U.S. Privacy Litigation Update: September 2024

Keypoint: California state courts weigh in on what does, and does not, qualify as a “pen registry” or “tap and trace” device while one California federal court raises whether a wiretapping claim can also allow for a CCPA privacy right of action.

Authors: Owen Davis and Dustin Taylor

Welcome to the eighteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we examine two decisions from California Federal District Courts that dismissed chat-based wiretapping claims. We also look at four VPPA decisions (three from the same jurisdiction) that all dismissed VPPA claims under Rule 12(b)(6), showing courts’ growing lack of patience for plaintiffs’ attorneys who fail to plead such claims with specificity and under the standards established by past VPPA decisions.

Byte Back + members also get access to coverage of four pen registry decisions, one (substantial) pixel decision, an email tracking decision, plus and our coverage of oral argument in the Ninth Circuit’s Briskin v Shopify decision. Interested in learning more about Byte?Back+? Contact the authors or click?here .

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn .

1. Litigation Updates

a. Chat Wiretapping Lawsuits

Two California courts—one from the Northern District and one from the Southern District—in September dismissed wiretapping claims that were based on the “chat” theory of liability. In the first decisionv, issued September 26, the defendant moved to dismiss the complaint because the plaintiff never alleged they actually used the chat service. The defendant argued that even though she never expressly alleged she had used chat service, it could be inferred from the allegations that she visited the website, had communications with the defendant, and such communications were intercepted. The court disagreed and dismissed the claim. Although the court granted leave to amend, the court cautioned the plaintiff that any such amendment would need to do more than conclude the plaintiff had used the chat service. The plaintiff will need to also provide detail, such as the content of the alleged chat communication, to allege any privacy injury.

The second decision issued four days later, on September 30. Here, the plaintiff alleged when she visited the website of a national fitness company and used the chat feature on the website, the contents of her communications were routed through a third-party vendor who had the capability of using the communications for their own purposes, such as storing the communications indefinitely and analyzing how likely a website visitor was to purchase the defendant’s products. The defendant argued the Section 631 claim should be dismissed for three reasons: (1) that the vendor was merely a tool the defendant used to communicate with website visitors; (2) the plaintiff failed to allege interception of any communication; and (3) the plaintiff did not allege she entered any “contents” of communication into the chat feature. The court agreed with all of the defendant’s arguments and dismissed the case. The court first found the plaintiff’s allegations merely established the use was for the defendant’s benefit. The court next found the plaintiff failed to allege “how” the interception occurred. Finally, the court found the plaintiff did not meet her burden to demonstrate that her “engage[ment]” with the chat feature contained more than record information.”

b. Session Replay Lawsuits

We are not covering any session replay lawsuits this month. Check back next month to see if the courts have issued any decisions

c. Pixel-based wiretapping claims

Under this theory, the mere use of a pixel (e.g., the Facebook/Meta pixel or the Google Analytics cookies) violate wiretapping laws. This theory has long been promoted by a limited number of plaintiffs’ firms that preferred arbitration to court, but we are now seeing this theory gain more traction by other plaintiff firms and appear in traditional court pleadings as well. This section is limited to Byte Back+ members. Not a member of Byte Back+? Reach out to the authors to learn more.

d. Pen Registry Lawsuits

We are covering four “tap and trace” / “pen register” decisions this month. This section is limited to members of Byte?Back+. Interested in learning more about Byte?Back+? Contact the authors or click?here .

e. Video Privacy Protection Act (“VPPA”) Lawsuits

We are covering four decisions concerning the VPPA from September. The first three decisions come from the Southern District of New York, while the last decision comes from the Western District of Washington. In all four decisions, the courts dismissed the plaintiffs’ VPPA claims under Rule 12(b)(6).

The first decision we are covering comes from the Southern District of New York where the court granted the defendant’s motion to dismiss. The plaintiff in the case alleged that the defendant, a professional sports league, violated the VPPA by disclosing to Facebook, through the Meta Pixel and Facebook SDKs, personally identifiable information (PII) of users who visited the defendant’s website, mobile application, and subscription service. The defendant sought to dismiss the plaintiff’s class action claim under Rule 12(b)(1) and 12(b)(6). The court first rejected the defendant’s argument under Rule 12(b)(1) — that the plaintiff lacked standing to sue because he consented to tracking provisions in the defendant’s terms of service and privacy policy and therefore, could not have suffered a cognizable harm. According to the court, this argument did “not advance the ball” given that the plaintiff had specifically alleged that he did not consent to the sharing of his PII with Facebook. Turning to the defendant’s Rule 12(b)(6) arguments, however, the court agreed that the plaintiff’s failure to specifically plead that he watched “pre-recorded video content” on defendant’s services was fatal to his VPPA claim. “Even accepting the non-pleaded fact that [defendant’s subscription service] has prerecorded content (to which the parties nonetheless appear to agree), the Court agrees with Defendant that Plaintiff, by failing to plead that he viewed prerecorded video content through [defendant’s subscription service], has insufficiently alleged that he was a consumer of a ‘video tape service provider.’” In dismissing the lawsuit, the court notably denied the plaintiff’s request to stay the case pending the outcome of the Second Circuit appeal in Salazar v. Nat’l Basketball Ass’n, No. 23-1147, going against a recent trend in the Southern District of New York to stay VPPA cases until that appeal is decided.

The second decision we are covering is also from the Southern District of New York where the court similarly dismissed the plaintiffs’ VPPA claims against the defendant, a non-profit organization that produces popular videos of pre-recorded talks hosted on its website and mobile application. According to the complaint, the defendant shared users’ PII (names, email addresses, videos viewed, and user IDs) with third-party service providers Leanplum, Mixpanel, and OpenWeb for marketing and data analytics purposes. In granting the defendant’s motion to dismiss (without prejudice), the court rejected the argument that plaintiffs lacked standing but agreed that the complaint failed to state a VPPA claim because it did not sufficiently allege that the plaintiffs were “consumers” under the statute. As we’ve seen in other VPPA cases, the court relied on a six-factor test from the Eleventh Circuit’s 2015 decision in Ellis v. Cartoon Network, Inc., concluding that the complaint did not show that the plaintiff met the “commitment,” “delivery,” or “access to restricted content” factors from Ellis. On that final factor, the court held that it was insufficient for the plaintiffs to claim that having user accounts (to defendant’s services) allowed them to download videos. According to the court, “[h]aving the ability to download videos is different in kind from having ‘special access to certain content’ unavailable to non-account-holders.”

The third decision we are covering also comes from the Southern District of New York where the court granted the defendant’s motion to dismiss the plaintiff’s VPPA claim with prejudice. In a third amended complaint, the plaintiff alleged that the defendant, a multinational media conglomerate that owns broadcasting networks and a popular morning show, used the Meta Pixel to share PII of users who registered for the morning show’s digital newsletters and mobile application. The sole issue on the defendant’s motion to dismiss was whether the plaintiff plausibly alleged that she was a “consumer” under the VPPA. The court held that she failed to meet the “consumer” definition for two reasons: (1) the plaintiff failed to link her alleged subscription to her use of the morning show’s free mobile application where videos were watched; and (2) the complaint lacked any allegations that hyperlinks contained in the newsletters plaintiff received gave her access to exclusive video content otherwise unavailable to the general public. Citing the first decision summarized above in this post, the court noted that the plaintiff’s access to a newsletter containing hyperlinks to videos on a website—that non-subscribers could just as easily access on the same website—does not make her a subscriber to video content to satisfy the VPPA’s definition of “consumer.”

The final decision we are covering comes from the Western District of Washington where the court dismissed plaintiffs’ VPPA claims without prejudice against defendants who operate a large online retailer and video streaming service. Here, the plaintiffs alleged that the defendants’ affiliated entities had access to the PII of plaintiffs and other users of the defendants’ video streaming service, in violation of the VPPA. The court dismissed the complaint on two grounds. First, the court observed that allegedly providing access to PII does not plausibly suggest that the defendants took the “affirmative act of disclosing that data” or that such data was actually received, as required to state a VPPA claim. Second, the court agreed with defendants that the plaintiffs had failed to plausibly allege that their PII had been disclosed to any third parties unaffiliated with the defendants. For the court, it was not sufficient for the plaintiffs to simply surmise that the defendants must have disclosed PII to third parties based simply on the statement in the defendants’ terms of use that they “may provide information about your viewing behavior to third parties.”

f.?? Other Lawsuits

This section covers privacy-related lawsuits that do not fit within the above categories but lack enough decisions to warrant their own category. This section is also limited to members of ByteBack+.

2. Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

• How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
• Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
• Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
• Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
• Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section?631.
• Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. §?2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code §?638.51. Traditionally, pen regpisters were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” §?638.50(b).