In a recent ruling underscoring the growing scrutiny on digital tracking practices, U.S. District Court Judge Jon S. Tigar denied Motorola Mobility LLC’s motion to dismiss a class-action lawsuit alleging that the company failed to honor users’ opt-out requests for non-essential cookies on its website. The case, Gabrielli v. Motorola Mobility LLC (No. 4:24-cv-09533, N.D. Cal.), filed in December 2024 by California resident Jonathan Gabrielli, highlights critical tensions in online privacy governance, particularly around consent mechanisms and third-party data sharing. For privacy professionals and lawyers, this decision serves as a reminder of the evolving litigation landscape where seemingly routine website features like cookie banners can trigger significant liability under state privacy statutes.
Case Background and Allegations
The complaint centers on Gabrielli’s visits to Motorola’s website (motorola.com) in 2022 and 2023, during which he encountered a cookie consent banner promising users the ability to “Reject All non-essential cookies” via a dedicated button. Despite selecting this option, Gabrielli alleges that Motorola permitted third-party trackers including those from Google, TikTok, Amazon, and others to deploy cookies and collect his browsing data. This data reportedly included sensitive details such as IP addresses, device identifiers, and interaction history, which were transmitted to these entities without his effective consent.
Gabrielli characterizes Motorola’s opt-out mechanism as a “fake button” designed to create a “false sense of security,” arguing that the company’s representations were deceptive and undermined user autonomy over personal data. The suit proposes a class of all California residents who visited the site and opted out but were still tracked, seeking statutory damages, injunctive relief, and attorney fees. Motorola countered in its dismissal motion that the button’s presence demonstrated good-faith intent and any malfunction was likely a “bona fide error,” but Judge Tigar ruled on July 14, 2025, that these defenses raised factual disputes unsuitable for resolution at the pleadings stage. The court found Gabrielli’s allegations sufficient to plead concrete injury-in-fact for standing purposes, paving the way for discovery into Motorola’s tracking infrastructure.
This case exemplifies a broader wave of “tester” litigation, where plaintiffs proactively seek out privacy lapses on websites. Privacy counsel should note the emphasis on technical functionality: mere provision of an opt-out interface may not suffice if it fails to block tracking in practice, potentially exposing companies to claims of misrepresentation and unauthorized data interception.
This case is also catching the eyes of those who have received demand letters for arbitration. If the name Swigart Law, Tauler Smith, or Pacific Trial Attorneys comes to mind then you’ll appreciate the need for setting up privacy software with the help of Captain Compliance.
Direct Ties to the California Invasion of Privacy Act (CIPA)
At the heart of the suit is California’s wiretap provision under the California Invasion of Privacy Act (CIPA, Cal. Penal Code § 631), which prohibits the unauthorized interception of communications, including electronic ones. Gabrielli invokes § 631 to argue that Motorola’s allowance of third-party cookies constituted an illegal “eavesdropping” on his website interactions, akin to wiretapping. Courts have increasingly applied CIPA to digital tracking tools like cookies, pixels, and beacons, viewing them as mechanisms that “intercept” user data in real-time without consent.
CIPA’s application here is particularly potent because it imposes strict liability and statutory damages of up to $5,000 per violation, without requiring proof of actual harm. Recent amendments to CIPA, such as those passed in June 2025 via SB 690, clarify exemptions for certain cookie uses tied to “business purposes” under other privacy laws, but they do not apply retroactively and still mandate compliance with opt-out signals. For lawyers advising clients, this means auditing cookie banners for actual efficacy—ensuring that “Reject All” selections genuinely halt non-essential tracking—is essential to mitigate CIPA risks. The Gabrielli ruling aligns with other CIPA cases targeting website analytics, where plaintiffs have successfully argued that unconsented data routing to third parties violates the statute’s anti-interception mandate.
The complaint also advances an “intrusion upon seclusion” claim, a common-law tort under California law that complements CIPA by addressing highly offensive invasions of privacy. Judge Tigar upheld this, noting that deliberate opt-out failures could meet the threshold for intentional intrusion if proven.
Connections to the Electronic Communications Privacy Act (ECPA)
While the Gabrielli suit is grounded in state law, it echoes themes from the federal Electronic Communications Privacy Act (ECPA, 18 U.S.C. §§ 2510-2523), which amends the Wiretap Act to protect electronic communications from unauthorized interception, access, or disclosure. ECPA has been invoked in analogous website tracking litigation, where plaintiffs allege that tools like session replay software or pixels “intercept” user inputs (e.g., keystrokes or clicks) in transit to third parties.
Unlike CIPA, which applies broadly to any “communication” and has fueled a surge in California-specific suits, ECPA requires interstate transmission and often faces higher hurdles, such as the “party exception” (allowing interception by communication participants) or consent defenses. In cases like In re Pharmatrak, Inc. (2003), courts dismissed ECPA claims against website trackers, holding that routine data collection did not constitute unlawful interception absent malicious intent. However, ECPA’s Stored Communications Act component (Title II) could apply if tracked data is stored and accessed post-transmission, providing a federal overlay for multi-state classes. A law firm out of Chicago, Illinois Almeida Law Group has been active with ECPA claims when the business violates HIPAA.
Privacy professionals should consider ECPA in hybrid litigation strategies: while Gabrielli proceeds under CIPA, similar facts could support ECPA claims in federal courts, especially for companies operating nationally. The interplay highlights a patchwork regulatory environment, where state laws like CIPA fill gaps in ECPA’s aging framework, which predates modern web tracking.
Implications Under the California Consumer Privacy Act (CCPA)
The Gabrielli allegations also intersect with the California Consumer Privacy Act (CCPA, Cal. Civ. Code §§ 1798.100 et seq.), as amended by the California Privacy Rights Act (CPRA). CCPA grants consumers the right to opt out of the “sale” or “sharing” of personal information, which courts and the California Privacy Protection Agency (CPPA) interpret to include cross-context behavioral advertising via cookies. Motorola’s alleged failure to block third-party trackers after opt-out mirrors CCPA violations, where businesses must honor requests within 15 days and ensure mechanisms like Global Privacy Control (GPC) signals are respected.
Although the complaint does not explicitly plead CCPA claims, the facts could support them—particularly if tracking involved monetized data sharing. Recent CPPA enforcement actions, such as against Honda in 2025 for defective cookie opt-outs, demonstrate aggressive scrutiny: the agency fined entities for imposing “excessive hurdles” on opt-outs, like non-functional banners. Fines under CCPA reach $7,500 per intentional violation, and private rights of action exist for data breaches, but enforcement trends suggest increasing focus on tracking compliance.
For lawyers, integrating CCPA into risk assessments is key: websites must align cookie policies with CCPA’s notice and opt-out requirements, including clear disclosures of data recipients. The Gabrielli case could inspire amended complaints adding CCPA counts, especially as CPPA rulemaking evolves to address “dark patterns” in consent interfaces.
Takeaways for Privacy Practitioners
This ruling amplifies the need for robust privacy-by-design in website ecosystems. Key action items include:
- Technical Audits: Regularly test opt-out buttons to confirm they disable trackers, using tools like browser developer consoles.
- Consent Management: Adopt granular, CCPA-compliant banners that distinguish essential vs. non-essential cookies and honor automated signals.
- Litigation Preparedness: Document intent and error logs to bolster “bona fide mistake” defenses under CIPA and ECPA.
- Multi-Law Compliance: Harmonize practices across CIPA (interception), ECPA (federal electronic privacy), and CCPA (data rights) to avoid cascading liabilities.
As privacy litigation proliferates amid “robust data privacy laws,” cases like Gabrielli signal that opt-out promises must be more than performative—failure to deliver can invite scrutiny from courts, regulators, and class-action plaintiffs alike. Privacy teams should monitor developments in this suit for precedents on tracking accountability.
