Litigation Updates

Subscribe to Litigation Updates via RSS
Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: Five takeaways from March 2026 decisions: (1) Courts diverge on “purpose” requirement in ECPA’s crime-tort exception; (2) Courts consider ECPA exception outside the health care industry; (3) Contradictory statements in privacy policies can defeat consent even when tracking tech use is disclosed; (4) Courts provide guidance on website design to establish consent; and (5) Three courts allow negligence claims to proceed but nix negligence per se claims.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from March 2026.

Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: (1) Courts grapple with nonstatutory damage claims in “broken banner” cases; (2) Courts dismiss CIPA claims where plaintiffs failed to explain delays; (3) New privacy litigation trend takes off as two courts deny motions to dismiss under Washington’s Commercial Electronic Mail Act; (4) Motion to transfer based on forum selection clause in terms of use denied, highlighting risks for cookie banners; (5) VPPA circuit split deepens: as two more courts reject “ordinary observer” test but SCOTUS again refuses to resolve.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from February 2026.

CA_StateFlag_1200x600_GettyImages-1435108815

Key point: The California attorney general announced a $2.75 million fine against a company for CCPA violations for failing to honor requests to opt out of the sale or sharing of personal information across all devices and services associated with consumer accounts.

On February 11, 2026, the California attorney general (AG) announced a settlement with a multiplatform entertainment company, resolving alleged California Consumer Privacy Act (CCPA) violations based on gaps in the company’s opt-out procedures. This is the second public CCPA enforcement settlement arising from the California Department of Justice’s 2024 investigative sweep of streaming services. This also is the largest CCPA settlement amount to date, and is roughly five times the amount of the first enforcement action and more than $1 million more than the prior largest settlement by the AG. These actions reflect an escalating enforcement trajectory as the AG and the California Privacy Protection Agency develop a body of precedent that increasingly functions as operational compliance guidance for businesses. Notably, every CCPA enforcement action to date has involved, in some way, the right to opt out and demonstrates that the AG’s expectations for what constitutes compliant opt-out implementation are becoming both more granular and more demanding with each successive action.

Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: In this post: (1) increase in ECPA litigation as courts extend “crime tort” exception beyond health care; (2) service provider wins again against wiretapping claim; (3) defendants lose standing arguments in federal court; (4) VPPA circuit split widens as courts reject existing tests to determine whether disclosure of PII occurred; and (5) first PTFA decision in 15 years is issued, with more likely to come.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from January 2026. And there were a lot of decisions. Courts issued twice as many California Invasion of Privacy Act (CIPA) wiretapping decisions in January 2026 than in December 2025.

Artificial_Intelligence_1200x600_GettyImages-2170346048

Key Point: In a significant win for electronic communication providers that utilize artificial intelligence (AI) as part of their core functions, the Northern District of Illinois held that a defendant’s AI transcription and analytics service operated in the ordinary course of its electronic communications business and therefore did not violate the Electronic Communications Privacy Act (ECPA). The ruling may provide a powerful defense to federal and state law wiretap claims targeting AI call technologies.

Privacy_1200x600_GettyImages-1347310666

Key point: In this post: (1) “Broken banner” claims proceed past pleading stage; (2) Courts continue to reject arguments that pen registers are limited to telephones but hope remains; (3) Offering movie trailers on websites does not transform movie theaters into “video tape service providers” under the VPPA; (4) “In transit” defense remains viable against wiretapping claims; (5) SDNY court suggests use of non-Meta social media pixel could impose VPPA liability.

Welcome to our monthly update on how courts across the nation have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from December 2025.

Many courts are currently handling data privacy cases across the U.S. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation you would like to know more about, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Privacy_1200x600_GettyImages-1347310666

Key point: Courts are split over whether use of the Meta Pixel to share URLs of videos users watch qualifies as disclosure of PII under the VPPA, even when they apply the same “ordinary person” test to nearly identical allegations.

Earlier this year, the Second Circuit joined the Third and Ninth Circuits in adopting an “ordinary person” standard to determine whether a defendant’s disclosure of information constitutes disclosure of personally identifiable information (PII) prohibited by the Video Privacy Protection Act (VPPA). Although this standard initially appeared more restrictive — and thus more favorable to defendants — than the “reasonable foreseeability” standard the First Circuit adopted in 2016, recent decisions by courts within the Second and Ninth Circuits have instead revealed a split in how district courts apply this test to nearly identical allegations, resulting in different outcomes on motions to dismiss.

In this post: (1) Selection of law in a choice-of-law forum can defeat privacy claims; (2) The Arizona Court of Appeals shuts down “spy pixel” litigation; (3) Multiple decisions provide guidelines as to when claims are likely to be dismissed for lack of standing; (4) Consent rises and falls on implementation but plaintiffs cannot avoid the issue; and (5) Courts in the 3rd and 9th Circuit disagree whether simultaneous messages are intercepted while in transit.

Welcome to our monthly update on how courts across the nation have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from October and November 2025.

Privacy_1200x600_GettyImages-1952157610

Key point: The Third Circuit Court of Appeals recently issued an opinion affirming the dismissal of a class action complaint asserting both California Invasion of Privacy Act (CIPA) and California Medical Information Act (CMIA) claims, providing helpful guidance on the application of the “party exception” defense to a wiretap claim, as well as the meaning of “medical information” under the CMIA claim.

Key point: Plaintiffs’ attorneys have started sending a wave of letters asserting opt-out and access rights under California’s Shine the Light law.

Over the last three months, businesses have been receiving requests from California residents seeking to exercise their rights under California’s Shine the Light law, Cal. Civ. Code § 1798.83. These requests are sent by attorneys who purport to represent a California resident who is a “customer” of, and has an “established business relationship” with, the business receiving the request. The requests seek an accounting of the customer’s personal information disclosed to third parties for direct marketing purposes within the past year.