Keypoint: Multiple decisions from the same judicial district come down differently on wiretapping claims while three courts in different states each reject VPPA-defendants’ arguments that the plaintiffs lacked Article III standing.

Welcome to the twelfth installment in our monthly data privacy litigation report. Not only does this month’s post mean we have been doing this for over a year now (and actually a little longer as there was at least one post that combined two months of updates into one post because, well, holidays), but more importantly we are releasing this post on the eve of heading to Washington, D.C. to attend the IAPP Summit. If you will be there, make sure to come and meet us!

We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at three decisions from the Southern District of California, each of which addressed nearly identical factual allegations and legal arguments but reached different conclusions. We also take a look at three VPPA decisions denying motions to dismiss regarding claims premised on the Meta Pixel that highlight how district courts are addressing Article III standing objections and the required specificity of a plaintiff’s allegations at the pleading stage.

1. Litigation Updates

a. Chat Wiretapping Lawsuits

We are looking at three decisions from the Southern District of California this month, each of which addressed whether a third party that provided customer support via a chat API, was entitled to the “party exception” under the second prong of Section 631(a). 

The first decision is a fairly length decision and we are consequently spending a fair amount of time/space covering it. This decision did two things that warrant inclusion in this month’s post. First, the decision identified a third way in which courts resolve the question of whether a third party is entitled to the “party exception” under Section 631(a). Second, the decision recognized how courts are issuing conflicting decisions under nearly identical theories, thereby creating uncertainty for parties who face these claims.

In this case, the plaintiff alleged customers who used the defendant’s chat service were not in fact chatting with defendant as they thought, but were instead chatting with a third-party, which was an API interface that was “plugged into” the defendant’s website such that the chat ran from the third-party’s servers. “Whenever a chat message is sent from a member of the Class to Defendant, it is first routed through the [third-party’s] server.” The plaintiff alleged this configuration allowed the third party to use the intercepted messages for their own purpose.

The central issue in this case was whether the third party was entitled to the party exception or deemed an eavesdropper. After examining the (increasingly lengthy) number of decisions that have addressed this issue, the court separated the decisions into three camps. First, the Graham decisions hold software providers are extensions of the websites that employ them and thus not third-parties. Second, are the Javier line of decisions, which have identified problems in the Graham line of decisions and instead look to whether the third-party has the capability to use its record of the interaction for any other purpose. The court also identified a third line of cases, which have mostly arisen in the aftermath of the two-above groups of decisions. Decisions that fall into this third group find it is inappropriate to decide between the two groups at the pleading stage and declare whether the third party is entitled to the party exception to be a question of fact. This decision is notable for identifying the number of cases that fall into this third category.

After identifying the three groups of decisions, however, this court joined the second group: finding the case could be dismissed if the plaintiff failed to allege the third party had the capability to use the allegedly intercepted chat data for its own purpose. The court then held the plaintiff had failed to do so. In doing so, however, the court again looked to how other courts had decided identical theories, finding “[s]ome district courts have found similar allegations sufficient to state a claim for a violation of clause two, . . .  while other district courts have found similar allegations insufficient to state a claim under clause two.” As it did before, the court chose one of the camps it had identified, finding the plaintiff failed to allege the third party had the capability to use the chat for their own purposes and benefit.

In contrast, in our second decision, the court reached the opposing conclusions with nearly identical facts. Like our first decision, the plaintiff here alleged the defendant allowed a third party to embed its chat technology code into the chat feature offered on the defendant’s website such that communications occurred on the third party’s server. The plaintiff also similarly alleged the third party recorded users’ interactions “to enable targeted marketing” by the defendant-website (as opposed to the third party). This court then put itself in the third group of decisions (discussed above) and denied the motion to dismiss after concluding whether the third party had the “capability” to use the information for its own purposes was a factual question. The court also found the plaintiff had plead the “content” of its communications were intercepted. Once again, the plaintiffs’ allegations in the two cases were nearly identical, involving high level allegations that the third parties collected a “transcript of the chat.” While the first court found that insufficient to allege content, the second court found it sufficient and denied the motion to dismiss. These two decisions should serve as a reminder that courts can, and will, come down differently even under nearly identical facts and allegations.

In the third SD Cal decision  we are covering this month., the court dismissed the plaintiff’s Section 631(a) CIPA allegations, finding the third-party chat provider was entitled to the party exception under subsection (2). Although the court first hinted it may deny the motion to dismiss, stating “the Court must assume the truth of the Plaintiff’s assertions” at the pleading stage, the Court then showed how assuming the truth of those assertions required dismissal. The court noted the plaintiff alleged the third party used the chat communications to analyze whether the customer would likely buy a product and, because sales were for the defendant, concluded this meant the third party was using the information for the benefit of the defendant (and thus entitled to the party exception). Also of note, the court found the plaintiff failed to allege “content” of the communications was intercepted, despite it being a chat service.

b. Session Replay Lawsuits

We are not covering any session replay lawsuits this month. Courts issued more decisions on chat-based claims in March. Check back in April to likely see more coverage of session replay technology, which remains a hotly disputed theory under wiretapping law.

c. Video Privacy Protection Act (“VPPA”) Lawsuits

We are covering three decisions under the VPPA from March which show VPPA claims premised on the Meta Pixel surviving motions to dismiss.

The first decision is a lengthy order from the Northern District of Ohio denying a motion to dismiss a VPPA claim. In the case, the plaintiffs allege that newspaper publishing companies violate the VPPA by sharing the plaintiffs’ identities and video selections from newspaper websites through the Meta Pixel ad targeting cookie.

In the decision, the Court first rejected the defendant-companies’ jurisdictional argument — that plaintiffs lacked an injury to establish Article III standing — based on the “well-established” precedent that disclosure of personal information alone does constitute an injury under the VPPA for standing purposes. The Court was not convinced by the defendants’ evidence that only rarely was the file name of a video seen by users shared with Facebook through the Meta Pixel. The Court also disagreed with defendants that plaintiffs lacked standing because the information shared via the Meta Pixel did not indicate whether the user actually “interacted with” or watched the video. According to the Court, nothing in the VPPA requires a plaintiff to show that they watched or “interacted with” a video to assert a VPPA claim.

The court next found that plaintiffs stated a claim under the VPPA because (1) plaintiffs were “subscribers” under the VPPA; (2) defendants met the definition of a “video tape service provider” under the VPPA; and (3) the VPPA’s ordinary course of business exception did not apply. On the first two issues, the court found that plaintiffs were “subscribers” under the VPPA because they had created accounts on defendants’ newspaper websites to access defendants’ “main business: news and journalism” which was provided via written articles and videos. The court noted that the videos on defendants’ websites were not “secondary or ancillary” to defendants’ main business. Finally, the court rejected the argument that the VPPA’s ordinary course of business exception applied because, according to the court, that exception does not encompass advertising.

The second decision we are covering was issued in the Northern District of California and also denied a motion to dismiss as to one of the defendants. This decision is noteworthy for finding that video NFTs (non-fungible tokens) can constitute “prerecorded video cassette tapes or similar audio visual materials” for purposes of determining whether a defendant is a “video tape service provider” under the VPPA. In that case, one of the defendants licensed with a professional sports league to sell video NFTs of sports highlights online (akin to trading cards), and shared purchaser information through the Meta Pixel. Because the NFTs were “pre-recorded video clips of … highlight-worthy plays,” the court found that the plaintiff had adequately stated a VPPA claim against one of the defendants.

The final decision we are covering which also shows a VPPA claim surviving the pleading stage, comes from the Southern District of New York. The defendant in this case is an education media company that publishes and sells print and digital products, including on-demand educational videos on its website. The plaintiff subscribes to defendant’s online product and alleges that the titles and URLs of videos and other services he requested are disclosed in violation of the VPPA through the Meta Pixel. In denying the defendant’s motion to dismiss, the district court found the complaint adequately alleged an injury-in-fact to establish Article III standing and sufficiently pled a claim under the VPPA.

On the standing issue, the court held that the alleged disclosure of the plaintiff’s Facebook ID (through the Meta Pixel) and the titles or URLs of plaintiff’s video selections were sufficient to allege an injury. And contrary to defendant’s argument, it was not necessary for the plaintiff to identify the specific titles of the videos he viewed or the dates he viewed them to establish standing under the VPPA. For similar reasons, the court found that the complaint sufficiently alleged the disclosure of “personally identifiable information” under the VPPA to state a claim. On this element, the defendant argued that an ordinary person could not identify the plaintiff through the cookie string of digits containing a Facebook ID and that plaintiff failed to identify specific video titles that he viewed and defendant disclosed. The court rejected these arguments, noting that the “personally identifiable information” element only required the plaintiff to allege that the disclosed information identified a particular person (rather than an anonymous individual) and connected that particular person with their viewing history. Based on prior cases, the court held that disclosing a Facebook ID readily permits an ordinary person to identify a particular user accessing a specific video and, at the pleading stage, it is not necessary for a plaintiff to identify specific video titles that have been wrongfully disclosed. In sum, the court found that the level of specificity demanded by the defendant was not required to state a VPPA claim at the pleading stage.

2. On the Radar

In this section we identify other types of data privacy lawsuits we are watching and other interesting information in the world of data privacy litigation. We are continuing to watch pen registry cases but have made a new section for those cases. We are also continuing to watch voice recording lawsuits, but this appears to be a trend that failed to catch momentum.

3. Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

• How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
• Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
• Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
• Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
• Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
• Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).

[View source.]