Third Circuit Holds That Unauthorized Collection Of Credit Card Information Via Session Replay Code Confers Article III Standing, Creating Split Of Authority

By Gerald L. Maatman, Jr., Justin Donoho, and Hayley Ryan

Duane Morris Takeaways: On May 11, 2026, in In Re BPS Direct, LLC; Cabela’s, LLC Wiretapping Litigation, No. 23-3235, 2026 WL 1280969 (3d Cir. May 11, 2026), the U.S. Court of Appeals for the Third Circuit reversed a federal district court’s dismissal of a class action alleging that defendants’ use of session replay code, a form of website analytics technology, violated federal and state privacy laws. The Third Circuit held that two plaintiffs who made purchases on the defendants’ websites had standing to sue because the session replay code collected their credit card information without consent, an alleged injury the Third Circuit deemed analogous to the common law tort intrusion upon seclusion. Id. at *6-7.

This ruling is significant in that it shows that in class actions seeking millions (or billions) of dollars in statutory damages under federal and state data privacy laws for alleged use of session replay code, the Third Circuit has distinguished itself from California District Courts, which have held that there is no reasonable expectation of privacy in credit card information collected by session replay code.  Companies operating in the Third Circuit should take note as the legal risk of session replay code has meaningfully shifted in that jurisdiction.

Background

Many companies embed their websites with session replay code and other similar software such as Google Analytics and the Meta Pixel in order to perform website analytics and/or targeted advertising. All of these various technologies capture users’ browsing behaviors and cryptographically transmit this data to algorithms residing on the software providers’ servers.  Upon entry into the algorithm, this data is typically anonymized, aggregated, and not alleged to have been viewed or accessible by any human.  In addition, session replay code (unlike other website analytics and advertising technologies) is typically alleged to record and store “videos” of “all mouse movements, clicks, scrolls, zooms, window resizes, keystrokes, [and] text entries,” so that the session replay provider can provide that information back to the company “in a format that [the company] can use for its business purposes.” Id. at *1, 5. Plaintiffs across the country have filed multitudes of class actions challenging these various website analytics and advertising practices under federal and state privacy laws, targeting companies in virtually every industry, including healthcare, retail, education, and consumer products.  Some cases have resulted in multimillion-dollar settlements, others have been dismissed, and the vast majority remain undecided.  In these session replay and other data privacy class actions, the central question is often whether the specific data captured is sufficiently sensitive or personally identifying to establish a cognizable legal injury.

In In re BPS Direct, LLC, eight named plaintiffs sued the defendant retailers, alleging that session replay code embedded on their websites captured users’ interactions, including “mouse clicks and movements, keystrokes, search terms, substantive information inputted …, pages and content viewed …, scroll movement[s], and copy and paste actions.” Id. at *2.  Plaintiffs asserted claims under the federal Wiretap Act, 18 U.S.C. § 2510 et seq., and the Computer Fraud and Abuse Act, 18 U.S.C. § 1030 et seq., along with several state and common law causes of action. Id.

The plaintiffs fell into two groups. Two plaintiffs made purchases on the defendants’ websites and each entered his or her “name, address, and payment and billing information” into text fields. Id. The remaining six plaintiffs browsed the websites without making purchases and did not enter any personally identifying information while browsing the websites.  Id.

Defendants moved to dismiss for lack of Article III standing under Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6).  The District Court granted the motion, dismissing the non-purchasing plaintiffs’ claims with prejudice, finding that, after two attempts, they could not establish concrete harm “because they did not make purchases on the Websites or engage in any activity prompting their browsers to send highly sensitive personal information such as medical diagnosis information or financial data from banks or credit cards.” 705 F. Supp. 3d 333, 367 (E.D. Pa. 2023).  The claims of the two purchasing plaintiffs were dismissed without prejudice. Id. Rather than amend, those two plaintiffs filed a notice of intent to stand on their allegations, and all eight plaintiffs appealed.  2026 WL 1280969, at *2-3.

The Third Circuit’s Decision

The Third Circuit reversed the dismissal of the purchasing plaintiffs’ claims and modified the dismissal of the non-purchasing plaintiffs’ claims from with prejudice to without prejudice.  Id. at *1. 

The Third Circuit analyzed standing under two analogous common law torts: (1) public disclosure of private facts, and (2) intrusion upon seclusion. It held that none of the plaintiffs had standing under the first theory.  As to the non-purchasing plaintiffs, their browsing data was neither sensitive nor personally identifiable. As to the purchasing plaintiffs, their information was not publicly disclosed.  Id. at *4-5.

The Third Circuit held that only the two purchasing plaintiffs had standing under the intrusion upon seclusion theory. Id. at *3.  Under that common law tort, “[o]ne who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person.” Id. at *5 (citing Restatement (Second) of Torts § 652B (1977)). The Third Circuit concluded that the two purchasing plaintiffs had entered “personal or sensitive” information – specifically their “complete credit card or debit card numbers” – when making purchases on the defendants’ websites. Id. at *7. The Third Circuit reasoned that “[j]ust as media consumption is sensitive and historically private, so is a person’s complete credit card or debit card number.” Id.

Accordingly, the Third Circuit held that these two plaintiffs had standing based on their allegations that defendants embedded session replay code in their websites, allowing third-party adtech providers to “surreptitiously record their billing and payment information absent consent.” Id.

Implications For Companies

This ruling puts the Third Circuit at odds with California District Courts, which have reached the opposite conclusion in two session replay cases. See Thomas v. Papa Johns Int’l, Inc., 2024 WL 2060140, at *5 (S.D. Cal. May 8, 2024) (plaintiff’s “name, address, credit card number(s), and billing information” collected via session replay is “not information over which society is prepared to recognize a reasonable expectation of privacy”); Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 525 (C.D. Cal. 2021) (collection via session replay of a website user’s “payment card information, including card number, expiration date, and CCV code” without consent was insufficient to constitute an invasion of privacy).

In the Third Circuit, session replay is no longer just an analytics tool – it carries significant legal risk for website operators.  Companies facing session replay class actions in the Third Circuit should shift their litigation strategy accordingly and consider moving beyond standing arguments, including demonstrating that plaintiffs cannot meet their burden of proof on the elements of the claims asserted.

Given the volume of session replay and similar litigation pending nationwide and the significant statutory damages at stake, this decision warrants close attention from any company whose website uses session replay code or similar technologies.

Wisconsin Federal Court Remands Privacy Class Action Lawsuit Based On Lack Of Injury From Google Analytics Data Tracking

By Gerald L. Maatman, Jr., Bernadette M. Coyle, and Andrew P. Quay

Duane Morris Takeaways: On May 1, 2026, in Brahm, et al. v. Hospital Sisters Health System, et al., No. 23-CV-444, 2026 U.S. Dist. LEXIS 96866 (W.D. Wis. May 1, 2026), Judge William M. Conley of the U.S. District Court for the Western District of Wisconsin remanded a putative class action to state court after finding that Plaintiffs lacked Article III standing to pursue claims that healthcare defendants’ use of Google Analytics on patient portals resulted in unauthorized disclosure of protected health information (“PHI”) to Google.  Id. at *2-3.  The Court held that Plaintiffs’ lack of evidence of actual harm, together with their theory of future harm, was insufficient to confer standing.  Id. at *3.  The decision reinforces the growing trend among federal courts requiring proof that disclosed data was actually used to identify individuals, not merely that such identification was theoretically possible.

Case Background

The Defendant healthcare companies operate public websites and authenticated MyChart patient portals as “MyHSHS” and “MyPrevea,” which allow patients to log in with a username and password to access their medical records, schedule appointments, and pay bills.  Id. at *4.  Between at least 2016 and 2023, Defendants deployed Google Analytics tracking technology on their public websites, within patient portals on their websites, and on MyPrevea’s login page and app.  Id. at *6.  Whenever a user visits Defendants’ websites or portals, Google Analytics gathers information about the user’s interactions and shares certain transmissions with Google.  Id. at *7.

Plaintiffs asserted that Google Analytics routinely disclosed patients’ identities and protected health care information to third-party websites like Google without the patients’ knowledge or consent.  Id. at *1.  Plaintiffs alleged that they began seeing Facebook advertisements related to their specific medical conditions after visiting Defendants’ portals or websites.  Id. at *5.  However, Plaintiffs also searched about their medical conditions or treatment online and have had their personal information involuntarily exposed to third parties by entities unrelated to the litigation.  Id.  None of the Plaintiffs had ever tried or intended to sell their PHI, nor did they claim to have suffered any out-of-pocket expenses as a result of Defendants’ allegedly wrongful disclosures.  Id. at *10.  Nonetheless, they sought actual damages based on the alleged “diminished sales value of their PHI,” as well as statutory and nominal damages.  Id.

Plaintiffs alleged claims for violation of federal and state wiretapping statutes, as well as Wisconsin common and statutory laws for breach of duty of confidentiality, breach of implied contract to protect privacy, public disclosure of private facts, and unjust enrichment.  Id. at *3.  Plaintiffs moved to certify four subclasses, while Defendants moved for summary judgment as to all claims.  Id.  

The Court’s Opinion

The Court addressed the “threshold question” of Article III standing on its own initiative, noting that Defendants’ summary judgment motion called Plaintiffs’ standing into question and standing “is jurisdictional and cannot be waived” and must be “secured at each stage of the litigation.”  Id. at *12.  While the Court had previously allowed the original named Plaintiff to proceed past the motion to dismiss stage because it found her allegations of injury sufficient at the pleading stage, the Court explained that with a full record at the summary judgment stage, Plaintiffs failed to present sufficient evidence of a concrete injury-in-fact on multiple grounds.  Id. 

First, as to Plaintiffs’ tort claims for invasion of privacy and breach of fiduciary duty, the Court found no evidence from which a reasonable jury could conclude that their patient identity or PHI was actually disclosed to Google, disclosed by Google, or used by Google inappropriately.  Id. at *17.  Plaintiffs’ evidence did not establish that any of the disclosed anonymous information was actually used by Google or another third party to identify them.  Id.  

Despite Plaintiffs’ expert opining that Google’s systems had the “technical capability and documented practice” of linking information to specific individuals, the Court determined that the capabilities of Google’s systems were insufficient to demonstrate what it actually did.  Id. at *19.  Further, Plaintiffs failed to proffer evidence showing that Defendants caused Plaintiffs’ PHI to be shared, as opposed to other third parties or Plaintiffs themselves through their own voluntary internet disclosures.  Id. at *20. 

Relying on the Seventh Circuit’s decision in Dinerstein v. Google, LLC, 73 F.4th 502 (7th Cir. 2023), the Court emphasized that Plaintiffs “must still present sufficient evidence that Google Analytics actually worked as allegedly intended, which they have failed to do in this case,” and therefore, Plaintiffs failed to show a concrete injury to support standing under Article III.  2026 U.S. Dist. LEXIS 96866, at *23.  The risk of Google or other third parties identifying Plaintiffs at a later date by leveraging the data obtained from Defendants was “not sufficiently imminent to obtain relief in federal court.”  Id.

Second, as to the breach of implied contract claim, the Court found that Plaintiffs lacked standing because their asserted pecuniary harm based on the diminished sales value of their PHI or nominal damages, without any actual harm, was an injury in law and not an injury-in-fact as required by Article III.  Id. at *24-25.

Third, Plaintiffs alternatively asserted unjust enrichment, arguing that Defendants retained without compensation Plaintiffs’ PHI and then disclosed this information to third parties for Defendants’ own gain.  Id. at *26.  However, the Court found that without any evidence of improper disclosure, Plaintiffs’ alleged pecuniary injury was “simply speculative and insufficient to confer standing.”  Id. at *27.

Fourth, the wiretapping claims likewise failed.  Although Plaintiffs sought statutory damages, the Court held that a statutory violation on its own does not confer standing without an underlying concrete, particularized injury.  Id. at *28 (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 427 (2021)).

Having found that Plaintiffs lacked standing as to all claims, the Court remanded the case to Wisconsin state court for further proceedings.  Id.

Implications For Companies

Brahm reinforces that plaintiffs challenging tracking technology must present actual evidence identifying what allegedly private information was disclosed and cannot rely on abstract and speculative alleged injuries to confer Article III standing.  An Article III standing defense remains effective, and companies should consider asserting it throughout litigation, balanced against the prospect of the case continuing in state court.

Data Security and Privacy Liability – Takeaways From The Sedona Conference Working Group 11 Annual Meeting in Kansas City, MO

By Justin R. Donoho

Duane Morris Takeaways: Data privacy and data breach class action litigation continue to explode.  At the Sedona Conference Working Group 11 on Data Security and Privacy Liability, in Kansas City, Missouri, on May 5-6, 2025, Justin Donoho of the Duane Morris Class Action Defense Group served as a dialogue leader for two panel discussions, “Privacy and Data Security Litigation Update” and “Legislative Drafting Considerations: Lessons from Colorado’s Privacy and AI Law Intersection.”  The working group meeting, which spanned two days and had over 50 participants, produced excellent dialogues on these topics and others including unique procedural aspects of data breach class actions, data privacy primer, onward transfer of consumer PII in M&A and bankruptcy contexts, privacy and data security state regulator roundtable, and application of attorney-client privilege in the cybersecurity context.

The Conference’s robust agenda featured over 30 dialogue leaders from a wide array of backgrounds, including federal and state regulators and governmental officials, data security industry experts, in-house attorneys, cyberlaw professors, plaintiffs’ attorneys, and defense attorneys.  In a masterful way, the agenda provided valuable insights for participants toward this working group’s mission, which is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.

Justin had the privilege of speaking about current trends in data privacy class actions and lessons from the intersection of the Colorado Privacy Act (CPA) and Colorado AI Act (CAIA) and how these lessons might guide future legislatures when drafting AI and data privacy statutes.  Highlights from his presentations included two recent cases resulting in helpful precedent for defendants facing cases alleging privacy violations for their uses of website advertising technologies (adtech), including a case that disposed of a claim under the California Invasion of Privacy Act under the rule of lenity (see here), and a case that dismissed an adtech class action due to failure to allege highly offensive conduct (see here).

Finally, one of the greatest joys of participating in Sedona Conference meetings is the opportunity to draw on the wisdom of fellow presenters and other participants from around the globe.  Highlights included:

  1. Litigators from both sides of the “v.” and a neutral debating early case procedural rules and practices, choice of law, and discovery mechanisms in the context of data breach class actions, with an unprompted shoutout to the Duane Morris Class Action Review for supplying statistics.
  2. Sedona Conference veterans discussing Sedona’s latest version of a data privacy primer and the proper level of detail to include in this document ten years in the making in order to keep it reasonably current to account for the rapid evolution of data privacy laws and related developments in artificial intelligence.
  3. Panelists with different backgrounds discussing the law regarding when a company that has obtained personal data with consent can and cannot transfer the data in M&A and bankruptcy contexts.
  4. A lively dialogue among some of my panelists and other participants regarding trends in decisions regarding mass arbitration protocols and whether a company’s use of website advertising technology is highly offensive to a reasonable person.
  5. Federal and state regulators discussing enforcement priorities and issuances of advisory opinions in the contexts of data breaches, alleged data privacy violations, and concerns regarding national security.
  6. Data breach litigators discussing factors to consider when conducting dual track investigations following a cybersecurity incident in order to segregate and maintain confidentiality over attorney work product and attorney-client communications.
  7. A lively dialogue among some of my panelists and other participants regarding whether compliance with AI and antidiscrimination statutes should provide a safe harbor for compliance with data privacy statutes including, for example, the heavily litigated California Invasion of Privacy Act.

Thank you to the Sedona Conference Working Group 11 and its incredible team, the fellow dialogue leaders, the engaging participants, and all others who helped make this meeting in Redmond, Washington, an informative and unforgettable experience.

Finally, I want to share the exciting news that I have been selected as a new steering committee member of Working Group 11.  Thank you, Sedona!  In this role, I will help lead the identification of cutting-edge issues and oversee development of principles, guidelines, commentaries and other projects representing the work product of the Sedona Conference.


AbbVie Defeats Genetic Privacy Class Action Because Request For Plaintiff’s Family Medical History Was Not A “Condition Of Employment”

By Gerald L. Maatman, Jr., Tyler Zmick, and Hayley Ryan

Duane Morris Takeaways:  In Henry v. AbbVie, Inc., No. 23-CV-16830 (N.D. Ill. Mar. 20, 2026), Judge Manish S. Shah of the U.S. District Court for the Northern District of Illinois granted defendant’s motion for summary judgment and dismissed a claim brought under the Illinois Genetic Information Privacy Act (“GIPA”). In his ruling, Judge Shah determined that the alleged request for plaintiff’s family medical history (which history Plaintiff did not provide) during his pre-employment medical screening was not a “condition of employment.” The decision is welcome news for employers that ask employees to undergo medical exams. The ruling indicates that an employer does not necessarily request genetic information “as a condition of employment” by requiring an employee to undergo a medical exam (even if an employee is asked to disclose genetic information during the exam).

Background

Plaintiff Daniel Henry was assigned to work for Defendant AbbVie, Inc., a biopharmaceutical company. During the onboarding process, Plaintiff was required to undergo a “medical surveillance,” which included “questionnaires, blood work, and a brief physical exam.” Henry v. AbbVie, Inc., 2026 WL 788630, at *2 (N.D. Ill. Mar. 20, 2026).

AbbVie used Premise Health, a third-party healthcare provider, to conduct Plaintiff’s medical screening. During the screening, Premise Health nurses asked Plaintiff to complete a written questionnaire and to undergo a physical examination. “Section U” of the questionnaire asked for Plaintiff’s genetic information (specifically, his family medical history), though Plaintiff did not complete that part of the form. Plaintiff claimed that nurses also verbally asked for his family medical history during the physical exam. After the exam, Plaintiff worked at an AbbVie facility in Illinois for four months.

Plaintiff subsequently sued AbbVie under the GIPA, alleging that the company violated Section 25(c)(1) of the statute by “solicit[ing], request[ing], [or] requir[ing] . . . genetic information of a person or a family member of the person . . . as a condition of employment [or] preemployment application.”  410 ILCS 513/25(c)(1).

AbbVie first responded to Plaintiff’s Complaint by moving to dismiss under Federal Rule of Civil Procedure 12(b)(6). Judge Shah denied AbbVie’s motion to dismiss after determining that the family medical history information sought during the medical screening constituted “genetic information” under the GIPA. See Henry v. AbbVie, Inc., 2024 WL 4278070, at *5-6 (N.D. Ill. Sept. 24, 2024).

AbbVie later moved for summary judgment, arguing that: (1) AbbVie did not request Plaintiff’s genetic information because third-party Premise Health (not AbbVie) conducted the screening; (2) even if AbbVie requested Plaintiff’s genetic information, the request was inadvertent because the medical questionnaire instructed Plaintiff to not disclose genetic information; and (3) AbbVie did not condition Plaintiff’s work status or assignment on any request for his genetic information.

The Court’s Decision

The Court granted AbbVie’s motion for summary judgment. While the Court was not persuaded by AbbVie’s first two arguments, it concluded that AbbVie’s third argument warranted dismissal of Plaintiff’s GIPA claim.

Request for Genetic Information

The Court first considered whether AbbVie can be characterized as having requested Plaintiff’s family medical history despite third-party Premise Health having conducted the medical screening. In answering in the affirmative, the Court relied on the GIPA’s incorporation of certain protections found in the federal Genetic Information Nondiscrimination Act (“GINA”). See 410 ILCS 513/25(a) (“An employer … shall treat genetic testing and genetic information in such a manner that is consistent with the requirements of federal law, including but not limited to [GINA].”). The Court cited a regulation promulgated under GINA providing that an employer that requires employees or applicants to undergo medical examinations “must tell health care providers not to collect genetic information, including family medical history, as part of a medical examination intended to determine the ability to perform a job.” 29 C.F.R. § 1635.8(d). Based on this federal regulation, the Court concluded that “[n]ot telling Premise Health to elicit genetic information is not enough; the [GIPA] requires an affirmative instruction not to elicit it.” Henry, 2026 WL 788630, at *5.

Inadvertent Disclosure

AbbVie’s second argument turned on the GIPA’s “inadvertent exception,” which states that “inadvertently requesting family medical history by an employer … does not violate this Act.” 410 ILCS 513/25(g). The Court observed that AbbVie’s health questionnaire advised Plaintiff to “not provide any genetic information, including family medical history.” Henry, 2026 WL 788630, at *6 (citation omitted). Thus, the Court held that the inadvertent exception barred Plaintiff’s claim to the extent it was premised on the written questionnaire. See id. (“The disclaimer on AbbVie’s form was enough to make any disclosure on the form inadvertent.”). But the Court determined that the exception did not necessarily bar Plaintiff’s claim to the extent it was premised on nurses orally asking for his family medical history. See id. (“[T]he written disclaimer in the form does not necessarily mean that [Plaintiff] knew that he should not disclose genetic information in response to verbal questions during his physical exam.”) (emphasis added).

Request as a Condition of Employment

Finally, the Court turned to AbbVie’s argument that Plaintiff’s claim failed because any request for his family medical history was not a condition of his employment. See 410 ILCS 513/25(c)(1) (an employer may not “solicit, request, [or] require … genetic information of a person or a family member of the person … as a condition of employment [or] preemployment application”) (emphasis added). The Court agreed with AbbVie and granted the company’s motion for summary judgment on this basis, holding that no genuine issue of material fact existed as to whether AbbVie’s request for Plaintiff’s family medical history was a condition of his employment. The Court further noted that “the request for genetic information on the written questionnaire was not a condition of [Plaintiff’s] employment, for the simple fact that [Plaintiff] did not fill out that section and it did not affect his employment with AbbVie.” Henry, 2026 WL 788630, at *6.

Moreover, the Court concluded that even if Plaintiff was required to undergo a medical exam to be eligible to work at AbbVie, that did not mean that the verbal request for his family medical history (made during the exam) was a condition of his employment. See id. at *7. The Court thus recognized an important distinction between (i) AbbVie requiring Plaintiff to undergo a medical screening as a condition of employment and (ii) AbbVie specifically requesting Plaintiff’s family medical history as a condition of employment. See id. (“[T]hat [Plaintiff] could not decline to complete his medical surveillance does not create a genuine dispute over whether the verbal request during his exam was a condition of his employment. The undisputed evidence is that a contractor could decline parts of the surveillance and still have the surveillance considered completed.”). Accordingly, because AbbVie did not condition Plaintiff’s employment on a request for his genetic information, the Court granted summary judgment in the company’s favor.

Takeaways For Companies

As noted in a prior blog post, recent decisions suggest that courts may be hesitant to dismiss GIPA claims (especially at the pleading stage). Given the GIPA statute’s strict penalty provision – under which statutory damages can quickly become significant ($2,500 per negligent violation and $15,000 per intentional or reckless violation, see 410 ILCS 513/40(a)(1)-(2)) – we have advised employers to ensure they comply with the statute regarding any health screenings they ask applicants or employees to complete (including by explicitly advising applicants and employees not to disclose their family medical histories during the screenings).

In this plaintiff-friendly litigation landscape, the Henry decision comes as welcome news for GIPA defendants and companies that have employees undergo medical screenings. Importantly, Henry suggests that an employer does not necessarily violate the GIPA by requesting an employee’s genetic information “as a condition of employment” by merely directing her to undergo a medical exam (during which the employee may or may not be asked to provide her family medical history).

Massachusetts Federal Court Dismisses Adtech ECPA Class Action For Failure To Allege Defendants Purposefully Committed A Criminal Act, Furthering Split Of Authority

By Gerald L. Maatman, Jr., Justin Donoho, and Hayley Ryan

Duane Morris Takeaways: On March 6, 2026, in Progin v. UMass Memorial Health Care, Inc., No. 25-CV-40003, 2026 U.S. Dist. LEXIS 46522 (D. Mass. Mar. 6, 2026), Judge Allison D. Burroughs of the U.S. District Court for the District of Massachusetts granted a motion to dismiss a class action complaint brought by website users against Massachusetts health care and hospital entities. Plaintiffs alleged that the defendants’ use of website advertising technology (“adtech”) violated the federal Wiretap Act, also known as the Electronic Communications Privacy Act (“ECPA”).  Following another similar ruling in the same court,  see Goulart v. Cape Cod Healthcare, Inc., 2025 U.S. Dist. LEXIS 119435 (D. Mass. June 24, 2025),  the decision is significant because it reflects the Massachusetts Federal court’s alignment with other federal courts (including the U.S. District Court for the Southern District of Texas, as we blogged about here) that have interpreted the ECPA in a defense-friendly manner. In contrast, courts in other jurisdictions (including Illinois Federal courts, as we blogged about here) have adopted more plaintiff-friendly interpretations, further deepening the emerging split of authority in adtech privacy litigation.

Background

Progin is one of a legion of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in websites secretly captured plaintiffs’ web-browsing data and transmitted that data to Meta, Google, and other online advertising agencies and data analytics companies.

In these adtech and similar internet-based technology class actions, plaintiffs frequently rely on the ECPA’s statutory damages provision. Their theory is simple: multiply the number of website visitors – potentially hundreds of thousands – by $10,000 in statutory damages per claimant to produce enormous potential exposure. Although plaintiffs have filed a majority of these lawsuits to date against healthcare providers, they have filed suits against companies that span nearly every industry including education, retailers, and consumer products. Some of these cases have resulted in multimillion-dollar settlements, while others have been dismissed at the pleading stage (as we blogged about here) or the summary judgment stage (as we blogged about here), and the vast majority remain undecided.

In Progin, the plaintiffs sued a group of health care and hospital entities, seeking to represent a class of patients whose personal health information was allegedly disclosed by the Meta Pixel installed on defendants’ websites. The plaintiffs claimed that these alleged transmissions constituted an “interception” by defendants in violation of the ECPA.

Under the ECPA, a “party to the communication” generally cannot be sued unless it intercepted the communication “for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d). This provision is commonly referred to as the “crime-tort exception.”

Plaintiffs argued that alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) served as the predicate crime to trigger this exception. Specifically, plaintiffs argued that defendants were liable under the crime-tort exception because they intercepted and disclosed plaintiffs’ communications and personal information to third parties without consent in violation of HIPAA. 2026 U.S. Dist. LEXIS 46522, at *11.

The defendants moved to dismiss, arguing that the crime-tort exception did not apply because they did not install the Meta Pixel “for the distinct purpose of violating HIPAA or perpetrating a tort.” Id. at *11-12.

The Court’s Decision

The Court agreed with defendants and granted their motion to dismiss, holding that the amended complaint’s allegations “do not support the inference that Defendants purposefully committed the ‘criminal and tortious acts’ specified by Plaintiffs.” Id. at *13-14.

As the Court explained, based on the alleged predicate acts, plaintiffs were required to plausibly allege that defendants “purposefully used or caused to be used” plaintiffs’ unique health identifiers without authorization; “purposefully disclosed” plaintiffs’ individually identifiable health information to Facebook or Google without authorization; or “purposefully invaded” plaintiffs’ privacy.  Id. at *12-13.

Importantly, the Court emphasized that merely alleging that defendants knowingly committed such acts is insufficient because “‘purpose’ is an essential element of ECPA, distinct from the minimal intent [of knowingness] required under HIPAA.” Id. at *13 (quoting Doe v. Lawrence Gen. Hosp., 2025 U.S. Dist. LEXIS 195964, at *32 (D. Mass. Aug. 29, 2025)). The Court further explained that “[i]t is not enough that a crime or tort [may have been] a . . . side effect of the interception.” Id. at *14 (quoting Doe, 2025 U.S. Dist. LEXIS 195964, at *30).

Implications For Companies

The decision in Progin is a big win for healthcare providers and other defendants facing adtech class actions. This ruling reinforces a critical principle in ECPA and other privacy-based litigation: the defendants’ state of mind matters.

Under the ECPA’s HIPAA-based crime-tort exception, as well as under similar privacy statutes such as the Video Privacy Protection Act (“VPPA”), liability depends on the defendant’s knowledge and purpose. Where a defendant lacks knowledge that transmitted data is tied to specific individuals, or lacks the purpose to disclose identifiable information, the statutory requirements for liability may not be satisfied.

Accordingly, Progin provides strong authority for defendants to argue that routine adtech data transmissions cannot satisfy the purposeful intent requirements of the ECPA’s HIPAA-based crime-tort exception or similarly worded privacy statutes – a position that may prove critical as courts continue to confront the growing wave of adtech privacy class actions.

Hot Off The Presses! The Duane Morris Data Breach Class Action Review – 2026 And The Duane Morris Privacy Class Action Review – 2026!

By Gerald L. Maatman, Jr. and Jennifer A. Riley

Duane Morris Takeaways: Data breaches are becoming increasingly common and detrimental to companies. The scale of data breach class actions continued its record growth in 2025, as companies faced copycat and follow-on lawsuits across multiple jurisdictions. The last year also saw a virtual explosion in privacy class action litigation. As a result, compliance with privacy and data privacy laws in the myriad of ways that companies interact with employees, customers, and third parties is a corporate imperative.

To that end, the class action team at Duane Morris is pleased to present the third editions of the Data Breach Class Action Review – 2026 and the Privacy Class Action Review – 2026. These publications analyze the key data breach and privacy-related rulings and developments in 2025 and the significant legal decisions and trends impacting data breach and privacy class action litigation for 2026. We hope that companies and employers will benefit from this resource and that it will assist them with their compliance with these evolving laws and standards.

Click here to download a copy of the Duane Morris Data Breach Class Action Review – 2026 eBook.

Click here to download a copy of the Duane Morris Privacy Class Action Review – 2026 eBook.

Stay tuned for more data breach and privacy class action analysis coming soon on our weekly podcast, the Class Action Weekly Wire.

Third Circuit Affirms Dismissal Of CIPA Adtech Class Action Because A Party To A Communication Cannot Eavesdrop On Itself

By Gerald L. Maatman, Jr., Justin R. Donoho, Hayley Ryan, and Ryan Garippo

Duane Morris Takeaways: On November 13, 2025, in Cole, et al. v. Quest Diagnostics, Inc., 2025 U.S. App. LEXIS 29698 (3d Cir. Nov. 13, 2025), the U.S. Court of Appeals for the Third Circuit affirmed a ruling of the U.S. District Court for the District of New Jersey dismissing a class action complaint brought by website users against a diagnostic testing company alleging that the company’s use of website advertising technology violated the California Invasion of Privacy Act (“CIPA”) and California’s Confidentiality of Medical Information Act (“CMIA”).

The ruling is significant because it confirms two important principles: (1) CIPA’s prohibition against eavesdropping does not apply to an online advertising company, like Facebook, when it directly receives information from the users’ browser; and (2) the CMIA is not triggered unless plaintiffs plausibly allege the disclosure of substantive medical information.

Background

This case is one of a legion of nationwide class actions that plaintiffs have filed alleging that third-party technologies (“adtech”) captured user information for targeted advertising. These tools, such as the Facebook Tracking Pixel, are widely used across millions of consumer products and websites.

In these cases, plaintiffs typically assert claims under federal or state eavesdropping statutes, consumer protection laws, or other privacy statutes. Because statutes like CIPA allow $5,000 in statutory damages per violation, plaintiffs frequently seek millions, or even billions, in potential recovery, even from midsize companies, on the theory that hundreds of thousands of consumers or website visitors, times $5,000 per claimant, equals a huge amount of damages. While many of these suits initially targeted healthcare providers, plaintiffs have sued companies across nearly every industry, including retailers, consumer products companies, universities, and the adtech companies themselves.

Several of these cases have resulted in multimillion-dollar settlements; others have been dismissed at the pleading stage (as we blogged about here) or at the summary judgment stage (as we blogged about here and here). Still, most remain undecided, and with some district courts allowing adtech class actions to survive motions to dismiss (as we blogged about here), the plaintiffs’ bar continues to file adtech class actions at an aggressive pace.

In Cole, the plaintiffs alleged that the defendant diagnostic testing company used the Facebook Tracking Pixel on both its general website and its password-protected patient portal.  Id. at *1-2.  According to the plaintiffs, when a user accessed the general website, the Pixel intercepted and transmitted to Facebook “the URL of the page requested, along with the title of the page, keywords associated with the page, and a description of the page.” Id. at *2-3. Likewise, when a user accessed the password-protected website, the Pixel allegedly transmitted the URL “showing, at a minimum, that a patient has received and is accessing test results.” Id. at *3.

Plaintiffs asserted that these transmissions constituted (1) a CIPA violation because the company supposedly aided Facebook in “intercepting” plaintiffs’ internet communications, and (2) a CMIA violation because the company allegedly disclosed URLs associated with webpages plaintiffs accessed to view test results along with plaintiffs’ identifying information linked to users’ Facebook accounts. Id. at *3.

The company moved to dismiss, and, in separate orders, the district court dismissed both claims. See 2024 U.S. Dist. LEXIS 116350; 2025 U.S. Dist. LEXIS 7205.

As to the CIPA claim, the district court found that CIPA “is aimed only at ‘eavesdropping, or the secret monitoring of conversations by third parties,’” and that Facebook was not a third party because it received information directly from plaintiffs’ browsers about webpages they visited. 2025 U.S. Dist. LEXIS 7205, at *7-8 (quoting In Re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125, 140-41 (3d Cir. 2015)).  As to the CMIA claim, the district court found that plaintiffs alleged only that the company disclosed that a patient accessed test results but not what kind of medical test was done or what the results were. 2024 U.S. Dist. LEXIS 116350, at *15. Accordingly, the district court held that plaintiffs failed to allege the disclosure of “substantive” medical information as required under the CMIA. Id.

Plaintiffs appealed both rulings.

The Court’s Decision

The Third Circuit affirmed. Id. at *1.

On the CIPA claim, the Third Circuit explained that “[a]s a recipient of a direct communication from Plaintiffs’ browsers, Facebook was a participant in Plaintiffs’ transmissions such that [the company] did not aid or assist Facebook in eavesdropping on or intercepting such communications, even if done without the users’ knowledge.” 2025 U.S. App. LEXIS 29698, at *6.  With no eavesdropping, “Plaintiffs’ CIPA claim was properly dismissed.” Id. at *7.

On the CMIA claim, the Third Circuit explained that “at most, Plaintiffs alleged that [the company] disclosed Plaintiffs had been its patients, which is not medical information protected by CMIA.” Id. at *8. Thus, the Third Circuit held that the district court properly dismissed the CMIA claim. Id. at *9.

Implications For Companies

Cole offers strong precedent for any company defending adtech class action claims (1) brought under CIPA’s eavesdropping provision where the third-party adtech company directly receives the information from users’ browsers and (2) brought under the CMIA where the alleged disclosure merely shows that a person was a patient, without revealing any substantive information about the person’s medical condition or test results.

The latter point continues to appear across adtech class actions.  Just as the plaintiffs in Cole failed to plausibly allege the disclosure of substantive medical information,  courts have dismissed similar claims where plaintiffs allege disclosure of protected health information (“PHI”) without actually identifying what PHI was supposedly shared (as we blogged about here).  These decisions reinforce that adtech plaintiffs must identify the specific medical information allegedly disclosed to plausibly plead claims under the CMIA or for invasion of privacy.

California Federal Court Dismisses Adtech Class Action For Failure To Specify Highly Offensive Invasion Of Privacy

By Gerald L. Maatman, Jr., Justin R. Donoho, Tyler Zmick, and Hayley Ryan

Duane Morris Takeaways:  On October 30, 2025, in DellaSalla, et al. v. Samba TV, Inc., 2025 WL 3034069 (N.D. Cal. Oct. 30, 2025), Judge Jacqueline Scott Corley of the U.S. District Court for the Northern District of California dismissed a complaint brought by TV viewers against a TV technology company alleging that the company’s provision of advertising technology in the plaintiffs’ smart TVs committed the common law tort of invasion of privacy and violated the Video Privacy Protection Act (“VPPA”), the California Invasion of Privacy Act (“CIPA”), and California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA”).  The ruling is significant as it shows that in the hundreds of adtech class actions across the nation alleging that adtech violates privacy laws, plaintiffs do not plausibly state a common law claim for invasion of privacy unless they specify in the complaint the information allegedly disclosed and explain how such a disclosure was highly offensive.  The case is also significant in that it shows that the VPPA does not apply to video analytics companies, and that California privacy statutes do not apply extraterritorially to plaintiffs located outside California.

Background

This case is one of a legion of class actions that plaintiffs have filed nationwide alleging that third-party technology captured plaintiffs’ information and used it to facilitate targeted advertising. 

This software, often called advertising technologies or “adtech,” is a common feature of millions of consumer products and websites in operation today.  In adtech class actions, the key issue is often a claim brought under a federal or state wiretap act, a consumer fraud act, or the VPPA, because plaintiffs often seek millions (and sometimes even billions) of dollars, even from midsize companies, on the theory that hundreds of thousands of consumers or website visitors, times $2,500 per claimant in statutory damages under the VPPA, for example, equals a huge amount of damages.  Plaintiffs have filed the bulk of these types of lawsuits to date against healthcare providers, but they have filed suits against companies that span nearly every industry including retailers, consumer products, universities, and the adtech companies themselves.  Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, and the vast majority remain undecided. 

In DellaSalla, the plaintiffs brought suit against a TV technology company that embedded a chip with analytics software in plaintiffs’ smart TVs.  Id. at *1, 5.  According to the plaintiffs, the company intercepted the plaintiffs’ “private video-viewing data in real time, including what [t]he[y] watched on cable television and streaming services,” and tied this information to each plaintiff’s unique anonymized identifier in order to “facilitate targeted advertising,” all allegedly without the plaintiffs’ consent.  Id. at *1.  Based on these allegations, the plaintiffs claimed that the TV technology company violated the CIPA, CDAFA, and VPPA, and committed the common-law tort of invasion of privacy. 

The company moved to dismiss, arguing that the CIPA and CDAFA did not apply because the plaintiffs were located outside California, that the VPPA did not apply because the TV technology company was not a “video tape service provider,” and that the plaintiffs failed to plausibly allege a highly offensive violation of a privacy interest.

The Court’s Decision

The Court agreed with the TV technology company and dismissed the complaint in its entirety, with leave to amend any existing claims but not to add any additional claims without further leave.

On the CIPA and CDAFA claims, the Court found that the plaintiffs did not allege that any unlawful conduct occurred in California.  Instead, the plaintiffs alleged that the challenged conduct occurred in their home states of North Carolina and Oklahoma.  Id. at *1, 3-4.  For these reasons, the Court dismissed the CIPA and CDAFA claims, finding that these statutes do not apply extraterritorially.  Id.

On the VPPA claim, the Court addressed the VPPA’s definition of  “video tape service provider,” which is “any person, engaged in the business … of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials.”  Id. at *5.  The plaintiffs argued that the TV technology company was a video tape service provider “because its technology is incorporated in Smart TVs, which deliver prerecorded videos.  [The defendant] advertises its technology precisely as providing a ‘better viewing experience’ ‘immersive on-screen experiences’ and a ‘more tailored ad experience’ through its technology.”  Id.  The Court rejected this argument. It held that “[t]his allegation does not plausibly support an inference, [the defendant]—an analytics software provider—facilitated the exchange of a video product. Rather, the allegations support an inference [the defendant] collected information about Plaintiffs’ use of a video product, but not that it provided the product itself.”  Id. (emphasis added).

On the common law claim for invasion of privacy, the TV technology company argued that this claim failed because the plaintiffs “have no expectation of privacy in the information it collects and Plaintiffs have not alleged a highly offensive intrusion.”  In examining this argument, the Court noted that Plaintiff had only provided “vague references” to the information supposedly intercepted.  Id. at *4.  This information included video-viewing data generally (none specified) tied to an anonymized identifier.  Id. at *1, 5.  Thus, the Court agreed with the defendant’s argument and found that plaintiffs identified “no embarrassing, invasive, or otherwise private information collected” and no explanation of how the tracking of video viewing history with an anonymized ID caused plaintiffs “to experience any kind of harm that is remotely similar to the ‘highly offensive’ inferences or disclosures that were actionable at common law.”  Id. at *5.  In sum, the Court concluded that “Plaintiffs have not plausibly alleged a highly offensive violation of a privacy interest.”

Implications For Companies

DellaSalla provides powerful precedent for any company opposing adtech class action claims (1) brought under statutes enacted in states other than the plaintiffs’ place of residence; (2) brought under the federal VPPA where the company allegedly transmitted video usage information, as opposed to any videos themselves; and (3) alleging common-law invasion of privacy, where the plaintiffs have not specified the information disclosed and why such a disclosure is highly offensive.

The last point is a recurring theme in adtech class actions. Just as this plaintiff suing a TV technology company did not plausibly state a common-law claim for invasion of privacy without identifying the videos watched and any highly offensive harm in associating those videos with an anonymized ID, a plaintiff alleging adtech’s disclosure of protected health information (“PHI”), without specifying the PHI allegedly disclosed, likewise did not plausibly state a claim for invasion of privacy (as we blogged about here). These cases show that for adtech plaintiffs to plausibly plead claims for invasion of privacy, they at least need to identify what allegedly private information was disclosed and explain how the alleged disclosure was highly offensive.

California Federal Court Narrows CIPA “In-Transit” Liability for Common Website Advertising Technology and Urges Legislature to Modernize Privacy Law

By Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Tyler Zmick

Duane Morris Takeaways: On October 17, 2025, in Doe v. Eating Recovery Center LLC, No. 23-CV-05561, ECF 167 (N.D. Cal. Oct. 17, 2025), Judge Vince Chhabria of the U.S. District Court for the Northern District of California granted summary judgment to Eating Recovery Center, finding no violation of the California Invasion of Privacy Act (CIPA) where the Meta Pixel collected website event data. Specifically, the Court held that Meta did not “read” those contents while the communications were “in transit.” In so holding, the Court applied the rule of lenity, construed CIPA narrowly, and urged the California Legislature “to step up” and modernize the statute for the digital age. Id. at 2.

This decision is significant because Judge Chhabria candidly described CIPA as “a total mess,” noting it is often “borderline impossible” to determine whether the law – enacted in 1967 to criminalize wiretapping and eavesdropping on confidential communications – applies to modern internet transmissions. Id. at 1. As the Court observed, CIPA “was a mess from the get-go, but the mess gets bigger and bigger as the world continues to change and as courts are called upon to apply CIPA’s already-obtuse language to new technologies.” Id.  This is a “must read” decision for corporate counsel dealing with privacy issues and litigation.

Background

This class action arose after plaintiff, Jane Doe, visited Eating Recovery Center’s (ERC) website to research anorexia treatment and later received targeted advertisements. Plaintiff alleged that ERC’s use of the Meta Pixel caused Meta to receive sensitive URL and event data from her interactions with ERC’s site, resulting in targeted ads related to eating disorders.

ERC had installed the standard Meta Pixel on its website, which automatically collected page URLs, time on page, referrer paths, and certain click events to help ERC build custom audiences for advertising. Id. at 3. Plaintiff alleged that ERC’s use of the Pixel allowed Meta to intercept her communications in violation of CIPA, Cal. Penal Code § 631(a). She also brought claims under the California Medical Information Act (CMIA), the California Unfair Competition Law (UCL), and for common law unjust enrichment. The UCL claim was dismissed at the pleading stage.

ERC later moved for summary judgment on the remaining CIPA, CMIA, and unjust enrichment claims. In a separate order, the Court granted summary judgment on the CMIA and unjust enrichment claims, finding that plaintiff was not a “patient” under the CMIA and that there was no evidence ERC had been unjustly enriched. See id., ECF 168 at 1-2.

The Court’s Decision

With respect to the CIPA claim, the parties disputed two elements under CIPA § 631(a): (1) whether the event data obtained by Meta constituted “contents” of plaintiff’s communication with ERC, and (2) whether Meta read, attempted to read, or attempted to learn those contents while they were “in transit.” ECF 167 at 6.

The Court first held that URLs and event data can constitute the “contents” of a communication because they can reveal substantive information about a user’s activities – such as researching medical treatment. Id. at 7. The court thus deviated from other courts that have held differently on this particular issue when considering additional facts or allegations not addressed by this court (such as encryption, and inability to reasonably identify the data among lines of code).  However, the Court concluded that Meta did not read or attempt to learn any contents while the communications were “in transit.” Instead, Meta processed the data only after it had reached its intended recipient (i.e., ERC, the website operator).

In reaching that conclusion, Judge Chhabria relied on undisputed testimony about Meta’s internal filtering processes: “Meta’s corporate representative testified that, before logging the data that it obtains from websites, Meta filters URLs to remove information that it does not wish to store (including information that Meta views as privacy protected).” Id. at 8.

This evidence supported the finding that Meta’s conduct involved post-receipt filtering rather than contemporaneous “reading” or “learning.” Id. at 9. The Court emphasized that expanding “in transit” to include post-receipt processing would improperly criminalize routine website analytics practices. Because CIPA is both a criminal statute and a source of punitive civil penalties, the Court applied the rule of lenity to adopt a narrow interpretation. Id. at 11-12. The Court further cautioned that an overly broad reading would render CIPA’s related provision (§ 632, prohibiting eavesdropping and recording) largely redundant. Id. at 10.

Finding that Meta did not read, attempt to read, or attempt to learn the contents of Doe’s communications while they were in transit, the court granted summary judgment to ERC on the CIPA claim. Id. at 12.

The opinion concluded by reiterating that California’s decades-old wiretap law is “virtually impossible to apply [] to the online world,” urging the Legislature to “go back to the drawing board on CIPA,” and suggesting that it “would probably be best to erase the board entirely and start writing something new.” Id.

Implications For Companies

The Doe decision narrows one significant avenue for CIPA liability, particularly for routine use of website analytics and advertising pixels. The Northern District of California has now drawn a distinction between data “read” while in transit and data processed after receipt, significantly reducing immediate CIPA exposure for standard web advertising tools.

At the same time, the court’s reasoning underscores that pixel-captured data may be considered by some courts as “contents” of a communication under CIPA, although there is a split of authority on this issue. Companies could therefore face potential exposure under other California privacy statutes, including the CMIA, the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA), depending on the data involved and how it is used.

Organizations should continue to inventory the data they share through advertising technologies, minimize sensitive information in URLs, and ensure clear and accurate privacy disclosures. Because the court expressly invited legislative reform, companies should also monitor ongoing case law and potential statutory amendments.

Ultimately, Doe v. Eating Recovery Center reflects a pragmatic narrowing of CIPA’s “in transit” requirement while reaffirming that CIPA was not intended to cover common website advertising technologies or, in any event, should not be interpreted as such given the harsh statutory penalties involved and the rule of lenity, as the Supreme Judicial Court of Massachusetts concluded regarding Massachusetts’ wiretap act (as we previously blogged about here). While this case is a big win for website operators, companies relying on third-party analytics should treat this decision as guidance, not immunity, and continue adopting privacy-by-design principles in their data collection and vendor management practices.

The NBA Sinks The Second Shot: New York Federal Court Grants Second Motion To Dismiss In Putative Privacy Class Action

By Gerald L. Maatman, Jr., Ryan T. Garippo, and Elizabeth G. Underwood

Duane Morris Takeaways: On October 6, 2025, in Salazar v. National Basketball Association, No. 22 Civ. 07935, 2025 WL 2830939 (S.D.N.Y. Oct. 6, 2025), Judge Jennifer L. Rochon of the U.S. District Court for the Southern District of New York dismissed a proposed digital privacy class action against the National Basketball Association (“NBA”) because the plaintiff failed to plausibly allege that the NBA disclosed personally identifiable information in violation of the Video Privacy Protection Act (“VPPA”).  The district court reasoned that, following Second Circuit precedent, an “ordinary person” would not be able to identify the plaintiff’s video-watching habits from the alleged Pixel transmissions.  Id. at *5.  This ruling illustrates that district courts in the Second Circuit continue to interpret the phrase “personally identifiable information” contained within the VPPA narrowly, and that the uphill burdens that plaintiffs carry on adtech and VPPA claims against corporate defendants are continuing to grow steeper.

Case Background

In Salazar v. NBA, the plaintiff, Michael Salazar (“Plaintiff”), alleged that the NBA disclosed his personal information, including personal viewing information, to Meta, the owner of Facebook and Instagram, via Meta Pixel (a common form of advertising technology or “adtech”). Id. at *1–3. According to Plaintiff, Meta Pixel is “a snippet JavaScript code” that allows online businesses to “track visitor activity on their website.” Id. at *1. When Meta Pixel is activated, it supposedly tracks the visitors and the visitors’ actions, including the pages they visit and the buttons they click. Id. Plaintiff filed his suit against the NBA on September 16, 2022. Id. at *2. He claimed that he signed up for an online newsletter to register for NBA.com and then that he separately watched videos on the NBA’s website. Id. at *1. Plaintiff also alleged that after he watched videos on the NBA’s website, not in connection with his subscription to the newsletter, his video-watching history was sent to Meta without his permission via the undisclosed use of Meta Pixel on the NBA’s website. Id. at *5. In response, the NBA filed a motion to dismiss and argued that Plaintiff failed to plead that he was a consumer of goods and services within the meaning of the VPPA, because although he alleged that he viewed audio-visual content on the NBA’s website, he did not allege that he viewed the materials that he actually subscribed to, but rather separate, free content that was offered elsewhere on the website. Put differently, the content containing adtech was not the content that created his statutory standing to sue under the VPPA. Id. at *2.

The district court agreed with the NBA and granted its first motion to dismiss under Rule 12(b)(6).  Plaintiff, however, appealed the decision to the U.S. Court of Appeals for the Second Circuit.  On appeal, the Second Circuit agreed with Plaintiff, vacated the district court’s judgment, and remanded the case, finding that the plaintiff had “plausibly pleaded” that he was a consumer under the VPPA by alleging that he had subscribed to the NBA’s digital newsletter.  Id.  The Second Circuit reasoned that as long as the plaintiff was a “subscriber” under the meaning of the VPPA, he only needed to allege that he separately viewed audio-visual content offered by the defendant in order to state a valid claim.  The Duane Morris summary of the Second Circuit’s decision is attached here which describes the opinion in more detail.

Notably, this decision was not the only time that Plaintiff raised these issues to an appellate court.  In April, the U.S. Court of Appeals for the Sixth Circuit ruled against this exact same Plaintiff on the same issue, based on the argument that a plaintiff needed to subscribe to the audio-visual content he or she alleges was actually disclosed in order to have statutory standing to sue under the VPPA.  Thus, the Sixth Circuit created the odd situation where this exact same Plaintiff, Michael Salazar, filed one lawsuit in New York where he had statutory standing and another in Tennessee where he did not.  The Duane Morris summary of the Sixth Circuit’s decision is attached here and also provides more detail.

Nonetheless, on remand from the Second Circuit, Plaintiff filed a First Amended Complaint and later filed a Second Amended Complaint.  Id.  In response, the NBA again moved to dismiss the claims under Rule 12(b)(6), this time arguing that (1) pursuant to binding Second Circuit precedent, there was no disclosure of personally identifiable information under the VPPA; and (2) the plaintiff did not allege knowing disclosure.  Id. at *3.

The Court’s Opinion

Judge Rochon agreed with the NBA and dismissed Plaintiff’s proposed VPPA class action.  Id. at *5.  In reaching its decision, the Court applied the Second Circuit’s “ordinary person” standard, which requires plaintiffs to show that the “personally identifiable information” includes information that would permit an “ordinary person” to identify a user’s video-watching habits.  Id. at *3.

Under the standard, the Court found that the personally identifiable information would not allow an ordinary person to identify Plaintiff’s video-watching habits, relying on other cases in which the Second Circuit rejected Pixel-based VPPA claims that “mirror” the allegations at issue. Id. at *3, *5; see Soloman v. Flipps Media, Inc., 136 F.4th 41, 44 (2d Cir. 2025) (finding that the complaint did not “plausibly allege that an ordinary person could identify [the plaintiff]” because an ordinary person would not be able to decipher the “c_user” cookie and corresponding string of letters to be a person’s Facebook ID); see also Hughes v. National Football League, 24-2656, 2025 WL 1720295 (2d Cir. June 20, 2025) (rejecting the argument that a user’s Facebook ID could be identified based on lines of computer code because it was not plausible that an ordinary person would conclude that the phrase was a person’s Facebook ID). The Court aligned with other district court rulings in finding unpersuasive the plaintiff’s argument that a person could use internet-based tools like ChatGPT to understand the code communication, reasoning that the argument was “insufficient to demonstrate that an ordinary person would know what to do with the c_user information to pinpoint an individual’s identity.” Id. at *5 (citing Taino v. Bow Tie Cinemas, LLC, No. 23-CV-0537, 2025 WL 2652730, at *8 (S.D.N.Y. Sept. 16, 2025)).

Although Plaintiff asked the Court not to dismiss the complaint based on the holdings in Soloman and Hughes, claiming the Soloman and Hughes line of precedent was on unstable footing, the Court independently concluded that “[t]here is no basis for this Court to find that the Second Circuit’s decision in Soloman runs afoul of the statutory text of the VPPA, and thus Plaintiff’s reliance on these [alternative] cases does not convince the Court that Soloman is soon to be overruled.”  Id. at *4.  In other words, “[b]ecause an ordinary person would not plausibly be able to identify Plaintiff’s video-watching habits as a result of the Pixel transmissions, Plaintiff has not plausibly alleged that the NBA disclosed personally identifiable information in violation of the VPPA.”  Id. at *5.

Implications For Companies

This case is a success for defendants involved in other putative adtech class actions.  Indeed, Salazar is another example of a district court applying a narrow interpretation of “personally identifiable information” under the Second Circuit’s “ordinary person” standard and has broader implications outside of the VPPA to adtech class actions generally.

As a result, if corporate counsel is faced with an adtech class action, based on commonplace technology installed on his or her organization’s website, he or she should consider raising these arguments in a motion to dismiss or shortly thereafter, as Salazar and its progeny may prove to be a powerful tool to exit a putative class action early in the litigation.
