Privacy Law
Updates in Privacy Litigation: An Overview of Another Year of Explosive Growth
By Elaine F. Harwell and Yulian Kolarov
Over the last couple of years, as privacy has become increasingly important to consumers, courts and companies have seen a significant increase in privacy litigation. In this article, we will look at some of the notable data privacy-related litigation trends of the last year, including under California state law claims based on the California Invasion of Privacy Act (“CIPA”) and the Investigative Consumer Reporting Agency Act (“ICRAA”), federal statutory claims, including the Video Privacy Protection Act (“VPPA”), and recent rulings in data breach litigation.
California Invasion of Privacy Act
As many privacy practitioners are aware, plaintiffs–who are visiting websites, filling out forms on websites, entering search terms on websites, or chatting with chatbots–are pursuing litigation against website owners claiming their interactions with the websites are “communications” and the sharing of their data to third parties without their consent violates their privacy rights. In making the claims, plaintiffs have resurrected multiple statutes, including CIPA, a decades-old statute originally enacted to prevent eavesdropping on telephone calls. The new CIPA cases, however, focus on extending the statute to the alleged unlawful use of website tracking technologies, such as pixels and cookies, that collect, use, and share personal information of website visitors with third parties.
Thus far, courts encountering these cases have been inconsistent with their holdings, and very few cases have reached summary judgment. Many of the lawsuits and arbitration demands have centered around a few key arguments:
Wiretapping Claims
While CIPA is a bigger statute, the focus for these cases has been in the context of wiretapping claims. Plaintiffs generally bring claims under California Penal Code section 631(a), which prohibits four types of activities:
- Intentional wiretapping;
- Willfully attempting to learn the contents or meaning of a communication in transit over a wire;
- Attempting to use or communicate information obtained as a result of wiretapping or obtaining the contents of a communication; and
- Aiding, agreeing with, employing, or conspiring with another party to engage in the prohibited activities above.
Plaintiffs have also brought actions under California Penal Code section 632 for eavesdropping or recording of a confidential communication without consent. If found liable, companies may be at risk of paying $5,000 per violation. Expectedly, class actions have been common.
Although litigation has progressed over the last couple of years, there does not appear to be much rhyme or reason to how courts are handling motions to dismiss at the pleading stage. In the recent case of Doe v. Google LLC,[1] the plaintiffs sued Google for its source code located on health care providers’ websites. The court granted Google’s motion to dismiss the CIPA claim because the complaint failed to allege “where on a web property [Google’s] source code actually exists.”[2] The court also held that Google did not “intentionally” collect confidential information because it warned the companies that use the Google source code not to send Google any personal health information and prohibited them from doing so.[3]
Interestingly, there is some disagreement in the federal courts as to whether Google and Meta’s policies are sufficient to resolve the intent prong at the motion to dismiss stage. The court in Doe v. Google LLC noted that it is “possible that this ruling is contrary to Judge Orrick’s analysis of intent in a similar pixel case against Meta,”[4] where Judge Orrick in a different district court case determined that the complaint sufficiently alleged Meta routinely ignored its own policy.[5] To contrast, in another 2024 Meta Pixel case, the court held along the same lines as Judge Orrick and determined Meta’s policy prohibiting customers from transmitting data was a question of fact that could not be resolved at the motion to dismiss stage.[6]
In June 2024, the Northern District of California denied Google’s motion to dismiss a class action complaint alleging that Google Analytics, deployed on various tax websites, collected their gross income and refund amounts without their consent in violation of CIPA.[7] Ultimately, the court disagreed that Google was a “mere vendor” of the tool because Google read the data collected by its tool and benefited and profited from it by creating a “detailed dossier, or digital fingerprint” for each user.[8] Despite Google’s policy that explicitly prohibits its customers and developers from sending personally identifiable data, the court determined that it could not resolve this question of fact at the motion to dismiss stage. This is again contrary to the court in Doe v. Google LLC, which found a similar Google policy to be more convincing in finding lack of intent.
Notably, at least one California district court has ruled on a motion for summary judgment in the context of CIPA. In Gutierrez v. Converse, the defendant’s website contained a chat feature run by a third-party vendor.[9] Messages sent through the chat were transmitted from the consumer’s device to the defendant’s cloud application on the third-party server.[10] The chats, however, were fully encrypted while in transit, and the third party did not have access to the server unless a defendant granted access.[11] Plaintiff, in a putative class action, claimed that she did not consent to the sharing of her communications with the third party when she accessed the chat through her mobile device.[12] The district court granted summary judgment for the defendant, finding:
1. The third-party did not intentionally wiretap because plaintiff presented no evidence from which a reasonable jury could conclude the website involved telephone communications. Instead, the evidence indicated plaintiff used her smart phone’s internet capabilities by accessing the website on her phone.
2. The third-party did not willfully attempt to learn the contents of a communication while in transit because the evidence showed all messages sent through the chat were encrypted. Furthermore, the third-party vendor could not access any data stored on its servers.
3. Because plaintiff failed to show there was an intentional wiretap or an attempt to learn the contents of a communication in transit, defendant could not be liable for aiding and abetting.[13]
As of this writing, the case is pending on appeal before the Ninth Circuit, which may finally rule on these issues.
Pen Register Claims
There has also been a recent rise in claims under California Penal Code section 638.51, which prohibits the use of “pen registers” and trap and trace devices to record or capture “dialing, routing, addressing, or signaling information” from a “wire or electronic communication.” In two similar cases, Anne Heiting v. Taylor Fresh Foods, Inc. (California Superior Court),[14] and Dino Moody v. C2 Educational Systems Inc. et al. (United States District Court for the Central District of California),[15] the plaintiffs claimed that TikTok software deployed on defendants’ websites consisted of a “pen register” or “trap and trace” device under the statute.
At issue in both cases was TikTok’s software that allegedly uses “fingerprinting,” a process where the website employing the software collects data from anonymous visitors and matches that data with TikTok’s database to uncover the visitors’ identities. This is achieved by accessing a website user’s device and browser information, geographic information, referral tracking, and URL tracking. The software is designed to capture phone numbers, emails, routing, addressing and other signaling information of website visitors, and it does so in some instances without the website visitors’ consent.
The defendant in each case challenged the complaint for failure to state a claim. In Moody, defendant contended section 638.51 was intended to regulate physical trap and trace devices such as those attached to telephone lines—not website software.[16] Defendant further argued that the TikTok software had been consented to and that it did not collect dialing, routing, addressing, or signaling information in violation of the statute.[17] The court denied defendant’s motion to dismiss, finding that CIPA was not limited to physical devices, and that the inclusion of “electronic communication” in the language of the statute sufficiently covered software.[18] The court also did not find persuasive the argument that defendant was the “user” of the software and therefore consented by installing TikTok software on its website. For at least the motion to dismiss stage, the court found it a possibility that the plaintiff was the relevant user under the statute.[19]
The Anne Heiting court went further and stated that upholding Defendant’s definition of the consent exception would lead to the absurd result that section 638.51 could never be violated, and it would be inapposite to CIPA’s express purpose of protecting California residents’ right to privacy.[20]
Whether these claims ultimately succeed is yet to be determined, but it is notable that the courts are at least willing to entertain the allegations.
Video Privacy Protection Act
Another privacy statute that entered 2024 with a strong showing in courts was the VPPA, which makes it unlawful for a “video tape service provider” to “knowingly disclose[], to any person, personally identifiable information concerning any consumer of such provider.”[21] The statute further defines “consumer” as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”[22] This 1988 statute was revived by plaintiffs in recent years to fit newer technology under its umbrella.
In an interesting twist to VPPA litigation in the Northern District of Ohio, plaintiffs, in the case Collins v. The Toledo Blade, alleged they subscribed to newspaper websites and received usernames and passwords.[23] In return, the newspapers allowed plaintiffs access to their websites where they could watch pre-recorded and live-stream videos.[24] Using the Meta Pixel, plaintiffs alleged the websites tracked when plaintiffs accessed a video on the websites and subsequently sent identifying information about the web visitor, including Facebook IDs, and video-watching information to Meta.[25] Defendants filed a motion to dismiss and ultimately the Collins court denied the motion finding that disclosure to a third party alone constitutes an injury under the statute.[26] It also held that plaintiffs’ complaint plausibly alleged they were “subscribers” because they signed up to receive more than a periodic newsletter or email–they also signed up to receive access to the website.[27]
In another recent VPPA case, Salazar v. NBA, the Second Circuit breathed additional new life into the statute by expanding the definition of a “subscriber.”[28] In Salazar, plaintiff signed up for a free online NBA newsletter and later watched videos on the NBA’s website.[29] Plaintiff further alleged each time he viewed a video, the NBA disclosed his Facebook ID and video-watching history to Meta without his permission through an embedded pixel.[30] Plaintiff asserted this behavior violated the VPPA. Initially, the district court dismissed the case on the reasoning that the VPPA only applied to “subscribers” and the act of signing up for an online newsletter did not make plaintiff a “subscriber” of goods or services from a “video tape service provider.”
The Second Circuit, however, reversed and held that a subscriber of any goods or services is a “subscriber” under the VPPA. In short, the court expanded the definition of consumer by not limiting standing under the VPPA to those individuals that paid to consume video or audio content from a business for purposes of the statute.[31] The Second Circuit’s simple yet impactful holding may provide guidance for lower courts that have produced conflicting opinions on what type of interactions would make a plaintiff a “subscriber” under the VPPA.
Although it appears the Ninth Circuit has yet to specifically address the issue of what defines a consumer under the VPPA, businesses should be cognizant that asking consumers to subscribe to any goods or services, even a free online newsletter, might make them subject to the VPPA and potential violations.
Investigative Consumer Reporting Agency Act
In another novel use of a decades-old California statute, numerous lawsuits have recently been filed asserting violations of the California Investigative Consumer Reporting Agency Act (“ICRAA”).[32] ICRAA places specific obligations on investigative consumer reporting agencies–and anyone who uses investigative consumer reports–with regard to the procurement of background reports, including those typically used by employers and landlords for employment and rental decisions. Anyone requesting an “investigative consumer report” must notify the consumer “not later than three days after the date on which the report was first requested,” including the name and address of the investigative consumer reporting agency.[33] A consumer must also be provided with “a means by which the consumer may indicate on a written form, by means of a box to check, that the consumer wishes to receive a copy of any report that is prepared,” including the name of the reporting agency.[34] Failure to do so may result in liability for actual damages sustained or $10,000, whichever is greater, per violation.[35] The statute also allows for punitive damages for conduct that is grossly negligent or willful.[36]
Recently, numerous lawsuits have been filed against property managers claiming rental applications did not comply with ICRAA’s disclosure requirements or copies of reports were not provided pursuant to the law. Case law is minimal in this area, but notably, there are at least two California superior courts that have come down on different sides as to whether plaintiffs, who arguably suffered no damage, have standing to bring ICRAA claims. In Busane v. WSH Management, Inc.,[37] the court answered in the affirmative. In a relatively short order, the court dismissed the defendant’s contentions that the plaintiffs lacked standing because their rental applications were accepted, and as such, no adverse action was taken against them.[38] The court, however, only found it relevant that the reports were requested, which triggered ICRAA obligations with which the defendant allegedly did not comply.[39] The court interpreted the statutory allowance of $10,000 per violation as a penalty, regardless of whether plaintiffs showed harm, and thus the plaintiffs were found to have standing.
In a separate California superior court case, Yeh. v. Barrington Pacific, LLC, the court found the plaintiffs, who successfully rented apartments, lacked standing because they were not harmed.[40] In a far lengthier opinion, the court relied on a California Court of Appeals’ opinion in Limon v. Circle K Stores Inc., which involved similar arguments under the Fair Credit Reporting Act (“FCRA”).[41] The court analogized ICRAA to the FCRA, which contained a similar provision for damages, and agreed with the Limon court’s legal and linguistic analysis of “damages” and “penalties”.[42] In reviewing the intent of the California Legislature in passing ICRAA, the court determined that the use of the terms “penalty” and “damages” in the same discussion indicated a lack of clear intent to distinguish between damages sustained and the $10,000 cap on recovery.[43] Ultimately, the court held that because the statute provided for damages, not penalties, plaintiffs were required to show they suffered an actual and concrete injury.[44] Because plaintiffs’ rental applications were ultimately approved, and none of the information disclosed in the reports was inaccurate, they did not suffer an injury and therefore lacked standing.[45] As of this writing, the trial court order dismissing the coordinated Yeh cases is up on appeal.
Data Breach Litigation
For most companies, one of the main risks following a data breach is facing a potential class action lawsuit. Plaintiffs generally assert various claims, including contract and negligence claims, and various duties to protect personal information under federal and state statutes with a private right of action. A full overview of current data breach litigation is beyond the scope of this article. However, a couple of recent decisions are worth noting.
In one unpublished decision by the Ninth Circuit, the court focused on the language of a data breach notification letter in upholding a lower court dismissal of a plaintiff’s complaint for lack of standing.[46] There, the plaintiffs asserted a common argument that they had Article III standing because of an increased future risk of identity theft from a cyberattack, which had compromised driver’s license numbers.[47] Plaintiffs relied on a notice that defendant Noblr Reciprocal Exchange (“Noblr”) had sent to more than 90,000 individuals several months after the attack.[48] The notice stated that the cyber attackers “may” have had access to driver’s license numbers and addresses.[49]
The Ninth Circuit found plaintiffs did not have standing because Noblr’s notice did not explicitly state whether any of the plaintiffs’ driver’s license numbers were actually stolen, only that those numbers may have been exposed.[50] That alone, according to the court, was insufficient to show injury. Although unpublished, the opinion highlights the importance of the language used in data breach notices sent to impacted individuals.
Additionally, companies that have suffered a data breach must also consider what information from a post-breach investigation may end up being subject to discovery. Where a company–or its outside counsel–hires a computer forensics examiner to investigate an incident, a report on the cause and scope of the incident often follows. Some companies have successfully shielded the forensic reports from disclosure in subsequent litigation under the work product doctrine or attorney-client privilege. Several recent court opinions, however, have rejected these claims of privilege, including a recent New Jersey district court decision holding that certain documents shared between Samsung, its outside counsel, and a retained cybersecurity consulting firm, Stroz, were not protected and were subject to disclosure.[51] At issue were documents consisting of PowerPoint updates on investigative findings, an analysis outlining conclusions regarding the background and scope of the incident, and a document prepared by the consulting firm to be shared with the FBI.[52]
Following an in camera review, the district court scrutinized whether the documents were intrinsic to the attorney-client communication and an understanding of legal advice being rendered to Samsung, as opposed to some other business purpose.[53] The court determined that the above documents were not covered by attorney-client privilege based on the following findings:
- The PowerPoint documents and meetings were merely investigative findings that detailed how the breach had occurred. Present at the meetings were multiple IT and high-level executives outside of the legal department. The executives were “receiving” information from Stroz rather than providing or facilitating information gathering for the purpose of obtaining legal advice.
- The reports outlining conclusions were shared with fifteen different high-level executives, including Samsung’s security response team. The breadth of Samsung’s involvement and participation in Stroz’s investigative process, in addition to the wide dissemination of the documents, indicated Stroz was retained only to provide technical interpretation.
- The FBI report was found to have been drafted for business reasons, including to respond to inquiries from the FBI. There was no showing that the report was related to a litigation purpose.[54]
Moreover, the mere fact that it was Samsung’s outside counsel that hired Stroz to perform a business function was not enough to shield the documents from production based on attorney-client or attorney work-product privilege.[55]
Ultimately, for post-breach forensic reports, the court will employ a fact-intensive analysis to assess privilege claims. Companies must be able to demonstrate the primary purpose of the forensic report was to seek legal advice. Additionally, outside counsel’s retention of cybersecurity consultants will not automatically cloak all communications under a blanket of privilege. In order to maximize the ability to successfully assert privilege over a post-breach report, it is important to follow best practices outlined by recent case law.
Conclusion
Data privacy litigation has seen a surge in recent years, a trend which is likely to continue as companies continue to collect, use, and share more data. Meanwhile, the plaintiffs’ bar is continuing to find creative uses of decades-old statutes to assert various privacy violations. As the courts continue to grapple with these issues, businesses would be wise to visit how their data policies and procedures align with emerging guidance.
Elaine F. Harwell is a Partner at the law firm of Procopio, Cory, Hargreaves & Savitch, LLP. Elaine focuses on representing clients in privacy and data security matters, including litigating claims involving privacy issues, helping clients manage emerging risks, and advising on regulatory and compliance issues. Elaine has earned the ANSI-accredited Certified Information Privacy Professional/United States (CIPP/US) and the Certified Information Privacy Manager (CIPM) credentials through the IAPP and is the leader of Procopio’s Privacy and Cybersecurity practice and the firm’s Privacy Officer.
Yulian Kolarov is an Associate at the law firm of Procopio, Cory, Hargreaves & Savitch, LLP. Yulian assists clients with a wide range of business disputes and civil litigation, including matters involving privacy, cybersecurity, contracts, real property, corporate governance, and partnership and business management disputes. He previously clerked with the Honorable Daniel E. Butcher of the U.S. District Court for the Southern District of California.
1. Doe I v. Google LLC, No. 23-CV-02431-VC, 2024 WL 3490744 (N.D. Cal. July 22, 2024).
2. Id. at *6.
3. Id.
4. Id. at *5.
5. Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1076 (N.D. Cal. 2023).
6. In re Meta Pixel Tax Filing Cases, No. 22-CV-07557-PCP, 2024 WL 1251350, at *4 (N.D. Cal. Mar. 25, 2024).
7. Smith v. Google, LLC, No. 23-CV-03527-PCP, 2024 WL 2808270 (N.D. Cal. June 3, 2024).
8. Id. at *5.
9. Gutierrez v. Converse Inc., No. CV 23-6547-KK-MARX, 2024 WL 3511648, at *2 (C.D. Cal. July 12, 2024).
10. Id.
11. Id. at *3.
12. Id. at *1.
13. Id. at *7–8.
14. Anne Heiting v. Taylor Fresh Foods, Inc., Superior Court of California, County of Los Angeles, 24STCV12891 (July 31, 2024) (Minute Order Denying Demurrer).
15. Moody v. C2 Educ. Sys. Inc., No. 2:24-CV-04249-RGK-SK, 2024 WL 3561367, at *2 (C.D. Cal. July 25, 2024).
16. Id. at *2.
17. Id.
18. Id. at *2–3.
19. Id. at *3.
20. Anne Heiting v. Taylor Fresh Foods, Inc., Superior Court of California, County of Los Angeles, 24STCV12891 (July 31, 2024) (Minute Order Denying Demurrer).
21. 18 U.S.C. § 2710(b)(1).
22. Id. at (a)(1).
23. Collins v. Toledo Blade, 720 F. Supp. 3d 543, 546 (N.D. Ohio 2024).
24. Id.
25. Id.
26. Id. at 549–51.
27. Id. at 551–53.
28. Salazar v. Nat’l Basketball Ass’n, 118 F.4th 533 (2d Cir. 2024).
29. Salazar v. Nat’l Basketball Ass’n, 118 F.4th 533 (2d Cir. 2024).
30. Id. at 537–38.
31. Id. at 550–53.
32. Cal. Civ. Code § 1786.
33. Id. at § 1786.16(a)(3).
34. Id. at § 1786.16(b)(1).
35. Id. at § 1786.50(a)(1).
36. Id.
37. Los Angeles County Superior, Case No. 22STCV29627 (Aug. 29, 2023) (Order Granting Plaintiff’s Motion for Summary Judgment).
38. Id.
39. Id.
40. Yeh. v. Barrington Pacific, LLC, Los Angeles County Superior Court, Case No. 20STCV42994 (Jan. 18, 2024) (Order Granting Defendant’s Motion for Summary Judgment).
41. Id.
42. Id.
43. Id.
44. Id.
45. Id.
46. Greenstein v. Noblr Reciprocal Exch., No. 22-17023, 2024 WL 3886977 (9th Cir. Aug. 21, 2024).
47. Id. at *1.
48. Id.
49. Id.
50. Id. at *2–3.
51. In re Samsung Customer Data Sec. Breach Litig., No. CV 23-3055(CPO)(EAP), 2024 WL 3861330 (D.N.J. Aug. 19, 2024).
52. Id. at *2–3.
53. Id. at *4.
54. Id. at *11–15.
55. Id. at *15.