Data Privacy

In an effort to overcome hurdles to Article III standing, many website wiretapping suits today accuse businesses of unlawfully sharing sensitive health or financial data with third parties.  However, Federal Rule of Civil Procedure 11(b) requires plaintiffs’ lawyers to ensure that these “factual contentions” in a complaint “have evidentiary support.”  A California federal judge gave teeth to this requirement in a recent sanctions order, admonishing the plaintiff’s lawyers for “advancing unfounded and irrelevant allegations” about a business’s sharing of “health information.”  Mitchener v. Talkspace Network LLC, No. 2:24-CV-07067-JAK (BFMX), 2026 WL 84466, at *3-4 (C.D. Cal. Jan. 7, 2026).Continue Reading Sanctions Order in Website Wiretapping Suit Reinforces Importance of Early Fact Investigation

In 2025, courts continued to issue significant decisions concerning the application of wiretap and privacy laws to pixels, session replay, and other website technologies. Over the past year, we have featured posts discussing claims regarding website analytics and advertising tools brought under the federal Wiretap Act, the California Invasion of Privacy Act (“CIPA”), the Video Privacy Protection Act (“VPPA”), and other laws.  A selection of posts highlighting important developments in this area is below. Continue Reading Website Wiretapping Roundup: 2025 Decisions and Developments 

In a recently published award, an arbitrator rejected claims that Dick’s Sporting Goods, Inc. (“Dick’s”) violated the Federal Wiretap Act and the California Invasion of Privacy Act (“CIPA”) by purportedly installing website analytics and marketing technologies on its website after an evidentiary hearing.  Asad v. Dick’s Sporting Goods, Inc., JAMS Ref. No. 5220005532 (Dec. 8, 2025).Continue Reading Arbitrator Rejects Website Wiretapping Claims After Hearing

On October 27, 2025, the Ninth Circuit affirmed in a memorandum opinion the dismissal of a proposed class action asserting that the owner of a cybersecurity browser extension violated the California Invasion of Privacy Act (“CIPA”) and the Electronic Communications Privacy Act (“ECPA”) by intercepting communications between extension-users and search engines. Karwowski v. Gen Digital, Inc., No. 24-7213, 2025 WL 3002610 (9th Cir. Oct. 27, 2025) (mem.).  The Court held that the Plaintiffs failed to allege that the Defendant was not a party to the communications.Continue Reading Ninth Circuit Affirms Dismissal of Wiretap Claims Based on Party Exception

Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions.  On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.

Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks.  Id. at *1.  Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach.  Id.  They sued Elephant for alleged harms stemming from the breach.  Id. at *3.  Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not.  Id. at *2.  The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing.  Id.  But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two. Continue Reading Standing in the Dark:  Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web

A federal court in North Carolina dismissed a putative data breach class action against Bojangles because the plaintiffs failed to show that there was an actual or imminent misuse of their personal information as a result of the breach.  Dougherty v. Bojangles’ Restaurants, Inc., 2025 WL 2810673 (W.D.N.C. Sept. 30, 2025).Continue Reading Federal Court Fries Data Breach Class Action for Lack of Standing

Recently, a California federal judge dismissed a suit alleging that Sojern, Inc., a travel marketing platform, violated the Federal Wiretap Act and California law by allegedly installing “tracking technology” on two hotel websites. Crano v. Sojern, Inc., 2025 WL 2689267 (N.D. Cal. Sept. 19, 2025).Continue Reading California Court Dismisses Hotel Website Wiretapping Suit Based on “In Transit” Requirement

In Nicole Pileggi v. Washington Newspaper Publishing Company LLC, the D.C. Circuit unanimously affirmed the district court’s dismissal of a complaint alleging that news magazine and website Washington Examiner disclosed consumers’ personal information through a third-party pixel in violation of the Video Privacy Protection Act (“VPPA”). 

In 2023, Pileggi alleged that the Examiner’s use of a third-party pixel on its site gave the third party the ability to collect website visitors’ personal information, including IP addresses and titles of videos they had watched.  The District Court for the District of Columbia granted the Examiner’s motion to dismiss early last year, holding that Pileggi was not a “consumer” under the VPPA and that she failed to establish the requisite connection between her subscription to the Examiner’s newsletter and the video information allegedly disclosed.Continue Reading D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA

After last year’s landmark ruling holding that the Massachusetts Wiretap Act does not prohibit businesses’ use of pixels to capture website browsing data, Massachusetts plaintiffs have shifted their focus to the federal Wiretap Act.  The problem: unlike the Massachusetts Wiretap Act, its federal counterpart is a “one-party consent” law, meaning that a business’s consent to the use of the pixels is enough to preclude liability.  Last month, a federal court held that a “crime-tort exception” to this consent exemption does not apply when website browsing data is collected for “commercial purposes or advantages.”  Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732 (D. Mass. June 24, 2025).Continue Reading Court Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”

Many businesses are being hit with demand letters and lawsuits challenging their use of website marketing tools, such as pixels, under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) prohibiting the use of “trap and trace devices.”  A California court recently added clarity to the meaning of this term: a pixel tool that captures the “contents” of a plaintiff’s website communications is “definitionally not a trap and trace device.”  Price v. Headspace, 2025 WL 1237977 (Cal. Sup. Ct. Apr. 1, 2025).Continue Reading Website Pixel Tool “Definitionally Not a Trap and Trace Device” Under CIPA