Data Privacy and Cybersecurity

A federal court in North Carolina dismissed a putative data breach class action against Bojangles because the plaintiffs failed to show that there was an actual or imminent misuse of their personal information as a result of the breach.  Dougherty v. Bojangles’ Restaurants, Inc., 2025 WL 2810673 (W.D.N.C. Sept. 30, 2025).Continue Reading Federal Court Fries Data Breach Class Action for Lack of Standing

Recently, a California federal judge dismissed a suit alleging that Sojern, Inc., a travel marketing platform, violated the Federal Wiretap Act and California law by allegedly installing “tracking technology” on two hotel websites. Crano v. Sojern, Inc., 2025 WL 2689267 (N.D. Cal. Sept. 19, 2025).Continue Reading California Court Dismisses Hotel Website Wiretapping Suit Based on “In Transit” Requirement

Recently, a California federal judge dismissed a suit challenging the use of third-party email marketing pixels by clothing retailer Gap, Inc., concluding plaintiff’s “scattershot and vague assertions” were insufficient to state a plausible claim under the California Invasion of Privacy Act (“CIPA”). Ramos v. Gap, Inc., 2025 WL 2144837 (N.D. Cal. July 29, 2025).Continue Reading California Court Dismisses CIPA Suit Alleging Use of Email Marketing Pixels

In Nicole Pileggi v. Washington Newspaper Publishing Company LLC, the D.C. Circuit unanimously affirmed the district court’s dismissal of a complaint alleging that news magazine and website Washington Examiner disclosed consumers’ personal information through a third-party pixel in violation of the Video Privacy Protection Act (“VPPA”). 

In 2023, Pileggi alleged that the Examiner’s use of a third-party pixel on its site gave the third party the ability to collect website visitors’ personal information, including IP addresses and titles of videos they had watched.  The District Court for the District of Columbia granted the Examiner’s motion to dismiss early last year, holding that Pileggi was not a “consumer” under the VPPA and that she failed to establish the requisite connection between her subscription to the Examiner’s newsletter and the video information allegedly disclosed.Continue Reading D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA

After last year’s landmark ruling holding that the Massachusetts Wiretap Act does not prohibit businesses’ use of pixels to capture website browsing data, Massachusetts plaintiffs have shifted their focus to the federal Wiretap Act.  The problem: unlike the Massachusetts Wiretap Act, its federal counterpart is a “one-party consent” law, meaning that a business’s consent to the use of the pixels is enough to preclude liability.  Last month, a federal court held that a “crime-tort exception” to this consent exemption does not apply when website browsing data is collected for “commercial purposes or advantages.”  Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732 (D. Mass. June 24, 2025).Continue Reading Court Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”

Heath and health-adjacent websites, from home pregnancy test companies to eyewear companies, continue to be a target for wiretapping lawsuits if they use pixels or other common-place third-party technologies.  A Texas federal court recently dismissed one such suit challenging the use of website pixels by Eyemart Express, LLC, a company

Continue Reading Eyewear Company Wins Dismissal of Pixel Wiretapping Suit

In a decision with implications for classwide settlement of privacy lawsuits, Magistrate Judge Joseph C. Spero of the Northern District of California held that claims under the Video Privacy Protection Act (VPPA) are personal to individual class members and therefore not assignable to third parties.  The decision, Stark v. Patreon, Inc., No. 22-cv-03131-JCS (N.D. Cal. June 5, 2025), invalidated a mass opt-out effort orchestrated by Lexclaim Recovery Group US LLC (“Lexclaim”), a third-party entity that claimed it was founded to “help people recover a greater share of the money to which they would be entitled in class action cases.”Continue Reading California Federal Court Holds VPPA Claims Are Not Assignable, Rejecting Third-Party Opt-Out Scheme

Many businesses are being hit with demand letters and lawsuits challenging their use of website marketing tools, such as pixels, under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) prohibiting the use of “trap and trace devices.”  A California court recently added clarity to the meaning of this term: a pixel tool that captures the “contents” of a plaintiff’s website communications is “definitionally not a trap and trace device.”  Price v. Headspace, 2025 WL 1237977 (Cal. Sup. Ct. Apr. 1, 2025).Continue Reading Website Pixel Tool “Definitionally Not a Trap and Trace Device” Under CIPA

User consent bars website wiretapping claims brought under the California Invasion of Privacy Act (“CIPA”).  As we reported on here, one way users may consent to the use of third-party website technologies is during a checkout process, such as via a checkbox indicating agreement to a website’s privacy policy.  But is consent negated if a 10-minute timer begins counting down the moment a user enters that checkout process?  A California court answered no in Washington v. Flixbus, Inc., 2025 WL 1592961 (S.D. Cal. June 5, 2025), rejecting a plaintiff’s argument that a countdown timer “imposes undue pressure that negates any consent.”Continue Reading User Consent Provided Under Time Pressure Is Still Consent Barring CIPA Suit

Capture of personal or private information is a prerequisite to Article III standing in wiretapping cases brought under the California Invasion of Privacy Act (“CIPA”).  As we reported on here, when a plaintiff fails to plead the capture of any such information, courts have dismissed the plaintiff’s complaint for

Continue Reading Collection of Website Visit Time Stamp Not Enough to Confer Article III Standing