technology

Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions.  On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.

Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks.  Id. at *1.  Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach.  Id.  They sued Elephant for alleged harms stemming from the breach.  Id. at *3.  Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not.  Id. at *2.  The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing.  Id.  But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two. Continue Reading Standing in the Dark:  Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web

A federal court in North Carolina dismissed a putative data breach class action against Bojangles because the plaintiffs failed to show that there was an actual or imminent misuse of their personal information as a result of the breach.  Dougherty v. Bojangles’ Restaurants, Inc., 2025 WL 2810673 (W.D.N.C. Sept. 30, 2025).Continue Reading Federal Court Fries Data Breach Class Action for Lack of Standing

On August 15, the Ninth Circuit Court of Appeals affirmed the dismissal of a class action complaint in Gibson v. Cendyn Group, No. 24-3576, rejecting plaintiffs’ arguments that Las Vegas hotels violated Section 1 of the Sherman Act through their common use of revenue management software.  The decision follows

Continue Reading Ninth Circuit Rejects Vegas Hotel Algorithmic Price Fixing Claims

In Nicole Pileggi v. Washington Newspaper Publishing Company LLC, the D.C. Circuit unanimously affirmed the district court’s dismissal of a complaint alleging that news magazine and website Washington Examiner disclosed consumers’ personal information through a third-party pixel in violation of the Video Privacy Protection Act (“VPPA”). 

In 2023, Pileggi alleged that the Examiner’s use of a third-party pixel on its site gave the third party the ability to collect website visitors’ personal information, including IP addresses and titles of videos they had watched.  The District Court for the District of Columbia granted the Examiner’s motion to dismiss early last year, holding that Pileggi was not a “consumer” under the VPPA and that she failed to establish the requisite connection between her subscription to the Examiner’s newsletter and the video information allegedly disclosed.Continue Reading D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA

Lawsuits targeting businesses’ use of website tools under the California Invasion of Privacy Act (“CIPA”) increasingly are filed by so-called “tester” plaintiffs.  These plaintiffs seek out websites to “test” for potential CIPA violations and then file lawsuits seeking damages for those alleged violations.  A California federal court recently confirmed that

Continue Reading “Tester” Plaintiff Who “Actively Seeks Out Privacy Violations” Lacks Standing to Pursue CIPA Claim

The Illinois Supreme Court recently ruled that the named plaintiff in a putative data breach class action lacked standing to pursue her claims given that her private personal information had not actually been misused by a third party.Continue Reading Illinois Supreme Court Rules That Plaintiff Lacks Standing to Bring Putative Data Breach Class Action

After removing a lawsuit brought against it in Pennsylvania state court under the Wiretapping and Electronic Surveillance Control Act (“WESCA”) to the United States District Court for the Eastern District of Pennsylvania, Prime Hydration LLC argued in its motion to dismiss that the plaintiff lacked Article III standing.  Judge Nitza I. Quiñones Alejandro agreed and remanded the case to state court.  Heaven v. Prime Hydration LLC, 2025 WL 42964, at *7 (E.D. Pa. Jan. 7, 2025).

Plaintiff Shantay Heaven filed a putative class action in the Philadelphia Court of Common Pleas asserting that Prime Hydration allowed third parties to track the activity of visitors to Prime Hydration’s website.  Id. at *1.  Plaintiff asserted that Prime Hydration integrated the third-party pixels into its website.  Id. at *2.  Those two pieces of code, Plaintiff alleged, allowed Prime Hydration to capture “her searches for drink flavors, . . . and that this information was transmitted to” the third-party servers.  Id. at *6.Continue Reading Pennsylvania District Court Judge Remands Case After Finding No Article III Standing to Bring Wiretapping Claim

A Pennsylvania court recently dismissed a wiretapping complaint filed against a trio of defendants for lack of Article III standing, lack of personal jurisdiction, and failure to state a claim in Ingrao v. Addshoppers, Inc., 2024 WL 4892514 (E.D. Pa. Nov. 25, 2024).

The two plaintiffs in this case

Continue Reading Pennsylvania Court Dismisses A Trio of Defendants in Website Wiretapping Suit Challenging Email Marketing Program

Dozens of lawsuits have started challenging businesses’ use of website tools to collect IP addresses under the “pen register” and “trap and trace device” provision of the California Invasion of Privacy Act (“CIPA”).  As we reported last month, a California court dismissed one of these lawsuits because of a

Continue Reading Another California Court Holds CIPA’s Pen Register Provision Does Not Prohibit the Collection of IP Addresses

Websites cannot load without the transmission of an IP address, which tells websites where to deliver the webpages displayed on a user’s browser.  Yet a number of lawsuits have started challenging this routine transmission of IP addresses under a lesser-known provision of the California Invasion of Privacy Act (“CIPA”) that

Continue Reading Court Holds CIPA’s Pen Register Provision Does Not Impose Liability for “What Makes the Internet Possible.”