Key point: (1) Courts grapple with nonstatutory damage claims in “broken banner” cases; (2) Courts dismiss CIPA claims where plaintiffs failed to explain delays; (3) New privacy litigation trend takes off as two courts deny motions to dismiss under Washington’s Commercial Electronic Mail Act; (4) Motion to transfer based on forum selection clause in terms of use denied, highlighting risks for cookie banners; (5) VPPA circuit split deepens: as two more courts reject “ordinary observer” test but SCOTUS again refuses to resolve.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from February 2026.

Many courts are currently handling data privacy cases across the U.S. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation you would like to know more about, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

1. Courts grapple with nonstatutory damage claims in ‘broken banner’ cases

As we have previously covered, plaintiffs are increasingly bringing lawsuits alleging they visited a defendant’s website, relied on the defendant’s use of a consent management platform — such as a cookie banner or cookie management preferences — and opted out of nonessential technologies, but despite that selection, the defendant’s website tracked the plaintiff’s activity and shared it with third parties. These complaints typically assert claims that provide for statutory damages, such as wiretapping under state or federal law. Plaintiffs have not limited their lawsuits to these statutory-damage claims, however, but have also asserted common law claims that may allow for profit disgorgement or that can serve as the predicate to overcome the one-party consent exemption under federal and many state wiretapping laws.

In February, we saw courts address many of these claims with varying results. Courts allowed invasion of privacy and fraud claims to proceed in several cases while dismissing or distinguishing claims for unjust enrichment, breach of implied contract, and trespass to chattels.

A Northern District of California court denied the defendant’s motion to dismiss the plaintiff’s invasion of privacy and intrusion upon seclusion claims, finding the plaintiff had adequately alleged facts sufficient to show that the defendant’s alleged collection of data could be highly offensive. The court emphasized that “determining the offensiveness of an invasion requires consideration of the degree of the intrusion, the context, conduct and circumstances surrounding the intrusion as well as the intruder’s motives and objectives.” Because the allegations did not “show no reasonable expectation of privacy or an insubstantial impact on privacy interests,” the court held the question could not be adjudicated as a matter of law at the pleading stage. Notably, the court found that the plaintiff’s expectation of privacy arose from the defendant’s own conduct: because the defendant “set an expectation that user data would not be collected, but then collected it anyway,” the plaintiff had alleged a sufficient injury. This decision aligns with previous rulings we have covered in prior posts that have allowed invasion of privacy and intrusion upon seclusion claims to proceed past the pleading stage in similar “broken banner” cases.

The same court also allowed the plaintiff’s common law fraud claim to proceed past the pleading stage. The court found the plaintiff had adequately pleaded “the who, what, when, where, and how” of the alleged misrepresentation under Federal Rule of Civil Procedure 9(b)’s heightened pleading standard because the plaintiff alleged that in the first half of 2023, he visited the defendant’s website and was immediately shown a popup cookie consent banner representing that he could decline all cookies by clicking “Reject All,” but that this representation was false because the defendant in fact tracked his activity using cookies and transmitted his data to third parties. The court rejected the defendant’s arguments that the plaintiff failed to plausibly allege justifiable reliance, failed to establish a duty to disclose, and failed to show compensable injury. The court found the plaintiff explicitly pleaded justifiable reliance by alleging he continued browsing the defendant’s website “in reliance on” the representations about opting out.

February decisions reached different conclusions on unjust enrichment claims. Another decision from a Northern District of California denied the defendant’s motion to dismiss the unjust enrichment claim. The court accepted the plaintiffs’ allegations that the defendant misled them as to the effect of rejecting all cookies and that the resulting data collection was valuable because it enabled the defendant to better market its products, better target advertisements, and better profit from its understanding of users’ behaviors. By contrast, an Eastern District of Pennsylvania court granted the defendants’ motion to dismiss the unjust enrichment claim, finding the plaintiffs failed to adequately allege either of two theories of economic injury. Under the “diminution of value” theory, the court held that while the plaintiffs alleged their health information had monetary value, they did not allege the defendants “deprived [plaintiffs] of the information’s value.” The court reasoned that the defendants “did not take information away from [plaintiffs], such that it was no longer available to [plaintiffs],” and “there were no allegations that information was less valuable because of defendants’ use of it, let alone allegations that [plaintiffs] themselves intended to sell their information.” Under the “benefit-of-the-bargain” theory, the court found the plaintiffs failed to allege they “provided [defendants] with an economic benefit worth one penny less than what they paid. The divergent outcomes on unjust enrichment claims — particularly the contrast between one court’s acceptance of value-based allegations and another court’s requirement of more concrete economic injury — suggest this remains an evolving area. Courts appear willing to allow unjust enrichment claims to proceed where plaintiffs can plausibly allege the defendant derived concrete financial benefits from the misrepresentation but remain skeptical of more abstract claims about the diminished value of personal information.

Courts have more uniformly dismissed breach of contract claims, including a Northern District of California court that found the plaintiffs failed to adequately allege the existence of a contract because they had not pleaded a bargained-for exchange. Under California law, a contract requires consideration, which means a party must “confer (or agree to confer) a benefit or must suffer (or agree to suffer) prejudice,” and “the benefit or prejudice must have induced the promisor’s promise.” The court rejected the plaintiff’s argument that the benefit they conferred on the defendant was “surrendering more data than they bargained for and that such data is valuable,” finding the “plaintiffs would have received the same access to [the defendant’s] website whether or not they consented to additional cookies.”

Courts in February also consistently dismissed trespass to chattels claims where plaintiffs failed to adequately allege damage to their devices. A Northern District of California court dismissed the plaintiff’s trespass to chattels claim because, under California law, a plaintiff must allege the trespass “impaired the condition, quality, or value of the personal property.” Although the complaint alleged the interference caused “(a) nominal damages for trespass, (b) reduction of storage space on his device, and (c) loss of value of his computing devices,” the court found “it is a matter of common understanding that cookies are minute in size and thus incapable of noticeably affecting the performance of modern computers.” Because the plaintiffs did not allege anywhere else in the complaint “that the placement of the cookies had any noticeable effect on the performance of their devices,” the court held the “generalized assertions of reduced storage or performance do not satisfy the requirement of actual, provable damages.” Similarly, another Northern District of California court dismissed a trespass to chattels claim after rejecting the plaintiff’s “reduced storage” theory. The court emphasized that “there are no allegations explaining how the cookies at issue have actually impaired [the] devices — e.g., how much storage space is taken up or whether any slowdown in performance has been measured.”

These February decisions illustrate that while courts continue to allow invasion of privacy and fraud claims to proceed in “broken banner” cases, plaintiffs face significant hurdles in establishing non-statutory damages through claims like unjust enrichment, breach of implied contract, and trespass to chattels. The consistent dismissal of trespass to chattels claims absent measurable device impairment indicates courts are holding plaintiffs to a high standard of pleading actual harm to their property interests. Similarly, the breach of implied contract dismissal suggests courts will carefully scrutinize whether plaintiffs have alleged the essential elements of contract formation, particularly mutual consideration, rather than accepting conclusory allegations that a contract existed. As these “broken banner” cases continue to proliferate, the treatment of nonstatutory damage claims will remain a key area of development.

2. Courts dismiss CIPA claims where plaintiffs failed to explain delays

Two Northern District of California courts granted motions to dismiss California Invasion of Privacy Act (CIPA) claims on statute of limitations grounds in February, providing guidance on what plaintiffs must allege to invoke the delayed discovery rule and equitable tolling.

In a February 18 decision from the Northern District of California, the court dismissed the plaintiff’s CIPA claim after finding she failed to cure deficiencies identified in a prior dismissal order. The court had previously explained that for the plaintiff’s claim to be timely under the delayed discovery rule, she needed to allege when she first discovered the alleged violation — specifically, when she began seeing targeted advertisements. Rather than providing this key temporal allegation, the plaintiff amended her complaint to argue that “due to the surreptitious nature of the interceptions,” it was “impossible for her to discern the causal link between those ads and Defendant’s unlawful disclosures.” The court found this insufficient and dismissed the claim.

In another decision from the Northern District of California, the court dismissed CIPA wiretapping and pen register claims after finding the plaintiff took 452 un-tolled days between the alleged injury in August 2023 and filing suit in June 2025, exceeding CIPA’s one-year statute of limitations. The court rejected the plaintiff’s equitable tolling argument, noting unexplained delays including four months before initiating arbitration, six months after the arbitrator ruled the claims were nonarbitrable, and filing an unnecessary petition to confirm the arbitration decision. The court found the plaintiff failed to demonstrate “good faith and reasonable conduct” due to the nearly 11-month delay in filing after learning the claims could proceed in court. The dismissal was granted with leave to amend if the plaintiff could allege facts justifying the filing delays.

These decisions show courts may not accept generalized arguments — whether that tracking technology is “surreptitious” — to excuse late filing. Plaintiffs invoking the discovery rule must allege specific facts about when they discovered the alleged interception, and those seeking equitable tolling must provide detailed explanations for any delays in filing suit.

3. New privacy litigation trend takes off as two courts deny motions to dismiss under Washington’s Commercial Electronic Mail Act

Plaintiffs are increasingly filing lawsuits that allege violation of a Washington 1998 law, the Commercial Electronic Mail Act (CEMA), which prohibits sending commercial email messages that contain “false or misleading information in the subject line” to Washington residents. RVS 19.190.020(1)(b). Enforcement of the CEMA is provided through Washington’s Consumer Protection Act (CPA) and the CEMA allows statutory damages of $500 per violation.

To state a claim under CEMA, plaintiffs must allege the defendant: (1) initiated a commercial e-mail; (2) with a false or misleading subject line; (3) to an address the sender knew or had reason to know was held by a Washington resident. RCW 19.190.020(1)(b). Motions to dismiss have focused on the second and third elements. Two decisions issued in February denied motions to dismiss, finding that subject lines that created artificial urgency through false deadlines — such as stating promotions would “end tonight” followed by next-day “EXTENDED!” messages — suggested planned deception rather than legitimate business decisions.

These decisions also found the plaintiffs had alleged the defendant knew plaintiffs were Washington residents and credited plaintiffs’ allegations regarding the defendants’ use of AdTech — including technology that collected IP address and location data through cookies, web beacons, and tracking pixels — and partnerships with data brokers whose products could match email address to consumer profiles with state level location data. Both courts rejected arguments that IP geolocation is too unreliable to support knowledge allegations at the pleading stage.

For any company who sends marketing emails and uses AdTech or data broker services, these decisions mean those companies must be extraordinarily vigilant in avoiding any claim that the subject lines of email messages are false or misleading as the other elements to state a CEMA claim appear predetermined. Moreover, we anticipate seeing more of these claims because courts have recently rejected arguments that the CEMA is preempted by CAN-SPAM and the statute has survived constitutional challenges that it violates the dormant commerce clause.

4. Motion to transfer based on forum selection clause in terms of use denied, highlighting risks for cookie banners

A District of Massachusetts court denied a defendant’s motion to transfer venue based on a forum selection clause, finding the defendant failed to prove users received reasonable notice of the terms and conditions when they created their accounts. The decision has significant implications beyond forum selection clauses — the same reasonable notice standards apply to cookie banners, privacy policy acknowledgments, and other consent mechanisms that companies rely on to obtain user agreement to data collection and sharing practices.

The defendant claimed that to create an account, users must check a box stating, “I agree to the Terms and Conditions,” which included a forum selection clause requiring all disputes to be brought in Texas. To support its motion, the defendant attached a declaration from its CEO, which stated only that “the user must check a box stating: ‘I agree to the Terms and Conditions’”. The court criticized the declaration for not confirming that the words “Terms and Conditions” were hyperlinked, underlined, or in blue — features the defendant claimed existed in its briefing but were unsupported by any evidence due to the wording of the declaration. The court consequently found this declaration insufficient to establish that users had reasonable notice of the terms.

The court emphasized that under Massachusetts law, reasonable notice requires that the interface clearly communicate to users that there are terms to which they will be bound and provide an opportunity to review those terms. Without a hyperlink, the box-clicking requirement alone demonstrates only manifestation of assent, not reasonable notice. The court noted that “reasonable users of the Internet may not understand that they are entering into a contractual relationship,” particularly when signing up for a mobile app.

The court also rejected the defendant’s evidence because both the memorandum and CEO declaration were written in present tense and made no claim that the sign-up process was identical in June 2023 when the plaintiff created his account. Without evidence that the agreement was binding at the relevant time, the court declined to give it controlling weight and denied the motion to transfer.

This decision creates risk for companies relying on cookie banners, sign-in flows, or account creation screens to obtain consent for privacy policies or data sharing practices. Courts may reject defenses based on user “consent” where companies cannot prove users received adequate notice of what they were agreeing to. The mere fact that a user clicked “I agree” or “Accept” is insufficient if the privacy policy or cookie policy was not conspicuously linked or if the interface did not clearly communicate that consent was being obtained. Companies should ensure that: (1) privacy policies and cookie policies are accessible through clearly visible, functional hyperlinks (ideally underlined and in a contrasting color like blue), (2) consent language explicitly references what the user is agreeing to (e.g., “I agree to the Privacy Policy and Cookie Policy” rather than generic “I agree”), (3) the design and content of banners and sign-in screens make clear that the user is providing consent to specific practices, and (4) dated screenshots or version histories are maintained to prove what interface existed at relevant times. Companies defending against AdTech litigation should anticipate challenges to whether users actually consented to data collection or third-party disclosures based on inadequate notice, even if users checked a box or clicked a button.

5. VPPA circuit split deepens: as two more courts reject “ordinary observer” test but SCOTUS again refuses to resolve

Courts continue to diverge on what test applies to determine whether a defendant disclosed a consumer’s personally identifiable information (PII) under the Video Privacy Protection Act (VPPA). Two decisions issued in February 2026 rejected the Second Circuit’s “ordinary observer” test and held that the relevant inquiry focuses on the defendant’s actual knowledge of whether disclosed information would allow identification of the plaintiff’s video viewing history. The decisions widen a circuit split that the Supreme Court, at least for now, appears uninterested in resolving — on March 10, 2026, the Court denied certiorari in Hughes v. National Football League, its second denial of a VPPA PII petition in four months.

The VPPA prohibits companies from disclosing a consumer’s PII related to what video materials the consumer viewed. Courts are currently split, however, on what standard to apply to determine whether a disclosure constitutes “PII” under the VPPA. The Second, Third, and Ninth Circuits apply the “ordinary observer test,” under which a violation occurs only if an ordinary person, without specialized knowledge or tools, could use the disclosed information to identify a consumer’s video viewing history. The First Circuit applies a “reasonable foreseeability” standard, under which PII includes information disclosed to a third party that is reasonably and foreseeably likely to reveal which videos the plaintiff obtained. Some courts applying the ordinary observer standard (mostly in the Second Circuit) have held the test forecloses claims based on disclosure of the Meta pixel, while other courts have allowed such claims to proceed past the pleading stage. Other courts apply the same standard have reached the opposite conclusion, such that there is a split even within Circuits that apply the same standard.

On February 2, a Northern District of Illinois court issued a decision finding an educational institution defendant violated the VPPA when it shared information about online courses students viewed with Meta through the Meta Pixel. In determining whether the defendant disclosed the plaintiff’s PII, the court acknowledged the circuit split but rejected the Second Circuit’s interpretation of the ordinary observer test, which has “effectively shut the door for Pixel-based VPPA claims.” The court found it “nonsensical” to “categorize information as PII based on its format, rather than the type of information conveyed” as “such a system would create a significant loophole in the VPPA that would allow to evade liability by formatting PII into code.” The court held that “the relevant question is whether the information is of such a quality that the particular defendant in question ‘knew’ at the time the disclosure was made that the third party would be able to ‘identify’ the plaintiff’s video purchases.” Under this defendant-knowledge standard, the court found the information alleged in the complaint was “plainly sufficient for an ordinary person, or Meta, to determine a person’s Facebook ID” and denied the motion to dismiss the VPPA claim.

On February 19, a District of Massachusetts court denied a motion to dismiss VPPA claims finding the plaintiff adequately alleged disclosure of PII. The court found that disclosure of course titles was sufficient because “each course is a formulated standalone offering that contains its own distinct video modules [and] disclosure of the course title also discloses precisely what videos were requested and obtained.”

The Supreme Court seems disinterested in resolving this dispute any time soon. Although the Court recently granted certiorari to resolve a different issue under the VPPA — when a plaintiff qualifies as a “consumer” — the Court has now twice declined to address the PII circuit split. In December 2024, the Court denied certiorari in a case that had asked the Court to resolve the conflict between the First Circuit’s “reasonable foreseeability” test and the Second Circuit’s “ordinary observer” test. And on March 10, 2026, the Court again denied certiorari in another Second Circuit case presenting the same circuit split. These denials suggest the Court is not yet ready to weigh in on the PII issue, leaving the circuit split in place and allowing district courts to continue developing divergent approaches to Meta pixel and similar tracking technology cases.