US Privacy & Breach Litigation Monitor

Welcome to the US Privacy & Breach Litigation Monitor

We are pleased to share the latest edition of Kennedys US Privacy & Breach Litigation Monitor. This mailing was created with our clients in mind - to bring you up to speed on the latest topics and trends in data privacy and breach litigation.

Healthcare provider fails (twice) to have pixel cases removed to federal court under federal officer jurisdiction

In two recent decisions out of the Central District of California, Cedars-Sinai Health Systems sought to remove a pair of healthcare website tracking lawsuits under federal officer jurisdiction. The federal officer removal statute allows a civil action to be removed from state to federal court if it involves “[t]he United States or any agency thereof or any officer (or any person acting under that officer) of the United States or of any agency thereof, in an official or individual capacity, for or relating to any act under color of such office ....” Cedars-Sinai argued that it acted under a federal officer because the federal government “incentivizes, regulates, monitors, and supervises its actions as part of the MUP in order to meet the federal government’s national priority of interoperable health information technology,” and Cedars-Sinai is helping the government produce the “nationwide, interoperable information technology infrastructure for health information.’”

The court disagreed, finding that “[a] private firm’s compliance (or noncompliance) with federal laws, rules, and regulations does not by itself fall within the scope of the statutory phrase ‘acting under’ a federal ‘official.’” The court further explained that “[t]he directions Cedars-Sinai points to are general regulations and public directives regarding the development of health information technology and an electronic health records infrastructure. Therefore, removal is not justified.” The cases are Doe v. Cedars-Sinai Health Sys., 2023 WL 3059141 (C.D. Cal. Apr. 24, 2023) and Browne v. Cedars-Sinai Health Sys., 2023 WL 3095551 (CD Cal. Apr. 26, 2023).

Federal court’s mixed ruling on motion to dismiss CIPA claims highlights potential risks for companies using online chatbots

On April 18, 2023, a California federal court denied in part and granted in part a motion to dismiss filed by Old Navy in a putative class action brought under the California Invasion of Privacy Act (“CIPA”). The plaintiff alleged that Old Navy used a session reply program to automatically record and create transcripts of customer’s conversations with its online chatbot in violation of the wiretapping (631(a)) and eavesdropping (632.7) sections of CIPA. The court denied Old Navy’s motion to dismiss, finding that the fact the plaintiff allegedly accessed Old Navy’s online chatbot with a smartphone met the “telephone” requirement of Section 632.7, and by sharing “highly sensitive personal data via” the chatbot feature, the plaintiff’s communication with Old Navy’s online chatbot fell within the scope of Section 632.7. However, Old Navy was successful in defeating the wiretapping claim, with the Court finding that as a “party” to the “communication,” Old Navy was exempt from direct CIPA liability.

Notably, the court granted plaintiff’s leave to amend its claim under a derivative liability theory, which will require plaintiff to allege non-conclusory facts which suggest that a third party recorded defendant’s customers’ information for some use or potential future use beyond simply supplying this information back to defendant.” The matter is Miguel Licea v. Old Navy, LLC, No. 5:22-cv-01413-SSS-SP (C.D. Cal. Aug. 10, 2022).

Court finds that free access to website does not make a user a consumer under the VPPA

Much of the battle over Video Privacy Protection Act (VPPA) claims has centered around how courts should apply the definitions contained in the 35-year-old statute to modern businesses and technology. One such definition is “consumer,” which is defined by the VPPA as a “renter, purchaser, or subscriber of goods or services.” The inquiry by courts on this issue center around the level of commitment that users have with the platforms that they are using.

In Carter v. Scripps Networks, No. 22-2031 (SDNY Apr. 24, 2023), for example, the Court dismissed a VPPA complaint, finding that free access to a website was insufficient to make a website user a “subscriber” to fall under VPPA’s definition for “consumer.” As the court held, “plaintiffs were free to watch or not watch hgtv.com videos without any type of obligation, no different than any of the other 9.9 million monthly visitors to the site. Because the Complaint does not plausibly allege that plaintiffs acted as ‘subscribers’ when they viewed videos on the hgtv.com, it does not plausibly allege that they were ‘consumers’ under the VPPA.”

The VPPA battle continues: court finds factual record is needed to determine liability

Although some complaints, such as in Scripps, are dismissed at the pleading stage, others are not. In Jason Goldstein & Tammy Huttemeyer v. Fandango Media, LLC., 2023 WL 3025111 (S.D. Fla. Mar. 7, 2023), plaintiffs claimed that Fandango violated the VPPA by disclosing its customers’ PII every time the customers watched a video clip on the Fandango App or website or purchased a movie ticket on the Fandango Website. The defendant moved to dismiss.

With respect to the question of whether defendant is a “video tape service provider,” the complaint alleged that because defendant sells movie tickets and delivers video clips for at-home consumption, defendant is essentially a modern-day video store and therefore qualifies. Defendant disagreed, stating it does not deliver video content, but sells tickets, and the videos provided serve only to promote the business in which it is engaged. The parties also disagreed as to whether the plaintiffs had properly alleged an ongoing commitment or relationship with the defendant sufficient to be considered “consumers” under the VPPA.

The Court found that to answer both questions, it must determine the nature of defendant’s business, which requires a factual inquiry that goes beyond the pleadings. This decision reflects ongoing challenges for defendants seeking to have claims dismissed at the pleading stage, although viable defenses still remain.

California court analyzes defenses to CIPA and ECPA wiretapping allegations

A California court recently weighed in on defenses to claims brought pursuant to the California Invasion of Privacy Act (CIPA) and the Electronic Communications Privacy Act (Federal Wiretap Act). In Katz-Lacabe v. Oracle Am., Inc., 2023 WL 2838118 (N.D. Cal. Apr. 6, 2023), plaintiffs alleged that Oracle violated both statutes by using cookies, tracking pixels, widgets, and proprietary code which sends Oracle information users are requesting from a website server. Oracle raised three common defenses: (1) that is exempt from liability as a party to plaintiffs’ communications; (2) plaintiffs failed to plead the interception of “contents” as defined under the statutes; and (3) Oracle’s customers’ consent satisfies one-party consent under the ECPA.

First, Oracle asserted that it was a party to the communications because it is simply “an extension” of the website operators from whom it collects information, rather than an outsider. The Court disagreed, following district precedent that a third-party “is a vendor that provides a software service that captures its clients’ data, hosts it on [its own] servers, and allows the clients to analyze their data.”  

Next, Oracle claimed that referrer URL and data entered into forms did not meet the statutory definition of “contents” because plaintiffs failed to identify whether the URLs at issue included elements that would render their collection problematic, such as search terms. The Court found that while plaintiffs’ lack of specificity made its decision a close call, allegations about data entered was just barely enough to withstand dismissal. Finally, the court agreed with defendant is correct that the Federal Wiretap Act is a one-party consent statute requiring dismissal of the claim (CIPA requires two-party consent, so that claim survived).

 

To view our full newsletter, click here: Privacy & Breach Litigation Monitor - May 4, 2023

 

Previous issues:

Privacy & Breach Litigation Monitor - February 24, 2023

Privacy & Breach Litigation Monitor - November 29, 2022

Privacy & Breach Ligation Monitor - November 1, 2022

Privacy & Breach Ligation Monitor - October 7, 2022

Privacy & Breach Ligation Monitor - September 21, 2022

Privacy & Breach Litigation Monitor - August 21, 2022