Data Privacy Litigation Trends

Privacy Statute Litigation Is on the Rise

California Invasion of Privacy Act (CIPA) Litigation

Beginning in June 2022, a wave of class action lawsuits hit California retailers and consumer-facing service providers alleging violations of CIPA. The lawsuits claim defendants permitted third-party vendors to unlawfully eavesdrop on customers’ communications made through the defendants’ online chat feature. The sudden surge of cases began with the Ninth Circuit’s unpublished decision in Javier v. Assurance IQ, which held CIPA “applies to Internet communications.”  Relying on Javier, several “creative” plaintiff’s firms have circulated hundreds (if not thousands) of pre-suit demand letters threatening CIPA class litigation under two provisions of CIPA statutes—§ 631(a) and § 632.7. Over 100 cases have been filed in state and federal courts throughout California.

Fortunately, there have been numerous motions to dismiss granted in federal court, and they provide a solid framework for attacking these CIPA “chat-bot” wiretapping cases, including:

• The § 631 aiding and abetting prong only applies when the alleged third party’s actions and use of the data are wholly independent of the website owner and not undertaken at the direction of, or for the benefit of, the website owner;
• Plaintiffs are unable to allege sufficient facts demonstrating the chat communications were “intercepted” while “in transit” as opposed to being collected or recorded after the fact; and
• § 632.7 only applies to communications between a cellular radio or cordless telephone on one side and a cellular radio or cordless or landline telephone on the other side. Because the retailer is not using an applicable telephone device to communicate, § 632.7 cannot apply.

Video Privacy Protection Act (VPPA) Litigation

Congress passed the VPPA (18 U.S.C. § 2710(b)) in 1988 to address video rental privacy concerns after Blockbuster disclosed a U.S. Supreme Court nominee’s video rental history to a news outlet. In 2012, the VPPA was updated to cover digital streaming and on-demand services. The VPPA prohibits any videotape service provider (VTSP) from knowingly disclosing, to any person, personally identifiable information concerning the VTSP’s consumer. Violators face a maximum $2,500 penalty per class member.

Recent cases are surviving motions to dismiss in the website tracking context even when the website tracks a user through a Meta Pixel or other software and provides videos incidental to its actual business purpose. In one case, the court denied the defendant’s motion to dismiss because the plaintiff had plausibly pled that he subscribed to goods and services from a VTSP – USA Today – under the VPPA. See Belozerov v. Gannett Co. In another, the motion to dismiss was denied in a putative class action where the plaintiffs alleged that the Boston Globe disclosed personally identifiable information of subscribers to Facebook in violation of the VPPA. See Ambrose v. Boston Globe Media Partners LLC. Finally, a motion to dismiss was denied in another putative class action where it was alleged that the NFL app violates the VPPA because it shares Android phone users’ pre-recorded video requests, as opposed to the viewing of live footage, with Google’s marketing apparatus. See Louth v. NFL Enterprises LLC.

Key defenses are still being litigated in the VPPA context, including:

• The defendant is not engaged in the business of rental, sale, or delivery of prerecorded video cassette tapes or similar audio-visual materials;
• The defendant is unaware of what information the website tracker is collecting;
• For providers of free video content, the plaintiff is not a “renter, purchaser, or subscriber of goods or services” from the VTSP; and
• The defendant provided the plaintiff informed consent in a distinct and separate form.

Right of Publicity Statutes

Class action filings alleging that any type of “sharing” of a consumer’s data violates states’ publicity or misappropriation statutes are on the rise. Notable examples of those statutes include:

• Illinois’ Right of Publicity Act ($1,000 per violation);
• California’s Right of Publicity Law ($750 per violation);
• South Dakota’s Right of Publicity Law ($1,000 to $3,000 per violation);
• Ohio’s Right of Publicity Law ($2,500 to $10,000 per violation); and
• Puerto Rico’s Right of Publicity Act ($750 to $20,000 per violation).

Fortunately, the majority of these cases are not surviving motions to dismiss. For example, in both Huston v. Hearst Communications, Inc. and Farris v. The Orvis Co., the courts dismissed the matter, holding (1) plaintiff’s identity is, itself, the product and is not being used to promote some other product, which is necessary to state a claim; and (2) the mere mention of plaintiff’s name in sold mailing lists did not constitute an appropriation of plaintiff’s personality. However, further litigation on these statutes is anticipated. Despite these defendant-favorable rulings, a few cases have proceeded past motions to dismiss.

Illinois Biometric Information Privacy Act (BIPA)

More than 1,700 BIPA class actions have been filed since late 2017, with no signs of slowing down. BIPA provides for a private right of action with liquidated statutory damages of $1,000 for each negligent violation and $5,000 for each reckless or intentional violation, plus attorneys’ fees and costs.

In October 2022, the first BIPA case proceeded to a trial, and the jury returned a judgment of $228 million on a class of 45,600 truckers who had scanned their fingers to gain access to a railroad terminal (i.e., $5,000 per class member). In February 2023, the Illinois Supreme Court issued two decisions holding that the BIPA statute of limitations is five years for all claims and such statute of limitations accrues with each scan or transmission of biometric data. Per-person demands are increasing, as is the filing of BIPA-related lawsuits.