Last week, a judge in the Eastern District of Pennsylvania dismissed a putative class’s wiretapping claims against health insurer Cigna. Adair v. Cigna Corporate Services, LLC, 2026 WL 295744 (E.D. Pa. Feb. 4, 2026). Five plaintiffs alleged that Cigna traded insureds’ privacy for commercial gain by embedding third-party tracking tools throughout its website and member portals. Id. at *1. On their own behalf and on behalf of a proposed class, they brought claims under the Electronic Communications Privacy Act of 1986 (“ECPA”) and the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”), together with common law intrusion-upon-seclusion, breach of fiduciary duty, and unjust enrichment claims. Id. at *2.
California Court Dismisses Wiretapping Claims Regarding Retailer’s Website Chat Feature on Summary Judgment
In a recent decision from the Superior Court of California for Los Angeles County, Judge Carolyn B. Kuhl granted summary judgment and dismissed a putative class action alleging that an online retailer, I Am Beyond d/b/a Beyond Yoga, had aided and abetted violations of the California Invasion of Privacy Act…
Website Wiretapping Roundup: 2025 Decisions and Developments
In 2025, courts continued to issue significant decisions concerning the application of wiretap and privacy laws to pixels, session replay, and other website technologies. Over the past year, we have featured posts discussing claims regarding website analytics and advertising tools brought under the federal Wiretap Act, the California Invasion of Privacy Act (“CIPA”), the Video Privacy Protection Act (“VPPA”), and other laws. A selection of posts highlighting important developments in this area is below.
Arbitrator Rejects Website Wiretapping Claims After Hearing
In a recently published award issued after an evidentiary hearing, an arbitrator rejected claims that Dick’s Sporting Goods, Inc. (“Dick’s”) violated the Federal Wiretap Act and the California Invasion of Privacy Act (“CIPA”) by purportedly installing website analytics and marketing technologies on its website. Asad v. Dick’s Sporting Goods, Inc., JAMS Ref. No. 5220005532 (Dec. 8, 2025).
Third Circuit Affirms Dismissal of CIPA and CMIA Claims
Last week, the Third Circuit affirmed dismissal of a putative class action asserting that defendant Quest Diagnostics violated the California Invasion of Privacy Act (“CIPA”) and the Confidentiality of Medical Information Act (“CMIA”) by employing a website pixel to track and collect data about plaintiffs’ website activity for advertising purposes. See Cole v. Quest Diagnostics Inc., No. 25-1449, 2025 WL 3172640 (3d Cir. Nov. 13, 2025). The Third Circuit held that Quest was not liable under CIPA for aiding and abetting wiretapping because no wiretapping had occurred, nor under CMIA because Plaintiffs had not alleged the disclosure of protected “medical information.”
California Court Grants Summary Judgment for Defendant, Urging the California Legislature to “Bring CIPA”—“A Total Mess”—“Into the Modern Age”
Recently, a California federal court granted summary judgment for defendant Eating Recovery Center (“ERC”) on a plaintiff’s California Invasion of Privacy Act (“CIPA”) § 631(a) wiretapping claim, joining other California federal courts that have granted summary judgment on CIPA claims for a plaintiff’s failure to “satisfy [CIPA’s] ‘in transit’ requirement as a matter of law.” In granting summary judgment, the court critiqued CIPA’s language as “ill-suited for application to internet communications” and called upon the California Legislature to “step up” and “speak clearly” about whether and how CIPA applies to website-based data collection tools. Doe v. Eating Recovery Ctr., LLC, –F. Supp. 3d–, 2025 WL 2971090 (N.D. Cal. Oct. 17, 2025).
Ninth Circuit Affirms Dismissal of Wiretap Claims Based on Party Exception
On October 27, 2025, the Ninth Circuit affirmed in a memorandum opinion the dismissal of a proposed class action asserting that the owner of a cybersecurity browser extension violated the California Invasion of Privacy Act (“CIPA”) and the Electronic Communications Privacy Act (“ECPA”) by intercepting communications between extension-users and search engines. Karwowski v. Gen Digital, Inc., No. 24-7213, 2025 WL 3002610 (9th Cir. Oct. 27, 2025) (mem.). The Court held that the Plaintiffs failed to allege that the Defendant was not a party to the communications.
Court Applies Popa to Dismiss CIPA Pen Register Claim for Lack of Article III Standing
In a win for businesses using third-party technologies to power their websites, a California federal court applied the Ninth Circuit’s recent decision in Popa v. Microsoft Corporation to dismiss a “pen register” claim brought under the California Invasion of Privacy Act (“CIPA”) for lack of Article III standing. Khamooshi v. Politico LLC, No. 24-cv-07836-SK, 2025 WL 2822879 (N.D. Cal. Oct. 2, 2025). “As in Popa,” the Khamooshi court held that the plaintiffs—who alleged the collection of their device type, browser type, and “device fingerprints”—“identifie[d] no embarrassing, invasive, or otherwise private information collected,” as required to establish an Article III injury.
Standing in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web
Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions. On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.
Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks. Id. at *1. Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach. Id. They sued Elephant for alleged harms stemming from the breach. Id. at *3. Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not. Id. at *2. The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing. Id. But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two.
Illinois Court Narrows Lawsuit Over Medical Center’s Use of Pixel Technology and Strikes Class Claims
In a recent decision by the United States District Court for the Northern District of Illinois, Judge Georgia N. Alexakis narrowed and struck class claims alleging that the University of Chicago Medical Center’s use of pixel technology violated the Electronic Communications Privacy Act (ECPA).
The plaintiff, Sophia Hartley, asserted on…