It’s becoming clear that companies that don’t treat their privacy policies as a living document are taking huge risks.

Rack Room Shoes had to learn this the hard way in a recent case out of the Northern District of California. In Smith v. Rack Room Shoes, Inc. (2025 WL 1085169 April 4, 2025), Rack Room lost a motion to dismiss regarding whether or not the Plaintiff gave consent to “the disclosures of their data by continuing to use Rack Room’s website after being notified of Rack Room’s privacy policy…The privacy policies at issue, however, contain ambiguities that prevent a finding of consent as a matter of law.”

Essentially, Rack Room had embedded third-party code on its website, including both the Meta Pixel and the Attentive Tag. The Meta Pixel would, among other things, record the user’s search queries, items viewed and placed in cart, and hashed values containing the personal information of the user. The Attentive Tag would “send messages that can contain the full URL string visited, the product purchased, and the unencrypted phone number and email that the visitor entered when making a purchase.”

These are normal use cases for these sorts of cookies and generally not a problem. However, Rack Room’s privacy policy explicitly stated that while they use cookies and beacons on their site “none of the information collected through cookies or beacons is personally identifiable.”

Oops.

Additionally, Rack Room argued that their privacy policy allows them to collect voluntarily provided personally identifiable information and share that PII with marketing partners. But the plaintiffs argued that the PII was not disclosed in isolation, and that disclosing it combined with the browsing and purchase information violated the privacy policy. The Court agreed: “Plaintiffs plausibly allege…that a reasonable user would not understand Rack Room’s privacy policy to authorize such a disclosure.” Therefore, the Court denied the motion to dismiss all claims based on consent.

The Plaintiffs also made CIPA claims, which Rack Room moved to dismiss, but the Court denied those motions as well. Rack Room tried to argue that Meta and Attentive were acting as extensions, but the Court relied on Ambriz v. Google (discussed earlier on CIPAWorld). Because Rack Room knew that the Meta Pixel and the Attentive Tag intercept personal information, the Court denied the motion to dismiss.

There were multiple misses on Rack Room’s part in this case, but the main takeaway is that companies can get consent to sharing personal information. That consent, however, must accurately reflect the practices of the company. General sweeping privacy policy language is no longer effective.

And I get it, people change pixels and tags on their site often. But that is not going to be an excuse. When companies change pixels and other tracking, there needs to be a process in place to ensure that either those pixels/cookies match the privacy policy or the privacy policy is updated.
