Keypoint: April 2023 saw developments in chat, session replay, voice recording, and VPPA litigation along with two new trends to watch in May.

This is our second installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends in the past month. In this post we look at developments in lawsuits relating to chat wiretap claims, session replay claims, VPPA claims, and voice recording lawsuits. (If any of these case theories are new to you, be sure to check out the “Overview” section at the bottom of the post.) We also analyze two new theories that have already spawned a series of demand letters and lawsuits.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1.          Litigation Updates

a.         Chat Wiretapping Lawsuits

Last month, California courts repeatedly dismissed plaintiffs’ lawsuits upon finding plaintiffs failed to sufficiently allege any third-party who operated a chat feature for a defendant recorded the plaintiffs’ communications for some use or potential use beyond simply supplying the information back to the defendant. April saw both more of the same (such as the Central District of California’s decision discussed below) and amended complaints that attempt to avoid such decisions. The coming few months will tell whether plaintiffs’ efforts are successful and, if so, what level of third-party benefit is required to establish liability.

i.          California courts continue to dismiss complaints where the plaintiff fails to sufficiently allege the third-party chat service provider acts for their own interest

Judge Sykes, writing for the Central District of California, again addressed a motion to dismiss claims under Sections 631(a) and 632.7 of the California Penal Code against websites that offer chat-based functionality. The decision has become a typical example of how at least some California courts are handling these types of motions.

On April 19, 2023, Judge Sykes issued an order that granted in part and denied in part the defendant’s motion to dismiss. First addressing the Section 631(a) claim, Judge Sykes held the plaintiff sufficiently pled his communications were intercepted in transit when the plaintiff alleged the defendant uses “a third-party service to ‘covertly embed[] code into its chat feature that automatically records and creates transcripts of all such private conversations,’ and ‘allows at least one third party . . . to secretly intercept in real time, eavesdrop upon, and retain transcripts of Defendant’s chat communications with unsuspecting website visitors.” ECF 33 at 4 (citing ECF 14 at ¶ 11). The court rejected the defendant’s plaintiff’s argument that the allegations were conclusory and required more factual support, finding nothing more was required at the motion to dismiss stage. The court also rejected the defendant’s argument that the messages were not intercepted because they were accessed after they were stored, finding that “factual disputes . . . are not proper for resolution at the motion to dismiss stage.” Id. at 4.

The court dismissed the direct liability theory with prejudice. The court also dismissed the indirect liability theory upon finding the plaintiff’s sole allegation—that the defendant “‘allows a third party to eavesdrop on such communications . . . to harvest data for financial gain’”—“is too vague and conclusory to survive a motion to dismiss.” Id. at 5. The court granted the plaintiff leave to amend. Id.

Judge Sykes also denied the defendant’s motion to dismiss the Section 632.7 claims upon finding Section 632.7 required all devices to be cellular or cordless telephones. Id. at 6. Finally, the court also rejected the defendant’s argument that the plaintiff consented to the recording after finding the plaintiff alleged it did not. Id. at 7.

ii.         Plaintiffs have begun to file amended complaints that try to get around the courts’ dismissals

In another case last month, Judge Sykes similarly dismissed claims against Boscov’s Inc., but granted the plaintiff leave to amend its complaint to allege the third-party service provider was independently liable under Section 631(a). The plaintiff almost immediately did so. Unsurprisingly, the defendant again moved to dismiss. On April 11, the court ordered the motion was appropriate for resolution without a hearing and vacated the April 14 hearing. As we have previously discussed, however, Judge Sykes has been lenient with chat-based complaints. Although Judge Bernal of the Central District had also dismissed Section 631(a) claims with leave to amend, the plaintiffs in those cases instead chose to dismiss the remaining claims rather than file amended complaints. As such, the Boscov case will likely be the first decision in this context to address a motion to dismiss after the plaintiff has been given leave amend.

The Boscov’s litigation is far from the only matter in which plaintiffs are re-trying their luck with this chat-based theory of liability. For example, in Martin v Sephora USA Inc., 1:22-CV-001355 (E.D. Cal.), the plaintiff filed an amended complaint that alleged the website operator “secretly enables and allows a third-party spyware company to eavesdrop on the private conversations of everyone who communications through the chat feature” and that the “spyware company then exploits and monetizes that data by sharing it with other third parties, which use the private chat data to bombard the unsuspecting visitor with targeted marketing.” At least two other California courts have set hearings on similar motions to dismiss for May 19, 2023. Our May recap will hopefully be able to shed more light on how California courts are handling these amended complaints.

April also witnessed more voluntary dismissals by plaintiffs in many of the cases we have been watching. Whether these dismissals follow a settlement or are simply the result of a plaintiff choosing not to pursue a claim before a more hostile judge is unknown.

b.         Session Replay Lawsuits

Unlike chat-based claims, session replay lawsuits did not see as much activity in April. A case that was originally filed in March has been removed to the Northern District of California.

c.         Video Privacy Protection Act (“VPPA”) Lawsuits

Twenty new cases alleging violations of the VPPA were filed in April. Most of these cases were filed in California, but others were filed in Illinois, Florida, and Texas. We will be watching these cases closely but do not expect to see much substantive activity for the next few months.

d.         Voice Recording Lawsuits

We first began tracking voice recording lawsuits this month, after a March article highlighted the relatively new trend of lawsuits against consumer-facing institutions that relied on voice-authentication technology to ensure the security of conversations with customers who call into customer support lines.

These cases, however, remain nascent. Unsurprisingly, there was not much development in voice recording lawsuits in April 2023. One case was removed to Federal court in the Northern District of California.

2.         On the Horizon

In this section, we forecast what other types of data privacy lawsuits we are watching and may cover in future litigation update monthly posts.

In May, we will be watching two more trends in data privacy litigation. First, Washington State has passed the My Health My Data Act (“MHMD”), which is a law on which we have already covered. What makes MHMD significant from a litigation perspective, however, is that the law gives consumers a private right of action through the Washing Consumer Protection Act. Be on the look out for a separate blog post about the private right of action soon.

Second, potential privacy plaintiffs have begun exploring whether websites with cookie banners that allow consumers to opt-out of specific types of cookies are functioning as they should. When the consumers’ cookie selections are not correctly followed or implemented privacy plaintiffs appear to be evaluating potential litigation. These plaintiffs seem especially interested when consumers who have accessed these websites live in California, Pennsylvania, and Florida—each of which are known two-party consent states and often the venue of choice for wiretapping claims. We will be on the lookout for any complaints that make their way to any state or federal court but suspect that many of these claims will end up in arbitration due to arbitration provisions in the website terms.

3.         Overview of Current U.S. Data Privacy Litigation Trends

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. Most, but not all, have been filed in California. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel) on websites that include video content.

Finally, lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.