New York Federal Court Dismisses Adtech Class Action Because No Ordinary Person Could Identify Web User

By Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Ryan Garippo

Duane Morris Takeaways:  On September 3, 2025, in Golden v. NBCUniversal Media, LLC, No. 22-CV-9858, 2025 WL 2530689 (S.D.N.Y. Sept. 3, 2025), Judge Paul A. Engelmayer of the U.S. District Court for the Southern District of New York granted a motion to dismiss with prejudice for a media company on a claim that the company’s use of website advertising technology on its website violated the Video Privacy Protection Act (“VPPA”).  The ruling is significant as it shows that in the explosion of adtech class actions across the nation seeking millions or billions of dollars in statutory damages under not only the VPPA but also myriad other statutes providing for statutory penalties on similar theories that the website owner disclosed website activities to Facebook, Google, and other advertising agencies, the statute and its harsh penalties should not be triggered because no ordinary person could access and decipher the information transmitted.

Background

This case is one of a multiplying legion of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web-browsing activity and sent it to Meta, Google, and other online advertising agencies.

This software, often called website advertising technology or “adtech,” is a common feature on corporate, governmental, and other websites in operation today.  In adtech class actions, the key issue is often a claim brought under the VPPA, a federal or state wiretap act, a consumer fraud act, and even the Illinois Genetic Information Privacy Act (GIPA), because plaintiffs often seek millions (and sometimes even billions) of dollars, even from midsize companies, on the theory that hundreds of thousands of website visitors, times $2,500 per claimant in statutory damages under the VPPA, for example, equals a huge amount of damages.  Plaintiffs have filed the bulk of these types of lawsuits to date against healthcare providers, but they also have filed suits against companies that span nearly every industry including retailers, consumer products, and universities.  Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, the vast majority remain undecided, and especially with some district courts being more permissive than others in allowing adtech class actions to proceed beyond the motion to dismiss stage (as we blogged about here), the plaintiffs’ bar continues to file adtech class actions at an alarming rate.

In Golden, the plaintiff brought suit against a media company.  According to the plaintiff, she signed up for an online newsletter offered by the media company and, thereafter, visited the media company’s website, where she watched videos.  Id. at *2-4.  The plaintiff further alleged that, after she watched those videos, her video-watching history was sent to Meta without her permission via the media company’s undisclosed use of the Meta Pixel on its website.  Id.  Like plaintiffs in most adtech class action complaints, this plaintiff: (1) alleged that before the company sent the web-browsing data to the online advertising agency (e.g., Meta), the company encrypted the data via the secure “https” protocol (id., ECF No. 56 ¶ 45); and (2) did not allege that any human had her encrypted web-browsing data or could retrieve it from the advertising agency’s algorithms or that even the advertising agency, or any other entity or person, has her web-browsing data stored or could retrieve it from the advertising agency’s algorithms in a decrypted (readable) format.  Based on these allegations, the plaintiff claimed a violation of the VPPA.

The media company moved to dismiss under Rule 12(b)(6), arguing that the plaintiff did not adequately allege that the media company “disclosed” the plaintiff’s “personally identifiable information” (“PII”), defined under the VPPA as “information which identifies a person as having requested or obtained specific video materials or services….”  Id., 2025 WL 2530689, at *5-6.

The Court’s Decision

The Court agreed with the media company and held that the plaintiff failed plausibly to plead any unauthorized “disclosure.” 

As the Court explained, “PII, under the VPPA, has three distinct elements: (1) the consumer’s identity, (2) the video material’s identity, and (3) the connection between them.”  Id. at *6.  Moreover, PII “encompasses information that would allow an ordinary person to identify a consumer’s video-watching habits, but not information that only a sophisticated technology company could use to do so.”  Id. (emphasis in original).  Therefore, “to survive a motion to dismiss, a complaint must plausibly allege that the defendant’s disclosure of information would, with little or no extra effort, permit an ordinary recipient to identify the plaintiff’s video-watching habits.”  Id.  For these reasons, explained the Court, the Second Circuit has “effectively shut the door for Pixel-based VPPA claims.”  Id. at *7 (citing Hughes v. National Football League, 2025 WL 1720295 (2d Cir. June 20, 2025)).

Applying these standards, the Court dismissed the plaintiff’s VPPA claim with prejudice, holding that, “[i]n short, because the alleged disclosure could not be appreciated — decoded to reveal the actual identity of the user, and his or her video selections — by an ordinary person but only by a technology company such as Facebook, it did not amount to PII.”  Id. at *6-7.  In so holding, the Court cited an “emergent line of authority” shutting the door on VPPA claims not only in the Second Circuit but also in other U.S. Courts of Appeal.  See In Re Nickelodeon Consumer Priv. Litig., 827 F.3d 262, 283 (3d Cir. 2016) (affirming dismissal of VPPA case involving the use of Google Analytics, stating, “To an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person”); Eichenberger v. ESPN, Inc., 876 F.3d 979, 986 (9th Cir. 2017) (affirming dismissal of VPPA case because “an ordinary person could not use the information that Defendant allegedly disclosed [a device serial number] to identify an individual”).

Implications For Companies

The Court’s holding in Golden is a win for adtech class action defendants and should be instructive for courts around the country addressing adtech class actions brought under not only the VPPA, but also other statutes prohibiting “disclosures,” and the like.  These statutes should be interpreted similarly to require proof that an ordinary person could access and decipher the web-browsing data, identify the person, and link the person to the data. 

Consider a few examples.  A GIPA claim requires proof of a disclosure or a breach of confidentiality and privilege.  An eavesdropping claim under the California Invasion of Privacy Act (CIPA) § 632 requires proof of eavesdropping.  A trap and trace claim under CIPA § 638.51 requires proof that the data captured is reasonably likely to identify the source of the data.  A claim under the Electronic Communications Privacy Act (ECPA) requires proof of an interception.

When adtech sends encrypted, inaccessible, anonymized transmissions to the advertising agency’s algorithms, has there been any disclosure or breach of confidentiality and privilege (GIPA), eavesdropping (CIPA § 632), data capture reasonably likely to identify the source (CIPA § 638.51), or interception (ECPA)?  Just as adtech transmissions are insufficient to amount to a disclosure under the VPPA, Golden shows neither should adtech transmissions trigger these similarly worded statutes because no ordinary person could access and decipher the data transmitted.

Illinois Federal Courts Allow Adtech And Edtech ECPA Claims To Proceed, Furthering Split Of Authority

By Gerald L. Maatman, Jr., Justin Donoho, Hayley Ryan, and Tyler Zmick

Duane Morris Takeaways:  On August 20, 2025, in Hannant v. Sarah D. Culbertson Memorial Hospital, 2025 WL 2413894 (C.D. Ill. Aug. 20, 2025), Judge Sara Darrow of the U.S. District Court for the Central District of Illinois granted a motion to dismiss while allowing a website user to re-plead her claim that the hospital’s use of website advertising technology (“adtech”) violated the Electronic Communications Privacy Act (“ECPA”).  The same day, in Q.J. v. Powerschool Holdings, LLC, 2025 WL 2410472 (N.D. Ill. Aug. 20, 2025), Judge Jorge Alonso of the U.S. District Court for the Northern District of Illinois denied the Chicago school board and its educational technology (“edtech”) provider’s motion to dismiss a claim that their use of a third-party data analytics tool violated the ECPA.  These rulings are significant in that they show that, in the hundreds of adtech, edtech, and other internet-based technology class actions across the nation seeking millions (or billions) of dollars in statutory damages under the ECPA, Illinois Federal courts have distinguished themselves from courts in other jurisdictions that have refused to interpret the ECPA in such a plaintiff-friendly manner.

Background

These cases are two of a legion of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web-browsing data and sent it to Meta, Google, and other online advertising agencies and/or data analytics companies.  In these adtech, edtech, and similar class actions, the key issue is often a claim brought under the ECPA on the theory that hundreds of thousands of website visitors times $10,000 per claimant in statutory damages equals a huge amount of damages.  Plaintiffs have filed the bulk of these types of lawsuits to date against healthcare providers, but they have filed suits against companies that span nearly every industry including education, retailers, and consumer products.  Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, and the vast majority remain undecided.

In Hannant, the plaintiff brought suit against a hospital.  According to the plaintiff, the hospital installed the Meta Pixel on its website, thereby transmitting to Meta, allegedly without the plaintiff’s consent, data about her visit to the hospital’s website. 

In Q.J., the plaintiff brought suit against the Chicago school board and its edtech provider.  According to the plaintiff, the school board and edtech provider installed a third-party data analytics tool called Heap Autocapture on the edtech provider’s online platform, thereby transmitting to Heap, allegedly without consent, information about the students’ visits to the online platform.

In both lawsuits, the plaintiffs claimed that these alleged events amounted to an “interception” by the defendant that violated the ECPA.  Neither defendant contested whether the plaintiff had plausibly alleged an “interception,” even though the events were more like the catching and forwarding of a different ball, not an interception: (1) as alleged in Hannant, see No. 24-CV-4164, ECF No. 14 ¶¶ 49, 363 (alleging that the communication Meta received was not the same transmission but a “duplicate[]” that was “forward[ed]”); and (2) despite the wholly conclusory allegations of a purported “interception” in Q.J.  However, both defendants moved to dismiss the claim under the ECPA on the grounds that, to the extent there was any interception, no liability exists under the ECPA pursuant to its exception where the party does not act “for the purpose of committing any criminal or tortious act.”  18 U.S.C. § 2511(2)(d).

The Courts’ Decisions

In Hannant, the Court dismissed the ECPA claim without prejudice, and granted the plaintiff leave to re-plead in a fashion that may allow such an amended complaint to withstand the ECPA claim.  Specifically, the Court found that an amendment might plausibly allege a criminal or tortious purpose by adding sufficient detail about the plaintiff’s website interactions to show that there had been a violation of the Health Insurance Portability and Accountability Act (“HIPAA”), which provides for criminal and civil penalties against a person “who knowingly … discloses individually identifiable health information [(‘IIHI’)] to another person.”  2025 WL 2413894, at *3 (quoting 42 U.S.C. § 1320d-6).  As the Court explained, under adtech class-action precedent in the U.S. District Court for the Northern District of Illinois, adding additional detail regarding alleged transmission of IIHI could be enough to allege a criminal or tortious purpose.  Id. at *3-5.

In Q.J., the Court denied the school board and edtech provider’s motion to dismiss, citing the same plaintiff-friendly precedent in the Northern District of Illinois cited by the opinion in Hannant, and explaining that while the allegedly disclosed data in this educational context did not violate the HIPAA, the plaintiff had plausibly alleged that the transmissions at issue violated the Illinois School Student Records Act (“ISSRA”), 105 ILCS 10/6, and Family Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. § 1232g.  2025 WL 2410472, at *6.

Implications For Companies

In Illinois Federal courts, pixels and cookies are no longer just marketing and educational tools – they are legal risk vectors.  By contrast, other U.S. District Courts ruling on Rule 12(b)(6) motions have found no plausibly alleged interception when an internet-based communication is forwarded as opposed to being intercepted mid-flight, and no plausibly alleged criminal or tortious purpose because the purpose was not to violate any statute but rather to engage in advertising or data analytics.  (See, e.g., our prior blog entry discussing one of these several cases, here.)  Website owners facing lawsuits in Illinois District Courts would do well to press such arguments finding success in other jurisdictions in order to preserve them for appeal in the Seventh Circuit, which has yet to rule on these issues.  In addition, other defenses remain, including demonstrating that plaintiffs cannot meet their burden of proof to show any actual disclosure where transmissions of information entered on the website to adtech vendors and data analytics providers such as Meta or Google are encrypted, ephemeral, anonymized, aggregated, and otherwise unviewable and irretrievable by any human and hence not any actual disclosure to a third party.

Corporate counsel seeking to deter ECPA litigation should keep in mind the following best practices (discussed in more detail in our prior blog post, here): (1) add or update arbitration clauses to deter class actions and mitigate the risks of mass arbitration; (2) update website terms of use, data privacy policies, and vendor agreements; and (3) audit and adjust uses of website advertising technologies.

Ninth Circuit Affirms Summary Judgment For Defendant On CIPA Claim For Aiding And Abetting Third-Party Software Provider

By Gerald L. Maatman, Jr., Justin Donoho, and Ryan Garippo

Duane Morris Takeaways:  On July 9, 2025, in Gutierrez, et al. v. Converse, Inc., No. 24-4797, 2025 WL 1895315 (9th Cir. July 9, 2025), the Ninth Circuit affirmed that a plaintiff had no evidence from which a reasonable jury could conclude that an online retailer’s use of third-party software to enable a chat feature on its website aided and abetted the third-party vendor in reading or attempting to read the contents of the plaintiff’s chat messages real-time in alleged violation of the California Invasion of Privacy Act (CIPA).  In rejecting this theory, the ruling is significant because it shows that CIPA claims involving alleged disclosures of website activities to third-party software providers cannot survive unless the plaintiff can show that the website owner enabled the third party to read unencrypted, real-time communications. 

Background

This case is one of a legion of class actions that plaintiffs have filed nationwide alleging that third-party software embedded in defendants’ websites secretly captured plaintiffs’ web-browsing activity and sent it to the third-party provider of the software.  Third-party software is a common feature on many websites today and comes in many forms including website advertising technologies (“adtech”), customer relationship management (“CRM”) software, enterprise resource management (“ERP”) software, and, as in this case, communications platforms.

In Gutierrez, Plaintiff brought suit against an online retailer.  According to Plaintiff, the retailer installed a chat feature on its public-facing website and thereby transmitted chat communications entered on the website to Salesforce, a third-party provider of the chat feature to the online retailer in the form of “software as a service” (“SaaS”).  2024 WL 3511648, at *2 (C.D. Cal. July 12, 2024). 

As usual since the Snowden disclosures in 2013, all of these transmissions between the web user, website, and third-party software provider “were encrypted while in transit.”  Id. at *3.  Moreover, as is true for all internet communications, the chats were transmitted “in different network packets.”  Id.  Thus, the uncontroverted expert evidence showed that “it is ‘virtually impossible’ to learn the contents of an internet communication while it is in transit.”  Id.

The online retailer’s chat data, including chat transcripts, were stored on Salesforce’s servers.  Id.  However, this information was accessible in unencrypted format only through the retailer’s password-protected dashboard.  Id.  Plaintiff offered no evidence to show that Salesforce had access to the retailer’s dashboard or that the retailer ever provided Salesforce access to it.  Id.

Based on these facts, Plaintiff argued that the retailer violated the CIPA by aiding and abetting Salesforce’s wiretapping or attempts to learn her chat communications on the retailer’s website. 

The District Court granted the retailer’s motion for summary judgment for multiple reasons.  First, the District Court found as a matter of law that Salesforce did not violate CIPA’s first clause prohibiting intentional wiretapping or making any unauthorized connection “with any telegraph or telephone wire, line, cable, or instrument” because “Courts have consistently interpreted this clause as applying only to communications over telephones and not through the internet.”  Id. at *6-7. 

Second, the District Court found no genuine dispute of material fact existed as to whether Salesforce had violated the second clause of CIPA, Section 631(a), “because Plaintiff has presented no evidence from which a reasonable jury could conclude Salesforce intercepts messages sent through [the retailer]’s chat feature ‘while … in transit’ or reads or attempts to read or learn the contents of such messages.”  Id. at *7.  As the District Court explained, “uncontroverted evidence establishes messages sent through [the retailer]’s chat feature are encrypted while in transit and, moreover, it is ‘virtually impossible’ to learn the contents of an internet communication while it is in transit because internet communications are transmitted ‘in different network packets[.]’”  Further, the District Court stated that “the fact that a user is redirected to a Salesforce-owned URL upon opening the chat feature on [the retailer]’s website does not establish the user’s messages are sent to Salesforce or Salesforce reads or attempts to read or learn the contents of such messages. Rather, this fact simply establishes . . . the user’s messages are transmitted to [the retailer]’s Service Cloud application.”  Id.  In addition, the District Court explained that “the existence of UUID [Universally Unique Identifier] values attached to chat messages and the mere possibility Salesforce ‘can’ use these values to ‘connect the dots’ between data are insufficient to establish a genuine issue of material fact as to whether Salesforce reads or attempts to read users’ messages while they are in transit.”  Id.

Finally, the District Court found that “because Plaintiff has not established an underlying violation of Section 631(a)’s first or second clause by Salesforce, [the retailer] cannot be liable for aiding and abetting Salesforce.”

The Ninth Circuit’s Opinion

The Ninth Circuit agreed with the retailer. It found that summary judgment for the retailer was warranted and affirmed the order below. 

In a short opinion, the Ninth Circuit affirmed the District Court’s opinion by finding that “no evidence exists from which a reasonable jury could conclude” that Salesforce engaged in wiretapping or attempted to learn Plaintiff’s chat communications on the retailer’s website and, therefore, absent an underlying violation by Salesforce, no aiding and abetting liability by the retailer.  Id., at *1.

Circuit Judge Jay Bybee agreed, filing a separate concurring opinion stating that the wiretapping claim should be affirmed because “the statute, as passed in 1967, focuses on the wiretapping of telegraph or telephone wires—it criminalizes, as relevant here, the wiretapping of a telephone call” and, thus, CIPA’s clause prohibiting wiretapping “does not apply to the internet.”  Id. at *2-3.  Further, Judge Bybee opined: “Until and unless the California appellate courts tell us otherwise, or the California legislature amends § 631(a), I refuse to apply § 631(a)’s first clause to the internet.”  Id. at *3. 

Implications For Companies

The District Court’s holding and Ninth Circuit’s affirmance in Gutierrez are a win for CIPA class action defendants and should be instructive for courts around the country.  In the hundreds of CIPA class actions alleging a defendant’s disclosure of web-browsing activities to an adtech provider, for example, the plaintiff typically does not allege that the adtech provider has any ability to read any unencrypted version of the information disclosed.  This is not surprising, since the largest adtech providers often alleged in CIPA adtech class actions typically encrypt, anonymize, aggregate, and otherwise prevent their own ability to access web users’ browsing activities in any unencrypted format. 

Gutierrez shows that adtech plaintiffs will need to show, however, that the owner of the website they visited enabled the third party adtech provider to read unencrypted, real-time communications, in order to prove their CIPA claims.

California Court Sua Sponte Dismisses CIPA Class Action For Lack Of Standing

By Gerald L. Maatman, Jr., Tyler Z. Zmick, and George J. Schaller

Duane Morris Takeaways: On April 4, 2025, in Rodriguez v. Autotrader.com, Inc., No. 24-CV-08735, 2025 U.S. Dist. LEXIS 70074 (C.D. Cal. Apr. 4, 2025), Judge R. Gary Klausner of the U.S. District Court for the Central District of California dismissed with prejudice a class action complaint which asserted violations of the California Invasion of Privacy Act (“CIPA”) for lack of standing. Plaintiff admitted she was a “tester” and knew that defendant Autotrader’s website contained tracking devices before accessing it, leading the Court to rule that Plaintiff failed to allege an unlawful use of pen registers and trace devices under the CIPA.

This ruling is welcome news for businesses sued by so-called “tester” plaintiffs, who actively seek out websites to “test” for potential CIPA violations.

Case Background

Plaintiff Rebeka Rodriguez filed a class action complaint against Autotrader.com, asserting claims under (i) CIPA § 631 for violating California’s wiretapping and eavesdropping statute and (ii) CIPA § 638.51 for violating California’s statute prohibiting the use of pen registers and trace devices.

Plaintiff claimed that Autotrader’s website immediately installs third-party tracking software that collects various types of information to deliver targeted advertising. She alleged that she ran a search containing “confidential” and “private” information using a search bar on Autotrader’s website, and that such information was then shared with third parties without her consent. Plaintiff also claimed that when she visited the website, tracking software was installed on her browser which “captured and sent identifying information to third parties.” Plaintiff admitted that she was actively seeking out privacy violations when she visited Autotrader’s website.

On March 14, 2025, the District Court granted Autotrader’s request that Plaintiff’s CIPA § 631 claim be dismissed with prejudice for lack of standing. See Rodriguez v. Autotrader.com, Inc., No. 24-CV-08735, 2025 U.S. Dist. LEXIS 47308, at *1 (C.D. Cal. Mar. 14, 2025). The Court’s March 14 order also directed the parties to show cause in writing “whether Plaintiff has standing to bring her § 638.51 claim.”  Id.

The Court’s Order

On April 4, 2025, the Court sua sponte dismissed Plaintiff’s remaining pen register claim under CIPA § 638.51 for lack of standing. The Court relied on the same analysis used in dismissing Plaintiff’s § 631 claim – specifically, Plaintiff was “a tester that actively [sought] out privacy violations,” she “had no expectation of privacy when she visited [Autotrader’s] website, and therefore, lacked an injury sufficient to establish standing.” Rodriguez v. Autotrader.com, Inc., No. 24-CV-08735, 2025 U.S. Dist. LEXIS 47308, *2 (C.D. Cal. Apr. 4, 2025). In its ruling, the Court determined that neither party disputed that Plaintiff’s § 638.51 claim “requires the same disclosure of sensitive information and reasonable expectation of privacy as her § 631 claim.” Id.

The Court was not persuaded by Plaintiff’s argument that her status as a tester did not preclude “standing even though she expected or sought out an injury,” finding her supporting authority distinguishable because the cases she relied on involved “First Amendment and ADA claims for which the plaintiffs were injured regardless of their expectations or intentions.” Id. at *3. Accordingly, the Court dismissed Plaintiff’s § 638.51 claim with prejudice.

Implications For Companies

While the ruling in Rodriguez is a positive development for businesses, the scope of the decision was limited in that Plaintiff lacked standing only because her claim required a violation of her “reasonable expectation of privacy.” “Tester” plaintiffs in other class action lawsuits frequently assert claims against website hosts and website service providers and can proceed past the motion-to-dismiss stage. 

While companies cannot prevent “tester” plaintiffs from filing similar lawsuits, companies can protect themselves from liability under the CIPA by employing safeguards on their websites in the form of data-tracking disclosures and obtaining consent from users.

Data Security and Privacy Liability – Takeaways From The Sedona Conference Working Group 11 Annual Meeting in Redmond, WA

By Justin R. Donoho

Duane Morris Takeaways:  Data privacy and data breach class action litigation continue to explode.  At the Sedona Conference Working Group 11 on Data Security and Privacy Liability, at Microsoft’s campus in Redmond, Washington, on May 7, 2025, Justin Donoho of the Duane Morris Class Action Defense Group served as a dialogue leader for two panel discussions, “Individual Liability for Data Security Failures” and “Privacy and Data Security Litigation Update.”  The working group meeting, which spanned two days and had over 50 participants, produced excellent dialogues on these topics and others including AI statutory guidance, shifting U.S. federal regulatory priorities in the privacy and data security landscape, privacy and data security state regulator roundtable, emerging issues and trends in the cyber threat landscape, and law firm data security.

The Conference’s robust agenda featured over 30 dialogue leaders from a wide array of backgrounds, including government officials, data security industry experts, a district court judge, in-house attorneys, cyber and data privacy law professors, plaintiffs’ attorneys, and defense attorneys.  In a masterful way, the agenda provided valuable insights for participants toward this working group’s mission, which is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.

Justin had the privilege of speaking about current trends in cases seeking individual liability for data security failures and in data privacy class actions.  A few of the highlights from his presentations included discussing the SEC’s case brought against SolarWinds’ CISO Michael Brown, which has CISOs worldwide on the edges of their seats (discussed in Justin’s article here), and two recent cases resulting in helpful precedent for defendants facing cases alleging privacy violations for their uses of website advertising technologies (adtech), including a case that disposed of an adtech class action due to consent by browsewrap (see here), and a case that dismissed an adtech class action due to ambiguities found in a wiretap statute (see here).

Finally, one of the greatest joys of participating in Sedona Conference meetings is the opportunity to draw on the wisdom of fellow presenters and other participants from around the globe.  Highlights included:

  1. A lively dialogue among some of my panelists and other participants regarding trends in decisions regarding Article III standing and the costs and benefits defendants should consider when deciding whether to seek dismissal due to plaintiffs’ lack of Article III standing.
  2. State regulators giving candid advice regarding what and what not to do following data breaches in terms of notifying their offices, participating in investigations, and attempting to negotiate settlements. 
  3. Experts of all stripes dissecting the Colorado Privacy Act, Colorado AI Act, and those statutes’ application to AI hiring tools in an effort to offer guidance to future legislators drafting similar statutes.
  4. Seasoned defense attorneys discussing how federal agencies responsible for rules regarding privacy and data security have responded to the new presidential administration’s “Regulatory Freeze Pending Review” memorandum, the personnel changes, actions, and reviews taken during the first months of the new administration, and the implications for regulated organizations.
  5. Cyber and cyber insurance experts leading a dialogue about emerging risks, regulatory challenges, liability concerns, and underwriting processes relating to cybersecurity.
  6. Law firm consultants addressing current issues with AI that law firms should consider when crafting their cybersecurity assessments, policies, and procedures.

Thank you to the Sedona Conference Working Group 11 and its incredible team, the fellow dialogue leaders, the engaging participants, and all others who helped make this meeting in Redmond, Washington, an informative and unforgettable experience.

For more information on the Duane Morris Class Action Group, including its Data Privacy Class Action Review e-book, and Data Breach Class Action Review e-book, please click the links here and here.

Visualize This:  The Sixth Circuit Holds That The VPPA Applies Only To Consumers Of Audio-Visual Materials

By Gerald L. Maatman, Jr., Shannon Noelle, and Ryan T. Garippo

Duane Morris Takeaways:  On April 3, 2025, in Salazar, et al. v. Paramount Global, d/b/a 247Sports, Case No. 23-5748, 2025 WL 1000139 (6th Cir. Apr. 3, 2025), the Sixth Circuit departed from two other federal circuits (i.e., the Second and Seventh Circuits) in its interpretation of “consumers” covered by the Video Privacy Protection Act (“VPPA”), and affirmed the district court’s dismissal of a putative class action on the basis that only consumers of audio-visual related materials are covered by the protections of the Act.  The Sixth Circuit’s holding narrows the scope and reach of the statute and is a welcome reprieve for companies offering video content on their websites in connection with advertising technology (“adtech”).

Background

In September 2022, Michael Salazar brought a putative class action against Paramount Global (i.e., the owner of 247Sports.com), claiming that the media company violated the VPPA because it installed Meta Pixel on its website. Salazar alleged that Meta Pixel, a form of adtech, tracked his and putative class members’ video viewing history and disclosed it to Meta without his consent.  He sought to represent a putative class of subscribers to 247Sports.com’s newsletter which contained links to articles (that could contain videos), photographs, and other content.

Salazar, however, did not allege that he was a subscriber of audio visual materials as contemplated by the statute.  18 U.S.C. § 2710(a)(1)-(4).  To the contrary, he alleged that he was a subscriber of 247Sports.com’s newsletter, and that 247Sports.com separately provided audio visual materials to its customers.  Salazar v. Paramount Global, 683 F.Supp. 3d 727, 744 (M.D. Tenn. 2023).  But, the district court determined that Salazar’s interpretation of the VPPA was “unavailing.”  Id.  Indeed, “there [was] no allegation in the complaint that Plaintiff accessed audio visual content through the newsletter (or at all, for that matter).  The newsletter [was] therefore not audio visual content, which necessarily means that Plaintiff [was] not a ‘subscriber’ under the VPPA.”  Id.

Salazar is no stranger to this legal issue.  Last year, in a virtually identical case, the U.S. District Court for the Southern District of New York dismissed a putative VPPA class action brought by Salazar on the basis that “signing up for an online newsletter did not make Salazar a VPPA subscriber.”  Salazar v. National Basketball Association, 118 F.4th 533, 536-37 (2d Cir. 2024).  Salazar appealed that decision to the Second Circuit, which reversed the lower court, and held that the VPPA protects “consumers regardless of the particular goods or services rented, purchased, or subscribed to.”  Id. at 549.  If blog readers would like to learn more about the Second Circuit’s decision, a link to our post is included here.

Salazar appealed this case on the same grounds as his Second Circuit win and asked the Sixth Circuit to determine whether he was considered a “subscriber” and thus, a “consumer” under the VPPA.

The Sixth Circuit’s Decision

The Sixth Circuit affirmed the district court’s ruling and agreed that to be considered a “consumer” under the VPPA an individual must purchase goods or services of an audio-visual nature.

Judge John Nalbandian, writing for the Sixth Circuit, reasoned that the term “subscriber” must be viewed in its broader context, and in harmony with the other words in the statute, so as not to render associational words inconsistent or superfluous.  Applying these canons, the Sixth Circuit explained that the words “goods and services” informed the meaning of the term “subscriber.”  By using the terms together, the statute was intended to encompass only audio-visual goods or services provided by a video tape service provider, as opposed to any and all goods and services provided by that company.  In other words, if a video tape service provider makes “hammers” or a “Flintstones sweatshirt or a Scooby Doo coffee mug,” a consumer of such goods would not fall under the purview of the VPPA.  Paramount Global, 2025 WL 1000139, at *10.

In so holding, the Sixth Circuit departed from the Second and Seventh Circuits, including the near-identical lawsuit brought by Salazar himself, that found the phrase “goods or services” to encompass all goods and services that a provider places in the marketplace.  Judge Rachel Bloomekatz, penning the dissent, reached the same conclusion.  She opined that, under the majority’s interpretation, a provider could “stitch[] together” non-video transactions to provide information about audio-visual transactions that could reveal a consumer’s personal information.  Id. at *12.  The majority found such concerns unavailing and reasoned that the type of information available from the videos on Paramount Global’s website was not inherent to the newsletter and was “accessible to anyone, even those without a newsletter subscription.”  Id. at *7.

As a result, the Sixth Circuit affirmed the district court’s decision to dismiss the complaint without leave to amend.

Implications For Companies

Circuit splits in the federal courts are increasingly rare.  It is nearly unprecedented, however, to have a situation where one litigant has created a federal circuit split with himself.  Salazar could file one lawsuit in New York and his claims would go forward.  But, if the exact same lawsuit was filed in Tennessee, then dismissal would be the proper remedy.

This patchwork system may be difficult for corporate counsel, tasked with ensuring their companies’ adtech compliance, to follow.  But, the Sixth Circuit’s decision in Paramount Global is better than the alternative and could pave the way for other circuits to similarly limit the scope of the VPPA in their relevant jurisdictions.

In the meantime, however, corporate counsel for companies based in Kentucky, Michigan, Ohio, and Tennessee can rest a little easier knowing that they can offer newsletters without worrying that adtech, installed solely on their websites, will somehow subject them to draconian VPPA liability.

Federal Court Holds Illinois Genetic Privacy Claim Not Preempted By Federal Transportation Regulations

By Justin Donoho, Gerald L. Maatman, Jr., and Tyler Zmick

Duane Morris Takeaways:  In Short v. MV Transportation, Inc., No. 24-CV-3019 (N.D. Ill. Mar. 10, 2025), Judge Manish S. Shah of the U.S. District Court for the Northern District of Illinois denied defendant’s bid to dismiss a claim brought under the Illinois Genetic Information Privacy Act (“GIPA”).  In his ruling, Judge Shah acknowledged that U.S. Department of Transportation regulations require companies in the transportation industry (including defendant) to ensure their drivers satisfy certain physical qualification criteria.  The Court nonetheless rejected defendant’s argument that the regulations preempt the GIPA because they do not specifically require employers to ask applicants about their family medical histories (which the GIPA prohibits).  In other words, the Court denied defendant’s motion to dismiss because the GIPA does not make it “physically impossible” to comply with federal regulations. 

Background

Plaintiff Kevin Short alleged that he applied for a position as a driver for Defendant MV Transportation, Inc., a company that provides paratransit services.  As part of the application process, Plaintiff was required to complete a physical examination during which he was asked about his family medical history, including whether his family members had a history of high blood pressure, heart disease, or diabetes.

Plaintiff subsequently sued MV Transportation under the GIPA, alleging that the company violated Section 25(c)(1) of the statute by “solicit[ing], request[ing], [or] requir[ing] . . . genetic information of a person or a family member of the person . . . as a condition of employment [or] preemployment application.”  410 ILCS 513/25(c)(1).

MV Transportation moved to dismiss the complaint on the basis that the Department of Transportation’s (“DOT”) regulations preempted Plaintiff’s GIPA claim.  Specifically, MV Transportation argued that Plaintiff’s claim was barred under a “conflict preemption” theory because allowing the claim to proceed would force MV Transportation to choose between complying with the GIPA or complying with federal requirements to “conduct[ ] thorough physical examinations of its drivers.”

MV Transportation pointed to the Motor Carrier Safety Act for support, under which the DOT regulates commercial motor vehicle safety by promulgating “minimum safety standards” to ensure that “the physical condition of operators . . . is adequate to enable them to operate the vehicles safely” – including by requiring drivers to satisfy 13 “physical qualification criteria.”  49 U.S.C. § 31136(a)(3).

The Court’s Decision

In denying MV Transportation’s motion, the Court noted that conflict preemption applies only where “compliance with both federal and state regulations is a physical impossibility” or where the state law “stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.”  Id. at 6-7 (citations omitted); see also id. at 6 (noting that “‘[i]nvoking some brooding federal interest’ is insufficient to establish preemption; instead, MV Transportation must identify ‘a constitutional text or a federal statute’ that displaces or conflicts with the state law”) (quoting Virginia Uranium, Inc. v. Warren, 587 U.S. 761, 767 (2019)).  The Court further observed that MV Transportation had the burden of overcoming the “presumption against preemption.”

In its ruling, the Court concluded that it is not physically impossible for MV Transportation to simultaneously comply with the GIPA and DOT regulations relative to Plaintiff’s pre-employment health screening because the DOT regulations do not specifically require any inquiry into a driver’s family medical history.  MV Transportation asserted that DOT regulations nonetheless “contemplate[] that medical examiners may discuss” a person’s family medical history during a physical exam.  The Court was not persuaded, however, stating that such a scenario is “not enough to suggest that compliance with GIPA and the federal regulations is ‘physically impossible.’”  Id. at 9 (“The mere possibility that a medical examiner asks for information protected by GIPA while performing an examination does not demonstrate impossibility to comply with both federal and state law.”). 

The Court similarly held that the GIPA is not an obstacle to the execution of Congress’s purposes, as reflected in the Motor Carrier Safety Act and DOT regulations.  As support for this conclusion, the Court observed that the relevant DOT regulations and the GIPA serve different purposes – the regulations are meant to promote the safe operation of commercial motor vehicles, while the GIPA focuses on health information privacy.

Implications Of The Decision

Short v. MV Transportation is one of several recent decisions in which courts denied bids to dismiss GIPA claims at the pleading stage. 

Given this litigation landscape and the statute’s strict penalty provision – under which statutory damages can quickly become significant ($2,500 per negligent violation and $15,000 per intentional or reckless violation, see 410 ILCS 513/40(a)(1)-(2)) – employers should ensure they comply with the statute regarding any health screenings they ask applicants or employees to complete (including by explicitly advising applicants and employees not to disclose their family medical histories during the screenings).

It’s Here! The Duane Morris Privacy Class Action Review – 2025

By Gerald L. Maatman, Jr., Jennifer A. Riley, Alex W. Karasik, Gregory Tsonis, Justin Donoho, and Tyler Zmick

Duane Morris Takeaways: The last year saw a virtual explosion in privacy class action litigation. As a result, compliance with privacy laws in the myriad of ways that companies interact with employees, customers, and third parties is a corporate imperative. To that end, the class action team at Duane Morris is pleased to present the second edition of the Privacy Class Action Review – 2025. This publication analyzes the key privacy-related rulings and developments in 2024 and the significant legal decisions and trends impacting privacy class action litigation for 2025. We hope that companies and employers will benefit from this resource in their compliance with these evolving laws and standards.

Click here to bookmark or download a copy of the Privacy Class Action Review – 2025 e-book. Look forward to an episode on the Review coming soon on the Class Action Weekly Wire!

Ninth Circuit Dismisses Adtech Class Action For Lack Of Standing

By Gerald L. Maatman, Jr. and Justin Donoho

Duane Morris Takeaways:  On December 17, 2024, in Daghaly, et al. v. Bloomingdales.com, LLC, No. 23-4122, 2024 WL 5134350 (9th Cir. Dec. 17, 2024), the Ninth Circuit ruled that a plaintiff lacked Article III standing to bring her class action complaint alleging that an online retailer’s use of website advertising technology disclosed website visitors’ browsing activities in violation of the California Invasion of Privacy Act and other statutes.  The ruling is significant because it shows that adtech claims cannot be brought in federal court without specifying the plaintiffs’ web browsing activities allegedly disclosed. 

Background

This case is one of the hundreds of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web browsing data and sent it to Meta, Google, and other online advertising agencies.  This software, often called website advertising technologies or “adtech,” is a common feature on many websites in operation today.

In Daghaly, Plaintiff brought suit against an online retailer.  According to Plaintiff, the retailer installed the Meta Pixel and other adtech on its public-facing website and thereby transmitted web-browsing information entered by visitors such as which products the visitor clicked on and whether the visitor added the product to his or her shopping cart or wish list.  Id., No. 23-CV-129, ECF No. 1 ¶¶ 44-45.  As for Plaintiff herself, she did not allege what she clicked on or what her web browsing activities entailed upon visiting the website, only that she accessed the website via the web browser on her phone and computer.  Id. ¶ 40.

Based on these allegations, Plaintiff alleged claims for violation of the California Invasion of Privacy Act (CIPA) and other statutes.  The district court dismissed the complaint for lack of personal jurisdiction.  Id., 697 F. Supp. 3d 996 (S.D. Cal. 2023).  Plaintiff appealed and, in its appellate response brief, the retailer argued for the first time that Plaintiff lacked Article III standing.

The Ninth Circuit’s Opinion

The Ninth Circuit agreed with the retailer, found that Plaintiff lacked standing, and remanded for further proceedings.

To allege Article III standing, as is required to bring suit in federal court, the Ninth Circuit opined that a plaintiff must “clearly allege facts demonstrating” that she “suffered an injury in fact that is concrete, particularized, and actual or imminent.”  Id., 2024 WL 5134350, at *2 (citing, e.g., TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021)). 

Plaintiff argued that she sufficiently alleged standing via her allegations that she “visited” and “accessed” the website and was “subjected to the interception of her Website Communications.”  Id. at *1.  Moreover, Plaintiff argued, the retailer’s alleged disclosure to adtech companies of the fact of her visiting the retailer’s website sufficiently alleged an invasion of her privacy and thereby invoked Article III standing because the adtech companies could use this fact to stitch together a broader, composite picture of Plaintiff’s online activities.  See oral argument, here.

The Ninth Circuit rejected these arguments. It found that Plaintiff “does not allege that she herself actually made any communications that could have been intercepted once she had accessed the website. She does not assert, for example, that she made a purchase, entered text, or took any actions other than simply opening the webpage and then closing it.”  Id., 2024 WL 5134350, at *1.  As the Ninth Circuit explained during oral argument by way of example, it is not as if Plaintiff had alleged that she was shopping for underwear and that the retailer transmitted information about her underwear purchases.  Moreover, the Ninth Circuit found “no authority suggesting that the fact that she visited [the retailer’s website] (as opposed to information she might have entered while using the website) constitutes ‘contents’ of a communication within the meaning of CIPA Section 631.”  Id.

In short, the Ninth Circuit concluded that Plaintiff lacked Article III standing, and that this conclusion followed from Plaintiff’s failure to sufficiently allege the nature of her web browsing activities giving rise to all of her statutory claims.  Id. at *2.  The Ninth Circuit remanded with instructions that the district court grant leave to amend if properly requested.

Implications For Companies

The holding of Daghaly is a win for adtech class action defendants and should be instructive for courts around the country.  Other courts already have found that an adtech plaintiff’s failure to identify what allegedly private information allegedly was disclosed via the adtech warrants dismissal under Rule 12(b)(6) for failure to plausibly plead various statutory and common-law claims.  See, e.g., our blog post about such a decision here.  Daghaly shows that adtech plaintiffs also need to identify what allegedly private information beyond the fact of a visit to an online retailer’s website was allegedly disclosed via the adtech, in order to have Article III standing to bring their federal lawsuit in the first place.

Florida Federal Court Refuses To Certify Adtech Class Action

By Gerald L. Maatman, Jr., Justin R. Donoho, and Nathan K. Norimoto

Duane Morris Takeaways:  On October 1, 2024, Judge Robert Scola of the U.S. District Court for the Southern District of Florida denied class certification in a case involving website advertising technology (“adtech”) in Martinez v. D2C, LLC, 2024 WL 4367406 (S.D. Fla. Oct. 1, 2024).  The ruling is significant as it shows that plaintiffs who file class action complaints alleging improper use of adtech cannot satisfy Rule 23’s numerosity requirement merely by showing the presence of adtech on a website and numerous visitors to that website.  The Court’s reasoning in denying class certification applies not only in adtech cases raising claims brought under the Video Privacy Protection Act (“VPPA”), like this one, but also to other adtech cases raising a wide variety of other statutory and common law legal theories.

Background

This case is one of the hundreds of class actions that plaintiffs have filed nationwide alleging that Meta Pixel, Google Analytics, and other similar software embedded in defendants’ websites secretly captured plaintiffs’ web browsing data and sent it to Meta, Google, and other online advertising agencies.  This software, often called website advertising technologies or “adtech,” is a common feature on millions of corporate, governmental, and other websites in operation today.

In Martinez, the plaintiffs brought suit against D2C, LLC d/b/a Univision NOW (“Univision”), an online video-streaming service.  The parties did not dispute, at least for the purposes of class certification, that: (A) Univision installed the Meta Pixel on its video-streaming website; (B) Univision was a “video tape service provider” and the plaintiffs and other Univision subscribers were “consumers” under the VPPA, thereby giving rise to liability under that statute if the plaintiffs could show Univision transmitted their personally identifiable information (PII) such as their Facebook IDs along with the videos they accessed to Meta without their consent; (C) none of the plaintiffs consented; and (D) 35,845 subscribers viewed at least one video on Univision’s website.  Id. at *2. 

The plaintiffs moved for class certification under Rule 23.  The plaintiffs maintained that at least 17,000 subscribers, including (or in addition to) them, had their PII disclosed to Meta by Univision.  Id. at *3.  The plaintiffs reached this number upon acknowledging “at least two impediments to a subscriber’s viewing information’s being transmitted to Meta: (1) not having a Facebook account; and (2) using a browser that, by default, blocks the Pixel.”  Id. at *6.  Thus, the plaintiffs pointed to “statistics regarding the percentage of people in the United States who have Facebook accounts (68%) and the testimony of their expert … regarding the percentage of the population who use a web browser that would not block the Pixel transmission (70%), to conclude, using ‘basic math,’ that the class would be comprised of ‘at least approximately 17,000 individuals.’”  Id. at *6.  In contrast, Univision maintained that the plaintiffs failed to carry their burden of showing that even a single subscriber had their PII disclosed, including the three named plaintiffs.  Id. at *3.

The Court’s Decision

The Court agreed with Univision and held that the plaintiffs did not carry their burden of showing numerosity.

First, the Court held that the plaintiffs’ reliance on statistics regarding percentage of people who have Facebook accounts was unhelpful, because “being logged in to Facebook”—not just having an account—“is a prerequisite to the Pixel disclosing information.”  Id. at *7 (emphasis in original).  Moreover, “being simultaneously logged in to Facebook is still not enough to necessarily prompt a Pixel transmission: a subscriber must also have accessed the prerecorded video on Univision’s website through the same web browser and device through which the subscriber (and not another user) was logged into Facebook.”  Id.

Second, the Court held that the plaintiffs’ reliance on their proffer that 70% of people use Google Chrome and Microsoft Edge, which allow Pixel transmission “under default configurations,” failed to account for all of the following “actions a user can take that would also block any Pixel transmission to Meta: enabling a browser’s third-party cookie blockers; setting a browser’s cache to ‘self-destruct’; clearing cookies upon the end of a browser session; and deploying add-on software that blocks third-party cookies.”  Id.

In short, the Court reasoned that the plaintiffs did not establish “the means to make a supported factual finding, that the class to be certified meets the numerosity requirement.”  Id. at *9.  Moreover, the Court found that the plaintiffs had not demonstrated that “any” PII had been disclosed, including their own.  Id. (emphasis in original).  In reply, the plaintiffs attempted to introduce evidence supplied by Meta that one of the plaintiffs’ PII had been transmitted to Meta.  Id.  The court refused to consider this new information, supplied for the first time on reply, and further found that even if it were to consider the new evidence, “this only gets the Plaintiffs to one ‘class member.’”  Id. at *10 (emphasis in original).

Finding the plaintiffs’ failure to satisfy the numerosity requirement dispositive, the Court declined to evaluate the other Rule 23 factors.  Id. at *5.

Implications For Companies

This case is a win for defendants of adtech class actions.  In such cases, the Martinez decision can be cited as useful precedent for showing that the numerosity requirement is not met where plaintiffs put forth only speculative evidence as to whether the adtech disclosed plaintiffs’ and alleged class members’ PII to third parties.  The Court’s reasoning in Martinez applies not only in VPPA cases but also other adtech cases alleging claims for invasion of privacy, under state and federal wiretap acts, and more.  All these legal theories have adtech’s transmission of the PII to third parties as a necessary element.  In sum, to establish numerosity, plaintiffs must demonstrate, at a minimum, that class members were logged into their own adtech accounts at the time they visited the defendants’ website, using the same device and browser for the adtech and the visit, using a browser that did not block the transmission by default, and not deploying any number of browser settings and add-on software that would have blocked the transmission.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.