Listen to this post

Keypoint: In this post: (1) How a privacy policy can defeat a plaintiff’s “delayed discovery” argument; (2) Two CA state courts reject plaintiffs’ allegations concerning personal jurisdiction; (3) Three courts dismiss PR/TT claims due to lack of harm; (4) Two courts diverge on certifying VPPA classes; and (5) First MHMD case filed in Washington.

This is our twenty-first installment in our monthly data privacy litigation report. As we forecast last month, we are tweaking the format of these posts to hopefully provide readers with the most helpful information in the easiest to digest manner. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out!

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1. Five Privacy Litigation Takeaways from February 2025

  • Takeaway #1: A Central District of California Court held a privacy policy can defeat the plaintiff’s claim that the “delayed discovery” doctrine excuses the plaintiff’s failure to bring the claim within the statute of limitations.

Ad-tech is not exactly new. The Meta Pixel, which is often the focus of privacy lawsuits, was introduced in 2015. In contrast, wiretapping laws often have a relatively short statute of limitations period. For example, California’s CIPA requires claims to be brought within one (1) year. In many cases, the website has been using the accused technology for longer than that and the plaintiff may have been visiting the website for longer than that as well. To get around this issue, plaintiffs often plead the “delayed discovery” doctrine allows them to bring the claim now. To invoke the delayed discovery doctrine, the plaintiff must plead facts to show the time and manner of their discovery and that they could not have made an earlier discovery of the injury despite reasonable diligence. Often, plaintiffs allege the defendant’s use of the ad-tech was hidden to explain why they could not have discovered it earlier.

A Central District of California court rejected that argument in February, finding the privacy policy available on the defendant’s website established the plaintiff should have known the defendant’s website was using the tracking tools. Although courts have often considered whether the privacy policy could establish the plaintiff consented to the tracking, it is less common for a court to consider what impact the privacy policy has on the plaintiff’s discovery of the tracking.

The court did not address whether the privacy policy was merely available at the bottom of the website or whether the defendant used a “click wrap” style agreement despite this distinction being very important when considering content. In our own testing of the website, a link to the privacy and cookie preferences tool is provided at the bottom of the screen when a user visits the site.

This image has an empty alt attribute; its file name is Byte-Back-AI-for-Blog-656x331.jpg

The court found the plaintiff’s recognition that the website collected her information was sufficient to provide constructive notice of the privacy policy. The court further found the plaintiff had inquiry knowledge of the injury when she began seeing ads for the product on her Facebook regardless of whether she could see the tools on the website.

  • Takeaway #2: Two California state courts find the plaintiffs’ conclusory allegations insufficient to establish personal jurisdiction.

Two California state courts in Los Angeles county each found plaintiffs’ allegations concerning personal jurisdiction were conclusory and therefore insufficient to establish personal jurisdiction.

In the first decision, the defendant is a meal prep service that mails products to its customers’ homes. The plaintiff alleged the defendant violated California’s wiretapping service by sharing with third parties URLs that contained the plaintiff’s search terms. The defendant moved to quash service of the summons and argued there was no personal jurisdiction over the defendant. The court agreed, finding the plaintiff merely conclusory alleged the defendant specifically targeted California consumers given the state’s population. The court further found the plaintiff’s allegations were unconnected from the defendant’s alleged connections to California. “Plaintiff alleges that his privacy was violated upon visiting Defendant’s website, which is accessible from anywhere. The only connection to California is that Plaintiff happened to be in California at the time he accessed the website.” The court found plaintiff consequently failed to show his claim arose from the defendant’s forum-related activities and granted the motion to quash.

In the second decision, the defendant is a New York based Delaware corporation that sells menswear online. The plaintiff alleged he accessed the defendant’s website but did not allege he purchased anything from the website. The plaintiff instead alleges he was harmed because the defendant secretly deployed “spyware” that monitored and reported the plaintiff’s online habits after the plaintiff left the website. The court found the defendant’s website targets a national audience and the plaintiff failed to allege facts sufficient to show the defendant expressly aimed their website at California. The court noted, however, that the nature of the claim was sufficiently related to the defendant’s contact with California (the website) and granted limited jurisdictional discovery for the plaintiff to determine whether the defendant made substantial online sales to California residents equivalent to having a brick-and-mortar store in California and whether the defendant targeted California in any way.

  • Takeaway # 3: Three courts dismiss PR/TT claims because the plaintiff failed to allege they were harmed and therefore could not establish Article III standing.

Three decisions—two from the Southern District of New York and one from a California court—dismissed plaintiffs’ claims after finding the plaintiff failed to allege they were harmed by the defendant’s activity and therefore could not establish Article III standing. Critically, one of the decisions involved a claim that the defendant violated California’s PR/TT law by using the TikTok pixel on the defendant’s website. This represents one of the first decisions dismissing a PR/TT claim based on the TikTok ad-tech.

The first decision we are covering comes from the Central District of California and was issued on February 3. The defendant operated a website through which it sells products “related to health and wellness.” The plaintiff alleged the defendant operated a TikTok software on the website, which “instantly gathers visitors’ device and browser information, geographic location, and other details” and sent that information to TikTok in violation of Section 638.51 of the California Penal Code. The court rejected the defendant’s arguments that: the TikTok software was not a “tap and trace” device under Section 638.50; the defendant could not be liable under Section 638.51 because it was a party to the communication; and that the plaintiff consented via language in the defendant’s privacy policy. The court nevertheless dismissed the complaint after finding the plaintiff failed to allege a concrete harm and therefore lacked standing. This represents a rare instance where the court dismissed a PR/TT claim involving the TikTok pixel.

The second and third decisions both come from the Southern District of New York. Both also involve a claim against a news publication website and include allegations that the defendant caused a “tracker” to be installed on the plaintiffs’ browser that collected the plaintiffs’ IP address for the purpose of serving targeted advertisements and conducting website analytics. Despite these similarities, the named plaintiffs in the two decisions are not the same.

In the second decision, the defendant argued the plaintiff lacked Article III standing because the complaint did not allege a concrete injury in fact. The court, quoting TransUnion—“no concrete harm, no standing”—agreed. The court repeatedly noted the plaintiff failed to allege he was at all actually affected by the defendant’s activity. He did not receive any targeted advertising and the IP address is not like any information that could be used to steal his identity or inflict similar harm. The court also rejected the plaintiff’s argument that the mere violation of CIPA necessarily gave rise to a concrete right. The court also rejected the plaintiff’s argument that the defendant’s action deprived the plaintiff of the right to control his personal information, finding the IP address was not the type of “personal information” courts had found sufficient to establish a harm.

In the third decision, the court did not focus on whether the plaintiff alleged he had in fact been shown additional advertising but rather focused on what information an IP address could provide. Unlike other advertising technologies such as the Meta Pixel, the IP address did not allow a third party to identify the plaintiff specifically but merely that a device from the plaintiff’s general area had visited the website. The court found this insufficient to constitute a harm and dismissed the claim.

  • Takeaway # 4: Two federal courts issue contrasting decisions on class certification of VPPA claims under Rule 23.

Two decisions reached opposite rulings on whether a VPPA plaintiff could certify a class under Rule 23. Comparing the two decisions underscores the different views courts take on whether a proposed VPPA class is ascertainable from clear and objective criteria. The decisions also highlight the difficulty some plaintiffs have in demonstrating an administratively feasible and non-speculative method for identifying class members in the VPPA context.

The first decision—which granted class certification—comes from the Northern District of Georgia where the plaintiff asserts a VPPA claim against a popular health news and information site, alleging the site uses the Facebook/Meta pixel to share users’ video-viewing activity and personally identifiable information with Facebook. Here, the court was convinced that the proposed VPPA class was adequately defined and clearly ascertainable based largely on the deposition testimony of a Meta software engineer who indicated there was an available method for identifying class members through records from the defendant and Facebook. The court also found that the class was sufficiently numerous with over 550,000 potential members and, in doing so, rejected the reasoning of a Southern District of Florida decision which had denied class certification on numerosity grounds in October (which we covered here). Finally, the court concluded that common questions of law and fact predominated over individual issues to hold that the remaining Rule 23 requirements were satisfied to certify the class.

The second decision­—which denied class certification—comes from the District of Massachusetts. The plaintiff asserts a VPPA claim against a local news broadcasting company for disclosing users’ video watching data from the company’s mobile applications for advertising purposes. The court denied class certification primarily because it found the plaintiff’s expert had used an unreliable methodology to show that the proposed class was ascertainable from objective criteria. Specifically, the court found the expert’s methodology, which relied on geolocation data to identify potential class members, was administratively infeasible and could violate the defendant’s due process rights because it relied on validating testimony from each putative class member. The court also noted that the ascertainability inquiry would likely create individual issues predominating over common ones and would overlap with the merits of the VPPA claim, further complicating the certification process. The court, therefore, denied the plaintiff’s motion for class certification under Rule 23.

  • Takeaway # 5: The first My Health My Data (“MHMD” case has been filed in Washington.

In case you missed our February 11 post, the first lawsuit alleging violation of the MHMD Act was filed against an online retailer. The complaint alleges the retailer collected and monetized location data from consumers’ mobile phones through a software development kit (SDK). The complaint alleges this location data provides insights into a consumer’s health, including when the user visits a cancer clinic and more broad insights such as health behaviors (when the user goes to the gym or eats fast food) or the neighborhood where the consumer lives or works.

We are monitoring this case closely. Make sure you are subscribed to our newsletter and follow us on LinkedIn for more information.