Last week, the Third Circuit affirmed dismissal of a putative class action asserting that defendant Quest Diagnostics violated the California Invasion of Privacy Act (“CIPA”) and the Confidentiality of Medical Information Act (“CMIA”) by employing a website pixel to track and collect data about their website activity for advertising purposes. See Cole v. Quest Diagnostics Inc., No. 25-1449, 2025 WL 3172640 (3d Cir. Nov. 13, 2025). The Third Circuit held that Quest was not liable under CIPA for aiding and abetting wiretapping because no wiretapping had occurred, nor under CMIA because Plaintiffs had not alleged the disclosure of protected “medical information.”Continue Reading Third Circuit Affirms Dismissal of CIPA and CMIA Claims
California Court Grants Summary Judgment for Defendant, Urging the California Legislature to “Bring CIPA”—“A Total Mess”—“Into the Modern Age”
Recently, a California federal court granted summary judgment for defendant Eating Recovery Center (“ERC”) on a plaintiff’s California Invasion of Privacy Act (“CIPA”) § 631(a) wiretapping claim, joining other California federal courts that have granted summary judgment on CIPA claims for a plaintiff’s failure to “satisfy [CIPA’s] ‘in transit’ requirement as a matter of law.” In granting summary judgment, the court critiqued CIPA’s language as “ill-suited for application to internet communications” and called upon the California Legislature to “step up” and “speak clearly” about whether and how CIPA applies to website-based data collection tools. Doe v. Eating Recovery Ctr., LLC, –F. Supp. 3d–, 2025 WL 2971090 (N.D. Cal. Oct. 17, 2025).Continue Reading California Court Grants Summary Judgment for Defendant, Urging the California Legislature to “Bring CIPA”—“A Total Mess”—“Into the Modern Age”
Ninth Circuit Affirms Dismissal of Wiretap Claims Based on Party Exception
On October 27, 2025, the Ninth Circuit affirmed in a memorandum opinion the dismissal of a proposed class action asserting that the owner of a cybersecurity browser extension violated the California Invasion of Privacy Act (“CIPA”) and the Electronic Communications Privacy Act (“ECPA”) by intercepting communications between extension-users and search engines. Karwowski v. Gen Digital, Inc., No. 24-7213, 2025 WL 3002610 (9th Cir. Oct. 27, 2025) (mem.). The Court held that the Plaintiffs failed to allege that the Defendant was not a party to the communications.Continue Reading Ninth Circuit Affirms Dismissal of Wiretap Claims Based on Party Exception
Court Applies Popa to Dismiss CIPA Pen Register Claim for Lack of Article III Standing
In a win for businesses using third-party technologies to power their websites, a California federal court applied the Ninth Circuit’s recent decision in Popa v. Microsoft Corporation to dismiss a “pen register” claim brought under the California Invasion of Privacy Act (“CIPA”) for lack of Article III standing. Khamooshi v. Politico LLC, No. 24-cv-07836-SK, 2025 WL 2822879 (N.D. Cal. Oct. 2, 2025). “As in Popa,” the Khamooshi court held that the plaintiffs—who alleged the collection of their device type, browser type, and “device fingerprints”—“identifie[d] no embarrassing, invasive, or otherwise private information collected,” as required to establish an Article III injury. Continue Reading Court Applies Popa to Dismiss CIPA Pen Register Claim for Lack of Article III Standing
Standing in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web
Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions. On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.
Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks. Id. at *1. Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach. Id. They sued Elephant for alleged harms stemming from the breach. Id. at *3. Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not. Id. at *2. The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing. Id. But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two. Continue Reading Standing in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web
Illinois Court Narrows Lawsuit Over Medical Center’s Use of Pixel Technology and Strikes Class Claims
In a recent decision by the United States District Court for the Northern District of Illinois, Judge Georgia N. Alexakis narrowed and struck class claims alleging that the University of Chicago Medical Center’s use of pixel technology violated the Electronic Communications Privacy Act (ECPA).
The plaintiff, Sophia Hartley, asserted on
Continue Reading Illinois Court Narrows Lawsuit Over Medical Center’s Use of Pixel Technology and Strikes Class ClaimsFederal Court Fries Data Breach Class Action for Lack of Standing
A federal court in North Carolina dismissed a putative data breach class action against Bojangles because the plaintiffs failed to show that there was an actual or imminent misuse of their personal information as a result of the breach. Dougherty v. Bojangles’ Restaurants, Inc., 2025 WL 2810673 (W.D.N.C. Sept. 30, 2025).Continue Reading Federal Court Fries Data Breach Class Action for Lack of Standing
California Court Dismisses Hotel Website Wiretapping Suit Based on “In Transit” Requirement
Recently, a California federal judge dismissed a suit alleging that Sojern, Inc., a travel marketing platform, violated the Federal Wiretap Act and California law by allegedly installing “tracking technology” on two hotel websites. Crano v. Sojern, Inc., 2025 WL 2689267 (N.D. Cal. Sept. 19, 2025).Continue Reading California Court Dismisses Hotel Website Wiretapping Suit Based on “In Transit” Requirement
California Court Dismisses CIPA Suit Alleging Use of Email Marketing Pixels
Recently, a California federal judge dismissed a suit challenging the use of third-party email marketing pixels by clothing retailer Gap, Inc., concluding plaintiff’s “scattershot and vague assertions” were insufficient to state a plausible claim under the California Invasion of Privacy Act (“CIPA”). Ramos v. Gap, Inc., 2025 WL 2144837 (N.D. Cal. July 29, 2025).Continue Reading California Court Dismisses CIPA Suit Alleging Use of Email Marketing Pixels
D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA
In Nicole Pileggi v. Washington Newspaper Publishing Company LLC, the D.C. Circuit unanimously affirmed the district court’s dismissal of a complaint alleging that news magazine and website Washington Examiner disclosed consumers’ personal information through a third-party pixel in violation of the Video Privacy Protection Act (“VPPA”).
In 2023, Pileggi alleged that the Examiner’s use of a third-party pixel on its site gave the third party the ability to collect website visitors’ personal information, including IP addresses and titles of videos they had watched. The District Court for the District of Columbia granted the Examiner’s motion to dismiss early last year, holding that Pileggi was not a “consumer” under the VPPA and that she failed to establish the requisite connection between her subscription to the Examiner’s newsletter and the video information allegedly disclosed.Continue Reading D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA