Privacy Litigation

Keypoint: In this post: (1) The Ninth Circuit holds essentially any website can be sued in California; (2) two courts limit pen registry claims; (3) courts split on whether privacy policies establish consent for wiretapping claims; (4) Arizona court rejects “spy pixel” theory; and (5) courts continue to expand what is “content” for wiretapping claims.

This is our twenty-third installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you would like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn. Finally, for an overview of current U.S. data privacy litigation trends and issues, see Part 2 here.

Keypoint: In this post: (1) California considers a “commercial exception” to wiretapping and pen registry laws; (2) a rise in federal wiretapping claims against websites; (3) more courts impose “knowledge or intent” requirement for Section 631(a); and (4) the Ninth and Seventh Circuits limit and expand the VPPA’s application.

This is our twenty-second installment in our data privacy litigation report covering decisions from the previous month. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out and let us know.

Will you be at the IAPP Global Privacy Summit 2025 in Washington DC on April 23-24? If so reach out!

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: In this post: (1) How a privacy policy can defeat a plaintiff’s “delayed discovery” argument; (2) Two CA state courts reject plaintiffs’ allegations concerning personal jurisdiction; (3) Three courts dismiss PR/TT claims due to lack of harm; (4) Two courts diverge on certifying VPPA classes; and (5) First MHMD case filed in Washington.

This is our twenty-first installment in our monthly data privacy litigation report. As we forecast last month, we are tweaking the format of these posts to hopefully provide readers with the most helpful information in the easiest to digest manner. If you have any thoughts on what you’d like to see (either in content or form) from these posts, please don’t hesitate to reach out!

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Five Takeaways from Privacy Litigation Decisions in January 2025

Welcome to the twentieth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. After our expansive “holiday edition” post last month we are changing things up a bit with this month’s post. Instead of providing case summaries on multiple decisions we are providing five takeaways from cases in the past month. Our hope is this provides a more practical post for in-house counsel and business owners facing the quickly changing world of privacy litigation.

Do you find these posts helpful? Wish we would cover another privacy trend or provide more information? If so – we want to hear from you! Please reach out and let us know what you would like to see in future privacy litigation updates.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Almost one year after the law went into effect, the first My Health My Data class action lawsuit was filed in Washington.

On February 10, 2025, a class action lawsuit was filed against an online retailer under the Washington My Health My Data (MHMD) Act’s private right of action. The complaint also alleges violations of federal wiretapping and computerized communications laws. MHMD went into effect on March 31, 2024. Despite initial speculation that the law would lead to significant civil litigation, no lawsuits were filed under it until now.

In this post, we provide a brief summary of the complaint, including the factual allegations, causes of action, and damages sought.

Keypoint: Twenty-five (25) privacy decisions from October-December show a significant uptick in the number of pixel-based wiretapping decisions issued from courts nationwide.

Welcome to the nineteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. We are covering decisions from three months in this “holiday edition” update that covers decisions from October, November, and December 2024. Our holiday edition post covers the chat, session replay, and VPPA decisions just like our normal posts but also includes pixel-based wiretapping claims and pen registry/tap and trace decisions that are normally accessibly only by Byte Back + members. Interested in learning more about Byte Back+? Contact the authors or click here.

We are covering twenty-five (25) decisions in this holiday edition post, including four (4) chat-wiretapping decisions, four (4) SRT-wiretapping decisions, ten (10) pixel-wiretapping decisions, five (5) pen registry/ tap and trace (“PRTT”) decisions, and two (2) VPPA decisions. With that, let’s get to it.

Before we do, however, a quick disclaimer. There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Massachusetts’ highest court ruled the use of software that tracks users’ activity on its website does not violate the state’s Wiretap Act, which was intended to prevent the recording or interception of communications between two or more persons.

On October 24, the Massachusetts Supreme Judicial Court held the state’s wiretapping act did not apply to the collection of users’ browsing activities on websites. In Vita v. New England Baptist, Massachusetts’ highest State Court held in a 5-1 decision that although the law did not define “communication,” it nevertheless was limited to communications between individuals and did not extend to cover a user’s browsing on a website. This decision, which is limited to the Massachusetts Wiretap Act, establishes that website operators can use tracking tools like Meta Pixel and Google Analytics to gather users’ browsing data without their consent, highlighting the limitations of the decades-old surveillance laws in addressing modern privacy concerns. Notably, several California courts have reached opposite conclusions under the corresponding California wiretapping laws (commonly known as CIPA Section 631(a)).

In the below article, we provide an overview and analysis of the Massachusetts Supreme Judicial Court ruling and the potential impact on the wave of privacy litigation ongoing in California Courts.

Keypoint: California state courts weigh in on what does, and does not, qualify as a “pen registry” or “tap and trace” device while one California federal court raises whether a wiretapping claim can also allow for a CCPA privacy right of action.

Welcome to the eighteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we examine two decisions from California Federal District Courts that dismissed chat-based wiretapping claims. We also look at four VPPA decisions (three from the same jurisdiction) that all dismissed VPPA claims under Rule 12(b)(6), showing courts’ growing lack of patience for plaintiffs’ attorneys who fail to plead such claims with specificity and under the standards established by past VPPA decisions.

Byte Back + members also get access to coverage of four pen registry decisions, one (substantial) pixel decision, an email tracking decision, plus and our coverage of oral argument in the Ninth Circuit’s Briskin v Shopify decision. Interested in learning more about Byte Back+? Contact the authors or click here.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: California district courts continue to split over whether “knowledge” is required to plead liability under Section 631(a)’s fourth prong while two decisions show courts taking different approaches to VPPA claims at the pleading stage.

Welcome to the seventeenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, California district courts continue to disagree over whether “knowledge” that the third party’s actions violated the law is required to prove liability under the fourth prong of Section 631(a), with the most recent court to address the question holding such knowledge is required. These district courts also continue to apply different standards to determine whether a third party has the capability to use intercepted communication-content for its own purpose. One court found the plaintiff’s allegations conclusory and dismissed a complaint while another court found the plaintiff sufficiently alleged a third-party had the capability to use the intercepted information for its own purpose when the plaintiff alleged the third party used the communications to train its AI model.

Although we only examine one SRT decision this month, the decision examines wiretapping law in California, Maryland, Minnesota, and Florida. The decision addresses issues of consent, standing, and our more “traditional” reasons for dismissal. We also look at two VPPA decisions that illustrate how courts in different circuits are handling Rule 12(b)(6) motions to dismiss.

Byte Back + members also get a look at two pixel-based wiretapping claims, two pen registry decisions, and two other privacy litigation decisions. Interested in learning more about Byte Back+? Contact the authors or click here.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Keypoint: Courts have started to issue Pixel-based wiretapping decisions, the Seventh Circuit weighs in on when a manufacturer can be forced to pay arbitration fees, and three courts showed different approaches to dismissing VPPA claims at the pleading stage.

Welcome to the sixteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we are covering two wiretapping decisions based on chat services on website and one based on use of SRT.

If you are a Byte Back+ member, you will also see our coverage on the recent trend of cases brought under pen registry laws and—new this month—multiple “pixel” cases that are disconnected from session replay or chat-based theories and an update regarding an arbitration defendant can be forced to pay arbitration fees. Members also get access to our “other lawsuits” section, where this month we are covering one decision that involves an AI/machine learning based technology used to provide customer support agents with suggested responses to common questions from customers and two decisions from the Seventh Circuit that consider whether a large manufacturer can be forced to pay arbitration fees for thousands of arbitration demands when the manufacturer withheld payment after disagreeing with the merits of the demands.

Interested in learning more about Byte Back+? Click here.

We are also covering four VPPA decisions resolving motions to dismiss that illustrate a plaintiff’s prima facie burden at the pleading stage and the potential for joint and several liability under the statute.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.