Listen to this post

Keypoint: Twenty-five (25) privacy decisions from October-December show a significant uptick in the number of pixel-based wiretapping decisions issued from courts nationwide.

Welcome to the nineteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. We are covering decisions from three months in this “holiday edition” update that covers decisions from October, November, and December 2024. Our holiday edition post covers the chat, session replay, and VPPA decisions just like our normal posts but also includes pixel-based wiretapping claims and pen registry/tap and trace decisions that are normally accessibly only by Byte Back + members. Interested in learning more about Byte Back+? Contact the authors or click here.

We are covering twenty-five (25) decisions in this holiday edition post, including four (4) chat-wiretapping decisions, four (4) SRT-wiretapping decisions, ten (10) pixel-wiretapping decisions, five (5) pen registry/ tap and trace (“PRTT”) decisions, and two (2) VPPA decisions. With that, let’s get to it.

Before we do, however, a quick disclaimer. There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1. Litigation Updates

a. Chat Wiretapping Lawsuits

We have seen a decline in the number of decisions addressing wiretapping claims based on a website’s chat feature. In this post, we are covering only four decisions; two from November and two from December.

Our first decision was issued on November 6 from a California state court. There, the defendant argued (1) the contents of the communications were not specifically identified; (2) the plaintiff failed to allege the third-party intercepted the communications while they were in transit; (3) the plaintiff failed to allege the third-party read or attempted to read the message; and (4) the “party exception” applied. The court rejected all four arguments. The court found “chat” communications constituted content and “interception” occurred when the messages were sent simultaneously to the defendant and the third-party vendor. To resolve the latter two issues, the court relied on the plaintiff’s allegation that the third party “does more than merely provide a storage function for Website users’ chat communications with Defendant. . . . [It] uses its record of Website users’ interaction with Defendant’s chat feature for data analytics and marketing/advertising to consumers – indeed, that is why Defendant pays The Third Party for its software.” Taking this allegation as true, the court found a fact finder could reasonably infer the third-party read the contents of the message and was thus not entitled to the “party exception.”

In our second November decision, the plaintiff alleged they communicated with a chat box on the website for an apparel company. The court distinguished the chat communications from allegations that concerned tracking webpages the plaintiff visited, the plaintiff’s IP address or computer location, or the operating system or type of browser she used, finding “[t]he content of her chat is different in kind from these types of record information.” The court denied the motion to dismiss.

Our third chat decision was issued on December 3 from the Southern District of California. This court had previously dismissed the plaintiff’s claims but allowed the plaintiff leave to amend. The plaintiff did so and the defendant moved to dismiss the amended complaint because the third party was entitled to party exception. The court joined most other courts in adopting the Javier standard (which examines whether the third party had the capability to use the information for their own purpose), and found the plaintiff’s amended complaint sufficiently alleged the third party had such a capability. Specifically, the plaintiff alleged the third party combined data from each of its customers into one dataset which it then uses for all its clients.

Our fourth and final decision was issued on December 18 by a Western District of Washington court. The plaintiff alleged they visited the website of a large online retailer using the phone and had conversations via the chat feature on the website. The defendant argued the plaintiff consented to the recordings as disclosed in the conditions of use and privacy policy when he registered his customer account and each time he made a purchase on the website. The plaintiff argued the terms were not sufficiently explicit to disclose the specific use and he therefore did not consent. The court disagreed and dismissed the claim.

b. Session Replay Wiretapping Lawsuits

We are covering four (4) SRT decisions in this holiday edition post. Our first decision was issued on November 20 from the Northern District of California and is one of the few summary judgment decisions issued in privacy litigation. The defendant was a SRT manufacturer whose product the plaintiff alleged captured users’ keystrokes and therefore violated Section 631(a). The court held the defendant had not read, attempted to read, or learn the contents of any information a website visitor inputted on a website using the defendant’s SRT product because the SRT product immediately “hashed” all data a user entered as soon as the data was transmitted from the website to the defendant’s servers. Although the parties did not dispute the truth of the defendant’s deposition testimony regarding how hashing was carried out, they did dispute the legal impact of that testimony. The plaintiff argued the defendant nevertheless read or learned the contents of the communication because it had “processed and evaluated the data” by performing select formatting adjustments to the data. The court disagreed, finding to “read, or attempt to read, or learn” the contents of a communication under CIPA required “some effort at understanding the substantive meaning of the message, report or communication” and the evidence in this case showed the defendant only used an algorithm that transformed the data into an incomprehensible hash with no inherent substantive meaning.

The remaining three decisions considered whether the plaintiff alleged a concrete harm required to establish Article III standing. Our first decision comes from the Northern District of California and was issued on November 26. Relying on the Ninth Circuit’s 2020 Campbell decision, the court found violation of the CIPA statutory provision presented a “substantive right,” and as such no evidence of a concrete harm was required.

In December, however, we were gifted with a rare privacy litigation decision from the Ninth Circuit. The decision was an appeal from an October decision, wherein the Southern District of California dismissed a claim after finding there was no personal jurisdiction over the defendant. On appeal, the Ninth Circuit affirmed the dismissal not on the issue of personal jurisdiction, but because the plaintiff failed to plead a concrete injury that confers Article III standing. The Ninth Circuit found the plaintiff alleged only that she “visited” and “accessed” the website and notably did not allege she actually made any communications that could have been intercepted. “She does not assert, for example, that she made a purchase, entered text, or took any actions other than simply opening the webpage and then closing it.” Because the Ninth Circuit affirmed on a different ground, it vacated the district court’s entry of final judgment and instructed the district court to consider whether amendment would allow the plaintiff to cure the issue. The Ninth Circuit did not reach the personal jurisdiction issue but noted the district court’s analysis “may be informed by [the Ninth Circuit’s] forthcoming en banc decision in Briskin v. Shopify, Inc.”

Our third and final SRT decision comes from the Southern District of California, which also dismissed the claim after finding the plaintiff’s allegations too vague to establish Article III standing. The court found rather than identifying the personal information shared during the plaintiff’s visit to the website, the plaintiff chose to make generalized and conclusory allegations that SRT is capable of capturing private data. The court also dismissed the claim under Rule 12(b)(6) due to the plaintiff’s general allegations about the “capability” of SRT rather than what “contents” the SRT at issue had allowed to be intercepted. These December decisions highlight that although courts are required to construe factual disputes in favor of the plaintiff, they may still require plaintiffs to meet a pleading standard.

c. Pixel Wiretapping Lawsuits

Under this theory, the mere use of a pixel (e.g., the Facebook/Meta pixel or the Google Analytics cookies) violates wiretapping laws. This theory has long been promoted by a limited number of plaintiffs’ firms that preferred arbitration to court, but we are now seeing this theory gain more traction by other plaintiff firms and appear in traditional court pleadings as well. This section is typically limited to Byte Back+ members, but we are making it available to all members as part of this “holiday edition” post.

Several courts issued pixel-based decisions in October, November, and December. These courts considered whether the pixels transmitted the “content” of any communication, whether the plaintiffs had consented to any recording, and whether the court had personal jurisdiction over the defendant. We are covering ten (10) pixel-based wiretapping decisions and, given the large number, are covering them by how these courts addressed these issues.

We are first covering four (4) decisions that addressed whether the pixel transmitted the “content” of a communication. Our first decision comes from the Northern District of California, which considered a claim that a healthcare company who operates a website through which visitors can book appointments violated Section 631(a) by including both the Meta Pixel and the Google Analytics pixels. The defendant argued the URLs that were transmitted to Meta and Google were not “contents” of a message. The court disagreed, finding the specific way in which a user booked an appointment rendered the subsequent URL “content.” The court also rejected the defendant’s argument that the plaintiff had consented. The court refused to take judicial notice of the privacy terms.

Our second decision comes from an Eastern District of Pennsylvania court, which in a lengthy opinion considered whether two defendants who allegedly tracked plaintiffs’ internet browsing activity and compiled their personal information into consumer profiles violated several laws, including the federal wiretapping act, the Pennsylvania wiretapping act, and the California wiretapping act (CIPA). The court rejected the plaintiffs’ claims, first finding collection of a person’s browsing activity and personal email address is insufficient to establish the concrete injury requirement under Article III. The court next found it lacked personal jurisdiction over the defendant. Finally, the court found the plaintiffs failed to allege the “contents” of any communication were captured. Although the URL of a webpage visited may be the “content” of a communication if created through use of a search engine, it is otherwise record information the court found.

Our third decision comes from the Western District of Washington. The plaintiffs alleged a well-known wholesale store violated Section 631(a) by installing the Meta Pixel and transmitting data to Meta about customers’ interactions with the defendant’s pharmacy website. The court considered the plaintiffs’ claims under the Federal Wiretap Act, the wiretapping laws of California, Washington, and Florida, two state specific medical laws, and several common law claims. The court first rejected the defendant’s motion to dismiss the Federal Wiretap Act claim. The court held the pixel transmitted the “contents” of the communication because “Plaintiffs searched for specific prescriptions.” The court also held that although the defendant was a “party” to the communication, the “crime-tort exception” applied because the defendant not only intercepted the data, but used the data to generate targeted ads for financial gain.

The court also denied the defendant’s motion to dismiss the California and Florida wiretapping claims because the court found the URLs were “content” under both laws. The court found the URLs were not “contents” of the communication under Washington’s wiretapping statute, however, because Washington’s law required the communication be “between two or more individuals” and prior case law had excluded corporations from counting as an individual. The court then considered the plaintiffs’ claim under the Washington Consumer Protection Act (the “WCPA”). Our coverage of this claim is restricted to readers of ByteBack +.

Our fourth decision was issued on December 18 and denied a motion to dismiss a complaint that alleged a well-known housing website violated both the VPPA and CIPA by using the Meta Pixel to transmit what videos a user watched. The court first denied the motion to dismiss the VPPA claim, finding the defendant was a video tape service provider because the videos were a “key element of Defendant’s business model.” The court found the “audiovisual technology is what attracts real estate agents and sellers to list their properties” on the Defendant’s website “in the first place.” The court also found the plaintiff was a “consumer” under the VPPA because he created an account on the defendant’s website. Although he did not pay money for his account, he shared his personal information with the defendant. The court then denied the motion to dismiss the CIPA claim after finding the video URL constituted “content” because the specific videos Plaintiff requested “amounts to content because it ‘concern[s] the substance of Plaintiff’s communications with Defendant.” The court relied on the 2022 In re Meta Pixel Healthcare Litigation from the Northern District of California to support its finding.

Three (3) October decisions considered whether users consented to any recording. The first decision comes from the Northern District of California, where the plaintiff alleged a third-party payment processor used by a well-known cooler company incorporates customers’ financial information into its fraud prevention system and then markets to merchants without customers’ consent. The plaintiff sued the cooler company and alleged violation of CIPA Sections 631(a) and 632. The defendant argued the plaintiff consented because its Terms and Privacy Policy “expressly disclosed to Plaintiff and other . . . users that the information she provided at payment checkout would be shared with third-party service providers.” The court rejected this argument because “under California law, consumers must have actually or constructively consented to be bound by these contractual terms.” Although the defendant’s website included a pop-up similar to the one below, the court found this did not require users to take additional action to demonstrate assent or conspicuously notify them that continuing to use the website constitutes assent to the Privacy Policy and Terms of Use:

After finding the plaintiff had sufficiently alleged the third-party payment processor had violated at least one prong of Section 631(a), the court nevertheless dismissed the complaint because the plaintiff failed to allege the defendant aided, agreed with, employed, or conspired with the third-party. Thus, there was no liability for the defendant under the fourth prong.

Our second decision comes from the Northern District of Illinois, which considered a claim against a social media company whose product is very popular with Gen Z users. The defendant argued the privacy policy established users’ consent to use of the pixel. The court first held it could properly consider the privacy policy because the plaintiffs had referred to it in the complaint and whether the plaintiffs consented to the data collection is “central” to the complaint. The court nevertheless denied the motion to dismiss after finding the record was insufficient to establish all the named plaintiffs had consented to the terms. The court noted the defendant failed to show users were required to agree to the privacy policy when creating an account or that the named plaintiffs had created accounts at all. Although this indicates a court could grant a motion to dismiss on the issue of consent, it should serve as a reminder to defendants that merely attaching the privacy policy is not enough.

Our final October “consent” decision comes from the Central District of California, where the court refused to take judicial notice of documents the defendant argued would establish the plaintiff consented to the recording. The court then denied the motion to dismiss after finding the defendant had not shown the plaintiff consented or that it was entitled to the “party exception,” which the court found was an affirmative defense and not an element to a Section 631(a) claim.

Two (2) pixel decisions considered whether the court had personal jurisdiction over the defendant. In the first decision, the defendant is a well-known airline company accused of infringing Section 631(a) by installing pixels on its website. The defendant argued the court lacked personal jurisdiction over the defendant. The court disagreed, finding the plaintiff’s allegations that they had used their devices in California in combination with allegations the defendant: (1) “records and disseminates” the plaintiff’s data, communications and personal information in California; and (2) intentionally installed the Meta tracking pixel were sufficient to establish specific jurisdiction. The court nevertheless dismissed the complaint after finding the Airline Deregulation Act preempted the CIPA claim.

In the second decision, the court first found there was no general jurisdiction over the defendant, who was neither incorporated in Delaware nor had its principal place of business in California. The court rejected the plaintiff’s argument that general jurisdiction existed because the defendant was registered to do business in California or that it had roughly 6% of its properties in California. The court then found there was no specific jurisdiction because “there is no relationship between these general business contacts and the privacy-related harm actually [at] issue in the Complaint.” The court noted its decision was consistent with another decision against the same defendant from the Central District of California that issued earlier this year.

Our final pixel decision considered whether the plaintiff timely filed the complaint after being exposed to advertising for some time. The plaintiff argued they had not discovered the behavior until recently and the “discovery rule” should excuse their failure to file within the statute of limitations. The court had previously agreed with the defendant after finding the plaintiffs failed to allege the time and manner in which the discovery was made. In October, however, the court found the plaintiff had cured this deficiency and denied the defendant’s motion to dismiss. Although the court acknowledge it was possible that “immediately seeing targeted advertisements after visiting [the defendant’s] website would have put a reasonable person on inquiry notice of an injury,” the court found it was not an issue to be resolved at the motion to dismiss stage.

d. Pen Registry Lawsuits

This section is normally limited to members of Byte Back + but is made available to all users as part or special holiday post. Interested in learning more about Byte Back+? Contact the authors or click here.

We are covering five “pen register” and “tap and trace”  (“PRTT”) decisions this month. In four cases, the plaintiff alleged collection of the plaintiffs’ IP address violated California’s PRTT law. In one decision, the court considered whether it had personal jurisdiction over the defendant. We address each in turn.

In an October decision from a Northern District of California court, the plaintiffs sued a company who operates a well-known video game website for allegedly violating Section 638.51(a) by recording and sending users’ IP addresses to third parties without the users’ consent. The defendant argued “websites across the Internet commonly require users’ computers to send their IP addresses to third parties as part of the process of loading those sites.” The court found the IP address was “routing” information and fell under Section 638.51(a)’s definition of “addressing” information covered by the statute. The defendant argued the trackers do not collect any information belonging to the “recipient” of the communication but instead collect the sender’s IP address. “[B]ecause the Trackers do not operate like traditional phone pen registers—which collect the recipient phone number dialed during the outgoing call—they do not meet the definition of pen registers under CIPA.” The court disagreed, finding “[n]othing in the statutory definition limits pen registers to those that operate the same ways as a traditional phone pen register.”

The second decision, issued in December, also denied the motion to dismiss. The plaintiff alleged the defendant (a media company) caused three trackers to be installed on website-visitors’ internet browsers to collect the visitors’ IP addresses. The case was originally filed in California state court and removed. The court denied the defendant’s motion to dismiss, finding CIPA’s expansive definition of “pen register” included IP addresses. The court also found the plaintiff alleged statutory standing under CIPA because it was harmed when its IP address was used to present targeted advertisements.

In the third decision, the court summarized the plaintiff’s claim that “every time an individual voluntarily visits a party’s website, utilizing an IP address for purposes of connecting to the website, a violation would occur.” The court found this presented a significant public policy issue and would result in a huge disruption of commerce on the Internet. The court further found the plaintiff’s allegations were not specific to the purported visit to the defendant’s website and dismissed the complaint with leave to amend.

In the fourth decision, a California state court held there was no protected privacy interest in the plaintiff’s IP address regardless of whether the IP address fell under the “pen registry” definition. Absent such an interest, the court found there was no injury authorizing a suit under Penal Code section 637.2, subdivision (c).

Finally, a California state court decision from October rejected the plaintiff’s argument that general jurisdiction existed because the defendant was registered to do business in California. The court also found the plaintiff failed to show the controversy is related to or arises out of the defendant’s contacts with the forum. Although the plaintiff identified numerous contacts with California, the plaintiff did not allege they interacted with these contacts.

e. Video Privacy Protection Act (“VPPA”) Lawsuits

It has been a relatively quiet holiday season for substantive VPPA rulings, but we are covering two notable decisions from October. The first is from the Second Circuit, reversing a lower court’s dismissal of a VPPA claim and likely broadening the statute’s application for future cases. The second decision is a denial of class certification, highlighting the challenges plaintiffs may face when certifying a VPPA class for claims premised on the Facebook/Meta Pixel.

The first decision we are covering comes from the Second Circuit on October 15, which will likely expand the VPPA’s application and lower a plaintiff’s burden at the motion to dismiss stage. In the case, the plaintiff alleges that he signed up for a free online newsletter offered by the defendant, a professional sports league, and visited the defendant’s website where he watched video content. The plaintiff claims that through the newsletter and website, the defendant violated the VPPA by disclosing his video watching history and Facebook ID to Meta via the Facebook Pixel. The plaintiff brought his VPPA claim on behalf of a class but in August 2023, the Southern District of New York granted the defendant’s motion to dismiss, finding the plaintiff had not sufficiently pled he was a “consumer” under the VPPA for the law to apply.

On appeal, the Second Circuit vacated the dismissal and remanded the case back to the district court. The Second Circuit’s decision first addressed whether the plaintiff had established Article III standing and, second, the “central question” of whether the plaintiff had met the VPPA’s definition of a “consumer.” As a reminder, the VPPA only applies to “consumers” which the statute defines to include “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”

Answering the first question, the Second Circuit held that the plaintiff did have Article III standing because he had alleged his personal information was disclosed to a third party without his consent. According to the Second Circuit, this allegation “has a ‘close relationship’ to a harm traditionally recognized as providing a basis for a lawsuit in American courts: public disclosure of private facts.” This holding aligns with most lower court decisions that often find VPPA plaintiffs to satisfy Article III’s standing requirements.

On the second question, the Second Circuit held that the plaintiff did meet the definition of a “consumer” by pleading sufficient facts to show he was a “subscriber of goods or services.” According to the panel, it was sufficient for the plaintiff to allege that he had exchanged his personal information for the defendant’s free online newsletter to plausibly show he was a “subscriber” (and thus, a “consumer”) under the VPPA.

To reach this conclusion, the Second Circuit first held that the VPPA’s phrase “goods or services” is not confined to audiovisual goods or services. The decision notes that the VPPA is “not limited to entities that deal exclusively in audiovisual content; rather, audiovisual content need only be part of the provider’s book of business. … Thus, by its plain terms, the statute applies equally to a business dealing primarily in audiovisual materials (think Blockbuster) and one dealing in primarily non-audiovisual materials (think a general store that rents out a few movies).”

Next, the Second Circuit rejected the defendant’s argument that exchanging personal information for a free online newsletter was insufficient to establish a “subscriber” relationship under the VPPA. According to the Second Circuit, the personal information plaintiff exchanged to sign up for the newsletter was “not insignificant” and was valuable to the defendants as it included the plaintiff’s email address, IP address, and device cookies. The Second Circuit also agreed with prior decisions from the Eleventh and First Circuits that a VPPA plaintiff does not need to pay money for a good or service to become a “subscriber” under the statute.

The Second Circuit was careful to note that its ruling was “narrow” and that the defendant’s alternative arguments were best addressed by the district court. It nonetheless stated: “The VPPA is no dinosaur statute. Congress deployed broad language in defining the term ‘consumer,’ showing it did not intend for the VPPA to gather dust next to our VHS tapes. Our modern means of consuming content may be different, but the VPPA’s privacy protections remain as robust today as they were in 1988.” Looking ahead, VPPA plaintiffs are likely to cite this decision and its broad interpretation of the statute to counter motions to dismiss at the pleading stage.

The second decision we are covering is an order from the Southern District of Florida on October 1, denying class certification of a VPPA claim. The defendant in the case is an online video-streaming service that offers livestream access to broadcast networks and video-on-demand (prerecorded) content. The plaintiffs allege on behalf of a class that as subscribers to defendant’s video service, defendant disclosed plaintiffs’ Facebook IDs and the prerecorded videos they accessed to Meta using the Meta Pixel. Following an initial discovery phase, the plaintiffs moved for class certification under Rule 23 to certify a class of: ‘All persons in the U.S. who purchased a subscription to defendant’s streaming service, requested or obtained prerecorded video materials or services on the defendant’s website, used Facebook during the time the Pixel was active on the streaming service’s website from April 13, 2021, through May 8, 2023, and whose personal viewing information the defendant disclosed to Meta.’

The court denied class certification solely on numerosity grounds under Rule 23, finding the plaintiffs had failed to provide sufficient facts that would account for the many variables required for the Meta Pixel to transmit a person’s video-watching information. Based on the parties’ briefing and expert reports, whether the Meta Pixel could transmit a user’s personal viewing information from the defendant’s website depended on the user: (1) having a Facebook account; (2) using a web browser that didn’t block the Meta Pixel by default; (3) having been logged into their own Facebook account while selecting a video; (4) having been logged into Facebook on the same device that the subscriber used to select a video; (5) having been simultaneously logged into Facebook using the same browser through which the subscriber selected the video; and (6) having not deployed browser settings or add-on software that would have blocked the Meta Pixel. In the court’s view, the plaintiffs’ evidence did not sufficiently account for these variables to provide the court a non-speculative way to determine whether the proposed class actually included 15,000 subscribers as the plaintiffs alleged. Accordingly, the court denied class certification for lack of numerosity and declined to address the other elements of Rule 23 certification.

Although federal courts are not bound by this decision, it provides defendants a persuasive argument for defeating class certification of VPPA claims premised on the Facebook/Meta Pixel.

f. Other Lawsuits

This section covers privacy-related lawsuits that do not fit within the above categories but lack enough decisions to warrant their own category. This section is limited to members of ByteBack+.

2.         Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

  • How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
  • Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
  • Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
  • Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
  • Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
  • Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).