Keypoint: October showed judges are not consistent in how they handle wiretapping cases although they are largely consistent in how courts handle VPPA claims.

This is the eighth installment in our monthly data privacy litigation reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post, we look at privacy litigation decisions issued in October 2023. California judges remain inconsistent in how they rule on motions to dismiss wiretapping claims, with most courts struggling on the “tape recorder” or “human eavesdropper” distinction. In contrast, both California and Delaware federal courts dismissed VPPA claims, while a Florida federal district court denied a motion to dismiss. Perhaps coincidentally, more new VPPA cases were filed in Florida in October than any other court.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1. Litigation Updates

a. Chat Wiretapping Lawsuits

We are covering three decisions from the Northern District of California and one each from Central and Southern Districts of California. The facts of our first Northern District decision are different from most wiretapping claims we cover in this blog. The plaintiff alleged they had received a document from the defendant that indicated the defendant had “tracked, compiled, and analyzed their web browsing and other activity, thereby creating an ‘electronic profile’ of them.” The plaintiffs alleged the tracking including the plaintiffs’ financial data. The court considered several claims under both California and Florida law. Of note here, the court found the plaintiffs had sufficiently alleged the defendant’s recorded the content of the plaintiffs’ communications by capturing “refer URLs and data entered into forms.” In a prior decision in April 2023, this court had held the plaintiffs’ lack of specificity as to the specific URLs at issue made the motion to dismiss a “close call,” the court nevertheless found the plaintiffs’ had stated a claim because they also alleged completed forms were recorded. It is likely a claim that only included “referrer URLs” would be dismissed where the URLs do not contain user-generated content such as search terms. Indeed, any finding that “referrer URLs” constitute “content” under wiretapping laws would expressly contradict the Ninth Circuit’s 2014 In re Zynga decision.

The second Northern District decision we are covering is also unlike most of the cases we cover in this blog because it is a “traditional” wiretapping claim; the plaintiff alleges the defendant improperly recorded phone calls without consent. The holding is nevertheless relevant to all wiretapping claims. The plaintiff brought a class action lawsuit. The defendant moved to strike the class allegations, arguing determining consent requires an individual inquiry, which is not conducive to class treatment. The court denied the motion after finding discovery may establish suitability for class treatment.

In the third Northern District decision we are covering this month, the plaintiff alleged the defendant aided a third-party (a well-known sales and lead management company) in intercepting chat communications. The court granted the motion to dismiss but gave leave to amend, instructing the plaintiff to provide more detail to support its claim that the third-party’s service is more takin to a person eavesdropping on a conversation that a tool such as a tape recorder.

In contrast, the Central District denied a motion to dismiss in October where the defendant argued the third-party was more similar to a tape recorder than a human eavesdropper, finding the argument raised a factual dispute and could not be resolved at the pleading stage. The plaintiff alleged the defendant “intercepted and diverted chat messages” and therefore violated both California’s wiretapping law and the Comprehensive Computer Data Access and Fraud Act (CDAFA), which is California’s state equivalent to the federal Computer Fraud and Abuse Act. The defendant moved to dismiss both claims. In support of its request to dismiss the wiretapping claims, the defendant argued: (1) the plaintiff consented to the recording because the privacy policy disclosed the practice; and (2) the third-party was merely a tool, like a tape recorder, and not a third-party eavesdropper. The court rejected both arguments. First, the court found “even when a website contains privacy clauses, a plaintiff’s pleading that she did not consent to the recording . . . is sufficient to survive a motion to dismiss.” Second, the court found the defendant’s arguments that the third-party was a tool raised a factual dispute and could not be resolved at the pleading stage.  The court did dismiss the CDAFA claims, however, finding the plaintiff did not allege the defendant overcame any technical or code-based barrier. Because the CDAFA allows a plaintiff to recover attorneys’ fees, we may see future plaintiffs try again to apply a CDAFA claim to the chat-communication scenario.

Finally, a Southern District of California court both dismissed and denied a request to dismiss wiretapping claims, both of which considered whether the third-party was more similar to a tape recorder or human eavesdropper. The plaintiffs alleged the defendant allowed a third-party to intercept and analyze online chats with the defendant’s customer service representatives. The plaintiffs brought claims under CIPA, California’s UCL, and the California Constitution. The defendant moved to dismiss and argued the plaintiffs lacked standing and had failed to state a claim. The court found the plaintiffs had standing for three of the four claims because CIPA and the California Constitution’s right to privacy codify substantive rights to privacy, but did not have standing to bring the UCL claim because the plaintiffs did not allege they lost money or property. Turning to the Section 631(a) claim, the court found the plaintiff plausibly alleged the defendant violated the second clause by aiding and abetting the third-party, but did not plausibly allege violation of the third clause because the plaintiff failed to allege the third-party used the chat data for its own purposes. Although the defendant also argued the “tape recorder” defense should apply as to the second clause, the court disagreed, finding there is no “use” requirement in the second clause of Section 631(a). Finally, the court found the plaintiffs did not have a reasonable expectation of privacy in their chats with customer service representatives on the defendant’s website.

b. Session Replay Lawsuits

This month, we are covering two session replay decisions, both of which involved the same defendant, a well known department store. Although the defendant and judge were the same, the plaintiffs and their firms were not; perhaps indicating that well-known defendants are at risk of multiple lawsuits from multiple firms if they cannot quickly make changes to their website functionality to reduce their exposure to these types of lawsuits.

Fortunately for the defendant in these cases, the judge dismissed the complaints without leave to amend. In both cases, the plaintiffs sued under both the federal wiretapping and California wiretapping acts. The defendant moved to dismiss on the basis that the court lacked jurisdiction. Although the courts found the defendant had purposefully availed itself in California and therefore satisfied the first prong of the specific jurisdiction test, the court then found the plaintiffs’ claims did not arise out of, or relate to, the defendant’s contacts with the State of California. The court granted the motion to dismiss without leave to amend.

c. Video Privacy Protection Act (“VPPA”) Lawsuits

Although California courts have to-date issued the lion’s share of VPPA decisions, Florida was the hot spot for new VPPA filings this month. October only saw one note worthy VPPA decision from Florida, however, where a court held plaintiffs did not need to identify the actual titles they allege were disclosed under the VPPA.

We are also covering three other VPPA decisions, two from the Southern District of California and another from Delaware. On October 3, a Southern District of California court considered an amended complaint that attempted to assert a VPPA claim. The court had previously dismissed the complaint after finding it did not adequately allege the defendant was a video tape service provider. The plaintiff’s second attempt did not fare any better. The court distinguished decisions where the defendant financially benefitted directly from the collection and/or sale of consumer video information from the case at bar, where the defendant merely used videos as a method to drive sales of its primary product (e.g., fashion merchandise). Another Southern District of California decision also dismissed a VPPA claim after finding the plaintiff failed to allege a well-known candy manufacturer was a video tape service provider as defined by the VPPA.

Finally, a Delaware federal district court dismissed the plaintiff’s VPPA claim, seemingly because the court found the complaint to be poorly drafted and ambiguous. The court concluded its analysis by stating: “[t]he bottom line is that the Complaint is too poorly drafted for me to evaluate the competing arguments of the parties on this issue. The sloppiness of the Complaint is apparent on its face, and there is good reason to believe that the Complaint is a copy-and-paste job.” The court cautioned “[a]ll plaintiff counsel, but especially counsel who seek to represent a class of plaintiffs, need to spend the necessary time and effort to draft a complaint that complies with Rule 8’s ‘plain statement’ mandate.” We will be watching to see whether the plaintiff amends the complaint by the November 17 deadline or whether the plaintiff, and/or its counsel, determines that preparing a complaint that meets the court’s stringent standards is too much effort.

2. On the Horizon

In this section, we forecast what other types of data privacy lawsuits we are watching and may cover in future litigation update monthly posts.

We are continuing to watch for complaints that allege wiretapping violations arising from the de-anonymization of website visitors. These cases claim the third-party can match a visitor’s IP address, obtained through the website containing spyware, to their name, face, location, e-mail, and browsing history and the use of this technology is equivalent to “doxing” website visitors. We will monitor how these cases progress as they move through the court system.

So far, the other theories identified in the “on the horizon” section of our prior posts have not materialized into substantial litigation.

3. Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

  • How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
  • Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
  • Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
  • Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
  • Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
  • Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content.

The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). VPPA decisions are also often resolved on a limited number of issues, including:

  • Is the defendant a “video tape service provider” as defined by the VPPA? The VPPA defines a provider as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider. Where the defendant only delivers the content, however, courts often struggle to determine whether the defendant is a provider under the VPPA.
  • Is the plaintiff a “consumer” under the VPPA? The VPPA defines a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Courts often require an established relationship between the plaintiff and defendant and consider whether the connection relates to the video materials. Many of the more-recent VPPA decisions are resolved on this basis.
  • Is the “video content” at issue pre-recorded? Courts have held live-streaming content does not fall under the VPPA.
  • Did the defendant disclose “personally identifiable information” belonging to the plaintiff? Courts have held a Facebook ID is personally identifiable information when combined with a video URL, while a device ID, IP address, or a user’s browser settings may not be PII.

Finally, lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.