Corporate Misconduct Accountability Project
PUMA North America, Inc. · Class action lawsuit
PUMA Secretly Sent Customer Data to TikTok Without Consent, Lawsuit Says
PUMA North America allegedly installed TikTok tracking software on its website to harvest visitor data including names, phone numbers, and addresses without permission, violating California privacy law.
HIGH SEVERITY
TL;DR
PUMA North America faces a class action lawsuit alleging it installed TikTok tracking software on its website to secretly collect visitor data without consent. The software allegedly captures phone numbers, names, addresses, and browsing behavior the moment users land on the site, before they can even see a cookie banner. Plaintiff Travis Rounds claims this violates California’s Trap and Trace Law, which prohibits capturing identifying electronic communication data without a court order.
This case exposes how major brands may turn your online shopping into a surveillance operation, sharing your personal details with third parties for profit.
$5M+
Amount in controversy for class claims
100+
Estimated class members affected
25
Unknown defendants yet to be identified
The Allegations: A Breakdown
Core Allegations
What they did · 6 points
| 01 | PUMA installed TikTok tracking software on its website that collects visitor data through a process called fingerprinting. The software gathers device and browser information, geographic location, referral tracking, and URL tracking by running scripts that send user details to TikTok without user knowledge. | high |
| 02 | The TikTok software begins collecting information the instant a user lands on the PUMA website. Even though the website displays a cookie banner, the information has already been transmitted to TikTok before users can make any choice about consent. | high |
| 03 | PUMA activated TikTok’s AutoAdvanced Matching technology, which scans every website page for personal information including names, dates of birth, and addresses. This information is sent simultaneously to TikTok so the platform can identify individual users with certainty. | high |
| 04 | The TikTok software runs on virtually every page of PUMA’s website, sending TikTok images of each website user’s interests and browsing behavior. The software captures incoming electronic impulses and identifies dialing, routing, addressing, and signaling information generated by users. | high |
| 05 | PUMA never informed website visitors that it was collaborating with TikTok to obtain their phone numbers and other identifying information. The company did not obtain express or implied consent from class members to share their data with TikTok for fingerprinting and identification purposes. | high |
| 06 | The tracking technology functions as a trap and trace device under California law, designed to identify the source of electronic communications. California Penal Code section 638.51 prohibits installing or using such devices without first obtaining a court order, which PUMA never secured. | high |
Regulatory Failures
Laws ignored · 4 points
| 01 | California law defines a trap and trace device as any device or process that captures incoming electronic impulses identifying the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of electronic communication. PUMA’s TikTok software meets this precise definition. | high |
| 02 | California Penal Code section 638.51 explicitly states that no person may install or use a trap and trace device without first obtaining a court order. PUMA installed and used this tracking technology without any such authorization. | high |
| 03 | The California Invasion of Privacy Act imposes civil liability and statutory penalties for violations of the trap and trace law. PUMA faces potential statutory damages for each class member whose data was intercepted without consent. | medium |
| 04 | Courts have previously recognized that trap and trace violations under California Penal Code section 637.2 warrant legal action. The case Greenley v. Kochava established precedent for civil liability in similar data interception scenarios. | medium |
Profit Over People
Why they did it · 4 points
| 01 | The TikTok software is designed solely to identify the source of electronic communications from website visitors. Its purpose is to match anonymous visitor data with TikTok’s existing database of information about hundreds of millions of Americans for commercial targeting. | high |
| 02 | PUMA chose to enable TikTok’s AutoAdvanced Matching feature, the most invasive tracking option available. This technology actively scans website forms and fields to extract personal information like names and addresses, allowing TikTok to isolate individual users with certainty for advertising purposes. | high |
| 03 | The tracking code runs automatically on virtually every page of PUMA’s website. Every time a user clicks to view a different product or category, new electronic impulses are sent to TikTok to build a comprehensive profile of that shopper’s interests and behavior. | medium |
| 04 | PUMA bypassed meaningful consent by having the TikTok scripts execute before users could interact with any cookie banner or privacy controls. This design prioritizes data collection over user choice, ensuring the company captures valuable consumer intelligence regardless of preferences. | high |
Corporate Accountability Failures
No oversight, no consequences · 4 points
| 01 | PUMA operates through a complex corporate structure with PUMA North America, Inc. registered as a Massachusetts corporation while doing substantial business in California. The complaint also names 25 unknown DOE defendants whose identities and roles remain concealed. | medium |
| 02 | The defendant purposefully directed its tracking activities to California residents by regularly engaging with individuals through its website. The illegal conduct specifically targeted and harmed California residents, including the named plaintiff. | medium |
| 03 | PUMA and its affiliates acted with the full knowledge and consent of each other in deploying the tracking technology. Each defendant ratified the acts and omissions of the others, suggesting coordinated corporate decision making rather than isolated error. | medium |
| 04 | The company provided no transparency about its data sharing practices with TikTok. Website visitors had no way to know their communications were being intercepted, recorded, and monitored by third party software embedded in the site. | high |
Community Impact
Who gets hurt · 4 points
| 01 | The proposed class includes all California residents who communicated with PUMA via its website using cellular or landline telephony and whose communications were recorded or eavesdropped upon without prior consent. The plaintiff believes the number of affected class members reaches into the thousands or more. | high |
| 02 | Class members had no knowledge that the website was collaborating with a Chinese government connected entity to obtain their phone numbers and other identifying information. This hidden surveillance undermines consumer trust and autonomy in the digital marketplace. | high |
| 03 | The exact identities of class members can be ascertained from records maintained by PUMA. The company possesses complete documentation of whose data was intercepted, yet affected consumers remain unaware they are part of this data harvesting operation. | medium |
| 04 | Individual litigation of claims for all class members would be impracticable and inefficient. Even if every class member could afford individual legal action, the court system could not handle the volume, and corporations would face no meaningful deterrent from such fragmented challenges. | medium |
Public Health and Safety
Privacy as a health issue · 3 points
| 01 | Users never consented to having their electronic communications recorded, intercepted, monitored, or eavesdropped upon. This violation of privacy expectations creates psychological stress and erodes the sense of personal autonomy that is fundamental to mental well being. | medium |
| 02 | The covert nature of the tracking means consumers cannot protect themselves from surveillance. Website visitors have no opportunity to make informed choices about their privacy, leaving them vulnerable to ongoing data exploitation with potential downstream harms including identity theft and manipulation. | medium |
| 03 | PUMA’s conduct represents a broader pattern where corporations treat digital surveillance as normal business practice. This normalization of invasive tracking contributes to societal acceptance of privacy violations that can facilitate targeted manipulation and undermine public trust in institutions. | medium |
The Bottom Line
Why this matters · 4 points
| 01 | This lawsuit seeks class certification, a declaration that PUMA’s conduct violates the California Invasion of Privacy Act, and an injunction against the company’s tracking practices. The plaintiff demands statutory damages, punitive damages, prejudgment interest, and attorney fees. | high |
| 02 | The case demonstrates how corporations can exploit cutting edge technology to compromise consumer privacy while chasing market intelligence. Data has become a valuable commodity, and companies may calculate that potential fines are worth the risk if privacy violations are difficult to detect. | high |
| 03 | Common questions affect all class members and predominate over individual circumstances. These include whether PUMA caused electronic communications to be recorded and monitored, whether PUMA aided a third party in eavesdropping, and whether class members are entitled to statutory penalties and injunctive relief. | medium |
| 04 | The lawsuit was filed under the Class Action Fairness Act with the matter in controversy exceeding five million dollars and over 100 class members. The scope and scale of alleged violations position this as a significant test of California privacy protections in the digital commerce era. | medium |
Timeline of Events
Unknown
PUMA installs TikTok tracking software on its e-commerce website
Unknown
PUMA activates TikTok AutoAdvanced Matching technology to capture personal information
Unknown
Plaintiff Travis Rounds visits PUMA website and has data intercepted without consent
November 2024
Travis Rounds files class action lawsuit in Central District of California
November 1, 2024
Complaint formally filed as Case No. 2:24-cv-09468
Direct Quotes from the Legal Record
QUOTE 1
Definition of illegal tracking device
allegations
“A trap and trace device as a device or process that captures the incoming electronic or other impulses that identify the originating number or other dialing, routing, addressing, or signaling information reasonably likely to identify the source of a wire or electronic communication, but not the contents of a communication.”
💡 This legal definition precisely describes what PUMA’s TikTok software does, establishing the violation.
QUOTE 2
Tracking starts immediately
allegations
“The TikTok Software begins to collect information the moment a user lands on the Website. Thus, even though the Website has a cookie banner the information has already been sent to TikTok regarding the user’s visit.”
💡 PUMA circumvents consent by capturing data before users can respond to privacy choices.
QUOTE 3
Most invasive tracking enabled
profit
“Additionally, since PUMA has decided to use TikTok’s AutoAdvanced Matching technology, TikTok scans every website for information, such as name, date of birth, and address, the information is sent simultaneously to TikTok, so that TikTok can isolate with certainty the individual to be targeted.”
💡 PUMA chose the most aggressive tracking option available, prioritizing data extraction over privacy.
QUOTE 4
No user awareness
allegations
“The TikTok Software is a process to identify the source of electronic communication by capturing incoming electronic impulses and identifying dialing, routing, addressing, and signaling information generated by users, who are never informed that the website is collaborating with the Chinese government to obtain their phone number and other identifying information.”
💡 Users had zero knowledge their data was being shared with TikTok for identification purposes.
QUOTE 5
Designed to identify users
profit
“The TikTok Software is reasonably likely to identify the source of incoming electronic impulses. In fact, it is designed solely to meet this objective.”
💡 The software has no purpose other than identifying individual users, the exact conduct California law prohibits.
QUOTE 6
No consent obtained
allegations
“Defendant did not obtain Class Members’ express or implied consent to be subjected to data sharing with TikTok for the purposes of fingerprinting and de-anonymization.”
💡 PUMA never asked permission before intercepting and sharing personal data with third parties.
QUOTE 7
Tracking on every page
profit
“The TikTok Software runs on virtually every page of PUMA’s website, sending to TikTok images of website user’s interest in Defendant’s services.”
💡 The surveillance is comprehensive, tracking users across their entire browsing session.
QUOTE 8
Law explicitly prohibits this
regulatory
“California Penal Code section 638.51 (the California Trap and Trace Law) provides that a person may not install or use…a trap and trace device without first obtaining a court order…”
💡 California law is crystal clear that this type of tracking requires a court order, which PUMA never obtained.
QUOTE 9
Civil penalties apply
regulatory
“CIPA imposes civil liability and statutory penalties for the installation of trap and trace software without a court order. California Penal Code section 637.2; see also, Greenley v. Kochava, 2023 WL 4833466, at *15-*16 (S.D. Cal. July 27, 2023).”
💡 PUMA faces financial penalties for each violation, with legal precedent supporting enforcement.
QUOTE 10
Thousands affected
community
“Plaintiff does not know the number of Class Members but believes the number to be in the thousands, if not more.”
💡 The scale of privacy violations reaches thousands of California consumers.
QUOTE 11
Class action necessary
community
“A class action is superior to other available methods of adjudication because individual litigation of the claims of all Class Members is impracticable and inefficient. Even if every Class Member could afford individual litigation, the court system could not.”
💡 Only collective action can hold PUMA accountable given the scale and nature of the violations.
QUOTE 12
Statutory damages demanded
allegations
“Defendant uses a trap and trace process on its Website by deploying the TikTok Software on its Website, because the software is designed to capture the phone number, email, routing, addressing and other signaling information of website visitors.”
💡 The software’s explicit design confirms it violates the statute’s prohibition on unauthorized data capture.
Frequently Asked Questions
What exactly did PUMA allegedly do wrong?
PUMA allegedly installed TikTok tracking software on its website that secretly captures visitor data including phone numbers, names, addresses, and browsing behavior without obtaining consent. The software starts collecting information the instant someone lands on the site, before they can even see or respond to a cookie banner. California law requires a court order to use this type of tracking device, which PUMA never obtained.
What is TikTok AutoAdvanced Matching?
AutoAdvanced Matching is TikTok’s most invasive tracking technology. It actively scans website pages for personal information in forms and fields, including names, dates of birth, and addresses. This data is sent directly to TikTok so the platform can identify individual users with certainty and target them with advertising. PUMA chose to enable this aggressive tracking feature.
How does the tracking software work?
The TikTok software uses a process called fingerprinting. It collects device and browser information, geographic location, referral data, and URL tracking by running code scripts on the website. It matches this data with information TikTok has already accumulated about hundreds of millions of Americans. The software runs on virtually every page, sending updates to TikTok each time a user clicks to view different products.
Why is this illegal under California law?
California Penal Code section 638.51 prohibits anyone from installing or using a trap and trace device without first obtaining a court order. The law defines such devices as any process that captures electronic impulses identifying phone numbers, routing, addressing, or signaling information that can identify the source of electronic communications. PUMA’s TikTok software meets this exact definition but was installed without any court authorization.
Who is affected by this lawsuit?
The proposed class includes all California residents who visited PUMA’s website using cellular or landline connections and whose communications were recorded or monitored without their consent. The plaintiff estimates the class includes thousands of people. Anyone who shopped on PUMA.com from California during the relevant period may be a class member.
Did PUMA ask for permission to collect this data?
No. The lawsuit alleges PUMA never obtained express or implied consent from website visitors to share their data with TikTok for fingerprinting and identification purposes. Users were never informed that the website was collaborating with TikTok to obtain their phone numbers and other identifying information. The tracking happens automatically before users can make any privacy choices.
What damages is the lawsuit seeking?
The plaintiff seeks class certification, a court declaration that PUMA violated California privacy law, statutory damages under the California Invasion of Privacy Act, punitive damages, prejudgment interest, attorney fees, and an injunction to stop PUMA from continuing these tracking practices. The total matter in controversy exceeds five million dollars.
Why does PUMA want this data?
The tracking software is designed to identify website visitors and match them with TikTok’s extensive user database for commercial targeting purposes. By capturing detailed information about who visits the site and what they browse, PUMA can build comprehensive consumer profiles for advertising. The company chose the most aggressive tracking option available to maximize the data it could collect.
What can I do if I think my data was collected?
If you visited PUMA.com from California and believe your data was intercepted, you may be part of the proposed class. Contact the attorneys representing the plaintiff, Tauler Smith LLP, to learn whether you qualify as a class member and what steps you can take. You can also file a complaint with the California Attorney General’s office about privacy violations and consider using browser privacy tools to limit tracking on other websites.
Has PUMA responded to these allegations?
The lawsuit was just filed in November 2024, and the public record does not yet show a formal response from PUMA. The company will have an opportunity to answer the complaint and defend itself in court. The complaint also names 25 unknown defendants whose identities have not yet been determined.
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
