Court: CIPA Lawsuit Against Adidas Can Proceed

Adidas has been accused of violating the California Invasion of Privacy Act (CIPA) by installing tracking pixels on its website: “small, almost-invisible images embedded on the website to track a user’s activities.” The footwear and sports apparel company was sued in a class action filed in the California Southern District Court. Now, a ruling has come down from the court: the CIPA lawsuit against Adidas can proceed. Legal experts are paying close attention to the outcome of the case because it could have major implications for California’s data privacy laws.

The user information collected by the Adidas website is allegedly sent to TikTok and Microsoft, purportedly for analytics and advertising purposes. But this information about website visitors can also be shared with third parties such as data brokers, advertisers, and even the Chinese Communist Party, which raises serious privacy concerns.

For more information about the class action against Adidas, keep reading.

Adidas Accused of Installing Software on Website to Track Customer Activity

Adidas is an international sportswear company that specializes in footwear and athletic apparel. It is the second-largest sportswear manufacturer in the world. The Adidas website, www.adidas.com/us, allows consumers to learn about and purchase the sportswear company’s products.

When a user visits the Adidas website, code allegedly installs a tracker into the user’s browser without permission. This tracker can then access the user’s interactions on the website, as well as other sensitive customer information. The pixel-tracking software allegedly gives Adidas the ability to place targeted advertisements on users’ screens.

What Customer Data Is Tracked on the Adidas Website?

According to the class action lawsuit, the data tracked by Adidas on its website without permission includes:

  • The user’s operating system.
  • The user’s IP address.
  • The time when the website was accessed.
  • Any previous “cookies” on the user’s browser.

The plaintiffs in the civil suit also allege that Adidas used cookies to track and collect customer input data. This would include information that customers entered into the website’s forms, such as name, age, gender, email address, location, payment information, demographic information, and search queries.

Class Action: Adidas Collects and Shares Customer Data with TikTok

Adidas allegedly used at least two different pixel trackers on its website: TikTok Software and Microsoft Bing Software.

TikTok Software on Adidas Website

According to the complaint against Adidas, the TikTok Software “enables website owners to track users’ interactions with the website.” The TikTok Software then allegedly sends data to the China-owned social media company, including:

  • Timestamp: When a website visitor clicks on a button or takes any other action.
  • IP address: This can be used to determine the geographic location of the user.
  • Unique browser identifiers: These are assigned to a user’s device or browser session, and they can be used to distinguish one user from another.
  • Device details: This includes the make, model, and operating system of the computer or cell phone used to access the website.
  • Browser information: This may include information about the user’s online activity.

The TikTok Software on the Adidas website also allegedly uses “fingerprinting.” This is a process that collects information about the website user and matches it to information within the existing TikTok database across other websites that also have the TikTok Software installed. The information gathered by TikTok can then be associated with personally identifying information about the user.

Additionally, the TikTok Software allegedly utilizes “AutoAdvanced Matching,” which allows Adidas to determine highly personal information about a website user and then send that data to TikTok. The personal information allegedly collected by the AutoAdvanced Matching feature includes the user’s name, date of birth, and address.

Microsoft Software on Adidas Website

The Microsoft Bing Software utilized by the Adidas website places a cookie on the user’s browser to collect information. The software allegedly allows both Adidas and Microsoft to identify website users by creating a unique Microsoft ID to track users’ activity across the internet.

Significantly, Adidas does not actively notify website users about either the TikTok Software or the Microsoft Bing Software allegedly being used to track users’ activity.

Lawsuit Accuses Adidas of Violating the California Invasion of Privacy Act (CIPA)

Camplisson et al v. Adidas America, Inc. is a class action filed against Adidas in the U.S. District Court for the Southern District of California. The plaintiffs in the class action lawsuit are California residents who visited the Adidas website. The plaintiffs claimed that they suffered injuries because their personal information was improperly acquired the moment that they landed on the Adidas website. Additionally, the plaintiffs claimed that they did not consent to having their personal information collected, stored, or disseminated.

The statutory basis for the lawsuit is the California Invasion of Privacy Act (CIPA). The plaintiffs alleged that Adidas violated CIPA when the company installed and used tracking pixels on users’ browsers and collected their private information without permission. Since these tracking pixels qualify as “pen registers” under Cal. Penal Code § 638.50(b), argued the plaintiffs, Adidas violated CIPA’s prohibition against the unauthorized use of pen registers and trap & trace devices.

Court Rejects Motion to Dismiss Data Privacy Lawsuit Against Adidas

Adidas attempted to get the case thrown out during the pre-trial stage by filing a motion to dismiss. The Defendant argued that the complaint lacked Article III standing and statutory standing because the plaintiffs supposedly failed to allege a concrete privacy harm. The plaintiffs responded that they have standing to sue because they suffered an injury-in-fact and the trackers used by Adidas constituted a “pen register” in violation of the CIPA.

The federal court held a hearing on the matter and ultimately agreed with the plaintiffs: the plaintiffs have both statutory standing and Article III standing to sue Adidas. This means that the CIPA claim against Adidas can move forward and potentially proceed to trial.

California Consumers Have Statutory Standing to Sue Adidas for CIPA Violations

Statutory standing basically means that a plaintiff can bring a lawsuit so long as their claim falls within the statute they are suing under. The basis for the lawsuit against Adidas is the California Invasion of Privacy Act (CIPA), which prohibits unauthorized interceptions of communications. In its ruling rejecting the Defendant’s motion to dismiss, the U.S. District Court stated that an individual who has been injured by a party that “installs or uses a pen register or a trap and trace device without first obtaining a court order” would have standing under CIPA.

During the pre-trial hearing, Adidas argued that the plaintiffs in the class action suit failed to plead any injury that would allow for statutory standing to sue. The court rejected this argument because it relied on a restrictive interpretation of the law. The court found that standing to sue under CIPA does not require more than a showing that one’s privacy rights were violated. Importantly, the court cited recent case law, including Conohan v. Rad Power Bikes.

Rad Power Bikes Case: TikTok Software Violates CIPA

The Rad Power Bikes case concerned a consumer class action against an e-bike company that embedded TikTok tracking code on its website to deanonymize users. The California Central District Court ruled that the plaintiffs, represented by the data privacy attorneys at Tauler Smith LLP, plausibly alleged that the Defendant violated CIPA by using TikTok Software to fingerprint and identify website visitors as soon as they landed on the site.

In the Adidas case, the court held that the plaintiffs have statutory standing to sue because they specifically alleged that their personally identifiable information was recorded by Adidas without consent.

Court: Adidas Website Visitors Have Article III Standing to Sue for CIPA Violations

Adidas also argued that the plaintiffs failed to allege a particular injury and instead merely pleaded a bare “procedural violation.” If true, this would preclude standing to sue under Article III because the U.S. Constitution requires that an injury must be “concrete, particularized, and actual or imminent.” In other words, the plaintiff would need to allege an injury that is more than just abstract; it would need to affect the plaintiff in a personal and individual way.

On this point, Adidas argued that there was no concrete injury because the California Invasion of Privacy Act (CIPA) only applies to landline telephones, not internet communications. In support of this argument, Adidas noted that internet technologies had not yet been invented when the CIPA was enacted. The U.S. District Court rejected this line of reasoning and ruled against Adidas.

The court pointed out that legislators very clearly did not intend the statute to be limited to only telephone technologies. That’s because California lawmakers wanted to “broadly protect the right of privacy of the people of the state.” Other courts have also consistently ruled that CIPA applies to website communications. Therefore, the plaintiffs would have standing to sue under Article III because the tracking pixels used by Adidas fall within the scope of CIPA.

Court: Adidas May Have Violated CIPA by Accessing Customers’ Sensitive Personal Information

Adidas also made an argument concerning Article III: that the plaintiffs did not have standing to sue because the user data collected by the Defendant was not “sensitive” personal information. The U.S. District Court rejected this argument as well.

The court noted that the legislative history of CIPA indicates that the California legislature intended to protect a substantive right to privacy, and that there was no statutory requirement of any additional injury beyond the violation of that right. Moreover, said the court, there has never been any sort of heightened requirement that the information collected be deemed “sensitive.”

Once again, the court cited Conohan v. Rad Power Bikes as precedent. The Los Angeles data privacy attorneys at Tauler Smith LLP represented the plaintiffs who sued Rad Power Bikes. Significantly, the court in that case found that the plaintiffs had Article III standing to sue because their privacy rights were violated, and this constituted “sufficient injury for standing purposes.”

In the Adidas case, the trackers on the Adidas website collected the personal identifying information of users without their consent. This would be a clear violation of CIPA’s explicit protection of individuals’ privacy rights, particularly the right to control access to personal information.

Internet “Cookies” Are Pen Registers Under the CIPA

Adidas also tried to get the class action lawsuit dismissed for “failing to state a claim upon which relief can be granted.” Specifically, Adidas argued that the lawsuit was invalid because cookies do not qualify as “pen registers” under the California Invasion of Privacy Act (CIPA). The court rejected this argument, too.

Section 638.50 of the CIPA defines a “pen register” as a device or process that records dialing, routing, addressing, or signaling information but not the contents of a communication. The court noted that the definition of a pen register under the statute is intentionally broad and “not limited to specific technology.” This means that internet communications and cookies do qualify as pen registers.

Tauler Smith LLP Represented Plaintiffs in Moody v. C2 Educational Systems

The Adidas court cited several other cases in which different California courts recognized that website trackers can constitute a pen register or trap & trace device. One of these cases was Moody v. C2 Educational Systems, in which the California Central District Court ruled that TikTok Software embedded on a major tutoring company’s website fell within the scope of CIPA.

The plaintiffs in that data privacy class action were represented by Tauler Smith LLP, and they secured a big pre-trial victory when the court found that the use of de-anonymization software known as “fingerprinting” to collect website visitor data can constitute an unlawful invasion of privacy.

Court: There Was No User Consent for Tracking Pixels on Adidas Website

Adidas made yet another argument that got rejected by the U.S. District Court: users agreed to the installation of cookies and tracking pixels on their devices. Here, Adidas vainly contended that website users automatically consented to the collection of their data as soon as they landed on the site and saw the Privacy Policy link.

In its motion to dismiss the complaint, Adidas acknowledged the use of tracking pixels on its website but claimed that it notified users via the Terms and Conditions page and the Privacy Policy. According to Adidas, the Terms and Conditions outlined that third-party trackers, such as cookies, were used by Adidas for targeted advertising purposes. Additionally, the Privacy Policy stated that cookies and other tracking technologies were used by the website to collect and store users’ data.

The Adidas website Privacy Policy stated that “cookies and other tracking technologies are implemented on the browser in order to collect and store data.” Additionally, the website Terms and Conditions referenced the Privacy Policy and declared that both are “binding on all visitors to the website.”

However, the court emphasized that this was not enough: Adidas needed to make sure that the Privacy Policy and the Terms and Conditions were conspicuous enough that users could notice them. Both the Terms and Conditions page and the Privacy Policy were located in a hyperlink at the very bottom of the Adidas website. The hyperlink was in small font and not conspicuous or easy to notice.

Browsewrap Agreements on Websites Must Be Conspicuous

Other courts have previously ruled that browsewrap agreements like the Adidas Privacy Policy cannot be enforced where the link is “buried at the bottom of the page or tucked away in obscure corners of the website where users are unlikely to see it.” The federal court in the Adidas case found that Adidas failed to make the Privacy Policy or the Terms and Conditions prominent: instead, users were forced to scroll down to the website footer in order to find the links.

Beyond that, the court in the Adidas class action also found that Adidas failed to provide website users with a meaningful opportunity to consent to having their data collected because there was no mechanism for “affirmative action to demonstrate assent.” The Adidas website needed to include a pop-up window that would obtain users’ consent.

Contact the California Data Privacy Lawyers at Tauler Smith LLP

Data privacy violations have become a huge concern for consumers who frequently use the internet and social media – only to later learn that their personal information has been intercepted and shared with third parties who want to monetize the data. Thankfully, California has the strongest data privacy laws in the country. If you are a California resident whose private information was collected without permission, you may have legal recourse.

Call 310-590-3927 or send an email today to speak with one of the experienced Los Angeles data privacy lawyers at Tauler Smith LLP.