The recent decision in Wiley v. Universal Music Group highlights how courts are scrutinizing website operators’ privacy controls and representations, particularly regarding cookie banners and opt-out tools. 2025 WL 3654085 (N.D. Cal. Dec. 17, 2025). In a recent decision, although Universal Music Group (UMG) dodged most of the putative class claims over its handling of third-party tracking cookies, some key allegations survived. The case offers timely reminders for any company managing user data and transparency obligations.

Case Overview

UMG is a music company that owns and operates websites where users can obtain information about artists and merchandise. A putative class sued UMG, alleging that several of its music websites continued to deploy third-party advertising and analytics cookies even when users opted to “Decline All” via the site’s cookie consent banner. Plaintiffs alleged multiple privacy, contract, and fraud violations under California law and common law. UMG successfully moved to dismiss the bulk of the claims, though some (especially those grounded in privacy expectations) remain alive.

Key Findings

Wiretapping and Pen Register (CIPA) Claims Dismissed

Plaintiffs’ claims under the California Invasion of Privacy Act (CIPA) regarding wiretapping and pen register provisions were dismissed, with leave to amend. The court found that plaintiffs failed to allege that their own communications with UMG sites were “intercepted” in a way that meets CIPA’s requirements. Simply opting out of cookies and visiting websites did not, by itself, constitute an actionable “communication” for wiretapping or pen register purposes. This holding could impact other plaintiffs raising similar CIPA claims based on online tracking technologies. The court emphasized that a valid CIPA interception claim requires specific, individualized allegations that a plaintiff’s own communications were actually intercepted or contents accessed while “in transit,” not just generalized assertions about user activity or tracking across a website.

Fraud and Contract Claims Rejected

The court dismissed the common law fraud claim for lack of specificity, finding that plaintiffs did not identify when or how UMG’s cookie banners allegedly made misrepresentations to them. This meant UMG could not be put on fair notice to defend. Similarly, the breach of implied contract claim could not proceed because plaintiffs failed to allege any bargained-for exchange since access to UMG’s websites was available regardless of cookie preferences.

Unjust Enrichment Claim Survives

However, the plaintiffs’ unjust enrichment claim was allowed to proceed. The court found it plausible that UMG misled users about the effect of declining cookies and that the company benefitted from unauthorized data collection for marketing purposes, even if no formal contract existed. As a result, UMG may be required to disgorge the value derived from this allegedly improper use of personal data. This finding suggests that unjust enrichment may remain a significant avenue for litigation risk in privacy and data tracking cases, even where other legal theories fail.

Invasion of Privacy and Intrusion Upon Seclusion Survive

Additionally, the claims for invasion of privacy and intrusion upon seclusion were not dismissed. Here, the court agreed that plaintiffs plausibly alleged a reasonable expectation of privacy (reinforced by the cookie banner’s promises and the structure of the California Consumer Privacy Act (CCPA)), California’s consumer privacy law, which supports consumers’ opt-out rights. Further, the court found that this was a highly offensive intrusion, especially since UMG allegedly deceived users and collected broad categories of personal and behavioral data after users explicitly opted out.

The court’s analysis underscores how CCPA-related practices and representations can transform user expectations. Where a website assures consumers that cookies and associated tracking can be declined, courts may treat any undisclosed override as an egregious privacy violation.

Takeaways and Lessons for Businesses

  • Website representations matter – If your website offers visitors control, such as a “Decline All” button or other opt-out for cookies or tracking, your data practices must align with those promises. Plaintiffs and regulators are testing banners for both accuracy and technical enforcement. Any dark pattern or technical override of consent can support privacy and unjust enrichment claims.
  • CCPA and consumer expectations – California’s CCPA and its opt-out regime are shaping what qualifies as a “reasonable expectation of privacy,” and many other states are following in California’s footsteps with comprehensive consumer privacy laws. Currently, 20 states have such privacy laws in effect. Businesses operating in these states must treat privacy representations and opt-outs as enforceable boundaries.
  • Unjust enrichment as a standalone risk – Even without contract formation or common law fraud, courts may allow users to recover the “value” of their misappropriated data through restitution claims such as unjust enrichment. This outcome may signal increasing judicial willingness to treat consumer data as conferring value to a business, independent of a formal contract.
  • Documentation and transparency are key – Businesses should regularly audit cookie consent mechanisms, privacy banners, and disclosures to so that technical and operational process match the representations given to users. Undocumented exceptions or technical gaps can create exposure, even if users aren’t personally harmed in a traditional sense.
  • Regular policy updates – Keeping privacy policies and cookie practices accurately updated is not just best practice, but a compliance requirement under many state privacy laws. Regulators may view outdated disclosures as a red flag for enforcement, so companies should conduct annual policy reviews and updates.

The UMG decision reinforces that privacy as promised is privacy as legally required. If your business tells users that tracking can be declined, you must have robust systems in place to honor that promise. This will not only mitigate litigation risk but will also maintain consumer trust as privacy expectations evolve.

Photo of Roma Patel Roma Patel

Roma Patel focuses her practice on a broad range of data privacy and cybersecurity matters. She handles comprehensive responses to cybersecurity incidents, including business email compromises, network intrusions, inadvertent disclosures and ransomware attacks. In response to privacy and cybersecurity incidents, Roma guides clients…

Roma Patel focuses her practice on a broad range of data privacy and cybersecurity matters. She handles comprehensive responses to cybersecurity incidents, including business email compromises, network intrusions, inadvertent disclosures and ransomware attacks. In response to privacy and cybersecurity incidents, Roma guides clients through initial response, forensic investigation, and regulatory obligations in a manner that balances legal risks and business or organizational needs. Read her full rc.com bio here.

Read more about Roma Patel
Show more Show less