Keypoint: Twenty-five (25) privacy decisions from October-December show a significant uptick in the number of pixel-based wiretapping decisions issued from courts nationwide.

Welcome to the nineteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. This “holiday edition” update covers three months of decisions, from October, November, and December 2024. It covers the chat, session replay, and VPPA decisions just like our normal posts but also includes pixel-based wiretapping claims and pen registry/tap and trace decisions that are normally accessible only to Byte Back+ members.

We are covering twenty-five (25) decisions in this holiday edition post, including four (4) chat-wiretapping decisions, four (4) SRT-wiretapping decisions, ten (10) pixel-wiretapping decisions, five (5) pen registry/tap and trace (“PRTT”) decisions, and two (2) VPPA decisions. With that, let’s get to it.

Before we do, however, a quick disclaimer. There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Massachusetts’ highest court ruled the use of software that tracks users’ activity on its website does not violate the state’s Wiretap Act, which was intended to prevent the recording or interception of communications between two or more persons.

On October 24, the Massachusetts Supreme Judicial Court held the state’s wiretapping act did not apply to the collection of users’ browsing activities on websites. In Vita v. New England Baptist, Massachusetts’ highest state court held in a 5-1 decision that although the law did not define “communication,” it nevertheless was limited to communications between individuals and did not extend to cover a user’s browsing on a website. This decision, which is limited to the Massachusetts Wiretap Act, establishes that website operators can use tracking tools like Meta Pixel and Google Analytics to gather users’ browsing data without their consent, highlighting the limitations of decades-old surveillance laws in addressing modern privacy concerns. Notably, several California courts have reached opposite conclusions under the corresponding California wiretapping laws (commonly known as CIPA Section 631(a)).

In the article below, we provide an overview and analysis of the Massachusetts Supreme Judicial Court ruling and its potential impact on the wave of privacy litigation ongoing in California courts.

Keypoint: California state courts weigh in on what does, and does not, qualify as a “pen registry” or “tap and trace” device while one California federal court raises whether a wiretapping claim can also allow for a CCPA privacy right of action.

Welcome to the eighteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we examine two decisions from California Federal District Courts that dismissed chat-based wiretapping claims. We also look at four VPPA decisions (three from the same jurisdiction) that all dismissed VPPA claims under Rule 12(b)(6), showing courts’ growing lack of patience for plaintiffs’ attorneys who fail to plead such claims with specificity and under the standards established by past VPPA decisions.

Byte Back+ members also get access to coverage of four pen registry decisions, one (substantial) pixel decision, an email tracking decision, plus our coverage of oral argument in the Ninth Circuit’s Briskin v. Shopify decision.

Keypoint: California district courts continue to split over whether “knowledge” is required to plead liability under Section 631(a)’s fourth prong while two decisions show courts taking different approaches to VPPA claims at the pleading stage.

Welcome to the seventeenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, California district courts continue to disagree over whether “knowledge” that the third party’s actions violated the law is required to prove liability under the fourth prong of Section 631(a), with the most recent court to address the question holding such knowledge is required. These district courts also continue to apply different standards to determine whether a third party has the capability to use intercepted communication-content for its own purpose. One court found the plaintiff’s allegations conclusory and dismissed a complaint, while another court found the plaintiff sufficiently alleged a third party had the capability to use the intercepted information for its own purpose when the plaintiff alleged the third party used the communications to train its AI model.

Although we only examine one SRT decision this month, the decision examines wiretapping law in California, Maryland, Minnesota, and Florida. The decision addresses issues of consent, standing, and our more “traditional” reasons for dismissal. We also look at two VPPA decisions that illustrate how courts in different circuits are handling Rule 12(b)(6) motions to dismiss.

Byte Back+ members also get a look at two pixel-based wiretapping claims, two pen registry decisions, and two other privacy litigation decisions.

Keypoint: Courts have started to issue Pixel-based wiretapping decisions, the Seventh Circuit weighs in on when a manufacturer can be forced to pay arbitration fees, and three courts showed different approaches to dismissing VPPA claims at the pleading stage.

Welcome to the sixteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we are covering two wiretapping decisions based on chat services on websites and one based on the use of SRT.

If you are a Byte Back+ member, you will also see our coverage on the recent trend of cases brought under pen registry laws and—new this month—multiple “pixel” cases that are disconnected from session replay or chat-based theories, and an update regarding whether an arbitration defendant can be forced to pay arbitration fees. Members also get access to our “other lawsuits” section, where this month we are covering one decision that involves an AI/machine learning based technology used to provide customer support agents with suggested responses to common questions from customers and two decisions from the Seventh Circuit that consider whether a large manufacturer can be forced to pay arbitration fees for thousands of arbitration demands when the manufacturer withheld payment after disagreeing with the merits of the demands.

We are also covering four VPPA decisions resolving motions to dismiss that illustrate a plaintiff’s prima facie burden at the pleading stage and the potential for joint and several liability under the statute.

Keypoint: Courts reject personal jurisdiction arguments and suggest the Shopify decision will be overturned; Courts continue to show differing approaches to VPPA claims at the pleading stage with a large VPPA class action settlement recently approved.

Welcome to the fifteenth installment in our monthly data privacy litigation report. We would like to thank Liz Ignowski, a summer associate with Husch Blackwell, for her help with this month’s report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at several cases that decline to follow the Ninth Circuit’s Shopify decision, which is currently pending rehearing, and then deny motions to dismiss for lack of personal jurisdiction. We also look at how courts are deciding whether the party exception applies to a complaint, and what facts are necessary to survive a motion to dismiss on consent and the contents of a communication. Additionally, we look at three VPPA decisions from June, where courts granted, denied, or deferred motions to dismiss, showing that although new VPPA cases may have decreased, courts are still allowing these claims to proceed past the pleading stage. We also highlight a VPPA class action settlement approval that illustrates how costly these claims can be if they survive the pleading stage.

Keypoint: The Central District of California issued several wiretapping decisions in May while two decisions on the VPPA illustrate how claims fail or succeed at the pleading stage.

Welcome to the fourteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at multiple courts that distinguish the Ninth Circuit’s Shopify decision and deny motions to dismiss for lack of personal jurisdiction, and at how courts reach opposite conclusions regarding whether the “contents” of a communication were transmitted to a third party. We also take a look at two decisions that granted and denied motions to dismiss VPPA claims, and highlight one case where the federal government has again intervened to defend the VPPA’s constitutionality.

If you are a Byte Back+ member, you will also see our coverage on recent lawsuits beyond the wiretapping and VPPA claims, including the recent trend of cases brought under pen registry laws, efforts against plaintiffs who have brought wiretapping claims in private arbitration rather than the public courts, and—new this month—the recent flood of cases brought under New Jersey’s Daniel’s Law.

Keypoint: The Central District of California issues a major victory for website owners facing CIPA-arbitration demands, two decisions address whether a plaintiff consented as a defense to wiretapping claims, three courts in different states each dismissed VPPA claims, and another court weighs in on the recent pen registry case theory.

Welcome to the thirteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. A lot happened in April. In this month’s post, we look at two decisions from California that addressed whether language in the privacy policy can establish the plaintiff consented to the recording and sharing of chat communications. We also take a look at three VPPA decisions granting motions to dismiss where plaintiffs failed to allege facts that satisfy the definitional prerequisites of the statute. Additionally, we note a recent development in one pending case where the VPPA is being challenged as unconstitutional.

If you are a Byte Back+ member, you will also see our coverage on recent lawsuits beyond the wiretapping and VPPA claims, including the recent trend of cases brought under pen registry laws, efforts against plaintiffs who have brought wiretapping claims in private arbitration rather than the public courts (including a major victory for website owners), and—new this month—the recent flood of cases brought under New Jersey’s Daniel’s Law.

Keypoint: Two California state court decisions have addressed motions to dismiss claims under the novel “pen registry” and “tap and trace” theories, but reached different outcomes after finding different policy considerations more important.

In July 2023, a Southern District of California District Court denied a motion to dismiss in Greenley v. Kochava, 2023 WL 4833466 (S.D. Cal. July 27, 2023), in which the plaintiff argued an SDK developer violated California laws that prohibited use of a “pen registry” and “tap and trace” device by building into the SDK code that forwarded location information to the SDK developer.

Keypoint: Multiple decisions from the same judicial district come down differently on wiretapping claims while three courts in different states each reject VPPA-defendants’ arguments that the plaintiffs lacked Article III standing.

Welcome to the twelfth installment in our monthly data privacy litigation report. Not only does this month’s post mean we have been doing this for over a year now (and actually a little longer as there was at least one post that combined two months of updates into one post because, well, holidays), but more importantly we are releasing this post on the eve of heading to Washington, D.C. to attend the IAPP Summit. If you will be there, make sure to come and meet us!

We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at three decisions from the Southern District of California, each of which addressed nearly identical factual allegations and legal arguments but reached different conclusions. We also take a look at three VPPA decisions denying motions to dismiss regarding claims premised on the Meta Pixel that highlight how district courts are addressing Article III standing objections and the required specificity of a plaintiff’s allegations at the pleading stage.

If you are a Byte Back+ member, you will also see our coverage on recent lawsuits beyond the wiretapping and VPPA claims, including the recent trend of cases brought under pen registry laws and efforts against plaintiffs who have brought wiretapping claims in private arbitration rather than the public courts.