Litigation

Latest Privacy Litigation Threats: Something Old, Something New

Published: Oct. 08, 2024

Businesses continue to be hit with wiretapping and other privacy lawsuits concerning their use of relatively common technologies on their websites and apps. Some of these lawsuits recycle old claims while others test new theories; some are filed in state court while others are filed in federal court; and some are filed as individual actions while others are filed as class actions. The types of lawsuits we are seeing with increasing frequency are outlined below.

Online Surveys and Forms

Plaintiffs’ firms are increasingly asserting wiretapping claims against websites that deploy cookies on online surveys and forms. These websites, for example, may ask visitors to fill out a questionnaire to obtain a quote, schedule an appointment, or qualify for products like medication or credit cards. In completing the forms, users may share information like their age, income, or health status. When the website sets up advertising or marketing cookies on these webpages, plaintiffs argue, the substance of those survey responses is sent to the third-party vendors in violation of California’s wiretapping law, or the California Invasion of Privacy Act (“CIPA”). These cases are largely percolating in federal courts like district courts in California, and are still in the early stages.

Embedded Search URLs

Counsel for certain “tester” plaintiffs are also hitting dozens of businesses with allegations that their website search bar violates CIPA. On some websites, when the user runs a search, the website embeds the search phrase within the URL of the search results. These businesses commit a wiretapping violation, plaintiffs allege, when they share the URL (and thus the search query) with marketing and advertising vendors. Some of these lawsuits are also based on alleged sharing of search terms with the entity powering the search bar function on the business’s website. These cases are primarily in California state court, and we expect to see many more in the coming months.

Pen Register and Trap and Trace Claims

These lawsuits seek to extend liability under CIPA’s pen register and trap and trace (“PRTT”) provision to website marketing technologies. A classic PRTT device records all inbound or outbound phone numbers dialed to or from a target telephone line. A number of plaintiffs’ firms, however, have argued that a website engages in PRTT surveillance by merely recording its visitors’ IP addresses, or other information such as browser type and location, and sharing that information with vendors. These complaints have targeted a wide range of businesses, from technology to retail to business-to-business vendors, and are proceeding in a mix of state and federal courts. While there are various defenses against these suits, some complaints have been allowed to proceed past the demurrer or motion to dismiss stage.

App-Based VPPA Claims

Whereas 2020-2023 featured countless VPPA lawsuits based on businesses’ use of the Meta Pixel on their websites, we are seeing a recent uptick in VPPA suits based on the use of various third-party applications in apps. Some of these cases are based on the sharing of device or anonymous IDs with companies used to provide marketing or analytics services. Others are based on the alleged sharing of information such as names and email addresses, seemingly in the context of tracking conversions from advertisements on other platforms. These cases are preceding in federal court, with some cases surviving motions to dismiss and others still awaiting decisions on motions to dismiss. 

State Credit Card Privacy Laws

Plaintiffs’ firms are starting to bring putative class actions against online retailers under credit card privacy laws in Massachusetts, California, and Rhode Island. These laws generally prohibit businesses that accept credit cards from collecting personal identification information beyond what the credit card issuer requires to complete the transaction. Plaintiffs insist a violation occurs when the retailer at checkout requires an email address or phone number, arguing that the business then uses that information to send unsolicited marketing.  Courts have not yet had occasion to assess these claims, so we will continue monitoring developments as these and other privacy cases proceed.