data-sharing policies remain critical defenses in privacy litigation.