Adding to a growing body of case law following the Ninth Circuit’s decision in Popa v. Microsoft Corporation, a California federal court has dismissed for lack of subject matter jurisdiction a privacy suit against a news website, holding that the plaintiffs failed to allege a concrete injury sufficient to establish Article III standing. In Re: USA Today Co., Inc. Internet Tracking Litigation, 2026 WL 932655, at *3 (N.D. Cal. Apr. 6, 2026).
Continue Reading Another Court Dismisses Website Privacy Suit for Lack of Article III Standingprivacy
Sanctions Order in Website Wiretapping Suit Reinforces Importance of Early Fact Investigation
By Rachel Lia, Thea McCullough & Matthew Verdin on
Posted in Data Privacy and Cybersecurity, Litigation
In an effort to overcome hurdles to Article III standing, many website wiretapping suits today accuse businesses of unlawfully sharing sensitive health or financial data with third parties. However, Federal Rule of Civil Procedure 11(b) requires plaintiffs’ lawyers to ensure that these “factual contentions” in a complaint “have evidentiary support.” A California federal judge gave teeth to this requirement in a recent sanctions order, admonishing the plaintiff’s lawyers for “advancing unfounded and irrelevant allegations” about a business’s sharing of “health information.” Mitchener v. Talkspace Network LLC, No. 2:24-CV-07067-JAK (BFMX), 2026 WL 84466, at *3-4 (C.D. Cal. Jan. 7, 2026).
Continue Reading Sanctions Order in Website Wiretapping Suit Reinforces Importance of Early Fact InvestigationStanding in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web
Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions. On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.
Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks. Id. at *1. Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach. Id. They sued Elephant for alleged harms stemming from the breach. Id. at *3. Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not. Id. at *2. The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing. Id. But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two.
Continue Reading Standing in the Dark: Fourth Circuit Finds Standing for Driver’s License Information on the Dark WebD.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA
By Deb Malamud on
In Nicole Pileggi v. Washington Newspaper Publishing Company LLC, the D.C. Circuit unanimously affirmed the district court’s dismissal of a complaint alleging that news magazine and website Washington Examiner disclosed consumers’ personal information through a third-party pixel in violation of the Video Privacy Protection Act (“VPPA”).
In 2023, Pileggi alleged that the Examiner’s use of a third-party pixel on its site gave the third party the ability to collect website visitors’ personal information, including IP addresses and titles of videos they had watched. The District Court for the District of Columbia granted the Examiner’s motion to dismiss early last year, holding that Pileggi was not a “consumer” under the VPPA and that she failed to establish the requisite connection between her subscription to the Examiner’s newsletter and the video information allegedly disclosed.
Continue Reading D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA“Tester” Plaintiff Who “Actively Seeks Out Privacy Violations” Lacks Standing to Pursue CIPA Claim
By Matthew Verdin on
Lawsuits targeting businesses’ use of website tools under the California Invasion of Privacy Act (“CIPA”) increasingly are filed by so-called “tester” plaintiffs. These plaintiffs seek out websites to “test” for potential CIPA violations and then file lawsuits seeking damages for those alleged violations. A California federal court recently confirmed that…
Continue Reading “Tester” Plaintiff Who “Actively Seeks Out Privacy Violations” Lacks Standing to Pursue CIPA ClaimRecording of Customer Service Call “Not Private or Personal Enough” to Confer Article III Standing
By Matthew Verdin on
Posted in Article III Standing
Many businesses use customer support software that may include call recording features to help ensure a better customer service experience. A California federal court dismissed a wiretapping lawsuit filed against a software company offering this software tool (TalkDesk), holding that TalkDesk’s alleged recording of customers’ conversations with clothing retailers “is simply not private or personal enough to confer [Article III] standing.” See Lien, et al., v. Talkdesk, Inc., No. 24-CV-06467-VC, 2025 WL 551664 (N.D. Cal. Feb. 19, 2025).
Continue Reading Recording of Customer Service Call “Not Private or Personal Enough” to Confer Article III StandingIllinois Supreme Court Rules That Plaintiff Lacks Standing to Bring Putative Data Breach Class Action
By Billie Mandelbaum on
The Illinois Supreme Court recently ruled that the named plaintiff in a putative data breach class action lacked standing to pursue her claims given that her private personal information had not actually been misused by a third party.
Continue Reading Illinois Supreme Court Rules That Plaintiff Lacks Standing to Bring Putative Data Breach Class ActionPennsylvania Court Dismisses A Trio of Defendants in Website Wiretapping Suit Challenging Email Marketing Program
By Connor Kennedy & Matthew Verdin on
A Pennsylvania court recently dismissed a wiretapping complaint filed against a trio of defendants for lack of Article III standing, lack of personal jurisdiction, and failure to state a claim in Ingrao v. Addshoppers, Inc., 2024 WL 4892514 (E.D. Pa. Nov. 25, 2024).
The two plaintiffs in this case…
Continue Reading Pennsylvania Court Dismisses A Trio of Defendants in Website Wiretapping Suit Challenging Email Marketing ProgramCalifornia Federal Court Allows Software Vendor to Enforce Website Operator’s Arbitration Agreement in Privacy Lawsuit
By Jess Davis, Matthew Verdin & Kathryn Cahoy on
Plaintiffs sometimes try to sidestep an arbitration agreement with one company by suing only a second company for interrelated conduct. Last month, a California federal court applied principles of fairness under the doctrine of “equitable estoppel” to reject this tactic, holding that a software vendor (Twilio) could enforce a plaintiff’s arbitration agreement with a website operator (Keeps) that was not named as a defendant. Perry-Hudson v. Twilio, Inc., 2024 WL 493333 (N.D. Cal. Dec. 2, 2024).
Continue Reading California Federal Court Allows Software Vendor to Enforce Website Operator’s Arbitration Agreement in Privacy LawsuitAnother California Court Holds CIPA’s Pen Register Provision Does Not Prohibit the Collection of IP Addresses
By Matthew Verdin on
Dozens of lawsuits have started challenging businesses’ use of website tools to collect IP addresses under the “pen register” and “trap and trace device” provision of the California Invasion of Privacy Act (“CIPA”). As we reported last month, a California court dismissed one of these lawsuits because of a…
Continue Reading Another California Court Holds CIPA’s Pen Register Provision Does Not Prohibit the Collection of IP Addresses