Keypoint: California district courts continue to split over whether “knowledge” is required to plead liability under Section 631(a)’s fourth prong while two decisions show courts taking different approaches to VPPA claims at the pleading stage.

Welcome to the seventeenth installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, California district courts continue to disagree over whether “knowledge” that the third party’s actions violated the law is required to prove liability under the fourth prong of Section 631(a), with the most recent court to address the question holding such knowledge is required. These district courts also continue to apply different standards to determine whether a third party has the capability to use intercepted communication-content for its own purpose. One court found the plaintiff’s allegations conclusory and dismissed a complaint while another court found the plaintiff sufficiently alleged a third-party had the capability to use the intercepted information for its own purpose when the plaintiff alleged the third party used the communications to train its AI model.

Although we only examine one SRT decision this month, the decision examines wiretapping law in California, Maryland, Minnesota, and Florida. The decision addresses issues of consent, standing, and our more “traditional” reasons for dismissal. We also look at two VPPA decisions that illustrate how courts in different circuits are handling Rule 12(b)(6) motions to dismiss.

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. The contents provided below are time-sensitive and subject to change. 

1. Litigation Updates

a. Chat Wiretapping Lawsuits

Our first decision highlights a growing split between California federal district courts over whether liability under the fourth prong of Section 631(a) requires the plaintiff to prove the defendant knew the third-party’s conduct constituted a breach of duty. The court found the fourth prong does require this “knowledge.” In doing so, the court distinguished the 2023 Cousins decision from the Central District of California and identified three reasons to support the “knowledge” requirement. First, although the fourth prong does not contain the word “abet” (which the Cousins court found controlling), the first and second clauses contain the following language: “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things.” This court found the only way one could “unlawfully” do those things is by acting “intentionally” or “willfully” and the absence of the word “abet” therefore does not negate any requirement of knowledge or intent under clause four. Second, the court noted Section 631’s “criminal nature,” and found that under aiding and abetting principles of criminal law, “liability under clause four could only arise if the defendant knew the perpetrator intended to commit the crime and intended to aid and abet the perpetrator in committing the crime.” Third, the court found under California civil law, the common law definition of “aiding” applies when the specific provision does not impose an explicit scienter requirement. This court also noted two other courts have required knowledge for liability under the fourth prong. Certainly, other courts have rejected this requirement and we may see the Ninth Circuit weigh in to resolve this split.

In our next decision, a Central District court considered a third motion to dismiss the plaintiff’s complaint, having granted the previous two motions. By this time, the only issue was whether the plaintiff could prove liability under the fourth prong (“aiding and abetting”). The court found the plaintiff could not and (again) dismissed the complaint. The court walked through each of the prongs under which the plaintiff would have to prove liability for the defendant to have aided the third party’s violation of Section 631(a). The court first found there could be no liability under the first prong because the plaintiff alleged they visited the chat service using their cell phone’s web browser, which has repeatedly been found insufficient for liability. The court then found the plaintiff failed to plead the communications were “intercepted” while in transit, rejecting the plaintiff’s allegations that “secret code” was used to automatically route the communications to the third party.

In our third chat decision, the court dismissed the complaint after finding the plaintiff failed to allege the third-party had the capability to “use” the information it allegedly obtained. The court found the plaintiff’s “sole allegations” pertaining to the alleged use were that the defendant’s website said the third party “may record, store, and use communication [sic] for the purposes of collecting information about a specific user,” “creates a transcript … that Defendant can also access” and “uses chat data to enhance its own business.” The court found these allegations were “too general and conclusory to support a reasonable inference” that the third-party had the capability to use the communications for any purpose beyond providing it to the defendant.

The final decision we are covering this month involves a large chat service provider. In response to a prior motion to dismiss, the court had dismissed the Section 631 claim after finding the plaintiff did not plausibly allege the third party had the capability to use the communications for their own purpose. The plaintiff filed an amended complaint and alleged the third party used the communications to train its AI models that form the basis of its service in addition to other ways. Although the defendant had moved to dismiss the Section 631 claim, it later admitted the plaintiff had sufficiently alleged the defendant had the capability to use the communications for its own purpose even if it disagreed with the truth of the allegations. The defendant also moved to dismiss the Section 631 claim because the communications were not intercepted “in transit” because the third party’s servers were the intended destination of the communication. The court disagreed, finding the defendant could not have been the intended destination it was not the intended recipient of the communication.

b. Session Replay Lawsuits

In the only SRT decision we are covering this month, the plaintiffs alleged the defendant shared sensitive information with third parties, including Facebook, when website visitors filled out a questionnaire on the defendant’s website. The plaintiff brought claims under not only California’s wiretapping act, but also the wiretapping acts of Maryland, Minnesota, and Florida.

The court first considered whether the plaintiffs had consented to the collection via the website’s privacy policy, which was available via a hyperlink at the bottom of the website. Although the court took judicial notice of the privacy policy, the court found whether the policy established the plaintiffs’ consent to the alleged recording was a factual issue.

The court next considered whether the plaintiffs had standing to bring the claim. The court noted the tension between the Ninth Circuit’s 2020 In re Facebook decision, which found violations of a right to privacy sufficient to establish harm and thus standing and the U.S. Supreme Court’s 2021 TransUnion decision, which suggested “disclosure of private information and instruction upon seclusion” were not a concrete ham required to sue in federal court. Although the court acknowledged how district courts split on whether TransUnion overruled In re Facebook, the court found the plaintiffs met the standing requirement under either test because each named plaintiff alleged the interception of specific personal and sensitive information, including their name, date of birth, gender, email address, and health information.

Next, the court considered the defendant’s arguments that the claims should be dismissed under Rule 12(b)(6). The defendant argued the plaintiff failed to allege: (1) the interception of the communication; (2) that the “contents” of a communication were intercepted; or (3) that a “device” was used to intercept the communication. The court found the plaintiff’s allegations were vague, did not meet the pleading requirements, and dismissed the complaint with leave to amend.

Although the defendant argued the plaintiffs’ claims under California, Maryland, Minnesota, and Florida law could be resolved together, the court disagreed. The court nevertheless dismissed the California, Maryland, and Minnesota claims for the same reason. For the Florida claim, however, the court also found Florida courts “have found that the FSCA does not apply to session replay software, software that records a website users’ mouse clicks, keystrokes, search terms, and information inputted into the website.”

c. Pixel-based wiretapping claims

Under this theory, the mere use of a pixel (most often the Facebook/Meta pixel) violate wiretapping laws. This theory has long been promoted by a limited number of plaintiffs’ firms that preferred arbitration to court, but we are now seeing this theory gain more traction by other plaintiff firms and appear in traditional court pleadings as well. This section is limited to Byte Back+ members. Not a member of Byte Back+? Reach out to the authors to learn more.

d. Pen Registry Lawsuits

We are covering two “tap and trace” / “pen register” decisions this month. This section is limited to members of Byte Back+. Interested in learning more about Byte Back+? Contact the authors or click here.

e. Video Privacy Protection Act (“VPPA”) Lawsuits

We are covering two decisions concerning the VPPA from August. The first decision illustrates a VPPA claim sufficiently pled to survive a Rule 12(b)(6) motion to dismiss, while the second decision continues a trend in New York courts to defer a ruling on such motions until the Second Circuit issues a ruling in a still-pending appeal.

The first decision we are covering is from the Northern District of Texas where an Article III judge adopted the recommendation of a magistrate judge to deny a motion to dismiss the plaintiff’s class action VPPA claim. As alleged in the complaint, the plaintiff subscribed to a newsletter from a political news website owned by the defendant. The plaintiff claims that defendant’s website utilized the Facebook Pixel and Conversion AI to automatically disseminate users’ personal viewing information to third parties, which included “the computer file of the video” the user viewed, a “corresponding URL,” and the user’s Facebook ID. In a lengthy recommendation, the magistrate judge denied the defendant’s motion to dismiss, finding the plaintiff had sufficiently alleged: (1) he was a “consumer” under the VPPA based on his digital subscription to video content; (2) specific video content was disclosed in the form of video titles and URLs; (3) his identity was disclosed by the defendant’s use of the Facebook Pixel; (4) a connection between the video content disclosed (video URLs) and personally identifiable information (his Facebook ID); and (5) the defendant knowingly disclosed his personally identifiable information by installing the Facebook Pixel. The Article III judge adopted the recommendation, disregarding the defendant’s reliance on more “recent” caselaw that it failed to cite in the underlying motion. The judge observed, however, “that the law regarding the VPPA and what is required to allege a valid claim under the VPPA at the pleading stage is not well developed.”

The second VPPA decision we are covering is from the Southern District of New York in which the court denied the defendant’s motion to dismiss without prejudice while agreeing to stay the case upon the plaintiffs’ request. In the case, the plaintiffs allege that the defendant—a popular business news media publisher—disclosed the video viewing histories of its website’s subscribers through the Facebook Pixel in violation of the VPPA. The defendant’s motion argued the plaintiffs had failed to adequately allege that they qualified as “consumers” under the VPPA to state a claim. The court viewed this argument favorably, noting that several previous decisions in the district had held the “consumer” element not satisfied where, as here, the plaintiff merely alleges he or she created an account with an online publication that utilized the Facebook Pixel. However, the court denied the defendant’s motion without prejudice and effectively deferred a final ruling by granting the plaintiffs’ request to stay the case pending the outcome of the Second Circuit appeal in Salazar v. Nat’l Basketball Ass’n, No. 23-1147. The court acknowledged that a stay was appropriate given that the Salazar appeal concerns “the same legal question centrally at issue here—whether plaintiffs who created accounts on sites where such accounts were not necessary to view video content qualify as ‘subscribers’ under the [VPPA’s ‘consumer’ definition].” The court therefore stayed the lawsuit until the Second Circuit issues a decision in Salazar, at which point the defendant may renew its motion to dismiss.

2. Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

• How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
• Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
• Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
• Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
• Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
• Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).

[View source.]