In a win for businesses using third-party technologies to power their websites, a California federal court applied the Ninth Circuit’s recent decision in Popa v. Microsoft Corporation to dismiss a “pen register” claim brought under the California Invasion of Privacy Act (“CIPA”) for lack of Article III standing. Khamooshi v. Politico LLC, No. 24-cv-07836-SK, 2025 WL 2822879 (N.D. Cal. Oct. 2, 2025). “As in Popa,” the Khamooshi court held that the plaintiffs—who alleged the collection of their device type, browser type, and “device fingerprints”—“identifie[d] no embarrassing, invasive, or otherwise private information collected,” as required to establish an Article III injury.
Continue Reading Court Applies Popa to Dismiss CIPA Pen Register Claim for Lack of Article III StandingStanding in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web
Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions. On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.
Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks. Id. at *1. Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach. Id. They sued Elephant for alleged harms stemming from the breach. Id. at *3. Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not. Id. at *2. The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing. Id. But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two.
Continue Reading Standing in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web
Illinois Court Narrows Lawsuit Over Medical Center’s Use of Pixel Technology and Strikes Class Claims
In a recent decision by the United States District Court for the Northern District of Illinois, Judge Georgia N. Alexakis narrowed and struck class claims alleging that the University of Chicago Medical Center’s use of pixel technology violated the Electronic Communications Privacy Act (ECPA).
The plaintiff, Sophia Hartley, asserted on
Continue Reading Illinois Court Narrows Lawsuit Over Medical Center’s Use of Pixel Technology and Strikes Class ClaimsFederal Court Fries Data Breach Class Action for Lack of Standing
A federal court in North Carolina dismissed a putative data breach class action against Bojangles because the plaintiffs failed to show that there was an actual or imminent misuse of their personal information as a result of the breach. Dougherty v. Bojangles’ Restaurants, Inc., 2025 WL 2810673 (W.D.N.C. Sept. 30, 2025).
Continue Reading Federal Court Fries Data Breach Class Action for Lack of StandingCalifornia Court Dismisses Hotel Website Wiretapping Suit Based on “In Transit” Requirement
Recently, a California federal judge dismissed a suit alleging that Sojern, Inc., a travel marketing platform, violated the Federal Wiretap Act and California law by allegedly installing “tracking technology” on two hotel websites. Crano v. Sojern, Inc., 2025 WL 2689267 (N.D. Cal. Sept. 19, 2025).
Continue Reading California Court Dismisses Hotel Website Wiretapping Suit Based on “In Transit” RequirementCalifornia Court Dismisses CIPA Suit Alleging Use of Email Marketing Pixels
Recently, a California federal judge dismissed a suit challenging the use of third-party email marketing pixels by clothing retailer Gap, Inc., concluding plaintiff’s “scattershot and vague assertions” were insufficient to state a plausible claim under the California Invasion of Privacy Act (“CIPA”). Ramos v. Gap, Inc., 2025 WL 2144837 (N.D. Cal. July 29, 2025).
Continue Reading California Court Dismisses CIPA Suit Alleging Use of Email Marketing PixelsD.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA
In Nicole Pileggi v. Washington Newspaper Publishing Company LLC, the D.C. Circuit unanimously affirmed the district court’s dismissal of a complaint alleging that news magazine and website Washington Examiner disclosed consumers’ personal information through a third-party pixel in violation of the Video Privacy Protection Act (“VPPA”).
In 2023, Pileggi alleged that the Examiner’s use of a third-party pixel on its site gave the third party the ability to collect website visitors’ personal information, including IP addresses and titles of videos they had watched. The District Court for the District of Columbia granted the Examiner’s motion to dismiss early last year, holding that Pileggi was not a “consumer” under the VPPA and that she failed to establish the requisite connection between her subscription to the Examiner’s newsletter and the video information allegedly disclosed.
Continue Reading D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPACourt Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”
After last year’s landmark ruling holding that the Massachusetts Wiretap Act does not prohibit businesses’ use of pixels to capture website browsing data, Massachusetts plaintiffs have shifted their focus to the federal Wiretap Act. The problem: unlike the Massachusetts Wiretap Act, its federal counterpart is a “one-party consent” law, meaning that a business’s consent to the use of the pixels is enough to preclude liability. Last month, a federal court held that a “crime-tort exception” to this consent exemption does not apply when website browsing data is collected for “commercial purposes or advantages.” Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732 (D. Mass. June 24, 2025).
Continue Reading Court Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”Eyewear Company Wins Dismissal of Pixel Wiretapping Suit
Heath and health-adjacent websites, from home pregnancy test companies to eyewear companies, continue to be a target for wiretapping lawsuits if they use pixels or other common-place third-party technologies. A Texas federal court recently dismissed one such suit challenging the use of website pixels by Eyemart Express, LLC, a company
Continue Reading Eyewear Company Wins Dismissal of Pixel Wiretapping SuitCalifornia Federal Court Holds VPPA Claims Are Not Assignable, Rejecting Third-Party Opt-Out Scheme
In a decision with implications for classwide settlement of privacy lawsuits, Magistrate Judge Joseph C. Spero of the Northern District of California held that claims under the Video Privacy Protection Act (VPPA) are personal to individual class members and therefore not assignable to third parties. The decision, Stark v. Patreon, Inc., No. 22-cv-03131-JCS (N.D. Cal. June 5, 2025), invalidated a mass opt-out effort orchestrated by Lexclaim Recovery Group US LLC (“Lexclaim”), a third-party entity that claimed it was founded to “help people recover a greater share of the money to which they would be entitled in class action cases.”
Continue Reading California Federal Court Holds VPPA Claims Are Not Assignable, Rejecting Third-Party Opt-Out Scheme