Ryan Garippo – Class Action Defense

March 25, 2026March 25, 2026 by Gerald L. Maatman, Jr.

Maryland Federal District Court Finds That Oral Consent Is Sufficient To Make Telemarketing Calls Using A Prerecorded Voice

By Gerald L. Maatman, Jr., Jennifer A. Riley, Anna Sheridan, and Ryan T. Garippo

Duane Morris Takeaways: On March 20, 2026, in Bradley, et al. v. DentalPlans.com, No. 20-CV-010904, 2026 U.S. Dist. LEXIS 59569 (D. Md. Mar. 20, 2026), Judge Brandan Hurson of the U.S. District Court for District of Maryland decertified a certified class action and granted summary judgment on a named plaintiff’s Telephone Consumer Protection Act (“TCPA”) claim. The decision is premised on the legal conclusion that the Federal Communications Commission (“FCC”) lacked the authority to interpret the TCPA’s consent provisions to require prior express written consent for telemarketing calls and continues the trend of courts which are challenging the FCC’s longstanding monopoly to interpret the statute.

Case Background

DentalPlans operates a “direct-to-consumer marketplace” that sells dental savings plans, including plans offered by Cigna. In November 2018, Deborah Bradley called DentalPlans to enroll in a plan and the representative asked her whether the company had her consent to contact her using “automated dialing system or prerecorded message.” Bradley, et al. v. DentalPlans.com, No. 20-CV-01094, 2024 U.S. Dist. LEXIS 10050, at *3 (D. Md. June 6, 2024). Bradley ultimately provided such consent and signed up for a dental discount plan with Cigna.

In September 2019, however, Bradley spoke to another DentalPlans representative and told that representative that she did not want her dental plan to automatically renew. As a result, DentalPlans started placing prerecorded calls to Bradley which informed her that “her membership was ending soon and that she could renew her plan.” After Bradley’s plan expired, she continued to receive prerecorded calls which “attempted to ‘win back’ [her] business by encouraging her to repurchase her Cigna plan with DentalPlans.” Id. at *5. In total, DentalPlans placed 10 “win back” calls to Bradley prior to the filing of the action.

As a result of these calls, on April 28, 2020, Bradley filed a putative class action lawsuit under the TCPA, alleging that the calls constituted unauthorized telemarketing calls using prerecorded messages. The crux of Bradley’s argument was that because these calls allegedly constituted “telemarketing” the applicable FCC regulations required prior express written consent, and oral consent would not suffice. 47 C.F.R. § 64.1200(a)(2). The court agreed with Bradley’s interpretation of the regulation, granted class certification, and certified a class comprised in part of “any consumer who signed up by telephone.” Id. at *27. Bradley then sent notice to the class members and the parties continued to litigate the case.

DentalPlans ultimately filed a motion for reconsideration of the court’s order granting class certification. In that motion, Dental Plans argued, inter alia, that the court’s reliance on 47 C.F.R. § 64.1200(a)(2) was misplaced following the U.S. Supreme Court’s mandate that district courts are “not bound by the FCC’s interpretation of the TCPA.” McLaughlin Chiropractic Assocs., Inc. v. McKesson Corp., 606 U.S. 146, 168 (2025). The parties then briefed that issue.

The Court’s Decision

In a thorough 24-page opinion, Judge Hurson walked through the proper interpretation of the phrase “prior express consent” as used in the TCPA and the scope of Congress’s delegation to the FCC.

In so doing, Judge Hurson turned to the Eleventh Circuit’s opinion in Insurance Marketing Coalition Ltd. v. FCC, 127 F.4th 303, 312 (11th Cir. 2025), which explained that the “TCPA gives the FCC only the authority to ‘reasonably define’ the TCPA’s consent-provisions” and not create a non-statutory consent regime. Judge Hurson, therefore, reasoned that because the phrase “prior express written consent” was not contained in the statute, the proper interpretation of the statute’s actual language hinged on the authority that Congress delegated to the FCC.

Similarly, Judge Hurson looked to the Fifth Circuit’s very recent decision in Bradford v. Sovereign Pest Control of Texas, Inc., 167 F.4th 809, 812 (5th Cir. 2026), which held the TCPA provides “no basis for concluding that telemarketing calls require prior express written consentbut not oral consent.” (emphasis in original).

Based on these opinions, because the “written consent” language does not appear in the statute, Judge Hurson concluded that Congress needed to delegate the interpretation of the TCPA to the FCC for its current interpretation to stand. But no such delegation is contained in the TCPA. As a result, the “best interpretation” of the statute was that “express consent” is the only requirement imposed by the TCPA, even if the consent is obtained orally.

Therefore, because Bradley provided oral consent to DentalPlans receive such to prerecorded messages when she signed up for her dental plan, she (and, the class) had no viable claims. The court, accordingly, granted summary judgment on Bradley’s individual claim and decertified the previously certified class action.

Implications For Companies

The Bradley decision continues an important trend for companies making telemarketing calls to consumers.

As we explained here, when the Fifth Circuit decided Bradford, the written consent requirement has long been thought of as one of the hallmarks of the FCC’s regulatory regime and is often used by the plaintiff’s bar to assert technical violations of the TCPA even where it is clear that a customer approved of such calls. But the current trend shows that the underlying regulatory scheme is quickly eroding with each decision that passes.

Nevertheless, the decisions in Bradford and Bradley represent only the middle ground on these issues. Other courts would go further and hold that Congress’s entire delegation of any of its authority “run[s] afoul of the nondelegation doctrine, since there are no delimitations on the discretion it grants the” FCC. McGonigle v. Pure Green Franchise Corp., No. 25-CV-61164, 2026 U.S. Dist. LEXIS 8059, at *4 (S.D. Fla. Jan. 15, 2026). Thus, the landscape of positions on such issues is wide ranging and changing by the day.

As a result of this shifting landscape, corporate counsel, and companies engaged in telemarketing, should continue to monitor this blog to stay apprised of any updates as new decisions continue to modify the FCC’s longstanding interpretation of the TCPA.

March 24, 2026March 24, 2026 by Gerald L. Maatman, Jr.

Nevada Federal Court Certifies A $3 Million Dollar TCPA Class Action Against Individual Nevada Realtor

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Ryan T. Garippo

Duane Morris Takeaways: On March 13, 2026, in Garvey, et al. v. Gaitan, No. 23-CV-00920, 2026 U.S. Dist. LEXIS 53447 (D. Nev. Mar. 13, 2026), Judge Andrew Gordon of the U.S. District Court for the District of Nevada certified a Telephone Consumer Protection Act (“TCPA”) class action against an individual realtor for violation of the statute’s prohibition against consentless prerecorded voice messages. The decision serves as a cautionary tale for companies and their individual agents, particularly those entities engaged in direct-to-consumer marketing, to consult experienced TCPA counsel in connection with their marketing campaigns to limit their potential exposure.

Case Background

In 2023, Britney Gaitan, a realtor based in Las Vegas, used an online third-party service to accumulate the homeowner contact information for home sellers whose online real estate listings were either withdrawn or expired. Gaitan then uploaded that list into a software that allowed her to send a prerecorded ringless voicemail message to the list of the home sellers she created. As a result, on March 3, 2023, and March 16, 2023, Gaitan sent these prerecorded voice messages to everyone on her list, including Wayne Garvey, one of the homeowners. Gaitan had no documentation that she received prior consent before placing these ringless voicemail messages.

Garvey ultimately filed suit against Gaitan alleging that she violated the TCPA’s prohibition on consentless prerecorded voice messages codified at 47 U.S.C. § 227(b)(1)(A)(iii). Garvey also sought to maintain the case as a class action and represent the owners of the 983 unique cell phone numbers that were called 1,983 times over the course of the two days. Put differently, Garvey ultimately asked the court to certify a class worth up to $2,974,500 or $1,500 per call.

The Court’s Ruling

On March 13, 2026, Chief Judge Andrew Gordon granted Plaintiff’s motion and certified a class against Gaitan. Although Gaitan raised arguments in response to many of the necessary elements for a plaintiff to certify a class action, the dispute largely hinged on Rule 23’s predominance requirement — i.e., whether a common questions of law or fact predominate over issues affecting only certain individual class members. To that end, Gaitan argued that four individualized issues would predominate.

First, Gaitan asserted that individualized inquiries were required to determine whether any class member actually listened to the voicemail. The problem, however, is that “Gaitan cite[d] no law that states a recipient must listen to the voicemail to suffer an injury under the TCPA.” Garvey, 2026 U.S. Dist. LEXIS 53447, at *12. To the contrary, the Federal Communications Commission (the “FCC”) only requires that a prerecorded voicemail must be “completed” to implicate the statute, and Garvey submitted such common proof via expert testimony. In short, the court concluded that these completed calls are “a central, common question of the class’s TCPA claims that predominates over any individualized issues.” Id. at *15.

Second, Gaitan asserted the same argument (i.e., an individualized issue as to whether any class member listened to the call) but repurposed it under the injury-in-fact requirement of Article III of the U.S. Constitution. For the same reason, the court concluded that because Gaitan could not cite “any law that the putative class members need to listen to the prerecorded message to be injured under the TCPA . . . they have Article III standing if Gaitan used a prerecorded voice in her ringless voicemail drops when calling their cell phones, and they need not prove any other harm.” Id. at *18. This argument was overruled.

Third, Gaitan asserted that there was individualized inquires as to whether any given class member consented to receive prerecorded voice messages. As the court aptly observed, Gaitan “indicated that she has no documentation showing that she obtained consent from any putative class members.” Id. at *19. Gaitan tried to point to the terms of the multiple listing service (“MLS”), which supposedly require a homeowner to provide his or her phone number to create a listing, and argued this action constitutes consent to receive such calls. Although the court was unconvinced, it correctly observed that the consent defense would apply to the entire class and thus “Gaitan has not provided evidence that determining whether some MLS users consented to being contacted about their property is an individualized issue.” Id. at *20.

Fourth, Gaitan asserted that individualized inquiries were required to determine whether any individual owner of a telephone number was a “residential telephone line” within the meaning of the TCPA. The primary problem, however, is that residential telephone subscriber status is not an element of a claim under Section 227(b)(1)(A)(iii) unlike other sections of the TCPA. In other words, this argument was wholly inapplicable and “does not defeat class certification.” Id. at *21.

As a result, once the realtor’s most significant objection to class certification was overruled, it was a near forgone conclusion that a class would be certified and thus the court proceeded to grant Garvey’s motion.

Implications For Companies

There are multiple cautionary messages embedded in Gaitan for those engaged in direct-to-consumer marketing. The most salient three takeaways are listed below.

The first (and, most important) lesson of Gaitan is to obtain “express consent” prior to making calls using an artificial or prerecorded voice message. 47 U.S.C. § 227(b)(1)(A). It can be difficult to defend a TCPA class action without a consent defense and Gaitan is no different.

The second lesson is that TCPA liability does not only attach to companies but may also be applied “to any person within the United States” who makes such calls. Id. Here, Britney Gaitan is the sole defendant facing TCPA liability and thus Gaitan’s personal assets are likely on the line for any resulting judgment. But that is not the end of the story. Many similar agencies have indemnification agreements with their agents, which require the agency to pay for the liabilities incurred by the agent. To the extent such an agreement exists here, both Gaitan and her agency may have exposure for this TCPA liability.

The third lesson is to ensure that any TCPA defense strategy is prophylactic in nature and crafted in collaboration with defense counsel well versed in this space. In this case, Gaitan raised arguments based on wholly inapplicable portions of the statute or asserted defenses with little chance of success given the facts of the dispute. If Gaitan consulted with experienced defense counsel in advance of the calls, then this situation could have been avoided. But once the calls are made, the best course of action is for a TCPA defendant to contact experienced defense counsel to help navigate any resulting class actions.

March 2, 2026March 2, 2026 by Gerald L. Maatman, Jr.

The Fifth Circuit Green Lights Oral Consent Under The TCPA For Telemarketing Calls

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Ryan T. Garippo

Duane Morris Takeaways: On February 25, 2026, in Bradford v. Sovereign Pest Control of Texas Inc., No. 24-20379, 2026 WL 520620, at *2 (5th Cir. Feb. 25, 2026), the Fifth Circuit held that the Federal Communications Commission (the “FCC”) lacked the statutory authority under the Telephone Consumer Protection Act (the “TCPA”) to require prior express written consent for all telemarketing calls using a prerecorded voice. This decision reverses decades of precedent requiring written consent for such calls and green lights a path to future challenges to the TCPA’s implementing regulations.

Case Background

In 2023, Radley Bradford agreed to a contract with Sovereign Pest for pest control services. When Bradford executed that agreement, he orally provided his phone number to Sovereign Pest. As a result, Sovereign Pest called him on that telephone number several times to schedule renewal inspections and Bradford agreed to those renewals. By every account, it was a normal business relationship.

But there was one wrinkle. Sovereign Pest did not call Bradford using one of its live employees. Instead, it used a prerecorded voice. Prerecorded voice calls always implicate the TCPA and its draconian statutory damages. As a result, Bradford ultimately sued Sovereign Pest in a federal class action lawsuit claiming the call constituted telemarketing. Thus, because Sovereign Pest did not have “prior express written consent” to contact him using a prerecorded voice, Bradford claimed he was entitled to damages in the amount of $1,500 per call for the 24 calls it made to him. In other words, Bradford claimed Sovereign Pest owed him $36,000 in statutory damages and millions of dollars more to the putative class.

The only problem for Bradford was that the TCPA does not contain the term “prior express written consent.” It only refers to “prior express consent.” So, Bradford sought to rely on FCC regulations that have long required written consent to make telemarketing calls using a prerecorded voice. Bradford claimed that Sovereign Pests calls constituted such telemarketing. The district court disagreed with Bradford, granting a motion for summary judgment filed by Sovereign Pest, and held that the calls did not constitute telemarketing as a matter of law. Bradford appealed.

The Fifth Circuit’s Ruling

Judge Jennifer Elrod, writing for the U.S. Court of Appeals for the Fifth Circuit, affirmed the judgment entered by the district court, but not for the reasons one might think. Rather than dive into whether or not the calls constitute telemarketing, the Fifth Circuit held that the distinction was irrelevant. It explained that although “[t]he regulation relevant to this case mostly tracks the statute” it adds an additional prohibition of “written consent for pre-recorded telemarketing calls.” Bradford, 2026 WL 520620, at *2. The FCC, however, did not have the authority to add that language to the statute.

In years past, courts may have deferred to the FCC’s interpretation of the TCPA. In 2025, however, the U.S. Supreme Court unequivocally held that district courts are “not bound by the FCC’s interpretation of the TCPA” and that courts are required to interpret the text of the statute for themselves. McLaughlin Chiropractic Assocs., Inc. v. McKesson Corp., 606 U.S. 146, 168 (2025). Thus, because the plain language of the TCPA does not impose an additional requirement of written consent for telemarketing calls, the Fifth Circuit concluded that it was outside the scope of the FCC’s regulatory authority to require such consent. As a result, the Fifth Circuit affirmed the judgement entered below.

Implications For Companies

The implications of Bradford cannot be understated.

The FCC’s imposition of a bright line rule requiring written consent for prerecorded telemarketing calls is one of the hallmarks of the statute’s regulatory regime. It is also a frequent tool used by the plaintiff’s bar to assert technical violations of the TCPA where it is clear by the context that a customer approved of such calls. In the wake of McKesson, however, the FCC’s regulations now fall by the wayside for district courts in Louisiana, Mississippi, and Texas. Companies operating in those states will now be able to rely on oral agreements with their customers to prove the existence of prior consent.

The Bradford decision is not alone. Some district courts have even suggested Congress’s delegation of any authority to the FCC “may run afoul of the nondelegation doctrine, since there are no delimitations on the discretion it grants the Commission.” McGonigle v. Pure Green Franchise Corp., No. 25-CV-61164, 2026 WL 111338, at *2 (S.D. Fla. Jan. 15, 2026). Although Bradford does not go that far, the decision represents unmistakable pushback on the FCC’s longstanding unchecked power to interpret the TCPA.

Of course, the standards are still far from clear as the Fifth Circuit is the only federal appellate court to have endorsed this approach. This decision continues the trend which has started to create a “patchwork” approach to the TCPA’s standards and complicates compliance for companies making calls nationwide. Thus, corporate counsel should continue to monitor this blog to stay on top of these varying decisions and contact experienced counsel if their organizations are facing TCPA related threats as the resulting liability can be ruinous.

November 19, 2025November 19, 2025 by Gerald L. Maatman, Jr.

Duane Morris Class Action Review Cited In Three U.S. Supreme Court Briefs

By Gerald L. Maatman, Jr., Jennifer A. Riley, Ryan T. Garippo, and George J. Schaller

Duane Morris Takeaways: On October 15, 2025, in Eli Lilly & Co., et. al. v. Richards, et al., No. 25-476 (U.S. Oct. 17, 2025), Eli Lilly & Co. filed a Petition For Writ Of Certiorari after a decision by the U.S. Court of Appeals for the Seventh Circuit which created a four-way circuit split as to the proper interpretation of 29 U.S.C. § 216(b). This petition drew briefing from several amici curiae, including the U.S. Chamber of Commerce and the CHRO Association.

Similarly, when the U.S. Court of Appeals for the Ninth Circuit decision widened that circuit split to include five different methodical approaches in Cracker Barrel Old Country Store, Inc. v. Andrew Harrington, et al., No. 25-559 (U.S. Nov. 5, 2025), Cracker Barrel also filed a Petition For A Writ of Certiorari.

Significant for readers of this blog, both petitioners and amici also cited the Duane Morris Class Action Review as the authoritative source on FLSA certification statistics and the widening circuit split regarding when it is appropriate to send notice to would-be plaintiffs, under 29 U.S.C. § 216(b) in a Fair Labor Standards Act (“FLSA”) collective action.

In its review of our practice group’s resource, Employment Practices Liability Consultant Magazine (“EPLiC”) said, “The Duane Morris Class Action Review is ‘the Bible’ on class action litigation and an essential desk reference for business executives, corporate counsel, and human resources professionals.” EPLiC continued, “The review is a must-have resource for in-depth analysis of class actions in general and workplace litigation in particular.

With the submission of our analysis to the U.S. Supreme Court, we are humbled and proud to be cited as the authoritative source in the class action space.

The Briefing In Richards And Harrington

Both Cracker Barrel and Eli Lilly correctly argued in their petitions that “the circuits are split five ways in how to interpret” Section 216(b) and the case law in this area “is in total disarray.” Both petitions ask the U.S. Supreme Court to help organize this “disarray.” As such, a brief guide through these disjointed methodological approaches is included below.

First, there is the familiar and lenient two-step standard in Lusardi v. Xerox Corp., 118 F.R.D. 351 (D.N.J. 1987), which was expressly adopted by the U.S. Court of Appeals for the Second Circuit, Scott v. Chipotle Mexican Grill, Inc., 954 F.3d 502, 515 (2d Cir. 2020), and “acquiesced to . . . without express adoption” by the First, Third, Tenth, and Eleventh Circuits. Kwoka v. Enterprise Rent-A-Car Company of Boston, LLC, 141 F.4th 10, 22 (1st. Cir. 2025); Zavala v. Wal Mart Stores Inc., 691 F.3d 527, 534 (3d Cir. 2012); Thiessen v. Gen. Elec. Cap. Corp., 267 F.3d 1095, 1105 (10th Cir. 2001); Hipp v. Liberty Nat’l Life Ins. Co., 252 F.3d 1208, 1219 (11th Cir. 2001)

Under the Lusardi approach, at step one, a plaintiff moves for conditional certification, relying solely on his or her allegations, and not competing evidence submitted by the employer. If the employee’s motion is granted, would-be plaintiffs receive notice of the lawsuit and then have the ability to opt-in as party plaintiffs to the case and participate in discovery. At the close of discovery, the employer can then move to decertify the conditionally certified collective action, and prove the employees are not similarly situated with the benefit of discovery and evidence.

Second, in Campbell v. City of Los Angeles, 903 F.3d 1090, 1114 (9th Cir. 2018),the Ninth Circuit adopted a variation of the Lusardi two-step approach but also required the plaintiff to show he or she is similarly situated to his or her fellow employees in “some material aspect of their litigation” and not just similar in some sort of irrelevant way, but the plaintiff may rely on mere allegations to make that showing.

Third, the Fifth Circuit in Swales v. KLLM Transp. Servs., LLC, 985 F.3d 430, 443 (5th Cir. 2021), rejected Lusardi’s two-step approach outright, and required its district courts to “rigorously enforce” the FLSA’s similarity requirement at the outset of the litigation in a one-step approach. “[T]he district court needs to consider all of the available evidence” at the time the motion is filed and decide whether the plaintiff has “met [his or her] burden of establishing similarity.” Id. at 442-43.

Fourth, the Sixth Circuit in Clark v. A&L Homecare & Training Ctr., LLC, 68 F.4th 1003 (6th Cir. 2023), adopted a comparable standard to Swales requiring the employee to show a “strong likelihood” that others are similarly situated to him or her before the district court can send notice, but leaving open the possibility of the employer filing a motion for decertification down the line. Clark, 68 F.4th at 1011.

Fifth, the Seventh Circuit in Richards, et al. v. Eli Lilly & Co, et al., 149 F.4th 901 (7th Cir. 2025), rejected the Lusardi framework but declined to go as far as Clark or Swales. Instead, the Seventh Circuit approach requires “a plaintiff must first make a threshold showing that there is a material factual dispute as to whether the proposed collective is similarly situated” to secure notice and an employer “must be permitted to submit rebuttal evidence” for the court to consider. Richards, 149 F.4th at 913. But, there is not a bright line rule as to whether the court should decide the similarly situated question in a one or two step approach as the analysis is not an “all-or-nothing determination.” Id. at 913-914.

Sixth, as correctly noted by counsel for Cracker Barrel, the U.S. Courts of Appeal for the D.C., Fourth, and Eighth Circuits have not yet opined on the proper interpretive method, leaving their district courts free to choose among the available options.

Duane Morris Class Action Review Citations

It should go without saying that these issues are complicated, and employers are looking to experienced practitioners to help them navigate this procedural morass. For that reason, both petitioners and the amici curiae turned to the Duane Morris Class Action Review, and its authors, as the authoritative source in support of their petitions.

The first citation is found in Eli Lilly’s petition for writ of certiorari, which cites Avalon Zoppo, Circuit Split Widens on Judicial Approach to Sending FLSA Collective Action Notices, Nat. L. J. (Aug. 11, 2025), regarding the proper interpretation of Richards, following the Seventh Circuit’s decision in that case. In that article, Gerald L. Maatman, Jr., Chair of the Duane Morris Class Action Defense Group, stated “[t]he [Seventh Circuit’s] holding is going to reverberate and have a huge impact on wage and hour litigation throughout the United States.”

The second citation can be found in Cracker Barrel’s petition, following the Ninth Circuit’s holding in Harrington, which cites directly to the Duane Morris Class Action Review for varying conditional certification rates under this patchwork quilt of legal standards. Indeed, in the 2024 and 2025 editions of the Duane Morris Class Action Review, our analysis showed that: (1) the federal circuit courts that follow or acquiesce to Lusardi grant conditional certification at rates of 84%; (2) the Ninth Circuit grants conditional certification at rates of approximately 71% under the lenient-plus approach; and (3) the remaining Fifth, Sixth, and Seventh Circuits, with varied stricter standards, granted certification at rates approximating 67%. The petition further noted our finding that only approximately 10% of conditionally certified FLSA collective actions reach the decertification stage.

The third citation is found in the U.S. Chamber of Commerce and the CHRO Association’s amicus brief which relies on the Duane Morris Class Action Review for the proposition that “motions for conditional certification . . . are granted in a large majority of [FLSA] cases.” Looking at the statistics, the amici highlight “[i]n 2024, district courts granted 80% of motions seeking court-ordered notice” with “Plaintiffs enjoy[ing] similar success in past years”

These U.S. Supreme Court practitioners and defense counsel are not alone as others refer to the Duane Morris Class Action Review as “the Bible” on class action litigation. It is also relied on by some of the world’s largest plaintiffs’ firms and federal judges, see, e.g., Laverenz v. Pioneer Metal Finishing, LLC, 746 F. Supp. 3d 602, 614 (E.D. Wis. 2024). The Duane Morris Class Action Review is the “one stop shop” and authoritative source on collective action certification rates, collective action trends and analysis, and the implications, pressures, and contours that parties face when engaged in FLSA collective action litigation.

Implications For Employers

Although the petitioners are still briefing their petitions, it is clear that the myriad approaches adopted by the federal circuit courts are ripe for some clarity from the U.S. Supreme Court, which would hopefully provide a roadmap for district courts to assess collective actions uniformly.

Further, the framework for when and how to send notice under Section 216(b) are not the only issues presented by these petitions. Eli Lilly expressly invited the U.S. Supreme Court to overturn Hoffman-La Roche, Inc. v. Sperling, 493 U.S. 165 (1989) and plaintiff-appellee in Harrington would also have the high court decide whether Bristol-Myers Squibb Co. v. Sup. Ct. of Cal., 582 U.S. 255 (2017) applies to collective actions, which we blogged about here.

Because these questions, and many others, remain in flux and unanswered, employers should monitor this blog for updates as it is a trusted source for companies, defense counsel, plaintiffs’ firms, federal judges, and U.S. Supreme Court practitioners alike. We will be following these petitions as they unfold.

November 14, 2025November 14, 2025 by Gerald L. Maatman, Jr.

Third Circuit Affirms Dismissal Of CIPA Adtech Class Action Because A Party To A Communication Cannot Eavesdrop On Itself

By Gerald L. Maatman, Jr., Justin R. Donoho, Hayley Ryan, and Ryan Garippo

Duane Morris Takeaways: On November 13, 2025, in Cole, et al. v. Quest Diagnostics, Inc., 2025 U.S. App. LEXIS 29698 (3d Cir. Nov. 13, 2025), the U.S. Court of Appeals for the Third Circuit affirmed a ruling of the U.S. District Court for the District of New Jersey’s in dismissing a class action complaint brought by website users against a diagnostic testing company alleging that the company’s use of website advertising technology violated the California Invasion of Privacy Act (“CIPA”) and California’s Confidentiality of Medical Information Act (“CMIA”).

The ruling is significant because it confirms two important principles: (1) CIPA’s prohibition against eavesdropping does not apply to an online advertising company, like Facebook, when it directly receives information from the users’ browser; and (2) the CMIA is not triggered unless plaintiffs plausibly allege the disclosure of substantive medical information.

Background

This case is one of a legion of nationwide class actions that plaintiffs have filed alleging that third-party technologies (“adtech”) captured user information for targeted advertising. These tools, such as the Facebook Tracking Pixel, are widely used across millions of consumer products and websites.

In these cases, plaintiffs typically assert claims under federal or state eavesdropping statutes, consumer protection laws, or other privacy statutes. Because statutes like CIPA allow $5,000 in statutory damages per violation, plaintiffs frequently seek millions, or even billions, in potential recovery, even from midsize companies, on the theory that hundreds of thousands of consumers or website visitors, times $5,000 per claimant, equals a huge amount of damages. While many of these suits initially targeted healthcare providers, plaintiffs have sued companies across nearly every industry, including retailers, consumer products companies, universities, and the adtech companies themselves.

Several of these cases have resulted in multimillion-dollar settlements; others have been dismissed at the pleading stage (as we blogged about here) or at the summary judgment stage (as we blogged about here and here). Still, most remain undecided, and with some district courts allowing adtech class actions to survive motions to dismiss (as we blogged about here), the plaintiffs’ bar continues to file adtech class actions at an aggressive pace.

In Cole, the plaintiffs alleged that the defendant diagnostic testing company used the Facebook Tracking Pixel on both its general website and its password-protected patient portal. Id. at *1-2. According to the plaintiffs, when a user accessed the general website, the Pixel intercepted and transmitted to Facebook “the URL of the page requested, along with the title of the page, keywords associated with the page, and a description of the page.” Id. at *2-3. Likewise, when a user accessed the password-protected website, the Pixel allegedly transmitted the URL “showing, at a minimum, that a patient has received and is accessing test results.” Id. at *3.

Plaintiffs asserted that these transmissions constituted (1) a CIPA violation because the company supposedly aided Facebook in “intercepting” plaintiffs’ internet communications, and (2) a CMIA violation because the company allegedly disclosed URLs associated with webpages plaintiffs accessed to view test results along with plaintiffs’ identifying information linked to users’ Facebook accounts. Id. at *3.

The company moved to dismiss, and, in separate orders, the district court dismissed both claims. See 2024 U.S. Dist. LEXIS 116350; 2025 U.S. Dist. LEXIS 7205.

As to the CIPA claim, the district court found that CIPA “is aimed only at ‘eavesdropping, or the secret monitoring of conversations by third parties,’” and that Facebook was not a third party because it received information directly from plaintiffs’ browsers about webpages they visited. 2025 U.S. Dist. LEXIS 7205, at *7-8 (quoting In Re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 140-41 (3d Cir. 2015)). As to the CMIA claim, the district court found that plaintiffs alleged only that the company disclosed that a patient accessed test results but not what kind of medical test was done or what the results were. 2024 U.S. Dist. LEXIS 116350, at *15. Accordingly, the district court held that plaintiffs failed to allege the disclosure of “substantive” medical information as required under the CMIA. Id.

Plaintiffs appealed both rulings.

The Court’s Decision

The Third Circuit affirmed. Id. at *1.

On the CIPA claim, the Third Circuit explained that “[a]s a recipient of a direct communication from Plaintiffs’ browsers, Facebook was a participant in Plaintiffs’ transmissions such that [the company] did not aid or assist Facebook in eavesdropping on or intercepting such communications, even if done without the users’ knowledge.” 2025 U.S. App. LEXIS 29698, at *6. With no eavesdropping, “Plaintiffs’ CIPA claim was properly dismissed.” Id. at *7.

On the CMIA claim, the Third Circuit explained that “at most, Plaintiffs alleged that [the company] disclosed Plaintiffs had been its patients, which is not medical information protected by CMIA.” Id. at *8. Thus, the Third Circuit held that the district court properly dismissed the CMIA claim. Id. at *9.

Implications For Companies

Cole offers strong precedent for any company defending adtech class action claims (1) brought under CIPA’s eavesdropping provision where the third-party adtech company directly receives the information from users’ browsers and (2) brought under the CMIA where the alleged disclosure merely shows that a person was a patient, without revealing any substantive information about the person’s medical condition or test results.

The latter point continues to appear across adtech class actions. Just as the plaintiffs in Cole failed to plausibly allege the disclosure of substantive medical information, courts have dismissed similar claims where plaintiffs allege disclosure of protected health information (“PHI”) without actually identifying what PHI was supposedly shared (as we blogged about here). These decisions reinforce that adtech plaintiffs must identify the specific medical information allegedly disclosed to plausibly plead claims under the CMIA or for invasion of privacy.

November 4, 2025 by Gerald L. Maatman, Jr.

New York State (Court) Of Mind: New York Federal Court Remands Allstate Data Breach Case To State Court For Lack Of Federal Question Jurisdiction

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Elizabeth G. Underwood

Duane Morris Takeaways: On October 28, 2025, Judge Lewis A. Kaplan of the U.S. District Court for the Southern District of New York granted the People of the State of New York’s (the “State”) motion to remand in New York v. Nat’l Gen. Holdings Corp., No. 25 Civ. 03608, 2025 U.S. Dist. LEXIS 212731 (S.D.N.Y. Oct. 28, 2025). The State alleged that National General Holdings Corporation violated various state laws related to data protection programs and notifications to affected individuals when data breaches in 2020 and 2021 exposed the corporation’s customer information. This case reinforces the concept that a plaintiff is indeed the master of the complaint and can strategically craft their complaint to ensure that a case is litigated in state court.

Case Background

The State sued Allstate Insurance Company when one of its units, National General Holdings Corporation (the “Defendants”), was involved in two data breaches in 2020 and 2021, exposing nearly 200,000 consumers’ drivers’ license numbers to hackers. The State alleged that the Defendants failed to protect customers’ sensitive information and did not inform customers that their data was stolen.

Importantly, the complaint did not assert any cause of action under federal law. Instead, the complaint alleged that the Defendants violated three federal statutes, including the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). The State brought the action against the defendants pursuant to New York State General Business Law (“GBL”) §§ 349, 350, 899-aa, and 899-bb, and New York Executive Law § 63(12).

Based on the inclusion of allegations that they violated federal law, the Defendants removed the action to the U.S. District Court for the Southern District of New York pursuant to 28 U.S.C. §§ 1331 and 1441, invoking the Court’s ability to decide a federal question. The State, however, moved to remand the case and for attorney’s fees incurred due to the removal.

Magistrate Judge Robert Lehrburger concluded in a report and recommendation that the Court lacked federal subject matter jurisdiction to hear the case because the causes of action (1) were not created by federal law and (2) did not satisfy the standard set forth in Gunn v. Minton, 568 U.S. 251 (2013), and Grable & Songs Metal Products, Inc. v. Darue Engineering & Manufacturing, 545 U.S. 308 (2005) (the “Gunn-Grable” test). ECF 55. Under the Gunn-Grable test, federal question jurisdiction exists only when a federal issue is “(1) necessarily raised, (2) actually disputed, (3) substantial, and (4) capable of resolution in federal court without disrupting the federal-state balance approved by Congress.” Gunn, 568 U.S. at 258.

In his report and recommendation, Magistrate Judge Lehrburger determined that the third element as to whether a federal issue was “substantial” was not satisfied. This inquiry looks to “the importance of the issue to the federal system as a whole,” not just the issues of one case. Id. at 260. In this case, the Defendants argued that the substantiality requirement was met because of the substantial federal interests in data privacy and national security; however, Magistrate Judge Lehrburger found these arguments were unpersuasive and recommended that the Court remand the case but not award attorney’s fees to the State.

The Court’s Opinion

In an opinion written by Judge Lewis Kaplan, the Court agreed with Magistrate Judge Lehrburger’s reasoning and held that the case did not pass the Gunn-Grable test.

The Court determined that Magistrate Judge Lehrburger correctly rejected the Defendants’ argument that the State’s claims satisfy the Gunn-Grable test as to the “substantiality” element. First, the Court found that the Defendants’ argument as to whether the New York State Attorney General had the authority to enforce the federal GLBA was “entirely inapt” because the complaint did not allege any GLBA claims. Nat’l Gen. Holdings Corp., 2025 U.S. Dist. LEXIS 212731, at *3. Second, the Court held that the federal government’s interest in data privacy was insufficient to meet the Gunn-Grable test. Third, the Court determined that the federal law questions implicated by the state law claims, including whether defendants are insulated from liability under state law if the defendants’ data protection programs and data breach notification procedures were in compliance with federal law, “are inherently fact-intensive and therefore likely would not provide guidance in future cases.” Id. at *4.

Moreover, the Court also rejected the Defendants’ argument that whether the GLBA preempts the New York Attorney General from bringing the state law claims is a substantial federal question, reasoning that the question was not “necessarily raised” and that preemption is an affirmative defense that may not serve as the basis for subject-matter jurisdiction. Id. at 4–5. Finally, the Court held that none of the three exceptions to the well-pleaded complaint rule applied because the Defendants did not assert the first two exceptions, and the third exception would have had to pass the Gunn-Grable test, which it did not.

Implications For Companies

Nat’l Gen. Holdings Corp. serves as a cautionary reminder of the uphill battles that corporate defendants often face to remove to and then keep bet-the-company litigation in federal court.

Although it is not uncommon for a corporation to prefer “federal courts because it fears a corporate defendant . . . will not get a fair trial in state court,” the road to get there is not always guaranteed. See, e.g., Hosein v. CDL West 45th Street, LLC, No. 12 Civ. 06903, 2013 WL 4780051, at *3 (S.D.N.Y. June 12, 2013). As on display here, the Nat’l Gen. Holdings Corp. opinion shows that corporate defendants may not even get to litigate in a federal forum even when there are allegations that they violated federal law.

As a result, corporate counsel should be aware that relying on a state law claim involving an embedded federal issue, as the basis for federal subject-matter jurisdiction, may not be successful in 100% of cases, but it may be worth a chance to attempt to remove the case to federal court if it is the company’s only opportunity to obtain a fair trial.

October 20, 2025October 20, 2025 by Gerald L. Maatman, Jr.

U.S. Supreme Court Takes Up The Transportation Worker Exemption Again

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Ryan T. Garippo

Duane Morris Takeaways: On October 20, 2025, in Flower Foods, et al. v. Brock, No. 23-0936 (U.S.), the U.S. Supreme Court granted a writ of certiorari to decide whether last-mile delivery drivers are considered transportation workers, and thus exempt under the Federal Arbitration Act (the “FAA”), when the driver’s route is purely intrastate.

The decision will have sweeping implications for logistics companies and any business employing delivery drivers across the country.

Case Background

Flower Foods, Inc. (“Flower Foods”) operates one of the largest bakery companies in the United States. Under Flower Foods’ business model, the company contracts with independent distributors who purchase the rights to distribute products in specific territories. The delivery-driver distributors “stock shelves, maintain special displays, and develop and preserve positive customer relations.” Brock v. Flower Foods, Inc., 121 F. 4th 753, 757 (10th Cir. 2024). Flower Foods “produces and markets the baked goods.” Id.

Flower Foods delivers the products it produces, via these delivery-driver distributors, who are classified as independent contractors under the Fair Labor Standards Act (the “FLSA”). These products are usually produced in out-of-state bakeries, but then shipped to a local warehouse, where the local delivery driver picks them up to sell retail stores. This process is more commonly known as “last-mile delivery.” Plaintiff Angelo Brock (“Plaintiff or “Brock”), through his company Brock, Inc., was one of those delivery drivers. When Brock started delivering Flower Foods’ products, he entered into a Distributor Agreement that contained a “Mandatory and Binding Arbitration” clause, which required nearly all disputes to be arbitrated under the FAA. Id. at 758.

Nonetheless, Brock filed a putative collective and class action under the FLSA, and Colorado labor law, claiming that Flower Foods misclassified him and other delivery-driver distributors as independent contractors. As a result, Flower Foods moved to compel arbitration, but the U.S. District Court for Colorado denied its request. The District Court concluded that Brock fell within the ‘‘transportation workers exemption” of the FAA, which exempts transportation workers engaged in interstate commerce from arbitration. The District Court reasoned that, although Brock did not cross state lines, he ‘‘actively engaged in the transportation of [the company’s] products across state lines into Colorado” and thus was covered by the exemption. Id. at 759. Flower Foods appealed that decision to the U.S. Court of Appeals for the Tenth Circuit.

The Lower Court Opinion

On appeal, and on November 12, 2024, Judge Gregory Phillips, writing for the U.S. Court of Appeals for the Tenth Circuit, affirmed the District Court’s decision that delivery-driver distributors were exempt from the FAA. Judge Phillips explained that, although Brock’s routes were entirely within Colorado, a transportation worker need not cross state lines to qualify for the exemption. Instead, individuals qualify as transportation workers if they play a direct and necessary role in the interstate flow of goods.

Relying on decisions from the First and Ninth Circuits, which also concluded “that last-mile delivery drivers . . . who make the last intrastate leg of an interstate delivery route . . . are directly engaged in interstate commerce,” the Tenth Circuit reached the same conclusion. Id. at 762. The Tenth Circuit explained that “[b]oth [other] circuits focused on whether the goods moved in a continuous interstate journey or as part of multiple independent transactions.” Id. Thus, the flow of interstate commerce did not stop when “Brock start[ed] the interstate delivery process by placing orders for products produced in out-of-state bakeries” and Flower Foods “deliver[ed] the products to the agreed-upon warehouse,” only for Brock to “load the products at the warehouse onto his vehicle and deliver[] the goods to retail stores on his intrastate delivery route” within one day. Therefore, Brock and other delivery-driver distributors were exempt under the FAA even though they did not cross state lines. But, Flower Foods decided to ask the U.S. Supreme Court to take a third look at the issue.

On October 20, 2025, the U.S. Supreme Court agreed to hear the case, without a making any other comment, in its two-word order holding “certiorari granted.”

In some ways, this decision is not surprising as the U.S. Supreme Court has decided two recent cases under the transportation worker exemption: Sw. Airlines Co. v. Saxon, 596 U.S. 450 (2022), and Bissonnette v. LePage Bakeries Park St., LLC, 601 U.S. 246 (2024). The decision in Brock, however, is poised to be the most impactful of all three of the cases.

Implications For Employers

The importance of the ultimate decision in Brock cannot be overstated. In both Saxon and Bissonnette, the U.S. Supreme Court dramatically expanded the reach of the transportation worker exemption making it increasingly difficult for employers to move to compel arbitration in class and collective actions brought by workers in logistics-adjacent positions

If workers who engage in wholly intrastate commerce fall within the exemption’s reach, it may require a fundamental re-structuring of many employers’ arbitration programs. In contrast, if these workers and independent contractors are not exempt from the requirements of the FAA, then employers may finally be able to rest easy knowing that their arbitration defenses remain viable for at least a portion of their workforce.

Although only time will tell what the U.S. Supreme Court will decide, corporate counsel should follow this blog for updates because the authors will be watching this case closely. Oral arguments are likely to occur during Fall 2025 and a decision will follow in Spring 2026.

October 2, 2025October 2, 2025 by Gerald L. Maatman, Jr.

North Carolina Federal Dismisses Class Action Based On No Injury Stemming From Bojangles Data Breach

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Andrew P. Quay

Duane Morris Takeaways: On September 30, 2025, in Dougherty, et al. v. Bojangles’ Restaurants, Inc., No. 25-CV-00065, 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sept. 30, 2025), Judge Kenneth D. Bell of the U.S. District Court for the Western District of North Carolina dismissed a class action alleging violations of numerous state torts and the North Carolina Unfair and Deceptive Trade Practices Act following an alleged cyberattack on Bojangles. The Court held the former employees of the fast-food chain failed to plausibly allege a concrete injury, and therefore, lacked Article III standing. The Court reasoned that Plaintiffs’ theory of an “ongoing threat of identity theft” without any actual harm was not enough to sustain a concrete injury.

The decision illustrates that the mere possibility of future harm, without any actual harm, is not enough to plausibly allege an injury-in-fact for purposes of Article III standing. Further, building on U.S. Supreme Court precedent, the decision highlights the requirements of traceability where plaintiffs cannot identify any harm connected to the transfer of personal information to a data breach defendant.

Case Background

Bojangles Restaurants, Inc. (“Bojangles”) was the alleged victim of a cyberattack in February 2024. Id. at *5. In November of that same year, Bojangles sent a notice to those who may have been impacted, stating “that certain files were viewed and downloaded by an unknown actor between February 19, 2024 and March 12, 2024.” Id.

In January 2025, after receiving the notice from Bojangles, Alexis Dougherty and eight other former employees (“Plaintiffs”), filed a putative class action complaint against Bojangles. Id. at *2. Plaintiffs alleged that Bojangles gathers various types of sensitive information from its employees, including names, addresses, Social Security numbers, driver’s license information, etc., and that Bojangles failed to implement “reasonable cybersecurity safeguards or protocols.” Id. at *4-5. Notably, however, Plaintiffs did not identify any sensitive information they provided to Bojangles, except for some Plaintiffs who alleged they provided their Social Security number or that Bojangles’ notice identified their Social Security number. Id. at *6.

Plaintiffs asserted two different theories of injury. Eight of the nine Plaintiffs did not allege any identity theft or data misuse; rather, they claimed injury based on “the threat of harm” from a potential sale of their information on the Dark Web, an uptick in spam calls, “diminution in value” of their personal information, time spent mitigating the potential impacts of the cyberattack, and emotional distress. Id. The remaining plaintiff alleged fraudulent charges on his debit card but did not allege that he provided the card number to Bojangles as part of his employment. Id. at *6.

Bojangles moved to dismiss for lack of subject-matter jurisdiction and for failure to state a claim upon which relief can be granted. Bojangles argued that eight of the Plaintiffs failed to allege a concrete injury without an actual misuse of their personal information, and that the remaining plaintiff’s alleged debit card fraud is not fairly traceable to the data breach.

The Court’s Opinion

In a 10-page opinion, Judge Kenneth D. Bell granted Bojangles’ motion to dismiss for lack of subject-matter jurisdiction without reaching the merits of Plaintiffs’ claims.

The Court held that Plaintiffs failed to plausibly allege Article III standing. Judge Bell explained that Plaintiffs’ allegations “only describ[e] the possibility of future harm that is inherent in every data security incident, but cannot support the Article III standing necessary to pursue a federal lawsuit.” Id. at *7. There was no dispute that Plaintiffs’ personal information may have been impacted by the data breach, but the potential threat of resulting damages failed to plausibly allege a concrete injury that is fairly traceable to the data breach. Id. at *6-7.

The U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), governed the opinion. There, the named plaintiff on behalf of a putative class alleged that TransUnion, a credit reporting agency, violated the Fair Credit Reporting Act by failing to use reasonable procedures before placing a misleading alert in his credit file that labeled him as a potential terrorist, among other comparable threats. Id. at 419-21. The Supreme Court held that only class members whose credit reports had been provided to third-party businesses had suffered a concrete injury, and that the mere existence of misleading alerts in one’s own credit file did not cause such an injury. Id. at 417, 435.

Applying TransUnion to the facts at hand, Judge Bell reasoned that “Plaintiffs’ allegations of harm as a consequence of the Data Breach fall squarely in the ‘might be a problem’ rather than the ‘is already a problem’ category.” Dougherty, 2025 U.S. Dist. LEXIS 194879,at *12. Therefore, Plaintiffs’ theory of an ongoing threat of identity theft or other data misuse failed to plausibly allege any actual harm, such as an attempt to open credit card accounts or otherwise steal information. Id. at *12-13. Further, most of the Plaintiffs did not identify any personal information that they personally provided to Bojangles, defeating any traceability argument. Judge Bell similarly dismissed Plaintiffs’ varied attempts to establish standing based on an uptick in spam calls, diminution in value of personal information, time spent mitigating the “potential impact” of the data breach, and emotional distress. Id. at 13-14. None of these harms constitute a concrete injury.

Judge Bell also dismissed the claims of the one Plaintiff who allegedly noticed fraudulent charges on his debit card, because he did not allege those charges were fairly traceable to the breach. Because the Plaintiff did not allege that he provided his debit card number to Bojangles as part of his employment, there was no way to connect those charges to the alleged breach. Thus, although those charges may constitute an injury-in-fact, they were insufficient on traceability grounds.

Implications For Companies

Dougherty illustrates the pleading requirements established in TransUnion, and the powerful tool that they can be in dismantling a nationwide data breach class action.

What’s more, the court in Dougherty seemed to take for granted that every class member must suffer an actual injury for each of their claims, even at the pleading stage in the litigation. Id. at *9 (“Therefore, following TransUnion, it is clear that to recover damages from Defendant, every class member must have Article III standing for each claim that they press requiring proof that the challenged conduct caused each of them a concrete harm”) (quotations omitted). This signal may be a favorable sign that Judge Bell agrees with the “sleeping lion” noted by Justice Kavanaugh in Lab. Corp. of Am. Holdings v. Davis, 605 U.S. 327 (2025) – i.e., whether “a federal court may . . . certify a damages class that includes both injured and uninjured members.” Id. at 328 (Kavanaugh, J., dissenting). For now, however, the Court left that issue until another day.

Nonetheless, if corporate counsel’s organizations are facing a class action seeking damages stemming from an alleged data breach, corporate counsel should consider their ability to attack Article III standing on all fronts, not only as to the named plaintiffs, but also as to the class. If successful, other organizations may be able to make an early exit from a data breach class action on the theory that plaintiffs cannot plausibly allege an actual injury from the future possibility of their data misuse, much like the defendant in Dougherty.

September 10, 2025 by Gerald L. Maatman, Jr.

New York Federal Court Dismisses Adtech Class Action Because No Ordinary Person Could Identify Web User

By Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Ryan Garippo

Duane Morris Takeaways: On September 3, 2025, in Golden v. NBCUniversal Media, LLC, No. 22-CV-9858, 2025 WL 2530689 (S.D.N.Y. Sept. 3, 2025), Judge Paul A. Engelmayer of the U.S. District Court for the Southern District of New York granted a motion to dismiss with prejudice for a media company on a claim that the company’s use of website advertising technology on its website violated the Video Privacy Protection Act (“VPPA”). The ruling is significant as it shows that in the explosion of adtech class actions across the nation seeking millions or billions of dollars in statutory damages under not only the VPPA but also myriad other statutes providing for statutory penalties on similar theories that the website owner disclosed website activities to Facebook, Google, and other advertising agencies, the statute and its harsh penalties should not be triggered because no ordinary person could access and decipher the information transmitted.

Background

This case is one of a multiplying legion of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web-browsing activity and sent it to Meta, Google, and other online advertising agencies.

This software, often called website advertising technology or “adtech,” is a common feature on corporate, governmental, and other websites in operation today. In adtech class actions, the key issue is often a claim brought under the VPPA, a federal or state wiretap act, a consumer fraud act, and even the Illinois Genetic Information Privacy Act (GIPA), because plaintiffs often seek millions (and sometimes even billions) of dollars, even from midsize companies, on the theory that hundreds of thousands of website visitors, times $2,500 per claimant in statutory damages under the VPPA, for example, equals a huge amount of damages. Plaintiffs have filed the bulk of these types of lawsuits to date against healthcare providers, but they also have filed suits against companies that span nearly every industry including retailers, consumer products, and universities. Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, the vast majority remain undecided, and especially with some district courts being more permissive than others in allowing adtech class actions to proceed beyond the motion to dismiss stage (as we blogged about here), the plaintiffs’ bar continues to file adtech class actions at an alarming rate.

In Golden, the plaintiff brought suit against a media company. According to the plaintiff, she signed up for an online newsletter offered by the media company and, thereafter, visited the media company’s website, where she watched videos. Id. at *2-4. The plaintiff further alleged that, after she watched those videos, her video-watching history was sent to Meta without her permission via the media company’s undisclosed use of the Meta Pixel on its website. Id. Like plaintiffs in most adtech class action complaints, this plaintiff: (1) alleged that before the company sent the web-browsing data to the online advertising agency (e.g., Meta), the company encrypted the data via the secure “https” protocol (id., ECF No. 56 ¶ 45); and (2) did not allege that any human had her encrypted web-browsing data or could retrieve it from the advertising agency’s algorithms or that even the advertising agency, or any other entity or person, has her web-browsing data stored or could retrieve it from the advertising agency’s algorithms in a decrypted (readable) format. Based on the plaintiffs’ allegations, the plaintiff alleged a violation of the VPPA.

The media company moved to dismiss under Rule 12(b)(6), arguing that the media company did not adequately allege that the media company “disclosed” the plaintiff’s “personally identifiable information” (“PII”), defined under the VPPA as “information which identifies a person as having requested or obtained specific video materials or services….” Id., 2025 WL 2530689, at *5-6.

The Court’s Decision

The Court agreed with the media company and held that the plaintiff failed plausibly to plead any unauthorized “disclosure.”

As the Court explained, “PII, under the VPPA, has three distinct elements: (1) the consumer’s identity, (2) the video material’s identity, and (3) the connection between them.” Id. at *6. Moreover, PII “encompasses information that would allow an ordinary person to identify a consumer’s video-watching habits, but not information that only a sophisticated technology company could use to do so.” Id. (emphasis in original). Therefore, “to survive a motion to dismiss, a complaint must plausibly allege that the defendant’s disclosure of information would, with little or no extra effort, permit an ordinary recipient to identify the plaintiff’s video-watching habits.” Id. For these reasons, explained the Court, the Second Circuit has “effectively shut the door for Pixel-based VPPA claims.” Id. at *7 (citing Hughes v. National Football League, 2025 WL 1720295 (2d Cir. June 20, 2025)).

Applying these standards, the Court dismissed the plaintiff’s VPPA claim with prejudice, holding that, “[i]n short, because the alleged disclosure could not be appreciated — decoded to reveal the actual identity of the user, and his or her video selections — by an ordinary person but only by a technology company such as Facebook, it did not amount to PII.” Id. at *6-7. In so holding, the Court cited an “emergent line of authority” shutting the door on VPPA claims not only in the Second Circuit but also in other U.S. Courts of Appeal. See In Re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 283 (3d Cir. 2016) (affirming dismissal of VPPA case involving the use of Google Analytics, stating, “To an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person”); Eichenberger v. ESPN, Inc., 876 F.3d 979, 986 (9th Cir. 2017) (affirming dismissal of VPPA case because “an ordinary person could not use the information that Defendant allegedly disclosed [a device serial number] to identify an individual”).

Implications For Companies

The Court’s holding in Golden is a win for adtech class action defendants and should be instructive for courts around the country addressing adtech class actions brought under not only the VPPA, but also other statutes prohibiting “disclosures,” and the like. These statutes should be interpreted similarly to require proof that an ordinary person could access and decipher the web-browsing data, identify the person, and link the person to the data.

Consider a few examples. A GIPA claim requires proof of a disclosure or a breach of confidentiality and privilege. An eavesdropping claim under the California Information of Privacy Act (CIPA) § 632 requires proof of eavesdropping. A trap and trace claim under CIPA § 638.51 requires proof that the data captured is reasonably likely to identify the source of the data. A claim under the Electronic Communications Privacy Act (ECPA) requires proof of an interception.

When adtech sends encrypted, inaccessible, anonymized transmissions to the advertising agency’s algorithms, has there been any disclosure or breach of confidentiality and privilege (GIPA), eavesdropping (CIPA § 632), data capture reasonably likely to identify the source (CIPA § 638.51), or interception (ECPA)? Just as adtech transmissions are insufficient to amount to a disclosure under the VPPA, Golden shows neither should adtech transmissions trigger these similarly worded statutes because no ordinary person could access and decipher the data transmitted.

September 2, 2025September 2, 2025 by Gerald L. Maatman, Jr.

Virginia Federal Court Slices Away Out-of-State FLSA Claims Against Pizza Company

By Gerald L. Maatman, Jr., Anna Sheridan, and Ryan T. Garippo

Duane Morris Takeaways: On August 22, 2025, in Shamburg, et al. v. Ayvaz Pizza, LLC, et al., No. 24-CV-00098, 2025 WL 2431652 (W.D. Va. Aug. 22, 2025), Judge Jasmine Yoon of the U.S. District Court for the Western District of Virginia partially dismissed a proposed nationwide collective action brought by pizza delivery drivers. Although Plaintiff Chandler Shamburg (“Plaintiff” or “Shamburg”), and other plaintiffs, asserted nationwide Fair Labor Standards Act (“FLSA”) and state law claims from multiple jurisdictions, the Court dismissed nearly all of them for lack of personal jurisdiction. This ruling reinforces the growing trend of federal courts willing to apply the Due Process Clause’s protections to expansive FLSA collective actions and underscores the difficulty plaintiffs face in keeping sprawling, multi-state, wage claims altogether in one federal court.

Case Background

In 2024, Shamburg filed a putative class and collective action that alleged that Ayvaz Pizza (“Ayvaz”), a franchisee that “operates an unidentified number of Pizza Hut Franchise Stores within” Virginia, that is neither incorporated in nor has its principal place of business in Virginia, violated the FLSA and various state laws. Id. at *1. They also sued Ayvaz’s owner, Shoukat Dhanani, for this conduct as well. Id.

Shamburg (and, ultimately several other plaintiffs) alleged that both himself, and other drivers, were “required to use their own cars, ensure their cars were legally compliant, pay car-related costs including gasoline expenses, maintenance and part costs, insurance, financing charges, and licensing and registration costs, pay storage costs, cell phone costs, and data charges, and pay for other necessary equipment.” Id. As a result, Shamburg and the out-of-state plaintiffs alleged that their hourly rate of pay dropped below the FLSA’s minimum wage guarantee because these expenses were “kicked back” to Ayvaz. Id. at *1-2. They also brought seventeen state law claims that “assert causes of action from seven different states and invoke both state statutory and common law.” Id. at *8.

But, Ayvaz was no stranger to these issues. It was also recently sued in Garza, et al. v. Ayvaz Pizza, LLC, No. 23-CV-01379 (S.D. Tex.), and Stotesbery, et al. v. Muy Pizza-Tejas, LLC, et al., No. 22-CV-01622 (D. Minn.), based on similar allegations. Based on the existence of these prior two actions, and the presence of the out-of-state plaintiffs’ claims, Ayvaz and its owner moved to dismiss based on lack of personal jurisdiction (both general and specific), lack of supplemental jurisdiction, and the first-to-file doctrine. Judge Yoon’s decision followed.

The Court’s Ruling

In general, Judge Yoon’s decision was split into four discrete parts — each addressing whether the Court could exercise various forms of jurisdiction over Ayvaz and its owner. For the most part, the Court declined each type of jurisdiction.

General Personal Jurisdiction & Out-Of-State Plaintiffs

First, although it was uncontested that Ayvaz was neither incorporated in nor headquartered out of Virginia, Plaintiffs argued that Ayvaz was subject to general personal jurisdiction in Virginia based on the U.S. Supreme Court’s decision in Mallory v. Norfolk Southern Railway Co., 600 U.S. 122 (2023). In Mallory, the U.S. Supreme Court held that Due Process does not prohibit “a State from requiring an out-of-state corporation to consent to personal jurisdiction to do business there.” Id. at 127. Like the Pennsylvania statute at issue in Mallory, Virginia also has “an out-of-state business registration statute.” Shamburg¸ 2025 WL 2431652, at *5.

Judge Yoon, however, reasoned that “unlike Pennsylvania, Virginia law does not require the out-of-state business to condition its registration on submitting to general personal jurisdiction” consistent with the decisions of several other district courts. Id. Thus, the Court “conclude[d] that, absent explicit consent to jurisdiction in Virginia’s business registration statute” it could not exercise general personal jurisdiction over Ayvaz or its owner.

Specific Jurisdiction & Out-Of-State Plaintiffs

Second, the Court addressed the out-of-state plaintiffs’ argument that the Court could exercise specific personal jurisdiction over Ayvaz as to the out-of-state plaintiffs but disagreed. Judge Yoon weighed in on the pending circuit split regarding the applicability of Bristol-Myers Squibb v. Superior Court, 582 U.S. 255 (2017), to FLSA collective actions. The Third, Sixth, Seventh, Eighth and Ninth Circuits hold that Bristol-Myers applies, whereas the First Circuit stands alone and holds otherwise.

Judge Yoon agreed with “the approach taken by the majority of the Courts of Appeals” and held each plaintiff “must present independent, sufficient bases for the exercise of the court’s specific jurisdiction over that claim.” Id. at *6. Similarly, because none of the plaintiffs alleged facts related to the owner’s minimum contacts with Virginia “beyond the fact that Ayvaz is registered to do business in Virginia and operates an unidentified number of Pizza Hut Franchise Stores,” their claims could not proceed against him either.

The Seventeen State Law Counts

Third, having dismissed the out-of-state plaintiffs’ claims, Judge Yoon declined to exercise supplemental jurisdiction over the seventeen state law counts. The Court observed that “the presence of more subclasses (eight) than states (seven) provides evidence of both complexity and the lack of commonality” that show that the state law claims “would substantially predominate over the FLSA claim.” Id. at *8. The court dismissed those claims without prejudice, leaving only the FLSA claims brought by Virginia-based employees.

The First-To-File Doctrine

Fourth and finally, the Court declined Ayvaz’s request to dismiss the case under the “first-to-file” doctrine due to the existence of the earlier filed suits in Garza and Stotesbury. The first-to-file rule allows a federal court to decline jurisdiction when a substantially similar lawsuit involving the same parties and issues is already pending in another court. Id. at *10. But, the court concluded that the “putative classes and respective issues” in the two prior suits differ enough that the first-to-file rule should not be applied. Id. at *12.

Indeed, “Stotesbery, by design, includes an FLSA claim limited to those who work in Minnesota” and thus did not overlap based on the Court’s ruling. Id. And, the Court declined to apply the first-to-file doctrine to Garza because the “case was settled and dismissed with prejudice” and thus was not pending at the time of the decision. Id. at *10. “Accordingly, Plaintiffs’ complaint will survive the motion to dismiss with respect to the FLSA claim for Plaintiffs who live in or work in Virginia.” Id. at *12.

Implications for Employers

The Shamburg decision demonstrates that courts are increasingly unwilling to allow out-of-state employees to anchor nationwide collective actions against employers without first affording employers certain due process protections. This growing trend prevents employers from having to defend these actions in distant and unfamiliar courts, and forces plaintiffs to bring these actions where these employers are incorporated or headquartered.

With these trends in mind, corporate counsel should continue to monitor this blog for developments because the Bristol-Myers circuit split is sure to be decided by the U.S. Supreme Court soon, and if their companies are sued in putative class and collective actions, it is better to prepared in advance for when these important issues are decided.