A California resident claims in a new lawsuit that Bloomingdale's violates a California privacy law by allegedly using TikTok's tracking technology to collect data from visitors to the retailer's website.
In a class-action complaint filed Monday in the Central District of California, Kirra Hanson alleges that TikTok's software compiles a host of information about Bloomingdales.com visitors, including data about their devices, browsers and geolocation.
Hanson adds that TikTok's software also collects information about users' names and passwords, and transfers the data to China, Russia and other locales.
The complaint cites an ABC News report from 2023 as a source for those allegations; TikTok told ABC at the time that all new U.S. data was routed to Oracle and that only U.S. employees of TikTok were able to access the information.
Hanson's complaint claims Bloomingdale's is violating a California Invasion of Privacy Act provision prohibiting anyone from using a “trap and trace” device without a court order. That law essentially defines “trap and trace” devices as technology that captures metadata related to electronic communications.
The suit is one of numerous recent cases alleging that web companies violate the California law by using analytics software to collect information about website visitors. Whether these claims will ultimately succeed remains unclear.
In December, a federal appeals court upheld the dismissal of a related privacy complaint against Bloomingdale's, but the claim in that matter was that the site used keystroke logging technology to capture the content of communications -- not metadata.
The 9th Circuit Court of Appeals said the plaintiff in that case, California resident Amanda Daghaly, failed to allege detailed information about her activity on the retailer's site.
“Daghaly’s allegations about her own interactions with the Bloomingdales.com website are sparse,” the judges wrote. “She alleges only that she 'visited' and 'accessed' the website ... but she does not allege that she herself actually made any communications that could have been intercepted once she had accessed the website,” the judges added.
Separately, Massachusetts' highest court ruled in October that hospitals don't violate that state's wiretap law by transmitting data about website visitors' browsing activity to Google and Meta.
That statute, passed in 1968, makes it illegal to intercept communications without the consent of all parties. The Massachusetts judges said the law was aimed at prohibiting eavesdropping on “person-to-person conversations or messaging,” and doesn't apply when companies use technology to track online browsing activity.
A Bloomingdale's spokesperson said the company does not comment on pending litigation.