Class Action

A Domino’s customer may proceed in her putative class action for violations of the California Invasion of Privacy Act (CIPA) against ConverseNow for its provision of an AI virtual assistant that processes restaurant telephone orders. In Taylor v. ConverseNow Technologies, Inc., Case No. 25-cv-00990-SI, 2025 WL 2308483 (N.D. Cal. Aug. 11, 2025), the Court

This fall, a federal court in California granted summary judgment in favor of a website operator for alleged violations of the California Invasion of Privacy Act (CIPA). In its decision, the Court emphasized that it was “virtually impossible” to apply CIPA to internet communications and urged the California legislature to “step up” and “speak clearly” about how internet activity should be treated under the statute in light of a deluge of claims that have been filed recently against website operators.

Over the past year, there has been an explosion of lawsuits targeting website analytics and tracking tools. One recent decision brought businesses another victory in challenging lawsuits alleging violations of the California Invasion of Privacy Act’s (CIPA) prohibition against use of “pen registers” and “trap and trace devices.” Cal. Penal Code § 638.51. In a recent ruling, a federal judge in the Central District of California dismissed one such lawsuit, holding that the claim could not be asserted in federal court.

In early October, a federal court in the Northern District of Illinois refused to dismiss privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that Defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025). However, at the same time, the court dismissed certain claims arising out of Plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of Plaintiff’s theories. On balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in ECPA suits being brought against website operators in the healthcare sector.

Earlier this fall, the United States Court of Appeals for the Second Circuit undermined a strategy often used by the plaintiffs’ bar in privacy claims: the threat of mass arbitration fees. In a decision reversing the district court, the Second Circuit held that the petitioners cannot use the Federal Arbitration Act (FAA) to compel arbitration

On January 24, 2025, the Supreme Court granted certiorari in Lab. Corp. of Am. Holdings v. Davis, Case No. 24-304, on the question of “[w]hether a federal court may certify a class action pursuant to Federal Rule of Civil Procedure 23(b)(3) when some members of the proposed class lack any Article III injury.” In TransUnion LLC v. Ramirez, 594 U.S. 413, 431 (2021), the Supreme Court made clear that “[e]very class member must have Article III standing in order to recover individual damages,” but the Court did not answer the question of when a class member’s standing must be established and whether a class can be certified if it contains uninjured class members.

Last week, the Illinois House of Representatives joined the Illinois Senate in passing amendments to the state’s Biometric Information Privacy Act (“BIPA”) to limit the scope of possible damages for violations of BIPA. As covered extensively here on PW, last year in Cothron v. White Castle, the Illinois Supreme Court held that an individual person accrues a separate statutory claim each time a defendant collects or discloses the individual’s biometric information in violation of BIPA. While the dissent in Cothron accurately observed that the combination of statutory damages and “per-scan” accrual meant that businesses could face “punitive, crippling liability . . . wildly exceeding any remotely reasonable estimate of harm,” the Cothron majority determined that “concerns about potentially excessive damage awards under the Act are best addressed by the legislature.”

On March 22, the Western District of Washington granted a motion to remand cases removed from state court in In re Fred Hutchinson Data Security Litigation, 2:23-cv-01893-JHC, 2024 WL 1240681 (W.D. Wash. March 22, 2024). In doing so, it highlighted for litigators and companies alike a lesson in the importance of understanding how courts determine citizenship when determining diversity jurisdiction under the Class Action Fairness Act (“CAFA”).

2023 was another busy year in the realm of data event and cybersecurity litigation, with several noteworthy developments in the realm of disputes and regulator activity. Privacy World has been tracking these developments throughout the year. Read on for key trends and what to expect going into 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021. At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events. On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information. Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event).

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Kyle Fath to Discuss California DELETE Act and Data Brokers on NAI Panel on Wednesday, December 13