Keypoint: In March 2023, more California courts tackled motions to dismiss claims that chat features violate wiretapping laws while Georgia and Minnesota courts weighed in on VPPA claims.
This is the first of our monthly data privacy litigation reports to provide updates on how courts have handled emerging data privacy tends in the past month. In this post we look at developments in lawsuits relating to chat wiretap claims, session replay claims, VPPA claims, and BIPA claims. (If any of these case theories are new to you, be sure to check out the “Overview” section below.) There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out.
The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.
1. Overview of Current U.S. Data Privacy Litigation Trends
Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip down to the next section that looks at how courts have handled these cases in the past month.
Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. Most, but not all, have been filed in California. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.
Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel) on websites that include video content.
2. Litigation Updates
a. Chat Wiretapping Lawsuits
We have previously covered how California courts have been handling motions to dismiss claims brought under a chat wiretapping theory. In March 2023, California courts continued to resolve the many pending motions to dismiss these claims.
The Central District of California dismissed claims brought under Section 631(a) of the California Penal Code after finding the complaints failed to allege facts to plausibly plead the chat communications were intercepted by a third-party who used the communications for the third-party’s own purposes rather than acting as a tape recorder that merely recorded the communications for use by the website operator. The courts have allowed the plaintiffs to amend their complaints if they think they can cure these defects.
We also saw many privacy plaintiffs voluntarily dismiss their claims before the court held a hearing on the motion to dismiss or when the court cancelled the hearing because it determined the matter could be resolved on the papers. Whether such dismissals were a result of settlement or the plaintiff wanting to avoid a negative decision by the court is unclear.
In April, we are looking for more courts to resolve pending motions to dismiss. Several courts vacated March hearings on motions to dismiss and indicated the court would rule on the papers. Other courts rescheduled the hearings for April or even later.
We will also be watching whether privacy plaintiffs will accept the courts’ offers to file amended pleadings and try to cure the defects with Section 631(a) claims. Even if so, these amended complaints will likely see more motions to dismiss and it will be some time before we see whether the courts accept the plaintiffs revised theories.
b. Session Replay Lawsuits
c. Video Privacy Protection Act (“VPPA”) Lawsuits
Courts in Georgia and Minnesota each tackled VPPA claims in March. A Georgia district court was the self-proclaimed first in the Eleventh Circuit to consider whether a subscription to non-video services (for example, a newsletter) was sufficient to make a user a “subscriber” under the VPPA. The Georgia court also noted another decision, in the SDNY, that had expressed skepticism about such a theory, but never decided the issue. The Georgia court, however, also sidestepped the issue and instead found the plaintiff had sufficiently pled the plaintiff subscribed to video services.
d. BIPA Lawsuits
In March, other members of our team published an alert on two important decisions involving the Illinois Biometric Information Privacy Act. Click here to read the alert.
3. On the Horizon
In this section, we forecast what other types of data privacy lawsuits we are watching and may cover in future litigation update monthly posts.
In April, we will be watching cases that allege companies who rely on voice authentication security technologies violate Section 637 of the California Penal Code, which prohibits the use of a system that examines or records a person’s voice to determine the truth of falsity of the person’s statements without the person’s express, written, consent. So far, only one court has addressed this theory on the substantive merits. In February of this year, the Southern District of California dismissed a claim based on this theory after finding Section 637.3 was limited to voiceprint analysis for the specific purpose of determining the truth or falsity of the speaker’s statement. Because the software specifically at issue did not rely on the user identifying themselves, the court found the software was not used to determine whether the speaker’s statement was true or not. Whether courts will allow claims that analysis of “I am John Smith” statements to determine whether the caller is in fact John Smith to proceed remain to be seen.