
Meta must face a lawsuit alleging that it secretly tracked Android users' browsing activity on mobile websites that embedded Meta's analytics pixel, and linked that activity to users' identities, a federal judge ruled Monday.
The decision, issued by U.S. District Court Judge Rita Lin in San Francisco, grew out of a class-action complaint initially brought last June by California resident Devin Rose (and later joined by other Android users).
Rose alleged that between September 2024 and June 2025, Meta exploited Android's localhost -- a feature that allows software developers to test applications -- to connect users’ mobile web browsing to their Facebook and Instagram profiles.
Rose filed suit the same day researchers published the report “Disclosure: Covert Web-to-App Tracking via Localhost on Android,” which discussed the alleged exploit. (Meta stopped the covert tracking the day the report came out, researchers said in an update to the report.)
Rose alleged in the complaint that he visited mobile sites with Meta's pixel, including techcrunch.com and wired.com, and that everything he did on those sites -- including the articles he viewed, and searches he conducted -- was collected by Meta, tied to his identity and then used for advertising purposes.
The complaint includes claims that Meta violated a California wiretapping law, and engaged in “intrusion upon seclusion” -- a claim that can be brought in California over “highly offensive” privacy violations.
Meta urged Lin to throw out the lawsuit at a relatively early stage, arguing that even if the allegations were proven true, they wouldn't give the plaintiffs grounds to sue.
Among other arguments, Meta said the plaintiffs consented to the data collection by accepting Meta's privacy terms, writing that its privacy policy "broadly discloses" that it collects identifiers from "advertising partners" and uses those identifiers "to match users’ browsing activity to their Meta accounts."
Lin rejected that argument, allowing Rose and the others to proceed with most of the claims in the case.
"If the privacy policy disclosed the practices at issue, it could potentially be sufficient to find consent as a matter of law," she wrote. "But a reasonable user could plausibly read the privacy policy to not disclose that Meta would open a backdoor to link their Android web browsing activities to their Meta accounts with absolute certainty."
"Seemingly broad text in a disclosure might not provide effective consent if it would be objectively reasonable for a person to interpret the text more narrowly," she added.
Meta also argued that the allegations, if true, wouldn't establish the kind of "highly offensive" privacy violation that could establish a claim for "intrusion upon seclusion."
Lin rejected that argument as well, writing that the allegations against Meta involved activity "far beyond" routine commercial activity.
"According to plaintiffs, Meta surreptitiously circumvented browsers' sandboxing protections in order to perfectly link users’ browsing behavior with their Meta accounts," she wrote. (The court papers roughly describe "sandboxing protections" as walls between mobile apps, and between browsers and apps.)
"Browser developers, researchers, and members of the public were shocked and concerned when this behavior came to light," Lin continued, citing the complaint. "Thus ... plaintiffs have plausibly alleged a highly offensive intrusion."
While Lin dismissed a few claims in the complaint, the ruling allows the plaintiffs to proceed with the bulk of their case against Meta.
Rose and the others also sued Google for allegedly negligently failing to employ security measures that would have protected people's data.
Google also urged Lin to dismiss the suit against it, arguing that the allegations, even if proven true, wouldn't show that Google was at fault.
"Plaintiffs seek to hold Google liable for what they claim was a deliberate scheme by Meta to circumvent Android's privacy protections," Google argued. "Yet plaintiffs do not (nor can they) plead that Google knew of, much less participated in or benefited from, the alleged scheme."
Counsel for the plaintiffs countered that the Android operating system had "fundamental flaws" that allowed Meta to circumvent privacy protections.
Lin rejected Google's argument, ruling that the company must face a claim that it was negligent.
"Google designed Android and wrote its code, putting Google in a position to implement data safeguards," she wrote. "Though plaintiffs can implement some rudimentary safeguards like passcodes, they cannot patch Android design vulnerabilities on their own."
"It is entirely foreseeable that negligently designing software with inadequate data safeguards could result in harm to users," Lin added.