Greetings CIPAWorld!
I’m back with the latest scoop. Imagine browsing hunting gear at Sportsman’s Warehouse online, checking out a fishing rod. You don’t buy anything, don’t create an account, and don’t enter your email. You look around and leave. Weeks later, you get an email from a completely different outdoor retailer suggesting products similar to what you viewed. That’s creepy, right? That’s the essence of Cordero v. Sportsman’s Warehouse, Inc., No. 2:24-CV-575-DAK-CMR, 2025 U.S. Dist. LEXIS 72337 (D. Utah Apr. 15, 2025).
Here, Plaintiff filed a Complaint against Sportsman’s Warehouse after discovering that his browsing activity had been tracked by a third-party service called AddShoppers without his consent. I was digging through this case last night while coincidentally shopping for tickets to an upcoming Blink-182 concert, and caught myself about to click “Accept All” on a cookie banner to see those ticket prices (long story short… I didn’t buy them… yet). The irony wasn’t lost on me. Those seemingly mundane clicks we make without thinking twice? They matter. And sometimes, as this case shows, even not clicking anything can land your data in someone else’s hands. What’s particularly unsettling about the AddShoppers system described in Cordero is that it operates largely invisibly to the average consumer browsing online. Unlike standard cookies that work on a single website, this third-party tracking system follows you across an entire network of seemingly unrelated websites. Have you all watched the new season of Black Mirror yet?
Unlike the recent decision in Lakes v. Ubisoft, Inc., No. 24-cv-06943-TLT, 2025 U.S. Dist. LEXIS 67336 (N.D. Cal. Apr. 1, 2025), in which cookie consent banners saved the day for the video game company, Plaintiff’s lawsuit failed for a different reason altogether: standing. Judge Dale A. Kimball determined that the Plaintiff hadn’t suffered a concrete harm sufficient to give him Article III standing to bring the case. Interesting stuff.
So let’s dig into what’s at issue here. According to the Complaint, AddShoppers operates a “Data Co-Op” where participating companies install AddShoppers’ code on their websites. When an internet user creates an account or purchases with one business in the network, a third-party tracking cookie with a unique identifier is created that AddShoppers associates with that user. Pretty straightforward, right? Once that cookie is in your browser, AddShoppers can track your activity across any website in its network. What? Yes, you read that right. Suppose you’ve provided personal information to one site in the network. In that case, AddShoppers can use that information to target you with ads from completely different companies, even if you never gave those companies your information. For instance, you’re shopping around, adding a pair of boots to your cart on one site and then, days later, getting an email from another company you’ve never interacted with about outdoor gear, all because the two retailers are plugged into the same silent backend tracking system. Spooky stuff.
AddShoppers’ co-founder described this operation as having two data sources: a “blind Co-Op” where brands submit data in exchange for using the collective data pool, and “publisher relationships” where they license data for additional scale. This creates what the Complaint described as a “data lake, ” a centralized repository where information from different sources is matched to create detailed profiles of individuals. What’s particularly concerning is that, according to the Complaint, AddShoppers’ network includes companies selling highly personal products like feminine hygiene and men’s health items, potentially revealing private information to anyone sharing a computer with the user.
Plaintiff’s data request from AddShoppers revealed he had been tracked by at least a dozen companies, including Sportsman’s Warehouse, for several years. The timestamps revealed exactly when he visited these websites. But here’s the critical point that ultimately closed down Plaintiffs case. Here, Plaintiff never provided any personal information to Sportsman’s Warehouse. Plaintiff simply visited their website.
The Court analyzed this lack of personal information exchange through precedent established by the Supreme Court in TransUnion L.L.C. v. Ramirez, 594 U.S. 413 (2021). The Court emphasized that “Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” Id.The Court ruled that a timestamp showing when someone last visited a website doesn’t constitute personal information that can identify an individual under California law.
Distinguishing this case from In re Facebook, Inc., Internet Tracking Litigation, 956 F.3d 589 (9th Cir. 2020), where Facebook was accused of capturing detailed browsing information that was used to create personally identifiable profiles describing users’ “likes, dislikes, interests, and habits over a significant amount of time.” Unlike Facebook, Sportsman’s Warehouse never obtained Plaintiff’s personally identifiable information.
As the Court put it, “Sharing the last time someone visited a website is not statutorily protected in California as protected personal information.” Cordero, 2025 U.S. Dist. LEXIS 72337. This reasoning was based on similar rulings in Cook v. GameStop, Inc., 689 F. Supp. 3d 58 (W.D. Pa. 2023), which held that “product preference information is not personal information” and In re BPS Direct, L.L.C., 705 F. Supp. 3d 333 (E.D. Pa. 2023), which stated that “browsing activity is not sufficiently private to establish concrete harm.”
The Court also declined to follow decisions like Lineberry v. Addshopper, Inc., No. 23-cv-01996-VC, 2025 U.S. Dist. LEXIS 29903 (N.D. Cal. Feb. 19, 2025), where the Complaint alleged plaintiff made a purchase and was plausibly identifiable. Here, Plaintiff made no purchase, provided no email, and entered no personal details. Those factual gaps were key here in the Court’s reasoning.
Sportsman’s Warehouse also asserted the persuasive authority in Ingrao v. AddShoppers, Inc., No. 24-1022, 2024 WL 4892514 (D. Utah Nov. 25, 2024), which involved nearly identical facts and resulted in dismissal for lack of standing. The Court found Ingrao persuasive and more directly applicable than Facebook, particularly because both Ingrao and Plaintiff’s case lacked allegations that personal data was ever collected, let alone misused.
So what does this mean for you and me? While Plaintiff’s case was dismissed for lack of standing, it provides more insight into how companies track our digital footprints in ways most of us never consider. Those seemingly browsing sessions on retail websites could be feeding into vast data-sharing networks that follow you across the internet.
For companies, the lesson here might seem to be you’re in the clear as long as you don’t collect identifiable personal information. But that would be missing the bigger picture. As privacy laws evolve and consumers become more aware of tracking practices, the legal landscape could shift dramatically. In Lakes, the Court held that layered cookie banners could provide legally binding consent. In Cordero, the Court didn’t even get that far, because if there’s no injury, it doesn’t matter what disclosures you did or didn’t give. The procedural defenses may differ, but the outcome is the same: these privacy lawsuits are shut down at the door.
For consumers, cases like this highlight why those cookie preferences matter. When was the last time you read a privacy policy? And if you did, would you expect it to list every company that might get your data? Probably not. But these cases show that courts won’t always assume you didn’t know. Those extra 30 seconds spent clicking “customize settings” instead of “accept all” could mean the difference between your browsing habits being your own business or becoming valuable data points in a marketplace you never consented to join.
Looking at Lakes and Cordero together, a clear trend emerges. If a company collects personal data with explicit consent, it’s protected. Additionally, if it avoids collecting personal data altogether, it’s also protected. For businesses, that’s a powerful takeaway. The current legal framework favors companies that either build robust consent flows or steer clear of collecting personally identifiable information. Even under California’s strong privacy laws, the bar for plaintiffs to survive a motion to dismiss remains high, especially when standing is questioned.
So next time you’re shopping online, whether for camping gear, concert tickets, or anything else, remember that your digital footprints may be tracked in ways you never imagined. Unlike the plaintiffs in Lakes v. Ubisoft, who clicked through consent banners, Cordero never got the chance to consent or decline. Plaintiff just browsed.
All in all, what stood out to me in Judge Kimball’s ruling was how decisively the conversation ended. This wasn’t a case where more facts might have saved the Complaint. The Court didn’t say plead better. It said you were never supposed to be here.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!