The court found that the plaintiffs had plausibly alleged “damage or loss” under CDAFA by claiming that the company and its vendors unjustly profited from the plaintiffs’ personal information.
A California federal court has allowed privacy claims to proceed against Rack Room Shoes based on its use of embedded tracking tools on its website—signaling that companies may face liability under both state and federal privacy laws, even where data collection is disclosed in a privacy policy. In Smith v. Rack Room Shoes, Inc. (2025 WL 2210002), decided August 4, 2025, Judge Rita Lin of the Northern District of California declined to dismiss claims brought under the federal Wiretap Act and California’s Comprehensive Computer Data Access and Fraud Act (CDAFA).
The plaintiffs allege that the company embedded a third-party tracking code into its website that enabled vendors to capture sensitive user data—including names, emails, phone numbers and shopping behavior—and used that data not only to support the company’s marketing, but also for the vendors’ own commercial purposes.
The case had previously survived an initial motion to dismiss, though several claims were dismissed with leave to amend. In this most recent decision, the court permitted the CDAFA and Wiretap Act claims to proceed, but dismissed claims under California’s Unfair Competition Law (UCL) and Consumers Legal Remedies Act (CLRA) without leave to amend.
Key Takeaways
CDAFA – Data Monetization as Injury
The court found that the plaintiffs had plausibly alleged “damage or loss” under CDAFA by claiming that the company and its vendors unjustly profited from the plaintiffs’ personal information. Relying on existing Ninth Circuit precedent, the court agreed that individuals have a stake in the profits derived from their data—even absent direct financial harm.
Wiretap Act – Tortious Purpose Defeats Consent Defense
While the company was a party to the communications, the court held that the “party exception” to Wiretap Act liability did not apply. Plaintiffs sufficiently alleged that the company acted with a “tortious purpose”—specifically, by violating its own privacy policy and using the data for targeted advertising in ways not clearly disclosed. This finding is particularly significant because it suggests that generic or incomplete privacy policy disclosures may not shield companies from wiretap liability if their actual data practices exceed what they've disclosed to users.
UCL and CLRA – No Tangible Harm
The state-law claims under the UCL and CLRA failed because the plaintiffs did not allege economic loss or a tangible increased burden. General assertions about the commercial value of user data were not enough to satisfy the statutory requirements.
Conclusion
While this is just a single district court ruling, it’s another example of a court allowing data privacy claims to proceed past the pleading stage—even where a company has a privacy policy in place. It also suggests that profit-based theories of harm, such as unjust enrichment, may be sufficient to establish standing under certain state privacy statutes. In addition, privacy disclosures are receiving closer scrutiny, with courts increasingly focused on whether a company’s actual data practices align with what is disclosed to users.
For More Information
If you have any questions about this Alert, please contact J. Colin Knisely, Michael S. Zullo, any of the attorneys in our Website Accessibility and Privacy Compliance Litigation Group, any of the attorneys in our Technology, Media and Telecom Industry Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.