The Standing Struggle
The central issue: injury—or the lack thereof.
Under long-standing U.S. Supreme Court precedent, plaintiffs must show a concrete harm. Judge Sabraw concluded that Bradshaw and Lopez had not. Though intangible harms can suffice, they must mirror the types of injuries recognized in common-law torts.
Intrusion Upon Seclusion Argument Falls Short
The plaintiffs argued their situation resembled intrusion upon seclusion, which hinges on an intentional invasion of a space where privacy expectations are reasonable. But the judge found the complaint failed to show any such expectation tied to the core allegation: Lowe’s purportedly transmitted users’ IP addresses to TikTok and Microsoft via the TikTok Pixel and Microsoft Bat Bing Tracker.
“This information may fall within the scope of CIPA Section 638.50(b),” Judge Sabraw wrote, “but plaintiffs must still demonstrate a reasonable expectation of privacy in it.” He added that case law “overwhelmingly” rejects the idea that IP addresses are private.
Plaintiffs countered that IP addresses were just part of the data secretly captured—claiming unique identifiers, Microsoft IDs, timestamps, and device or browser details were also swept up. Judge Sabraw, however, said the operative complaint undermined that assertion and left unclear whether such data is even covered under the statute, which regulates “pen register” devices capable of logging certain routing or signaling information.
Without proving the data falls under Section 638.51(a), any harm tied to its collection cannot fuel a CIPA violation, he concluded.
