Keypoint: Courts resolved six motions to dismiss wiretapping claims based on session replay technology in January, while two VPPA decisions highlight balance struck by courts. A new privacy litigation theory based on “pen registries” has emerged as well.

Welcome to the tenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this post, we examine one chat-based wiretapping claim and six session replay technology (SRT) based wiretapping claims. These decisions demonstrate how courts are still inconsistent in how they resolve wiretapping claims, even in cases where the plaintiff and SRT vendor are the same. We also look at two VPPA decisions that reflect the balance courts have struck in resolving VPPA decisions. Finally, we look at a new emerging trend based on “pen registry” technology (which is commonly associated with logging what phone numbers a monitored phone dials).

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1. Litigation Updates

a. Chat Wiretapping Lawsuits

We are covering only one chat-based wiretapping decision this month. The plaintiff alleged they accessed a chat box feature on the defendant’s website, which sent communications—including browser information, operating system information, and “may include” demographic information “like gender”—to a third-party vendor. The plaintiff brought asserted a violation under the fourth prong of CIPS Section 631(a). Adopting the Yockey and Javier line of cases, the court held the plaintiff may maintain a claim under the fourth prong if the plaintiff plausibly alleges the vendor “had the capability to use the [intercepted] communication for another purpose.” The court then considered “just how much a Plaintiff must allege to plausibly plead that the third-party software has such capabilities.” The court examined two cases, one which found the vendor had such a capability where the business model was to harvest data from the intercepted communications and another where the vendor was found to lack the capability where the vendor ran the chat function, could view the transcripts in real time, and would analyze the interactions in real time to create live transcripts of the communications. Turning to the facts before it, the court found the plaintiff conclusory alleged used and granted the motion to dismiss.

b. Session Replay Lawsuits

There were several SRT decisions—four from the Southern District of California and two from the Northern District of California—issued in January. In each of the four decisions dismissing the wiretapping claims, the courts resolved the dispute on different issues. In contrast, both courts that denied the motion to dismiss did so after rejecting the defendants’ arguments that the plaintiff had consented to the recording.

The first decision we are covering is from the Northern District of California. The plaintiff alleged he visited the defendant’s website to obtain an insurance quote but did not realize the defendant used SRT to capture the plaintiff’s keystrokes, mouse clicks, and information—including the plaintiff’s email address, zip code, age, weight, height, and use of prescription medication. The court dismissed the plaintiff’s claims, finding the plaintiff failed to plead a claim second clause of Section 631(a) because he did not allege the third-party vendor had read or attempted to read or learn about the contents of the communication. The court found merely pleading the vendor recorded and stored the communications was insufficient. The court also dismissed the California constitution claim because the plaintiff did not allege the intrusion was significantly serious.

In the next SRT decision we are covering from this month, the Southern District of California also dismissed the wiretapping claim. The court found the plaintiff’s allegation—that the technology collected “button clicks, moues movements, scrolling, resizing, touches (for mobile browsers), key presses, page navigation, changes to visual elements in the browsers, network requests, and more”—were not “contents” of the communications.

Our next decision is also from the Southern District of California and involved the same plaintiff. The plaintiff alleged they accessed the defendant’s website to order pizza but did not realize the defendant was not only taking the plaintiff’s order, but sharing that information—along with the plaintiff’s “words and text”, credit card information, name, and address information—with a SRT vendor. The court rejected the defendant’s consent argument. The defendant argued the plaintiff affirmatively consented by checking a box that signified the plaintiff agreed to the privacy policy each time the plaintiff placed a pizza order. The court instead found convincing the plaintiff’s allegations that they did not consent and found the issue of consent to be a factual dispute that could not be resolved at the pleading stage. The court also rejected the defendant’s other arguments, finding whether the vendor was entitled to the party exception to be a factual dispute and rejecting the defendant’s argument that the tool did not capture the contents of the communication.

Five days later, the Northern District of California issued a decision involving the same third-party vendor in addition to large social media networks. Although the Southern District (above) rejected the vendor’s personal jurisdiction arguments, the Northern District accepted them and granted the vendor’s motion to dismiss. This decision further illustrates how unpredictable litigation can be. The court then denied the social network-defendants’ motions to dismiss. (The claims were based on interactions with a website operated by a defendant no longer in the case. The website involved telemedicine services.) The social network-defendants relied on the privacy policy of the website the plaintiff accessed to argue the plaintiff consented to the collection and use of the information. The court examined the privacy policy in detail (rather than declaring the issue to be a factual dispute) because the plaintiff cited the policy in its complaint. The court nevertheless found the policy did not disclose the alleged conduct and denied the motion to dismiss. The court also rejected defendants’ motion to dismiss the intrusion upon seclusion claim, finding the collection of health data was sufficiently serious to maintain the claim.

The fourth January SRT decision we are covering presents a relatively rare consent argument. The defendant argued the plaintiff’s “very act of sending a communication over the Internet” constituted consent to the recording. The court disagreed. The defendant relied on two Pennsylvania decisions. The first, a state court decision, held an individual sending a message over the internet, like an individual leaving a message on an answering machine, is aware of the fact that the message is received in a recorded and can be accessed by the receiver and stored on the receiver’s system. The California court found this did not extend to the alleged conduct, however, because the alleged conduct involved a third-party, not merely the intended recipient. The second relied-upon decision concerned the transmission of shopping preferences. The California court distinguished this decision too, finding the instant case involved the alleged interception of personal information. The court also rejected the defendant’s argument that the plaintiff consented via the privacy disclosure, finding it was a browserwrap agreement and accepting the plaintiff’s allegation that they had not seen it before accessing the website.

In the final SRT decision we are covering this month, the Southern District of California dismissed the claim after finding the plaintiff lacked Article III standing because she did not allege a concrete harm from the alleged activity. The plaintiff alleged they provided health information via a form on the defendant’s website to obtain fitness and nutrition consulting. The court found the plaintiff’s failure to allege they provided personal identifying information (such as the plaintiff’s name, email address, credit card details, or other contact information) that could be connected to the health information the plaintiff provided.

c. Video Privacy Protection Act (“VPPA”) Lawsuits

We are covering only two VPPA decisions this month as they demonstrate how courts nationwide are resolving VPPA cases. In the first, decision we are covering this month, the defendant operated an online store selling pet products. The court dismissed the VPPA claim, finding in the plaintiff’s own words the defendant was not a “video tape service provider” under the VPPA. Rather, the defendant’s videos were merely promotional material for defendant’s actual business, which was unrelated to videos. The court also found the plaintiff had not pled they were a “consumer” under the VPPA. “[T]he mere fact that Plaintiff allegedly downloaded Defendant’s mobile app is inadequate to sustain a finding (even for pleading purposes) that she is a ‘subscriber’ of Defendant’s alleged video services.”

In the second decision, the defendant owned various apps on which users can “read and watch local and national news, sports, weather, traffic, and entertainment stories.” The defendant used two third-party APIs to transmit tracking information. (Notably, this was not the Meta Pixel, which has received the primary focus of most VPPA litigation.) The court rejected the defendant’s arguments that it was not a “video tape service provider” under the VPPA and that the plaintiff did not meet the “consumer” definition, finding the parties’ relationship was directly tied to the provision of video services.

d.   Other Lawsuits

New for this month, we are including an “other” category for our litigation updates. This section is intended for privacy-related lawsuits that do not fit within the above categories but lack enough decisions to warrant their own category.

On January 29, the Northern District of California issued a decision based on the Meta pixel. The plaintiffs alleged the use of the Meta Pixel provided information to third-party Meta without the plaintiffs’ consent. The plaintiffs alleged the transmitted information included the health conditions for which the plaintiffs sought treatment, as well as examples of their queries, appointment requests, and other inforamtion and services about which they communicated with their providers. The decision turned on where the pixel was located: on a page before the user logged in to a specific healthcare provider’s website. The court found that placement distinguished the case from prior decisions because “the Pixel captures information that connects a particular users to a particular healthcare provider—i.e., patient status—which falls within the ambit of information protected under HIPAA. The court then denied the motion to dismiss the plaintiff’s constitutional privacy and intrusion upon seclusion claims.

2. On the Radar

In this section – previously called “On the Horizon” – we identify other types of data privacy lawsuits we are watching and other interesting information in the world of data privacy litigation.

We are continuing to watch a case in New Jersey where sandwich shop Jersey Mike’s has asked the district court to bar the American Arbitration Association (AAA) from administering multiple arbitrations that it contends are frivolous claims over the practice of sharing data with Facebook. We have not covered these underlying claims before because the AAA proceedings are not public but will provide updates about the New Jersey case as it develops. In January, the plaintiff filed its reply brief in support of its motion to dismiss. Briefing is now complete on this issue and we are watching for a decision from the Court hopefully soon.

We are continuing to watch for complaints that allege wiretapping violations arising from the de-anonymization of website visitors. These cases claim the third-party can match a visitor’s IP address, obtained through the website containing spyware, to their name, face, location, e-mail, and browsing history and the use of this technology is equivalent to “doxing” website visitors. We will monitor how these cases progress as they move through the court system.

We are also now tracking cases that allege websites violate yet another section of CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b). Bloomberg Law recently wrote about this new trend, noting a small group of plaintiffs have brought more than 50 class actions under the pen registry website since November 2023. It will be a while before courts have the opportunity to resolve these complaints on a motion to dismiss, so make sure to check future monthly posts to keep track how courts handle this newest theory.

3. Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

  • How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
  • Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
  • Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
  • Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
  • Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
  • Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content.

The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). VPPA decisions are also often resolved on a limited number of issues, including:

  • Is the defendant a “video tape service provider” as defined by the VPPA? The VPPA defines a provider as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider. Where the defendant only delivers the content, however, courts often struggle to determine whether the defendant is a provider under the VPPA.
  • Is the plaintiff a “consumer” under the VPPA? The VPPA defines a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Courts often require an established relationship between the plaintiff and defendant and consider whether the connection relates to the video materials. Many of the more-recent VPPA decisions are resolved on this basis.
  • Is the “video content” at issue pre-recorded? Courts have held live-streaming content does not fall under the VPPA.
  • Did the defendant disclose “personally identifiable information” belonging to the plaintiff? Courts have held a Facebook ID is personally identifiable information when combined with a video URL, while a device ID, IP address, or a user’s browser settings may not be PII.

Finally, lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.