General

A Domino’s customer may proceed in her putative class action for violations of the California Invasion of Privacy Act (CIPA) against ConverseNow for its provision of an AI virtual assistant that processes restaurant telephone orders. In Taylor v. ConverseNow Technologies, Inc., Case No. 25-cv-00990-SI, 2025 WL 2308483 (N.D. Cal. Aug. 11, 2025), the Court held that a communication software provider that could potentially improve its software with collection of communications was plausibly violating CIPA even though it had an agreement with the business receiving the communications. This ruling serves a cautionary note to both software companies and – because of potential aiding and abetting liability – companies that use those technologies.Continue Reading Extra Large PII-zza: Courts Allows California Privacy Class Action to Proceed for Use of AI Phone Call Assistant

This fall, a federal court in California granted summary judgment in favor of a website operator for alleged violations of the California Invasion of Privacy Act (CIPA). In its decision, the Court emphasized that it was “virtually impossible” to apply CIPA to internet communications and urged the California legislature to “step up” and “speak clearly” about how internet activity should be treated under the statute in light of a deluge of claims that have been filed recently against website operators.Continue Reading California Federal Court Urges California Legislature to Clean Up “Total Mess” of State Wiretap Act, Dismisses Claim for Website Tracking

Over the past year, there has been an explosion of lawsuits targeting website analytics and tracking tools. One recent decision brought businesses another victory in challenging lawsuits alleging violations of the California Invasion of Privacy Act’s (CIPA)’s prohibition against use of “pen registers” and “trap and trace devices.” Cal. Penal Code § 638.51. In a recent ruling, a federal judge in the Central District of California dismissed one such lawsuit, holding that the claim could not be asserted in federal court.Continue Reading Federal Court Dismisses “Trap and Trace” Lawsuit for Plaintiff’s Lack of Injury

In early October, a federal court in the Northern District of Illinois refused to dismiss a privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that Defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025).  However, at the same time, the court dismissed certain claims arising out of Plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of Plaintiff’s theories. On the balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in ECPA suits being brought against website operators in the healthcare sector.Continue Reading Federal Court Holds That Button-Click Data From Public Website Can Disclose Patient Status in Violation of the ECPA

Earlier this fall, the United States Court of Appeals for the Second Circuit undermined a strategy often used by the plaintiff’s bar in privacy claims: the threat of mass arbitration fees.  In a decision reversing the district court, the Second Circuit held that the petitioners cannot use the Federal Arbitration Act (FAA) to compel arbitration on the basis that a business failed to pay arbitration fees.  This decision adds to a growing body of precedent that courts cannot compel a business to pay arbitration fees, which as discussed previously here on Privacy World, can total in the thousands or millions of dollars in the event of mass arbitration.Continue Reading Second Circuit Undercuts Plaintiffs’ Threats of Mass Arbitration Fees, Often Used In Asserting Privacy Claims

We have previously covered the recent changes to the California Consumer Privacy Act (CCPA) regulations, and summarized the changes companies need to make to be 2026-ready under them and other state consumer privacy laws that have recently or will soon become effective.  In a recent guidance document, CalPrivacy highlights “seven things businesses should know and prepare for,” which are:Continue Reading CalPrivacy Highlights Regulatory Changes for 2026

On October 29, 2025, the Federal Communications Commission (FCC) released a Further Notice of Proposed Rulemaking (FNPRM) reconsidering certain Telephone Consumer Protection Act (TCPA) consent revocation rules. This action follows the agency’s ongoing “Delete, Delete, Delete” initiative aimed at eliminating outdated regulations and clearing a backlog of petitions, 13 of which date from 2012 to 2021. The FNPRM was unanimously adopted by the Commission on October 28, 2025 and published with key amendments.Continue Reading FCC Proposes Amendments to TCPA Consent Revocation Rules; Proposed Changes to DNC Rules Deleted from Final Text