Third Circuit Affirms Dismissal of CIPA and CMIA Claims
Last week, the Third Circuit affirmed dismissal of a putative class action asserting that defendant Quest Diagnostics violated the California Invasion of Privacy Act (“CIPA”) and the Confidentiality of Medical Information Act (“CMIA”) by employing a website pixel to track and collect data about plaintiffs’ website activity for advertising purposes. See Cole v. Quest Diagnostics Inc., No. 25-1449, 2025 WL 3172640 (3d Cir. Nov. 13, 2025). The Third Circuit held that Quest was not liable under CIPA for aiding and abetting wiretapping because no wiretapping had occurred, nor under CMIA because Plaintiffs had not alleged the disclosure of protected “medical information.”
Matthew Verdin
Matthew Verdin focuses on defending clients in the technology and financial services sectors. He has a strong record of delivering wins on behalf of clients in class actions and complex litigation, particularly in privacy and consumer protection lawsuits. Matthew is particularly successful in securing dismissals at the pleadings stage. For example, he won dismissal at the pleadings stage of over a dozen wiretapping class actions involving the alleged use of website analytics tools to collect data about users’ website visits. He also advises companies on managing litigation risk under federal and state wiretapping laws.
Matthew is also dedicated to pro bono legal services. Recently, he helped a domestic violence survivor win a case in the California Court of Appeal. Matthew’s oral argument led to the court ordering renewal of his client’s restraining order just one day later.
California Court Grants Summary Judgment for Defendant, Urging the California Legislature to “Bring CIPA”—“A Total Mess”—“Into the Modern Age”
Recently, a California federal court granted summary judgment for defendant Eating Recovery Center (“ERC”) on a plaintiff’s California Invasion of Privacy Act (“CIPA”) § 631(a) wiretapping claim, joining other California federal courts that have granted summary judgment on CIPA claims for a plaintiff’s failure to “satisfy [CIPA’s] ‘in transit’ requirement as a matter of law.” In granting summary judgment, the court critiqued CIPA’s language as “ill-suited for application to internet communications” and called upon the California Legislature to “step up” and “speak clearly” about whether and how CIPA applies to website-based data collection tools. Doe v. Eating Recovery Ctr., LLC, –F. Supp. 3d–, 2025 WL 2971090 (N.D. Cal. Oct. 17, 2025).
Court Applies Popa to Dismiss CIPA Pen Register Claim for Lack of Article III Standing
In a win for businesses using third-party technologies to power their websites, a California federal court applied the Ninth Circuit’s recent decision in Popa v. Microsoft Corporation to dismiss a “pen register” claim brought under the California Invasion of Privacy Act (“CIPA”) for lack of Article III standing. Khamooshi v. Politico LLC, No. 24-cv-07836-SK, 2025 WL 2822879 (N.D. Cal. Oct. 2, 2025). “As in Popa,” the Khamooshi court held that the plaintiffs—who alleged the collection of their device type, browser type, and “device fingerprints”—“identifie[d] no embarrassing, invasive, or otherwise private information collected,” as required to establish an Article III injury.
Court Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”
After last year’s landmark ruling holding that the Massachusetts Wiretap Act does not prohibit businesses’ use of pixels to capture website browsing data, Massachusetts plaintiffs have shifted their focus to the federal Wiretap Act. The problem: unlike the Massachusetts Wiretap Act, its federal counterpart is a “one-party consent” law, meaning that a business’s consent to the use of the pixels is enough to preclude liability. Last month, a federal court held that a “crime-tort exception” to this consent exemption does not apply when website browsing data is collected for “commercial purposes or advantages.” Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732 (D. Mass. June 24, 2025).
User Consent Provided Under Time Pressure Is Still Consent Barring CIPA Suit
User consent bars website wiretapping claims brought under the California Invasion of Privacy Act (“CIPA”). As we reported on here, one way users may consent to the use of third-party website technologies is during a checkout process, such as via a checkbox indicating agreement to a website’s privacy policy. But is consent negated if a 10-minute timer begins counting down the moment a user enters that checkout process? A California court answered no in Washington v. Flixbus, Inc., 2025 WL 1592961 (S.D. Cal. June 5, 2025), rejecting a plaintiff’s argument that a countdown timer “imposes undue pressure that negates any consent.”
Collection of Website Visit Time Stamp Not Enough to Confer Article III Standing
Capture of personal or private information is a prerequisite to Article III standing in wiretapping cases brought under the California Invasion of Privacy Act (“CIPA”). As we reported on here, when a plaintiff fails to plead the capture of any such information, courts have dismissed the plaintiff’s complaint for…
Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit
Health-related websites are increasingly targeted with wiretapping suits if they use pixels or other third-party technologies to power their websites. A few months ago, a California court dismissed on multiple grounds one such suit challenging the use of website pixels by Clearblue, a company that offers home pregnancy and fertility test kits. Saedi v. SPD Swiss Precision Diagnostics d/b/a Clearblue, 2025 WL 1141168 (C.D. Cal. Feb. 27, 2025).
Court Grants Summary Judgment: Website Vendor Cannot Read “Session Replay” Data “In Transit” Under CIPA
“Session replay” software is one of many website analytics tools targeted in wiretapping suits under the California Invasion of Privacy Act (“CIPA”). Last month, a California federal court confirmed one of the many reasons why the use of this software does not violate CIPA section 631: A defendant cannot “read” (or attempt to read) session replay data “in transit,” as CIPA requires, because “events recorded by” this software “do not become readable content until after they are stored and reassembled into a session replay.” Torres v. Prudential Financial, Inc., 2025 WL 1135088 (N.D. Cal. Apr. 17, 2025).
“Tester” Plaintiff Who “Actively Seeks Out Privacy Violations” Lacks Standing to Pursue CIPA Claim
Lawsuits targeting businesses’ use of website tools under the California Invasion of Privacy Act (“CIPA”) increasingly are filed by so-called “tester” plaintiffs. These plaintiffs seek out websites to “test” for potential CIPA violations and then file lawsuits seeking damages for those alleged violations. A California federal court recently confirmed that…
Implied Consent to Privacy Policy in Webpage Footer Forecloses Website Wiretapping Claim
Does a plaintiff’s use of a website constitute consent to a privacy policy linked in the website’s footer? A Pennsylvania federal court answered yes in Popa v. Harriet Carter Gifts, Inc., 2025 WL 896938 (W.D. Pa. Mar. 24, 2025), granting summary judgment in favor of an online retailer (Harriet Carter Gifts) and its marketing partner (NaviStone) accused of collecting data about plaintiff’s website visit in violation of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”).