Privacy litigation has always had a measurement problem. Everyone understands the intuition: If a bank, hospital, retailer, or platform secretly shares sensitive information with Google, Meta, Adobe, or another tracking ecosystem, something private has been taken. But courts do not award damages for intuition. They ask harder questions. What exactly was disclosed? Was it tied to an identifiable person? Was it sensitive? Was the disclosure “highly offensive”? Did the plaintiff actually expect privacy? And, most importantly, what was the injury?

That is what makes Ingraham v. Capital One Financial Corp., No. 24-cv-05985-TLT, Order Granting-in-Part and Denying-in-Part Defendant’s Motion to Dismiss (N.D. Cal. May 21, 2026), important. The case is not merely another cookie or pixel case. It is a judicial roadmap for what privacy plaintiffs must prove when they claim that invisible tracking technologies transmitted personal and financial data to third parties.

The Claim

The plaintiffs alleged that Capital One used third-party tracking technologies on its website, including Google, Adobe, DoubleClick, New Relic, Skai/Kenshoo, Snowplow, Biocatch, Tealium, and the Meta Pixel. According to the complaint, these tools did more than measure web traffic. They allegedly transmitted information about employment, bank accounts, citizenship and dual citizenship status, credit-card preapproval, approval or denial status, customer status, browsing activity, application status, IP addresses, cookies, and other personal and financial information. One plaintiff, Gary Ingraham, allegedly applied for a Capital One credit card, was denied, and then received credit-card ads on Facebook. Another plaintiff, Deia Williams, similarly applied and was denied, and alleged that she was “constantly bombarded” with credit-card advertisements.

The case is Ingraham v. Capital One Financial Corp., No. 24-cv-05985-TLT, 2026 WL unavailable in the uploaded order, Order Granting-in-Part and Denying-in-Part Defendant’s Motion to Dismiss (N.D. Cal. May 21, 2026). The docket appears publicly under Shah v. Capital One Financial Corp., No. 3:24-cv-05985 (N.D. Cal.).

The court had previously allowed several claims to proceed, including negligence, California Consumer Privacy Act, unjust enrichment, declaratory judgment, California Invasion of Privacy Act, and Electronic Communications Privacy Act claims. In this later order, Capital One again challenged standing, arguing that the plaintiffs had not shown a concrete Article III injury. That argument matters because privacy claims often fail not because no data was moved, but because courts conclude that the movement of data did not produce a legally cognizable harm.

The court applied the modern privacy-standing framework. Under Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992), a plaintiff must show injury in fact, causation, and redressability. Under Spokeo, Inc. v. Robins, 578 U.S. 330 (2016), the injury must be concrete and particularized. In privacy cases involving tracking technologies, the court looked to whether the alleged harm bears a close relationship to traditional privacy torts such as intrusion upon seclusion and public disclosure of private facts.

Post-Popa Web Cookie Claims

That inquiry has become more demanding after Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025). In Popa, the Ninth Circuit held that the use of session-replay technology on a pet-supply website did not create Article III standing where the alleged data collection involved ordinary web-interaction data, pet-store preferences, and a street name, but not sensitive financial, medical, or similarly private information. The Ninth Circuit emphasized that tracking technology might be offensive in another case, especially where it captured sensitive medical or financial information, but routine browsing analytics alone were not enough.

Capital One tried to use Popa as a shield. The court did not fully accept that argument. Judge Trina L. Thompson distinguished between ordinary website analytics and the alleged transmission of sensitive financial-application data. The plaintiffs alleged that Capital One transmitted personally identifiable information, citizenship status, employment status, bank-account type, the kind of credit card applied for, whether the application was approved or denied, and allegedly obfuscated FICO and income-band information. That was materially different from pet-store browsing activity.

The court also relied on the developing post-Popa line of Northern District of California decisions. In Krzyzek v. OpenX Technologies, Inc., No. 25-cv-05588, 2026 WL 206855 (N.D. Cal. Jan. 27, 2026), the court found standing where tracking allegedly collected cookies, IP addresses, hashed emails, device information, location information, URLs, click events, interests, and sociopolitical views. In Gabrielli v. Haleon US Inc., No. 25-cv-02555-WHO, 2025 WL 2494368 (N.D. Cal. Aug. 29, 2025)/, the court similarly found that alleged use of third-party cookies and tracking technologies to collect website interactions, demographic information, preferences, shopping behavior, device information, session information, user identifiers, and geolocation data was enough to plead concrete privacy injury. At the end of the day, it seems that it’s not about WHETHER data was collected, but WHAT data was collected.

Was the Data Individually Identifiable?

The first key ruling in Ingraham was that there was a genuine factual dispute about whether data transmitted to Adobe and Google was individually identifiable. Capital One argued that Adobe received anonymous identifiers and routine metadata. Plaintiffs responded that supposedly anonymized data could be de-anonymized and that Adobe itself allegedly marketed its ability to connect anonymous data to real people. Because identifiability went both to standing and the merits, the court held that the issue could not be resolved on a motion to dismiss. That is significant. The privacy fight increasingly turns on the word “anonymous.” Companies say “hashed,” “tokenized,” “pseudonymous,” or “aggregated.” Plaintiffs respond that the advertising ecosystem is built precisely to reidentify, match, enrich, and monetize that data.

Highly Offensive or Highly Personal?

The second key ruling was that the alleged transmissions were sufficiently “highly offensive.” That phrase is doing enormous work in modern tracking litigation. Courts are increasingly unwilling to treat every cookie, pixel, beacon, SDK, or session-replay tool as a constitutional injury. But Ingraham shows that the analysis changes when the alleged data involves financial eligibility, employment, citizenship, income, FICO segments, application denial, or other information that a reasonable user would not expect to be broadcast to the ad-tech supply chain.

Was the Data Expected to Be Private?

The third key ruling cut against one plaintiff. The court held that plaintiff Williams plausibly maintained a reasonable expectation of privacy, but plaintiff Ingraham did not. Why? Because Ingraham allegedly submitted additional Capital One credit-card applications after filing the lawsuit. The court found that this later conduct was inconsistent with an actual expectation of privacy. That is a sharp reminder that privacy standing is not abstract. Courts look at what the plaintiff actually did. If a plaintiff claims that a website’s tracking practices are intolerably invasive but then continues using the same site in the same way after learning of the challenged conduct, a court may treat that behavior as evidence that the plaintiff did not actually expect privacy.

The ruling therefore split the baby. Capital One did not win dismissal on the theory that the alleged data transmissions were too ordinary, too anonymous, or insufficiently offensive as a matter of law. But Capital One did win dismissal as to Ingraham because his own post-suit conduct undermined his claimed expectation of privacy.

Lessons Learned?

For people harmed by cookies, pixels, session-replay scripts, and tracking technologies, the message is clear. Future plaintiffs should not expect courts to accept “my data was tracked” as enough. They will need to plead and prove what data was collected, where it went, whether it was tied or reasonably linkable to them, why it was sensitive, why the disclosure exceeded the company’s privacy policy or consent disclosures, how the tracking operated technically, and why the intrusion would be highly offensive to a reasonable person.

They should also expect judicial skepticism about damages. Privacy harms are real, but they are difficult to price. A person may feel violated when a bank shares credit-card denial information with an advertising platform, but what is the dollar value of that violation? Is it emotional distress? Diminished value of data? Unjust enrichment? Statutory damages? Targeted advertising? Increased risk of future misuse? Courts have frequently treated such theories with suspicion unless the plaintiff can connect the disclosure to a concrete, personal, and legally recognized injury.

That is why statutory claims matter. CIPA, Cal. Penal Code §§ 631, 632, 637.2, provides statutory remedies for certain unlawful interceptions and eavesdropping. The CCPA, Cal. Civ. Code § 1798.150, provides a limited private right of action for certain unauthorized access and exfiltration, theft, or disclosure of specified personal information caused by a failure to maintain reasonable security practices. ECPA, 18 U.S.C. § 2511, prohibits certain interceptions of electronic communications. These statutes can sometimes provide a remedy where common-law damages are elusive. But even statutory claims still run through Article III standing in federal court.

Promises Made – Promises Ignored?

The practical lesson for companies is equally clear. Privacy policies that say, in broad terms, “we share data for analytics and advertising” may not be enough if the actual tracking transmits sensitive financial, medical, employment, citizenship, eligibility, or application-status data. Companies should inventory pixels, tags, SDKs, session-replay tools, server-to-server events, clean rooms, analytics platforms, and advertising APIs. They should know not merely what vendors receive, but what the vendor can infer, match, hash, reverse, enrich, or use. The question is not simply whether the company intended to disclose sensitive data. It is whether the technical implementation did disclose it.

The practical lesson for plaintiffs is more demanding. Successful cookie and tracking litigation will require technical specificity. Plaintiffs will need browser captures, expert analysis, event logs, payload inspection, testimony about identifiability, and careful pleading about why the data is sensitive. They must also behave consistently with their claimed expectation of privacy. Continuing to use the same website after learning of the tracking may become a defense exhibit.

Ingraham does not make every cookie case viable. It makes some of them more viable. The dividing line is sensitivity, identifiability, offensiveness, and expectation. Routine analytics about clicks and page views may not be enough after Popa. But the alleged silent disclosure of credit-card application results, employment status, citizenship status, income bands, FICO segments, and personally identifying information to ad-tech vendors is different. Courts may be skeptical about privacy damages, but they are not blind to privacy injury.

The future of tracking litigation will therefore not turn on whether a website used cookies. Almost every website does. It will turn on what the cookies, pixels, scripts, APIs, and server-side events actually disclosed, whether users were meaningfully told, whether the data was sensitive and identifiable, and whether the claimed harm can be translated into a legally cognizable injury. In privacy law, the injury is often obvious to the person who suffered it. The hard part is proving it to a court.

Recent Articles By Author

• Perry Machine and the Case of the Privileged Prompt – Courts Consider Whether AI Legal Advice is Privileged
• “Hey Rocky, Watch Me Pull a Rabbit Out of My Hat!”. Is This the Year the Federal Government Passes Comprehensive Privacy Legislation?
• Knowing What You Know – New OMB Regulations Require New Logging and Action

More from Mark Rasch