Welcome to the thirteenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. A lot happened in April. In this month’s post, we look at two decisions from California that addressed whether language in the privacy policy can establish the plaintiff consented to the recording and sharing of chat communications. We also take a look at three VPPA decisions granting motions to dismiss where plaintiffs failed to allege facts that satisfy the definitional prerequisites of the statute. Additionally, we note a recent development in one pending case where the VPPA is being challenged as unconstitutional.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. The contents provided below are time-sensitive and subject to change. 

1. Litigation Updates

a. Chat Wiretapping Lawsuits

The first decision we are discussing is a 32-page order wherein the court grappled with a series of arguments by the defendant, including that: (1) the plaintiff could not show they were injured by the complained-of activity; and (2) the plaintiff consented to the chat communications being shared with the third-party. The court first considered the defendant’s argument that lawsuit should be dismissed under Article III because the plaintiff failed to show they had been injured by participating in the chat communications. Although the court recognized the disagreement within the southern district of California regarding whether TransUnion undermined In re Facebook’s holding that an alleged violation of CIPA itself is sufficient to allege an injury in fact, the court then concluded that, absent of further indication that In re Facebook is overruled, this court would continue to apply it. The court then addressed the defendant’s argument that the plaintiff consented to sharing the chat communications with a third party because the chat included an icon that notified visitors that by starting a chat, they consented to the website’s privacy policy, which disclosed the sharing. This is similar to how users to call centers are informed that they consent to the call being recorded by continuing with the call. The court did not resolve whether this was sufficient because it found the screenshot showing the notification was taken after the plaintiff’s communication and therefore it could not be shown the notification was in place when the alleged injury occurred. The court also rejected the defendant’s alternative argument that the privacy policy itself, which was available via hyperlink at the bottom of the website, established consent. The court noted most courts will not find a website visitor has read a policy where the website has not prompted the user to take some affirmative action. Ultimately, the court denied the motion to dismiss and allowed the case to proceed toward discovery.

Our second decision is an unpublished decision from the Central District of California, which also addressed the issue of consent. The plaintiff visited the website for a well-known grocery store company, where the plaintiff alleges the defendant routed communications through a third-party, which the defendant allowed to save a transcript which it could then use for analytics and marketing to consumers via social media. The defendant argued the court could find implied consent because the defendant’s privacy policy disclosed the website “use[ s] third-party technology to better understand your online behavior” and that it “may share your information with our service providers who provide us support services such as … answering your questions.” The court rejected the defendant’s argument, finding the plaintiff’s complaint did not reference the privacy policy or provide any indication the plaintiff read it. Although that resolved the issue, the court nevertheless continued and found even if the plaintiff had viewed the policy, it did not establish consent because the policy “does not explicitly state that [the defendant] intended to route chats to third parties who would read, store, and harvest data from those chats.” This case should serve as a warning to other websites who use similar language.

The third and final decision we are covering this month did not consider whether the plaintiff consented to recording (and sharing) chat communications. We are instead including this decision as a reminder that courts remain inconsistent in how they handle whether a third party vendor is considered a party to the communication or an eavesdropper – and what level of specificity courts require to make that showing. In this case, the court accepted the plaintiff’s uncited allegations that the third party uses data it collects for its own purposes, at its own direction. The court found “[a]t this stage, these allegations are enough. Whether [the third-party actually uses the information or actually sells—or intends to sell—the customer data is a factual dispute.”

b. Session Replay Lawsuits

We are covering two session replay decisions this month, both of which addressed whether the court had specific jurisdiction over the defendant in cases involving online data collection following the Ninth Circuit’s Briskin decision in December 2023.

In our first decision, the plaintiff visited the website of a national apparel company, which allegedly used session replay technology to record and transmit the plaintiff’s behavior, “including pages and content viewed, and information given to the website, such as search terms, contact information, orders, and credit card information.” Although it initially sounds like the dispute would be over whether the recorded information was or was not “contents” (a common dispute in wiretapping cases), the court instead resolved the case by finding it lacked jurisdiction over the defendant. The court rejected the plaintiff’s arguments that the defendant had directed the website into California, finding the plaintiff’s alleged injury did not relate to any product shipped into the state but instead general use of the website that treated visitors from all states the same.

In contrast, our second decision held specific jurisdiction existed over a pizza-delivery website. The court distinguished the Briskin decision, wherein the party at issue was a back-end payment processor, from the case at bar, wherein the defendant was based on local pizza delivery stores that prepared and delivered products to the homes of California residents. Unlike our first decision, this court did not consider whether the defendant’s alleged harm arose from the delivered-product or the online-only activity.

c. Video Privacy Protection Act (“VPPA”) Lawsuits

We are covering three decisions under the VPPA from April which show plaintiffs’ claims being dismissed based on allegations that fail to satisfy the VPPA’s definitions of “subscriber” and “video service provider.” We are also highlighting a development in one case where the VPPA’s constitutionality is being challenged.

The first decision we are covering is in the Southern District of New York, where the Court dismissed a plaintiff’s VPPA claim against a media broadcasting company that owns websites offering news and video content. The plaintiff alleged he subscribed to one of the defendant’s websites, where his personal information and the videos he viewed were shared with Facebook via the Meta Pixel without his consent. Although the Court rejected the defendant’s lack of standing arguments, it agreed the plaintiff was not a “consumer” under the VPPA because the court found the plaintiff could not be a “renter” or “purchaser” under the VPPA because he did not allege to making payments to the defendant. And as to whether plaintiff was a “subscriber,” the court relied on other decisions to find that someone who simply inputs his email address on a company’s website and receives a free newsletter containing links to videos on the website that are generally accessible to other website visitors, is not a “subscriber” within the meaning of the VPPA. According to the court, “[a] reasonable reader of the VPPA would understand the reference to ‘goods or services from a video tape service provider’ in the statute’s definition of ‘consumer’ to refer to ‘audio-visual materials,’ not ‘goods or services writ large.’” Because plaintiff did not adequately allege to qualify as a “consumer” under the VPPA, the defendant’s motion to dismiss was granted. This decision is a reminder that even when the defendant may be a “video tape service provider,” liability is still a question.

The next decision we are covering is from the Western District of Texas which similarly dismissed a VPPA claim on the grounds that the plaintiff failed to sufficiently allege he was a “subscriber” within the VPPA’s definition of a “consumer.” In this case, the defendants operated websites for schools and universities, and would invite website visitors to subscribe to email newsletters that provided links to videos and other content. The plaintiff, on behalf of a proposed class, subscribed to one of these newsletters and alleged that the defendants shared his personal information and video selections through the Meta Pixel without his consent. The Court rejected defendants’ dismissal arguments based on sovereign immunity and the non-presence of an indispensable party — a state university whose website defendants operated had previously been a co-defendant in the case — but agreed with defendants that the plaintiff was not a “subscriber” under the facts alleged. To align with “almost identical VPPA adjudications against” the same defendants but based on an “alternative reasoning,” the Court held that the plaintiff failed to allege he was a “subscriber” because the VPPA only applies to consumers (including subscribers) of audio visual services, and that the plaintiff did not allege videos were in the newsletters or that his status as newsletter subscriber was a condition to accessing the website’s videos or enhancing his viewing experience. In reaching this conclusion, the Court noted a circuit split on the issue of whether email newsletter subscribers constitute “subscribers” under the VPPA and that “clarity from Congress would be prudent.”

The third case we are covering comes from the Central District of California which also granted a motion to dismiss the plaintiff’s VPPA claim but based on the defendant not selling or otherwise monetizing videos to fall within the definition of a “video tape service provider” under the statute. Here, the defendant sold its products on a website that hosted promotional and human-interest videos and, as the plaintiff alleged, used Google Analytics to collect and share a visitors’ video-watching behavior without consent. Although the plaintiff’s complaint was careful not to identify the types of products the defendant sold, the Court nevertheless found that the website’s videos were not the defendant’s product and that it was not engaged in the business of delivering video content by including such videos on its website. As the Court noted, “[u]sing videos for ‘brand awareness’ rather than as part of ‘a particular field of endeavor’ shows that Defendant’s business is not ‘centered, tailored, or focused around providing and delivering audiovisual content.’” On this basis, the Court dismissed the plaintiff’s complaint.

A final case of note is in the Central District of California where the U.S. Department of Justice (DOJ) filed a memorandum to support the constitutionality of the VPPA. In that case, the plaintiff has brought class claims under the VPPA, alleging that defendant movie theater operators disclosed customers’ personal information through Meta’s tracking pixel online. One of the defendants has filed a motion to dismiss (which is still pending) but also filed a notice of a constitutional challenge to the VPPA under Federal Rule of Civil Procedure 5.1. In response to that notice, the DOJ submitted a memorandum to the court defending the VPPA’s constitutionality. Specifically, the DOJ argued that the VPPA is not unconstitutionally vague because it has reasonably clear terms that have been interpreted by various courts, and that the law passes intermediate scrutiny to survive a First Amendment challenge. We will be tracking this and other constitutional challenges to the VPPA as they develop.

d.         Pen Registry Lawsuits

This section is limited to members of Byte Back+. Interested in learning more about Byte Back+? Click here.

e.         Daniel’s Law

Plaintiffs have recently filed more than 140 lawsuits under New Jersey’s “Daniel’s Law,” which allows a “Covered Person” or their “Authorized Person” to request a “person, business, or association” to not “disclose or re-disclose on the Internet or otherwise make available” the Person’s home address or unpublished home telephone number. The Law provides a private right of action for any Covered Person against any “person, business, or association” who: (1) receives from the Covered Person a notification that complies with the statute and; (2) after 10 business days of receiving such notice, discloses or re-discloses on the Internet “or otherwise makes available” the home address or unpublished home telephone number of any covered person “who has received approval from the Office of Information Privacy for the redaction or nondisclosure of the covered person’s address.”

2. On the Radar

In this section we identify other types of data privacy lawsuits we are watching and other interesting information in the world of data privacy litigation.

We are continuing to watch pen registry cases but have made a new section for those cases. We are also continuing to watch voice recording lawsuits, but this appears to be a trend that failed to catch momentum.

3.  Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

• How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
• Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
• Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
• Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
• Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
• Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).

[View source.]