Top 5 Privacy Cases To Watch, From Chatbots to Geolocation
Litigation — and threats of litigation — related to privacy law violations have been on the rise recently. While some judges have pushed back on the theories set forth by plaintiffs, new privacy lawsuits are filed almost every day. Below, we highlight some pending privacy cases worthy of tracking.
1. Chatbot CIPA Case – Miguel Licea v. Old Navy LLC
The primary issue in Miguel Licea v. Old Navy LLC is whether the privacy policy at issue provides sufficient constructive notice to qualify as consent under the California Invasion of Privacy Act, or CIPA.
Use of chatbots on company websites for customer support has been on the rise. Not surprisingly, this has resulted in a wave of new litigation.
Generally speaking, plaintiffs allege that chatbot technology violates CIPA because the chatbot technology eavesdrops and records chat conversations without a website visitor's consent.
Because websites typically hire third-party service providers to operate the chat, plaintiffs allege that the website visitor is unaware of the third party who operates the chat function and intercepts the communications between the website visitor and website operator.
The prevalence of such chatbot-CIPA claims arose after the ruling in a website activity tracking case — Javier v. Assurance IQ LLC — in which the U.S. Court of Appeals for the Ninth Circuit held in May 2022 that consent under CIPA cannot be retroactive and remanded the case.
In June 2023, U.S. District Judge Charles Breyer of the U.S. District Court for the Northern District of California dismissed the case without leave to amend and held, inter alia, that the plaintiff was put on constructive notice of defendant's privacy policy, which stated that defendant may use third party vendors to assist with monitoring and analyzing website activity, because the web form that the plaintiff used included a notice of defendant's privacy policy.
The impact of Javier's dismissal is likely to be tested in Licea v. Old Navy. In this class action involving Old Navy's chat feature, the plaintiff alleged in the U.S. District Court for the Central District of California that Old Navy assists a third party, Salesforce, in violating CIPA — specifically, Sections 631 and 632.7, which address wiretapping and eavesdropping, respectively. Salesforce is not a named party in the lawsuit.
In April, prior to the dismissal of the Javier case, U.S. District Judge Sunshine Sykes of the Central District of California denied in part and granted in part Old Navy's motion to dismiss.
The court dismissed the plaintiff's Section 631(a) claim regarding wiretapping because Old Navy was a party to the chats at issue, and therefore the well-established party exception rule applied, which provides that a party cannot wiretap its own conversation.
However, the judge allowed the plaintiff's Section 632.7 claim regarding eavesdropping to proceed.
Judge Sykes rejected Old Navy's argument that the plaintiff had failed to establish that both parties were using a qualifying telephone device to conduct customer chats.
Instead, Judge Sykes held that smartphones are "cellular phones with web capabilities and fall within the cellular phone category." The court also notably rejected Old Navy's claim that the plaintiff had consented to any alleged chat recording because the plaintiff "explicitly plead[ed] that he and the purported class members did not consent," and cited to the Ninth Circuit Javier decision in support of this conclusion.
As this case proceeds, Old Navy is likely to challenge Judge Sykes' reliance on Javier in light of its ultimate dismissal. For example, Old Navy may consider whether it can credibly argue that its privacy policy provided sufficient constructive notice to the plaintiff to qualify as consent.
2. Meta Pixel CIPA Case – In re: Meta Pixel Healthcare Litigation
Meta Pixel, a tool used to track a website user's activities, is at issue in In re: Meta Pixel Healthcare Litigation. In this lawsuit, the plaintiffs allege in the Northern District of California that Meta Platforms Inc.'s use of Meta Pixel violates CIPA and the Electronic Communications Privacy Act, among other laws, when used on health care providers' patient portals.
The plaintiffs specifically allege that the health care providers at issue installed Meta Pixel on their patient portals, and when the plaintiffs logged into their patient portal on their medical provider's website, the pixel transmitted certain information to Meta. The plaintiffs further allege that this information revealed their status as patients and was monetized by Meta for use in targeted advertising.
In December 2022, U.S. District Judge William Orrick denied the plaintiffs' motion for preliminary injunction, in which the plaintiffs sought an order prohibiting Meta from intercepting and disseminating their patient information. [1]
In ruling against the plaintiffs, the court found that Meta had sufficiently demonstrated that it has procedures to detect and filter out potentially sensitive health data transmitted by Meta Pixel.
The court also noted that it was too early in the litigation to determine whether it was true that Meta's filtration systems were ineffective, as the plaintiffs had asserted — and that discovery would shed light on this. However, Judge Orrick did agree with the plaintiffs that "the information at issue here appears to show patient status and thus constitutes protected health information under HIPAA."
In May, Meta moved to dismiss the lawsuit arguing that there is nothing inherently unlawful or harmful about the Pixel tool. Meta also asserted that the plaintiffs did not allege that Meta intended to receive the health data at issue.
Meta further argued that Meta Pixel is a publicly available tool that Meta did not personally implement, configure or customize — rather, the health care providers and third-party web developers did that. The hearing on Meta's motion to dismiss is scheduled for August 16.
3. Meta Pixel VPPA Case – Jesse Cantu v. Geico Insurance Agency LLC
A new case in the Central District of California, Jesse Cantu v. Geico Insurance Agency LLC, may expand the application of the Video Privacy Protection Act. The 1988 law prohibits a videotape service provider from disclosing personally identifiable information of a consumer derived from videotape rental or sale records without their consent.
A videotape service provider includes anyone in the business of renting, selling or delivering videotapes, or similar audiovisual materials. This broad language has allowed plaintiffs to allege VPPA violations in various contexts.
Indeed, recently many plaintiffs have alleged VPPA violations based on the use of Meta Pixel. Not surprisingly, though, a new case was filed recently alleging a VPPA violation based on the use of Google Analytics — another web activity tracking tool.
In April, a plaintiff filed a class action in the Central District of California against GEICO alleging that GEICO's use of Google Analytics to collect data on user video-watching behavior violates the VPPA.
Specifically, the plaintiff alleges that when he watched videos on GEICO's website, GEICO "disclosed information that allowed Google (and any ordinary person) to readily identify Plaintiff's video-watching behavior."
The plaintiff further alleges that GEICO did this for the purpose of "retargeting Plaintiff in connection with Google advertising campaigns," and that GEICO did not obtain the plaintiff's consent to disclose his personally identifiable information to third parties. GEICO's response to the complaint is due in mid-July.
4. COPPA Case – Cara Jones v. Google LLC
The answer to whether the Children's Online Privacy Protection Rule preempts state law is coming soon. COPPA is a federal law passed in 1998 that is administered and enforced by the Federal Trade Commission. COPPA imposes certain requirements on website operators to protect the privacy of children under 13 years of age.
These requirements include making certain disclosures about data collection activities, and importantly here, obtaining parental consent prior to any collection, use, and/or disclosure of a child's personally identifiable information. COPPA includes a preemption clause that restricts states from imposing liability for regulated activities that is inconsistent with COPPA's treatment of those activities.
The plaintiffs in Cara Jones v. Google LLC — minor children appearing through their guardians — filed a lawsuit against Google and other defendants, alleging that Google's YouTube platform collected and used children's online behavior surreptitiously for advertising purposes, without their consent. COPPA does not include a private right of action, so the plaintiffs relied on various state law theories in their case.
Initially, the Northern District of California found that COPPA preempted the plaintiffs' state law claims.
However, last December, the Ninth Circuit reversed and remanded after finding that COPPA did not preempt the plaintiffs' state law claims, reasoning that in excluding inconsistent state laws, COPPA implicitly preserves state laws that are consistent — i.e., do not stand as an "obstacle to COPPA in purpose or effect" — even in instances where state remedies for violations may be different.
The defendants asked for an en banc review of the decision. In turn, the Ninth Circuit asked the FTC "whether the preemption clause [in COPPA] preempts fully stand-alone state-law causes of action by private citizens that concern data-collection activities that also violate COPPA but are not predicated on a claim under COPPA."
In May, the FTC filed an amicus brief arguing that COPPA does not preempt state privacy laws that are consistent with the federal statute's treatment of regulated activities.
On May 30, the Ninth Circuit denied Google's petition for rehearing en banc, but granted Google's motion to respond to the FTC's amicus brief. Google and the appellants recently filed supplemental briefs, and are awaiting the court's decision.
These developments come at the same time that the FTC announced new enforcement actions related to COPPA. On June 5, the FTC announced a $20 million proposed settlement with Microsoft Corp., after alleging that Microsoft violated COPPA by using its Xbox Live service to collect children's photos, videos, audio, biometric data and health information prior to obtaining parental consent.
5. FTC Act Geolocation Case – Federal Trade Commission v. Kochava Inc.
FTC is taking another bite at Kochava, a mobile app analytics company, which may clarify best practices for geolocation data.
In summer 2022, the FTC approached Kochava with the threat of a complaint for permanent injunction if it did not settle to a proposed consent order to address what the FTC saw as inadequate protection of sensitive geolocation data tied to mobile ad IDs, a unique identifier tied to a mobile phone used for advertising purposes.
The FTC alleged that Kochava sold geolocation data that was not anonymized and could "expos[e users] to threats of stigma, stalking, discrimination, job loss, and even physical violence."
In August 2022, Kochava decided to preemptively sue the FTC in the U.S. District Court for the District of Idaho, rather than respond to the FTC.
Kochava alleged that the FTC "illustrate[d] a lack of understanding of Kochava's services" and sought the court to "enter a judgment construing the provisions of the FTC Act and declaring and clarifying the rights and obligations of the parties ... as they effect Plaintiff's services and operations."
In turn, the FTC filed the complaint it threatened.
But in May 2023, the court dismissed the FTC's complaint because the FTC could not show that Kochava's sale of geolocation data is causing or is "likely to cause" substantial injury to consumers. [2]
Kochava argued several reasons, including several constitutional arguments, why the FTC ultimately had not proven an inference of a consumer injury. In defense of their complaint, the FTC argued that "geolocation data sales could enable third parties to track consumers' past movements ... and based on inferences arising from that information, inflict secondary harms."
This was insufficient for U.S. District Judge B. Lynn Winmill, who stated that "the FTC must go one step further and allege that Kochava's practices create a 'significant risk' that third parties will identify and harm consumers."
Undeterred, the FTC filed an amended complaint in June, and Kochava moved to seal the FTC's revamped complaint. Kochava argues the revamped complaint contains "false and highly inflammatory" allegations "clearly aimed" to mislead the court and the public.
The case is notable not only because the FTC has seldom refiled, but also because the FTC appears determined to establish best practices for the collection and handling of geolocation data.
[1] https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/orderdenyingpreliminaryinjunction-in-meta-case-dec-22-2022.pdf
[2] https://dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com/external/court-dismissal-ftc-suit-against-kochava-5-4-23.pdf