Ryan Garippo – Page 2 – Class Action Defense

November 14, 2025November 14, 2025 by Gerald L. Maatman, Jr.

Third Circuit Affirms Dismissal Of CIPA Adtech Class Action Because A Party To A Communication Cannot Eavesdrop On Itself

By Gerald L. Maatman, Jr., Justin R. Donoho, Hayley Ryan, and Ryan Garippo

Duane Morris Takeaways: On November 13, 2025, in Cole, et al. v. Quest Diagnostics, Inc., 2025 U.S. App. LEXIS 29698 (3d Cir. Nov. 13, 2025), the U.S. Court of Appeals for the Third Circuit affirmed a ruling of the U.S. District Court for the District of New Jersey’s in dismissing a class action complaint brought by website users against a diagnostic testing company alleging that the company’s use of website advertising technology violated the California Invasion of Privacy Act (“CIPA”) and California’s Confidentiality of Medical Information Act (“CMIA”).

The ruling is significant because it confirms two important principles: (1) CIPA’s prohibition against eavesdropping does not apply to an online advertising company, like Facebook, when it directly receives information from the users’ browser; and (2) the CMIA is not triggered unless plaintiffs plausibly allege the disclosure of substantive medical information.

Background

This case is one of a legion of nationwide class actions that plaintiffs have filed alleging that third-party technologies (“adtech”) captured user information for targeted advertising. These tools, such as the Facebook Tracking Pixel, are widely used across millions of consumer products and websites.

In these cases, plaintiffs typically assert claims under federal or state eavesdropping statutes, consumer protection laws, or other privacy statutes. Because statutes like CIPA allow $5,000 in statutory damages per violation, plaintiffs frequently seek millions, or even billions, in potential recovery, even from midsize companies, on the theory that hundreds of thousands of consumers or website visitors, times $5,000 per claimant, equals a huge amount of damages. While many of these suits initially targeted healthcare providers, plaintiffs have sued companies across nearly every industry, including retailers, consumer products companies, universities, and the adtech companies themselves.

Several of these cases have resulted in multimillion-dollar settlements; others have been dismissed at the pleading stage (as we blogged about here) or at the summary judgment stage (as we blogged about here and here). Still, most remain undecided, and with some district courts allowing adtech class actions to survive motions to dismiss (as we blogged about here), the plaintiffs’ bar continues to file adtech class actions at an aggressive pace.

In Cole, the plaintiffs alleged that the defendant diagnostic testing company used the Facebook Tracking Pixel on both its general website and its password-protected patient portal. Id. at *1-2. According to the plaintiffs, when a user accessed the general website, the Pixel intercepted and transmitted to Facebook “the URL of the page requested, along with the title of the page, keywords associated with the page, and a description of the page.” Id. at *2-3. Likewise, when a user accessed the password-protected website, the Pixel allegedly transmitted the URL “showing, at a minimum, that a patient has received and is accessing test results.” Id. at *3.

Plaintiffs asserted that these transmissions constituted (1) a CIPA violation because the company supposedly aided Facebook in “intercepting” plaintiffs’ internet communications, and (2) a CMIA violation because the company allegedly disclosed URLs associated with webpages plaintiffs accessed to view test results along with plaintiffs’ identifying information linked to users’ Facebook accounts. Id. at *3.

The company moved to dismiss, and, in separate orders, the district court dismissed both claims. See 2024 U.S. Dist. LEXIS 116350; 2025 U.S. Dist. LEXIS 7205.

As to the CIPA claim, the district court found that CIPA “is aimed only at ‘eavesdropping, or the secret monitoring of conversations by third parties,’” and that Facebook was not a third party because it received information directly from plaintiffs’ browsers about webpages they visited. 2025 U.S. Dist. LEXIS 7205, at *7-8 (quoting In Re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 140-41 (3d Cir. 2015)). As to the CMIA claim, the district court found that plaintiffs alleged only that the company disclosed that a patient accessed test results but not what kind of medical test was done or what the results were. 2024 U.S. Dist. LEXIS 116350, at *15. Accordingly, the district court held that plaintiffs failed to allege the disclosure of “substantive” medical information as required under the CMIA. Id.

Plaintiffs appealed both rulings.

The Court’s Decision

The Third Circuit affirmed. Id. at *1.

On the CIPA claim, the Third Circuit explained that “[a]s a recipient of a direct communication from Plaintiffs’ browsers, Facebook was a participant in Plaintiffs’ transmissions such that [the company] did not aid or assist Facebook in eavesdropping on or intercepting such communications, even if done without the users’ knowledge.” 2025 U.S. App. LEXIS 29698, at *6. With no eavesdropping, “Plaintiffs’ CIPA claim was properly dismissed.” Id. at *7.

On the CMIA claim, the Third Circuit explained that “at most, Plaintiffs alleged that [the company] disclosed Plaintiffs had been its patients, which is not medical information protected by CMIA.” Id. at *8. Thus, the Third Circuit held that the district court properly dismissed the CMIA claim. Id. at *9.

Implications For Companies

Cole offers strong precedent for any company defending adtech class action claims (1) brought under CIPA’s eavesdropping provision where the third-party adtech company directly receives the information from users’ browsers and (2) brought under the CMIA where the alleged disclosure merely shows that a person was a patient, without revealing any substantive information about the person’s medical condition or test results.

The latter point continues to appear across adtech class actions. Just as the plaintiffs in Cole failed to plausibly allege the disclosure of substantive medical information, courts have dismissed similar claims where plaintiffs allege disclosure of protected health information (“PHI”) without actually identifying what PHI was supposedly shared (as we blogged about here). These decisions reinforce that adtech plaintiffs must identify the specific medical information allegedly disclosed to plausibly plead claims under the CMIA or for invasion of privacy.

November 4, 2025 by Gerald L. Maatman, Jr.

New York State (Court) Of Mind: New York Federal Court Remands Allstate Data Breach Case To State Court For Lack Of Federal Question Jurisdiction

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Elizabeth G. Underwood

Duane Morris Takeaways: On October 28, 2025, Judge Lewis A. Kaplan of the U.S. District Court for the Southern District of New York granted the People of the State of New York’s (the “State”) motion to remand in New York v. Nat’l Gen. Holdings Corp., No. 25 Civ. 03608, 2025 U.S. Dist. LEXIS 212731 (S.D.N.Y. Oct. 28, 2025). The State alleged that National General Holdings Corporation violated various state laws related to data protection programs and notifications to affected individuals when data breaches in 2020 and 2021 exposed the corporation’s customer information. This case reinforces the concept that a plaintiff is indeed the master of the complaint and can strategically craft their complaint to ensure that a case is litigated in state court.

Case Background

The State sued Allstate Insurance Company when one of its units, National General Holdings Corporation (the “Defendants”), was involved in two data breaches in 2020 and 2021, exposing nearly 200,000 consumers’ drivers’ license numbers to hackers. The State alleged that the Defendants failed to protect customers’ sensitive information and did not inform customers that their data was stolen.

Importantly, the complaint did not assert any cause of action under federal law. Instead, the complaint alleged that the Defendants violated three federal statutes, including the Gramm-Leach-Bliley Act (“GLBA”), the Health Insurance Portability and Accountability Act (“HIPAA”), and the Health Information Technology for Economic and Clinical Health Act (“HITECH”). The State brought the action against the defendants pursuant to New York State General Business Law (“GBL”) §§ 349, 350, 899-aa, and 899-bb, and New York Executive Law § 63(12).

Based on the inclusion of allegations that they violated federal law, the Defendants removed the action to the U.S. District Court for the Southern District of New York pursuant to 28 U.S.C. §§ 1331 and 1441, invoking the Court’s ability to decide a federal question. The State, however, moved to remand the case and for attorney’s fees incurred due to the removal.

Magistrate Judge Robert Lehrburger concluded in a report and recommendation that the Court lacked federal subject matter jurisdiction to hear the case because the causes of action (1) were not created by federal law and (2) did not satisfy the standard set forth in Gunn v. Minton, 568 U.S. 251 (2013), and Grable & Songs Metal Products, Inc. v. Darue Engineering & Manufacturing, 545 U.S. 308 (2005) (the “Gunn-Grable” test). ECF 55. Under the Gunn-Grable test, federal question jurisdiction exists only when a federal issue is “(1) necessarily raised, (2) actually disputed, (3) substantial, and (4) capable of resolution in federal court without disrupting the federal-state balance approved by Congress.” Gunn, 568 U.S. at 258.

In his report and recommendation, Magistrate Judge Lehrburger determined that the third element as to whether a federal issue was “substantial” was not satisfied. This inquiry looks to “the importance of the issue to the federal system as a whole,” not just the issues of one case. Id. at 260. In this case, the Defendants argued that the substantiality requirement was met because of the substantial federal interests in data privacy and national security; however, Magistrate Judge Lehrburger found these arguments were unpersuasive and recommended that the Court remand the case but not award attorney’s fees to the State.

The Court’s Opinion

In an opinion written by Judge Lewis Kaplan, the Court agreed with Magistrate Judge Lehrburger’s reasoning and held that the case did not pass the Gunn-Grable test.

The Court determined that Magistrate Judge Lehrburger correctly rejected the Defendants’ argument that the State’s claims satisfy the Gunn-Grable test as to the “substantiality” element. First, the Court found that the Defendants’ argument as to whether the New York State Attorney General had the authority to enforce the federal GLBA was “entirely inapt” because the complaint did not allege any GLBA claims. Nat’l Gen. Holdings Corp., 2025 U.S. Dist. LEXIS 212731, at *3. Second, the Court held that the federal government’s interest in data privacy was insufficient to meet the Gunn-Grable test. Third, the Court determined that the federal law questions implicated by the state law claims, including whether defendants are insulated from liability under state law if the defendants’ data protection programs and data breach notification procedures were in compliance with federal law, “are inherently fact-intensive and therefore likely would not provide guidance in future cases.” Id. at *4.

Moreover, the Court also rejected the Defendants’ argument that whether the GLBA preempts the New York Attorney General from bringing the state law claims is a substantial federal question, reasoning that the question was not “necessarily raised” and that preemption is an affirmative defense that may not serve as the basis for subject-matter jurisdiction. Id. at 4–5. Finally, the Court held that none of the three exceptions to the well-pleaded complaint rule applied because the Defendants did not assert the first two exceptions, and the third exception would have had to pass the Gunn-Grable test, which it did not.

Implications For Companies

Nat’l Gen. Holdings Corp. serves as a cautionary reminder of the uphill battles that corporate defendants often face to remove to and then keep bet-the-company litigation in federal court.

Although it is not uncommon for a corporation to prefer “federal courts because it fears a corporate defendant . . . will not get a fair trial in state court,” the road to get there is not always guaranteed. See, e.g., Hosein v. CDL West 45th Street, LLC, No. 12 Civ. 06903, 2013 WL 4780051, at *3 (S.D.N.Y. June 12, 2013). As on display here, the Nat’l Gen. Holdings Corp. opinion shows that corporate defendants may not even get to litigate in a federal forum even when there are allegations that they violated federal law.

As a result, corporate counsel should be aware that relying on a state law claim involving an embedded federal issue, as the basis for federal subject-matter jurisdiction, may not be successful in 100% of cases, but it may be worth a chance to attempt to remove the case to federal court if it is the company’s only opportunity to obtain a fair trial.

October 20, 2025May 28, 2026 by Gerald L. Maatman, Jr.

U.S. Supreme Court Takes Up The Transportation Worker Exemption Again

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Ryan T. Garippo

Duane Morris Takeaways: On October 20, 2025, in Flowers Foods, et al. v. Brock, No. 23-0936 (U.S.), the U.S. Supreme Court granted a writ of certiorari to decide whether last-mile delivery drivers are considered transportation workers, and thus exempt under the Federal Arbitration Act (the “FAA”), when the driver’s route is purely intrastate.

The decision will have sweeping implications for logistics companies and any business employing delivery drivers across the country.

Case Background

Flowers Foods, Inc. (“Flowers Foods”) operates one of the largest bakery companies in the United States. Under Flowers Foods’ business model, the company contracts with independent distributors who purchase the rights to distribute products in specific territories. The delivery-driver distributors “stock shelves, maintain special displays, and develop and preserve positive customer relations.” Brock v. Flowers Foods, Inc., 121 F. 4th 753, 757 (10th Cir. 2024). Flowers Foods “produces and markets the baked goods.” Id.

Flowers Foods delivers the products it produces, via these delivery-driver distributors, who are classified as independent contractors under the Fair Labor Standards Act (the “FLSA”). These products are usually produced in out-of-state bakeries, but then shipped to a local warehouse, where the local delivery driver picks them up to sell retail stores. This process is more commonly known as “last-mile delivery.” Plaintiff Angelo Brock (“Plaintiff or “Brock”), through his company Brock, Inc., was one of those delivery drivers. When Brock started delivering Flowers Foods’ products, he entered into a Distributor Agreement that contained a “Mandatory and Binding Arbitration” clause, which required nearly all disputes to be arbitrated under the FAA. Id. at 758.

Nonetheless, Brock filed a putative collective and class action under the FLSA, and Colorado labor law, claiming that Flowers Foods misclassified him and other delivery-driver distributors as independent contractors. As a result, Flowers Foods moved to compel arbitration, but the U.S. District Court for Colorado denied its request. The District Court concluded that Brock fell within the ‘‘transportation workers exemption” of the FAA, which exempts transportation workers engaged in interstate commerce from arbitration. The District Court reasoned that, although Brock did not cross state lines, he ‘‘actively engaged in the transportation of [the company’s] products across state lines into Colorado” and thus was covered by the exemption. Id. at 759. Flowers Foods appealed that decision to the U.S. Court of Appeals for the Tenth Circuit.

The Lower Court Opinion

On appeal, and on November 12, 2024, Judge Gregory Phillips, writing for the U.S. Court of Appeals for the Tenth Circuit, affirmed the District Court’s decision that delivery-driver distributors were exempt from the FAA. Judge Phillips explained that, although Brock’s routes were entirely within Colorado, a transportation worker need not cross state lines to qualify for the exemption. Instead, individuals qualify as transportation workers if they play a direct and necessary role in the interstate flow of goods.

Relying on decisions from the First and Ninth Circuits, which also concluded “that last-mile delivery drivers . . . who make the last intrastate leg of an interstate delivery route . . . are directly engaged in interstate commerce,” the Tenth Circuit reached the same conclusion. Id. at 762. The Tenth Circuit explained that “[b]oth [other] circuits focused on whether the goods moved in a continuous interstate journey or as part of multiple independent transactions.” Id. Thus, the flow of interstate commerce did not stop when “Brock start[ed] the interstate delivery process by placing orders for products produced in out-of-state bakeries” and Flowers Foods “deliver[ed] the products to the agreed-upon warehouse,” only for Brock to “load the products at the warehouse onto his vehicle and deliver[] the goods to retail stores on his intrastate delivery route” within one day. Therefore, Brock and other delivery-driver distributors were exempt under the FAA even though they did not cross state lines. But, Flowers Foods decided to ask the U.S. Supreme Court to take a third look at the issue.

On October 20, 2025, the U.S. Supreme Court agreed to hear the case, without a making any other comment, in its two-word order holding “certiorari granted.”

In some ways, this decision is not surprising as the U.S. Supreme Court has decided two recent cases under the transportation worker exemption: Sw. Airlines Co. v. Saxon, 596 U.S. 450 (2022), and Bissonnette v. LePage Bakeries Park St., LLC, 601 U.S. 246 (2024). The decision in Brock, however, is poised to be the most impactful of all three of the cases.

Implications For Employers

The importance of the ultimate decision in Brock cannot be overstated. In both Saxon and Bissonnette, the U.S. Supreme Court dramatically expanded the reach of the transportation worker exemption making it increasingly difficult for employers to move to compel arbitration in class and collective actions brought by workers in logistics-adjacent positions

If workers who engage in wholly intrastate commerce fall within the exemption’s reach, it may require a fundamental re-structuring of many employers’ arbitration programs. In contrast, if these workers and independent contractors are not exempt from the requirements of the FAA, then employers may finally be able to rest easy knowing that their arbitration defenses remain viable for at least a portion of their workforce.

Although only time will tell what the U.S. Supreme Court will decide, corporate counsel should follow this blog for updates because the authors will be watching this case closely. Oral arguments are likely to occur during Fall 2025 and a decision will follow in Spring 2026.

October 2, 2025October 2, 2025 by Gerald L. Maatman, Jr.

North Carolina Federal Dismisses Class Action Based On No Injury Stemming From Bojangles Data Breach

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Andrew P. Quay

Duane Morris Takeaways: On September 30, 2025, in Dougherty, et al. v. Bojangles’ Restaurants, Inc., No. 25-CV-00065, 2025 U.S. Dist. LEXIS 194879 (W.D.N.C. Sept. 30, 2025), Judge Kenneth D. Bell of the U.S. District Court for the Western District of North Carolina dismissed a class action alleging violations of numerous state torts and the North Carolina Unfair and Deceptive Trade Practices Act following an alleged cyberattack on Bojangles. The Court held the former employees of the fast-food chain failed to plausibly allege a concrete injury, and therefore, lacked Article III standing. The Court reasoned that Plaintiffs’ theory of an “ongoing threat of identity theft” without any actual harm was not enough to sustain a concrete injury.

The decision illustrates that the mere possibility of future harm, without any actual harm, is not enough to plausibly allege an injury-in-fact for purposes of Article III standing. Further, building on U.S. Supreme Court precedent, the decision highlights the requirements of traceability where plaintiffs cannot identify any harm connected to the transfer of personal information to a data breach defendant.

Case Background

Bojangles Restaurants, Inc. (“Bojangles”) was the alleged victim of a cyberattack in February 2024. Id. at *5. In November of that same year, Bojangles sent a notice to those who may have been impacted, stating “that certain files were viewed and downloaded by an unknown actor between February 19, 2024 and March 12, 2024.” Id.

In January 2025, after receiving the notice from Bojangles, Alexis Dougherty and eight other former employees (“Plaintiffs”), filed a putative class action complaint against Bojangles. Id. at *2. Plaintiffs alleged that Bojangles gathers various types of sensitive information from its employees, including names, addresses, Social Security numbers, driver’s license information, etc., and that Bojangles failed to implement “reasonable cybersecurity safeguards or protocols.” Id. at *4-5. Notably, however, Plaintiffs did not identify any sensitive information they provided to Bojangles, except for some Plaintiffs who alleged they provided their Social Security number or that Bojangles’ notice identified their Social Security number. Id. at *6.

Plaintiffs asserted two different theories of injury. Eight of the nine Plaintiffs did not allege any identity theft or data misuse; rather, they claimed injury based on “the threat of harm” from a potential sale of their information on the Dark Web, an uptick in spam calls, “diminution in value” of their personal information, time spent mitigating the potential impacts of the cyberattack, and emotional distress. Id. The remaining plaintiff alleged fraudulent charges on his debit card but did not allege that he provided the card number to Bojangles as part of his employment. Id. at *6.

Bojangles moved to dismiss for lack of subject-matter jurisdiction and for failure to state a claim upon which relief can be granted. Bojangles argued that eight of the Plaintiffs failed to allege a concrete injury without an actual misuse of their personal information, and that the remaining plaintiff’s alleged debit card fraud is not fairly traceable to the data breach.

The Court’s Opinion

In a 10-page opinion, Judge Kenneth D. Bell granted Bojangles’ motion to dismiss for lack of subject-matter jurisdiction without reaching the merits of Plaintiffs’ claims.

The Court held that Plaintiffs failed to plausibly allege Article III standing. Judge Bell explained that Plaintiffs’ allegations “only describ[e] the possibility of future harm that is inherent in every data security incident, but cannot support the Article III standing necessary to pursue a federal lawsuit.” Id. at *7. There was no dispute that Plaintiffs’ personal information may have been impacted by the data breach, but the potential threat of resulting damages failed to plausibly allege a concrete injury that is fairly traceable to the data breach. Id. at *6-7.

The U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), governed the opinion. There, the named plaintiff on behalf of a putative class alleged that TransUnion, a credit reporting agency, violated the Fair Credit Reporting Act by failing to use reasonable procedures before placing a misleading alert in his credit file that labeled him as a potential terrorist, among other comparable threats. Id. at 419-21. The Supreme Court held that only class members whose credit reports had been provided to third-party businesses had suffered a concrete injury, and that the mere existence of misleading alerts in one’s own credit file did not cause such an injury. Id. at 417, 435.

Applying TransUnion to the facts at hand, Judge Bell reasoned that “Plaintiffs’ allegations of harm as a consequence of the Data Breach fall squarely in the ‘might be a problem’ rather than the ‘is already a problem’ category.” Dougherty, 2025 U.S. Dist. LEXIS 194879,at *12. Therefore, Plaintiffs’ theory of an ongoing threat of identity theft or other data misuse failed to plausibly allege any actual harm, such as an attempt to open credit card accounts or otherwise steal information. Id. at *12-13. Further, most of the Plaintiffs did not identify any personal information that they personally provided to Bojangles, defeating any traceability argument. Judge Bell similarly dismissed Plaintiffs’ varied attempts to establish standing based on an uptick in spam calls, diminution in value of personal information, time spent mitigating the “potential impact” of the data breach, and emotional distress. Id. at 13-14. None of these harms constitute a concrete injury.

Judge Bell also dismissed the claims of the one Plaintiff who allegedly noticed fraudulent charges on his debit card, because he did not allege those charges were fairly traceable to the breach. Because the Plaintiff did not allege that he provided his debit card number to Bojangles as part of his employment, there was no way to connect those charges to the alleged breach. Thus, although those charges may constitute an injury-in-fact, they were insufficient on traceability grounds.

Implications For Companies

Dougherty illustrates the pleading requirements established in TransUnion, and the powerful tool that they can be in dismantling a nationwide data breach class action.

What’s more, the court in Dougherty seemed to take for granted that every class member must suffer an actual injury for each of their claims, even at the pleading stage in the litigation. Id. at *9 (“Therefore, following TransUnion, it is clear that to recover damages from Defendant, every class member must have Article III standing for each claim that they press requiring proof that the challenged conduct caused each of them a concrete harm”) (quotations omitted). This signal may be a favorable sign that Judge Bell agrees with the “sleeping lion” noted by Justice Kavanaugh in Lab. Corp. of Am. Holdings v. Davis, 605 U.S. 327 (2025) – i.e., whether “a federal court may . . . certify a damages class that includes both injured and uninjured members.” Id. at 328 (Kavanaugh, J., dissenting). For now, however, the Court left that issue until another day.

Nonetheless, if corporate counsel’s organizations are facing a class action seeking damages stemming from an alleged data breach, corporate counsel should consider their ability to attack Article III standing on all fronts, not only as to the named plaintiffs, but also as to the class. If successful, other organizations may be able to make an early exit from a data breach class action on the theory that plaintiffs cannot plausibly allege an actual injury from the future possibility of their data misuse, much like the defendant in Dougherty.

September 10, 2025 by Gerald L. Maatman, Jr.

New York Federal Court Dismisses Adtech Class Action Because No Ordinary Person Could Identify Web User

By Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Ryan Garippo

Duane Morris Takeaways: On September 3, 2025, in Golden v. NBCUniversal Media, LLC, No. 22-CV-9858, 2025 WL 2530689 (S.D.N.Y. Sept. 3, 2025), Judge Paul A. Engelmayer of the U.S. District Court for the Southern District of New York granted a motion to dismiss with prejudice for a media company on a claim that the company’s use of website advertising technology on its website violated the Video Privacy Protection Act (“VPPA”). The ruling is significant as it shows that in the explosion of adtech class actions across the nation seeking millions or billions of dollars in statutory damages under not only the VPPA but also myriad other statutes providing for statutory penalties on similar theories that the website owner disclosed website activities to Facebook, Google, and other advertising agencies, the statute and its harsh penalties should not be triggered because no ordinary person could access and decipher the information transmitted.

Background

This case is one of a multiplying legion of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web-browsing activity and sent it to Meta, Google, and other online advertising agencies.

This software, often called website advertising technology or “adtech,” is a common feature on corporate, governmental, and other websites in operation today. In adtech class actions, the key issue is often a claim brought under the VPPA, a federal or state wiretap act, a consumer fraud act, and even the Illinois Genetic Information Privacy Act (GIPA), because plaintiffs often seek millions (and sometimes even billions) of dollars, even from midsize companies, on the theory that hundreds of thousands of website visitors, times $2,500 per claimant in statutory damages under the VPPA, for example, equals a huge amount of damages. Plaintiffs have filed the bulk of these types of lawsuits to date against healthcare providers, but they also have filed suits against companies that span nearly every industry including retailers, consumer products, and universities. Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, the vast majority remain undecided, and especially with some district courts being more permissive than others in allowing adtech class actions to proceed beyond the motion to dismiss stage (as we blogged about here), the plaintiffs’ bar continues to file adtech class actions at an alarming rate.

In Golden, the plaintiff brought suit against a media company. According to the plaintiff, she signed up for an online newsletter offered by the media company and, thereafter, visited the media company’s website, where she watched videos. Id. at *2-4. The plaintiff further alleged that, after she watched those videos, her video-watching history was sent to Meta without her permission via the media company’s undisclosed use of the Meta Pixel on its website. Id. Like plaintiffs in most adtech class action complaints, this plaintiff: (1) alleged that before the company sent the web-browsing data to the online advertising agency (e.g., Meta), the company encrypted the data via the secure “https” protocol (id., ECF No. 56 ¶ 45); and (2) did not allege that any human had her encrypted web-browsing data or could retrieve it from the advertising agency’s algorithms or that even the advertising agency, or any other entity or person, has her web-browsing data stored or could retrieve it from the advertising agency’s algorithms in a decrypted (readable) format. Based on the plaintiffs’ allegations, the plaintiff alleged a violation of the VPPA.

The media company moved to dismiss under Rule 12(b)(6), arguing that the media company did not adequately allege that the media company “disclosed” the plaintiff’s “personally identifiable information” (“PII”), defined under the VPPA as “information which identifies a person as having requested or obtained specific video materials or services….” Id., 2025 WL 2530689, at *5-6.

The Court’s Decision

The Court agreed with the media company and held that the plaintiff failed plausibly to plead any unauthorized “disclosure.”

As the Court explained, “PII, under the VPPA, has three distinct elements: (1) the consumer’s identity, (2) the video material’s identity, and (3) the connection between them.” Id. at *6. Moreover, PII “encompasses information that would allow an ordinary person to identify a consumer’s video-watching habits, but not information that only a sophisticated technology company could use to do so.” Id. (emphasis in original). Therefore, “to survive a motion to dismiss, a complaint must plausibly allege that the defendant’s disclosure of information would, with little or no extra effort, permit an ordinary recipient to identify the plaintiff’s video-watching habits.” Id. For these reasons, explained the Court, the Second Circuit has “effectively shut the door for Pixel-based VPPA claims.” Id. at *7 (citing Hughes v. National Football League, 2025 WL 1720295 (2d Cir. June 20, 2025)).

Applying these standards, the Court dismissed the plaintiff’s VPPA claim with prejudice, holding that, “[i]n short, because the alleged disclosure could not be appreciated — decoded to reveal the actual identity of the user, and his or her video selections — by an ordinary person but only by a technology company such as Facebook, it did not amount to PII.” Id. at *6-7. In so holding, the Court cited an “emergent line of authority” shutting the door on VPPA claims not only in the Second Circuit but also in other U.S. Courts of Appeal. See In Re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 283 (3d Cir. 2016) (affirming dismissal of VPPA case involving the use of Google Analytics, stating, “To an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person”); Eichenberger v. ESPN, Inc., 876 F.3d 979, 986 (9th Cir. 2017) (affirming dismissal of VPPA case because “an ordinary person could not use the information that Defendant allegedly disclosed [a device serial number] to identify an individual”).

Implications For Companies

The Court’s holding in Golden is a win for adtech class action defendants and should be instructive for courts around the country addressing adtech class actions brought under not only the VPPA, but also other statutes prohibiting “disclosures,” and the like. These statutes should be interpreted similarly to require proof that an ordinary person could access and decipher the web-browsing data, identify the person, and link the person to the data.

Consider a few examples. A GIPA claim requires proof of a disclosure or a breach of confidentiality and privilege. An eavesdropping claim under the California Information of Privacy Act (CIPA) § 632 requires proof of eavesdropping. A trap and trace claim under CIPA § 638.51 requires proof that the data captured is reasonably likely to identify the source of the data. A claim under the Electronic Communications Privacy Act (ECPA) requires proof of an interception.

When adtech sends encrypted, inaccessible, anonymized transmissions to the advertising agency’s algorithms, has there been any disclosure or breach of confidentiality and privilege (GIPA), eavesdropping (CIPA § 632), data capture reasonably likely to identify the source (CIPA § 638.51), or interception (ECPA)? Just as adtech transmissions are insufficient to amount to a disclosure under the VPPA, Golden shows neither should adtech transmissions trigger these similarly worded statutes because no ordinary person could access and decipher the data transmitted.

September 2, 2025September 2, 2025 by Gerald L. Maatman, Jr.

Virginia Federal Court Slices Away Out-of-State FLSA Claims Against Pizza Company

By Gerald L. Maatman, Jr., Anna Sheridan, and Ryan T. Garippo

Duane Morris Takeaways: On August 22, 2025, in Shamburg, et al. v. Ayvaz Pizza, LLC, et al., No. 24-CV-00098, 2025 WL 2431652 (W.D. Va. Aug. 22, 2025), Judge Jasmine Yoon of the U.S. District Court for the Western District of Virginia partially dismissed a proposed nationwide collective action brought by pizza delivery drivers. Although Plaintiff Chandler Shamburg (“Plaintiff” or “Shamburg”), and other plaintiffs, asserted nationwide Fair Labor Standards Act (“FLSA”) and state law claims from multiple jurisdictions, the Court dismissed nearly all of them for lack of personal jurisdiction. This ruling reinforces the growing trend of federal courts willing to apply the Due Process Clause’s protections to expansive FLSA collective actions and underscores the difficulty plaintiffs face in keeping sprawling, multi-state, wage claims altogether in one federal court.

Case Background

In 2024, Shamburg filed a putative class and collective action that alleged that Ayvaz Pizza (“Ayvaz”), a franchisee that “operates an unidentified number of Pizza Hut Franchise Stores within” Virginia, that is neither incorporated in nor has its principal place of business in Virginia, violated the FLSA and various state laws. Id. at *1. They also sued Ayvaz’s owner, Shoukat Dhanani, for this conduct as well. Id.

Shamburg (and, ultimately several other plaintiffs) alleged that both himself, and other drivers, were “required to use their own cars, ensure their cars were legally compliant, pay car-related costs including gasoline expenses, maintenance and part costs, insurance, financing charges, and licensing and registration costs, pay storage costs, cell phone costs, and data charges, and pay for other necessary equipment.” Id. As a result, Shamburg and the out-of-state plaintiffs alleged that their hourly rate of pay dropped below the FLSA’s minimum wage guarantee because these expenses were “kicked back” to Ayvaz. Id. at *1-2. They also brought seventeen state law claims that “assert causes of action from seven different states and invoke both state statutory and common law.” Id. at *8.

But, Ayvaz was no stranger to these issues. It was also recently sued in Garza, et al. v. Ayvaz Pizza, LLC, No. 23-CV-01379 (S.D. Tex.), and Stotesbery, et al. v. Muy Pizza-Tejas, LLC, et al., No. 22-CV-01622 (D. Minn.), based on similar allegations. Based on the existence of these prior two actions, and the presence of the out-of-state plaintiffs’ claims, Ayvaz and its owner moved to dismiss based on lack of personal jurisdiction (both general and specific), lack of supplemental jurisdiction, and the first-to-file doctrine. Judge Yoon’s decision followed.

The Court’s Ruling

In general, Judge Yoon’s decision was split into four discrete parts — each addressing whether the Court could exercise various forms of jurisdiction over Ayvaz and its owner. For the most part, the Court declined each type of jurisdiction.

General Personal Jurisdiction & Out-Of-State Plaintiffs

First, although it was uncontested that Ayvaz was neither incorporated in nor headquartered out of Virginia, Plaintiffs argued that Ayvaz was subject to general personal jurisdiction in Virginia based on the U.S. Supreme Court’s decision in Mallory v. Norfolk Southern Railway Co., 600 U.S. 122 (2023). In Mallory, the U.S. Supreme Court held that Due Process does not prohibit “a State from requiring an out-of-state corporation to consent to personal jurisdiction to do business there.” Id. at 127. Like the Pennsylvania statute at issue in Mallory, Virginia also has “an out-of-state business registration statute.” Shamburg¸ 2025 WL 2431652, at *5.

Judge Yoon, however, reasoned that “unlike Pennsylvania, Virginia law does not require the out-of-state business to condition its registration on submitting to general personal jurisdiction” consistent with the decisions of several other district courts. Id. Thus, the Court “conclude[d] that, absent explicit consent to jurisdiction in Virginia’s business registration statute” it could not exercise general personal jurisdiction over Ayvaz or its owner.

Specific Jurisdiction & Out-Of-State Plaintiffs

Second, the Court addressed the out-of-state plaintiffs’ argument that the Court could exercise specific personal jurisdiction over Ayvaz as to the out-of-state plaintiffs but disagreed. Judge Yoon weighed in on the pending circuit split regarding the applicability of Bristol-Myers Squibb v. Superior Court, 582 U.S. 255 (2017), to FLSA collective actions. The Third, Sixth, Seventh, Eighth and Ninth Circuits hold that Bristol-Myers applies, whereas the First Circuit stands alone and holds otherwise.

Judge Yoon agreed with “the approach taken by the majority of the Courts of Appeals” and held each plaintiff “must present independent, sufficient bases for the exercise of the court’s specific jurisdiction over that claim.” Id. at *6. Similarly, because none of the plaintiffs alleged facts related to the owner’s minimum contacts with Virginia “beyond the fact that Ayvaz is registered to do business in Virginia and operates an unidentified number of Pizza Hut Franchise Stores,” their claims could not proceed against him either.

The Seventeen State Law Counts

Third, having dismissed the out-of-state plaintiffs’ claims, Judge Yoon declined to exercise supplemental jurisdiction over the seventeen state law counts. The Court observed that “the presence of more subclasses (eight) than states (seven) provides evidence of both complexity and the lack of commonality” that show that the state law claims “would substantially predominate over the FLSA claim.” Id. at *8. The court dismissed those claims without prejudice, leaving only the FLSA claims brought by Virginia-based employees.

The First-To-File Doctrine

Fourth and finally, the Court declined Ayvaz’s request to dismiss the case under the “first-to-file” doctrine due to the existence of the earlier filed suits in Garza and Stotesbury. The first-to-file rule allows a federal court to decline jurisdiction when a substantially similar lawsuit involving the same parties and issues is already pending in another court. Id. at *10. But, the court concluded that the “putative classes and respective issues” in the two prior suits differ enough that the first-to-file rule should not be applied. Id. at *12.

Indeed, “Stotesbery, by design, includes an FLSA claim limited to those who work in Minnesota” and thus did not overlap based on the Court’s ruling. Id. And, the Court declined to apply the first-to-file doctrine to Garza because the “case was settled and dismissed with prejudice” and thus was not pending at the time of the decision. Id. at *10. “Accordingly, Plaintiffs’ complaint will survive the motion to dismiss with respect to the FLSA claim for Plaintiffs who live in or work in Virginia.” Id. at *12.

Implications for Employers

The Shamburg decision demonstrates that courts are increasingly unwilling to allow out-of-state employees to anchor nationwide collective actions against employers without first affording employers certain due process protections. This growing trend prevents employers from having to defend these actions in distant and unfamiliar courts, and forces plaintiffs to bring these actions where these employers are incorporated or headquartered.

With these trends in mind, corporate counsel should continue to monitor this blog for developments because the Bristol-Myers circuit split is sure to be decided by the U.S. Supreme Court soon, and if their companies are sued in putative class and collective actions, it is better to prepared in advance for when these important issues are decided.

August 14, 2025 by Gerald L. Maatman, Jr.

You’ve Got Mail But Not Class Certification

By Gerald L. Maatman, Jr., Shannon Noelle, and Ryan Garippo

Duane Morris Takeaways: In a recent opinion in Fischbein v. IQVIA Inc., Case No. 19-CV-5365 (E.D. Pa. June 5, 2025), Judge Nitza I. Quiñones of the U.S. District Court for the Eastern District of Pennsylvania denied class certification of a proposed class of healthcare professionals that allegedly received unsolicited fax advertisements in violation of the Telephone Consumer Protect Act (“TCPA”). The Court determined that the TCPA only prohibits receipt of unsolicited ads on a “a traditional stand-alone fax machine” (as opposed to modern online faxing) and plaintiffs did not demonstrate that common evidence existed showing all class members received the alleged ads at issue through a traditional fax machine as opposed to through an online transmission. As a result, the Court found that plaintiffs did not satisfy the required ascertainability and predominance elements of class certification.

Background

The proposed class in Fischbein v. IQVIA Inc. consisted of more than 25,000 healthcare providers that allegedly received unsolicited fax advertisements from Defendant IQVIA Inc., a company that provides advanced analytics, technology solutions, and clinical research services to the life sciences industry. The class complaint contended that certain faxes for surveys administered by IQVIA were allegedly sent in violation of the TCPA which makes it “unlawful for any person within the United States, or any person outside the United States if the recipient is within the United States . . . to use any telephone facsimile machine, computer, or other device to send, to a telephone or facsimile machine, an unsolicited advertisement.” Id. at 3.

The Court’s Decision

Parsing the plain language of the statute and interpretive case law in the Fourth Circuit, the District Court agreed with the Fourth Circuit finding that the statute was designed to only protect plaintiffs that received advertisements on stand-alone fax machines, rather than through online fax services. The statute states in relevant part that it is unlawful to “use any telephone facsimile machine, computer, or other device to send, to a telephone facsimile machine, an unsolicited advertisement.” See 47 U.S.C. § 227(b)(1)(C) (emphasis added). The statute further defines “telephone facsimile machine” as “equipment which has the capacity (A) to transcribe text or images, or both, from paper into an electronic signal and to transmit that signal over a regular telephone line, or (B) to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper.” See ECF No. 119, at 8 (citing § 227(a)(3) (emphasis added)). Plaintiffs submitted the testimony of an expert who opined that the phrase “regular telephone line” would include transmissions made by online services so long as it was regulated by the North American Numbering Plan Administrator. Id. at 8-9. But the Court found that this interpretation would “render superfluous” the word “regular” used as a modifier of “telephone line” in the statute. Id. at 9. In fact, the expert’s testimony contradicted his expert opinion as he conceded that “regular telephone line” means an “analog telephone line.” Id. The Court also noted that plaintiffs presented no evidence nor did they make any arguments that an online fax service has the ability on its own to either transcribe text or images “from paper” or “onto paper” as stated in the statute, further undermining plaintiffs’ argument that the statute was meant to include online fax transmissions. Id. at 10. Indeed, Plaintiffs’ expert conceded that such online fax services have the “capacity” to do this type of transcription only when connected to other devices like scanners or printers. Id. at 10. The Court acknowledged that its statutory interpretation was also supported by the Federal Communications Commission’s (“FCC”) declaratory ruling in In the Matter of Amerifactors Fin. Grp., LLC, 34 F.C.C. Rcd. 11950 (2019).

Applying this statutory interpretation, the Court found that the proposed class was not adequately ascertainable as plaintiffs could not point to common evidence to show that proposed class members received unsolicited ads through a stand-alone fax machine as opposed to an online service provider. Plaintiffs suggested that they could submit declarations from class members to ascertain that they fell under the scope of the class of plaintiffs the statute was designed to protect, but the Court found that declarations from potential class members “standing alone, without records to identify class members or a method to weed out unreliable affidavits” would not constitute a reliable or feasible means of determining class membership. See ECF No. 119, at 15 (internal citation and quotations omitted).

For similar reasons, the Court also found that the predominance element of class certification was not met as individual questions of whether the faxes at issue were received on a stand-alone fax machine or by way of an online fax service would predominate over questions common to the proposed class.

On June 20, 2025, plaintiffs filed a motion for reconsideration of the order denying class certification or, in the alternative, to certify a more narrowly-defined class (i.e. asking the Court to narrow the class definition to exclude people who used online fax services). This motion is pending before the Court.

Implications for TCPA Defendants

The Fischbein decision provides important points of attack for the defense bar on ascertainability and predominance grounds for TCPA classes by underscoring the importance of parsing class definitions in the TCPA context to ensure the modality of transmission of the alleged unsolicited advertisement can be determined on a class-wide basis and is limited to traditional fax machine communications.

August 6, 2025August 6, 2025 by Gerald L. Maatman, Jr.

The Seventh Circuit Raises The Bar For Conditional Certification Under The FLSA And The ADEA

By Gerald L. Maatman, Jr., Ryan T. Garippo, and George J. Schaller

Duane Morris Takeaways: On August 5, 2025, in Richards, et al. v. Eli Lilly & Co., et al., No. 24-2574, 2025 U.S. App. LEXIS 19667 (7th Cir. Aug. 5, 2025), the Seventh Circuit issued an opinion that vacated and remanded a district court’s decision to conditionally certify a group of potential opt-in plaintiffs in an Age Discrimination in Employment Act (“ADEA”) collective action. The opinion breaks new ground on the contours of 29 U.S.C. Section 216(b), and as a result, also applies to conditional certification of wage & hour collective actions under the Fair Labor Standards Act (“FLSA”). The opinion elucidates the standards for notice in FLSA collective actions. While the opinion is undoubtedly a win for employers, only time will tell the scope of the win, as this opinion ultimately may create more questions than it answers.

Background

In 2022, Monica Richards (“Richards” or “Plaintiff”) sued Eli Lilly & Co and Lilly USA, LLC (collectively, “Eli Lilly”), the international pharmaceutical manufacturers and her one-time employer, alleging discrimination under the ADEA. The ADEA incorporates the FLSA’s “enforcement provision, permitting employees to band together in collective actions when suing an employer for age discrimination.” Id. at *3. Richards, as a result, alleged that Eli Lilly promoted younger employees in violation of the ADEA.

Shortly after she filed her lawsuit, Richards “moved to conditionally certify a collective action, asserting that the unfavorable treatment she experienced was part of a broader pattern of age discrimination against Eli Lilly’s older employees.” Id. at *9. “Conditional certification” of such claims has traditionally been thought of in two steps. At the first step, an employee moves for conditional certification, i.e., to send notice of the lawsuit, to all individuals that he or she contends are similarly situated to him or her. Drawing on a District Court of New Jersey opinion from 1987, Lusardi v. Xerox Corp., 118 F.R.D. 351 (D.N.J. 1987), many courts hold that the employee has a light burden at this stage, and thus rely solely on the plaintiff’s allegations, and do not consider competing evidence submitted by the employer.

If the employee’s motion is granted, as they are with exceedingly high rates, those individuals covered by the collective action definition receive notice of the lawsuit and then have the ability to opt-in as party plaintiffs to the case and participate in discovery. At the close of discovery, if the case has not settled, the employer can then move to decertify the conditionally certified collective action, and prove the employees are not similarly situated, which results in the opt-in plaintiffs’ claims being dismissed without prejudice if successful.

In this case, the fight over the applicability of Lusardi took center stage as it has in many other collective actions. In recent years, the Fifth and Sixth Circuit Courts of Appeal, have found that Lusardi’s two step approach is inconsistent with the text of the FLSA. Swales v. KLLM Transp. Servs., LLC, 985 F.3d 430 (5th Cir. 2021); Clark v. A&L Homecare & Training Ctr., LLC, 68 F.4th 1003 (6th Cir. 2023). In Swales, 985 F.3d at 443, the Fifth Circuit rejected Lusardi’s two-step approach outright, and required its district courts to “rigorously enforce” the FLSA’s similarity requirement at the outset of the litigation in a one-step approach. Similarly, in Clark, 68 F.4th at 1011, the Sixth Circuit adopted a comparable, but slightly more lenient standard, requiring the employee to show a “strong likelihood” that others are similarly situated to him or her before the district court can send notice.

In contrast, the Second, Ninth, Tenth, and Eleventh Circuits continue to either follow or allow the district court to adopt the two-step framework outlined in Lusardi. Harrington v. Cracker Barrel Old Country Store, Inc., 142 F.4th 678 (9th Cir. 2025); Thiessen v. Gen. Elec. Cap. Corp., 267 F.3d 1095 (10th Cir. 2001); Myers v. Hertz Corp., 624 F.3d 537 (2d Cir. 2010); Hipp v. Liberty Nat’l Life Ins. Co., 252 F.3d 1208 (11th Cir. 2001). This brewing circuit split gave rise to the dispute in Richards.

Against this backdrop, the district court in Richards ultimately followed Lusardi, and decided to send notice to the employees whom Richards contended were similarly situated to her. But Eli Lilly filed a motion for interlocutory appeal, which was subsequently granted, and the Seventh Circuit set out to opine on the circuit split for itself.

The Seventh Circuit’s Opinion

The Seventh Circuit, in an opinion written by Judge Thomas Kirsch, rejected the Lusardi framework but declined to go as far as Clark or Swales. The Seventh Circuit observed that the notice process should be facilitated by three guiding principles: (1) the timing and accuracy of notice; (2) judicial neutrality; and (3) the prevention of abuses of joinder. Richards, 2025 U.S. App. LEXIS 19667 at *14. It reasoned that the Lusardi standard threatened the latter two principles by “incentivizing defendants to settle early rather than attempt to ‘decertify’ at step two . . . transforming what should be a neutral case management tool into a vehicle for strongarming settlements and soliciting claims.” Id. at * 17. Thus, the Seventh Circuit rejected Lusardi, but what to do in the alternative was a more difficult question.

The Seventh Circuit decided that rather than endorse the rigid standards of Clark or Swales, its approach would be guided by “flexibility” and an analysis that is not an “all-or-nothing determination.” Id. at *19. Indeed, a plaintiff must now “make a threshold showing that there is a material factual dispute as to whether the proposed collective is similarly situated.” Id. at *21. Or, in other words, a plaintiff must “produce some evidence suggesting that they and the members of the proposed collective are victims of a common unlawful employment practice or policy.” Id, at *21-22. To counter a plaintiff’s evidence, an employer “must be permitted to submit rebuttal evidence and, in assessing whether a material dispute exists, courts must consider the extent to which plaintiffs engage with opposing evidence.” Id., at *22.It is not clear, however, the burden a plaintiff must satisfy to refute the defendant’s evidence to move forward.

In considering that threshold determination, the district court has the discretion to send notice or not.It also has the discretion to resolve some of the disputed issues, and narrow the scope of notice, or not. It also may authorize limited and expedited discovery to make the determination, or not. Id., at *24.It also has the discretion to allow a plaintiff to come forward with more evidence, or not. In essence, “[t]he watchword here is flexibility.” Id. And, with those principles in mind, the Seventh Circuit vacated and remanded for further proceedings consistent with the opinion.

Implications For Employers

The Seventh Circuit’s opinion is undoubtedly a win for employers, but the opinion introduces ambiguity into the equation with its focus on “flexibility.” See id. Plaintiffs in Illinois, Wisconsin, and Indiana can no longer rely on mere allegations to send notice and must wrestle with an employer’s evidence contradicting claims of a common unlawful policy or practice. This result is most certainly a win.

It is what comes next that is the problem. What is the level of scrutiny a district court must apply when deciding whether a plaintiff engaged with an employer’s evidence? Should a district court apply a one-step approach or two-step approach? Should it allow limited and expedited discovery? What is the standard to obtain such discovery? When should a court allow a plaintiff to come forward with more evidence? When should it not? All these questions go unanswered.

These unanswered questions continue to contribute to the procedural morass that employers must navigate in wage-and-hour collective actions under the FLSA. In addition to these questions, employers are also now navigating the 4-way circuit split on whether Lusardi applies at all and a separate circuit split, also discussed on our blog, regarding the applicability of Bristol Myers Squibb Co. v. Super. Ct. of Cal., 582 U.S. 255 (2017) to collective actions. With both issues ripe for consideration by the U.S. Supreme Court, corporate counsel facing a collective action should consider hiring experienced outside counsel to help navigate these complicated procedural issues and monitor this blog for further developments.

July 11, 2025July 11, 2025 by Gerald L. Maatman, Jr.

Ninth Circuit Affirms Summary Judgment For Defendant On CIPA Claim For Aiding And Abetting Third-Party Software Provider

By Gerald L. Maatman, Jr., Justin Donoho, and Ryan Garippo

Duane Morris Takeaways: On July 9, 2025, in Gutierrez, et al. v. Converse, Inc., No. 24-4797, 2025 WL 1895315 (9th Cir. July 9, 2025), the Ninth Circuit affirmed that a plaintiff had no evidence from which a reasonable jury could conclude that an online retailer’s use of third-party software to enable a chat feature on its website aided and abetted the third-party vendor in reading or attempting to read the contents of the plaintiff’s chat messages real-time in alleged violation of the California Invasion of Privacy Act (CIPA). In rejecting this theory, the ruling is significant because it shows that CIPA claims involving alleged disclosures of website activities to third-party software providers cannot survive unless the plaintiff can show that the website owner enabled the third party to read unencrypted, real-time communications.

Background

This case is one of a legion of class actions that plaintiffs have filed nationwide alleging that third-party software embedded in defendants’ websites secretly captured plaintiffs’ web-browsing activity and sent it to the third-party provider of the software. Third-party software is a common feature on many websites today and comes in many forms including website advertising technologies (“adtech”), customer relationship management (“CRM”) software, enterprise resource management (“ERP”) software, and, as in this case, communications platforms.

In Gutierrez, Plaintiff brought suit against an online retailer. According to Plaintiff, the retailer installed a chat feature on its public-facing website and thereby transmitted chat communications entered on the website to Salesforce, a third-party provider of the chat feature to the online retailer in the form of “software as a service” (“SaaS”). 2024 WL 3511648, at *2 (C.D. Cal. July 12, 2024).

As usual since the Snowden disclosures in 2013, all of these transmissions between the web user, website, and third-party software provider were “were encrypted while in transit.” Id. at *3. Moreover, as is true for all internet communications, the chats were transmitted “in different network packets.” Id. Thus, the uncontroverted expert evidence showed that “it is ‘virtually impossible’ to learn the contents of an internet communication while it is in transit.” Id.

The online retailer’s chat data, including chat transcripts, were stored on Salesforce’s servers. Id. However, this information was accessible in unencrypted format only through the retailer’s password-protected dashboard. Id. Plaintiff offered no evidence to show that Salesforce had access to the retailer’s dashboard or that the retailer ever provided Salesforce access to it. Id.

Based on these facts, Plaintiff argued that the retailer violated the CIPA by aiding and abetting Salesforce’s wiretapping or attempts to learn her chat communications on the retailer’s website.

The District Court granted the retailer’s motion for summary judgment for multiple reasons. First, the District Court found as a matter of law that Salesforce did not violate CIPA’s first clause prohibiting intentional wiretapping or making any unauthorized connection “with any telegraph or telephone wire, line, cable, or instrument” because “Courts have consistently interpreted this clause as applying only to communications over telephones and not through the internet.” Id. at *6-7.

Second, the District Court found no genuine dispute of material fact existed as to whether Salesforce had violated the second clause of CIPA, Section 631(a), “because Plaintiff has presented no evidence from which a reasonable jury could conclude Salesforce intercepts messages sent through [the retailer]’s chat feature ‘while … in transit’ or reads or attempts to read or learn the contents of such messages.” Id. at *7. As the District Court explained, “uncontroverted evidence establishes messages sent through [the retailer]’s chat feature are encrypted while in transit and, moreover, it is ‘virtually impossible’ to learn the contents of an internet communication while it is in transit because internet communications are transmitted ‘in different network packets[.]’” Further, the District Court stated that “the fact that a user is redirected to a Salesforce-owned URL upon opening the chat feature on [the retailer]’s website does not establish the user’s messages are sent to Salesforce or Salesforce reads or attempts to read or learn the contents of such messages. Rather, this fact simply establishes . . . the user’s messages are transmitted to [the retailer]’s Service Cloud application.” Id. In addition, the District Court explained that “the existence of UUID [Universally Unique Identifier] values attached to chat messages and the mere possibility Salesforce ‘can’ use these values to ‘connect the dots’ between data are insufficient to establish a genuine issue of material fact as to whether Salesforce reads or attempts to read users’ messages while they are in transit.” Id.

Finally, the District Court found that “because Plaintiff has not established an underlying violation of Section 631(a)’s first or second clause by Salesforce, [the retailer] cannot be liable for aiding and abetting Salesforce.”

The Ninth Circuit’s Opinion

The Ninth Circuit agreed with the retailer. It found that summary judgment for the retailer was warranted and affirmed the order below.

In a short opinion, the Ninth Circuit affirmed the District Court’s opinion by finding that “no evidence exists from which a reasonable jury could conclude” that Salesforce engaged in wiretapping or attempted to learn Plaintiff’s chat communications on the retailer’s website and, therefore, absent an underlying violation by Salesforce, no aiding and abetting liability by the retailer. Id., at *1.

Circuit Judge Jay Bybee agreed, filing a separate concurring opinion stating that the wiretapping claim should be affirmed because “the statute, as passed in 1967, focuses on the wiretapping of telegraph or telephone wires—it criminalizes, as relevant here, the wiretapping of a telephone call” and, thus, CIPA’s clause prohibiting wiretapping “does not apply to the internet.” Id. at *2-3. Further, Judge Bybee opined: “Until and unless the California appellate courts tell us otherwise, or the California legislature amends § 631(a), I refuse to apply § 631(a)’s first clause to the internet.” Id. at *3.

Implications For Companies

The District Court’s holding and Ninth Circuit’s affirmance in Gutierrez are a win for CIPA class action defendants and should be instructive for courts around the country. In the hundreds of CIPA class actions alleging a defendant’s disclosure of web-browsing activities to an adtech provider, for example, the plaintiff typically does not allege that the adtech provider has any ability to read any unencrypted version of the information disclosed. This is not surprising, since the largest adtech providers often alleged in CIPA adtech class actions typically encrypt, anonymize, aggregate, and otherwise prevent their own ability to access web users’ browsing activities in any unencrypted format.

Gutierrez shows that adtech plaintiffs will need to show, however, that the owner of the website they visited enabled the third party adtech provider to read unencrypted, real-time communications, in order to prove their CIPA claims.

June 12, 2025June 12, 2025 by Gerald L. Maatman, Jr.

Illinois Federal Court Certifies Interlocutory Appeal To Seventh Circuit On The Retroactivity Of The Amended BIPA

By Gerald L. Maatman, Jr., George J. Schaller, and Ryan T. Garippo

Duane Morris Takeaways: On June 10, 2025,inClay v. Union Pac. R.R. Co, No. 24-CV-4194, 2025 U.S. Dist. LEXIS 108672 (N.D. Ill. June 10, 2025), Judge Georgia N. Alexakis of the U.S. District Court for the Northern District of Illinois certified for interlocutory appeal her decision denying Union Pacific’s motion for partial summary judgment after concluding the 2024 amendment to the Illinois Biometric Information Privacy Act (the “BIPA”) was not retroactive. In 10 days from entry of Judge Alexakis’ Order, Union Pacific may request the Seventh Circuit’s review of the certified question of whether the 2024 amendment to the BIPA applies retroactively. This would be a key issue of significant importance to all companies facing BIPA class actions.

Case Background

Plaintiff Reginald Clay is a truck driver that visited Union Pacific’s facilities. He alleges Union Pacific required him to register his fingerprint information and scan his fingerprints upon entering and exiting those facilities. Id. at *2-3. Clay also alleges Union Pacific did not “disclose what was done with his [fingerprint] information or how it would be stored.” Id. at *3. On April 16, 2024, Clay sued Union Pacific under the BIPA.

In August 2024, the Illinois legislature amended the BIPA to “clarify that when an entity subject to the [BIPA] ‘in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection,’ in violation of the [BIPA], the entity ‘has committed a single violation … for which the aggrieved person is entitled to, at most, one recovery.’” Id. (quoting 740 ILCS 14/20(b), (c), as amended by SB 2979, Public Act 103-0769.)

On November 4, 2024, Union Pacific moved for partial summary judgment and argued “under the 2024 BIPA amendment Clay was now entitled to recover for at most a single BIPA violation rather than the ‘per-scan’” violation under Cothron v. White Castle Sys., Inc., 2023 IL 128004, ¶ 24. Id. at *3-4. On April 10, 2025, the Court concluded that “the BIPA amendment was substantive rather than procedural” and therefore the BIPA amendment “was not retroactive under Illinois law, and thus did not apply to Clay’s claim.” Id. at *4.

Union Pacific requested certification of the Court’s order for interlocutory appeal. Clay opposed the request.

The Court’s Order

On June 10, 2025, the Court certified Union Pacific’s request for an interlocutory appeal of the order denying Union Pacific’s partial motion for summary judgment. Id. at *7.

The Court determined Union Pacific satisfied the four statutory criteria under 28 U.S.C. § 1292 (b)that: “there must be a question of law, it must be controlling, it must be contestable, and its resolution must promise to speed up the litigation.” Id. at *1-2. In addition, the Court found Union Pacific satisfied the Seventh Circuit’s fifth “non-statutory requirement: [that] the petition must be filed in the district court within a reasonable time after the order sought to be appealed.” Id. at *2.

The Court reasoned whether the 2024 amendment to the BIPA is retroactive is “undoubtedly ‘a question of the meaning of a statutory or constitutional provision,” the Amended BIPA “presents ‘an abstract issue of law . . . suitable for determination by an appellate court without a trial record,” and that the question of BIPA retroactivity “is quite likely to affect the further course of litigation.” Id. at *4. As Union Pacific argued, and as the District Court agreed, if the “Seventh Circuit were to conclude that Clay was entitled to only one recovery… [that] certainty about the retroactivity of the 2024 amendment would ‘materially advance the ultimate termination of the litigation.” Id. at *5.

The Court reasoned Union Pacific’s motion was timely because the Court “did not consider 28 days to be unreasonable in preparing a motion to certify for interlocutory appeal a novel question of state law, especially when Clay points to no prejudice he suffers as a result.” Id. at *6.

The Court also opined that while “the Court shares Clay’s view that its April 10 order was ‘correctly reasoned,’[], its confidence does not mean that BIPA retroactivity is not ‘contestable’ within the meaning of § 1292.” Id. In addition, the Court relied on the overwhelming decisions of judges within the Northern District of Illinois and Illinois state court finding the “BIPA amendment does not apply retroactively to pending cases, [], so no current dispute exists among the courts.” Id. at *6-7. But that the consensus of these decisions “does not mean there is ‘no substantial ground for difference of opinion’ about retroactivity.” Id. at *7.

The Court concluded that though its “confidence in its earlier decision” in Schwartz v. Supply, Inc., 23-CV-14319, (N.D. Ill. Nov. 22, 2024) (finding 2024 BIPA amendment not retroactive to pending cases) is not changed that it acknowledges “the novelty and complexity of the legal issue” of retroactivity. Accordingly, the Court found Union Pacific meet all four statutory requirements and the Seventh Circuits’ timeliness requirement and certified Union Pacific’s interlocutory appeal.

Implications For Companies

The ruling in Clay sparks newfound hope on the hotly contested issue of retroactivity of the 2024 amendment to the BIPA. Judge Alexakis’ well-reasoned decision allows Union Pacific 10 days from the Court’s order to request the Seventh Circuit’s interlocutory review of the certified question.

Should the Seventh Circuit grant Union Pacific’s pending request, then the BIPA’s “per-scan” damages for pre-amendment BIPA litigation will receive further consideration. However, even if the Seventh Circuit grants the request, there is always a possibility the Seventh Circuit certifies the question to the Illinois Supreme Court.

Until then, the deluge of decisions referenced in Clay denying retroactivity remain in effect. Companies met with BIPA litigation must monitor Clay as it progresses through interlocutory review.