Keypoint: Five Takeaways from Privacy Litigation Decisions in January 2025

Welcome to the twentieth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. After our expansive “holiday edition” post last month we are changing things up a bit with this month’s post. Instead of providing case summaries on multiple decisions we are providing five takeaways from cases in the past month. Our hope is this provides a more practical post for in-house counsel and business owners facing the quickly changing world of privacy litigation.

Do you find these posts helpful? Wish we would cover another privacy trend or provide more information? If so – we want to hear from you! Please reach out and let us know what you would like to see in future privacy litigation updates.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1.         Five Privacy Litigation Takeaways from January 2025

• Takeaway #1: Courts have indicated they may find a plaintiff consented to alleged wiretapping via a website privacy policy provided the defendant can show enough to establish constructive consent; even if defendants have not done so yet.

Two decisions from two different courts in January 2025 suggested courts are willing to entertain arguments that a plaintiff consented to the use of ad-tech on websites (defeating a claim for wiretapping) even where the website did not require users to take some affirmative action to indicate their consent (i.e., where the website uses a browser wrap agreement). Unfortunately for the defendants in these cases, however, the courts found the defendants did not offer enough information to allow the court to make that finding and denied the motions to dismiss on these points.

In the first decision, a Northern District of California court rejected a well-known social media company-defendant’s argument that the plaintiffs consented via the website privacy policy, finding there was no evidence in the record that plaintiffs were required to affirmatively acknowledge the privacy policy and that—while the plaintiffs could have consented to a browser wrap agreement—the defendant had failed to show the plaintiffs had the required actual or constructive knowledge of the policies.

In the second decision, a Central District of California court dismissed a claim that the defendant violated California’s wiretapping law when it shared a URL that contained the plaintiff’s search terms. The court dismissed the claim after finding the plaintiff failed to allege a concrete harm required to establish standing. The court then continued and discussed the defendant’s other arguments, including that the plaintiff had consented via the website privacy policy. The court found whether the plaintiff consented turned on whether the cookie banner was sufficiently conspicuous and whether it sufficiently disclosed how the defendant would use the plaintiff’s data. Because the plaintiff did not allege any details about the banner and the defendant did not provide any details about the banner via judicial notice, the court found the uncontradicted allegations were accepted as true and rejected the consent argument. The plaintiff will likely file an amended complaint to address the standing issues the court identified and we may see the defendant take another shot at the consent argument when it likely moves to dismiss the amended complaint.

• Takeaway #2: Courts inconsistently consider statements by third party vendors when determining whether the third party is entitled to the “party exception” in a wiretapping claim.

An Eastern District of California court issued two identical decisions involving the same plaintiff against different defendants who both used the same third party vendor. In both decisions, the court denied the defendants’ motion to dismiss after finding the third-party software vendor had the capability to use the information for its own purposes. The plaintiff alleged the software vendor reserved its right to use data it obtained “to optimize and improve Services or otherwise operate [Vendor’s] business.” Although the defendants argued a Business Association Agreement prohibited the vendor from using the information for its own purposes, the court found it could not rely on that agreement because it was outside the pleadings. Regardless, the court found the vendor’s terms superseded the agreement and found the vendor was a third party not entitled to the defendant’s party exemption. Notably, the court issued its order on January 8. By the end of the month, the parties had stayed all deadlines to allow the parties to potentially settle the case.

In contrast, a Northern District of California decision denied a plaintiff’s request to amend their complaint after finding amendment would be futile because the plaintiff failed to allege the third-party vendor was not entitled to the party exemption. The plaintiff relied on published materials from the third party that advertised the third party shares customer information with third-party applications, such as Facebook, and advertised its partnership with other third parties. Because the plaintiff failed to offer any “facts to suggest it is anything other than speculation” that the third party used information it obtained from defendant, rather than other parties, the court found the amendment would be futile.

• Takeaway # 3: Tap & Trace / Pen Registry claims continue to survive motions to dismiss.

California courts continue to deny motions to dismiss claims brought under Section 638.51 of California’s Penal Code, even where the decision does not specifically mention the TikTok pixel. A Central District of California court rejected a defendant’s argument that Section 638.51 should not apply because the alleged software only collects IP addresses. The court found the plaintiff alleged the software collected more than an IP address but also collected “operating system information, browser information, geolocation data, and email addresses.” The court also rejected the defendant’s argument that the plaintiff consented to the use of the software. Rather than arguing the plaintiff consented because of a privacy policy or cookie banner, the defendant instead argued the software was analogous to a caller ID, which courts have found is permissible even though technically a violation of PR/TT laws because the recipient of a telephone call consented to its installation and use. The court rejected this argument, finding that while caller ID is installed on the recipient’s information, the alleged software was installed on the website visitor’s browser.

• Takeaway # 4: Courts are relying on the Salazar decision to support a broad interpretation of the VPPA but still stop short of finding selling tickets for an in-person viewing violates the VPPA.

A Southern District of New York decision is notable for being one of the first district court rulings on a Rule 12(b)(6) motion to dismiss following the Second Circuit’s recent opinion in Salazar v. Nat’l Basketball Assoc. from October 2024. That opinion, which we covered in our last post, expanded the VPPA’s application and lowered the burden on VPPA plaintiffs at the motion to dismiss stage. The impact of that opinion was not lost on the district court here which asked the parties for supplemental briefing on Salazar before ruling on the motion to dismiss.

In the case, the plaintiff asserts VPPA class claims against the owner of a popular movie theater chain known for featuring independent and foreign films. The complaint alleges the movie theater’s website, operated by defendant, utilizes the Meta Pixel to transmit visitors’ personal information to Facebook, including the videos (e.g., movie trailers) they watch and the tickets they purchase. The plaintiff claims to hold an account on the theater’s website and to subscribe to the theater’s newsletter.

In denying the motion to dismiss, the court rejected the defendant’s argument that it was not a “video tape service provider” under the VPPA insofar as the term applied to the defendant’s website. The heavily relied on Salazar which, according to the court, “emphasized the breadth of [the] [VPPA’s] statutory scheme” to apply even where an entity does not “deal exclusively in audiovisual content.” The court also cited multiple decisions that have held the term “video tape service provider” to include websites and streaming services that deliver online video content to consumers.

With respect to defendant’s brick-and-mortar theaters, however, the court held that the plaintiff’s VPPA claim did not “pass muster” because theaters do not rent, sell, or “deliver” films; rather, they sell tickets to theatergoers. The court, therefore, allowed the plaintiff’s VPPA claim to proceed based on defendant’s website offerings but excluded the plaintiff’s theory of liability based on the defendant’s brick-and-mortar theater business. Notably, the defendant’s motion to dismiss had also raised the argument that the plaintiff was not a “consumer” under the VPPA (a common argument in these cases). But in light of the Salazar decision — which held that plaintiffs could plausibly allege they were a “subscriber” (and thus a “consumer”) under the VPPA if they provided personal information to enroll in a website’s newsletter and watched videos on the website — the defendant abandoned that argument in its briefing.

• Takeaway # 5: Spy pixel cases fail to launch.

A District of Massachusetts District Court issued a decision in January 2025 dismissing a claim under Arizona’s “spy pixel” law. The plaintiff is an Arizona resident who alleged she frequently opened promotional materials that allegedly contained “spy pixel” the defendant embedded into the email. The plaintiff alleged the “spy pixel” collected information about: the email and its recipients, including the email address, subject, when the email is opened and read, the recipient’s location, how long the recipient spends reading the email, whether the email is forwarded or printed, and what kind of email server the recipient uses. The plaintiff alleged the defendant therefore violated Arizona State § 44-1376.

The defendant moved to dismiss both under FRCP 12(b)(1) (standing) and 12(b)(6) failure to state a claim).The court found the plaintiff failed to allege a concrete harm and therefore lacked standing. The court first rejected the plaintiff’s argument that the mere fact that the Arizona legislature enacted the statute was sufficient to establish violation of the statute is a harm. The court instead relied on the Supreme Court’s TransUnion decision, which held a statutory violation does not “automatically satisf[y] the injury-in-fact requirement.” 594 U.S. at 426. The court then considered whether the plaintiff’s injury was akin to an intrusion upon seclusion and found it was not. The court finally rejected the plaintiff’s arguments that the use of the spy pixel is akin to violations of other “similar substantive privacy statutes” that could give rise to Article III standing. The court therefore held the plaintiff lacked standing and dismissed the claim without reaching the 12(b)(6) arguments.

2.         Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

• How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
• Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
• Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
• Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
• Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
• Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).