U.S. Privacy Litigation Update: March 2025

This is our twenty-second installment in our data privacy litigation report covering decisions from the previous month. 

There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. 

1. Five Privacy Litigation Takeaways from March 2025

• Takeaway #1: Legislative Changes – California looks to potentially eliminate Section 631(a) claims where there is a “commercial purpose” while Virigina approves private right of action for reproductive health data

California Senate Bill 690 was modified in the California Senate on March 4. As revised, SB 690 would modify Sections 631, 632, 632.7, and 638.50 of the California Penal Code to exempt behavior performed to further a commercial business purpose. The bill notes existing law already exempts specified communication intercepts, such as those in a correctional institution and those required for utility maintenance purposes. SB 690 would add “communication intercepts for a commercial business purpose”, which would be defined to mean the processing of personal information either performed to further a business purpose or subject to a consumer’s opt-out rights, to that list of exceptions. The bill would also modify Section 638.50 of the California Penal Code, which governs pen registry and tap and trace devices, to specify that neither a pen register or a tap and trace device includes a device or process “that is used in a manner consistent with a commercial business purpose.” The bill would make its provisions retroactive and applicable to any case pending as of January 1, 2026.

On the East Coast, Virginia’s governor approved SB 754, which amends Virginia’s Consumer Protection Act to prohibit “obtaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.” Because it amends the Consumer Protection Act, the law provides consumers with a private right of action to sue if they believe their privacy rights have been violated. The law goes into effect July 1, 2025. We will be covering SB 754 in more detail so be on the lookout for more soon.

• Takeaway # 2: Rise in federal wiretapping decisions as courts split on “commercial purpose” exception

Although the California legislature may significantly reduce the number of wiretapping claims brought against websites under California law, plaintiffs have increasingly started filing claims against websites for the use of ad-tech under the Federal wiretapping act, the ECPA. Seventeen (17) courts issued decisions interpreting the ECPA in March. Four decisions were from California courts, three from Illinois courts, two from New York courts, and the remaining nine from different states; highlighting plaintiffs’ efforts to determine which jurisdictions are more friendly to these claims. Although three decisions were criminal matters, most of the remaining fourteen decisions involved cases against health institutions. One involved a financial institution defendant.

Unlike California’s CIPA, the ECPA is a “one party consent” statute, which means only one party (e.g., the website) must consent for the communication to be recorded. There is an exception, however, when the recording is intercepted for the purpose of committing a crime or tort. To invoke this exception, plaintiffs have often alleged the interception violates some law that prohibits the information from being disclosed, such as HIPAA. (This explains the disproportionate number of ECPA cases filed against healthcare providers.)

Because plaintiffs often allege the defendant intercepted the communication to further their own marketing interests, defendants have argued the purpose of the interception was commercial; not to commit a crime or tort. Courts are split on whether

In March, four courts from four separate states issued decisions that weighed in on whether the “crime tort” exception could be met where the plaintiff alleges the defendant intercepted the information to further its own or others’ marketing. Two decisions—one from the Eastern District of Virginia and one from the Northern District of Illinois—rejected the “commercial purpose” argument and denied motions to dismiss the ECPA claim. A decision from the Western District of North Carolina, however, found the purpose of the interception as commercial and dismissed the ECPA claim. Finally, a decision from the Middle District of Florida noted the split and, without joining either side, held the issue was a factual dispute to be resolved at summary judgment or, more likely, trial.

• Takeaway # 3: More courts impose “knowledge or intent” requirement for Section 631(a) claim

Two courts dismissed plaintiffs’ claims with prejudice after the plaintiffs failed to allege the defendant knew the third party had the capability to use the intercepted-information for its own benefit.

On March 13, 2025, a Central District of California court dismissed the plaintiff’s second amended complaint (i.e., the plaintiff’s third bite at the apple). The court had previously held a plaintiff was required to plausibly allege the defendant knew of the third party’s ability to use the recording for its own purposes to allege a violation of the fourth prong of Section 631(a). The court had also previously explained if the defendant believed the third party “was merely using embedded software like a tape recorder to archive conversations, that would not give rise to a violation.”  In dismissing the second amended complaint, the court once again found the plaintiff failed to allege facts to meet the knowledge or intent element of the fourth prong. The court rejected the plaintiff’s argument that the third party’s ability to quickly develop a chat program or make that chat program look like the rest of the defendant’s website suggested the defendant knew the third party was capable of using consumers’ data for its own purposes. The court also rejected plaintiff’s interpretation of statements published by the third party, finding the statements in fact showed the opposite.

The next day, a Northern District of California court issued a decision dismissing the plaintiff’s Section 631(a) claim. The court found the plaintiff’s “conclusory” allegations failed to allow any plausible inference the defendant knowingly aided or abetted the third party in violation of Section 631(a) because the complaint did not contain facts about what the third party communicated to the defendant about how its fraud prevention services operate or about how customer information is stored or incorporated into the third party’s software.

These two decisions join a growing number of authorities that impose a “knowledge or intent” requirement for plaintiffs to state a claim under the fourth prong of Section 631(a).

• Takeaway # 4: The Ninth and Seventh Circuits provide new guidance on the VPPA’s scope, both restricting and expanding the law’s application

At the end of March, the Ninth and Seventh Circuits issued separate decisions one day apart interpreting the scope of the VPPA’s application. The Ninth Circuit somewhat limited the Act’s reach in focusing on the law’s definition of “video tape service provider,” while the Seventh Circuit joined the Second Circuit in broadening the law’s application to “consumers” covered by the Act.

In the Ninth Circuit, a three-judge panel affirmed the dismissal of a VPPA class action against a movie theater operator. In that case, the plaintiff alleges that the operator violated the VPPA by disclosing his personal information via the Facebook/Meta pixel without consent when he purchased a movie ticket on the operator’s website. He claims that the information shared with Facebook included his unique Facebook identification number and movie ticket information, such as the movie title and location.

The district court granted the theater operator’s motion to dismiss, reasoning that the operator’s activities do not qualify as a “rental, sale, or delivery” of “audio visual materials” under the VPPA’s definition of “video tape service provider.” The plaintiff appealed.

On appeal, the central question was whether the movie theater operator was a “video tape service provider” under the VPPA and therefore subject to the Act’s restrictions. The Ninth Circuit held that it was not based on the VPPA’s definition of a “video tape service provider” as “any person, engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”

The plaintiff argued for a broad reading of the terms “delivery” and “similar audio visual materials” in the above definition to claim that the VPPA applies to a defendant’s act of transmitting light and sound in a movie theater. The panel rejected this argument, however, finding that the term “delivery,” in relation to a “rental” or “sale,” signifies the “transfer or conveyance of a good” which does not occur in the movie theater context. According to the panel, a movie theater is not engaged in the “delivery” of “prerecorded video cassette tapes or similar audio visual materials” because theater patrons do not obtain the same level of control over videos shown in a movie theater, compared to at-home viewers who can pause, rewind, or start over a movie as they wish. Given that distinction, the panel found that a movie theater does not sufficiently transfer or convey video to customers to trigger the “video tape service provider” definition.

Although the Ninth Circuit’s analysis focused on the VPPA’s plain text, the panel further stated that its decision was supported by legislative history. The panel noted that the VPPA was enacted out of concerns for the disclosure of Supreme Court nominee Robert Bork’s video rental history and individual privacy in a “home” or “living room” setting, and not the “shared synchronous viewing” of movies in publicly accessible theaters. For this reason, the panel held that the defendant, and likely other movie theater operators, are not engaged in the type of business that the VPPA seeks to regulate.

The Ninth Circuit’s decision aligns with many lower court rulings, which have similarly found that the VPPA does not apply to movie theaters. This decision affirms those rulings and provides limitations around the term “delivery” in the statute’s definition of a “video tape service provider.”

Turning to the Seventh Circuit’s decision from last month, a three-judge panel reversed the dismissal of a VPPA class action against an online streaming service provider. According to the complaint, the service provider streams a schedule of classic TV programming (not on-demand) that is accessible for free to account holders and non-account holders alike. The plaintiffs allege they signed up for free accounts on the defendant’s service which required them to provide their email addresses and zip codes for personalized video recommendations, TV schedules, and newsletters. They claim that through their accounts and defendant’s use of the Facebook/Meta pixel, the defendant violated the VPPA by disclosing their personally identifiable information without consent.

The lower court granted the defendant’s motion to dismiss on the rationale that the plaintiffs were not “consumers” under the VPPA, which the Act defines as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” The plaintiffs appealed.

On appeal, the Seventh Circuit reversed the lower court by finding that the plaintiffs are “subscribers” and therefore covered by the VPPA’s “consumer” definition. The panel first agreed with other circuit courts that a “subscriber” is any person who gives something of value in exchange for a good or service, whether that something be information (e.g., an email address or zip code) or money (e.g., a subscription fee). The fact that an account on defendant’s streaming service did not cost money was therefore not dispositive of the “subscriber” issue because the plaintiffs had provided personal information to create their accounts.

The panel next addressed the defendant’s argument (and the lower court’s reasoning) that because anyone could watch videos on defendant’s website without creating an account, account holders like plaintiffs had not subscribed to a video service subject to the Act but, instead, had subscribed to an information service in the form of receiving personalized TV schedules and newsletters. The panel rejected this argument, noting that the VPPA’s “consumer” definition does not apply to a “subscriber of video services.” Rather, the definition applies to a “subscriber of . . . goods or services from a video tape service provider”. Therefore, and because defendant was indisputably a “video tape service provider,” the Seventh Circuit stated that the plaintiffs would have satisfied the “consumer” definition even if they had “never watched a video, but had purchased a Flintstones sweatshirt or a Scooby Doo coffee mug [from the defendant] . . . [as] they would have purchased ‘goods’ from a ‘video tape service provider’.” In sum, the panel held that “when a person does furnish valuable data in exchange for benefits, that person becomes a ‘consumer’ [under the VPPA] as long as the entity on the other side of the transaction is a ‘video tape service provider.’”

The Seventh Circuit’s decision adopts the Second Circuit’s expansive view of the VPPA’s “consumer” definition and will continue to lower plaintiffs’ burden at the motion to dismiss stage.
2.         Overview of Current U.S. Data Privacy Litigation Trends and Issues

Privacy plaintiffs currently maintain lawsuits under several laws and factual scenarios. Many of these lawsuits are brought under the privacy laws of California, Pennsylvania, and Illinois. In this section, we provide an overview of some of the theories under which privacy plaintiffs are currently bringing claims. If you are already familiar with these, feel free to skip this section.

Chat wiretapping lawsuits grew in popularity in mid-summer 2022. Since then, over 100 lawsuits that allege privacy rights’ violations relating to chat services on websites have been filed. In most cases, the plaintiff alleges a website operator violates wiretapping laws in states that require all parties to a communication to consent for the communication to be recorded. This theory typically involves a website operator who has engaged a third-party service provider to operate the chat functionality on the website. Under the theory, the website visitor is unaware they are not only communicating with the website operator, but also the third-party who operates the chat function and intercepts the communications between the website visitor and website operator.

Lawsuits relating to session replay technology also involve claims that the alleged behavior violates wiretapping laws in “two party” or “all party” consent states. This technology allows website operators to monitor how website visitors interact with the website. Websites that use session replay technology are often trying to better understand how users interact with the website and may even want to document that users have seen and are aware of the site’s privacy policy. Where the technology also captures the website visitor’s communications—such as (but not limited to) chat services or when the visitor completes a form on the website—privacy plaintiffs have alleged use of the technology violates wiretapping laws.

Many cases alleging wiretapping violations are filed in California under the California Invasion of Privacy Act (“CIPA”). Most lawsuits assert a violation of Section 631 of CIPA and courts routinely refer to specific clauses or subsections of that section. When discussing litigation updates, we therefore also refer to courts disposing of specific clauses or subsections of Section 631. Courts have noted Section 631 “is somewhat difficult to understand.” See Warden v. Kahn, 99 Cal. App. 3d 805, 811 (Ct. App. 1979). To help guide readers, we have provided Section 631(a) below with the specific clauses (sometimes called subsections) delineated:

Any person who, [Clause 1 or Subsection (a)(1):] by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or [Clause 2 of Subsection (a)(2):] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or [Clause 3 or Subsection (a)(3):] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [Aiding Provision, Clause 4, or Subsection (a)(4):] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable . . . .

Wiretapping claims—whether based on website chat services, the use of session replay technology, or something else—are typically resolved on a limited number of issues:

• How did the communication occur? Plaintiffs often allege they accessed a website using a mobile phone. Courts have held the first clause of Section 631(a) does not apply if the interception does not occur over a telephonic wire. Courts have also held Section 632.7, another provision of CIPA, requires a communication between two wireless or cordless devices and therefore does not apply if the website is communicating via a wired server. Some judges, however, disagree.
• Is the defendant or a third-party a “party” to the communication? If so, then the “party exception” will apply and the defendant will not be liable. When deciding whether a third-party was a “party” to the communication, courts consider whether the party is merely acting as a tool for the defendant (akin to a tape recorder) or can use the communication for their own benefit (akin to someone listening into a conversation).
• Did the website have consent to record or share the communication? Consent is a defense to wiretapping claims, but it can be difficult for courts to resolve whether the plaintiff provided consent at the pleading stage.
• Did the website share the “contents” of a communication? Wiretapping claims only apply to the contents of a communication. Merely sharing record information of a communication, such as an IP address, will not establish liability under wiretapping laws. Courts often struggle to define what constitutes communication “contents” and URLs can be especially tricky.
• Was the communication intercepted or stored and then forwarded? If the communication is not intercepted, then there cannot be liability under Clause 2 of Section 631.
• Was the plaintiff harmed? Do they have standing to sue? Courts are often split on whether an “invasion of privacy” itself is sufficient harm to provide standing, but this issue has weighed in defendants’ favor more often following the Supreme Court’s 2021 TransUnion decision, which held Article III standing requires a concrete injury even in the context of a statutory violation.

Claims that a defendant has violated the Video Privacy Protection Act (“VPPA”) rely on a 1988 law that prohibits, in part, a video service provider from publishing a “subscriber’s” video watching history. Most recently, it has been asserted against websites who use ad targeting cookies (such as the Meta Pixel or Google Analytics tags) on websites that include video content. The VPPA reads: “A video tape service provider who knowingly discloses, to any person, personally identifiable information concerning any consumer of such provider shall be liable to the aggrieved person for the relief provided in subsection (d).” 18 U.S.C. § 2710(b)(1). The VPPA defines a “provider” as an entity engaged in the business of “rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials” and a “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Where the defendant directly rents or sells video content or access to such content, courts will typically find the defendant is a video tape service provider and the plaintiff to meet the “consumer” definition. Where the defendant’s core business is unrelated to video services, however, and the video contents at issue are merely marketing for that other core business, courts are likely to find the parties do not meet the VPPA’s definitions of “provider” and “consumer.”

Lawsuits alleging a defendant has violated prohibitions on voice recording (commonly Section 637.3 of the California Penal Code) typically involve the use of voice recognition software, which is often used as a security measure by companies that provide sensitive information such as banks or other financial institution.

Finally, some plaintiffs have alleged defendants who track IP-addresses run afoul of “pen registry” laws such as CIPA, § 638.51, which prohibits “a person” from “install[ing] or us[ing] a pen register or a trap and trace device without first obtaining a court order . . . .” Cal. Penal Code § 638.51. Traditionally, pen registers were used by law enforcement to record all numbers called from a particular telephone. Under CIPA, however, a “pen register” is more broadly defined to mean “a device or process that records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of a communication.” § 638.50(b).

[View source.]