Data Privacy and Cybersecurity

On Thursday, March 13, 2025, New York Attorney General Letitia James announced proposed legislation to expand New York’s consumer protection law: the Fostering Affordability and Integrity through Reasonable (FAIR) Business Practices Act (“the Act”). The Act would update and expand New York’s current consumer protection law, Sections 349 and 350 of the New York General Business Law (“GBL”), to encompass a broader range of practices and claims.

The current versions of Sections 349 and 350 make unlawful certain deceptive business acts and practices and false advertising. The Act would amend Section 349 to cover not only “deceptive” business acts and practices, but also conduct that may fall under vague definitions of “unfair” and “abusive” acts and practices. The Act would further expand Section 349 by making it applicable “regardless of whether or not that act or practice is consumer-oriented [or] has a public impact or impact on consumers ….” The Act would also increase statutory damages to $1,000 and grant standing to organizations and third parties to the fullest extent otherwise permitted by law. However, the Act would also create affirmative defenses that limit plaintiffs to individuals and small entities, and exclude acts or practices that could be addressed by federal securities or intellectual property laws or that involve “high-value experienced commercial transaction[s]” directed exclusively to the parties to such transactions.

Continue Reading New York Proposes New Consumer Protection Law

Court decisions addressing “pen register” claims brought under the California Invasion of Privacy Act (“CIPA”) have started trickling in after last year saw an uptick in these claims targeting businesses’ use of website tools.  Two more California courts recently joined a growing trend dismissing pen register claims, but they did so on new grounds: one confirmed that CIPA’s pen register provision was not intended to cover “internet communications,” and another held that a website tool that allegedly collected “identifying information about visitors’ devices, from visitors’ devices” does not constitute a “pen register” or “trap and trace device.”  See Aviles v. Liveramp, Inc., 2025 WL 487196 (Cal. Super. Jan. 28, 2025); Sanchez v. Cars.com Inc., 2025 WL 487194 (Cal. Super. Jan. 27, 2025).

Continue Reading Courts Hold CIPA’s Pen Register Provision Does Not Apply to Internet Communications or to Alleged Data Collection “About Visitors’ Devices, From Visitors’ Devices”

A fan of celebrity LL Cool J filed a wiretapping suit against Community.com (“Community”), claiming that Community accessed her text message to LL Cool J in violation of the federal Wiretap Act and the California Invasion of Privacy Act (“CIPA”).  In an unpublished opinion highlighting that Section 632 of CIPA does not protect communications that are by nature a recorded medium, the Ninth Circuit affirmed dismissal of the plaintiff’s claims. See Boulton v. Community.com, Inc., No. 23-3145, 2025 WL 314813 (9th Cir. Jan. 28, 2025).

Continue Reading Ninth Circuit Affirms Dismissal of CIPA and Wiretap Act Claims Against Celebrity Platform

Website analytics and advertising tools, such as pixels, are regularly targeted in lawsuits brought under various wiretap laws, including the federal Wiretap Act and the California Invasion of Privacy Act (“CIPA”).  Over the last several months, we have featured posts discussing an important decision from Massachusetts’ highest court about the availability of website wiretap suits under Massachusetts law, an opinion from a California court about a new “pen register” theory under CIPA, and more.  These posts, and other highlights, include the following:

Continue Reading Website Wiretapping Litigation: Recent Decisions and Developments

Last month, a New Jersey federal judge applied Third Circuit precedent to hold that the California Invasion of Privacy Act (“CIPA”) does not impose liability for commonplace use of website marketing/analytics pixels under the well-established party exception.  Cole v. Quest Diagnostics, Inc., 2025 WL 88703 (D.N.J. Jan. 14, 2025).

Continue Reading New Jersey Court Applies CIPA’s Party Exception to Pixel Wiretap Complaint

The Illinois Supreme Court recently ruled that the named plaintiff in a putative data breach class action lacked standing to pursue her claims given that her private personal information had not actually been misused by a third party.

Continue Reading Illinois Supreme Court Rules That Plaintiff Lacks Standing to Bring Putative Data Breach Class Action

After removing a lawsuit brought against it in Pennsylvania state court under the Wiretapping and Electronic Surveillance Control Act (“WESCA”) to the United States District Court for the Eastern District of Pennsylvania, Prime Hydration LLC argued in its motion to dismiss that the plaintiff lacked Article III standing.  Judge Nitza I. Quiñones Alejandro agreed and remanded the case to state court.  Heaven v. Prime Hydration LLC, 2025 WL 42964, at *7 (E.D. Pa. Jan. 7, 2025).

Plaintiff Shantay Heaven filed a putative class action in the Philadelphia Court of Common Pleas asserting that Prime Hydration allowed third parties to track the activity of visitors to Prime Hydration’s website.  Id. at *1.  Plaintiff asserted that Prime Hydration integrated the third-party pixels into its website.  Id. at *2.  Those two pieces of code, Plaintiff alleged, allowed Prime Hydration to capture “her searches for drink flavors, . . . and that this information was transmitted to” the third-party servers.  Id. at *6.

Continue Reading Pennsylvania District Court Judge Remands Case After Finding No Article III Standing to Bring Wiretapping Claim

A California federal judge has largely granted summary judgment in a data privacy lawsuit against Yodlee, Inc., finding that two of the five plaintiffs lacked Article III standing for all remaining claims and that the three other plaintiffs lacked Article III standing for—and failed to create genuine disputes of fact on the merits about—two of their three remaining claims.  Covington represents Yodlee in this action.  Clark v. Yodlee, No. 20-cv-05991-SK (N.D. Cal.).

Continue Reading California Federal Court Grants Summary Judgment on Most Claims in Data Privacy Case

A court in the Northern District of California recently granted summary judgment to DDR Media LLC and Jornaya in a website wiretapping lawsuit under the California Invasion of Privacy Act (“CIPA”).  See Williams v. DDR Media, LLC, 2024 WL 4859078 (N.D. Cal. Nov. 20, 2024).  This decision represents a meaningful victory for defendants facing similar wiretapping claims.

Continue Reading California Federal Court Grants Summary Judgment to CIPA Defendants

Plaintiffs sometimes try to sidestep an arbitration agreement with one company by suing only a second company for interrelated conduct.  Last month, a California federal court applied principles of fairness under the doctrine of “equitable estoppel” to reject this tactic, holding that a software vendor (Twilio) could enforce a plaintiff’s arbitration agreement with a website operator (Keeps) that was not named as a defendant.  Perry-Hudson v. Twilio, Inc., 2024 WL 493333 (N.D. Cal. Dec. 2, 2024).

Continue Reading California Federal Court Allows Software Vendor to Enforce Website Operator’s Arbitration Agreement in Privacy Lawsuit