In a consolidated putative class action arising out of an alleged data breach, In re A-Line Staffing Solutions Data Security Incident Litigation, Case No. 24-cv-11917 (E.D. Mich. May 27, 2026), a Michigan district court declined to dismiss the complaint under Rule 12(b)(1) but granted the defendant’s motion to dismiss without prejudice on Rule 12(b)(6) grounds. The decision exemplifies a theme in such data breach cases: even where plaintiffs clear the Article III standing hurdle, their allegations may still fail to state a claim.
Continue Reading Standing Found, But Negligence Fails: Eastern District of Michigan Dismisses Data Breach Claims for Lack of CausationData Privacy
Third Circuit Addresses Standing in Website Wiretapping Claims—Again
By Marianne Spencer on
The Third Circuit continues to draw a firm line on Article III standing in website “wiretapping” cases. Just weeks after the court’s decision in Harriet Carter Gifts, the court has issued yet another decision reinforcing that the alleged collection of data through third party tools does not create a concrete injury unless the tools capture truly sensitive, identifying information.
Continue Reading Third Circuit Addresses Standing in Website Wiretapping Claims—AgainFederal Court Rejects Claim that Cookies Are Illegal Trap and Trace Devices
By Erin Moore & Megan Rodgers on
Posted in Data Privacy and Cybersecurity
Many California-based privacy claims have turned on the application of longstanding statutes to modern technologies, with courts frequently holding that certain online tracking technologies can qualify as impermissible trap-and-trace devices in violation of California Penal Code section 638.51, part of the California Invasion of Privacy Act (CIPA). A recent decision from the Central District of California, however, signals that these arguments will not always succeed.
Continue Reading Federal Court Rejects Claim that Cookies Are Illegal Trap and Trace DevicesAnother Federal Court Dismisses Wiretapping Claims Premised on Crime-Tort Exception
By Vivian Wen, Jordan Joachim & Kathryn Cahoy on
Posted in Data Privacy and Cybersecurity
Another recent federal court decision endorsed the “heightened intent requirement” for satisfying the crime-tort exception of the federal Wiretap Act. Progin v. UMass Mem’l Health Care, Inc., 2026 WL 632770, at *4–5 (D. Mass. Mar. 6, 2026).
In Progin, the plaintiffs claimed that the defendants, healthcare and hospital…
Continue Reading Another Federal Court Dismisses Wiretapping Claims Premised on Crime-Tort ExceptionCourt Dismisses Federal Wiretap Claim Premised on Crime-Tort Exception, Rejects Aiding-and-Abetting Liability
By Kathryn Cahoy & Thea McCullough on
Posted in Data Privacy and Cybersecurity
A recent Washington federal court decision emphasizes two key federal Wiretap Act principles. First, the Act’s crime-tort exception only applies if there are plausible allegations that a party to the communication intercepted communications specifically to commit a separate wrongdoing. Second, the statute does not allow secondary liability for “procuring” an interception by a third party. Nichols v. PeaceHealth Networks on Demand LLC, 2026 WL 607763, at *3-4 (W.D. Wash. Mar. 4, 2026).
Continue Reading Court Dismisses Federal Wiretap Claim Premised on Crime-Tort Exception, Rejects Aiding-and-Abetting LiabilitySanctions Order in Website Wiretapping Suit Reinforces Importance of Early Fact Investigation
By Rachel Lia, Thea McCullough & Matthew Verdin on
Posted in Data Privacy and Cybersecurity, Litigation
In an effort to overcome hurdles to Article III standing, many website wiretapping suits today accuse businesses of unlawfully sharing sensitive health or financial data with third parties. However, Federal Rule of Civil Procedure 11(b) requires plaintiffs’ lawyers to ensure that these “factual contentions” in a complaint “have evidentiary support.” A California federal judge gave teeth to this requirement in a recent sanctions order, admonishing the plaintiff’s lawyers for “advancing unfounded and irrelevant allegations” about a business’s sharing of “health information.” Mitchener v. Talkspace Network LLC, No. 2:24-CV-07067-JAK (BFMX), 2026 WL 84466, at *3-4 (C.D. Cal. Jan. 7, 2026).
Continue Reading Sanctions Order in Website Wiretapping Suit Reinforces Importance of Early Fact InvestigationWebsite Wiretapping Roundup: 2025 Decisions and Developments
By Kathryn Cahoy, Jordan Joachim & Angela Li on
In 2025, courts continued to issue significant decisions concerning the application of wiretap and privacy laws to pixels, session replay, and other website technologies. Over the past year, we have featured posts discussing claims regarding website analytics and advertising tools brought under the federal Wiretap Act, the California Invasion of Privacy Act (“CIPA”), the Video Privacy Protection Act (“VPPA”), and other laws. A selection of posts highlighting important developments in this area is below.
Continue Reading Website Wiretapping Roundup: 2025 Decisions and DevelopmentsArbitrator Rejects Website Wiretapping Claims After Hearing
By Jordan Joachim on
Posted in Data Privacy and Cybersecurity
In a recently published award, an arbitrator rejected claims that Dick’s Sporting Goods, Inc. (“Dick’s”) violated the Federal Wiretap Act and the California Invasion of Privacy Act (“CIPA”) by purportedly installing website analytics and marketing technologies on its website after an evidentiary hearing. Asad v. Dick’s Sporting Goods, Inc., JAMS Ref. No. 5220005532 (Dec. 8, 2025).
Continue Reading Arbitrator Rejects Website Wiretapping Claims After HearingNinth Circuit Affirms Dismissal of Wiretap Claims Based on Party Exception
By Jordan Joachim on
Posted in Data Privacy and Cybersecurity, Ninth Circuit
On October 27, 2025, the Ninth Circuit affirmed in a memorandum opinion the dismissal of a proposed class action asserting that the owner of a cybersecurity browser extension violated the California Invasion of Privacy Act (“CIPA”) and the Electronic Communications Privacy Act (“ECPA”) by intercepting communications between extension-users and search engines. Karwowski v. Gen Digital, Inc., No. 24-7213, 2025 WL 3002610 (9th Cir. Oct. 27, 2025) (mem.). The Court held that the Plaintiffs failed to allege that the Defendant was not a party to the communications.
Continue Reading Ninth Circuit Affirms Dismissal of Wiretap Claims Based on Party ExceptionStanding in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web
Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions. On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.
Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks. Id. at *1. Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach. Id. They sued Elephant for alleged harms stemming from the breach. Id. at *3. Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not. Id. at *2. The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing. Id. But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two.
Continue Reading Standing in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web