Litigation

Third Circuit Strikes a Blow to Yet Another Attempt to Penalize the Use of Tracking Pixels

By Kristin Bryan, James Brennan & Nicholas Sweeney on December 10, 2025

Posted in California, California Invasion of Privacy Act, CIPA, Class Action, Data Privacy, General, Privacy Litigation, Video Privacy Protection Act (VPPA), Wiretapping

Last month, the United States Court of Appeals for the Third Circuit, in an unpublished decision, undercut the latest attempt of the plaintiffs’ bar to penalize the common business practice of using tracking pixels on websites. These pixels are pieces of code created by third-party advertisers and analytics companies that can collect information about website visits such as a visitor’s IP address, when the visit occurred, and what links were clicked on within the site. Despite being used by most major U.S. businesses, tracking pixels have been increasingly targeted by plaintiffs for their alleged disclosure of certain information back to the company that operates them. Squire Patton Boggs’ Data Disputes team has significant experience defending these claims in litigation and arbitration (and obtaining dismissals for clients).

Read on for more about the Third Circuit’s decision in this case.

2025 Mass Arbitration Year in Review

By Kristin Bryan, James Brennan & Nicholas Sweeney on December 5, 2025

Posted in Arbitration, Biometric information, Biometric Information Privacy Act (BIPA), BIPA, California, California Invasion of Privacy Act, CCPA, CIPA, Class Action, Cookies, Data Privacy, General, Illinois, Litigation, Privacy Litigation, US, Video Privacy Protection Act (VPPA), Wiretapping

Mass arbitrations—where a plaintiffs’ firm brings dozens, hundreds, or thousands of identical claims against a business—is a mechanism increasingly relied upon by the plaintiffs’ bar in the past few years. This is because mass arbitrations enable a plaintiffs’ firm to create settlement pressure by leveraging unavoidable arbitration fees borne by a business regardless of the merits of the claims filed. Further powered by litigation funding, plaintiffs’ firms have used the mass arbitration device to bring vexatious claims and escape review of the merits or any downside risk.

Extra Large PII-zza: Courts Allows California Privacy Class Action to Proceed for Use of AI Phone Call Assistant

By Kristin Bryan, James Brennan & William Hupp on December 4, 2025

Posted in Artificial Intelligence, California, California Invasion of Privacy Act, Class Action, General, Litigation, Privacy Litigation, US, Wiretapping

A Domino’s customer may proceed in her putative class action for violations of the California Invasion of Privacy Act (CIPA) against ConverseNow for its provision of an AI virtual assistant that processes restaurant telephone orders. In Taylor v. ConverseNow Technologies, Inc., Case No. 25-cv-00990-SI, 2025 WL 2308483 (N.D. Cal. Aug. 11, 2025), the Court held that a communication software provider that could potentially improve its software with collection of communications was plausibly violating CIPA even though it had an agreement with the business receiving the communications. This ruling serves a cautionary note to both software companies and – because of potential aiding and abetting liability – companies that use those technologies.

California Federal Court Urges California Legislature to Clean Up “Total Mess” of State Wiretap Act, Dismisses Claim for Website Tracking

By Kristin Bryan, James Brennan & Max Giuliano on December 3, 2025

Posted in California, California Invasion of Privacy Act, Class Action, General, Litigation, Privacy Litigation, US, Wiretapping

This fall, a federal court in California granted summary judgment in favor of a website operator for alleged violations of the California Invasion of Privacy Act (CIPA). In its decision, the Court emphasized that it was “virtually impossible” to apply CIPA to internet communications and urged the California legislature to “step up” and “speak clearly” about how internet activity should be treated under the statute in light of a deluge of claims that have been filed recently against website operators.

Federal Court Dismisses “Trap and Trace” Lawsuit for Plaintiff’s Lack of Injury

By Kristin Bryan, James Brennan & Gerald Sharpe on December 2, 2025

Posted in California, California Invasion of Privacy Act, Class Action, General, Litigation, Privacy Litigation, US, Wiretapping

Over the past year, there has been an explosion of lawsuits targeting website analytics and tracking tools. One recent decision brought businesses another victory in challenging lawsuits alleging violations of the California Invasion of Privacy Act’s (CIPA)’s prohibition against use of “pen registers” and “trap and trace devices.” Cal. Penal Code § 638.51. In a recent ruling, a federal judge in the Central District of California dismissed one such lawsuit, holding that the claim could not be asserted in federal court.

Federal Court Holds That Button-Click Data From Public Website Can Disclose Patient Status in Violation of the ECPA

By Kristin Bryan, Alexandra Michalak & James Brennan on December 1, 2025

Posted in Class Action, Electronic Communications Privacy Act, General, HIPAA, Illinois, Litigation, Privacy Litigation, US, Wiretapping

In early October, a federal court in the Northern District of Illinois refused to dismiss a privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that Defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025). However, at the same time, the court dismissed certain claims arising out of Plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of Plaintiff’s theories. On the balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in ECPA suits being brought against website operators in the healthcare sector.

Second Circuit Undercuts Plaintiffs’ Threats of Mass Arbitration Fees, Often Used In Asserting Privacy Claims

By Kristin Bryan, James Brennan & Nicholas Sweeney on December 1, 2025

Posted in Arbitration, Class Action, General, Litigation, US

Earlier this fall, the United States Court of Appeals for the Second Circuit undermined a strategy often used by the plaintiff’s bar in privacy claims: the threat of mass arbitration fees. In a decision reversing the district court, the Second Circuit held that the petitioners cannot use the Federal Arbitration Act (FAA) to compel arbitration on the basis that a business failed to pay arbitration fees. This decision adds to a growing body of precedent that courts cannot compel a business to pay arbitration fees, which as discussed previously here on Privacy World, can total in the thousands or millions of dollars in the event of mass arbitration.

CalPrivacy Highlights Regulatory Changes for 2026

By Alan Friel on November 24, 2025

Posted in CCPA, CCPA, General

We have previously covered the recent changes to the California Consumer Privacy Act (CCPA) regulations, and summarized the changes companies need to make to be 2026-ready under them and other state consumer privacy laws that have recently or will soon become effective. In a recent guidance document, CalPrivacy highlights “seven things businesses should know and prepare for,” which are:

App Store Age Verification Laws: Your Questions, Answered.

By Kyle Fath, Niloufar Massachi & Alara Abbasi on October 28, 2025

Posted in CCPA, Compliance, COPPA, Digital Age Assurance Act, General

The last several weeks have been eventful for online safety and age assurance, particularly with respect to U.S. app store age verification laws: Apple and Google unveiled some of their plans for addressing these laws on Oct. 8; Governor Newsom signed the Digital Age Assurance Act into law on October 13; and on October 16, an industry organization lodged a constitutional challenge against Texas’ law (SB2420). Below, we provide a handy FAQ with questions and answers on issues that many likely have regarding these laws, the app stores’ guidance, and the legal challenge to the Texas law.

Mobile app operators: take note. Regardless of your company’s target audience, you will be required to take technical and operational steps to comply with these laws.

Your Year-end U.S. Privacy “To Do” List – don’t wait until the holiday crush to become 2026-ready

By Alan Friel on October 9, 2025

Posted in Artificial Intelligence, Biometric data, California, California Privacy Protection Agency, CIPA, Consumer Privacy, Health, Minnesota

The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it proscribes be in those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 Million administrative civil penalty by the California Privacy Protection Agency (CPPA) against retailer Tractor Supply Company. Also, three more state consumer protection laws go into effect on January 1, 2026, which will require notice and consumer rights intake changes, if applicable. Additionally, new and amended CCPA regulations will bring new obligations for businesses starting the first of the year that need to be addressed between now and then. Also recommended is a general checkup with particular attention to enforcement priorities.

Privacy World