Welcome to the eleventh installment in our monthly data privacy litigation report. We prepare these reports to provide updates on how courts in the United States have handled emerging data privacy trends. In this month’s post, we look at wiretapping decisions from courts that have come out differently on whether plaintiffs have plead facts to sufficiently allege “interception” of chat communications, two decisions that rejected defendant’s arguments concerning plaintiffs’ consent to being recorded, and a failed attempt to compel arbitration. We also look at three session reply technology decisions, all of which grappled with whether the plaintiff had plead the third-party had the capability to use the alleged communications for the third-party’s own benefit. We also take a look at three VPPA decisions that continue to show the balancing act courts have struck when assessing VPPA claims at the pleading stage, including a decision that expands what type of company may be considered a “video tape service provider.”

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. 

1. Litigation Updates

a. Chat Wiretapping Lawsuits

We are covering two February wiretapping decisions where the courts reached different decisions regarding whether the plaintiff had sufficiently plead the messages were “intercepted” while in transit. In the first, the plaintiff alleged the messages were first routed through the third-party’s server to “analyze and collect customer support-agent interactions in real time” and that the third-party’s parent (a well-known social media company) identified “user interests” by monitoring a collection of offsite user activity and generated revenue by selling advertising space. The Northern District of California court held the plaintiff’s allegations concerning interception were merely conclusory because they did nothing more than restate the pleading requirement and failed to provide specific factual allegations. In contrast, another Northern District of California court denied a defendant’s motion to dismiss, finding the plaintiff adequately alleged the communications were intercepted in transit and that the third-party had the capability to use the information for its own purposes (and was thus not like a tape recorder). Here, the plaintiff had alleged the defendant’s website used an API designed and operated by a third-party, which ran on the third-party’s servers because the third-party analyzed the customer-support agent interactions in real time to create live transcripts of the chats as they occurred. The plaintiff also alleged the third-party had the capability to use the information in the chat communications to improve the third-party’s products and develop new products.

We are also covering two decisions that rejected defendants’ arguments that the plaintiff had consented to their chat messages being recorded because the plaintiff knowingly acted as a “tester” to see if the defendant’s website would record the plaintiff without their consent. A Northern District and Southern District court in California both rejected this argument. The Southern District found even if true, the argument did not show the plaintiff consented to a third-party recording the conversation, while the Northern District court found the defendant failed to provide any case law to support this argument. The Northern District court also rejected the defendant’s argument that the plaintiff had consented because of language in the privacy policy, finding “even if” the court took judicial notice of the privacy policy, the defendant had failed “to cite any cases in which merely having a privacy policy online is sufficient to show consent under CIPA.”

We are also covering a chat-based wiretapping decision where the defendant sought to avoid the potential class-action claim by compelling the plaintiff to arbitrate the matter instead. The defendant’s website included a notice that customers agreed to the website’s terms of use and arbitration agreement by clicking a “place order” button. The Northern District of California court found the website used a “modified clickwrap agreement” and analyzed whether the visual appearance of the language and overall design of the website put the plaintiff on notice she was agreeing to the arbitration clause. The court concluded the color of the text and placement of other information near the notice meant the plaintiff lacked notice and denied the motion to compel arbitration.

In the final chat-based wiretapping decision we are covering in this post, a Central District of California court dismissed a case after finding the court lacked specific jurisdiction over the defendant. The plaintiff, as in the other cases, had alleged the defendant impermissibly allowed a third party “to embed code into the chat feature of the Website that ‘automatically create[s] a transcript for each chat session.’”

b. Session Replay Lawsuits

In this post we are covering three session reply technology (SRT) decisions from February. The first SRT decision we are covering this month is from the Northern District of California. The defendant used a product by a third-party vendor to document evidence of prior express consent by consumers to receive telemarketing calls. The product captured strokes, clicks, and other interactions on websites used to establish consent. The court had previously dismissed the complaint after finding the plaintiff did not allege the vendor acted as a third-party eavesdropper. The plaintiff filed an amended complaint and the defendant again moved to dismiss. This time, however, the court denied the motion to dismiss. The amended complaint alleged the vendor “must read and learn the content of the communications” for the product to function as advertised. The court ultimately decided the parties’ disagreement presented factual issues and denied the motion to dismiss.

We are also covering two SRT decisions issued by the Southern District of California. In the first, the court found a question of fact existed whether session replay providers were more similar to a tape recorder or an eavesdropper was a question of fact better answered after discovery. The court nevertheless dismissed the complaint after finding the plaintiff failed to allege the acquisition of the “contents” of a “communication” while in transit. The plaintiff had alleged the defendant’s website tracked “button clicks, mouse movements, scrolling, resizing, touches (for mobile browsers), key presses, page navigation, changes to visual elements in the browsers, network requests, and more.” The court found this was more akin to the “record information” the Ninth Circuit has held to not be the contents of a communication and dismissed the Section 631 claim, but granted the plaintiff leave to amend.

In the second Southern District of California decision, the plaintiff had alleged session replay technology was used when the plaintiff visited the defendant’s website to make purchases, apply for a credit card, and make purchases on the credit card. The court first found whether the session replay provider was entitled to the party exception was a question of fact “better answered after discovery into the session replay technical context of the case.” The court dismissed the motion after finding the plaintiff did not plausibly plead session replay intercepted the “contents” of communications or intercepted anything in transit. The court granted the plaintiff leave to amend, so we will likely see the court address these issues in the future.

c. Video Privacy Protection Act (“VPPA”) Lawsuits

We are covering three decisions under the VPPA from February which demonstrate the growing trend in how courts assess such claims at the pleading stage.

The first decision comes from the Central District of California where the plaintiff alleged the defendant-operator of an online store selling school yearbooks, class pictures, and other memorabilia, violated the VPPA by tracking and sharing video views on its website through Google Analytics. The district court dismissed the claim on the basis that the plaintiff failed to adequately allege that (1) the defendant was a “video tape service provider” and; (2) the plaintiff was a “consumer” or “subscriber” under the VPPA. On the first basis, the court held the plaintiff’s own allegations showed the videos at issue were “aimed toward the sale of Defendant’s products” and were nothing more than “a marketing tool to promote Defendant’s brand and website.” Because the defendant’s videos “market” goods and are not themselves “the goods on offer,” the defendant was not “engaged in the business” of delivering video content to sustain a VPPA claim. On the second basis for dismissal, the court found the plaintiff failed to plead a nexus between her purchase from the defendant’s business and the video content at issue, or allege that she had a substantial and ongoing relationship with the defendant to survive the motion to dismiss.

Similarly, the North District of Illinois also dismissed a claim under the VPPA where the plaintiffs alleged they were subscribers to the defendant’s website which showed prerecorded television programs. The plaintiffs further alleged the defendant shared the plaintiffs’ identities and video selection choices through the Meta Pixel ad targeting cookie. The court dismissed the claim on the basis that plaintiffs failed to show they were “subscribers” under the VPPA. According to the court, the plaintiffs could not allege that access to defendant’s video content required registration with the defendant’s website given plaintiffs’ other allegation that any non-registered visitor had the same access to the website’s videos. Therefore, the court held the plaintiffs failed to allege “a link between the subscription benefits or services received and the defendant’s audio-visual content” to proceed with their VPPA claim.

The third decision comes from the Southern District of New York and provides an example of a VPPA claim surviving a motion to dismiss. In this case, the plaintiffs asserted a class action VPPA claim against a large video game retailer, alleging that when plaintiffs purchased video games from the retailer’s online store, the company shared that information with Facebook through direct uploads and Meta’s ad tracking pixels. In denying the defendant-retailer’s motion to dismiss, the court held that the retailer could be considered a “video tape service provider” because video games are audio visual materials similar to “prerecorded video cassette tapes” under the VPPA’s definition of a “video tape service provider.” Specifically, the court relied on the fact that video games contain “cut scenes” which satisfy the VPPA’s “prerecorded” requirement. According to the court, “cut scenes” in video games are considered “video content” under the VPPA even if they are accompanied by active gaming elements. Therefore, the court held that the plaintiffs adequately alleged that the defendant was a “video tape service provider” for their VPPA claim to survive the pleading stage.

2. On the Radar

In this section we identify other types of data privacy lawsuits we are watching and other interesting information in the world of data privacy litigation. We are continuing to watch pen registry cases but have made a new section for those cases. We are also continuing to watch voice recording lawsuits, but this may be a trend that fails to catch momentum.

3.     Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

• How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
• Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
• Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
• Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
• Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
• Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).

[View source.]