Keypoint: June 2023 maintained a trend of mostly favorable outcomes for defendants as courts continue to grant motions to dismiss in session replay and VPPA cases.

This is the fifth installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends in the past month. In this post we look at decisions to dismiss session replay and VPPA claims coming out of California courts.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change.

1. Litigation Updates

a. Chat Wiretapping Lawsuits

June did not see meaningful advancements in chat-based lawsuits. A California state judge denied a motion to dismiss for procedural reasons, and a judge in the Southern District of California dismissed a case based on “the record during the hearing” without expounding further.

b. Session Replay Lawsuits

A Northern District of California judge, Charles Breyer, published two orders this month related to the use of third-party vendors to monitor and analyze website activity.

In the first case, Judge Breyer granted a defendant’s fifth motion to dismiss the plaintiff’s cause of action alleging the defendants wiretapped the electronic communications of website visitors. The judge found that the website design and language of the privacy policy were sufficiently clear to put the plaintiff on inquiry notice of a wiretapping claim at the time he submitted his information on the site. Judge Breyer found the plaintiff therefore did not adequately cure the deficiencies previously found in the complaint. Judge Breyer also foreclosed any further opportunity to do so by closing the case without leave to amend.

In the second case, however, Judge Breyer denied the defendant’s motion to dismiss. The court found the plaintiff adequately alleged the communications were read while “in transit” in violation of Section 631(a). In doing so, the court first rejected the defendant’s argument that the claims were conclusory, distinguishing them as “far more specific” than claims that have failed to plead an interception “in transit.” The court then found a document on which the defendant relied established the tool could be configured to “begin recording Plaintiffs’ movements the moment they began using the webform, as Plaintiffs allege.”

The court also rejected the defendant’s argument that the third-party software vendor merely provided a tool like a tape recorder because the plaintiff pled the third party had the capability to use the information for its own purpose. This is the second case in which Judge Breyer supported this argument made by a plaintiff.

At the opposite end of the state, a Southern District of California court disposed of a case stating that “a bare CIPA violation by itself is insufficient to demonstrate Article III injury in fact.” The plaintiff’s complaint alleged the defendant monitored and recorded her communications when she visited its website to “obtain flight information.” The court made clear, however, that such information is not personal information and, as such, is “insufficient to allege a concrete harm that bears a close relationship to the substantive right of privacy.”

c. Video Privacy Protection Act (“VPPA”) Lawsuits

In the Southern District of California, a judge rejected a plaintiff’s claim that he was a “consumer” under the VPPA because he purchased products from third parties that advertised on the defendant’s website. The court found the definition of “consumer” only includes those individuals who rented, purchased, or subscribed to products directly from a video tape service provider. Since the plaintiff did not rent, purchase, or subscribe to anything explicitly from the defendant, the VPPA does not protect him. The defendant also argued that the complaint did not plausibly allege that the defendant is a video tape service provider, that the data sent to the third party (Facebook) disclosed the plaintiff’s PII, or that the defendant knowingly disclosed such information. Since the judge resolved the case on the basis that the Act does not protect a non-consumer like the plaintiff, however, the judge declined to address the remaining arguments.

2. On the Horizon

In this section, we forecast what other types of data privacy lawsuits we are watching and may cover in future litigation update monthly posts.

As we mentioned previously, the Washington My Health My Data Act (MHMD) goes into effect next month on July 23, and we will be closely monitoring for any causes of action filed.

On June 28, plaintiffs filed claims against the artificial intelligence company OpenAI and against Microsoft, alleging that the companies violated Illinois’s Biometric Information Privacy Act (BIPA) and the California Invasion of Privacy Act (CIPA). First, the plaintiffs claim that scanning the plaintiffs’ facial geometry from photos posted on the internet amounts to collecting biometric identifiers in violation of BIPA. They also claim that the companies unlawfully failed to inform users that biometric data is collected, failed to obtain consent to collect such data, and disseminated biometric information without authorization.

Second, OpenAI’s chatbot, ChatGPT, allegedly scraped communications on third-party websites, like Snapchat and Stripe, for the purpose of training its algorithms, in violation of the CIPA. The plaintiffs claim that by incorporating this technology on third-party platforms, the defendant is “in the unique position of having unrestricted, real-time access to the users’ every input, move, chat, comment, reply, search, keystroke, or other browser activity/communication on the third-party platform,” making it a third-party “eavesdropper.”

3. Overview of Current U.S. Data Privacy Litigation Trends

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. Most, but not all, have been filed in California. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are communicating not only with the website operator, but also with the third party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites that use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) and include video content.

Finally, lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information, such as banks or other financial institutions.