2023 Data Security Incident Response Report

Data Privacy Litigation Trends



Incidents Handled in 2022


Incidents with Notification (44)


Incidents with Notification Resulted in One or More Lawsuits Filed

Lawsuits by Notice Population Size

  • < 1,000 people notified: 4 lawsuits
  • 1,001 to 10,000 people notified: 2 lawsuits
  • 10,001 to 100K people notified: 12 lawsuits
  • 101K – 500K people notified: 13 lawsuits
  • 501K – 1M people notified: 2 lawsuits
  • > 1M people notified: 9 lawsuits

Privacy Statute Litigation Is on the Rise

California Invasion of Privacy Act (CIPA) Litigation

Beginning in June 2022, a wave of class action lawsuits hit California retailers and consumer-facing service providers alleging violations of CIPA. The lawsuits claim defendants permitted third-party vendors to unlawfully eavesdrop on customers’ communications made through the defendants’ online chat feature. The sudden surge of cases began with the Ninth Circuit’s unpublished decision in Javier v. Assurance IQ, which held CIPA “applies to Internet communications.” Relying on Javier, several “creative” plaintiffs’ firms have circulated hundreds (if not thousands) of pre-suit demand letters threatening CIPA class litigation under two provisions of the statute, § 631(a) and § 632.7. Over 100 cases have been filed in state and federal courts throughout California.

Fortunately, there have been numerous motions to dismiss granted in federal court, and they provide a solid framework for attacking these CIPA “chat-bot” wiretapping cases, including:

  • The § 631 aiding and abetting prong only applies when the alleged third party’s actions and use of the data are wholly independent of the website owner and not undertaken at the direction of, or for the benefit of, the website owner;
  • Plaintiffs are unable to allege sufficient facts demonstrating the chat communications were “intercepted” while “in transit” as opposed to being collected or recorded after the fact; and
  • § 632.7 only applies to communications between a cellular radio or cordless telephone on one side and a cellular radio or cordless or landline telephone on the other side. Because the retailer is not using an applicable telephone device to communicate, § 632.7 cannot apply.

Video Privacy Protection Act (VPPA) Litigation

Congress passed the VPPA (18 U.S.C. § 2710(b)) in 1988 to address video rental privacy concerns after Blockbuster disclosed a U.S. Supreme Court nominee’s video rental history to a news outlet. In 2012, the VPPA was updated to cover digital streaming and on-demand services. The VPPA prohibits any videotape service provider (VTSP) from knowingly disclosing, to any person, personally identifiable information concerning the VTSP’s consumer. Violators face a maximum $2,500 penalty per class member.

Recent cases are surviving motions to dismiss in the website tracking context even when the website tracks a user through a Meta Pixel or other software and provides videos incidental to its actual business purpose. In one case, the court denied the defendant’s motion to dismiss because the plaintiff had plausibly pled that he subscribed to goods and services from a VTSP – USA Today – under the VPPA. See Belozerov v. Gannett Co. In another, the motion to dismiss was denied in a putative class action where the plaintiffs alleged that the Boston Globe disclosed personally identifiable information of subscribers to Facebook in violation of the VPPA. See Ambrose v. Boston Globe Media Partners LLC. Finally, a motion to dismiss was denied in another putative class action where it was alleged that the NFL app violates the VPPA because it shares Android phone users’ pre-recorded video requests, as opposed to the viewing of live footage, with Google’s marketing apparatus. See Louth v. NFL Enterprises LLC.

Key defenses are still being litigated in the VPPA context, including:

  • The defendant is not engaged in the business of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials;
  • The defendant is unaware of what information the website tracker is collecting;
  • For providers of free video content, the plaintiff is not a “renter, purchaser, or subscriber of goods or services” from the VTSP; and
  • The defendant provided the plaintiff informed consent in a distinct and separate form.

Right of Publicity Statutes

Class action filings alleging that any type of “sharing” of a consumer’s data violates states’ publicity or misappropriation statutes are on the rise. Notable examples of those statutes include:

  • Illinois’ Right of Publicity Act ($1,000 per violation);
  • California’s Right of Publicity Law ($750 per violation);
  • South Dakota’s Right of Publicity Law ($1,000 to $3,000 per violation);
  • Ohio’s Right of Publicity Law ($2,500 to $10,000 per violation); and
  • Puerto Rico’s Right of Publicity Act ($750 to $20,000 per violation).

Fortunately, the majority of these cases are not surviving motions to dismiss. For example, in both Huston v. Hearst Communications, Inc. and Farris v. The Orvis Co., the courts dismissed the matter, holding (1) plaintiff’s identity is, itself, the product and is not being used to promote some other product, which is necessary to state a claim; and (2) the mere mention of plaintiff’s name in sold mailing lists did not constitute an appropriation of plaintiff’s personality. However, further litigation on these statutes is anticipated. Despite these defendant-favorable rulings, a few cases have proceeded past motions to dismiss.

Illinois Biometric Information Privacy Act (BIPA)

More than 1,700 BIPA class actions have been filed since late 2017, with no signs of slowing down. BIPA provides for a private right of action with liquidated statutory damages of $1,000 for each negligent violation and $5,000 for each reckless or intentional violation, plus attorneys’ fees and costs.

In October 2022, the first BIPA case proceeded to trial, and the jury returned a judgment of $228 million for a class of 45,600 truckers who had scanned their fingers to gain access to a railroad terminal (i.e., $5,000 per class member). In February 2023, the Illinois Supreme Court issued two decisions holding that the BIPA statute of limitations is five years for all claims and that a claim accrues with each scan or transmission of biometric data. Per-person demands are increasing, as is the filing of BIPA-related lawsuits.

Class Certification in Data Breach Litigation Remains Uncertain

Lawsuits are being filed more often after security incidents are disclosed. However, the plaintiff’s bar has suffered defeats at the class certification phase.

In October 2022, the Court of Appeal of the State of California affirmed the denial of class certification to individuals asserting claims under California’s Confidentiality of Medical Information Act (CMIA) based on their patient and medical data being stolen by a former employee. Specifically, the court held that a breach of confidentiality under CMIA is an “individualized issue” and in this case would require individualized inquiries into “whether third parties used plaintiffs’ information, whether this use was without authorization, the timing of this misuse, whether plaintiffs took measures to protect against the misuse of their information, whether the information used was involved in the data breach, and whether third parties could have obtained this information through other means.” This is a big win for healthcare defendants, and also a pivotal leverage point for all privacy class certification litigation in California.

In addition, a district court in California denied class certification to individuals whose personal information was stolen in a data breach because the named plaintiff (and anyone who signed the defendant’s terms of use) waived any right to represent the class or subclass based on the “class action and jury trial waiver” provision in the defendant’s terms of use. Although the action had been litigated for nearly two years, the court determined that the defendant had not waived its right to enforce this provision because the affirmative defense was raised in its answer. The ruling is another important win for California defendants and a reminder that class action waiver provisions and affirmative defenses can still be valuable business tools.

There are two key appellate cases where classes were certified in data breach cases involving a hospitality company and a restaurant group. We will be watching both cases closely in 2023.