Litigation Updates

Subscribe to Litigation Updates via RSS
Security_1200x600_GettyImages-2170887175

Welcome to Part Two of our series that examines the ECPA as a private right of action for privacy policy inaccuracies.  In Part One of this series, we examined how a wave of state-law wiretapping litigation — predominantly under California’s Invasion of Privacy Act (CIPA) — set the stage for a new and more expansive federal class action litigation threat.  After years of plaintiffs targeting websites that deploy tracking technologies such as pixels and cookies, a series of defense wins in 2025 (and pending legislative action) encouraged plaintiffs’ firms to seek alternative theories. They found one in the Electronic Communications Privacy Act (ECPA). 

Privacy_1200x600_GettyImages-1952157610

Key Points: An August 2025 federal court ruling has opened the door for plaintiffs to use alleged inaccuracies or misrepresentations in a company’s privacy policy and other privacy disclosures as the basis for a federal wiretapping claim under the Electronic Communications Privacy Act (“ECPA”).

Unlike state wiretapping claims like CIPA, class action plaintiffs can file ECPA claims nationwide and they can carry statutory damages of $100 per day of violation or $10,000, whichever is greater. Plaintiffs’ firms are increasingly leading with ECPA claims in demand letters and class action complaints.

Companies can take steps to help insulate themselves from litigation by assessing and modifying their privacy policy and other data processing disclosures.

Introduction

Any company with a privacy policy that operates a website using so-called tracking technologies such as pixels, cookies, software development kits, or third-party analytics tools (which is practically every company) should be aware of the real class action risk associated with the federal wiretapping law known as the Electronic Communications Privacy Act (ECPA or Wiretap Act) and its “crime-tort” exception.  We have data mined and analyzed thousands of privacy lawsuits using AI to track plaintiff lawyers’ allegations and patterns.

Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: Five takeaways from March 2026 decisions: (1) Courts diverge on “purpose” requirement in ECPA’s crime-tort exception; (2) Courts consider ECPA exception outside the health care industry; (3) Contradictory statements in privacy policies can defeat consent even when tracking tech use is disclosed; (4) Courts provide guidance on website design to establish consent; and (5) Three courts allow negligence claims to proceed but nix negligence per se claims.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from March 2026.

Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: (1) Courts grapple with nonstatutory damage claims in “broken banner” cases; (2) Courts dismiss CIPA claims where plaintiffs failed to explain delays; (3) New privacy litigation trend takes off as two courts deny motions to dismiss under Washington’s Commercial Electronic Mail Act; (4) Motion to transfer based on forum selection clause in terms of use denied, highlighting risks for cookie banners; (5) VPPA circuit split deepens: as two more courts reject “ordinary observer” test but SCOTUS again refuses to resolve.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from February 2026.

CA_StateFlag_1200x600_GettyImages-1435108815

Key point: The California attorney general announced a $2.75 million fine against a company for CCPA violations for failing to honor requests to opt out of the sale or sharing of personal information across all devices and services associated with consumer accounts.

On February 11, 2026, the California attorney general (AG) announced a settlement with a multiplatform entertainment company, resolving alleged California Consumer Privacy Act (CCPA) violations based on gaps in the company’s opt-out procedures. This is the second public CCPA enforcement settlement arising from the California Department of Justice’s 2024 investigative sweep of streaming services. This also is the largest CCPA settlement amount to date, and is roughly five times the amount of the first enforcement action and more than $1 million more than the prior largest settlement by the AG. These actions reflect an escalating enforcement trajectory as the AG and the California Privacy Protection Agency develop a body of precedent that increasingly functions as operational compliance guidance for businesses. Notably, every CCPA enforcement action to date has involved, in some way, the right to opt out and demonstrates that the AG’s expectations for what constitutes compliant opt-out implementation are becoming both more granular and more demanding with each successive action.

Blogs_PrivacyCyberAI_OG_PrivacyLitigationReport

Key point: In this post: (1) increase in ECPA litigation as courts extend “crime tort” exception beyond health care; (2) service provider wins again against wiretapping claim; (3) defendants lose standing arguments in federal court; (4) VPPA circuit split widens as courts reject existing tests to determine whether disclosure of PII occurred; and (5) first PTFA decision in 15 years is issued, with more likely to come.

Welcome to our monthly update on how courts across the U.S. have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from January 2026. And there were a lot of decisions. Courts issued twice as many California Invasion of Privacy Act (CIPA) wiretapping decisions in January 2026 than in December 2025.

Artificial_Intelligence_1200x600_GettyImages-2170346048

Key Point: In a significant win for electronic communication providers that utilize artificial intelligence (AI) as part of their core functions, the Northern District of Illinois held that a defendant’s AI transcription and analytics service operated in the ordinary course of its electronic communications business and therefore did not violate the Electronic Communications Privacy Act (ECPA). The ruling may provide a powerful defense to federal and state law wiretap claims targeting AI call technologies.

Privacy_1200x600_GettyImages-1347310666

Key point: In this post: (1) “Broken banner” claims proceed past pleading stage; (2) Courts continue to reject arguments that pen registers are limited to telephones but hope remains; (3) Offering movie trailers on websites does not transform movie theaters into “video tape service providers” under the VPPA; (4) “In transit” defense remains viable against wiretapping claims; (5) SDNY court suggests use of non-Meta social media pixel could impose VPPA liability.

Welcome to our monthly update on how courts across the nation have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from December 2025.

Many courts are currently handling data privacy cases across the U.S. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation you would like to know more about, please reach out. The contents provided below are time-sensitive and subject to change. If you are not already subscribed to our blog, consider doing so to stay updated. If you are interested in tracking developments between blog posts, consider following us on LinkedIn.

Privacy_1200x600_GettyImages-1347310666

Key point: Courts are split over whether use of the Meta Pixel to share URLs of videos users watch qualifies as disclosure of PII under the VPPA, even when they apply the same “ordinary person” test to nearly identical allegations.

Earlier this year, the Second Circuit joined the Third and Ninth Circuits in adopting an “ordinary person” standard to determine whether a defendant’s disclosure of information constitutes disclosure of personally identifiable information (PII) prohibited by the Video Privacy Protection Act (VPPA). Although this standard initially appeared more restrictive — and thus more favorable to defendants — than the “reasonable foreseeability” standard the First Circuit adopted in 2016, recent decisions by courts within the Second and Ninth Circuits have instead revealed a split in how district courts apply this test to nearly identical allegations, resulting in different outcomes on motions to dismiss.

In this post: (1) Selection of law in a choice-of-law forum can defeat privacy claims; (2) The Arizona Court of Appeals shuts down “spy pixel” litigation; (3) Multiple decisions provide guidelines as to when claims are likely to be dismissed for lack of standing; (4) Consent rises and falls on implementation but plaintiffs cannot avoid the issue; and (5) Courts in the 3rd and 9th Circuit disagree whether simultaneous messages are intercepted while in transit.

Welcome to our monthly update on how courts across the nation have handled privacy litigation involving website tools such as cookies, pixels, session replay, and similar technologies. In this post, we cover decisions from October and November 2025.