Keypoint: Courts reject personal jurisdiction arguments and suggest the Shopify decision will be overturned; Courts continue to show differing approaches to VPPA claims at the pleading stage with a large VPPA class action settlement recently approved.
Welcome to the fifteenth installment in our monthly data privacy litigation report. We would like to thank Liz Ignowski, a summer associate with Husch Blackwell, for her help with his month’s report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at several cases that decline to follow the Ninth Circuit’s Shopify decision, which is currently pending rehearing, and then deny motions to dismiss for lack of personal jurisdiction. We also look at how courts are deciding whether the party exception applies to a complaint, and what facts are necessary to survive a motion to dismiss on consent and the contents of a communication. Additionally, we look at three VPPA decisions from June, where courts granted, denied, or deferred motions to dismiss, showing that although new VPPA cases may have decreased, courts are still allowing these claims to proceed past the pleading stage. We also highlight a VPPA class action settlement approval that illustrates how costly these claims can be if they survive the pleading stage.
There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive.
1. Litigation Updates
a. Chat Wiretapping Lawsuits
We are covering two chat-based wiretapping lawsuits this month, both from the Central District of California, and both class actions. In our first decision, the defendant argued the nationwide CIPA class allegations should be stricken because the plaintiff and other class members resided outside of California did not have a claim under California law because their injuries arose outside the state. In response, the plaintiff agreed to withdraw the CIPA claim and request to certify a nationwide class.
In our second case the court denied a motion to dismiss based on personal jurisdiction, declining to follow Shopify while it is being reheard. In this case, the plaintiff was a California resident who claim to have used a website’s chat feature while in California. The chat conversation allegedly included personally identifiable information (PII), which was routed through a third party’s servers. The court concluded that personal jurisdiction existed because the plaintiff’s claims “related to” the defendant’s conduct in the forum state, and the defendant had a history of selling “physical goods to California residents through the website.” The court went on to state that defendant’s efforts to “drive sales to California consumers [were] sufficiently related to claims arising from those efforts.” The judge also found the plaintiff sufficiently alleged the third party operating the chat feature was acting as an eavesdropper rather than an agent, tool, or extension of the company running the website. The court ultimately determined the plaintiff had alleged enough facts to assert the third-party chat provider intercepted and used information from the chat services, in violation of Section 631(a).
b. Session Replay Lawsuits
In our first session replay decision, a Central District of California court granted a motion to dismiss based on the party exception in CIPA and the Electronic Communications Privacy Act (“ECPA”). Because the ECPA is a one-party consent statute, however, the court dismissed the claim after finding the plaintiff alleged the defendant had consented to the recording.. The court also dismissed the CIPA claim after finding “[c]laims under CIPA and ECPA are analyzed similarly.”
Our second session replay decision comes from the Northern District of California, where the judge denied a motion to dismiss for personal jurisdiction and interception claims. The court declined the defendant’s argument to dismiss based on the Shopify decision because that case is currently being reheard. The court went on to say that it would have declined the defense’s personal jurisdiction argument anyway, only that Shopify “no longer [being] good law only makes the issue easier.” The court also rejected the defendant’s argument that the plaintiff ailed to allege Meta intercepted the communications “in transit”, crediting the plaintiff’s allegations that the transmission is “instantaneous” and “simultaneously.”
Our final session replay decision also comes from the Northern District of California, where the judge denied a motion to dismiss after rejecting the defendant’s arguments based on consent and the party exception. The plaintiffs argued the defendant used certain analytics and tracking tools to collect and track their financial data on several tax preparation websites, in violation of CIPA Sections 631, 632, and 635. Under Section 631, the judge first ruled that consent could not be determined in the motion to dismiss phase, as “the mere existence of various terms of service and privacy policies” did not mean that the plaintiffs had consented to those terms and policies. The court also found persuasive that the plaintiffs also specifically alleged they did not consent to the use of these tools and the disagreement created a factual dispute. Second, the judge analyzed (and rejected) the defendant’s argument that the alleged eavesdropper was merely serving as a tape recorder. The court found the defendant created and then used the “tape recorder,” crediting the plaintiff’s allegations that the analytics and tracking tools were used and that because the tools were offered for free, then the defendant derived some other benefit from the information. Although the judge suggested the defendant could refute this claim moving forward, the court found the plaintiff’s allegations were sufficient to survive a Rule 12(b)(6) motion. The court also allowed the plaintiffs’ Section 362 and 365 claims to continue under similar lines of reasoning, as well as federal wiretap claims and similar Florida, Texas, and Illinois state law claims.
c. Video Privacy Protection Act (“VPPA”) Lawsuits
We are covering four decisions under the VPPA from June. Two of the decisions show defendants being successful and unsuccessful on a motion to dismiss at the pleading stage. A third decision illustrates a growing trend in one district to defer rulings on a motion to dismiss VPPA claims pending a Second Circuit appeal. Finally, the last decision we’re covering highlights the cost of settling VPPA class action claims after the pleading stage.
The first decision we are covering comes from the Central District of California, where a judge granted another Rule 12(b)(6) motion to dismiss a VPPA class action claim after dismissing the complaint without prejudice late last year. In the case, the plaintiff asserts a VPPA claim against a defendant digital media company for sharing user video selections to Facebook through the defendant’s entertainment news and pop culture website. The court previously dismissed the complaint without prejudice based on the plaintiff’s failure to allege that he qualified as a “subscriber” under the VPPA’s “consumer” definition. On the defendant’s renewed motion to dismiss an amended complaint, the court again found that the plaintiff failed to allege he was a “subscriber” for his VPPA claim to survive dismissal. Specifically, the court relied on a six-factor test from the Eleventh Circuit’s 2015 decision in Ellis v. Cartoon Network, Inc. to find that the amended complaint did not show that the plaintiff met the “commitment” or “delivery” factors from Ellis. On the “commitment” factor, the court found that plaintiff’s agreement to defendant’s then-existing Terms of Use and Privacy Policy were not sufficient to satisfy that factor. For the “delivery” factor, the court found that posting a video on a website or emailing links to those videos does not constitute “delivery” to support a subscription relationship under Ellis. Finally, the court also held that the amended complaint failed to allege a factual nexus between the plaintiff’s alleged subscription and the defendant’s actionable video content. According to the court, a link to a video from the defendant’s website does not create a subscription relationship if any user can access the video on the defendant’s website.
The second decision we are covering comes from the Northern District of Illinois, where a judge denied a motion to dismiss the plaintiff’s class action VPPA claims. In that case, the defendant operates an online streaming service for live and prerecorded video. The plaintiff asserts a VPPA claim on behalf of a potential class, alleging the defendant tracks users’ video selection histories and shares that information with third parties for marketing purposes. The court rejected three arguments raised by the defendant in their motion to dismiss under Rule 12(b)(6). First, the Court found that the plaintiff had alleged plausible facts to show that the defendant disclosed her personal information to third parties by citing the defendant’s privacy policy, annual reports, and press releases. According to the court, this evidence was sufficient to infer that the defendant had disclosed user information in a non-VPPA-compliant manner. Next, the Court found that the plaintiff adequately alleged that the defendant was a “video tape service provider” for the VPPA to apply because the court could infer from the complaint that the defendant’s streaming service included pre-recorded video. Finally, the court rejected the defendant’s argument that the VPPA’s “ordinary course” exception applied on the grounds that “advertising activities” do not fall within the exception under a Seventh Circuit decision from 2014.
The third decision we are covering comes from the Southern District of New York, which shows a growing trend in that district of judges deferring the dismissal of VPPA claims under Rule 12(b)(6) pending the outcome of a Second Circuit appeal in Salazar v. Nat’l Basketball Ass’n, No. 23-1147. In the district court case, the plaintiff alleges that the defendant — a multinational technology company — violated the VPPA by operating a weather forecasting and news website that shares users’ video selection information with marketing companies. On the defendant’s motion to dismiss, the district judge denied the defendant’s Article III standing challenge to the plaintiff’s VPPA claim but deferred its ruling on the defendant’s Rule 12(b)(6) arguments given the pending appeal in Salazar. Specifically, the defendant argued that the plaintiff failed to adequately allege that she was a “subscriber” under the VPPA’s “consumer” definition for her claim to survive dismissal. The court noted that the VPPA’s definition of “consumer” was one question at issue in the Salazar appeal and found that it would benefit both parties to gain “clarity on the scope of the VPPA before engaging in potentially expensive—and uncertain—litigation.” The court therefore deferred its ruling on the viability of the plaintiff’s VPPA claim until the Second Circuit issues its decision in Salazar.
A final decision worth a brief mention comes from the District of Minnesota where the court has approved a $2.9 million class action settlement of a VPPA claim. In that case, the defendant operates a news website and is alleged to have violated the VPPA by sharing its subscribers’ video-viewing history through the Facebook Pixel. The parties mutually agreed to settle the plaintiff’s class claim under the VPPA which the court approved of as fair, reasonable, and adequate under the Federal Rules of Civil Procedure. Cases such as these show how costly VPPA claims can be for defendants if they are not dismissed at the pleading stage.
d. Pen Registry Lawsuits
We are not covering any pen registry decisions this month but expect at least one SDNY court to issue a decision in July.
e. Other Lawsuits
This section covers privacy-related lawsuits that do not fit within the above categories but lack enough decisions to warrant their own category.
2. Overview of Current U.S. Data Privacy Litigation Trends and Issues
Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.
Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.
Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.
Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:
Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .
Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:
- How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
- Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
- Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
- Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
- Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
- Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.
Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”
Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.
Some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).
Finally, plaintiffs in New Jersey have filed more than 140 lawsuits under the state’s “Daniel’s Law,” which allows a “Covered Person” or their “Authorized Person” to request a “person, business, or association” to not “disclose or re-disclose on the Internet or otherwise make available” the Person’s home address or unpublished home telephone number. The Law provides a private right of action for any Covered Person against any “person, business, or association” who: (1) receives from the Covered Person a notification that complies with the statute and; (2) after 10 business days of receiving such notice, discloses or re-discloses on the Internet “or otherwise makes available” the home address or unpublished home telephone number of any covered person “who has received approval from the Office of Information Privacy for the redaction or nondisclosure of the covered person’s address.”
[View source.]
