Keypoint: Three courts that do not normally see privacy litigation issued decisions in November and December, perhaps forecasting more cases in new districts in 2024.

Welcome to the ninth installment in our monthly data privacy litigation report, which we are releasing just after the New Year. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post, we look at ten privacy litigation decisions issued in November and December 2023. Three of these decisions were issued by the Western District of Washington, the District of Nebraska, and the Eastern District of Louisiana; all of which do not see the number of privacy cases seen by the California, Florida, and Third Circuit district courts whose decisions we normally cover. This may suggest 2024 will see more decisions issued from courts other than California.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1. Litigation Updates

a. Chat Wiretapping Lawsuits

The first chat-based wiretapping decision we are covering was issued on November 27 in the Central District of California. The defendant operated a website for its lighting company and included a chat feature on the website, which was operated by a third-party who allegedly routed communications to its servers and, via integrations with Meta, used its record of users’ interactions “for data analytics and marketing and advertising to consumers.” After performing a thorough analysis of several decisions from the Central and Northern Districts of California concerning the “party” exception to the second clausa of Section 631(a), this court accepted the reasoning in Javier v. Assurance IQ, 2023 WL 114225, at *6 (N.D. Cal. Jan. 5, 2023), which held it would be improper to read a “use” requirement into the second prong, but would not find potential liability if the third-party lacked the capability to use the received communications for its own benefit. The court then found the plaintiff had not alleged facts sufficient to show the third-party had the capability to use the communications for its own benefits. The court also found the plaintiff did not allege “specific facts about what was intercepted and when or how the interception took place” and dismissed the claim under the second prong for both reasons. The court granted the plaintiff leave to amend.

b. Session Replay Lawsuits

We are covering three session replay decisions from November 2023. Although we are not covering any session replay decisions from December, we are covering one decision based on similar technology – a software development kit (SDK).

In the first November decision, we are returning to a case we previously covered in our July post. In this case, the plaintiffs alleged the defendant—a medical-related company who operates hospitals—violated CIPA and other laws through the use of the Meta pixel on its website. Earlier this year, the Southern District of California dismissed the plaintiffs’ claims, finding the plaintiffs did not allege enough factual information to establish the “contents” of the communications were intercepted by a third-party as a result of the defendant’s action. Following that decision, the plaintiffs amended their complaint and the defendant once again moved to dismiss. This time, however, the court sided with the plaintiffs. The court found the plaintiff alleged the communicated data included personal search queries and therefore plausibly conveyed content. The court found Hammerling v. Google, LLC, 615 F.Supp.3d 1069, 1092-93 (N.D. Cal. 2002), to be persuasive. There, the court employed “a contextual ‘case-specific’ analysis hinging on ‘how much information would be revealed by the information’s tracking and disclosure.” 615. F.Supp.3d at 1092-93. The Hammerling court noted information may be record information but the same information may also be content when it is part of the substance of the conveyed message. Id.

We next case we are covering from November is from the Central District of California. The defendant had argued its use of session replay technology was more akin to a tape recorder and therefore did not implicate wiretapping laws. The court noted the circuit split, finding “courts have found ‘a key distinction is whether or not the alleged third-party software provider aggregates or otherwise processes the recorded information, which might suggests that the software vendor independently ‘uses’ the gathered data in some way,” while also noting other courts have rejected this test because it would impose a “use” requirement into the second prong of Section 631. Ultimately, the court concluded it did not need to resolve the circuit split because the plaintiff had sufficiently plead the session replay vendor used the information to cross-reference and analyze user activity across all websites they monitor. The defendant also argued the session replay technology—which captured the users’ mouse clicks, scrolls, keystrokes, text entry, search terms, and more information, even when the user did not ultimately submit that information—did not capture the “contents” of the communication. The court also rejected this argument, however, finding “[a]lthough perhaps not all of this information is ‘content’ under CIPA, much of what is captured certainly is and the allegations are more than sufficient for pleading purposes.”

The third decision we are covering from November is from the Northern District of California involving a well-known sports website. The defendant’s session replay technology captured not just pages viewed, but also keystrokes and search terms. The plaintiffs alleged the captured information was used by both the defendant to market to and attract new customers, but also the third-party vendor who “retains and uses the same data to assist other clients.” The court first addressed the defendant’s arguments that the plaintiffs lacked standing under the Supreme Court’s TransUnion decision. Relying on the Ninth Circuit’s In re Facebook Inc. Internet Tracking Litigation decision, the court found the plaintiffs were not required to show that any interception of information was highly offensive to have standing and also rejected the defendant’s argument that the plaintiffs had not alleged the captured information was sufficiently personal to impose standing. The court went on to distinguish several other decisions on which the defendant had relied, in part because those cases dealt with anonymized information. Although the court denied the motion to dismiss under Rule 12(b)(1), it granted the Rule 12(b)(6) motion (albeit with leave to amend). The court addressed an argument not seen in many wiretapping claims; whether the defendant intended for the third-party to intercept the information at issue. The court found the plaintiff sufficiently alleged the defendant intended for the third-party to intercept users’ communications with the defendant’s website because the defendant knowingly employed the third-party’s software, but had not alleged enough to show the defendant intended for the third-party to use the information for the benefit of others.

For December, we are covering a decision that considered whether a software development kit (SDK) used on a healthcare website violated eight different laws, include CIPA and the U.S. Computer Fraud and Abuse Act (“CFAA”). The plaintiffs alleged a healthcare provider website included SDK code that extracted private healthcare information, including medical conditions, immunizations, prescriptions, physician information, and other private data, including healthcare search terms, videos watched, and links accessed. The Western District of Washington issued its decision on December 19, 2023, denying the defendant’s motion to dismiss. (We will likely see many more decisions from Washington as the private right of action provision of the My Health My Data Act goes into effect soon.) The court first rejected the defendants’ argument that the plaintiffs consented to the information being shared when they created an account, finding the defendants’ argument hinged on the user being logged into their account and the SDK operated regardless of whether the user was logged in or not. The court also found the privacy policy would not inform a user their health information was being shared. The court also rejected the defendants’ arguments that the third-parties were entitled to the party exception and that the SDK did not share the contents of the communication after finding the plaintiff alleged the SDK shared URLs containing search queries “that could divulge a user’s medical conditions, allergies, and immunizations.”

c. Video Privacy Protection Act (“VPPA”) Lawsuits

In this “holiday post”, we are covering three VPPA decisions from November and two decisions from December. The first VPPA decision we are covering in this update is from early November and was issued by the Eastern District of Louisiana, which has rarely (if ever) addressed the VPPA as it is being used by privacy plaintiffs. Based on this decision, however, we may see more cases filed in this district. The court found the plaintiff adequately alleged she was a consumer under the VPPA because she was given exclusive access to video content as a paid subscriber of the defendant’s website and her video watching history of that content was transmitted to Meta. The court also rejected the defendant’s arguments that the Facebook ID was not PII and that the defendant did not “knowingly” transmit the PII.

In the second VPPA case from November we are covering in this post, the defendant argued, and submitted evidence in support of its argument, that it had removed the Meta Pixel from all pages that played video in August 2022 – months before the plaintiff accessed the website. In July 2023, the court had allowed the plaintiff to conduct discovery to address this point and in November found the plaintiff lacked standing and dismissed the complaint.

In our third and final decision from November, the plaintiffs were paid subscribers to the defendant’s news service. The plaintiffs alleged the defendant used the Meta Pixel to share the plaintiffs’ information when they viewed videos on the website or mobile application. The defendant argued the mere transmission of URLs for webpages containing video content was insufficient to support a VPPA claim because it did not prove the user actually requested or watched the video—an argument a Southern District of New York court accepted in February 2023. This judge, however, was unconvinced – finding the defendant’s argument required the court to resolve factual disputes and determine exactly what information was conveyed via the URLs. The court also rejected the defendant’s argument that the plaintiff consented to the disclosure, finding it was a factual dispute and not appropriate to be resolved at the pleading stage. The court concluded its opinion with a section entitled “the VPPA is not fit to address data privacy issues stemming from online video streaming,” which declared the VPPA was an “uncomfortable fit” to “free video streaming services” and cautioned plaintiffs to “seek protection through the ordinary legislative process rather than through the courts.”

The first December VPPA decision we are covering was filed in the District of Nebraska by a Colorado plaintiff against a Delaware LLC with its headquarters in Texas and a Missouri LLC with its headquarters in New York, who operated the website for a well-known Nebraska educational institution. (Although the parties’ residencies are immaterial to the decision because the VPPA presents a federal-question, it is fun to note.) The university-website includes video content and utilizes the Meta Pixel and other ad-tracking cookies. The plaintiff alleged they visited the website several times a month to watch video-content but did not consent for the plaintiff’s video-watching behavior to be shared with Meta. The court issued a 38-page opinion and ultimately decided the plaintiff was not a “consumer” under the VPPA because the plaintiff’s “mere exchange of personal information and occasional clicks on links contained in the newsletters to videos on the [Defendant’s website] do not suffice to make Plaintiff a ‘subscriber.’ This is so for the simple reason that he never provided monetary consideration or its equivalent in exchange for the newsletters.”

The next VPPA decision we are covering from December is another example of a ruling on a motion to dismiss after the plaintiff was given leave to amend their prior complaint. Once again, the issue turned on whether the plaintiff could plead they were a “consumer” under the VPPA because they subscribed to something the defendant offered (in this case, an email newsletter). The Northern District of California held the plaintiff had once again missed the mark and provided a great explanation of the standard courts have widely adopted:

A newsletter of the sort in question here, which is comprised primarily of text and occasional external hyperlinks to video content, does not fit readily within that definition. The amended complaint does not allege that any videos were presented in the newsletters themselves. It also does not allege that plaintiffs received enhanced access to the videos, which were equally available to all [Defendant’s]  visitors. At most, the amended complaint established that plaintiffs subscribed to a predominantly written, not video, good or service, which is outside the purview of the VPPA.

2. On the Radar

In this section – previously called “On the Horizon” – we identify other types of data privacy lawsuits we are watching and other interesting information in the world of data privacy litigation.

Illustrating just how prevalent these lawsuits currently are in the judicial system, defendants in CIPA-based lawsuits have begun filing third-party notices of related cases in several other lawsuits.

We are also watching a case in New Jersey where sandwich shop Jersey Mike’s has asked the district court to bar the American Arbitration Association (AAA) from administering multiple arbitrations that it contends are frivolous claims over the practice of sharing data with Facebook. We have not covered these underlying claims before because the AAA proceedings are not public, but will provide updates about the New Jersey case as it develops.

We are continuing to watch for complaints that allege wiretapping violations arising from the de-anonymization of website visitors. These cases claim the third-party can match a visitor’s IP address, obtained through the website containing spyware, to their name, face, location, e-mail, and browsing history and the use of this technology is equivalent to “doxing” website visitors. We will monitor how these cases progress as they move through the court system.

3. Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

  • How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
  • Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
  • Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
  • Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
  • Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
  • Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content.

The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). VPPA decisions are also often resolved on a limited number of issues, including:

  • Is the defendant a “video tape service provider” as defined by the VPPA? The VPPA defines a provider as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider. Where the defendant only delivers the content, however, courts often struggle to determine whether the defendant is a provider under the VPPA.
  • Is the plaintiff a “consumer” under the VPPA? The VPPA defines a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Courts often require an established relationship between the plaintiff and defendant and consider whether the connection relates to the video materials. Many of the more-recent VPPA decisions are resolved on this basis.
  • Is the “video content” at issue pre-recorded? Courts have held live-streaming content does not fall under the VPPA.
  • Did the defendant disclose “personally identifiable information” belonging to the plaintiff? Courts have held a Facebook ID is personally identifiable information when combined with a video URL, while a device ID, IP address, or a user’s browser settings may not be PII.

Finally, lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.