Case Information
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SABER KHAMOOSHI, et al., Case No. 24-cv-07836-SK Plaintiffs, ORDER GRANTING MOTION TO
v. DISMISS FOR LACK OF STANDING AND REMANDING CASE POLITICO LLC,
Defendant. Regarding Docket No. 35
Plaintiffs Saber Khamooshi, Ryan Wu, Brian Carolus and John Deddeh (“Plaintiffs”) bring this putative class action against Defendant Politico LLC (“Defendant”), claiming that Defendant shared Plaintiffs’ personal information without their consent. (Dkt. No. 33.) This matter comes before the Court upon consideration of Defendant’s motion to dismiss, which contends that Plaintiffs lack Article III standing to bring their claims and have not alleged sufficient facts to state their claims. (Dkt. No. 35.) All parties have consented to magistrate judge jurisdiction. (Dkt. Nos. 20, 21.) Having carefully considered the parties’ papers, relevant legal authority, and the record in the case, and having had the benefit of oral argument, the Court hereby GRANTS Defendant’s motion to dismiss for lack of Article III standing for the reasons set forth below. Because the Court agrees with Defendant that Plaintiffs lack Article III standing, there is no need to reach Defendant’s alternative arguments regarding the sufficiency of Plaintiffs’ claims.
BACKGROUND
A. Factual Allegations.
The Amended Complaint alleges the following facts, which the Court takes as true for purposes of this motion.
Defendant owns and operates www.Politico.com, which publishes political news. (Dkt. No. 33, ¶ 25.) Plaintiffs are California residents who visited www.Politico.com using an internet browser. ( Id. at ¶¶ 10-23.) According to the Amended Complaint, third-party trackers embedded on www.Politico.com collected Plaintiffs’ information for advertising and analytics purposes. ( Id. at ¶¶ 1, 8.) The information included browser and device data, IP address, and “other identifying information.” ( Id. at ¶¶ 1, 7, 8, 31, 35, 63, 66, 68, 71-72, 75, 78, 83, 127, 145.) An IP address is a numerical code that identifies a specific device connected to the internet and facilitates communication between devices. ( Id. at ¶ 54.) Defendant never disclosed its use of third-party trackers to website users, and Plaintiffs never authorized or consented to the disclosure of their information. ( Id. at ¶¶ 1, 7, 8, 9, 12, 13, 16, 17, 20, 21, 23.) Plaintiffs bring five claims under California law: (1) California Computer Data Access and
Fraud Act, Cal. Penal Code § 502; (2) the California Invasion of Privacy Act, Cal. Penal Code § 638.51; (3) the right to privacy, Cal. Const. Art. 1, § 1; (4) unjust enrichment; and (5) the Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. (“UCL”). ( Id. at ¶¶ 105-79.) They seek injunctive and declaratory relief, compensatory damages, statutory damages, restitution, disgorgement of profits, nominal damages, costs, and fees. ( at pp. 40-41.) B. Procedural History.
Khamooshi, Wu, and Carolus first filed this action in the Superior Court of California for the County of San Franciscio on September 26, 2024. (Dkt. No. 1-1, p. 4.) The case was removed to federal court and consolidated with a later-filed case brought by Deddeh. (Dkt. Nos. 1, 29.) Following consolidation, Plaintiffs filed their Amended Complaint. (Dkt. No. 33.)
On March 31, 2025, Defendant filed the instant motion to dismiss the Amended Complaint pursuant to Rules 12(b)(1), 12(b)(6), and 9(b). (Dkt. No. 35.) The motion has been fully briefed. (Dkt. Nos. 35, 38, 44.) The Court heard oral argument on May 12, 2025.
ANALYSIS
A. Legal Standard.
The Court evaluates challenges to Article III standing under Rule 12(b)(1), which governs motions to dismiss for lack of subject matter jurisdiction. See Maya v. Centex Corp. , 658 F.3d 1060, 1067 (9th Cir. 2011). Where, as here, a defendant brings a facial challenge to standing, the court assesses whether the plaintiff has alleged sufficient facts that, taken as true, demonstrate each element of Article III standing. Jones v. L.A. Cent. Plaza LLC , 74 F.4th 1053, 1057 (9th Cir. 2023) (citing Spokeo, Inc. v. Robins , 578 U.S. 330, 338 (2016), cleaned up). A plaintiff must allege facts demonstrating “(i) that he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC v. Ramirez , 594 U.S. 413, 423 (2021).
Here, the dispute centers on whether Plaintiffs have alleged an injury that is “concrete.” A concrete injury is “real, and not abstract.” Id. at 424 (quoting Spokeo , 578 U.S. at 340). Concrete harms include “traditional tangible harms, such as physical harms and monetary harms.” at 425. Intangible injuries may be concrete if they have a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” Id. B. Defendant’s Motion. Plaintiffs contend that they have suffered three types of concrete injury: invasion of privacy, economic harm, and heightened risk of future harm. (Dkt. No. 33, ¶¶ 38-40; Dkt. No. 38, pp. 11-13.) The Court addresses each argument in turn.
1. Invasion of Privacy.
Disclosure of private information is a concrete injury. , 594 U.S. at 425; Phillips v. U.S. Customs & Border Prot. , 74 F.4th 986, 993 (9th Cir. 2023) (noting that invasion of privacy is “an injury identified by the Supreme Court as concrete.”). However, to say that a privacy injury can be concrete is not to say that the alleged privacy injury here is concrete. Rather, courts “make their decisions regarding whether a plaintiff has stated a legally protectable privacy interest based on the nature of the information at issue.” Mikulsky v. Noom, Inc. , 682 F. Supp. 3d 855, 864 (S.D. Cal. 2023) (quoting In re Yahoo Mail Litig. , 7 F. Supp. 3d 1016, 1041 (N.D. Cal. 2014)). “[I]n data breach cases, courts must examine the nature of the specific information at issue to determine whether privacy interests were implicated at all.” I.C. v. Zynga, Inc. , 600 F. Supp. 3d 1034, 1050 (N.D. Cal. 2022). “Otherwise, every data breach (or any situation in which one loses control of information) would confer standing, regardless of whether private information is exposed.” Id. “To survive a motion to dismiss, a plaintiff must identify the ‘specific personal information she disclosed that implicates a protectable privacy interest.’” Mikulsky , 682 F. Supp. 3d at 864 (quoting Byars v. Sterling Jewelers, Inc. , No. 5:22- CV-01456-SB-SP, 2023 WL 2996686, at *3 (C.D. Cal. Apr. 5, 2023)).
Here, the only specific category of information that Plaintiffs identify is the category of IP addresses for their devices. Plaintiffs also allege that Defendant disclosed their “browser and device data” and “other identifying information” (Dkt. No. 33, ¶¶ 1, 7, 8, 31, 35, 63, 66, 68, 71- 75, 78, 83, 127, 133, 145, 155, 174) but fail to provide any more detail. Those allegations are too vague to assert a protectable privacy interest. See Mikulsky , 682 F. Supp. 3d at 864 (“Plaintiff’s conclusory allegation that she disclosed ‘personal information’ does not allow the Court to determine whether Plaintiff has a protectable privacy interest in that information.”); Hughes v. Vivint, Inc. , No. CV 24-3081-GW-KSX, 2024 WL 5179916, at *4 (C.D. Cal. July 12, 2024), adopted , No. CV 24-3081-GW-KSX, 2024 WL 5179917 (C.D. Cal. Aug. 5, 2024) (finding allegations that defendant collected “device and browser information,” among other data, insufficient to specify what information was captured).
Thus, the question presented is whether disclosure of IP addresses gives rise to a privacy injury. It does not. As many courts have explained, “there is no legally protected privacy interest in IP addresses.” Heeger v. Facebook, Inc. , 509 F. Supp. 3d 1182, 1189 (N.D. Cal. 2020); United States v. Forrester , 512 F.3d 500, 510 (9th Cir. 2008) (“Internet users have no expectation of privacy in . . . the IP addresses of the websites they visit . . . .”); see also United States v. Rosenow , 50 F.4th 715, 737-38 (9th Cir. 2022). Two legal principles support this conclusion.
First, a person generally “has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Carpenter v. United States , 585 U.S. 296, 307 (2018) (quoting Smith v. Maryland , 442 U.S. 735, 743-44 (1979)). That remains true “even if the information is revealed on the assumption that it will be used only for a limited purpose . . . .” United States v. Miller , 425 U.S. 435, 443 (1976). When internet users visit a website, their devices automatically send their IP addresses to the website’s server as part of the communication process. See Forrester , 512 F.3d at 510. Therefore, “IP addresses are . . . voluntarily turned over in order to direct the third party’s servers.” Id. Accordingly, no reasonable expectation of privacy attaches to IP addresses. Id. The principle that IP addresses do not implicate a legally protectable privacy interest originates in the Fourth Amendment context. See id. However, courts within this Circuit have consistently extended this reasoning to alleged injuries to privacy in the civil context in analyzing whether there is an injury under Article III. See , e.g., Heeger , 509 F. Supp. 3d at 1189-90; R.C. v. Walgreen Co. , 733 F. Supp. 3d 876, 889 (C.D. Cal. 2024). The second principle hinges on ’s mandate that intangible harms may constitute concrete injuries if they bear a “close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.” 594 U.S. at 425. “[B]oth the common law and the literal understandings of privacy encompass the individual’s control of information concerning his or her person .” U.S. Dep’t of Just. v. Reps. Comm. For Freedom of Press , 489 U.S. 749, 763 (1989) (emphasis added). In other words, a concrete injury arises only where the alleged harm involves personal information—and specifically, information whose disclosure would be considered “highly offensive to a reasonable person.” See Phillips , 74 F.4th at 995-96 (quoting Restatement (Second) of Torts § 652B). IP addresses are information about an address associated with a device, not sensitive personal information. See Forrester , 512 F.3d at 510 (“IP addresses constitute addressing information”); Xu v. Reuters News & Media Inc. , No. 24 CIV. 2466 (PAE), 2025 WL 488501, at *5 (S.D.N.Y. Feb. 13, 2025) (finding that IP addresses are not personal information); see also Mikulsky , 682 F. Supp. 3d at 864 (finding that disclosure of “basic contact information, such as [an] email address or phone number . . . does not bear a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.”); Zynga , 600 F. Supp. 3d at 1049-50 (finding that collection of “basic contact information” is an “insufficient fit” with “the common law privacy torts”).
Plaintiffs argue that a violation of the California Invasion of Privacy Act (“CIPA”) automatically constitutes a concrete injury. (Dkt. No. 38, p. 13.) Plaintiffs rely on language from the Ninth Circuit’s decision in In re Facebook, Inc. Internet Tracking Litig. (“ Facebook Internet Tracking ”), which held that CIPA “codif[ies] a substantive right to privacy, the violation of which gives rise to a concrete injury sufficient to confer standing.” 956 F.3d 589, 598 (9th Cir. 2020). However, TransUnion subsequently clarified that legislative “creation of a statutory prohibition or obligation and a cause of action does not relieve courts of their responsibility to independently decide whether a plaintiff has suffered a concrete harm under Article III . . . .” 594 U.S. at 426. “[U]nder Article III, an injury in law is not an injury in fact.” Id. at 427. “Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” The Ninth Circuit’s decision in Phillips is instructive. There, the plaintiffs alleged that the government’s retention of illegally-obtained records violated their constitutional rights. Phillips , 74 F.4th at 988. The court rejected the contention that “unlawful collection and retention of records alone gives rise to a concrete injury for purposes of standing.” Id. at 995. Relying on TransUnion , the court held that standing could only be established if the “retention of unlawfully obtained or created information amounts to the type of concrete injury recognized by the Supreme Court.” Id. at 993. The Court then examined whether the nature of the retained information supported a concrete injury to a plaintiff’s privacy. Id. at 995-96. It concluded that the information at issue—names, birthdays, Social Security numbers, occupations, addresses, social media profiles, and political views and associations—was not “so sensitive that another’s retention of the information is analogous to tortious conduct.” Id.
A violation of CIPA, like a constitutional violation, does not automatically give rise to a concrete injury. As in Phillips , the information at issue here— an IP address—is not sufficiently private or personal to be analogous to the type of harm recognized in traditional privacy torts. Even assuming Plaintiffs have alleged an injury in law, they have not alleged an injury in fact. See TransUnion , 594 U.S. at 427. As such, Plaintiffs are “not seeking to remedy any harm to [themselves] but instead [are] merely seeking to ensure a defendant’s compliance with regulatory law (and, of course, to obtain some money via the statutory damages).” Id. at 427-28 (internal quotation marks and citation omitted). “Those are not grounds for Article III standing.” at 428.
The Court is aware of a division among district courts in this Circuit as to whether TransUnion overruled Facebook Internet Tracking ’s holding that a violation of CIPA, standing alone, gives rise to a concrete injury. Compare Popa v. PSP Grp., LLC , No. C23-0294JLR, 2023 WL 7001456, at *4 (W.D. Wash. Oct. 24, 2023) (“[T]he court is not persuaded by [the] argument that [ Facebook Internet Tracking ] . . . continue[s] to stand, post- TransUnion , for the proposition that a plaintiff sufferes [sic] an injury in fact simply by alleging a violation of a privacy statute.”) with D’Angelo v. FCA US, LLC , 726 F. Supp. 3d 1179, 1193 (S.D. Cal. 2024) (“ TransUnion does not undermine the reasoning in [ Facebook Internet Tracking ].” (citation omitted)). For the reasons explained above, the Court agrees with those decisions holding that precludes standing where plaintiffs fail to allege a concrete injury, even if they have asserted a violation of CIPA. See , e.g., Rodriguez v. Autotrader.com, Inc. , __F. Supp. 3d__, 2025 WL 65409, at *2 (C.D. Cal. Jan. 8, 2025); Valenzuela v. Keurig Green Mountain, Inc. , No. 3:22-CV-09042-JSC, 2023 WL 6609351, at *2 (N.D. Cal. Oct. 10, 2023); Hughes , 2024 WL 5179916, at *4-5; Lightoller v. Jetblue Airways Corp. , No. 23-CV-00361-H-KSC, 2023 WL 3963823, at *3 (S.D. Cal. June 12, 2023); Byars , 2023 WL 2996686, at *4; Popa , 2023 WL 7001456, at *4.
Moreover, the decisions reaching a contrary conclusion have largely involved information implicating a protectable privacy interest. See, e.g., Brown v. Google LLC , 685 F. Supp. 3d 909, 923-25 (N.D. Cal. 2023) (private browsing history); D’Angelo , 726 F. Supp. 3d at 1192-93 (chat conversations, including ones that were “deeply personal”); Licea v. Cinmar , LLC , 659 F. Supp. 3d 1096, 1101, 1103 (C.D. Cal. 2023) (chat conversations); Keskinen v. Lush Handmade Cosms. LLC , __F. Supp. 3d__, 2025 WL 851074, at *1, 5 (C.D. Cal. Mar. 11, 2025) (telephone conversations). Facebook Internet Tracking also involved information implicating a protectable privacy interest—browsing histories that revealed “an individual’s likes, dislikes, interests, and habits over a significant amount of time.” 956 F.3d at 598-99. The Court specifically distinguished such data from IP addresses, noting that browsing data “reveal[ed] ‘much more information’” about the user than IP addresses. at 604-05 (quoting Forrester , 512 F.3d at 510 n.6). Accordingly, these cases do not address the issue presented here: allegations of a violation of CIPA that, even if true, do not amount to a cognizable privacy injury under Article III. Moreover, neither party could identify a case holding that disclosure of an IP address, by itself, constitutes a concrete injury to privacy that is sufficient to establish Article III standing.
In sum, Plaintiffs have not alleged the disclosure of information that implicates a legally protected privacy interest. As such, Plaintiffs have failed to allege a concrete privacy injury sufficient to establish Article III standing. Because the Court concludes that IP addresses do not implicate a legally protected privacy interest, it need not reach Defendant’s alternative argument that Plaintiffs lacked a subjective expectation of privacy due to their alleged status as “tester” plaintiffs. (Dkt. No. 44, p. 6.)
2. Economic Harm.
Plaintiffs argue that they suffered economic harm because Defendant unjustly profited from the use of their data. (Dkt. No. 38, pp. 11-12.) Unjust enrichment has historical common law roots and thus constitutes a concrete injury under the framework set forth in . See Kellman v. Spokeo, Inc. , No. 21-CV-08976-WHO, 2024 WL 2788418, at *5 (N.D. Cal. May 29, 2024); The Intellectual History of Unjust Enrichment , 133 Harv. L. Rev. 2077, 2078-87 (2020) (describing unjust enrichment’s common-law foundations). However, to establish standing under this theory, Plaintiffs “must allege they retain a stake in the profits garnered from their [IP addresses] because ‘the circumstances are such that, as between the two parties, it is unjust for [Defendant] to retain it.’” Facebook Internet Tracking , 956 F.3d at 600 (quoting McBride v. Boughton , 20 Cal.Rptr.3d 115, 122 (Ct. App. 2004), cleaned up). In other words, Plaintiffs must allege that (1) Defendant’s actions were unjust, and (2) as a result, Defendant was enriched. In re Zoom Video Commc’ns Inc. Priv. Litig. , 525 F. Supp. 3d 1017, 1044 (N.D. Cal. 2021). Here, Plaintiffs fail to plausibly allege that Defendant’s disclosure of their IP addresses was unjust. In Facebook Internet Tracking , the Ninth Circuit found that plaintiffs adequately alleged an injury in unjustly earned profits by stating that defendant “charges users by acquiring the users’ sensitive and valuable personal information and selling it to advertisers for a profit.” 956 F.3d at 601 (internal quotation marks omitted). Thus, Facebook Internet Tracking ’s holding relied on the “sensitive” and “personal” nature of the information at issue. See id. Conversely, the court in Heeger held that Article III standing based on unjust enrichment was “undercut by the scarcity of facts plausibly demonstrating how [defendant’s] profits were unjustly earned, given that the only factual allegations are that [defendant] collected, stored, and used plaintiffs’ IP address information, as to which they had no legally protected privacy interest.” 509 F. Supp. 3d at 1191.
This case is like Heeger . Plaintiffs only specifically allege the disclosure of IP addresses—information which is so commonly shared across the internet that it cannot reasonably be considered private. See id. Just as a retailer might profit from the use of home addresses without being unjustly enriched, Plaintiffs has not shown why Defendant’s use of their IP addresses was unjust. Absent plausible allegations that Defendant profited unjustly from Plaintiffs’ data, Plaintiffs cannot establish an economic injury based on unjust enrichment.
3. Heightened Risk of Future Harm.
Plaintiffs also make a single-sentence argument that their fear their information will be misused in the future constitutes a concrete injury. (Dkt. No. 39, p. 11.) To the extent Plaintiffs seek damages, an unmaterialized risk of future harm does not qualify as a concrete injury. , 594 U.S. at 437. Regardless of the form of relief sought, Plaintiffs have not alleged any facts indicating that the disclosed information could plausibly be used to commit fraud or otherwise cause harm. See Zynga , 600 F. Supp. 3d at 1054 n.15 (rejecting heightened risk of future harm argument where information disclosed could not plausibly be used to commit fraud); In re Google, Inc. Privacy Pol’y Litig ., 58 F. Supp. 3d 968, 978-79 (N.D. Cal. 2014) (rejecting similar argument where sensitive personal information was not disclosed and no criminal activity was alleged). ///
///
///
///
///
///
///
///
///
///
///
CONCLUSION
Plaintiffs have not alleged a concrete injury, and thus have not met their burden of demonstrating Article III standing. The Court therefore GRANTS Defendant’s motion to dismiss. If Plaintiffs believe they can amend the Amended Complaint to adequately allege standing to sue in federal court, they may attempt to do so within 21 days of this order. If a second amended complaint is not filed by that deadline, dismissal of the federal action will be without leave to amend, and this case shall be remanded to the Superior Court of California for the County of San Francisco to decide in the first instance whether Plaintiffs have statutory standing. See Polo v. Innoventions Int’l, LLC , 833 F.3d 1193, 1196 (9th Cir. 2016); Walker v. Kroger Co. , No. 22-CV- 00261-JST, 2022 WL 20208929, at *2 (N.D. Cal. June 21, 2022).
IT IS SO ORDERED . Dated: May 13, 2025 ______________________________________ SALLIE KIM United States Magistrate Judge
[1] The Court GRANTS Defendant’s unopposed request for judicial notice of four documents on file in this district court. (Dkt. No. 45); See Harris v. Cnty. of Orange , 682 F.3d 1126, 1132 (9th Cir. 2012).
[2] During oral argument, Plaintiffs’ counsel asserted that Defendant collected a “digital 27 fingerprint” of Plaintiffs, including browsing activity and interaction data. However, this characterization does not appear in the Amended Complaint and cannot create a factual allegation 28 that is otherwise absent from the pleadings.
[3] The third-party doctrine does not apply to certain types of information, such as a “detailed and comprehensive record of [a] person’s movements” captured by cell-site location data. Carpenter , 585 U.S. at 309-310. Those nuances do not apply here, where the only information at issue is the category of IP addresses. Rosenow , 50 F.4th at 737 (distinguishing IP addresses from cell-site location data).
[4] Plaintiffs contend that an IP address constitutes personal information. (Dkt. No. 38, p. 19 13.) However, the authorities they cite do not directly support this proposition. For instance, In re Google RTB Consumer Privacy Litigation did not hold that an IP address alone constitutes 20 personal information. 606 F. Supp. 3d 935, 946-947 (N.D. Cal. 2022). Instead, it considered a combination of information—“plaintiff’s IP address, geo-location data, and web-browsing 21 information, search terms, and sensitive websites that plaintiffs visited relating to race, religion, sexual orientation, and health”—to be personal information under California law. Similarly, 22 Plaintiffs’ reliance on 45 C.F.R. § 164.514 is misplaced. This regulation does not designate an IP address as protected health information under HIPAA. Rather, it lists IP addresses among 23 identifiers that must be removed to de-identify health information. 45 C.F.R. § 164.514(b)(2)(i). That list also includes names and birth dates, which similarly do not implicate a legally protected 24 privacy interest. The fact that IP addresses can de-anonymize sensitive personal information does not mean that IP addresses themselves constitute sensitive personal information. Similarly, 25 California Civil Code § 1798.140 lists identifiers that may be considered “personal information” if they could be linked to a particular individual or household and are not publicly available, including identifiers that are not inherently private like names and IP addresses. Cal. Civ. Code § 26 1798.140(v). Further, as previously noted, consumers make their IP addresses publicly available 27 by disclosing them to the websites they visit. Lastly, California Penal Code § 1546 classifies IP addresses as “Electronic Communications Information,” not personal information. Cal. Pen. Code 28 § 1546(d).
[5] Plaintiffs’ authorities analyzing statutory standing, but not Article III standing, do not bear on this question. See Shah v. Fandom, Inc. , 754 F. Supp. 3d 924, 932 (N.D. Cal. 2024); Mirmalek v. Los Angeles Times Commc’ns LLC , No. 24-CV-01797-CRB, 2024 WL 5102709, at *4 (N.D. Cal. Dec. 12, 2024). “Article III standing is different from, and not to be measured by, statutory standing.” In re Capacitors Antitrust Litig. , 154 F. Supp. 3d 918, 925 (N.D. Cal. 2015) (citing Steel Co. v. Citizens for a Better Env’t , 523 U.S. 83, 97 (1998)). Plaintiffs’ authorities predating TransUnion are also unhelpful.