Data Privacy and Cybersecurity

The Illinois Supreme Court recently ruled that the named plaintiff in a putative data breach class action lacked standing to pursue her claims given that her private personal information had not actually been misused by a third party.

Continue Reading Illinois Supreme Court Rules That Plaintiff Lacks Standing to Bring Putative Data Breach Class Action

After removing a lawsuit brought against it in Pennsylvania state court under the Wiretapping and Electronic Surveillance Control Act (“WESCA”) to the United States District Court for the Eastern District of Pennsylvania, Prime Hydration LLC argued in its motion to dismiss that the plaintiff lacked Article III standing.  Judge Nitza I. Quiñones Alejandro agreed and remanded the case to state court.  Heaven v. Prime Hydration LLC, 2025 WL 42964, at *7 (E.D. Pa. Jan. 7, 2025).

Plaintiff Shantay Heaven filed a putative class action in the Philadelphia Court of Common Pleas asserting that Prime Hydration allowed third parties to track the activity of visitors to Prime Hydration’s website.  Id. at *1.  Plaintiff asserted that Prime Hydration integrated the third-party pixels into its website.  Id. at *2.  Those two pieces of code, Plaintiff alleged, allowed Prime Hydration to capture “her searches for drink flavors, . . . and that this information was transmitted to” the third-party servers.  Id. at *6.

Continue Reading Pennsylvania District Court Judge Remands Case After Finding No Article III Standing to Bring Wiretapping Claim

A California federal judge has largely granted summary judgment in a data privacy lawsuit against Yodlee, Inc., finding that two of the five plaintiffs lacked Article III standing for all remaining claims and that the three other plaintiffs lacked Article III standing for—and failed to create genuine disputes of fact on the merits about—two of their three remaining claims.  Covington represents Yodlee in this action.  Clark v. Yodlee, No. 20-cv-05991-SK (N.D. Cal.).

Continue Reading California Federal Court Grants Summary Judgment on Most Claims in Data Privacy Case

A court in the Northern District of California recently granted summary judgment to DDR Media LLC and Jornaya in a website wiretapping lawsuit under the California Invasion of Privacy Act (“CIPA”).  See Williams v. DDR Media, LLC, 2024 WL 4859078 (N.D. Cal. Nov. 20, 2024).  This decision represents a meaningful victory for defendants facing similar wiretapping claims.

Continue Reading California Federal Court Grants Summary Judgment to CIPA Defendants

Plaintiffs sometimes try to sidestep an arbitration agreement with one company by suing only a second company for interrelated conduct.  Last month, a California federal court applied principles of fairness under the doctrine of “equitable estoppel” to reject this tactic, holding that a software vendor (Twilio) could enforce a plaintiff’s arbitration agreement with a website operator (Keeps) that was not named as a defendant.  Perry-Hudson v. Twilio, Inc., 2024 WL 493333 (N.D. Cal. Dec. 2, 2024).

Continue Reading California Federal Court Allows Software Vendor to Enforce Website Operator’s Arbitration Agreement in Privacy Lawsuit

Dozens of lawsuits have started challenging businesses’ use of website tools to collect IP addresses under the “pen register” and “trap and trace device” provision of the California Invasion of Privacy Act (“CIPA”).  As we reported last month, a California court dismissed one of these lawsuits because of a

Continue Reading Another California Court Holds CIPA’s Pen Register Provision Does Not Prohibit the Collection of IP Addresses

A Colorado federal judge recently granted a motion to dismiss a putative class action against two healthcare software companies arising from a 2022 data breach in which a threat actor allegedly accessed personally identifiable information (“PII”) and protected health information (“PHI”) in “over 250,000 patient records.”  See Henderson v. Reventics, LLC, 2024 WL 5241386 (D. Colo. Sept. 30, 2024).

Continue Reading Colorado Federal Court Dismisses Data Breach Class Action for Lack of Article III Standing

Websites cannot load without the transmission of an IP address, which tells websites where to deliver the webpages displayed on a user’s browser.  Yet a number of lawsuits have started challenging this routine transmission of IP addresses under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) that

Continue Reading Court Holds CIPA’s Pen Register Provision Does Not Impose Liability for “What Makes the Internet Possible.”

In a putative consumer data breach class action, a court in the Northern District of California recently denied a cloud solution company’s motion to dismiss the plaintiffs’ negligence claim, finding that the plaintiffs plausibly alleged that the company owed consumers a duty of care. See In re Accellion, Inc. Data Breach Litig., 2024 WL 4592367 (N.D. Cal. Oct. 28, 2024).

Continue Reading California Federal Court Finds Plaintiffs Plausibly Alleged That Cloud Solution Company Owed Consumers Duty of Care

An Illinois federal court has held that the state’s recent amendment to its Biometric Information Privacy Act (“BIPA”) capping damages to one recovery for repeated identical violations applies to cases filed prior to its enactment. Gregg v. Cent. Transp. LLC, 2024 WL 4766297, at *3 (N.D. Ill. Nov. 13, 2024).

Continue Reading Illinois Federal Court Rules BIPA Single-Violation Amendment Applies Retroactively