The privacy world has been so busy with pixel-tracking that retail cases almost started to feel like the “quieter cousin.” Camplisson v. adidas, decided this week, is a reminder that retail sites aren’t getting a free pass, especially when they install high-powered pixels that behave more like surveillance tools than simple analytics.
The plaintiffs weren’t doing anything intimate or personal — they were just shopping on adidas.com. But the TikTok Pixel and Microsoft Bing tracker embedded in the site didn’t just record clicks. According to the complaint, they collected IP addresses, device identifiers, timestamps, fingerprinting data, and even used features like AutoAdvanced Matching that can tie your browsing back to your name, birthday, and address. That’s not “retargeting ads.” That’s a map back to the actual person, with the live location feature, if I may add.
And Judge Curiel’s order reflects exactly that reality. Instead of getting caught up in the “but this is just retail!” framing, the Court focuses on the substance: the trackers were allegedly installed on users’ browsers, they collected identifying and addressing information, and they did it without consent. Under CIPA’s pen-register provisions, that is more than enough to state a claim.
What’s interesting is how thoroughly the Court rejects the defense playbook. The “no standing because this isn’t a traditional privacy harm” argument? No. The “CIPA only applies to 1970s phone lines and this will break the internet” argument? Also no. Courts have been very clear that CIPA isn’t tied to a specific technology; it’s tied to the principle of preventing secret interception. TikTok Pixel + fingerprinting + third-party data sharing falls squarely within that principle.
Then there’s the consent angle. adidas, like half the internet, relied on buried browsewrap terms in the website footer — the kind no human ever scrolls down to find. Judge Curiel essentially says: if you want users to consent to browser-level tracking, you need to actually ask them. Not hide it in tiny font. Not imply that visiting the site equals consent. Without conspicuous notice and an affirmative “yes,” the consent exception under CIPA doesn’t apply.
And the ending is where the sass (quietly but unmistakably) lands. The Court basically shuts the door on adidas’s dismissal arguments with the judicial equivalent of: “Plaintiffs have sufficiently alleged a privacy invasion — the motion is denied.” Not dramatic. Not emotional. Just a firm reminder that CIPA’s pen-register provisions have teeth, and retail defendants don’t get to track first and explain later.
So when retail pixel cases meet reality, the message is simple: if your site quietly plants sophisticated trackers on users’ browsers and sends their information to third parties, courts aren’t going to swoop in and save you at the pleadings stage. CIPA protects the right not to be secretly tracked without consent. And in adidas, that was more than enough for the claim to move forward.