Continuing the trend of early dismissals in website wiretapping cases, a California federal court has dismissed a putative class action challenging the use of third-party pixel technology on nonprofit food bank websites. Timothee v. Meta Platforms, Inc., No. 25-CV-05106-LB, 2026 WL 1130363 (N.D. Cal. Apr. 27, 2026). The court held plaintiffs failed to plausibly plead concrete injury to establish Article III standing, consented to the third party’s receipt of their information, and proposed an impermissibly broad nationwide class.
The plaintiffs in Timothee alleged that several nonprofit food banks embedded third-party pixel technology into their websites, which collected and transmitted users’ addresses and “intent to receive nutrition assistance.” Some plaintiffs further alleged that the pixel technology collected detailed information about “financial hardship,” “disability status, mobility status, and urgency of [their] need for food assistance.” According to plaintiffs, this information was then used by the third party to target them with advertisements. The plaintiffs claimed these transmissions violated the California Invasion of Privacy Act (“CIPA”), the Federal Wiretap Act, and various California privacy and common-law doctrines. The court disagreed, dismissing plaintiffs’ claims, with leave to amend, on three grounds.
First, the court held plaintiffs failed to adequately allege Article III standing to sue the food bank defendants. Anchoring its analysis in the Ninth Circuit’s decision in Popa v. Microsoft Corporation, the court explained that standing in the privacy context occurs “where the alleged harm is ‘similar to the highly offensive interferences or disclosures that were actionable at common law.’” Applying that framework, the court concluded plaintiffs failed to allege a concrete injury because they identified no authority holding that the information collected or the receipt of targeted advertisements is traditionally actionable or highly offensive. The court also rejected plaintiffs’ effort to analogize disclosure of food bank website usage to the disclosure of welfare status prohibited by California statute, finding the situations not comparable.
Second, the court concluded that plaintiffs consented to the third party’s receipt of their information when they agreed to the third party’s policies. Those policies “explicitly notify” plaintiffs of the alleged practices by disclosing that the third party receives information from websites about plaintiffs’ activities on those sites and uses that information for advertising. Although the third party’s policies were not attached to the complaint, the court considered them incorporated by reference because plaintiffs’ claims “depend[] on the contents of [the] document” to determine consent. Critically, the court also concluded that plaintiffs had failed to plausibly allege that the third party “received or shared sensitive information of any kind,” which undermined plaintiffs’ allegations regarding lack of consent.
Third, the court struck plaintiffs’ proposed class definition, despite the general reluctance to do so at the pleading stage. The plaintiffs had proposed a nationwide class of all persons in the United States who had used the food bank websites in the last year. The court held this proposed class was facially overbroad because many users who visited the website would not have transmitted any of the alleged information relevant to plaintiffs’ claims, and thus liability would necessarily turn on individualized inquiries.
This case reiterates themes for defendants to explore early when faced with website privacy litigation. First, courts continue to require plaintiffs to plead facts showing the disclosure of “highly offensive” information to establish Article III standing in the aftermath of Popa. Second, consent arguments grounded in privacy policies remain viable at the motion to dismiss stage. And third, courts may be willing to reject overbroad class allegations early where the proposed definition is not tethered to the alleged harm.