Privacy Litigation Image
Listen to this post

In this post: (1) The 9th Circuit tightens what “harm” a plaintiff must suffer to have standing; (2) the D.C. Circuit adds to growing circuit split on defining “consumers”; (3) Three courts find plaintiffs consented via website terms; (4) Courts split on whether software that captures content and address information qualifies as “pen register”; and (5) Daniel’s Law receives first decision narrowing statute.

This is our twenty-seventh installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Finally, for an overview of current U.S. data privacy litigation trends and issues, click here.

Five Privacy Litigation Takeaways from August 2025 Decisions.

Takeaway #1: The Ninth Circuit tightens what “harm” a plaintiff must suffer to have standing in federal court while a district court immediately distinguishes the decision.

On August 26, the Ninth Circuit issued its Popa decision which affirmed the district court’s finding that the plaintiff lacked standing under Article III. The plaintiff had visited a pet supply website, where she alleges session replay technology (SRT) was allowed to track if a user views a certain product offered for sale. Although the plaintiff alleged a user’s mailing address is also captured, the screenshot in the complaint shows masking software excludes this information. The plaintiff alleged violation of Pennsylvania’s wiretapping act and an “intrusion upon seclusion” claim. A Washington district court ruled the plaintiff failed to establish Article III standing and dismissed the case without prejudice. The plaintiff appealed rather than file an amended complaint.

On appeal, the Ninth Circuit examined two Supreme Court Article III decisions within the past decade—Spokeo (2016) and TransUnion (2021). The court summarized that these decisions “require a court to assess whether an individual plaintiff has suffered a harm that has traditionally been actionable in our nation’s legal system.” The court then examined two Ninth Circuit decisions that were issued before TransUnionEichenberger and In re Facebook Inc. Internet Tracking Litigation—in addition to one decision that post-dated TransUnion, all ofwhich plaintiffs have relied upon to argue the alleged violation of a statute codifying a common-law privacy harm is sufficient to confer Article III standing. The Ninth Circuit, however, refused to interpret these decisions to establish such a categorical rule.

Turning to the facts of the case before it, the Ninth Circuit affirmed the district court’s decision that the plaintiff failed to allege harm required to establish standing. The court rejected the argument that simply alleging a violation of a statute can establish standing. Because the plaintiff did not explain how the tracking of her interactions with the website caused her to experience any kind of harm that are “remotely similar to the ‘highly offensive’ interferences or disclosures that were actionable at common law,” the plaintiff had failed to allege a harm required to establish standing under Article III.

Three days later, a Northern District of California district court issued a decision that found the plaintiff in that case had established Article III standing. The plaintiff alleged they visited various websites operated by the defendant, which provides several over-the-counter healthcare products. The plaintiff alleged that, after they reviewed the cookie banner, they chose to “reject all” cookies and continued browsing the website. Despite this selection, the websites nevertheless caused the placement of cookies to third parties and transmitted the plaintiff’s personal information.

The district court distinguish Popa because the Ninth Circuit decision involved pet food, not healthcare, and further because the tracking technologies at issue in each case were different. While the information in Popa was alleged only to have been used by the defendant, in the district court case the plaintiff alleged the information was provided with third parties to further their own financial gain. The district court found this sufficient to distinguish Popa and hold the plaintiff had established Article III standing.

Takeaway #2: D.C. Circuit latest to weigh in on the Video Privacy Protection Act (VPPA) and defining “consumers” under the Act.

On August 12, the D.C. Circuit Court of Appeals issued its first ever decision interpreting the VPPA, the latest in a string of decisions on the Act from other circuit courts this year. At issue in the case was whether the plaintiff sufficiently pled a VPPA claim against a newspaper publisher to survive a motion to dismiss. In the complaint, the plaintiff alleged that she had subscribed to the newspaper’s online newsletter and upon visiting the newspaper’s website, independent from the newsletter, had her information about videos she watched on the site disclosed via the Meta Pixel without consent.

The lower court dismissed the plaintiff’s complaint, finding she did not sufficiently allege the requisite connection between her newsletter subscription and the personal information transmitted on the newspaper’s website to show she was a “consumer” subject to relief under the Act. The D.C. Circuit agreed.

The circuit court panel held that although the plaintiff had standing to bring her VPPA claim (as have most courts addressing Article III standing under the VPPA), she failed to allege that her newsletter subscription was a subscription to “video or similar audio-visual material” as required to meet the Act’s definition of “consumer.” According to the panel, a plaintiff must have subscribed to (or purchased or rented) video or similar audio-visual materials to be a “consumer” under the Act. Subscribing to (or purchasing or renting) any good or service is not sufficient, even if the defendant also offers video or similar audio-visual materials as a separate good or service. Such a reading of the VPPA, according to the panel, contravenes the statutory text and would be “unadministrable” by requiring video tape service providers to differentiate between consumers who visit the provider’s website and consumers who visit the website after having at some unknown prior time purchased some different non-video-related good or service.

For this reason, the panel found it fatal to plaintiff’s claim that her allegations focused exclusively on the disclosure of information about videos she had watched on the newspaper’s website, separate and apart from the newsletter to which she subscribed. As noted by the panel, the plaintiff did not allege that (1) any videos in the newsletter contained the Meta Pixel to track viewing selections, (2) defendant tracked or disclosed any video viewing selections she made within the newsletter, and (3) she clicked on website links in the newsletter that took her to the newspaper’s website. Because she only claimed visiting the defendant’s website where her viewing information was tracked and disclosed, independent of the newsletter, she had not adequately alleged being a “consumer” entitled to relief under the Act. The panel therefore affirmed the district court’s dismissal of her complaint.

The D.C. Circuit’s decision adds to a growing circuit split on whether a VPPA plaintiff must subscribe to (or purchase or rent) video content specifically or whether subscribing to any good or service offered by a videotape service provider, such as a newsletter, is sufficient to state a claim. In taking the former view, the D.C. Circuit joins the Sixth Circuit in limiting the VPPA’s scope of liability to cover only consumers who subscribe to, purchase, or rent video goods or services. This more restrictive reading diverges from the Second and Seventh Circuits which have both held that a consumer of any good or service may be covered by the Act as long as the defendant meets the definition of “video tape service provider” by the other goods or services it offers.

Takeaway #3: Three courts find plaintiffs consented to alleged privacy violation via the website terms.

Consent has long remained the ultimate defense to claims of privacy violations under both statute (e.g., CIPA, ECPA, etc.) and common law. In August, three courts dismissed plaintiffs’ claims after finding the plaintiff had consented either to proceed in arbitration or simply to the alleged behavior by agreeing to the terms of use or privacy policy.

In one decision involving an online provider of prescription treatments, the court compelled arbitration of privacy claims after finding that the plaintiff was required to check a box agreeing to the site’s terms of use and privacy policy, both presented through conspicuous hyperlinks. The court determined that the agreement was neither procedurally nor substantively unconscionable. The privacy claims—arising from alleged interception of personal and health information—were held to fall within the scope of the arbitration provision. The court rejected arguments that the arbitration clause was hidden or that consent was invalid, emphasizing that the plaintiff had multiple opportunities to review and accept the terms before completing the transaction.

In another case concerning alleged unauthorized data collection through a mobile application, the court found that the plaintiff had assented to the app’s terms of service and privacy policy through a sign-in wrap mechanism. Upon creating an account, the user was presented with a clear advisal that, by continuing, they agreed to the terms and acknowledged the privacy policy. The court held these disclosures were reasonably conspicuous and that clicking the button constituted unambiguous assent. The court further allowed a third-party technology provider to enforce the arbitration agreement, since the privacy policy’s data sharing provisions were closely tied to the claims at issue.

A third decision involved privacy claims against a national hospitality chain. The court dismissed claims after finding that the plaintiff had consented to the privacy policy in effect at the time of booking. The online reservation process required the user to check a box agreeing to “rate and room policies,” with an adjacent, bolded drop-down menu linking to the privacy policy. The court found this combination of features sufficient to provide conspicuous notice, and the privacy policy itself disclosed the data collection and sharing practices challenged in the suit. As both statutory and constitutional privacy claims required lack of consent, the court dismissed the claims.

These decisions reinforce that courts will enforce consent obtained through clear online disclosures—whether via clickwrap, sign-in wrap, or similar mechanisms—provided the notice is reasonably conspicuous and the user takes affirmative action such as checking a box or clicking a button. Plaintiffs challenging data collection or sharing must overcome a significant hurdle where they have agreed to website terms that disclose the contested practices. Courts continue to scrutinize the details of how consent is obtained and what is disclosed, but where the process is robust, consent remains a strong defense.

Takeaway #4: Courts split on whether software that captures content and address information qualifies as “pen register” under CIPA.

California law broadly defines a “pen register” to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” In August, two judges in the Northern District of California issued decisions that disagreed whether software that allegedly captures both addressing information such as an IP address and also captures the contents of a communication qualifies as a “pen register” under California law.

In one decision, the court declined to dismiss claims that a tracking pixel used on online tax filing websites could qualify as a pen register, even though plaintiffs alleged it also captured the contents of communications. The court reasoned that the statutory language was ambiguous and that the legislative purpose of the California Invasion of Privacy Act (CIPA) favored a broad reading. According to the court, excluding software from the pen register definition simply because it also captures content would create a loophole that undermines CIPA’s privacy protections. The court allowed the claim to proceed, noting that the technology at issue could plausibly function as both a wiretap and a pen register, especially where different components or functionalities separately capture metadata and content.

The same day, a different judge—in the same district and addressing similar allegations against a website operator using third-party tracking software—found the statutory definition of a pen register excludes any device or process that captures the contents of a communication. In that case, the court ruled that if the challenged software collected content information—such as names, dates of birth, or addresses—the device would fall outside the pen register provision and instead be subject to CIPA’s wiretap rules.

These decisions highlight an emerging split in the interpretation of CIPA’s pen register provision, with some courts willing to allow dual-function software to be challenged under both pen register and wiretap theories, while others read the statute to require a strict separation between content and addressing information. As more privacy class actions target website tracking technologies, this issue is likely to see further development in the California courts.

Takeaway #5: A New Jersey district court decision finds the New Jersey state law partially preempted and sheds light on meaning “disclose” or “make available”

Daniel’s Law is a New Jersey state law that allows judges, prosecutors, and law enforcement officers and their immediate family members (collectively, “Covered Persons”) to stop their home addresses and unpublished phone numbers from being “disclosed” or “made available.” The law has its roots in the tragic murder of the son of a federal judge. The law imposes statutory damages of $1,000 per violation in addition to actual damages and allows the Covered Person to assign their claim to a third party.

One company, Atlas Data Privacy Corporation, has created a service through which Covered Persons can send takedown requests and has filed many lawsuits against entities—most often data brokers—that the company believes failed to comply with Daniel’s Law. Numerous defendants have challenged the law as unconstitutional, and courts have repeatedly upheld the law.

In August, a New Jersey district court decision narrowed the law. Although the narrowing was minimal, this represents the first narrowing of the law since its passing and may open the gates to future arguments. The decision involved at least six defendants with various types of businesses from commercial data brokers, voter registration entities, and financial reporting entities. Although six defendants moved to dismiss the Daniel’s Law claims against them as preempted by various federal laws, only the financial reporting entity was at all successful.

Two defendants argued Daniel’s Law was preempted by the National Voter Registration Act (“NVRA”) because voter records often include home addresses of voters. The court disagreed, finding the NVRA does not prohibit the redaction of sensitive personal information and Daniel’s Law applies to a narrow group of individuals.

Four other defendants, all of whom are data brokers, argued the claims were preempted under Section 230 of the Communications Decency Act of 1996 (“CDA”). Section 320 shields an entity from liability for information a third party posts on the defendant’s system. The law only protects the defendant from liability for information provided by “another content provider.” The court found numerous factual issues as to whether the defendants created or developed content and denied the motion to dismiss.

Another defendant argued the Fair Credit Reporting Act (“FRCA”) preempted Daniel’s Law and precluded the defendant from liable under Daniel’s Law. This defendant made three arguments as to why the FRCA preempted Daniel’s Law. First, the defendant argued the FRCA governs companies who gather consumer credit data, organize that data into consumer credit reports, and provide those reports to commercial entities for the purpose of assessing the consumer’s creditworthiness. In response, the plaintiff argued the home and address information was not included as part of the report but rather merely a header on the report. The court found factual issues precluded resolution and denied the motion to dismiss on this ground. Second, the defendant argued the FRCA preempts Daniel’s Law because home addresses and telephone numbers are needed to match credit information “about ‘John Smith’ to the correct ‘John Smith.’” The court found this argument was unpersuasive because “Daniel’s Law does not bar [the defendant] from performing this function . . . .” Third, the defendant argued the provisions that address the furnishing of consumer reports in connection with credit or insurance transactions initiated by creditors or insurers rather than by consumers—Sections 1681(c) and 1681(e)—preempted Daniel’s Law. Subsection (c) permits creditors and insurers to purchase pre-screened names and addresses of creditworthy consumers while Subsection (e) allows consumers to remove their names and addresses from these lists via two specific mechanisms: notifying a consumer reporting agency by either calling a toll-free number or submitting to the agency a statutorily prescribed form that is signed by the consumer. The court found Daniel’s Law and the FCRA were “inconsistent with respect to the means and timing for removing a consumer’s home address” and Daniel’s Law was preempted by the FCRA to the extent it allowed covered persons to remove their home addresses from these lists. On that ground only, the court dismissed the complaint.

Although the court’s narrowing of Daniel’s Law was limited, the decision marks the first time a federal court has found any portion of the statute to be preempted and provides new guidance on the meaning of “disclose” and “make available” under the law. This may open the door to further challenges and clarifications in future litigation.