• by Wendy Davis , Yesterday

The music company Universal Music Group must face a privacy lawsuit over its alleged failure to honor web users' request to reject tracking, a federal judge ruled Wednesday.

The decision, issued by U.S. District Court Judge P. Casey Pitts in the Northern District of California, came in a lawsuit brought in April by state residents Christine Wiley and Vishal Shah.

They alleged in a class-action complaint that they visited Universal's websites, including imaginedragonsmusic.com and arianagrande.com, and were greeted with banners that gave them the opportunity to reject cookies.

Both plaintiffs alleged that they checked a box to decline cookies, but that tracking cookies from third parties were nonetheless placed on their devices.

"Defendant’s promises are outright lies, designed to lull users into a false sense of security," the complaint alleges.

Shah and Wiley added that even after users reject cookies, Universal "surreptitiously enables several third parties" including Meta, Google, TikTok and Snap "to place and/or transmit cookies that track users’ website browsing activities."

"Defendant, in violation of plaintiffs’ and other class members’ reasonable expectation of privacy and without their consent, permits the third parties to use cookies and other tracking technologies to collect, track, and compile users’ private communications, including their browsing history, visit history, website interactions, user input data, demographic information, interests and preferences, shopping behaviors, device information, referring URLs, session information, user identifiers, and/or geolocation data," the duo alleged.

Their complaint includes claims that Universal violated various state privacy standards and wiretap laws.

Universal urged Pitts to dismiss the complaint for several reasons. Among others, the company argued that the allegations, even if proven true, wouldn't establish that either plaintiff experienced the kind of injury that warrants a lawsuit.

"Plaintiffs have no expectation of privacy in any of the information allegedly collected," the company wrote.

"Plaintiffs do not identify any information of theirs that was actually collected by any website cookie. And even if any of their information was collected, courts consistently have held that the mere collection of browsing history, page views and IP addresses, absent a tangible or concrete harm, does not constitute a sufficient injury to support legal claim," Universal added.

Pitts partially sided against Universal, ruling that the plaintiffs could proceed with some claims including invasion of privacy and "intrusion upon seclusion" (a privacy claim that can be brought in California, and involves "highly offensive" activity).

Universal "is correct that the information at issue, standing alone, may not involve the types of information in which users have an unqualified expectation of privacy" Pitts wrote.

"But in this case [Universal] allegedly represented to plaintiffs that it would not collect information for advertising or analytics if they opted out of such collection," he continued, adding that because Universal said users could opt out, users "had a reasonable expectation of privacy with respect to that information."

Pitts dismissed other counts, including claims that Universal violated California's wiretap laws. But he said the plaintiffs could reformulate those counts and bring them again within 28 days.

The ruling marks at least the third time this year that a federal judge has required companies to face privacy lawsuits for allegedly failing to honor opt-out choices.

Last month, a federal judge ruled that Burger King must face a similar lawsuit, and in July a judge rejected a request by Motorola to dismiss comparable claims.