Data Privacy and Cybersecurity

Continuing the trend of early dismissals in website wiretapping cases, a California federal court has dismissed a putative class action challenging the use of third-party pixel technology on nonprofit food bank websites.  Timothee v. Meta Platforms, Inc., No. 25-CV-05106-LB, 2026 WL 1130363 (N.D. Cal. Apr. 27, 2026).  The court held plaintiffs failed to plausibly plead concrete injury to establish Article III standing, consented to the third party’s receipt of their information, and proposed an impermissibly broad nationwide class.

The plaintiffs in Timothee alleged that several nonprofit food banks embedded third-party pixel technology into their websites, which collected and transmitted users’ addresses and “intent to receive nutrition assistance.”  Some plaintiffs further alleged that the pixel technology collected detailed information about “financial hardship,” “disability status, mobility status, and urgency of [their] need for food assistance.”  According to plaintiffs, this information was then used by the third party to target them with advertisements.  The plaintiffs claimed these transmissions violated the California Invasion of Privacy Act (“CIPA”), the Federal Wiretap Act, and various California privacy and common-law doctrines.  The court disagreed, dismissing plaintiffs’ claims, with leave to amend, on three grounds.

Continue Reading Wiretapping Suit Meets Triple Defeat: No Standing, Consent Established, Class Allegations Rejected

Adding to a growing body of case law following the Ninth Circuit’s decision in Popa v. Microsoft Corporation, a California federal court has dismissed for lack of subject matter jurisdiction a privacy suit against a news website, holding that the plaintiffs failed to allege a concrete injury sufficient to establish Article III standing. In Re: USA Today Co., Inc. Internet Tracking Litigation, 2026 WL 932655, at *3 (N.D. Cal. Apr. 6, 2026).

Continue Reading Another Court Dismisses Website Privacy Suit for Lack of Article III Standing

A recent decision from the Southern District of California underscores a point courts have made increasingly clear after the Ninth Circuit’s precedential decision in Popa v. Microsoft: alleging the disclosure of online activity—even activity touching on sensitive health topics—is not enough, by itself to establish Article III standing.  As the Court put it, the mere allegation that a defendant disclosed “sensitive health related” search terms, without any indication in the search terms that they “were tied to his personal medical history,” cannot establish a concrete injury.  Maghoney v. Dotdash Meredith, Inc., 2026 WL 497402 (S.D. Cal. Feb. 23, 2026) (emphasis added).

Continue Reading Sensitive Search Terms Not Enough To Establish Article III Standing Under Popa

In a new post on the Inside Privacy blog, our colleagues discuss the Seventh Circuit’s recent Clay v. Union Pacific Railroad Company holding that a 2024 amendment to the Illinois Biometric Information Privacy Act (BIPA) limiting damages to a per-person basis applies retroactively to cases pending when the amendment

Continue Reading Seventh Circuit Holds that BIPA Amendment Applies Retroactively

We have routinely highlighted the proliferation of wiretapping class actions, and the variety of approaches courts have taken to address them.  One common pitfall for plaintiffs in these types of cases is standing, an issue highlighted in a recent Third Circuit case throwing out a proposed federal class action against Harriet Carter Gifts and NaviStone Inc., and remanding it to state court.  

The case, Popa v. Harriet Carter Gifts, Inc., No. 25-1760 (3d. Cir. 2026), involved plaintiff’s allegations that Harriet Carter Gifts and NaviStone tracked her browsing activity on Harriet Carter’s website while she shopped for pet stairs, purportedly in violation of the Pennsylvania Wiretapping and Electronic Surveillance Control Act.  After removal, the district court twice granted summary judgment for the defendants, and both decisions were appealed to the Third Circuit. 

Continue Reading Stand Aside:  Third Circuit Throws Out Harriet Carter Gifts Federal Wiretapping Case On Standing Grounds

Many California-based privacy claims have turned on the application of longstanding statutes to modern technologies, with courts frequently holding that certain online tracking technologies can qualify as impermissible trap-and-trace devices in violation of California Penal Code section 638.51, part of the California Invasion of Privacy Act (CIPA).  A recent decision from the Central District of California, however, signals that these arguments will not always succeed.

Continue Reading Federal Court Rejects Claim that Cookies Are Illegal Trap and Trace Devices

Recently, a Pennsylvania federal judge dismissed a suit challenging the use of a third-party website analytics tool by defendant Highlands Healthcare, Inc., an integrated health system with eight hospitals in Pennsylvania.  The Court concluded plaintiffs had failed to plead the “specifics” of their interactions with defendant’s website, which were “essential to convert [the] case” from a “law-school hypothetical to an actionable dispute” under the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”), the state law analog to the Federal Wiretap Act.  Muraski v. Penn Highlands Healthcare, Inc., 2026 WL 353041 (W.D. Pa. Feb. 9, 2026).

Continue Reading Pennsylvania Court Dismisses WESCA Suit Alleging Use of Analytics Tools Against Health System, Requiring “Specifics” for an “Actionable Dispute”

Another recent federal court decision endorsed the “heightened intent requirement” for satisfying the crime-tort exception of the federal Wiretap Act.  Progin v. UMass Mem’l Health Care, Inc., 2026 WL 632770, at *4–5 (D. Mass. Mar. 6, 2026).

In Progin, the plaintiffs claimed that the defendants, healthcare and hospital

Continue Reading Another Federal Court Dismisses Wiretapping Claims Premised on Crime-Tort Exception

A recent Washington federal court decision emphasizes two key federal Wiretap Act principles. First, the Act’s crime-tort exception only applies if there are plausible allegations that a party to the communication intercepted communications specifically to commit a separate wrongdoing. Second, the statute does not allow secondary liability for “procuring” an interception by a third party. Nichols v. PeaceHealth Networks on Demand LLC, 2026 WL 607763, at *3-4 (W.D. Wash. Mar. 4, 2026).

Continue Reading Court Dismisses Federal Wiretap Claim Premised on Crime-Tort Exception, Rejects Aiding-and-Abetting Liability

As businesses increasingly deploy AI-powered call centers to streamline customer service, plaintiffs have turned to decades-old wiretapping laws to challenge these tools. In a recent decision, however, an Illinois federal district court held that use of an AI call analysis platform without caller consent does not violate the federal Wiretap Act because it falls within the statute’s ordinary course of business exception. Lisota v. Heartland Dental, LLC, 2026 WL 91667, at *6 (N.D. Ill. Jan. 13, 2026).

Continue Reading Use of AI Call Center Without Consent Not a Federal Wiretap Violation, Court Holds