In this post: (1) Courts find cookie banners and sign-in banners place users on notice of privacy policy; (2) but policy must explicitly notify users of practice to establish consent; (3) Courts disagree whether disclosure of Facebook ID violates VPPA; (4) Courts dismiss wiretapping claims after finding messages not received while “in transit”; (5) Defendants forced to litigate in Plaintiffs’ chosen forum as three courts deny motions to transfer venue.

This is our twenty-eighth installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Finally, for an overview of current U.S. data privacy litigation trends and issues, click here.

Five Privacy Litigation Takeaways from September 2025 Decisions.

  • Takeaway #1: Courts find sign-in banners and cookie banners sufficient to put users on notice of the disclosure (but that is only the first step to winning a motion to dismiss).

Courts are increasingly willing to find that sign-in agreements, cookie banners, and similar online mechanisms are “reasonably conspicuous” and sufficient to alert users to the existence of privacy policies or terms of use. The threshold inquiry at the pleading stage often centers on whether the mechanism by which users are notified—such as a pop-up banner, sign-in agreement, or hyperlinked notice—would be apparent to a reasonably prudent internet user. This month’s post covers three decisions from the Northern District of California, two of which provide examples of when the mechanism is sufficient to make users aware of the privacy policy (regardless of what the policy itself says), and one that provides an example of when the mechanism is not.

In our first decision, the court addressed whether a website’s sign-in process policy was sufficient to establish user consent to the sharing of health information with third-party analytics and advertising providers. The court found the sign-in wrap mechanism—requiring users to affirmatively agree to hyperlinked terms and privacy policies before proceeding—was reasonably conspicuous and established constructive notice. The notice was positioned directly adjacent to the action button, used color or font to distinguish the hyperlink, and was surrounded by ample white space. This mandatory step ensured users could not proceed without encountering and acknowledging the terms, which the court found supported a finding that the notice was reasonably conspicuous.

In another decision from the Northern District of California, the court examined whether a healthcare provider’s cookie banner and privacy policy were sufficient to establish user consent to the collection and sharing of sensitive health-related information. The court found the cookie banner—prominently displayed, with a hyperlinked policy, and a clear message (“By continuing to use our site, you are agreeing to our Cookies Policy”)—met the standard for constructive notice. The court cited the banner’s placement, formatting, and explicit language as factors supporting mutual assent. The banner appeared in a prominent location on the webpage, set off with a contrasting background color, and was written in clear, legible font. The banner’s message was direct, stating that continued use of the site would constitute acceptance of the cookies policy, and included an underlined, capitalized hyperlink to the policy itself. The court noted the absence of clutter around the banner and the use of a large “ACCEPT” button, both of which contributed to the notice being “set apart” and easy to see.

A third decision from the Northern District of California demonstrates how implementation of a cookie banner—the same method used by the party in our second decision—can fail to establish consent if not implemented properly. The defendant’s website buried the terms of service and related disclosures in a non-obvious location, with no reference in the cookie consent process or other user flows. The terms of service were instead accessible only through a small, nondescript menu icon, buried among other links, and not referenced at any point during the user’s interaction with the site—such as during the cookie consent process. The link to the terms was not visually distinguished (e.g., not in a contrasting color or underlined) and was surrounded by other content in the same font and size, making it unlikely that a user would notice it. The court emphasized that merely providing a hyperlink, especially one that is not clearly marked or called out during user flows, does not amount to reasonably conspicuous notice. The court found this insufficient to put users on notice, holding that neither actual nor constructive consent could be inferred.

  • Takeaway #2: Even when users are aware of policy, that policy must explicitly notify users of the practice at issue to establish consent.

Our second takeaway is a continuation of our first. Even if the court finds users are on notice of the privacy policy, the policy must sufficiently disclose what information the defendant collects and how the defendant uses and shares that information to establish consent at the motion to dismiss stage of litigation. Vague and general disclosures are not sufficient, especially where sensitive information or unexpected uses are involved. To demonstrate this point, we look at two of the three decisions we covered in our first takeaway.

In our first decision, the court addressed whether a website’s privacy policy put users on notice that their sensitive health information would be shared with third parties for advertising. The plaintiffs sued Meta and Google regarding use of their code on a non-party’s website, which the plaintiffs alleged they had used to obtain medical treatment by providing responses to a “medical profile” questionnaire. The plaintiffs alleged the defendants’ tools intercepted and collected information when a user registered on the website, added a medication to their cart, and purchased the medication. The court found the privacy policy in place prior to 2024 did not establish consent because it did not explicitly notify users of the practices at issue and rather espoused that the third party safeguards sensitive health information and only shared it with third parties (such as defendants) for limited purposes, which did not include advertising. In contrast, the privacy policy adopted in 2024 made clear that the third party would share data about users’ activity with both Meta and Google. Although the court found the plaintiffs’ claims could only survive for the period prior to the adoption of the 2024 privacy policy, the court dismissed the entirety of the plaintiffs’ complaint because the court also found the plaintiffs did not allege the challenged data sharing practices were in place before that time.

In our second decision, the plaintiff sued both the website owner (a healthcare company) and the analytics provider, LinkedIn. The court reached differing conclusions as to whether the privacy policy established consent as to each defendant. The court first found LinkedIn’s privacy policy provided sufficient notice of its general collection practices: disclosing not only that LinkedIn “‘use[s] cookies and similar technologies (e.g., pixels and ad tags) to collect data . . . on, off and across different services and devices where [users] have engaged with [LinkedIn’s] Services,’ but . . . also explicitly explains how the Insight Tag works—by using ‘[d]ata collected by advertising technologies on and off [LinkedIn’s] Services using pixels, ad tags (e.g., when an advertiser installs a LinkedIn tag on their website) cookies, and other device identifiers.’” The court nevertheless continued to find the disclosure did not go so far as to cover sensitive health information and it was inappropriate to determine at the motion to dismiss stage whether the information at issue was so sensitive that there was a reasonable expectation that the information would be disclosed.

In contrast, the court found the healthcare company’s disclosures “are so specific that there can be no reasonable expectation that the information provided to [the defendant] is private. The Privacy Notice explicitly informs users that [the company] collects users’ personal information—including age, race, marital status, medical condition, gender identity, sexual orientation, date of birth, genetic, psychological, behavioral, and biological characteristics, and a user’s preferences, behavior, aptitudes—and may disclose this information ‘to a third party for a business purpose.’ The Cookies Policy also discloses that [the company] uses ‘Targeting Cookies,’ which it describes as cookies set on its website by advertising partners to build a profile of the user’s interests and show the user relevant advertisements on third-party websites. This is precisely the conduct [the plaintiff] alleges here . . . .”

  • Takeaway #3: Courts disagree whether disclosure of Facebook ID constitutes PII in VPPA claims.

The VPPA prohibits a video tape service provider from knowingly disclosing “personally identifiable information,” which the VPPA defines as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” 18 U.S.C. § 2710. As VPPA litigation has resurged in the previous few years, a circuit split has developed as to how courts will determine whether information is PII. The First Circuit has adopted the “reasonable foreseeability” test, under which PII is not limited to information that explicitly names a person but also includes information that is “reasonably and foreseeably likely to reveal which videos the plaintiff has watched.” In contrast, the Third, Second, and Ninth Circuits have adopted the “ordinary person” standard, which limits PII to “the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.”

Even amongst courts in circuits that have adopted the same “ordinary person” standard, however, courts continue to disagree whether disclosure of the Facebook ID (at issue in most modern VPPA cases) constitutes PII under the VPPA. In this post we take a look at three decisions that found it did not in contrast to one decision that found it did.

In the first decision from a Southern District of New York court, the court dismissed a VPPA claim where the plaintiff alleged that a website transmitted both a video title and a Facebook ID to a third party via tracking code. Applying the “ordinary person” standard, the court held that this type of disclosure—comprised of a string of code containing the Facebook ID and video URL—would not enable an average user, “with little or no extra effort,” to identify the individual and their video selections. The court emphasized that while a technology company might be able to decode this information, the VPPA requires that the information be intelligible to an ordinary person.

Another court, also from the Southern District of New York, reached a similar outcome in a case against a movie ticket website. The court found transmission of the Facebook ID and movie title, embedded in technical code, did not amount to PII under the VPPA. The court pointed to the lack of plausibility that a typical user could extract and interpret the Facebook ID or the movie title from the code, especially without special annotation or technical knowledge. The court also rejected arguments that an ordinary person could use a Facebook ID to locate a user’s profile, noting that the VPPA’s standard is not satisfied by hypothetical or convoluted means of identification.

A third court, from the Eastern District of Pennsylvania, applied the same “ordinary person” standard to likewise dismiss a VPPA claim after finding the plaintiff failed to allege facts showing how a Facebook ID embedded in code could be used by an average person to identify the plaintiff’s video-watching habits. The court noted the absence of allegations regarding the content of the associated Facebook profile or the accessibility of the ID and concluded that only a sophisticated company could make the necessary connections. Critically, however, the court allowed the VPPA claim to proceed past the pleading stage where the claim was not based on the Facebook ID, but rather on the defendant’s listing for sale of its “mailing list,” which included the plaintiff’s information.

By contrast, at least one Northern District of California court has taken a more permissive approach and allowed the VPPA claim based on Facebook ID disclosures to proceed past the pleading stage. The court reasoned that, at the motion to dismiss stage, it was plausible that a Facebook ID could be used to readily identify a person and their video viewing activity, and that further factual development was needed to determine whether an ordinary person standard was satisfied.

  • Takeaway #4: Courts dismiss wiretapping claims after finding messages were not received while “in transit.”

Courts are increasingly scrutinizing the timing of alleged data interception and dismissing claims where plaintiffs cannot plausibly allege that communications were intercepted before reaching their intended recipient.

In one case, the court addressed claims brought under a state wiretapping statute by users who alleged their sensitive information was collected through tracking technologies embedded on healthcare and service provider websites. The court explained that, to state a claim, plaintiffs must plausibly allege that the defendant read or attempted to read the contents of their communications “while in transit”—that is, during transmission, and not after the communication had reached its destination or been stored. The court found general assertions that a tracking technology “collected” or “received” information were insufficient to plead interception occurred while “in transit.” The court required more detail about the real-time capture of data during transmission and dismissed the claims but provided leave to amend.

In another decision, a user alleged a third-party analytics provider unlawfully intercepted data during the process of booking hotel rooms online. Here too, the court found the plaintiff’s allegations—describing how information was eventually gathered and stored by the analytics provider—did not support an inference that the defendant accessed the communication before it reached its intended recipient. The complaint’s references to “real time” or “contemporaneous” collection were not enough to satisfy the statutory standard without concrete allegations about the precise timing of the interception.

  • Takeaway #5: Defendants forced to litigate in Plaintiffs’ chosen forum as courts deny motions to transfer venue.

Two courts, one in the Northern District of California and one in the District of New Jersey, denied defendants’ attempts to litigate outside of the plaintiffs’ chosen forum. Although the defendant in one case wanted the litigation moved outside the defendant’s home state and the defendant in the other case wanted the litigation moved to its home state, the courts in both cases deferred to the plaintiff’s choice of forum.

In the first decision, users brought claims against a healthcare website operator in the state where the company is headquartered, alleging improper disclosure of sensitive health information to third-party advertisers. The defendant sought to transfer the case to another state, arguing that some plaintiffs resided there and that some website activity occurred there. The court, however, found that the “center of gravity” for the alleged conduct was the defendant’s headquarters, where decisions about the installation and operation of tracking technologies were made. The court gave significant weight to the plaintiffs’ forum choice and noted the strong local interest in regulating the conduct of in-state corporations. Other factors, such as convenience of parties and witnesses and access to electronic evidence, were found to be neutral. On balance, the court concluded that the interests of justice favored keeping the case in the original forum.

In the second decision, a California resident sued a Florida-based company, which sought to have the case transferred to its home state. The court again gave significant weight to the plaintiff’s choice of forum. The convenience of the parties and the convenience of the witnesses were both neutral, as most evidence was electronic and the parties could access either forum with relative ease. The court also noted that California courts were particularly familiar with the relevant privacy statutes and had a strong interest in enforcing them. With no compelling showing of inconvenience or judicial economy to support transfer, the court denied the motion.