Keypoint: The Central District of California issued several wiretapping decisions in May while two decisions on the VPPA illustrate how claims fail or succeed at the pleading stage.
Welcome to the fourteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at multiple courts who distinguish the Ninth Circuit’s Shopify decision and deny motions to dismiss for lack of personal jurisdiction and how courts reach opposition conclusions regarding whether the “contents” of a communication were transmitted to a third party. We also take a look at two decisions that granted and denied motions to dismiss VPPA claims, and highlight one case where the federal government has again intervened to defend the VPPA’s constitutionality.
If you are a Byte Back+ member, you will also see our coverage on recent lawsuits beyond the wiretapping and VPPA claims, including the recent trend of cases brought under pen registry laws, efforts against plaintiffs who have brought wiretapping claims in private arbitration rather than the public courts, and—new this month—the recent flood of cases brought under New Jersey’s Daniel’s Law. Interested in learning more about Byte Back+? Click here.
There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.
1. Litigation Updates
a. Chat Wiretapping Lawsuits
We are covering five chat-based wiretapping lawsuits this month, all from the Central District of California. In our first decision, the judge first found the plaintiff’s third-amended complaint did not identify under which prong of Section 631(a) the plaintiff intended to pursue. Regardless, the court found the plaintiff could only pursue a claim under the fourth prong because the “‘party exception’ forecloses any possibility of holding Defendant directly liable under any of the first three subsections of the statute.” The court then found the plaintiff’s “brief description of [the third-party vendor’s] ‘secret code,’ however, does not suggest that [the third-party vendor] necessarily uses that code to intercept customer communications while they are in transit, rather than to store and store such communications after they are received by” the defendant. Our second decision also comes from the same judge and involves the same plaintiff. The court reiterated its findings concerning whether the plaintiff had adequately alleged the vendor intercepted the communications and dismissed the case.
In our third CD Cal decision, the plaintiff alleged he visited the website of a well-known musical reseller and used the chat function on the website. The plaintiff asserted claims under both CIPA (which the plaintiff then withdrew) and Pennsylvania’s wiretapping law. The court denied the defendant’s motion to dismiss the Pennsylvania claims, finding the plaintiff had sufficiently alleged the defendant’s intent (a requirement not found in California’s wiretapping law) and that the communications were intercepted by the third party.
Our fourth Central District of California decision addressed both a motion to dismiss for lack of personal jurisdiction and for failure to state a claim. The plaintiff originally alleged a violation of the VPPA, but then amended the complaint to include a wiretapping violation relating to the defendant’s chat feature on its website. The defendant moved to dismiss and, relying on the Briskin v. Shopify decision, argued it was a Delaware company whose principal place of business was in Minnesota. The court disagreed:
“Defendant presumably offered the chat feature on its Website to facilitate consumer transactions by, for example, allowing potential consumers to ask questions about products or allowing consumers to seek assistance regarding products they purchased in the past. In other words, defendant operated the chat feature to drive sales to consumers, including consumers in California.”
The court not only distinguished Briskin, but also noted the Ninth Circuit intends to rehear that decision en banc and has vacated the three-judge panel opinion on which the defendant relied. Although the court noted Briskin may be more applicable if the plaintiff had sued the alleged third-party interceptor who facilitated the chat service, the court held Briskin could not help the defendant, which operated the website and directed its service to California residents.
The court also denied the defendant’s motion to dismiss under Rule 12(b)(6) after rejecting the defendant’s arguments that the information was not intercepted while in transit or that the third party was capable of using the information. After finding the plaintiff had sufficiently pled the third party violated the second and third prong of Section 631(a), the court then found the plaintiff had also sufficiently pled the defendant aided those actions in violation of the fourth prong.
Our final decision does not concern a motion to dismiss, but rather a discovery dispute. The court had previously denied a motion to dismiss after finding the plaintiff had alleged the defendant’s website contained code that intercepted and diverted chat messages to third-party companies, who were able to eavesdrop and store the users’ information for the third-parties’ own purposes. We are not covering the substance of the dispute, which was specific to the facts of the case, but include this decision as a reminder that some of these cases are proceeding past the motion to dismiss stage and we may soon see summary judgment decisions.
b. Session Replay Lawsuits
In our first session replay decision, a Southern District of California court denied a defendant’s motion to dismiss for lack of personal jurisdiction but granted the motion to dismiss under Rule 12(b)(6). In doing so, the court first distinguished the Ninth Circuit’s Shopify decision after finding the defendant—a retail store—maintained an integrated website that paired online use of the website with the operations of its brick-and-mortar stores in California. The court nevertheless dismissed the complaint without leave to amend, however, after finding the plaintiff failed to allege the SRT captured the “contents” of a communication as required to violate wiretapping law. The court also dismissed the plaintiff’s intrusion upon seclusion claim after finding the Court had previously found the use of SRT was not “highly offensive.”
In our second decision, which is also from the Southern District of California, the court had previously dismissed the plaintiff’s wiretapping claim without leave to amend but allowed the plaintiff to re-assert its claims for invasion of privacy and intrusion upon seclusion. The defendant again moved to dismiss. The court again granted the motion to dismiss, this time finding the “internet is not a place where users have a reasonable expectation of privacy.”
c. Video Privacy Protection Act (“VPPA”) Lawsuits
We are covering two decisions under the VPPA from May which show the continuing trend in how courts assess such claims at the pleading stage. We are also highlighting another case where the federal government has intervened to defend the VPPA’s constitutionality.
The first decision we are covering comes from the District of New Jersey, where the court dismissed a plaintiff’s class action claim under the VPPA against a casino and entertainment company that operates a website offering video games such as virtual slots and roulette. The plaintiff alleged that he and others had created accounts on the defendant’s website to play video games, whereby their personal information and video game selections were shared with Facebook via the Facebook Pixel without consent. The court dismissed the claim on the grounds that (1) the defendant was not a videotape service provider under the VPPA because online casino games are not akin to video tapes for the statute to apply, and (2) the plaintiff failed to adequately plead he was a “consumer” of defendant’s audio-visual offerings under the VPPA.
On the first ground, the court rejected the plaintiff’s argument that online casino games are audio-visual materials similar to video tapes under the VPPA and distinguished its ruling from other decisions that have found the VPPA applicable to audio-visual materials that include prerecorded video content. Notably, the court also distinguished its ruling from a decision we’ve covered in a prior post that found video game “cut scenes” to satisfy the VPPA’s “prerecorded” requirement. In the present case, however, the court found that the plaintiff had failed to sufficiently allege that the defendant’s video games contained any prerecorded content for the VPPA to apply. As to the second ground for dismissal, the court adopted the “majority view” that required the plaintiff to plead specific facts that he subscribed to audio-visual materials under the VPPA to qualify as a “subscriber” under the statute’s “consumer” definition. According to the court, the plaintiff failed to meet this burden which provided another basis for dismissing his complaint.
The second decision we are covering is from the Northern District of California where the court denied a motion to dismiss the plaintiffs’ VPPA claim. In this case, the defendant had been alleged to operate an “Asian entertainment and culture” website that offers television shows and movies to registered users. The plaintiffs claimed that they had subscribed to the website to watch videos and that their personal information and video-viewing preferences were shared by the defendant through the Meta Pixel.
In denying the defendant’s motion to dismiss the VPPA claim, the court first found that the plaintiffs were “subscribers” and therefore satisfied the VPPA’s definition of “consumers” because the plaintiffs adequately alleged that their registered membership with the defendant’s website gave them access to the website’s video content and pre-recorded video rentals. Second, the court rejected the defendant’s argument that the plaintiffs’ Facebook IDs (“FIDs”) — which are a string of numbers shared via the Meta Pixel — did not constitute “personally identifiable information” for the VPPA to apply. In rejecting this argument, the court relied on the Ninth Circuit’s “ordinary person” standard to infer that a unique FID could reasonably identify a specific Facebook user. Next, and based on the complaint’s allegations, the court rejected the defendant’s arguments that the plaintiffs were required to plead specific video titles had been shared and that the plaintiffs failed to adequately allege that the defendant knowingly disclosed the plaintiffs’ personal information to Meta. The court also rejected the defendant’s contention that the VPPA’s ordinary course of business exception applied, finding that the issue was best addressed on summary judgment and not at the pleading stage. Finally, the court similarly refused to dismiss the plaintiffs’ VPPA claim on the argued-for grounds that the plaintiffs had consented to the alleged sharing of information by accepting the defendant’s Terms of Use. In the court’s view, the “VPPA’s consent requirements present factual issues regarding how the alleged consent form was presented to the consumer” and, based on the facts alleged, dismissal on this basis at the pleading stage was inappropriate.
A final case worth noting comes from the Western District of North Carolina where the U.S Department of Justice (DOJ) has again intervened to defend the constitutionality of the VPPA. In that case, the plaintiffs have brought class claims under the VPPA alleging that the defendants, a national auto racing company and its affiliate, disclosed information about videos the plaintiffs had viewed on the company’s website via the Facebook Pixel. The defendants have filed a motion to dismiss (which remains pending) but also filed a notice of a constitutional challenge to the VPPA under Federal Rule of Civil Procedure 5.1. In response to that notice, the DOJ filed a memorandum with the court to support the VPPA’s constitutionality. Specifically, the DOJ argues that the VPPA is not facially void for vagueness because it has reasonably clear terms that have been interpreted by various courts, and that the law withstands intermediate scrutiny to survive a First Amendment challenge. We will continue to track this and other constitutional challenges to the VPPA as they develop.
d. Pen Registry Lawsuits
This section is limited to members of Byte Back+. Interested in learning more about Byte Back+? Click here.
e. Daniel’s Law
Plaintiffs have recently filed more than 140 lawsuits under New Jersey’s “Daniel’s Law,” which allows a “Covered Person” or their “Authorized Person” to request a “person, business, or association” to not “disclose or re-disclose on the Internet or otherwise make available” the Person’s home address or unpublished home telephone number. The Law provides a private right of action for any Covered Person against any “person, business, or association” who: (1) receives from the Covered Person a notification that complies with the statute and; (2) after 10 business days of receiving such notice, discloses or re-discloses on the Internet “or otherwise makes available” the home address or unpublished home telephone number of any covered person “who has received approval from the Office of Information Privacy for the redaction or nondisclosure of the covered person’s address.”
We are not covering any Daniel’s Law decisions this month but will continue to monitor these cases in the future.
f. Other Lawsuits
This section covers privacy-related lawsuits that do not fit within the above categories but lack enough decisions to warrant their own category.
Byte Back + members get access to two wiretapping cases we are not covering in our public post this month. Members also get access to our coverage of the latest update in a lawsuit where the plaintiff sued the American Arbitration Association for its role in allegedly facilitating wiretapping claims against the plaintiff and others. in which a Not a member of Byte Back +? Reach out to the authors to learn more.
2. On the Radar
In this section we identify other types of data privacy lawsuits we are watching and other interesting information in the world of data privacy litigation. We are continuing to watch pen registry cases but have made a new section for those cases. We are also continuing to watch voice recording lawsuits, but this appears to be a trend that failed to catch momentum.
3. Overview of Current U.S. Data Privacy Litigation Trends and Issues
Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.
Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.
Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.
Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:
Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .
Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:
- How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
- Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
- Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
- Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
- Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
- Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.
Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”
Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.
Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).