Gabrielli v. Haleon US Inc.
3:25-cv-02555
| N.D. Cal. | Aug 29, 2025Background
- Plaintiff Jonathan Gabrielli visited multiple Haleon websites (e.g., Tums, Centrum, Sensodyne, Emergen‑C), encountered a cookie consent banner offering a “Reject All” option, and alleges he clicked that option before continuing to browse.
- Gabrielli claims Haleon nonetheless caused third‑party cookies/trackers to be placed and to transmit users’ browsing data and other private communications to third parties, despite users’ explicit rejection.
- He brings a putative California class action asserting: invasion of privacy and intrusion upon seclusion (California Constitution), violations of CIPA (Cal. Penal Code §§ 631 and 638.51), common‑law fraud, unjust enrichment, and trespass to chattels.
- Haleon moved to dismiss for lack of Article III standing and for failure to state plausible claims; it also argued CIPA claims were time‑barred.
- The court concluded Gabrielli plausibly alleged a concrete privacy injury (loss of control over private digital information) and denied dismissal on all counts except trespass to chattels, which was dismissed with leave to amend.
- The court applied the discovery rule to toll some CIPA claims, found CIPA §631(a) and §638.51 theories adequately pleaded at the pleading stage, and allowed punitive‑damages allegations to proceed.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing | Loss of control over private browsing/communication data after clicking “Reject All” is a concrete, privacy‑based injury | Alleged cookie capabilities (not specific collection) are speculative and insufficient after TransUnion | Plaintiff has standing: deprivation of control over private information is a concrete injury; complaint pleads actual transmission to third parties |
| Invasion of privacy / Intrusion upon seclusion | Cookies caused unwanted tracking and disclosure of sensitive website interactions and inputs | Alleged conduct is not sufficiently offensive or specific to satisfy the high bar | Claims survive pleading stage; offensiveness is fact‑intensive and cannot be resolved on the pleadings |
| CIPA §631(a) (wiretapping/contents) | Trackers captured “contents” (e.g., search terms, form inputs, URLs) and Haleon aided third‑party interception | Plaintiff failed to plead intent to aid and did not identify contents | §631(a) claim survives: intent adequately pleaded generally; alleged data (search terms/user inputs) can be “contents” |
| CIPA §638.51 (pen register / trap & trace) | Third‑party trackers/processes function as pen registers by recording routing/addressing (IP/session) info | Pen register statute applies only to telephony or not to internet technologies | §638.51 claim survives; courts construe “device or process” broadly to cover internet tracking tools |
| Statute of limitations for CIPA claims | Discovery rule/delayed discovery and tolling apply because tracking is technical and plaintiff learned of wrongdoing only later | Plaintiff had actual notice from cookie banner and privacy notice; claims are time‑barred | Discovery rule applies at pleading stage here; CIPA claims not dismissed as time‑barred |
| Trespass to chattels | Cookies stored on devices impaired device condition/value and caused damages (storage, performance, diminution) | Alleged harms are conclusory; cookies are minuscule and do not impair modern devices | Trespass to chattels dismissed with leave to amend: plaintiff failed to plausibly allege required impairment/damages |
Key Cases Cited
- TransUnion LLC v. Ramirez, 594 U.S. 413 (Sup. Ct.) (statutory violations require a concrete injury; intangible privacy harms can be concrete)
- In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir.) (privacy violations and statutory privacy rights can supply concrete injury for standing)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (Sup. Ct.) (Article III standing elements and pleading burden)
- Spokeo, Inc. v. Robbins, 578 U.S. 330 (Sup. Ct.) (plaintiff must clearly allege facts demonstrating each standing element)
- Zynga, Inc. v. [named plaintiffs], 750 F.3d 1098 (9th Cir.) (some URL/search‑term data can be the “contents” of a communication)
- In re Google Inc. Cookie Placement Consumer Privacy Litig., 934 F.3d 316 (3d Cir.) (tracking without authorization can be a concrete privacy injury)
- Intel Corp. v. Hamidi, 30 Cal.4th 1342 (Cal. S. Ct.) (principles for digital trespass/trespass to chattels under California law)