Keypoint: May 2023 saw victories for defendants as courts dismissed wiretapping claims based on website chat functionality and VPPA claims.

This is the fourth installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy tends in the past month. In this post we look at California courts who have dismissed wiretapping claims based on website chat functionality and VPPA claims.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1.          Litigation Updates

a.         Chat Wiretapping Lawsuits

Another court in the Northern District of California dismissed a plaintiff’s Section 631(a) and Section 632.7 claims that were based on website chat functionality. Although the court rejected the defendant’s argument that the plaintiff consented to the recording, the court nevertheless dismissed the second clause of section 631(a) because the court found the plaintiff did not allege the third-party service provider—the identity of which the plaintiff admitted it did not know—had the capability of using the record of the conversation for its own purpose. This is consistent with the recent trend of decisions that have required plaintiffs to allege the third-party had the capability to use the information for their own benefit and was thus more like an eavesdropper than a tape recorder to be used by the party to the conversation.

The court also accepted the defendant’s argument that the plaintiff failed to allege the communications were “intercepted” as required by the second clause of Section 631(a) and dismissed the Section 632.7 claim after finding the plaintiff did not allege the defendant received the message on a cellular or cordless device.

Another California court similarly found the plaintiff did not adequately allege the plaintiff’s communications were “intercepted” rather than being acquired while in electronic storage. There, the plaintiff sued the website operator only and alleged the defendant “covertly monitors, records, and creates secret transcripts of all communications through the chat feature on its website,” without the knowledge of its customers” and further “shares the secret transcripts with . . . a third party that publicly boasts about its ability to harvest highly personal data from chat transcripts for sales and marketing purposes.” The court dismissed the plaintiff’s Federal Wiretap Act (FWA) and California Invasion of Privacy Act (CIPA) claims after finding the defendant was a known and intended recipient of the communications, as alleged by the plaintiff himself. The court rejected the plaintiff’s argument that the third-party was an “unseen auditor.” The court also found the plaintiff failed to allege any communications the third-party received were “intercepted,” rather than being acquired while in electronic storage. The court gave the plaintiff leave to amend to cure these issues if it could.

In a victory for plaintiffs, however, another California court remanded a case to the state court on May 8. There, the plaintiff alleged the number of class members “to be greater than 100 individuals, if not many more.” The court rejected the defendant’s argument that this language necessarily meant the class included at least 2,000 individuals, which would satisfy the jurisdictional standard under the Class Action Fairness Act’s $5 million threshold. The court then found the defendant also failed to present any evidence that the number was at least 2,000 and held the defendant therefore failed to meet its burden and remanded the case.

b.         Session Replay Lawsuits

May did not see significant developments in published session replay lawsuits. We will continue to watch these cases in June.

c.         Video Privacy Protection Act (“VPPA”) Lawsuits

A Northern District of California judge dismissed a VPPA claim after finding the plaintiff did not qualify as a “consumer” under the VPPA. The defendant filed a motion to dismiss and argued the plaintiff not only did not qualify as a “consumer,” but that the complaint did not allege the defendant was a video tape service provider or that the defendant knowingly disclosed the plaintiff’s information to a third party (Meta). The court agreed with the defendant, finding that a “subscriber is not just someone who provides her name and address to a website, for some undisclosed purpose or benefit.” Because the plaintiff did not allege more than that she subscribed to the defendant’s email list, the court held the plaintiff did not allege she was a subscriber and dismissed the complaint with leave to amend. The court did not address the defendant’s other arguments.

We also checked in on a VPPA case about which we have previously written. Last month, Chick-fil-a filed a motion to dismiss. The plaintiff filed its opposition on May 18. The primary issues seem to be whether the defendant is a “video tape service provider” regulated by the VPPA, whether the plaintiffs are “consumers” protected by the VPPA, and whether the defendant shared the plaintiffs’ personally identifiable information in violation of the VPPA (and did so “knowingly”). On May 22, Chick-fil-a filed a motion for limited early discovery to determine whether the plaintiff’s claim is subject to arbitration. Chick-fil-a has also filed a motion to transfer the case to Georgia. We will be watching this case for updates in June. We are also seeing VPPA cases expand beyond the Meta Pixel, which has been a focal point for VPPA cases to date. New allegations take aim at similar technology, including Google Analytics tracking tags.

2.         On the Horizon

In this section, we forecast what other types of data privacy lawsuits we are watching and may cover in future litigation update monthly posts. We have moved our voice-recording cases and Washington My Health My Data Act (MHMD) cases to this section as well because we have not yet seen enough cases filed under those theories to include them in our monthly update. As a reminder, the MHMD starts to go into effect in July 2023.

In June, we will be watching a recent trend that claims the recording of data about a specific consumer equates to a misuse of the consumer’s name, image, and likeness.

3.         Overview of Current U.S. Data Privacy Litigation Trends

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. Most, but not all, have been filed in California. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content.

Finally, lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.