MyFitnessPal CIPA & common law class action over advertising cookies survives dismissal

On February 18, 2026, a California federal judge allowed a class action lawsuit against the diet app MyFitnessPal to proceed in part over allegations that the company failed to honor user opt-out requests.

Key takeaways

• Plaintiffs allege MyFitnessPal placed third-party tracking cookies on their devices even after they expressly opted out via a consent banner
• The judge allowed claims for invasion of privacy, intrusion upon seclusion, and unjust enrichment to proceed
• The court found that users have a reasonable expectation of privacy when a company explicitly promises not to collect information for advertising or analytics

The lawsuit includes claims under CIPA (California Invasion of Privacy Act) and California common law.

What is this case about?

In May 2025, California residents Vishal Shah and Christine Wiley filed a class action complaint against MyFitnessPal in the US District Court for the Northern District of California (Shah et al. v. MyFitnessPal Inc., Case No. 5:25-cv-04430).

The plaintiffs allege that when they visited the MyFitnessPal website, a consent banner gave them the option to reject tracking cookies from outside companies.

However, after they expressly opted out, the company allegedly continued to track their website browsing activities and share personal data with advertising third parties for monetization purposes.

What are the specific allegations?

The complaint alleges that MyFitnessPal “surreptitiously” used third-party pixels to place tracking cookies on users' devices and share personal data with ad partners, including Meta, Google, ByteDance, Amazon, and The Trade Desk.

According to the plaintiffs, these third-party pixels collected sensitive health information, such as calorie counts and dietary restrictions. The plaintiffs argue that this data could be considered private and embarrassing.

The allegations the judge allowed to proceed:

• California constitutional right to privacy (not honoring consent banner data sharing opt-outs)
• California common-law intrusion upon seclusion (not honoring consent banner data sharing opt-outs)
• California’s unjust enrichment restitution doctrine (retention of benefits from allegedly unlawful tracking and monetization of users’ data)

The allegations the judge dismissed:

• CIPA wiretapping provision, California Penal Code § 631 (interception of communications via tracking technologies)
• CIPA pen register / trap-and-trace provision, California Penal Code § 638.51 (use of tracking tools functioning as a pen register)
• California common-law fraud, deceit, and/or misrepresentation (not honoring consent banner data sharing opt-outs)
• California common-law trespass to chattels (interference with users’ devices through unwanted tracking technologies)

Why did the judge let the case proceed?

MyFitnessPal asked the court to throw out (dismiss) the complaint. The company argued the allegations lacked detail and that the plaintiffs had no expectation of privacy regarding browsing history, page views, and other data shared with third parties.

US District Court Judge P. Casey Pitts rejected these arguments, finding that the plaintiffs adequately established standing and a reasonable expectation of privacy.

The judge noted that MyFitnessPal allegedly told users it would not collect information for advertising or analytics if they opted out. As such, a reasonable visitor would expect the company to honor that choice and not place tracking cookies.

The judge allowed the claims for invasion of privacy, intrusion upon seclusion, and unjust enrichment to proceed. Other claims were dismissed, but the judge gave the plaintiffs 28 days to file an amended complaint.

In particular, there are a number of crucial reasons why this case is proceeding:

• MyFitnessPal told users that the cookie banner gave them the ability to opt out of cookies used for advertising purposes.
• However, the specific data allegedly collected includes user input data (e.g., search queries), referring URLs, session info, user identifiers, and geolocation, plus browsing/visit history and interactions/clicks.
• At the same time, the CIPA claims were dismissed. The judge suggested the alleged tracking could involve “contents” (especially search queries, clicks, referring URLs, and health context), but dismissed those claims because plaintiffs didn’t allege their own communications were intercepted.
• Relatedly, the plaintiffs didn’t plead that they actually communicated with the website and didn’t identify the specific dialing/routing/addressing/signaling information tracked.
• The judge, citing the California Attorney General’s CCPA explainer, said the CCPA helps shape Californians’ reasonable expectations about opting out of data collection for cross-context behavioral advertising.
• At the pleading stage, the judge noted that offensiveness is not always resolved, but can be a “plus factor.” The plaintiffs allege they wouldn’t have used the site had they known about the tracking and the lack of effective opt-out functionality, in alleged violation of the CCPA.
• While all of that was considered, the reason the case survives at all is that the court held plaintiffs plausibly alleged a concrete injury, emphasizing:

(1) alleged misrepresentation about tracking, and

(2) the potentially sensitive/embarrassing nature of nutrition/fitness-related interactions.

Legal updates during this stage of the litigation:

• Procedural update: The plaintiffs filed a First Amended Complaint on February 24, 2026.
• Named third parties in this case include Facebook (Meta), Google (Alphabet), TikTok, Amazon, and The Trade Desk.
• Statute of limitations: This wasn’t dismissed as untimely because “last four years” doesn’t make untimeliness apparent on the face of the complaint.
• Motion to strike: MFP tried to strike screenshots and class allegations. The court denied the motion to strike in full (screenshots could be authenticated later, and class issues were not “plain enough” at the pleadings stage).
• Other claims: Fraud and trespass to chattels were dismissed with leave to amend. The fraud claim failed Rule 9(b), and the trespass claim lacked allegations of a substantive “measurable loss” or impairment.

Summary and takeaways

Although the CCPA does not allow for a private right of action for these types of opt-out violations, CCPA standards for honoring data-sharing opt-outs are being applied to laws that do allow for private action.

By operating websites that do not comply with CCPA, companies dramatically increase their risk of expensive litigation for violating CIPA and many other US privacy laws.

This decision highlights the evolving and complex threat of privacy litigation in California, specifically targeting companies over website tracking and consent banners.

While the judge dismissed the CIPA wiretapping claims in this specific instance, the plaintiffs were given leave to amend them, and three core privacy claims survived.

Ensure compliance with Privado AI

• Web Auditor: Scan your websites to verify consent banners, pixels, and data flows are compliant with each regulation in each location. Flag compliance risks in real-time with evidence for exactly what needs to be fixed. No technical implementation required.
• App Auditor: Scan app files to ensure consent banners, SDKs, and data flows are compliant with each regulation in each location. Flag compliance risks in real-time with evidence for exactly what needs to be fixed. No technical implementation required.

MyFitnessPal class action FAQs

What is the MyFitnessPal lawsuit about?

The plaintiffs allege that MyFitnessPal continued to place third-party tracking cookies on their devices and share personal data with ad partners, even after users explicitly opted out via a consent banner on the website.

What data was allegedly collected?

The tracking pixels reportedly captured numerous data points, including:

• sensitive health-related information like calorie counts and dietary restrictions
• search queries
• referring URLs
• session data
• user identifiers
• geolocation
• browsing history.

Why did the judge allow the case to continue?

The judge found that users had a reasonable expectation of privacy, especially because MyFitnessPal allegedly told them it would not collect data for advertising or analytics if they opted out. The court also pointed to the potentially sensitive and embarrassing nature of nutrition and fitness data as part of the alleged concrete injury.

What's the key takeaway for businesses?

Non-compliance with CCPA, including failing to honour cookie opt-outs, significantly increases litigation risk under other California privacy laws. Companies should ensure their consent banners and data practices are actually aligned, not just cosmetically compliant.