Data Privacy and Cybersecurity

Dozens of lawsuits have started challenging businesses’ use of website tools to collect IP addresses under the “pen register” and “trap and trace device” provision of the California Invasion of Privacy Act (“CIPA”).  As we reported last month, a California court dismissed one of these lawsuits because of a

Continue Reading Another California Court Holds CIPA’s Pen Register Provision Does Not Prohibit the Collection of IP Addresses

A Colorado federal judge recently granted a motion to dismiss a putative class action against two healthcare software companies arising from a 2022 data breach in which a threat actor allegedly accessed personally identifiable information (“PII”) and protected health information (“PHI”) in “over 250,000 patient records.”  See Henderson v. Reventics, LLC, 2024 WL 5241386 (D. Colo. Sept. 30, 2024).

Continue Reading Colorado Federal Court Dismisses Data Breach Class Action for Lack of Article III Standing

Websites cannot load without the transmission of an IP address, which tells websites where to deliver the webpages displayed on a user’s browser.  Yet a number of lawsuits have started challenging this routine transmission of IP addresses under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) that

Continue Reading Court Holds CIPA’s Pen Register Provision Does Not Impose Liability for “What Makes the Internet Possible.”

In a putative consumer data breach class action, a court in the Northern District of California recently denied a cloud solution company’s motion to dismiss the plaintiffs’ negligence claim finding that the plaintiffs plausibly alleged that the company owed consumers a duty of care. See In re Accellion, Inc. Data Breach Litig., 2024 WL 4592367 (N.D. Cal. Oct. 28, 2024).

Continue Reading California Federal Court Finds Plaintiffs Plausibly Alleged That Cloud Solution Company Owed Consumers Duty of Care

An Illinois federal court has held that the state’s recent amendment to its Biometric Information Privacy Act (“BIPA”) capping damages to one recovery for repeated identical violations applies to cases filed prior to its enactment. Gregg v. Cent. Transp. LLC, 2024 WL 4766297, at *3 (N.D. Ill. Nov. 13, 2024).

Continue Reading Illinois Federal Court Rules BIPA Single-Violation Amendment Applies Retroactively

Massachusetts’s highest court has ruled that website operators’ use of third-party technology, including Google Analytics and Meta Pixel, to collect data on individuals’ browsing of and interactions with websites does not violate the state’s anti-wiretapping law. Vita v. New England Baptist Hospital, No. SJC-13542, 2024 WL 4558621, at *16 (Mass. Oct. 24, 2024). The court explained that those activities do not clearly amount to the person-to-person communications the 1960s-era statute is intended to cover.

Continue Reading Massachusetts Supreme Judicial Court Holds That Third-Party Technologies Relating to Web Browsing Do Not Violate Massachusetts Wiretap Act

The Northern District of Ohio recently granted summary judgment to Ancestry.com in a putative class action asserting that Ancestry.com violated plaintiff’s rights to publicity and privacy by using his yearbook photos in marketing materials without consent.  See Wilson v. Ancestry.com, 2024 WL 3992356 (N.D. Ohio Aug. 27, 2024).

Continue Reading Ohio Federal Court Grants Summary Judgment on Right of Publicity and Invasion of Privacy Claims Involving Yearbook Photos

A California federal judge has denied class certification in a data privacy lawsuit against Yodlee, Inc., finding that the proposed class representatives lacked Article III standing and failed to satisfy Rule 23’s typicality and adequacy requirements.  Covington represents Yodlee in this action.  Clark v. Yodlee, No. 20-cv-05991-SK (N.D. Cal.)

Continue Reading California Federal Court Denies Class Certification in Data Privacy Case

The California Invasion of Privacy Act (CIPA) provides a private right of action only to those who have “been injured by a violation of” CIPA.  A California Superior Court decision, Rodriguez v. Fountain9, Inc., 2024 WL 3886811, at *4 (Cal. Super. July 9, 2024), confirmed that a plaintiff cannot satisfy this statutory standing requirement unless the plaintiff alleges “a concrete injury-in-fact.”

Continue Reading California State Court Holds That A Concrete Injury-In-Fact Is Required To Bring Claims Under CIPA

A Central District of California court recently dismissed a putative privacy class action after determining that the movie theater defendants were not Video Tape Service Providers as defined by the Video Privacy Protection Act (“VPPA”).  See Walsh v. California Cinema Investments LLC, 2024 WL 3593569 (C.D. Cal. July 29, 2024).  Two other California federal courts recently have reached similar conclusions, and appeals of those rulings are currently pending before the Ninth Circuit.  See Garza v. Alamo Intermediate II Holdings, LLC, 2024 WL 1171737, at *1 (N.D. Cal. Mar. 19, 2024); Osheske v. Silver Cinemas Acquisition Co., 700 F. Supp. 3d 921 (C.D. Cal. 2023).

Continue Reading Another California Federal Court Rules Movie Theater Is Not “Video Tape Service Provider” Under the VPPA.