Data Privacy and Cybersecurity

User consent bars website wiretapping claims brought under the California Invasion of Privacy Act (“CIPA”).  As we reported on here, one way users may consent to the use of third-party website technologies is during a checkout process, such as via a checkbox indicating agreement to a website’s privacy policy.  But is consent negated if a 10-minute timer begins counting down the moment a user enters that checkout process?  A California court answered no in Washington v. Flixbus, Inc., 2025 WL 1592961 (S.D. Cal. June 5, 2025), rejecting a plaintiff’s argument that a countdown timer “imposes undue pressure that negates any consent.”Continue Reading User Consent Provided Under Time Pressure Is Still Consent Barring CIPA Suit

Capture of personal or private information is a prerequisite to Article III standing in wiretapping cases brought under the California Invasion of Privacy Act (“CIPA”).  As we reported on here, when a plaintiff fails to plead the capture of any such information, courts have dismissed the plaintiff’s complaint for

Continue Reading Collection of Website Visit Time Stamp Not Enough to Confer Article III Standing

Last month, a California federal court highlighted one of the “serious problems that the class action plaintiffs’ bar desperately needs to rectify”: “the failure to properly vet named plaintiffs.”  Lineberry v. Addshoppers, Inc., 23-cv-01996-VC, 2025 WL 1533136 (N.D. Cal. May 29, 2025).Continue Reading For Peet’s Sake!  Court Calls Out Class Action Plaintiffs’ Bar’s Failure to Properly Vet Named Plaintiffs in CIPA Suit

Health-related websites are increasingly targeted with wiretapping suits if they use pixels or other third-party technologies to power their websites.  A few months ago, a California court dismissed on multiple grounds one such suit challenging the use of website pixels by Clearblue, a company that offers home pregnancy and fertility test kits.  Saedi v. SPD Swiss Precision Diagnostics d/b/a Clearblue, 2025 WL 1141168 (C.D. Cal. Feb. 27, 2025).Continue Reading Home Pregnancy Test Company Wins Dismissal of Pixel Wiretapping Suit

“Session replay” software is one of many website analytics tools targeted in wiretapping suits under the California Invasion of Privacy Act (“CIPA”).  Last month, a California federal court confirmed one of the many reasons why the use of this software does not violate CIPA section 631: A defendant cannot “read” (or attempt to read) session replay data “in transit,” as CIPA requires, because “events recorded by” this software “do not become readable content until after they are stored and reassembled into a session replay.”  Torres v. Prudential Financial, Inc., 2025 WL 1135088 (N.D. Cal. Apr. 17, 2025). Continue Reading Court Grants Summary Judgment: Website Vendor Cannot Read “Session Replay” Data “In Transit” Under CIPA

Lawsuits targeting businesses’ use of website tools under the California Invasion of Privacy Act (“CIPA”) increasingly are filed by so-called “tester” plaintiffs.  These plaintiffs seek out websites to “test” for potential CIPA violations and then file lawsuits seeking damages for those alleged violations.  A California federal court recently confirmed that

Continue Reading “Tester” Plaintiff Who “Actively Seeks Out Privacy Violations” Lacks Standing to Pursue CIPA Claim

Does a plaintiff’s use of a website constitute consent to a privacy policy linked in the website’s footer?  A Pennsylvania federal court answered yes in Popa v. Harriet Carter Gifts, Inc., 2025 WL 896938 (W.D. Pa. Mar. 24, 2025), granting summary judgment in favor of an online retailer (Harriet Carter Gifts) and its marketing partner (NaviStone) accused of collecting data about plaintiff’s website visit in violation of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”).Continue Reading Implied Consent to Privacy Policy in Webpage Footer Forecloses Website Wiretapping Claim

Plaintiffs’ lawyers have continued to bring privacy claims targeting businesses that use vendors to help provide beneficial chat features on their website, as we last reported here.  Late last year, a Southern District of California judge dismissed another set of privacy claims challenging the routine use of these vendor services by Tonal, a popular smart home gym company named as the sole defendant in the lawsuit.  Jones v. Tonal Systems, Inc., 751 F. Supp. 3d 1025 (S.D. Cal. 2024).

Plaintiff Julie Jones, a California resident, claimed that she had visited Tonal’s website and used its chat feature to communicate with a Tonal customer service representative.  This chat feature allegedly incorporated an API run by another company to create and store transcripts of website visitors’ chats with Tonal’s customer service representatives.  According to the complaint, this alleged conduct constituted wiretapping, which Tonal purportedly aided and abetted in violation of Sections 631 and 632.7 of the California Invasion of Privacy Act (“CIPA”).  Plaintiff also asserted other privacy claims based on the same alleged conduct, including the California Unfair Competition Law (“UCL”) and the California Constitution’s right to privacy provision.

The Court granted Tonal’s motion to dismiss each of plaintiff’s claims on multiple grounds.Continue Reading Another California Court Rejects Privacy Claims Targeting Online Chat Feature

Early this month, a Northern District of California judge dismissed, with prejudice, a putative class action complaint asserting five privacy-related causes of action, concluding the “issue of consent defeat[ed] all of Plaintiffs’ claims.”  Lakes v. Ubisoft, Inc., –F. Supp. 3d–, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).  Specifically, the Court dismissed plaintiffs’ claims under the (1) Video Privacy Protection Act (“VPPA”); (2) Federal Wiretap Act; (3) California Invasion of Privacy Act (“CIPA”) § 631; (4) common law invasion of privacy; and (5) Article I, Section 1 of the California Constitution. Continue Reading California Court Holds Plaintiffs’ Consent Defeats Claims Involving Use of Website Pixel

On Thursday March 13, 2025, New York Attorney General Letitia James announced proposed legislation to expand New York’s consumer protection law: the Fostering Affordability and Integrity through Reasonable (FAIR) Business Practices Act (“the Act”). The Act would update and expand New York’s current consumer protection law, Sections 349 and 350 of the New York General Business Law (“GBL”), to encompass a broader range of practices and claims.

The current versions of Sections 349 and 350 make unlawful certain deceptive business acts and practices and false advertising.  The Act would amend Section 349 to cover not only “deceptive” business acts and practices, but also conduct that may fall under vague definitions of “unfair” and “abusive” acts and practices.  The Act would further expand Section 349 by making it applicable “regardless of whether or not that act or practice is consumer-oriented [or] has a public impact or impact on consumers ….” The Act would also increase statutory damages to $1,000 and grant standing to organizations and third parties to the fullest extent otherwise permitted by law. However, the Act would also create affirmative defenses that limit plaintiffs to individuals and small entities, and excludes acts or practices that could be addressed by federal securities or intellectual property laws or that involve “high-value experienced commercial transaction[s]” directed exclusively to the parties to such transactions.Continue Reading New York Proposes New Consumer Protection Law