Key point: In this post: (1) “Broken banner” claims proceed past pleading stage; (2) Courts continue to reject arguments that pen registers are limited to telephones but hope remains; (3) Offering movie trailers on websites does not transform movie theaters into “video tape service providers” under the VPPA; (4) “In transit” defense remains viable against wiretapping claims; (5) SDNY court suggests use of non-Meta social media pixel could impose VPPA liability.
Welcome to our monthly update on how courts across the nation have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from December 2025.
Many courts are currently handling data privacy cases across the U.S. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation you would like to know more about, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.
1. “Broken banner” claims proceed past pleading stage.
Two federal courts in California denied motions to dismiss where the plaintiff alleged the cookie preferences on the defendant’s website did not operate properly. Critically, these plaintiffs did not allege they were not aware of the cookie banner or of the tracking technology used on the defendant’s website but instead that they had studied the plaintiff’s disclosures carefully and used that information to opt out of nonessential cookies. The plaintiffs alleged in both cases that their elections were not honored and the tools on the defendant’s websites continued to track them even after they had opted out. Both plaintiffs alleged this behavior violated California common laws — such as intrusion upon seclusion, fraud, and unjust enrichment — and that the resulting tracking violated California’s wiretapping and pen registry laws.
On December 17, 2025, a Northern District of California court issued a decision finding the plaintiff had stated a claim for “intrusion upon seclusion” by alleging the defendant’s “broken banner” allowed the third parties to track the plaintiff’s activity and communications on the defendant’s website when the plaintiffs had expressly declined to allow third-party marketing and other nonessential cookies. The plaintiffs alleged the defendant presented users a choice as to how they would be tracked while on the defendant’s websites. The privacy policy explains that the websites use cookies and that plaintiffs can “make certain choices about cookies through the cookie choices tools ….” The pop-up cookie consent banner told users that the sites use cookies for “Online Advertising” on both the site they visit and “another site you may visit in the future.” The banner also said that the cookies it used for “Performance and Analytics” were meant “to improve our site” and were “[n]ot used for online advertising purposes or by third parties for their own use.”
Plaintiffs alleged they relied on these disclosures and opted out of nonessential cookies. Despite this election, the plaintiffs alleged the defendants placed cookies on the plaintiff’s devices. The court first found the plaintiff’s allegations stated a claim for intrusion upon seclusion, finding the plaintiffs had a reasonable expectation of privacy despite using a public website because the defendants had represented that if the plaintiffs opted out of cookies then the plaintiff’s information would not be shared. The court found this “deceptive conduct” was also sufficient to “preclude the court from concluding, as a matter of law, that [the defendant’s] invasion was not ‘highly offensive.’” The court also found the “deceptive” conduct meant the plaintiffs had alleged a concrete injury-in-fact under Popa, finding that the harm “is similar to that addressed by the common law public-disclosure-of-public-facts tort”.
The court also allowed wiretapping and pen registry claims to proceed past the pleading stage, rejecting the defendant’s arguments that the “content” of any communication had not been intercepted to establish a wiretapping claim and that, even if it had, the plaintiff could not state a claim under California’s pen registry law because a pen register cannot capture the “content” of a communication. Although a claim for intrusion upon seclusion does not allow a plaintiff to recover statutory damages, plaintiffs allege their data has value and will likely seek compensation for that data. Moreover, both the Central District and Northern District decisions discussed above also allowed the plaintiff’s wiretapping and pen registry claims, which do provide for statutory damages, to proceed past the pleading stage after first allowing the intrusion upon seclusion claim to proceed.
Two days prior, a Central District of California court issued a decision that denied the defendant’s motion to dismiss the plaintiff’s claims under both federal and California wiretapping laws, California’s pen registry law, and California common law claims for unjust enrichment, and fraud. Although the court did not devote many words to the facts that gave rise to the plaintiff’s claim, the court did note that the plaintiff alleged they expressly declined to allow third-party cookies and tracking technologies and the defendant nevertheless allowed those parties to place and/or transmit cookies that tracked the plaintiffs and other users’ website browsing activities. The court then rejected the defendant’s arguments regarding the plaintiff’s claims under California’s wiretapping and pen registry laws.
We anticipate seeing an increase in these “broken banner” claims as they allow plaintiffs to circumvent the defense of consent via the cookie banner, to which courts have been increasingly receptive. If you have questions regarding whether your cookie banner is operating in a way that could subject you to liability under these theories, please contact a Troutman Pepper Locke attorney.
2. Courts continue to reject arguments that pen registers are limited to telephones but note textual argument could have merit under different facts.
In December 2025, two courts issued decisions that rejected defendants’ arguments that California’s pen registry law was limited to telephones. One of these courts, however, noted that such an argument could have merit under different factual allegations.
On December 17, 2025, a decision by a Northern District of California court rejected the defendant’s argument that the tracking software at issue could not qualify as a pen register because California’s law applied only to telephones. The court found the limited textual provisions “cannot trump the express statutory definition of pen register, which is not so limited” and the California legislature could have limited pen register to claims if it wanted to do so.
Earlier that month, however, a Central District of California court issued a decision that, although it also rejected the defendant’s argument, noted the defendant’s textual argument could have merit under different factual allegations. The court found the defendant’s argument that IP addresses, location data, and device information do not constitute destination dialing or routing information for the party the plaintiffs contacted. Although the court noted this argument had some merit, the court ultimately rejected the argument after finding the specific tracker at issue in that litigation was alleged to follow plaintiffs across multiple devices as they engaged on the internet and, to accomplish that purpose, the tracker would necessarily have to capture destination information.
3. The Eighth Circuit confirms: Offering movie trailers on their websites does not transform movie theaters into “video tape service providers” under the VPPA.
On December 8, 2025, the Eighth Circuit issued a decision rejecting the plaintiff’s argument that a movie theater could meet the VPPA’s statutory definition of a “video tape service provider” based on the theater’s actions of either showing a movie in the theater or offering movie trailers on the theater’s website.
The defendant in the case was (obviously) a movie theater. It offers free movie trailers on its website and showed movies at its theater to customers who purchased a ticket. The plaintiff alleged after she watched trailers on the defendant’s website, she began receiving targeted movie ads. The Minnesota District Court dismissed the case after finding that the defendant was not a video tape service provider. The plaintiff appealed to the Eighth Circuit, which affirmed that a movie theater is not a video tape service provider.
In reaching its decision, the court separately considered whether the defendant could be liable under the VPPA for showing movies or by providing trailers for movies on its website. As to movies shown in the theater – the court found: “Running a theater involves the ‘delivery’ of movies to create ‘audio visual’ experiences.” The court noted, however, that in the definition under Section 2710(a)(4), the word “audio visual” is sandwiched between “similar” and “materials.” The court noted “‘[m]aterials like prerecorded video cassette tapes have a physical existence… they can be touched; played on a home recorder; watched, rewatched paused, rewound, and fast forwarded; and shared with family and friends.” In contrast, a customer who purchased a ticket to see a movie lacked such control: “the movie plays from start to finish with no opportunity to pause, rewind, or fast forward.” It is possible the court’s reasoning may also exclude other materials that cannot be played on a home recorder, rewatched, paused, rewound, fast forwarded, or shared with family and friends, such as online videos that do not allow the user to control the playback of the videos.
As to the trailers available on the website, the court first found the defendant’s business was “filling theaters” and it earned revenue from selling tickets, which got customers through the door to buy popcorn, snacks, and other concessions. The court then found that the “movie exhibition and food services” are the two businesses in which the defendant does business for “livelihood of gain.” This represents a split in authority, as another court recently found businesses need not be for profit and allowed claims against an educational institution to proceed past the pleading stage. Finally, the court found that a web trailer is merely a type of advertisement to get potential customers in the seats by generating interest and anticipation for a film.
4. “In transit” defense remains viable against wiretapping claims.
To state a claim for wiretapping under either Federal or California law, a plaintiff must allege an interception occurred while the contents of a communication were “in transit.” (Seen differently, if a quarterback gets a pass off but the other team catches it, then it is an interception. If the quarterback drops the ball before throwing it or the receiver catches the pass and then drops it, then it is a fumble; not an interception.)
In December 2025, courts continued to disagree as to what allegations are sufficient to avoid a motion to dismiss on the issue of “in transit.” A December 15 decision from a Central District of California court denied a motion to dismiss after finding the FAC alleges “third-party cookies stored on and/or loaded from users’ devices when they interact with the Website are transmitted to those third parties, enabling them to surreptitiously track in real time… .”
In a December 22 decision from a Northern District of California court, however, the court rejected the plaintiff’s argument that similar allegations were sufficient to allege the interception occurred while “in transit” because the complaint did not include “a description of how the software works or how the interception occurred. “As such, Plaintiffs’ mere assertion that Defendants or third parties acquire the communications contemporaneously, without factual support, is insufficient to survive to Defendant’s motion to dismiss.”
Similarly, a December 4 decision from a Central District of California court found the plaintiffs failed to allege the interception occurred while the communication was “in transit.” The court rejected the plaintiff’s argument that allegations the defendants employed trackers that collected “browser and device data as well as identifying and addressing information” said nothing about the third-party’s ability to read, attempt to read, or learn the contents of the plaintiff’s communications “while those communications were in transit.” The court “agreed with others that ‘you have to do something more than just intercept the contents of the communication’ to state a claim.”
5. SDNY court dismisses VPPA claim based on non-Meta pixel but notes alternative or additional factual allegation could potentially state claim.
As we have previously covered, Southern District of New York courts are historically hostile to VPPA claims based on pixels such as the Meta pixel. A December 23, 2025, decision from an SDNY court, however, may indicate that plaintiffs are shifting their theories to tracking technology other than the Meta pixel; and that at least one SDNY court would be receptive to such allegations.
The plaintiff had alleged violation of the VPPA by a professional sports organization’s use of two pixels: the Meta pixel and another social media pixel. Although the court dismissed the plaintiff’s claims in view of the Second Circuit’s Solomon decision, the court noted that alternative or additional factual allegations could state a claim as to the other pixel. The court cautioned the plaintiff (and others), however, noting that if the information transmitted from the plaintiff’s computer “is interspaced with many characters, numbers, and letters” (such as the case with the Meta pixel) then it may be illegible to an ordinary person and fail under Solomon.