Litigation Updates

Subscribe to Litigation Updates via RSS
Privacy_1200x600_GettyImages-1347310666

Key point: In this post: (1) “Broken banner” claims proceed past pleading stage; (2) Courts continue to reject arguments that pen registers are limited to telephones but hope remains; (3) Offering movie trailers on websites does not transform movie theaters into “video tape service providers” under the VPPA; (4) “In transit” defense remains viable against wiretapping claims; (5) SDNY court suggests use of non-Meta social media pixel could impose VPPA liability.

Welcome to our monthly update on how courts across the nation have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from December 2025.

Many courts are currently handling data privacy cases across the U.S. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation you would like to know more about, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Privacy_1200x600_GettyImages-1347310666

Key point: Courts are split over whether use of the Meta Pixel to share URLs of videos users watch qualifies as disclosure of PII under the VPPA, even when they apply the same “ordinary person” test to nearly identical allegations.

Earlier this year, the Second Circuit joined the Third and Ninth Circuits in adopting an “ordinary person” standard to determine whether a defendant’s disclosure of information constitutes disclosure of personally identifiable information (PII) prohibited by the Video Privacy Protection Act (VPPA). Although this standard initially appeared more restrictive — and thus more favorable to defendants — than the “reasonable foreseeability” standard the First Circuit adopted in 2016, recent decisions by courts within the Second and Ninth Circuits have instead revealed a split in how district courts apply this test to nearly identical allegations, resulting in different outcomes on motions to dismiss.

In this post: (1) Selection of law in a choice-of-law forum can defeat privacy claims; (2) The Arizona Court of Appeals shuts down “spy pixel” litigation; (3) Multiple decisions provide guidelines as to when claims are likely to be dismissed for lack of standing; (4) Consent rises and falls on implementation but plaintiffs cannot avoid the issue; and (5) Courts in the 3rd and 9th Circuit disagree whether simultaneous messages are intercepted while in transit.

Welcome to our monthly update on how courts across the nation have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from October and November 2025.

Privacy_1200x600_GettyImages-1952157610

Key point: The Third Circuit Court of Appeals recently issued an opinion affirming the dismissal of a class action complaint asserting both California Invasion of Privacy Act (CIPA) and California Medical Information Act (CMIA) claims, providing helpful guidance on the application of the “party exception” defense to a wiretap claim, as well as the meaning of “medical information” under the CMIA claim.

Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.

Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.

Privacy_1200x600_GettyImages-2154887234

In what appears to be an emerging privacy litigation trend, plaintiffs’ attorneys have recently filed a series of putative class action lawsuits targeting data companies in possession of cellular telephone numbers. The lawsuits attempt to leverage an untested provision in Colorado’s Prevention of Telemarketing Fraud Act (PFTA) which prohibits knowingly listing “a cellular telephone number in a directory for a commercial purpose unless the person whose number has been listed has given affirmative consent[.]” Colo. Rev. Stat. Ann. § 6-1-304(4). Although the law was originally enacted in 2005, there is almost no case law interpreting its provisions. However, the PFTA provides for statutory damages of $300-500 per violation, attorneys’ fees, and costs, making it attractive to plaintiffs’ lawyers. Several other states have similar laws. See, e.g., Conn. Gen. Stat. Ann. § 16-247s, N.Y. Gen. Bus. Law § 399-cc.1, Minn. Stat. Ann. § 325E.318, 73 Pa. Stat. Ann. § 2403, S.D. Codified Laws § 49-31-118, and TX UTIL § 64.202.