Orellana v. OneTrust LLC – Complaint for Invasion of Privacy

Table of Contents

Orellana v. OneTrust LLC – Complaint for Invasion of Privacy

Case: Lucas Orellana v. OneTrust LLC, a Delaware limited liability company, d/b/a www.onetrust.com

Court: Superior Court of the State of California, County of Los Angeles

Filing Date: June 25, 2026

Plaintiff Counsel: Scott J. Ferrell and Victoria C. Knowles, Pacific Trial Attorneys, APC

The following is the text of the complaint. Allegations in a complaint are claims made by the plaintiff and have not been proven in court. This is a translation of the filed complaint. 

OneTrust Privacy Lawsuit

Complaint for Invasion of Privacy

PACIFIC TRIAL ATTORNEYS
A Professional Corporation
Scott J. Ferrell, Bar No. 202091
sferrell@pacifictrialattorneys.com
Victoria C. Knowles, Bar No. 277231
vknowles@pacifictrialattorneys.com
4100 Newport Place Drive, Ste. 800
Newport Beach, CA 92660
Tel: (949) 706-6464
Fax: (949) 706-6469

Attorneys for Plaintiff

SUPERIOR COURT OF THE STATE OF CALIFORNIA
FOR THE COUNTY OF LOS ANGELES

LUCAS ORELLANA,
Plaintiff,

v.

ONETRUST LLC, a Delaware limited liability company, d/b/a WWW.ONETRUST.COM,
Defendant.

COMPLAINT FOR INVASION OF PRIVACY

I. Introduction

1. This case involves an outrageous privacy “bait and switch” scheme: Defendant lures visitors to onetrust.com (the Website) by assuring consumers that it respects their privacy. Defendant even presents visitors with a “consent banner” that purports to allow visitors to choose whether to permit Defendant to install third party tracking cookies used to harvest their private information. However, Defendant secretly tracks, de-anonymizes, and sells visitors’ personal information before a user can provide legally valid consent. As shown below, Defendant has violated California law.

Jurisdiction and Venue

2. As a Court of general jurisdiction, this Court has jurisdiction over all matters presented to it per the mandates of the California Constitution.

3. Venue is proper in this County.

4. Defendant is subject to jurisdiction because the exercise of jurisdiction over Defendant is not “inconsistent with the Constitution of this state or the United States.”

Parties

5. Plaintiff is a resident and citizen of California.

6. Defendant is a Delaware limited liability company that operates the website. The website markets and sells data and AI solutions.

Factual Allegations

A. Defendant Secretly Tracks Visitors and Sell Their Personal Information To the Highest Bidders.

7. Defendant’s Website presents users with a “consent banner” that purports to allow visitors to choose whether to allow third party tracking cookies to be installed when visiting Defendant’s Website. In other words, the consent banner tells website visitors that they can decide whether to be tracked and have their personal information harvested by third parties.

8. In reality, Defendant deploys third-party tracking technologies — including cookies and related client-side identifiers associated with SixSense, Adobe Advertising, Adobe Marketo, Google Advertising, LinkedIn, Microsoft Advertising, Xandr, and others—on visitors’ devices before they can even provide legally valid consent. Those tracking cookies enable the third parties to de-anonymize and track users’ online activities such as their browsing history, visit history, website interactions, user input data, demographic information, interests and preferences, shopping behaviors, device information, referring URLs, session information, user identifiers and geolocation data.

9. Plaintiff visited Defendant’s Website several times – most recently in early 2026 – and elected to reject all third-party cookies. Defendant nonetheless secretly installed tracking technology on Plaintiff’s device and caused Plaintiff to be de-anonymized, tracked and surveilled while using the internet.

10. The spyware installed by Defendant’s Website uses algorithms to analyze internet and device data and predict whether two or more devices are owned by the same person. Participating websites and apps then cater their advertisements based on a collective knowledge of the user’s actions across all of their devices. It uses data such as cookie IDs, operating system IDs, IP addresses, online registrations and data from partnering publishers to develop a probability that different devices are shared by the same person.

11. The spyware is used for advertising to consumers across devices, where a user is shown an ad on their mobile or tablet device based on websites they visited on a desktop. For example, if an Android phone visits a website shortly after a desktop PC from the same home network, the spyware will assess that there is a high probability that the two devices are operated by the same person and will show them similar ads on both devices. The spyware also uses cross-device analytics for things like location, timing, user behavior, and audience analysis.

12. The spyware activities described above are known as “fingerprinting.” Put simply, the spyware collects as much data as it can about an otherwise anonymous visitor to the Website and matches it with existing data acquired and accumulated about hundreds of millions of Americans to identify the user and tailor marketing and advertising.

B. The Spyware is a Trap and Trace Device.

13. Under the California Invasion of Privacy Act (CIPA), it is unlawful to use a “trap and trace” device without consent. The tracking cookies secretly installed by Defendant falls squarely within the statutory definition of such a device.

14. Section 638.50(c) of CIPA defines a “trap and trace device” as: “a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication.”

15. CIPA makes it unlawful to install or use such a device without a court order or proper consent, even on a private communication system.

16. Each tracking cookie installed by Defendant on Plaintiff’s device is a “process” that captures routing and addressing information. Each cookie captures and transmits the IP address of the originating device, device identifiers such as cookies, device IDs, or browser fingerprints, URL referrer paths, headers, and session identifiers, and other dialing, routing, addressing, and signaling information that identifies the source of the user’s electronic communication.

17. This data is the very type of “signaling information” contemplated by CIPA’s definition of a trap and trace device. Just like a telephone trap and trace system captures the originating number, each tracking cookie identifies the originating digital sender — Plaintiff — through the routing and addressing metadata automatically included in the HTTP(S) request. The same principle applies here: each tracking cookie is a 21st century analog to a telephone trap and trace device—monitoring the metadata of electronic communications without consent.

18. Defendant did not obtain Plaintiff’s express or implied consent to be subjected to fingerprinting and de-anonymization; in fact, Plaintiff expressly rejected Defendant’s request to fingerprint, track, and de-anonymize Plaintiff.

19. CIPA imposes civil liability and statutory penalties for the installation of trap and trace software without a court order.

C. Defendant’s Conduct is Highly Offensive To A Reasonable Person.

20. Defendant’s “bait and switch” scheme – purporting to offer visitors the opportunity to decline tracking but actually tracking them even after they “opt out” – is highly offensive to a reasonable person for at least five reasons. First, it breaches trust and expectations – Defendant explicitly promised to give visitors a choice, but then installed tracking cookies on plaintiff’s device in direct contravention of its explicit assurances. Second, it involves deception because Defendant promises one thing but does the opposite. That kind of dishonesty makes the conduct more offensive than ordinary tracking because it undermines autonomy and consent—cornerstones of digital privacy. Third, it occurs in a private and sensitive setting. Fourth, it enables unwanted third-party surveillance by allowing cross-site profiling and targeted advertising without Plaintiff’s consent—something most people find invasive when done in secret. Fifth, it violates established privacy norms that companies will be transparent about tracking, obtain meaningful consent, and honor their privacy policies.

21. Defendant’s conduct creates a genuine likelihood of serious harm to Plaintiff. The personal information Defendant surreptitiously harvested via the tracking cookies includes name, contact information, location data, browsing behavior, device fingerprints, and interests. This type of information can be — and has been — used for identity theft, targeted harassment, and manipulative advertising. Data brokers purchasing this information can assemble comprehensive profiles to discriminate, exploit, or endanger users, particularly vulnerable populations such as women, minors, and individuals seeking health services. The danger is not abstract: the FTC has warned that data sold to third parties may be used to expose sensitive locations like domestic violence shelters or reproductive clinics, as well as to facilitate stalking or physical tracking. Such practices impose serious privacy and safety risks, not mere discomfort.

22. Cross-device attribution is a technique used by data brokers and advertisers to link a person’s activity across different devices — such as their phone, laptop, tablet, or smart TV. This means that even if someone switches from browsing on their phone to using a laptop, the data broker can still identify them as the same person.

23. Tracking pixels, which are tiny pieces of code embedded in websites or emails, are key to this. They quietly collect information like IP address, browser type, screen resolution, and behaviors like clicks or time spent on a page. When this data is combined with third-party data or identifiers (such as email hashes or cookies), it becomes possible to follow the user across multiple devices without their knowledge. This is what happened to Plaintiff through Defendant’s Website.

24. Courts and regulators (like the Federal Trade Commission and State Attorneys General) have increasingly recognized that misleading tracking practices — especially those that span across a person’s devices and online life — are not just deceptive, but highly invasive.

25. This conduct is especially offensive when coupled with false privacy promises that Defendant will protect and respect user privacy. Courts have found that misleading consumers into thinking their privacy is respected — while secretly undermining that very privacy — is especially egregious and offensive.

26. The degree and setting of Defendant’s intrusion is particularly severe – what sets Defendant’s conduct apart is not just the nature of the information collected, but the context in which the intrusion occurred. The tracking took place in a purportedly trusted setting—Defendant’s own corporate website—which explicitly assured Plaintiff that Defendant would not track Plaintiff. Instead, Defendant did exactly the opposite.

27. Defendant’s motives and objectives were both deceptive and exploitative: the purpose of the intrusion further supports its offensiveness. Defendant did not track users for benign analytics or internal operations. Rather, Defendant partnered with a data broker known for trafficking in intimate and geolocation data—and did so to profit off Plaintiff’s personal information. This is not an isolated lapse in oversight: it is a deliberate business strategy premised on deception, surveillance, and commodification of user trust. Secretly surveilling users to profit from the sale of their personal data—while falsely promising not to—is the very definition of manipulative and predatory conduct.

28. There are no legitimate or countervailing interests or social norms that render the intrusion inoffensive. First, the data at issue — such as real-time location, unique identifiers, or private browsing data — is highly sensitive and context-dependent. Second, there is no legitimate business or social interest in falsely promising privacy protections while secretly violating them. The only “interest” advanced by Defendant is financial profit derived from deception—an interest that cannot render the intrusion inoffensive under state and federal law.

29. Taken together, the factors articulated by California courts—the severity of the intrusion, the deceptive setting, the potential for serious harm, the exploitative motive, and the lack of any countervailing justification—all weigh heavily in favor of a finding that the intrusion was highly offensive.

II. Causes of Action

First Cause of Action
Violations of the California Trap and Trace Law
Cal. Penal Code § 638.51

30. California’s Trap and Trace Law is part of the California Invasion of Privacy Act (“CIPA”) codified at Cal. Penal Code 630, et. seq.

31. CIPA was enacted to curb “the invasion of privacy resulting from the continual and increasing use of” certain technologies determined to pose “a serious threat to the free exercise of personal liberties.” CIPA extends civil liability for various means of surveillance using technology, including the installation of a trap and trace device.

32. A “trap and trace device” as “a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.” Cal. Penal Code § 638.50(c).

33. California Penal Code § 638.51(a) provides that “a person may not install or use…a trap and trace device without first obtaining a court order.…”

34. Defendant uses a trap and trace process on its Website by deploying the tracking cookie because it captures routing, addressing and/or other signaling information of website visitors including Plaintiff.

35. Defendant did not obtain consent from Plaintiff before using trap and trace technology to identify users of its Website and has violated section 638.51 and did not obtain a court order to do so. In fact, Defendant promised not to track plaintiff after plaintiff chose to “opt out” of tracking, but Defendant did so anyway.

36. CIPA imposes civil liability and statutory penalties for violations of section 638.51. Cal. Penal Code § 637.2.

Second Cause of Action
California Intrusion Upon Seclusion

37. Defendant intentionally intruded upon the private affairs, concerns, and seclusion of Plaintiff by improperly accessing Plaintiff’s personal information and using it for improper purposes, including by partnering with a data broker to sell Plaintiff’s private information to the highest bidder and by targeting Plaintiff with behavioral advertising.

38. Defendant’s intrusions upon the private affairs, concerns, and seclusion of Plaintiff has been substantial and would be highly offensive to a reasonable person and constitute an egregious breach of social norms, as is evidenced by countless consumer surveys, studies, and op-eds decrying the online tracking of website visitors, centuries of common law, state and federal statutes and regulations, legislative commentaries, enforcement actions undertaken by the FTC, industry standards and guidelines, scholarly literature on consumers’ reasonable expectations, and the penalties imposed by the FTC and other regulatory bodies.

39. Plaintiff did not consent to Defendant’s intrusions. Indeed, as shown above, Defendant promised that it would protect Plaintiff’s privacy.

Prayer

WHEREFORE, Plaintiff prays for the following relief against Defendant:

  1. Actual and statutory damages;
  2. Reasonable attorneys’ fees and costs;
  3. An injunction to prevent the unlawful conduct alleged above; and
  4. All other relief that would be just and proper as a matter of law or equity, as determined by the Court.

Dated: June 25, 2026

PACIFIC TRIAL ATTORNEYS, APC

By:
Scott J. Ferrell
Attorneys for Plaintiff

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.