In this post: (1) Selection of law in a choice-of-law forum can defeat privacy claims; (2) The Arizona Court of Appeals shuts down “spy pixel” litigation; (3) Multiple decisions provide guidelines as to when claims are likely to be dismissed for lack of standing; (4) Consent rises and falls on implementation but plaintiffs cannot avoid the issue; and (5) Courts in the 3rd and 9th Circuit disagree whether simultaneous messages are intercepted while in transit.

Welcome to our monthly update on how courts across the nation have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from October and November 2025.

Many courts are currently handling data privacy cases across the U.S. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following on LinkedIn.

  1. Selection of law in a choice-of-law forum can defeat privacy claims.

Our first takeaway emphasizes the effect choice-of-law provisions can have if they are included in an enforceable agreement. On October 16, a Western District of Washington court dismissed a case after finding Washington’s wiretapping act did not protect communications between an individual and a business entity’s automated system (such as a website). The plaintiff originally filed the lawsuit in the Northern District of California. The parties subsequently stipulated to transfer the case to the Western District of Washington.

The parties disputed whether California or Washington law applied. The defendant argued the terms of use included a choice of law provision that specified “the laws of the state of Washington, without regard to principles of conflict of laws, will govern … any dispute of any sort that might arise between you and [the defendant.]” The plaintiff argued they never agreed to the terms of use.

The court disagreed with the plaintiffs, finding the terms of use were part of a valid and enforceable sign-in agreement. Whenever a user signed into their account, the defendant notified users that: “By signing in, you agree to [defendant’s] Condition of Use and . . . Privacy Notice.” The court rejected the plaintiff’s arguments that the sign-in agreement was unenforceable under Chabolla because the sign-in screen did not indicate that clicking “continue” constitutes “signing in.” The court found that, unlike the page in Chabolla, the sign-in screen in the case at bar “is a single screen with a prominent action button that users like [the plaintiffs] would have repeatedly navigated to sing into their . . . accounts.” The court also distinguished Chabolla because that case involved a sign-up page users would have encountered only once, while the plaintiffs would have navigated the defendant’s sign-in page every time they accessed their accounts.

After finding the sign-in agreement enforceable, the court then found the choice of law provision was enforceable and Washington law applied. Notably, unlike California law, Washington’s wiretapping act does not protect communication between an individual and a business entity’s automated system, such as a website, effectively meaning the plaintiff’s claims would be dismissed under the application of Washington law. The court nevertheless gave the plaintiff leave to amend and try to state a claim under Washington. The plaintiff has appealed the decision.

As we routinely note in these posts, there are several splits in authority, with some jurisdictions being more favorable to defendants than to plaintiffs and vice versa. (Indeed, our fifth takeaway illustrates this.) Although plaintiffs most often can choose to avoid those jurisdictions that are less favorable to them, this decision emphasizes the importance choice of law provisions can have to mitigate that choice… assuming the provision is in an enforceable agreement.

  1. The Arizona Court of Appeals shuts down “spy pixel” litigation.

On November 13, the Arizona Court of Appeals issued a decision that shut down plaintiffs’ attempts to allege the use of “spy pixels” violated Arizona’s Telephone, Utility, and Communications Service Records Act (TUCSRA), which provided statutory damages of $1,000 per violation.

The plaintiff claimed the defendant embedded “spy pixels” in its marketing emails designed to extract email data — such as when the plaintiff opened the email and if he forwarded the email to others—without his consent. The trial court dismissed the case after finding “sending marketing emails and collecting information through tracking pixels” was “simply” not covered by the statute. The plaintiff appealed.

The Court of Appeals found the dispositive issue was whether the information the defendant allegedly extracted is a “communication service record” protected by TUCSRA. The court found such a record “does not merely include categories of information but rather refers to records about subscribers maintained by communication service providers.” Although the legislature could expand the statute to cover information gathered by marketing emails, it has not yet done so. The court concluded “logs of email access, logs of associated email addresses, email client types, email path data, recipient location, IP addresses, email forwarding data, and device information” are not covered by the TUCSRA.

Almost immediately after the Court of Appeals’ decision, federal district courts began dismissing similar claims.

  1. Standing is stronger when sensitive information or detailed URLs are disclosed; metadata-only allegations often fail.

To bring a claim in federal court, a plaintiff must establish a concrete injury under Article III of the U.S. Constitution. Numerous decisions from October and November demonstrate that courts are more willing to find Article III standing where the plaintiffs plausibly alleged the disclosure of sensitive content or full-string URLs revealing what they viewed or did, especially in health or video contexts.

Courts found the plaintiffs established standing in wiretapping, VPPA, and pen registry decisions. In one decision from the Northern District of California, the court recognized standing in a wiretapping case where the URLs disclosed a user’s research into eating disorder treatment. The court distinguished such sensitive health-related browsing from generic shopping data: “There may not be standing to sue based on a disclosure that a plaintiff was shopping for a football jersey, but there’s standing to sue based on a disclosure that a plaintiff was likely shopping for eating disorder services.”

A Southern District of California likewise found the plaintiff had established standing in a pen registry claim and distinguished cases dismissing metadata-only claims where the allegations involved personal or private information beyond mere IP/device data. The defendant, a well-known athletic shoe company, installed pixels on its website. The court distinguish Popa because the court found the information in the case the Ninth Circuit concerned merely how the plaintiff interacted with the website, rather than plaintiff’s personal, private information, which was at issue in the case at bar.

Courts also found the plaintiff had established standing in multiple VPPA cases. In the Western District of Texas, a court reached a similar result in a VPPA, holding the plaintiff alleged her private information was disclosed when she alleged the titles and contents of the videos she purchased were private information.

Courts in the Southern District of New York and Northern District of California similarly recognized standing where the plaintiffs alleged transmission of viewing or account data to third parties despite privacy choices.

By contrast, several courts rejected standing where the alleged disclosures were limited to metadata or generic identifiers. In one decision from the Eastern District of California, the court found no concrete injury where the collection was limited to email and IP addresses and no actual harm was alleged. Another Southern District of California decision reiterated that there is no reasonable expectation of privacy in IP addresses and similar device metadata and dismissed for lack of concrete harm. The plaintiff alleged the defendant’s website installed 35 “tracking beacons” on the plaintiff’s internet browser that collected her “unique [internet protocol (“IP”)] address . . . operating system name, operating system version number, browser name, browser version number, browser language, screen resolution, geolocation data, email address, mobile ad IDs, embedded social media identities, customer and/or loyalty IDs, cookies and device signature—as well as the connections between them.” In dismissing the claim for lack of standing, the court found the plaintiff made “no effort to establish a close relationship between her purported injury and a traditional harm,” instead broadly contending that any invasion of a statutorily recognized privacy interest is sufficient to constitute an Article III injury. The court also noted courts have consistently held internet users have no expectation of privacy in their IP addresses, or in the other data the defendant allegedly collects, including a user’s contact information that is designed to be exchanged to facilitate communication or the metadata of their communication.

Another Southern District of California court rejected standing where the claim centered on capture of an IP address alone. The plaintiff argued the harm they suffered most closely aligns with a claim for intrusion upon seclusion. The court found the plaintiff’s claim was limited to the capture of their IP address and the plaintiff must show a reasonable expectation of privacy in that information. As many other courts had recognized, there is no expectation of privacy in an IP address.

Finally, another Southern District of California court dismissed the case after finding the plaintiff lacked standing. The case involved a claim under the VPPA and it was therefore likely the court would find standing as discussed above. To challenge standing, however, the defendant submitted a declaration that established the defendant’s records showed the plaintiff created an account but never bought or rented any videos, did not enter any search terms, and did not enter any video pages. The plaintiff did not dispute the evidence and instead argued it was improper for the court to consider extrinsic evidence when resolving a motion to dismiss. The court rejected the plaintiff’s argument, noting that the allegations are not taken as true when the defendant presents evidence to contradict the plaintiff’s claim for standing. The court dismissed the claim.

Collectively, these decisions suggest courts are more likely to find Article III standing where complaints plausibly allege disclosure of sensitive contents or full‑string URLs that reveal specific user actions—especially in health and video contexts—across wiretap, VPPA, and pen‑register claims. By contrast, metadata‑only allegations (IP address, device/browser info, generic visit data) generally fail because courts find no reasonable expectation of privacy and no close tie to traditional harms. Even where the plaintiff may be able to establish standing, however, a defendant can still secure a dismissal if they are able to establish facts to contradict the plaintiff’s claim of harm.

  1. Consent rises and falls on implementation, but plaintiffs cannot avoid the issue.

Courts continue to separate mere “notice” from actual “assent” and expect plaintiffs to provide precise pleadings to evaluate consent. In one decision from the Southern District of California, the court rejected a consent defense when the policy was presented as a browsewrap agreement via a hyperlink at the bottom of the website. Another decision, this one from the Northern District of California, similarly refused to enforce a forum clause embedded in the website terms and conditions, which were available only at the bottom of the website via hyperlink. The court distinguished this from the privacy policy on the website. Unlike the browsewrap terms of use agreement, the privacy policy was “included within a popup banner that appeared automatically and rendered the webpage dark and prevented browsing until the user made a selection.” The court notes both parties agreed the plaintiff was on notice of the privacy policy.

Decisions from October and November also show, however, that courts may not simply accept plaintiffs’ statements that they did not consent. A Southern District of New York court ordered the plaintiffs to provide the specific dates they created accounts so it could determine whether the plaintiffs were on notice of the privacy policy. The defendant in that case collected information from multiple websites. The plaintiffs alleged they had visited and created accounts on four separate websites but refused to say when they had done so. The defendants attempted to establish consent by submitting—and asking the court to take judicial notice of—25 policies and 10 account registration forms. The court found this was excessive but that the plaintiffs were to blame. By pleading around the crucial information, the plaintiffs had attempted to “hamstring” the defendant’s ability to argue consent. The court sua sponte ordered the plaintiffs to make a more definite statement and made clear it would allow the defendant to file a future motion to dismiss.

These cases show consent will rise or fall on how the website implements the consent mechanism, but that bannerwrap agreements remain insufficient. If a defendant has shown a reasonable attempt to show the plaintiff consented, courts may not allow the plaintiff to avoid the issue through careful pleading.

  1. Courts in the Ninth and Third Circuits Disagree Whether Simultaneous Messages Are “Intercepted” while “in Transit.”

On October 17, a Northern District of California court denied a motion to dismiss wiretapping claims under both California’s Section 631(a) wiretapping law and the federal ECPA. The defendant had argued the plaintiffs were required to provide more than conclusory allegations that messages were intercepted “during transmission in real time” to meet the wiretapping requirement that messages are intercept while “in transit.” The court found the plaintiff’s allegations were not conclusory because the complaint contained a detailed description of the pixel and related technology at issue, including screenshots of the source code.

Nearly a month later, the Third Circuit of Appeals affirmed a New Jersey District Court’s dismissal of a wiretapping claim (brought under California’s CIPA). Relying on its 2015 precedential decision that dealt with the display of third-party advertisements on a webpage, the Third Circuit held there was no interception when the plaintiffs’ browser sent a separate message to the third-party’s server that was concurrent with the communications to the defendant’s browser. The Third Circuit held that as a recipient of a direct communication from the plaintiff’s browser, the third-party did not intercept anything but was instead a participant in the communication.