Hi CIPAWorld! In the latest development in the ongoing wave of website tracker litigation, the Northern District of California court in Smith, et al., v. Rack Room Shoes, Inc., No. 24-CV-06709-RFL, 2025 WL 2210002 (N.D. Cal. Aug. 4, 2025), has allowed a putative class action against Rack Room Shoes, Inc. to proceed on claims under the federal Wiretap Act and California’s Comprehensive Computer Data and Access Fraud Act (“CDAFA”).
The court denied Rack Room’s motion to dismiss these claims and found that the plaintiffs had plausibly alleged compensable harm and tortious intent. However, the court dismissed claims under California’s Unfair Competition Law (“UCL”) and Consumers Legal Remedies Act (“CLRA”) without leave to amend.
The lawsuit centers on Rack Room’s use of embedded code from third parties, including Meta and Attentive, on its website. Plaintiffs allege that these tools, such as the Meta Pixel and Attentive Tag, intercept their communications and personally identifiable information without their consent and transmit it to the third parties.
The data allegedly shared includes URLs revealing search queries, items viewed and placed in carts and even hashed or unencrypted personally identifiable information like names, email addresses, and phone numbers.
The court had previously held in Smith I that Rack Room’s privacy policy failed to adequately disclose that third parties could collect this personally identifiable information and use it for their own commercial purposes, making any argument of user consent questionable.
Here, Rack Room argued that the claim was barred by the “party exception” under 18 U.S.C.§2511(2)(d), as it was a party to the communications with its website visitors and consented to the interception.
However, the court found that the plaintiffs plausibly alleged that the “crime-tort exception” applied. This exception negates the party exception if the interception was done “for the purpose of committing any criminal or tortious act.”
The key question is whether the defendant had an independent prohibited purpose beyond the act of interception itself.
Here, the court identified the tortious purpose as Rack Room’s intent to use and disclose its customers’ personally identifiable information for targeted advertising—directly contradicting the promises made in its own privacy policy. This subsequent use, the court reasoned, constituted a further invasion of privacy, satisfying the requirement for an independent tortious act.
The court rejected Rack Room’s argument that its primary financial motivation shielded it from liability and held that “a monetary purpose does not insulate a party from liability under the Wiretap Act, at least at the motion to dismiss stage.”
The case will now proceed to discovery on the CDAFA and Wiretap Act claims which continues the trend of courts allowing these website tracker cases to move past the pleading stage.