Keypoint: Courts have started to issue Pixel-based wiretapping decisions, the Seventh Circuit weighs in on when a manufacturer can be forced to pay arbitration fees, and three courts showed different approaches to dismissing VPPA claims at the pleading stage.

Welcome to the sixteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we are covering two wiretapping decisions based on chat services on website and one based on use of SRT.

If you are a Byte Back+ member, you will also see our coverage on the recent trend of cases brought under pen registry laws and—new this month—multiple “pixel” cases that are disconnected from session replay or chat-based theories and an update regarding an arbitration defendant can be forced to pay arbitration fees. Members also get access to our “other lawsuits” section, where this month we are covering one decision that involves an AI/machine learning based technology used to provide customer support agents with suggested responses to common questions from customers and two decisions from the Seventh Circuit that consider whether a large manufacturer can be forced to pay arbitration fees for thousands of arbitration demands when the manufacturer withheld payment after disagreeing with the merits of the demands.

Interested in learning more about Byte Back+? Click here.

We are also covering four VPPA decisions resolving motions to dismiss that illustrate a plaintiff’s prima facie burden at the pleading stage and the potential for joint and several liability under the statute.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1. Litigation Updates

a. Chat Wiretapping Lawsuits

      We are covering two wiretapping decisions that were issued in July. Our first decision is one of the relatively few decisions that is beyond the pleading stage. The court dismissed the claims at summary judgment. The plaintiff claimed the defendant violated California wiretapping laws by including a chat service on its website that was in truth operated by a third-party SaaS provider. The court had previously dismissed the plaintiff’s wiretapping claim based on the theory that the defendant violated the first prong of Section 631(a) but allowed the case to proceed under the fourth prong (aiding and abetting and third-party’s violation of Section 631(a)).

      At the summary judgment stage, however, the court dismissed this claim as well after finding no reasonable juror could find the third party violated the first prong of Section 631(a) because that section is limited to telephone communications. In reaching its holding, the court rejected the plaintiff’s argument that various cases, including Javier v. AssuranceIQ, held the first prong of Section 631(a) applied to internet communications. The court next held there was no genuine dispute over whether the third-party “intercepted” the messages while in transit because: (1) the messages were encrypted while in transit; and (2) it is “virtually impossible” to learn the contents of an internet communication while it is in transit because such communications are sent in network packets. The court also found persuasive that the chat data was accessible only through a password-protected customer dashboard that the defendant, but not the third-party, could access even though the data lived on the third-party’s servers. Finally, the court found the defendant could not aid and abet the third-party in violation of the fourth prong of Section 631(a) because no reasonable juror could find the third-party had violated either the first or second prongs. The plaintiff has appealed this decision and we will continue to watch for more.

      In our second chat decision, the plaintiff brought a CIPA claim against a well-known exercise equipment company, who the plaintiff alleged violated the fourth prong of CIPA by utilizing a third-party to facilitate its chat service. The defendant moved to dismiss, which the court denied. The court first rejected the defendant’s argument that the third-party was entitled to the party exception. After agreeing with the large number of courts who have adopted the Javier rationale which states the party exception does not apply when the third party has the capability (regardless of intent) to use the information for its own purpose, the court found the plaintiff had sufficiently alleged the third-party software intercepted the data through the embedded API and used the data for their own benefit. This decision serves as another reminder of the deference courts give to plaintiff’s allegations at the pleading stage.

      b. Session Replay Lawsuits

      We are covering only one SRT-based decision this month. In this case, the defendant operated a chain of water parks and family resorts with locations in California. The plaintiff alleged when they visited the website, the defendant employed SRT that captured “electronic communications” that include “‘instructions to and from the [defendant’s] computer servers indicating the text that is typed onto the website and the user’s clicks and requested content.” The plaintiff asserted liability under only the fourth prong based on the actions of the third-party who provided the SRT service.

      The court dismissed the complaint, finding the complaint did not allege the website transmitted the content of any communication. The plaintiff had alleged the third-party was allowed to read “credit card numbers entered, expiration dates, CVV codes, zip codes, first names, last names, email addresses, phone numbers, addresses, mouse movements and clicks, keystrokes, search terms, other words and text typed, all information inputted into the website” and behavior such as “pages and content viewed.” The court found these allegations do not show “an ‘intended message conveyed’ to the retailer absent an allegation that it was actually sent to the retailer (i.e., by placing an order).”

      Although it had granted the motion to dismiss, the court nevertheless continued and rejected the defendant’s arguments that the plaintiff had consented to the recording by their status as a repeat “tester” of websites and that the third-party SRT provider was entitled to the party exception.

      c. Pixel-based wiretapping claims

      We are adding a new section to our monthly litigation post for this month (and may continue to include it if courts continue to issue enough decisions involving this theory). Under this theory, the mere use of a pixel (most often the Facebook/Meta pixel) violate wiretapping laws. This theory has long been promoted by a limited number of plaintiffs’ firms that preferred arbitration to court, but we are now seeing this theory gain more traction by other plaintiff firms and appear in traditional court pleadings as well. We cover four decisions this month, all of which involve health care companies, but we are seeing this theory expanded to defendants in other industries as well.

      This section is limited to Byte Back+ members. Not a member of Byte Back+? Reach out to the authors to learn more.

      d. Video Privacy Protection Act (“VPPA”) Lawsuits

        We are covering four decisions involving the VPPA from July. Three of the decisions highlight typical challenges plaintiffs face in asserting their prima facie claim at the pleading stage, while the last decision illustrates the potential for joint and several liability under the VPPA.

        The first decision we are covering is from the Central District of California where a court granted the defendants’ motion to dismiss a VPPA class action claim based on the plaintiffs’ failure to adequately allege that their “personally identifiable information” was disclosed. The case involves defendants who operate websites for schools and universities which contain video content and invite website visitors to subscribe to e-newsletters. In the complaint, the plaintiffs allege on behalf of a proposed class that defendants use this website and the e-newsletters to share the plaintiffs’ Facebook IDs and video selection data with Facebook via the Meta Pixel. In granting the motion to dismiss, the court held that a person’s Facebook ID can constitute “personally identifiable information” under the VPPA if “the person’s Facebook profile is publicly accessible and includes sufficient identifying information.” Here, however, the plaintiffs failed to allege that their Facebook profiles contained personal identifying information. Therefore, the court dismissed the VPPA claim without prejudice and granted plaintiffs leave to amend their complaint to bolster those allegations.

        The second decision involves the same defendants and factual allegations from the decision above, but where a court in the Northern District of Florida granted the defendants’ motion to dismiss on different grounds. At issue in the court’s ruling was whether the plaintiffs’ subscription to defendants’ e-newsletters was sufficient at the pleading stage to show that the plaintiffs were “subscribers” within the VPPA’s definition of “consumers.” The court ruled that it was not, adopting the six-factor test from the Eleventh Circuit’s decision in Ellis v. Cartoon Network, Inc. The court concluded that all six factors were lacking, finding that: (1) the plaintiffs did not allege any “payment”; (2) the “registration” factor was alleged but that plaintiffs’ mere registration to receive e-newsletters did not show a “deliberate and durable affiliation”; (3) email newsletter updates showed no real “commitment”; (4) emails themselves do not satisfy the “delivery” factor; (5) the plaintiffs did not allege that the defendants delivered anything beyond the emails themselves to satisfy the final “expressed association” and “access to restricted content” factors. In sum, the court held that the plaintiffs failed to allege facts “showing that their status as newsletter recipients constituted the type of meaningful relationship that would make them ‘subscribers’ under the VPPA.”

        The third VPPA decision we are covering comes from the Central District of California in which a court also granted the defendants’ motion to dismiss. The plaintiff alleged the defendants, a movie theater chain and an associated operator of the chain’s ticketing website, violated the VPPA by sharing consumers’ movie ticket purchase data to Meta through tracking pixels. Central to the court’s decision was whether the defendants classify as “videotape service providers” subject to the VPPA by engaging in the “rental, sale, or delivery” of prerecorded audiovisual materials. In granting the defendants’ motion to dismiss, the court concluded that the plaintiffs’ allegations failed to show that defendants rent, sell, or deliver audiovisual materials within the meaning of the statute. The court relied on other decisions within the Ninth Circuit which establish that movie theaters cannot be “videotape service providers” because they do not sell or rent audio visual materials, “but rather only sell ‘a license to enter the theater premises at a particular time and, in effect, attend a public event.’” The court further distinguished movie theaters from streaming services, noting that movie theaters are places of public accommodation that do not afford the same privacy rights offered in private homes. Finally, because the defendants’ primary business was operating movie theaters (and not showing movie trailers), the court rejected the plaintiff’s argument that defendants “delivered” audiovisual materials by displaying movie trailers on their website.

        The fourth and final decision is in the Northern District of California where the court denied a defendant’s renewed motion to dismiss the plaintiff’s VPPA claim. In the case (which we covered in a prior update), one defendant had licensed with a professional sports league to sell video NFTs (non-fungible tokens) of sports highlights online (akin to trading cards), and allegedly shared purchaser information through the Meta Pixel. The court previously found that video NFTs can constitute “prerecorded video cassette tapes or similar audio visual materials” under the VPPA. However, it granted a motion to dismiss the sports league and its subsidiary from the lawsuit on the grounds that the plaintiff had failed to adequately allege the existence of a joint venture between the league and the other defendant who operated the online platform. Subsequently, the plaintiff amended his complaint to address that deficiency and the sports league renewed its motion to dismiss on similar grounds. The court denied the renewed motion in July, finding that the allegations in the amended complaint sufficiently pled a joint venture between the defendants while also noting that such issues are fact intensive and best resolved at the summary judgment stage. The decision is notable because it highlights the potential for joint and several liability in VPPA cases.

        e. Pen Registry Lawsuits

        We are covering two “tap and trace” / “pen register” decisions this month. This section is limited to members of Byte Back+. Interested in learning more about Byte Back+? Contact the authors or click here.

        f. Other Lawsuits

        This section covers privacy-related lawsuits that do not fit within the above categories but lack enough decisions to warrant their own category. This month, we are covering two decisions: one that alleges an AI/machine learning service was used to record telephone conversations with consumers; and one from the Seventh Circuit that considered whether a large manufacturer was required to pay arbitration fees relating to thousands of arbitrations filed against it when the manufacturer disputed the merits of the claims in the demand.

        This section is limited to Byte Back+ members. Not a member of Byte Back+? Reach out to the authors to learn more.

        2. On the Radar

          In this section we identify other types of data privacy lawsuits we are watching and other interesting information in the world of data privacy litigation. We are continuing to watch pen registry cases but have made a new section for those cases. We are also continuing to watch voice recording lawsuits, but this appears to be a trend that failed to catch momentum.

          3. Overview of Current U.S. Data Privacy Litigation Trends and Issues

          Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

          Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

          Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

          Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

          Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

          Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

          • How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
          • Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
          • Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
          • Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
          • Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
          • Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

          Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

          Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

          Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).

          In early 2024, Plaintiffs filed more than 140 lawsuits under New Jersey’s “Daniel’s Law,” which allows a “Covered Person” or their “Authorized Person” to request a “person, business, or association” to not “disclose or re-disclose on the Internet or otherwise make available” the Person’s home address or unpublished home telephone number. The Law provides a private right of action for any Covered Person against any “person, business, or association” who: (1) receives from the Covered Person a notification that complies with the statute and; (2) after 10 business days of receiving such notice, discloses or re-discloses on the Internet “or otherwise makes available” the home address or unpublished home telephone number of any covered person “who has received approval from the Office of Information Privacy for the redaction or nondisclosure of the covered person’s address.”

          Print:
          Email this postTweet this postLike this postShare this post on LinkedIn
          Photo of Dustin Taylor Dustin Taylor

          Dustin is a litigator whose practice primarily focuses on intellectual property disputes, including patent, trademark, and trade secret matters. He also has experience in litigation involving data access, including claims made under the California Unfair Competition Law, the Computer Fraud and Abuse Act…

          Dustin is a litigator whose practice primarily focuses on intellectual property disputes, including patent, trademark, and trade secret matters. He also has experience in litigation involving data access, including claims made under the California Unfair Competition Law, the Computer Fraud and Abuse Act, and the California Computer Data Access and Fraud Act.

          Photo of Owen Davis Owen Davis

          Owen assists employers across industry sectors – from small businesses to Fortune 500 corporations – to identify changing workplace law at a local, state and federal level. He offers legal guidance on employment agreements, restrictive covenants, personnel policies and other human resources issues.

          Owen assists employers across industry sectors – from small businesses to Fortune 500 corporations – to identify changing workplace law at a local, state and federal level. He offers legal guidance on employment agreements, restrictive covenants, personnel policies and other human resources issues. Owen also represents employers before state and federal courts as well as administrative agencies on matters related to discrimination, retaliation, harassment, and wage and hour violations.