Technology

In 2025, courts continued to issue significant decisions concerning the application of wiretap and privacy laws to pixels, session replay, and other website technologies. Over the past year, we have featured posts discussing claims regarding website analytics and advertising tools brought under the federal Wiretap Act, the California Invasion of Privacy Act (“CIPA”), the Video Privacy Protection Act (“VPPA”), and other laws.  A selection of posts highlighting important developments in this area is below. Continue Reading Website Wiretapping Roundup: 2025 Decisions and Developments 

In many privacy and other technology-related class actions, the question of whether consumers consent to the practice at issue is central.  In these cases, class action defendants have defeated motions for class certification by successfully arguing that consent is an individualized issue that is not susceptible to common proof.  And though class action plaintiffs may try and avoid this problem by excluding consenting individuals from their class definition, that solution can create new problems, including impermissible “fail-safe” classes—i.e., classes that cannot be defined until a case is resolved on the merits.Continue Reading Sixth Circuit Denies Permission to Appeal Class Certification Order Raising Questions of Consent and Fail-Safe Classes

The Eighth Circuit recently affirmed dismissal of a putative class action asserting that defendant Cinema Entertainment Corporation, a regional movie theater chain, violated the Video Privacy Protection Act (“VPPA”) by disclosing website visitors’ information through a third-party pixel.  See Christopherson v. Cinema Ent. Corp., No. 24-3042, 2025 WL 3512393 (8th Cir. Dec. 8, 2025). Continue Reading Eighth Circuit Affirms Dismissal of VPPA Claim

Last week, the Third Circuit affirmed dismissal of a putative class action asserting that defendant Quest Diagnostics violated the California Invasion of Privacy Act (“CIPA”) and the Confidentiality of Medical Information Act (“CMIA”) by employing a website pixel to track and collect data about their website activity for advertising purposes.  See Cole v. Quest Diagnostics Inc., No. 25-1449, 2025 WL 3172640 (3d Cir. Nov. 13, 2025).  The Third Circuit held that Quest was not liable under CIPA for aiding and abetting wiretapping because no wiretapping had occurred, nor under CMIA because Plaintiffs had not alleged the disclosure of protected “medical information.”Continue Reading Third Circuit Affirms Dismissal of CIPA and CMIA Claims

Recently, a California federal court granted summary judgment for defendant Eating Recovery Center (“ERC”) on a plaintiff’s California Invasion of Privacy Act (“CIPA”) § 631(a) wiretapping claim, joining other California federal courts that have granted summary judgment on CIPA claims for a plaintiff’s failure to “satisfy [CIPA’s] ‘in transit’ requirement as a matter of law.”  In granting summary judgment, the court critiqued CIPA’s language as “ill-suited for application to internet communications” and called upon the California Legislature to “step up” and “speak clearly” about whether and how CIPA applies to website-based data collection tools.  Doe v. Eating Recovery Ctr., LLC, –F. Supp. 3d–, 2025 WL 2971090 (N.D. Cal. Oct. 17, 2025).Continue Reading California Court Grants Summary Judgment for Defendant, Urging the California Legislature to “Bring CIPA”—“A Total Mess”—“Into the Modern Age”

On October 20, a California trial court granted summary judgment in favor of defendants in Mach v. Yardi Systems, Inc., rejecting class plaintiffs’ claims that defendants violated California’s antitrust law, the Cartwright Act, through their common use of rental pricing software.  The decision, which relied on “critical” evidence produced

Continue Reading California Court Rejects First Algorithmic Price Fixing Case to Reach Summary Judgment

Courts continue to grapple with the type of “concrete harm” that is required to confer Article III standing under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), particularly in data breach and privacy class actions.  On October 14, the Fourth Circuit contributed to this debate, holding that allegations that plaintiffs’ driver’s license data had been leaked and appeared on the dark web were sufficient to establish standing.

Holmes v. Elephant Ins. Co., — F.4th —, 2025 WL 2907615 (4th Cir. 2025), started with a 2022 data breach of Elephant Insurance Company’s networks.  Id. at *1.  Plaintiffs were Elephant customers whose driver’s license numbers were compromised in the breach.  Id.  They sued Elephant for alleged harms stemming from the breach.  Id. at *3.  Two plaintiffs specifically alleged that they had found their driver’s license numbers on the dark web; the others did not.  Id. at *2.  The district court dismissed plaintiffs’ claims, holding that none of the alleged injuries were sufficient to confer standing.  Id.  But the Fourth Circuit disagreed in part, reversing the lower court’s dismissal of the two plaintiffs who alleged that their driver’s license information appeared on the dark web, but affirming dismissal of the other two. Continue Reading Standing in the Dark:  Fourth Circuit Finds Standing for Driver’s License Information on the Dark Web

On August 15, the Ninth Circuit Court of Appeals affirmed the dismissal of a class action complaint in Gibson v. Cendyn Group, No. 24-3576, rejecting plaintiffs’ arguments that Las Vegas hotels violated Section 1 of the Sherman Act through their common use of revenue management software.  The decision follows

Continue Reading Ninth Circuit Rejects Vegas Hotel Algorithmic Price Fixing Claims

In Nicole Pileggi v. Washington Newspaper Publishing Company LLC, the D.C. Circuit unanimously affirmed the district court’s dismissal of a complaint alleging that news magazine and website Washington Examiner disclosed consumers’ personal information through a third-party pixel in violation of the Video Privacy Protection Act (“VPPA”). 

In 2023, Pileggi alleged that the Examiner’s use of a third-party pixel on its site gave the third party the ability to collect website visitors’ personal information, including IP addresses and titles of videos they had watched.  The District Court for the District of Columbia granted the Examiner’s motion to dismiss early last year, holding that Pileggi was not a “consumer” under the VPPA and that she failed to establish the requisite connection between her subscription to the Examiner’s newsletter and the video information allegedly disclosed.Continue Reading D.C. Circuit Deepens Circuit Split on Interpretation of “Consumer” Under VPPA

Last month, a California federal court in Dai v. SAS Institute, No. 4:24-cv-02537 (N.D. Cal. 2025), dismissed a proposed antitrust class action complaint against six nationwide hotel operators alleging that the hotels’ common use of revenue management software to set their room prices amounted to a per se illegal “hub-and-spoke” conspiracy to fix hotel prices in violation of Section 1 of the Sherman Act. Continue Reading California Court Dismisses Hotel Algorithmic Price Fixing Claims