Data Privacy and Cyber Security Update: April 2025
Sign Up for PublicationsRecent Cases Limiting Wiretapping Privacy Claims in the U.S.
For over a decade, enterprising plaintiffs have filed lawsuits against website operators and their third-party service providers alleging that routine transmission of information like IP address, cookies, and URLs constitutes illegal wiretapping. See, e.g., In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014); In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015). Although plaintiffs continue to pursue these cases around the country—often successfully—some courts have begun to recognize that applying wiretapping statutes to common internet communications essentially criminalizes the way the internet works. For example, in March 2024, a Los Angeles Superior Court judge, addressing California’s wiretapping statute (the California Invasion of Privacy Act), acknowledged that “public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator” because it “would potentially disrupt a large swath of internet commerce. “ Licea v. Hickory Farms LLC, 2024 WL 1698147, at *2 (Cal. Super. Mar. 13, 2014). Similarly in October 2024, the Massachusetts Supreme Court, in applying the Massachusetts wiretapping statute, noted that under the plaintiff’s proposed interpretation, “thousands of website owners could potentially face severe criminal and civil penalties for using tracking tools needed to support an advertising-based business model that is so common on the Internet.” Vita v. New England Baptist Hosp., 494 Mass. 824, 848-49 (2024). The court reasoned that interactions with a website, including tracking of a website user’s browsing of, and interaction with, information published on a website, are not sufficiently similar to the person-to-person conversations and messages wiretapping was enacted to address for such interactions to create liability for those websites; for example, the court found that there was “a difference in kind and not degree” between “speaking to a doctor about one’s specific illness and searching for, and then reading, pre-generated content on a webpage discussing an illness in general.” Id. at 826-27, 836-40 & n.21, 848. And on January 16, 2025, the Ninth Circuit heard argument in Popa v. PSP Group LLC regarding Pennsylvania’s wiretapping statute. The judges appeared to question whether the at-issue conduct—using a Microsoft data-tracking tool to track what website users do when browsing—constituted wiretapping, asking how tracking what a user looks at on a website is any different than following someone around in a physical store and taking notes. A published opinion from the Ninth Circuit on this point could curtail the plaintiff’s efforts to bring these claims.
However, these courts are still in the minority. For example, the Licea case discussed above acknowledged that its ruling may have been different if the information at issue went beyond an IP address and extended to “unique location and other information” constituting “fingerprinting.” 2024 WL 1698147, at *3. Similarly, although another court agreed that the wiretap statutes should not be used to “subject every website to liability for simply existing,” the court concluded that permitting lawsuits that allege the defendant “tracks data beyond that which is necessary for the proper functioning of a website,” such “unique location information and other information besides IP addresses,” goes beyond that limitation, and therefore should be covered by the wiretapping laws. Heiting v. Taylor Fresh Foods, Inc., 2024 WL 3833296, at *4 (Cal. Super. July 31, 2024). And even where courts have acknowledged that similar wiretapping claims “could unsettle the basic operating rules of the Internet,” they have nevertheless concluded that such a result is a problem created by the breadth of the wiretapping statutes and therefore must be resolved by the legislature, not the courts. See, e.g. Shah v. Fandom, Inc., 24-CV-01062-RFL, 2024 WL 4539577, at *6 (N.D. Cal. Oct. 21, 2024).
Separate from the policy concerns raised by the courts above, courts also have curtailed wiretapping claims by requiring standing allegations beyond a violation of the wiretapping statute. For example, in the Popa case described above, the district court concluded that allegations of collecting data that “reveals nothing more than the products that interested [the plaintiff]” did not establish concrete harm adequate to establish standing. Popa v. PSP Group, LLC, C23-0294JLR, 2023 WL 7001456, at *4 (W.D. Wash. Oct. 24, 2023). In another case, a California district court found that the plaintiff lacked standing in part because general allegations of “harm associated with her invasion of privacy” are not adequate if “Plaintiff’s identity [was not] connected with the anonymous information.” Hughes v. Vivint, Inc., CV 24-3081-GW-KSX, 2024 WL 5179916, at *5 (C.D. Cal. July 12, 2024), adopted, CV 24-3081-GW-KSX, 2024 WL 5179917 (C.D. Cal. Aug. 5, 2024). Another court similarly concluded that a violation of California’s wiretapping law is not “by itself an injury in fact sufficient to confer standing” because “the information [collected] must be sufficiently personal or sensitive that its disclosure is harmful.” Rodriguez v. Autotrader.com, Inc., 2:24-CV-08735-RGK-JC, 2025 WL 65409, at *3 (C.D. Cal. Jan. 8, 2025). And a state district court dismissed Washington state wiretapping claims, holding that “[t]he recording of ‘inquiries about shipping disputes’ is not enough to plausibly constitute an injury” and “[j]ust because customer data is valuable does not mean it is private.” Heinz v. Amazon.com, Inc., C24-714RSM, 2024 WL 5304886, at *3 (W.D. Wash. Dec. 18, 2024). A Maryland district court also found a failure to plead standing based on the “alleged collection of mere website activity, such as mouse movements, keystrokes and clicks, search terms, or content viewed by Plaintiff on Defendant’s website” because “[s]uch information does not convey any personal, private, or identifying information.” Arndt v. Gov’t Employees Ins. Co., CV MJM-23-2842, 2024 WL 4335644, at *5 (D. Md. Sept. 26, 2024). Finally, a California trial court recently considered a California wiretapping claim alleging that a website secretly installed a tracking beacon on website visitors’ browsers that collected their IP address so that the website can provide targeted advertisements and website analytics. Rodriguez v. Fountain9, Inc., No. 24STCV04504, 2024 WL 3886811, at *2 (Cal. Super. July 9, 2024). The court found the plaintiff had failed to allege a concrete injury-in-fact because (i) the only information that the website allegedly “collected” was the plaintiff’s IP address and (ii) the alleged injury was solely premised on a violation of the California Invasion of Privacy Act. Id. at *4. However, the court acknowledged that the result may have been different if the third-party software developer (who plaintiff alleged packaged and sold the information to third parties for advertising and marketing purposes) had been joined as a defendant. Id. Other recent cases have similarly held that allegations of tracking users across websites to serve targeted advertisements and conduct website analytics is enough to establish standing. See, e.g., Mirmalek v. Los Angeles Times Communications LLC, 24-CV-01797-CRB, 2024 WL 5102709, at *4 (N.D. Cal. Dec. 12, 2024); Shah v. Fandom, Inc., 24-CV-01062-RFL, 2024 WL 4539577, at *5 (N.D. Cal. Oct. 21, 2024).
In sum, there may be good news on the horizon for defendants as courts consider the practical effects of these wiretap cases, particularly those based on claims that cause no concrete harm to internet users apart from a mere violation of the wiretapping statute.