Litigation Grows Around Website Technologies, With Focus on Sensitive Data
Data privacy-related lawsuits have skyrocketed in recent years. Federal courts saw over 900 data privacy dockets in 2020 – but witnessed a surge to 1,767 dockets in 2023.[1] At the halfway point in 2024, federal court data privacy dockets – currently over 1,000 – are on track to meet or exceed last year’s number.[2] Many of these cases increasingly involve website technologies, making careful attention to the trends and risks associated with such technologies more important than ever.
Online Chat Function Claims Involving User Communications
Courts have recently seen numerous cases exploring whether interactive chat functions on websites violate various state statutes, notably the decades-old California Invasion of Privacy Act (CIPA).[3] Although CIPA was originally intended to address phone communications, plaintiffs generally use it in these cases to allege that online chat functions impermissibly access conversations between website visitors and operators without visitors’ consent.[4]
For example, in Yockey v. Salesforce, Inc., a California resident alleged, on behalf of herself and a class, that an application programming interface (API) chat function on a health website constituted impermissible wiretapping of her insurance and medical information in violation of CIPA.[5] The Northern District of California denied in part the defendant software provider’s motion to dismiss, holding that the plaintiffs sufficiently alleged that the defendant eavesdropped on their confidential communications regarding health care and insurance without consent under CIPA Section 632.[6] Similarly, in Valenzuela v. Nationwide Mutual Insurance Co., the Central District of California denied in part a motion to dismiss based on allegations that a third-party company intercepted plaintiff’s messages and collected his data – allegedly a form of “reading” or “learning the contents of” communications under CIPA.[7] In general, courts in these cases tend to deny motions to dismiss when defendants intercept communications allegedly for their benefit.[8]
Data Collection “Pen Register” Claims
In a recent case, a California resident filed a class action under CIPA against a company called Kochava, alleging that the company installed a “pen register” on his device because its software allegedly collected personal data without his knowledge.[9] The Southern District of California denied a motion to dismiss, finding in a novel holding that the plaintiff stated a claim that Kochava’s practices could constitute a “pen register” under CIPA because its software “identifie[d] consumers, gather[ed] data, and correlate[d] that data through unique ‘fingerprinting.’”[10]
Similar “pen register” cases based on website technologies have made it further along in the judicial process and resulted in different outcomes as to whether the website technologies can give rise to a CIPA violation. For instance, one judge of the Los Angeles County Superior Court overruled a hotel company’s demurrer (i.e., motion to dismiss), finding that the plaintiff sufficiently alleged that the defendant’s website impermissibly “deployed a software device and process” in violation of CIPA Section 638.51(a).[11] In particular, the plaintiff alleged that the hotel company “knowingly and criminally deployed pen register software to access Plaintiff’s device, install tracking software, and obtain Plaintiff’s IP address.”[12] The court concluded that this allegation provided “the ultimate facts necessary to this cause of action.”[13]
In contrast, another judge of the Los Angeles Superior Court ruled against a plaintiff’s “pen register” allegations based on statutory interpretation and public policy.[14] In that case, a California plaintiff alleged that a food product company “secretly installed spyware on its website . . . to de-anonymize every visitor so that each visitor’s identity and browsing habits can be shared.”[15] Per the complaint, this software served as “a pen register to access and obtain Plaintiff’s IP address.”[16] The court disagreed with the plaintiff, noting that IP addresses are not “equivalent to . . . ‘unique fingerprinting’ . . . providing unique location and other information normally within the domain of law enforcement officers with a warrant.”[17] Additionally, the court determined that public policy weighed against the plaintiff’s allegations, since broadly interpreting CIPA to include providing IP addresses “would potentially disrupt a large swath of internet commerce.”[18]
These trends in website data collection cases signal a growing litigation risk, as certain data collection practices are targeted in plaintiffs’ litigation that can seek thousands of dollars per violation.
The New Frontier: Pixel and Health Care Claims
Companies using website tracking technologies also should pay close attention to a new wave of litigation surrounding social media pixels. Plaintiffs have brought suits alleging that websites use pixels to capture and transmit health data to third parties attempting to enhance targeted advertising. Recent decisions have held that use of pixels in these circumstances could violate various state statutes.
For example, in April 2024, a federal court denied a motion to dismiss in a case involving a health care services company’s social media pixel and website tracking technologies.[19] The company’s website – through which users search for doctors, take health assessments, and schedule appointments – allegedly used website pixels that “capture[d] and record[ed] user interactions with the website, including pages viewed, buttons clicked, and information submitted.”[20] The company and third parties subsequently used the data to analyze website performance and target ads, according to the complaint.[21] The court denied the company’s motion to dismiss with respect to several state laws, notably the Massachusetts Right of Privacy Law, because the plaintiff sufficiently alleged that the company disclosed information of “highly personal or intimate nature,” including “health conditions and treatments.”[22]
Plaintiffs have also brought claims under the Illinois Biometric Information Privacy Act (BIPA), which establishes notice and consent requirements for biometric data collection and sharing, with limited exceptions.[23] For example, plaintiffs brought a class action lawsuit against a cosmetics company, alleging that the “Virtual Try-On” makeup feature impermissibly collected users’ “‘detailed and sensitive biometric identifiers and information, including complete facial scans.’”[24] Similarly, plaintiffs filed a class action lawsuit against an eyewear brand, claiming that its “Virtual Try-On” feature violates BIPA.[25] While BIPA claims have been litigated for years, companies now employing data collection involving biometrics must remain cognizant of BIPA compliance and litigation risk.
Looking Ahead at the Privacy Litigation Landscape
As privacy-related litigation increases, companies should closely monitor their website chat, data collection, and pixel practices. Sharing of sensitive data in particular is a key litigation risk, with the possibility of more litigation surrounding new state laws, such as the potentially expansive “Washington My Health My Data Act.”[26] The Act restricts regulated entities’ collection and sharing of “consumer health data,” broadly defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”[27] Companies should take proactive steps to implement appropriate safeguards around website data collection, particularly when dealing with sensitive data.
The current privacy landscape marked by increased litigation over online data collection practices shows no sign of slowing down. This is a complex area for companies with an online presence, and Wiley’s Privacy, Cyber & Data Governance, Litigation, and Class Action attorneys advise companies on how to navigate this developing space.
[1] Westlaw Litigation Analytics: Data Privacy Analytics (last visited July 8, 2024).
[2] Id.
[3] Cal. Penal Code §§ 630-638.
[4] See id. at § 638.51.
[5] Yockey v. Salesforce, Inc., 688 F.Supp.3d 962, 968 (N.D. Cal. 2023).
[6] Id. at 973-975.
[7] Valenzuela v. Nationwide Mut. Ins. Co., 686 F.Supp.3d 969, 975-981.
[8] See, e.g., Balletto v. American Honda Motor Co., No. 23-cv-01017-JSW, 2024 WL 589090 (N.D. Cal. Feb. 13, 2024) (denying motion to dismiss because the court determined that the plaintiff sufficiently alleged that Salesforce intercepted communications from Honda chat function for Salesforce’s benefit).
[9] Greenley v. Kochava, Inc., 684 F.Supp.3d 1024, 1035-1036, 1050-1051 (S.D. Cal. 2023).
[10] Id. at 1050-1051.
[11] Levings v. Choice Hotels Int’l, No. 23STCV28359, 2024 WL 1481189 at *2 (Cal. Super. Apr. 3, 2024).
[12] Complaint at ¶ 20, Levings, No. 23STCV28359 (Cal. Super. Nov. 20, 2023).
[13] Levings, 2024 WL 1481189 at *2.
[14] Licea v. Hickory Farms, LLC, No. 23STCV26148, 2024 WL 1698147 (Cal. Super. Mar. 13, 2024).
[15] Complaint at ¶ 1, Licea, No. 23STCV26148 (Cal. Super. Oct. 25, 2023).
[16] Id. at ¶ 40 (citing Greenley, 684 F.Supp.3d 1024).
[17] Licea, 2024 WL 1698147 at *3.
[18] Id. at *4.
[19] Doe v. Tenet Healthcare Corporation, No. 23-12978-PBS, 2024 WL 1756075 (D. Mass. Apr. 23, 2024).
[20] Id. at *1.
[21] Id.
[22] Id. at *6.
[23] Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14 (2008).
[24] Davis v. e.l.f. Cosmetics, Inc., No. 22 C 5069, 2024 WL 2722663 at *5 (N.D. Ill. May 28, 2024).
[25] Theriot v. Louis Vuitton North America, Inc., 645 F.Supp.3d 178, 180-181 (S.D.N.Y. 2022).
[26] Washington My Health My Data Act, Wash. Rev. Code §§ 19.373.005-19.373.900 (2023).
[27] Id.