Keypoint: In July 2023, plaintiffs have been busy opposing motions to dismiss in chat wiretapping, session replay, and VPPA cases while testing claims against a new technology.

This is the sixth installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends in the past month. In this post we look at dismissed chat wiretapping and session replay cases and VPPA cases overcoming the motion to dismiss stage.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1.         Litigation Updates

a.         Chat Wiretapping Lawsuits

California courts consistently dismissed alleged Section 632.7 violations by confirming the statute does not protect communications transmitted over a website’s chat functionality. A California state court sustained a defendant’s general demurrer without leave to amend, rejecting the assertion that Sections 631(a) and 632.7 apply to website chat communications. The judge found multiple reasons to sustain the demurrer, but ultimately reasoned Section 631(a) only imposes liability if the alleged wiretapping is conducted against a telephone, not an internet website. The judge relied on the plain language of the statute when analyzing the Section 632.7 claim as well. His order stated, “nowhere does the statute reference a computer or a website chat function.” The court subsequently clarified its demurrer. The plaintiff argued the court’s finding that the third-party vendors were not independently using the data received from the chat transcripts was inconsistent with the complaint’s allegation that the third-party used data retrieved from the chat function to conduct targeted marketing. The court disagreed, finding the third-party was not independently retrieving the data on its own and, thus, there was no interception.

A Southern District of California court also dismissed a chat wiretapping suit after holding the plain text of Section 632.7 showed it only applies to communications transmitted by various types of telephones, not internet devices. The court additionally dismissed claims under all four clauses of Section 631. The claims under the first three clauses failed since the defendant was the intended recipient of the communications and, as such, could not eavesdrop on its own conversation. The defendant was not liable under the fourth clause because the plaintiff’s complaint merely speculated the existence of a third-party eavesdropper and did not allege any third-party intercepted and used the data itself. On July 27, 2023, the court dismissed another complaint that was identical to the one the court had previously dismissed, highlighting the danger in plaintiffs using substantially similar or boilerplate complaints.

With almost identical reasoning, a court in the Central District of California granted the defendant’s motion to dismiss. The court reasoned a participant to the conversation cannot be liable for recording its own communications. The court found the plaintiff’s assertions that the defendant shared chat communications with a third-party for storage and data harvesting purposes also did not give rise to a plausible claim.

b.         Session Replay Lawsuits

Two session replay cases entered notices of settlement this month. The first settlement notice came after a Central District of California court permitted the plaintiff to amend his cause of action for derivative liability under Section 631(a) and denied the defendant’s motion to dismiss pursuant to the plaintiff’s CIPA Section 632.7 claim. The settlement in the second case will formally dismiss the claims by early September.

Courts are still disposing of session replay cases at the motion to dismiss stage. A Southern District of California judge dismissed the plaintiffs’ CIPA claim on the basis that the complaint did not plausibly claim Meta intercepted their “content” through the Meta Pixel embedded on the defendant’s website. The judge, however, denied two other arguments the defendant made. He found the fourth prong of Section 631(a) does not require a plaintiff to plead facts establishing the defendant “aided and abetted” under California criminal law. The court also found the plaintiff sufficiently alleged user information was intercepted “in transit” to survive a motion to dismiss by repeatedly claiming the defendant intentionally installed the Meta Pixel and shared user information in real time without users’ authorization.

c.         Video Privacy Protection Act (“VPPA”) Lawsuits

A Middle District of Florida court denied a defendant’s motion to dismiss after oral arguments from the parties. Without further explanation, the court found the plaintiff plausibly alleged the defendant violated her privacy rights by sending her private information to Meta through the installation of the Meta Pixel. Similarly, in California, a Northern District court also denied a motion to dismiss a VPPA claim that asserted the defendant transmitted users’ video viewing information to Meta Platforms by embedding the Meta Pixel on its website. The court first held the defendant qualified as a video tape service provider because its website hosts prerecorded streaming video content. The court then found the plaintiff sufficiently alleged it was a “subscriber” under the VPPA by alleging it created an account on the defendant’s website, provided personal information to the defendant, and then subsequently watched videos on the defendant’s website. The court also found revealing a Facebook user ID constitutes disclosure of PII. Finally, the court held whether the disclosure was incident to the ordinary course of business was not a factual issue the court should decide in a motion to dismiss.

Defendants in Tennessee and Illinois, however, succeeded on motions to dismiss VPPA claims. In both cases, the courts found the plaintiff had not plausibly alleged it was a “consumer” under the VPPA. A Middle District of Tennessee court found a “consumer” is a “subscriber” only when they subscribe specifically to audio visual materials. Because subscribing to the newsletter was not a prerequisite to accessing video content on the website, the court held the plaintiff was merely a subscriber to newsletters, not a subscriber to audio visual materials. Similarly, a Northern District of Illinois court rejected the plaintiffs’ argument that merely opening an account “separate and apart from viewing video content on [the defendant’s] website is sufficient to render [the plaintiffs] ‘subscribers’ under the Act.”

2.         On the Horizon

In this section, we forecast what other types of data privacy lawsuits we are watching and may cover in future litigation update monthly posts.

New technology has sparked a line of cases alleging CIPA violations due to the de-anonymization of website visitors. In the past two months, complaints have been filed in California state courts asserting the defendants aided and abetted a third-party by secretly installing spyware on their websites which provides access to communications transpiring on the sites. The plaintiffs claim the third-party can match a visitor’s IP address, obtained through the website containing spyware, to their name, face, location, e-mail, and browsing history and the use of this technology is equivalent to “doxing” website visitors. We will monitor how these cases progress as they move through the court system.

A July 27 decision by a Southern District of California court illustrates the rise of lawsuits based on this de-anonymization theory. The plaintiff alleged the defendant was a “data broker” that provided software to developers to assist the developers in developing their applications in exchange for allowing the defendant to intercept location data from an application user. The defendant allegedly then packaged the information by connecting users across devices via a “fingerprint” built from “search terms, click choices, purchase decisions, and/or payment methods” and sold the packaged information to advertisers. The plaintiff alleged the defendant’s actions violated several laws, including the California Constitution, California Computer Data Access and Fraud Act (“CDAFA”), California Unfair Competition Law (“UCL”) and common law principles of unjust enrichment. The district denied the defendant’s motion to dismiss, rejecting the defendant’s arguments that the defendant’s actions did not affect the plaintiff in particular, that the collection of the data did not diminish the economic value of the plaintiff’s data, and that the plaintiff had consented to the data collection. As to the third argument, the district court distinguished between general consent to provide location data to the app developer with the specific action of providing the data to the defendant to sell for advertising purposes. Consent for the former did not transform into consent for the latter.

3.         Overview of Current U.S. Data Privacy Litigation Trends

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. Most, but not all, have been filed in California. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content.

Finally, lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.