Keypoint: In March 2023, more California courts tackled motions to dismiss claims that chat features violate wiretapping laws while Georgia and Minnesota courts weighed in on VPPA claims.

This is the first of our monthly data privacy litigation reports to provide updates on how courts have handled emerging data privacy tends in the past month. In this post we look at developments in lawsuits relating to chat wiretap claims, session replay claims, VPPA claims, and BIPA claims. (If any of these case theories are new to you, be sure to check out the “Overview” section below.) There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out.

The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1.         Overview of Current U.S. Data Privacy Litigation Trends

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip down to the next section that looks at how courts have handled these cases in the past month.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. Most, but not all, have been filed in California. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel) on websites that include video content.

2.         Litigation Updates

a.         Chat Wiretapping Lawsuits

We have previously covered how California courts have been handling motions to dismiss claims brought under a chat wiretapping theory. In March 2023, California courts continued to resolve the many pending motions to dismiss these claims.

The Central District of California dismissed claims brought under Section 631(a) of the California Penal Code after finding the complaints failed to allege facts to plausibly plead the chat communications were intercepted by a third-party who used the communications for the third-party’s own purposes rather than acting as a tape recorder that merely recorded the communications for use by the website operator. The courts have allowed the plaintiffs to amend their complaints if they think they can cure these defects.

These decisions also reaffirmed the theory that claims under Section 632.7 require all devices in the communication be telephonic devices and at least one device be a cellular or cordless telephonic device. These decisions have not provided more guidance about to what extent a privacy policy can defeat these claims, however. In one decision, the court found the complaint alleged the privacy policy “was added to its chat function only after the present matter was filed.” In another, the court rejected arguments that the plaintiff lacked standing due to the privacy policy upon finding the defendant failed to provide evidence that it had a conspicuously placed privacy policy before the lawsuit was filed.

We also saw many privacy plaintiffs voluntarily dismiss their claims before the court held a hearing on the motion to dismiss or when the court cancelled the hearing because it determined the matter could be resolved on the papers. Whether such dismissals were a result of settlement or the plaintiff wanting to avoid a negative decision by the court is unclear.

In April, we are looking for more courts to resolve pending motions to dismiss. Several courts vacated March hearings on motions to dismiss and indicated the court would rule on the papers. Other courts rescheduled the hearings for April or even later.

We will also be watching whether privacy plaintiffs will accept the courts’ offers to file amended pleadings and try to cure the defects with Section 631(a) claims. Even if so, these amended complaints will likely see more motions to dismiss and it will be some time before we see whether the courts accept the plaintiffs revised theories.

b.         Session Replay Lawsuits

Although courts have resolved many chat-based privacy lawsuits in March, there has not been as much development in cases involving “session replay technology.” Most notable, in California, the Northern District court denied a motion to compel arbitration where the terms of use were deemed an unenforceable “browserwrap agreement.” Unlike “clickwrap agreements” that require a user to “click” or otherwise take some affirmative action to acknowledge their consent to the website terms of use, a browserwrap agreement informs the user that some action (commonly continued use of the website) signifies the users’ consent to the website terms of use. Although the court made clear that not all browserwrap agreements are per se unenforceable, this decision is a good reminder that whether browserwrap agreements are enforceable is extremely fact specific.

c.         Video Privacy Protection Act (“VPPA”) Lawsuits

Courts in Georgia and Minnesota each tackled VPPA claims in March. A Georgia district court was the self-proclaimed first in the Eleventh Circuit to consider whether a subscription to non-video services (for example, a newsletter) was sufficient to make a user a “subscriber” under the VPPA. The Georgia court also noted another decision, in the SDNY, that had expressed skepticism about such a theory, but never decided the issue. The Georgia court, however, also sidestepped the issue and instead found the plaintiff had sufficiently pled the plaintiff subscribed to video services.

A Minnesota district court allowed a VPPA claim against an online news website to proceed past the pleading stage when it denied the defendant’s motion to dismiss under both Rules 12(b)(1) and 12(b)(6). In reaching its decision, the court held use of the Pixel sufficiently connected the user to the disclosed watching history and that use of the Pixel means any such disclosure is made “knowingly” under the VPPA. The court also rejected the defendant’s argument that the plaintiff had consented to such disclosure via the privacy policy. Although the court ultimately viewed that issue as an affirmative defense, it also expressed skepticism that the privacy policy met the stringent requirements for consent under the VPPA.

d.         BIPA Lawsuits

In March, other members of our team published an alert on two important decisions involving the Illinois Biometric Information Privacy Act. Click here to read the alert.

3.         On the Horizon

In this section, we forecast what other types of data privacy lawsuits we are watching and may cover in future litigation update monthly posts.

In April, we will be watching cases that allege companies who rely on voice authentication security technologies violate Section 637 of the California Penal Code, which prohibits the use of a system that examines or records a person’s voice to determine the truth of falsity of the person’s statements without the person’s express, written, consent. So far, only one court has addressed this theory on the substantive merits. In February of this year, the Southern District of California dismissed a claim based on this theory after finding Section 637.3 was limited to voiceprint analysis for the specific purpose of determining the truth or falsity of the speaker’s statement. Because the software specifically at issue did not rely on the user identifying themselves, the court found the software was not used to determine whether the speaker’s statement was true or not. Whether courts will allow claims that analysis of “I am John Smith” statements to determine whether the caller is in fact John Smith to proceed remain to be seen.