A federal judge has ruled that CNN must face a proposed class action alleging that its website shared consumers’ personal information with Microsoft and adtech firms without consent, in alleged violation of the California Invasion of Privacy Act (CIPA). The lawsuit challenges CNN’s alleged use of online tracking tools and the downstream sharing of data in the digital advertising ecosystem.
According to the complaint, CNN allegedly embedded tracking tools from Microsoft, PubMatic, and OpenX that enabled those companies to collect users’ personal information and build detailed marketing profiles for targeted advertising purposes. The complaint further alleges that at least one advertiser bid on the plaintiff’s information, and that it was likely circulated far more broadly during automated real-time bidding for ad space.
In denying CNN’s motion to dismiss, the judge said that the plaintiff adequately alleged a concrete injury sufficient for federal standing, pointing to allegations that their information was collected and sold in the online advertising marketplace in a manner described as “highly offensive.” The court also found the pleadings sufficient at this stage to claim that the tracking code functioned as a “pen register” under CIPA while noting it was premature to resolve CNN’s argument that it was exempt under a CIPA provision related to operating or maintaining its service. This decision signals that publishers using embedded adtech and analytics tools may face heightened litigation risk under CIPA when user data is collected or shared without clear, consent-based disclosures.