Keypoint: The past two months have seen many courts dismiss privacy claims as judges appear to be more critical of plaintiffs’ theories while other judges have allowed cases to proceed past the motion to dismiss stage.
This is the seventh installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post we look at advancements in data privacy litigation in August and September 2023. Because we are covering two months in this post instead of our normal “one post per month” practice, this post is a bit longer than normal. We have seen a lot of development in privacy litigation over the past two months, however, so without further delay let’s dive in.
One final note. There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.
1. Litigation Updates
- Chat Wiretapping Lawsuits
California courts have remained split on how to resolve motions to dismiss chat-based wiretapping lawsuits. In August and September, five courts—including two state court decisions, two decisions from the Northern District, and one decision from the Southern District—dismissed wiretapping claims after finding both the alleged third-party and the defendant were entitled to the party-exception rule. In contrast, two Central District of California courts and one Southern District of California court rejected the defendant’s “party exception” argument and denied the motion to dismiss.
Unlike federal courts, state courts have been less likely to provide decisions that explain the court’s reasoning in resolving these disputes. Over the past two months, however, we saw two decisions where California state courts dismissed chat-based wiretapping claims and provided decisions that set forth the courts’ reasoning. A San Diego Superior Court held the defendant was a party to the communication and was therefore not directly liable. The court also held the defendant’s chat feature was not liable under Section 631(a) because that section only imposed liability if the alleged conduct is done against a telephone. The court also rejected the plaintiff’s aiding and abetting theory, finding the defendant hired a third-party who retrieved information about the plaintiff’s communication from electronic storage rather than intercepting the communication. The court also agreed with several other courts and held Section 632.7 does not apply when both parties need to be using a cellular phone. The court did not grant leave to amend.
On September 7, 2023, a Superior Court of California, County of San Diego court dismissed the plaintiff’s Section 631(a) claims. The court adopted the “tape recorder” or “eavesdropper” test used by numerous federal courts and found the plaintiff did not allege the third-party vendor attempted to use the plaintiff’s communications, regardless of whether the vendor had the capability to do so. The court also found the plaintiff had not alleged plausible facts to establish the vendor intercepted the communications, but rather caused the communications to be routed directly to them “in the same way a voicemail could record a message to be listened to at a later time.” The court also agreed with many other courts who have held Section 632.7 does not apply when the plaintiff uses a cellular phone to communicate with a website server.
Perhaps given the greater availability of federal court precedent, several defendants have removed wiretapping claims to federal court by claiming diversity jurisdiction. Federal court judges, however, have viewed these removals with scrutiny. On September 18, 2023, Judge Sykes of the Central District of California issued several orders to show in writing why cases that were removed from state court on diversity basis should not be remanded. The orders focused on the amount in controversy requirement. These orders should serve as a reminder to any defendant seeking removal from state court: it is vital to establish with specificity the minimum number of violations and not merely rely on the plaintiff’s use of plural when describing consumers or the conduct at issue.
As noted above, federal courts were split in resolving motions to dismiss. An August 25, 2023, decision from the Northern District of California concerned a chat feature that first routed communications to a third-party server, created chat communications in real time and then transmitted to the defendant/contracting company, and allowed an agent to view the contents of a user’s message before the customer sent the message (i.e., while the user was still typing in real time). The plaintiffs brought claims under both California and Pennsylvania wiretapping laws. The court first rejected the defendant’s argument that the plaintiffs lacked Article III standing because the wiretapping laws “codified a substantive right to policy, the violation of which gives rise to a concrete injury sufficient to confer standing.” The court also noted the plaintiffs alleged they communicated personal health information. The court nevertheless dismissed the CIPA Section 631 claim after finding the allegations did not support a reasonable inference that the third-party had the capability to use the communications for any purpose other than furnishing them to the defendant and was therefore more akin to a tape recorder than an eavesdropper.
An August 30, 2023, decision from the Northern District also granted the defendant’s motion to dismiss. The court first found the defendant did not directly violate the first three clauses of Section 631(a). The court also found the defendant did not aid any third party in violating Section 631(a) because the plaintiff did not plead the third-party used the information for its own benefit (thus making the third-party more akin to a tape recorder) or that the third-party intercepted the communications instead of receiving the communications after the chat reaches the defendant. The court also dismissed the plaintiff’s Section 632 claim, Federal Wiretap Act claim, and California UCL claim.
A Southern District decision by Judge Huie also dismissed the plaintiff’s Section 631(a) claim. The plaintiff filed a class action in state court and the defendant removed the case to federal court. The court found “in the context of texted chat communications that a smartphone user directs to a website” the plaintiff’s theory of recording to be “incoherent” because “[s]uch communications are, by their very nature, recorded.” The court also rejected the plaintiff’s theory that the defendant aided and abetted a third party in eavesdropping on the conversations. The court not only found the plaintiff failed to allege the third-party violated Section 631(a) but continued and “agree[d] with those decisions holding that a website owner that engages a vendor to record website-based communications for the website owner’s own purposes” does not violate Section 631(a). The court also dismissed the plaintiff’s Section 632.7 claim, agreeing with other courts that Section 632.7 does not apply to the alleged conduct.
Two decisions from the Central District and one from the Southern District reached opposite conclusions, however, and denied the defendants’ motions to dismiss. On August 14, a Central District of California court denied the defendant’s motion to dismiss a Section 631 claim. The court found the plaintiff sufficiently alleged a violation of the second clause of Section 631 when the plaintiff alleged the defendant partnered with a third-party and allowed the interception of chat communications in real time. Although the defendant disagreed with the plaintiff’s allegations, the court found the allegation of real time interception was plausible based on the factual support alleged and noted “nothing more than this combination of plausibility and notice is required at this stage.” The court also rejected the defendant’s argument that it did not aid the third-party because the third-party acted for the defendant’s benefit. In reaching its decision, the court rejected other courts’ decisions that found third-party software vendors to be more akin to a tape recorder than an eavesdropper because the third-party was a distinct corporate entity. Although the court allowed the Section 631 claim to continue, it dismissed the Section 632.7 claim with prejudice after finding that section required communication between two telephonic devices. Because the website communicated via a server, there could not be any Section 632.7 liability.
On September 5, another Central District court denied the defendant’s motion to dismiss the plaintiff’s Section 631(a) claim because the court found the plaintiff sufficiently alleged the third-party vendor’s capabilities were more akin to an eavesdropper than a tape recorder and allowed it to intercept the communications in real time. The court acknowledged that the plaintiff “will bear the burden of proving her relatively novel allegations at a later point in these proceedings” but determined the question of whether the vendor was more similar to a tape recorder or an eavesdropper was “a question of fact best resolved by a jury.”
- Session Replay Lawsuits
In August and September, we saw fewer wiretapping claims based on session replay technology than those based on website chat technology. A Central District of California court dismissed several claims based on session replay technology after finding the plaintiff had not established standing to bring the claim. The court distinguished the Ninth Circuit’s Facebook decision, finding that case involved comprehensive tracking that provided Facebook with a “cradle-to-grave profile” without users’ consent, whereas the instant case did not involve the same level of alleged tracking and did not extend beyond the defendant’s website. The court also found the plaintiff did not allege any of the information collected was sensitive. The court rejected the plaintiff’s argument that it was not required to prove what all information had been collected at the pleading stage, finding the plaintiff was required to establish standing.
Two other decisions also merit mention. First, a Southern District of California court dismissed the plaintiff’s CIPA claim. Rather than undertaking a lengthy analysis, however, the court simply incorporated the reasoning of a July 2023 decision the Court had issued. This may be one way courts overcome the burden imposed by the high volume of wiretapping claims.
Finally, an Eastern District of California court transferred a case to the District of New Jersey after finding the forum-selection clause contained in the website Terms and Conditions was enforceable and applied to the claims at issue. The court expressly noted all website users must accept the Terms and Conditions to create an account and use the defendant’s website.
- Video Privacy Protection Act (“VPPA”) Lawsuits
August and September saw several California and New York courts dismiss VPPA claims after finding the defendant did not meet the statutory definition of a “video tape service provider,” the plaintiff did not meet the statutory definition of a “consumer,” or the plaintiff had not adequately alleged the defendant disclosed PII. Two of these decisions involved not only the Meta Pixel, which has long been the focus of VPPA claims, but also Google Analytics cookies.
Multiple California federal district courts dismissed VPPA claims after finding the defendant did not meet the statutory definition of a “video tape service provider.” On September 1, a district court in the Central District of California held the VPPA “does not cover every company that merely delivers audio visual materials ancillary to its business.” The court then held the defendant was not a “video tape service provider” and the plaintiffs were not “consumers” under the VPPA. In reaching its decision, the court quoted from the 1988 Senate Report, which notes that sections of the VPPA are drafted “to make clear that simply because a business is engaged in the sale or rental of video materials or services does not mean that all of its products or services are withing the scope of the bill. For example, a department store that sells video tapes would be required to extend privacy protection to only those transactions involving the purchase of video tapes and not other products.” S. Rep. 100-599, at 12 (1988). Although the court allowed the plaintiffs leave to amend, it cautioned plaintiffs that they should only amend “if they can do so consistent with the requirements of Rule 11 of the Federal Rules of Civil Procedure.”
This decision was consistent with earlier decisions from both the Southern District and Northern District of California. On July 28, 2023, a judge in the Southern District of California held the defendant did not meet the statutory definition of a “video tape service provider” because the plaintiff’s allegations concerning the volume and role of the video content at issue did not support an inference that the videos the plaintiff viewed were more than peripheral to the defendant’s business. The court also rejected the plaintiff’s argument that merely signing up for the defendant’s email list after watching the videos was sufficient to create the “type of commitment, relationship, or association . . . between a person and an entity” or “support the existence of a nexus between the alleged subscription and the video content at issue” required to qualify the plaintiff as a “consumer” under the VPPA. Although this case was somewhat unique because it involved not only the Meta Pixel, but also Google tracking cookies, the court’s decision did not turn on this issue.
On August 29, 2023, a Northern District of California judge also held a defendant was not a video tape service provider because the allegations did not indicate providing video content was a substantial or significant purpose of the defendant’s business. The court rejected the argument that merely creating video content, as opposed to relying on a third-party to do so, was enough to make a party a video tape service provider under the VPPA. The court also held the plaintiff was not a “consumer” because there was no alleged nexus between the plaintiff and defendant’s relationship and the video content provided.
Two other courts in the Northern District of California, however, rejected the defendant’s arguments that they were not video tape service providers under the VPPA. On July 28, 2023, a Northern District court rejected the defendant’s argument that a company must provide full-length movies to qualify as a “video tape service provider.” Although the court noted several courts had held the VPPA does not apply to retail websites that provide audio visual media that is merely incidental to their primary business (and are therefore not video tape service providers), the court nevertheless denied the motion to dismiss after finding whether the defendant’s videos were merely incidental raised a factual dispute. The court did not consider whether the plaintiff was a “consumer” under the VPPA. The court also rejected the defendant’s argument that a plaintiff must allege it actively elected to view videos as opposed to the videos merely auto-playing to meet the VPPA’s requirement that the plaintiff requested videos. The court noted the VPPA also applied where the plaintiff “obtained” videos, which would apply regardless of whether the videos played automatically or needed to be clicked to play.
One month later, on August 28, another judge in the Northern District of California also found the defendant was a “video tape service provider” under the VPPA. The court rejected the defendant’s arguments that the VPPA only applied to video materials of a specific length (i.e., feature-length movies) or subject matter. The court did not, however, consider what role the videos at issue played in the defendant’s business, which is how many other courts (including courts in this district) resolved the issue. The court also found the plaintiffs met the “consumer” definition under the VPPA even where only one plaintiff had paid for access to the defendant’s website because both plaintiffs provided some information to the defendant. This contradicts other decisions in August and September which have held merely providing information is insufficient unless it provides the plaintiff with access to video content not available without providing the information. Although the court did not dismiss the complaint on the above issues, it did dismiss the complaint upon finding the defendant did not disclose PII. The court agreed a Facebook ID can constitute PII “where it leads to a Facebook page that discloses personal and identifying information about the consumer,” but found the plaintiffs did not allege their Facebook pages contained that information and therefore did not allege the defendant disclosed PII. The court granted the plaintiffs leave to amend to provide the missing information.
Three Southern District of New York judges dismissed VPPA claims in four separate decisions, each finding that regardless of whether the defendant was a video tape service provider, the plaintiff could not meet the statutory definition of a “consumer.”
On August 7, 2023, Judge Rochon dismissed a VPPA claim after finding the plaintiff did not sufficiently plead they were a “consumer” under the VPPA. The plaintiff alleged they had a digital subscription to the defendant’s website, which had required the plaintiff to sign up for an online newsletter and provide an email address and the plaintiff’s IP address. Because the plaintiff did not allege the newsletter provided unique access to video content or that the plaintiff was required to be signed into the defendant’s website to watch video content, the court found the plaintiff did not allege they were a subscriber (and therefore a consumer) under the VPPA.
On September 22, 2023, another Southern District of New York court stayed a case based on similar facts because the August 7 decision was appealed to the Second Circuit. The subsequent court found the Second Circuit’s decision would resolve whether a plaintiff must consume audio visual materials, not just any products or services, from a defendant to qualify as a “consumer” under the VPPA.
On August 23, 2023, Judge Engelmayer also dismissed the plaintiff’s VPPA claim. The court first rejected the defendant’s arguments that it was not a “video tape service provider” under the VPPA after finding the website allowed users to view on-demand, pre-recorded materials through the defendant’s website and mobile application. The court found videos were part of the defendant’s business model because the complaint alleged the defendant, a well-known media company, sold “users’ video-viewing information to advertisers.” After rejecting the defendant’s other arguments, however, the court then dismissed the claim after finding the plaintiff did not sufficiently allege they were a “consumer” under the VPPA. The plaintiff had alleged they were a “subscriber” because they signed up for an online newsletter from the defendant, provided her personal information during that process, and had since-received emails from the defendant and viewed videos on the defendant’s website and through its mobile application. The court found these allegations did not establish the plaintiff enjoyed any video viewing benefits from signing up for the newsletter that were not available to members of the general public who simply chose to visit the website or use the mobile application. The court examined numerous other decisions and summarized that to qualify as a subscriber under the VPPA, a plaintiff must allege more than having merely downloaded a free application or signed up for a free email newsletter that is unrelated to the video viewing. Although the court found the plaintiff had not met this standard, it nevertheless allowed the plaintiff to amend its complaint to allege greater detail about the email newsletter and mobile application services.
Judge Carter of the Southern District of New York dismissed two VPPA claims. On September 27, 2023, Judge Carter held the plaintiff was not a consumer because they merely alleged they were “subscribers to newsletters, not subscribers to audio video materials.” The next day, Judge Carter dismissed a VPPA claim in an unrelated case. Although the court rejected the defendant’s argument that it was not a video tape service provider under the VPPA, the court dismissed the VPPA claim after finding the plaintiff was not a “consumer” because the plaintiff did not allege their membership or subscription entitled them to special or enhanced access to videos. This decision was unique because it also provided a detailed analysis on whether the plaintiff could meet the Article III standing requirement. The defendant had submitted evidence contesting the plaintiff’s claims regarding when the plaintiff created their account and what content the plaintiff had accessed. Although the court ultimately concluded the plaintiff met the standing requirement, this decision shows standing is not always assumed in VPPA cases.
One decision from the Eastern District of New York also merits mention. On September 30, 2023, the court dismissed the plaintiff’s VPPA claim after finding both the plaintiff did not allege the defendant shared the plaintiff’s PII and that the video content at issue was not “pre-recorded.” The court first held the Facebook ID is not per se PII under the VPPA and that a plaintiff must allege the plaintiff’s public profile page that can be accessed with the Facebook ID contains identifying information about the plaintiff to state a claim. The court granted leave to correct that issue. The court also independently dismissed the VPPA claim—without leave to amend—because the plaintiff alleged the plaintiff only watched live content while the VPPA applies only to pre-recorded content. The court rejected the plaintiff’s argument that the defendant’s video services were pre-recorded because they were first recorded as a video file, then delivered to an encoder to convert the file into a smaller streamable file, and then delivered to the end users’ devices. The court relied on a previous decision involving the Facebook Live service, which rejected this technical argument.
Finally, we note that the VPPA case against Chick-fil-a—which we first covered in January of this year—is still on-going, although there is now a pending motion to dismiss. This should serve as a reminder that even where a defendant may have a seemingly clear defense to a VPPA claim, the process to potential dismissal can be lengthy.
2. On the Horizon
In this section, we forecast what other types of data privacy lawsuits we are watching and may cover in future litigation update monthly posts.
We are continuing to watch for complaints that allege wiretapping violations arising from the de-anonymization of website visitors. These cases claim the third-party can match a visitor’s IP address, obtained through the website containing spyware, to their name, face, location, e-mail, and browsing history and the use of this technology is equivalent to “doxing” website visitors. We will monitor how these cases progress as they move through the court system.
So far, the other theories identified in the “on the horizon” section of our prior posts have not materialized into substantial litigation.
3. Overview of Current U.S. Data Privacy Litigation Trends and Issues
Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.
Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.
Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:
Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .
Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:
- How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
- Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
- Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
- Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
- Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
- Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.
Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content.
The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). VPPA decisions are also often resolved on a limited number of issues, including:
- Is the defendant a “video tape service provider” as defined by the VPPA? The VPPA defines a provider as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider. Where the defendant only delivers the content, however, courts often struggle to determine whether the defendant is a provider under the VPPA.
- Is the plaintiff a “consumer” under the VPPA? The VPPA defines a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Courts often require an established relationship between the plaintiff and defendant and consider whether the connection relates to the video materials. Many of the more-recent VPPA decisions are resolved on this basis.
- Is the “video content” at issue pre-recorded? Courts have held live-streaming content does not fall under the VPPA.
- Did the defendant disclose “personally identifiable information” belonging to the plaintiff? Courts have held a Facebook ID is personally identifiable information when combined with a video URL, while a device ID, IP address, or a user’s browser settings may not be PII.
Finally, lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.