Video game developer Ubisoft, Inc. came out on top earlier this month in the Northern District of California when a judge dismissed, with prejudice, a class action claiming that the company’s use of third-party website pixels violated privacy laws. The judge concluded that the “issue of consent defeat[ed] all of Plaintiffs’ claims.” Lakes v. Ubisoft, Inc., No. 24-cv-06943, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).

The plaintiffs alleged that Ubisoft collected and disclosed plaintiffs’ personal information and website usage without their consent through website pixels. Ubisoft moved to dismiss the claims based on the fact that the plaintiffs’ claims relied on the lack of consent but that plaintiffs had “consented to the use of cookies and pixels . . . at least three times during the purchase process” when plaintiffs (1) “interacted with the Cookies Banner” when visiting the website; (2) created accounts on the website, which required the plaintiffs to “accept Ubisoft’s Terms of Use, Terms of Sale, and Privacy Policy”; and (3) “made purchases” at which point Ubisoft’s terms and Privacy Policy were displayed again.

The court took judicial notice of Ubisoft’s Privacy Policy, cookie pop-up, and cookie settings and held that the plaintiffs’ consent defeated their claims:

  • Federal Wiretap Act: The federal Wiretap Act allows for the interception of communications where “one of the parties to the communication has given prior consent to such interception,” and the interception is not “for the purpose of committing any criminal or tortious act.” The court determined that the plaintiffs provided consent and that the crime-tort exception to consent did not apply.
  • California Invasion of Privacy Act, California Constitution, and Common-Law Invasion of Privacy: The court held that the plaintiffs’ consent was a “defense to all three claims” under CIPA, the California Constitution, and California common law invasion of privacy.
  • Video Privacy Protection Act: The court determined that Ubisoft’s disclosures in its Privacy Policy, terms, and on its website through banners and pop-ups satisfied each element of the VPPA’s consent provision. 

The plaintiffs sought a request for leave to amend, but the court denied the request, concluding that any amendment would be “futile” because plaintiffs could not “amend their complaint to overcome the issue of consent.” 

A key takeaway for companies to consider is to revamp your website Privacy Policy disclosures, confirm that your website’s cookie preferences and banner are visible and user-friendly, and clearly articulate the use of third-party trackers and the data disclosed to your website users.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Read more about Kathryn Rattigan
Show more Show less