Data Privacy

In Nicole Pileggi v. Washington Newspaper Publishing Company LLC, the D.C. Circuit unanimously affirmed the district court’s dismissal of a complaint alleging that news magazine and website Washington Examiner disclosed consumers’ personal information through a third-party pixel in violation of the Video Privacy Protection Act (“VPPA”). 

In 2023, Pileggi alleged that the Examiner’s use of a third-party pixel on its site gave the third party the ability to collect website visitors’ personal information, including IP addresses and titles of videos they had watched.  The District Court for the District of Columbia granted the Examiner’s motion to dismiss early last year, holding that Pileggi was not a “consumer” under the VPPA and that she failed to establish the requisite connection between her subscription to the Examiner’s newsletter and the video information allegedly disclosed.Continue Reading D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA

After last year’s landmark ruling holding that the Massachusetts Wiretap Act does not prohibit businesses’ use of pixels to capture website browsing data, Massachusetts plaintiffs have shifted their focus to the federal Wiretap Act.  The problem: unlike the Massachusetts Wiretap Act, its federal counterpart is a “one-party consent” law, meaning that a business’s consent to the use of the pixels is enough to preclude liability.  Last month, a federal court held that a “crime-tort exception” to this consent exemption does not apply when website browsing data is collected for “commercial purposes or advantages.”  Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732 (D. Mass. June 24, 2025).Continue Reading Court Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”

Many businesses are being hit with demand letters and lawsuits challenging their use of website marketing tools, such as pixels, under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) prohibiting the use of “trap and trace devices.”  A California court recently added clarity to the meaning of this term: a pixel tool that captures the “contents” of a plaintiff’s website communications is “definitionally not a trap and trace device.”  Price v. Headspace, 2025 WL 1237977 (Cal. Sup. Ct. Apr. 1, 2025).Continue Reading Website Pixel Tool “Definitionally Not a Trap and Trace Device” Under CIPA

User consent bars website wiretapping claims brought under the California Invasion of Privacy Act (“CIPA”).  As we reported on here, one way users may consent to the use of third-party website technologies is during a checkout process, such as via a checkbox indicating agreement to a website’s privacy policy.  But is consent negated if a 10-minute timer begins counting down the moment a user enters that checkout process?  A California court answered no in Washington v. Flixbus, Inc., 2025 WL 1592961 (S.D. Cal. June 5, 2025), rejecting a plaintiff’s argument that a countdown timer “imposes undue pressure that negates any consent.”Continue Reading User Consent Provided Under Time Pressure Is Still Consent Barring CIPA Suit

Last week, the Second Circuit affirmed dismissal of a putative class action under the Video Privacy Protection Act (VPPA), holding that the alleged transmission of code containing video titles and a unique user ID to a third-party is not a disclosure of “personally identifiable information” (PII). The decision, Solomon v. Flipps Media, Inc., 23‐7597 (2d Cir. May 1, 2025), aligns the Second Circuit with the Third and Ninth Circuits in holding that the VPPA only prohibits the disclosure of information that would “readily permit an ordinary person to identify a specific individual’s video-watching behavior.” Continue Reading Second Circuit Affirms VPPA Dismissal: Data Is Not “Personally Identifiable Information” If Only Experts Can Decipher It

Lawsuits targeting businesses’ use of website tools under the California Invasion of Privacy Act (“CIPA”) increasingly are filed by so-called “tester” plaintiffs.  These plaintiffs seek out websites to “test” for potential CIPA violations and then file lawsuits seeking damages for those alleged violations.  A California federal court recently confirmed that

Continue Reading “Tester” Plaintiff Who “Actively Seeks Out Privacy Violations” Lacks Standing to Pursue CIPA Claim

The Ninth Circuit recently reversed an $800,000 attorney fee award in a data breach class action because the award accounted for too large a portion of the total value of the settlement. In re California Pizza Kitchen Data Breach Litig., — F.4th —, 2025 WL 583419 (9th Cir. Feb. 24, 2025).Continue Reading Ninth Circuit Shoots Down Fee Award in Data Breach Class Action

The Illinois Supreme Court recently ruled that the named plaintiff in a putative data breach class action lacked standing to pursue her claims given that her private personal information had not actually been misused by a third party.Continue Reading Illinois Supreme Court Rules That Plaintiff Lacks Standing to Bring Putative Data Breach Class Action

After removing a lawsuit brought against it in Pennsylvania state court under the Wiretapping and Electronic Surveillance Control Act (“WESCA”) to the United States District Court for the Eastern District of Pennsylvania, Prime Hydration LLC argued in its motion to dismiss that the plaintiff lacked Article III standing.  Judge Nitza I. Quiñones Alejandro agreed and remanded the case to state court.  Heaven v. Prime Hydration LLC, 2025 WL 42964, at *7 (E.D. Pa. Jan. 7, 2025).

Plaintiff Shantay Heaven filed a putative class action in the Philadelphia Court of Common Pleas asserting that Prime Hydration allowed third parties to track the activity of visitors to Prime Hydration’s website.  Id. at *1.  Plaintiff asserted that Prime Hydration integrated the third-party pixels into its website.  Id. at *2.  Those two pieces of code, Plaintiff alleged, allowed Prime Hydration to capture “her searches for drink flavors, . . . and that this information was transmitted to” the third-party servers.  Id. at *6.Continue Reading Pennsylvania District Court Judge Remands Case After Finding No Article III Standing to Bring Wiretapping Claim

A Pennsylvania court recently dismissed a wiretapping complaint filed against a trio of defendants for lack of Article III standing, lack of personal jurisdiction, and failure to state a claim in Ingrao v. Addshoppers, Inc., 2024 WL 4892514 (E.D. Pa. Nov. 25, 2024).

The two plaintiffs in this case

Continue Reading Pennsylvania Court Dismisses A Trio of Defendants in Website Wiretapping Suit Challenging Email Marketing Program