LOS ANGELES—A federal district court judge ruled Tuesday that Aylo, the parent company of Pornhub.com, must face claims under the California Invasion of Privacy Act (CIPA).
This ruling, handed down by U.S. District Judge Wesley Hsu of the Central District of California, stems from a case brought by a proposed class action alleging that Aylo violated CIPA using online marketing tools that allegedly picked up on the porn viewing habits of the plaintiffs, meriting data privacy violations.
Scott Adair, Kent Henderson and Tarris Wallace sued Aylo and its affiliated companies, including its entity in Ireland, over the summer of 2025. All three filed a proposed class action before the Los Angeles Superior Court, but Aylo removed the case to the Central District of California.
At the time, AVN and the Free Speech Coalition alerted the adult entertainment industry to lawsuits targeting adult platforms for simply using online marketing tools. In the immediate suit, plaintiffs allege that Aylo violated its own terms of service by using "third-party tracking technologies" on its website.
These "third-party tracking technologies" are commonplace in digital marketing. The technologies include Google Analytics and trackers built by Aylo for the collection of user experience data and algorithmic recommendations for preferred content.
Plaintiffs allege that the Aylo defendants:
..."intercept[ed], read and analyz[ed] a range of highly sensitive and identifying information, including (1) specific video titles a user has selected and played; (2) any sexual orientation categories navigated (e.g., transgender, gay, bisexual); (3) explicit and detailed scene-specific attributes of the videos (such as the presence of named pornographic performers, the production type like ‘amateur,’ ‘homemade’ or 'doggy style,' or whether the video was made in a specific country such as 'Japan'); (4) any search terms entered by the user into the Pornhub Website search bar, including even sensitive queries like 'Asian teen girl' or 'young black teens'; and (5) details about products viewed or purchased on the Website’s online shop, including item categories, names, and price."
Under this assessment, the plaintiffs claim that simply visiting Pornhub exposes them. Hsu explains in a minutes order issued on Tuesday that there is not yet any class action claim to be made at the federal level, however the federal court remains the appropriate venue to hear the case.
"As to the reasonable expectation of privacy, [the] plaintiffs have plausibly alleged that users would reasonably expect [the] defendants not to track their highly sensitive private information related to Plaintiffs’ pornography viewing habits," Hsu argues. "Plaintiffs have also plausibly alleged that users would not expect Defendants to use that highly sensitive private information to build detailed profiles pertaining to users."
The judge adds, "Additionally, [the] plaintiffs have plausibly alleged that the alleged data collection plausibly defies social norms. ... Plaintiffs have alleged that they did not consent to the alleged data collection. Without this consent, it is reasonable to infer [that the] Plaintiffs were unaware [and that] defendants were collecting data pertaining to Plaintiffs’ highly sensitive pornographic search terms and purchases."
Under CIPA, violations generally involve intentionally recording or eavesdropping on a confidential communication without the consent of all parties. They can also include using devices or software to intercept, track or record communications—such as calls, chats or website interactions—without legally required notice or consent.
The law indicates that a violation of CIPA may have occurred because the plaintiffs were not adequately notified that their data would be tracked using marketing software like Google Analytics. Penalties can include fines.
