Hi, CIPAWorld!

The District of Massachusetts just issued a huge win for the defendant in a spy pixels class action and dismissed the case altogether for lack of standing!

In Campos v. TJX Companies, Inc., No. 24-cv-11067, 2025 WL 360677 (D. Mass. Jan. 31, 2025), Plaintiff Campos filed a putative class action against Defendant TJX Companies (“TJX”), alleging that Plaintiff TJX embedded a “spy pixel” in its promotional emails which collected certain information about the email and its recipients, including the email address, the subject of the email, when it was opened and read, the recipient’s location, the length of time the recipient spent reading the email, whether it was forwarded or printed, the recipient’s email service, et cetera. Although Plaintiff conceded that she subscribed to TJX’s email list, she said that TJX nevertheless collected this information without her consent or the consent of other class members. Plaintiff claimed that this lack of consent formed the basis of TJX’s violation of the Arizona Telephone, Utility and Communication Service Records Act, which makes it a crime for a person to “[k]nowingly procure, … [a] communication service record of any resident of [Arizona] without the authorization of the customer to whom the record pertains or by fraudulent, deceptive or false means.” Id. at *1 (second and third alterations added).

In response, TJX filed, inter alia, a Rule 12(b)(1) motion to dismiss for lack of standing, arguing that the Plaintiff could not establish an injury-in-fact. To determine whether Plaintiff suffered an injury-in-fact based on a violation of privacy, as claimed here, the Court explained that there must be a “‘close relationship’ between, on one hand, Defendant’s alleged procurement of Plaintiff’s data relating to her opening of promotional emails and, on the other hand, a traditionally actionable harm under common law.” Id. at *3 (internal citation omitted).

The Plaintiff first likened her injuries to the tort of intrusion upon seclusion, which requires an intentional intrusion and one that “would be highly offensive to a reasonable person.” Id. The cause of action is aimed at protecting deeply personal, private, or confidential matters. The Court, however, wasn’t buying it:

Some of this information clearly does not implicate Plaintiff’s privacy or seclusion. For instance, Plaintiff’s email address was certainly not private, given that she provided it to Defendant when she consented to receive the promotional emails. Nor was there anything particularly privacy about the email’s subject or other content, as Defendant authored the email and therefore would have known the subject and content with or without the pixels and thus without any impact on any privacy interest asserted by Plaintiff.

Id. at *4 (emphasis added). While the Court found that the individualized data about whether, when, where, and for how long Plaintiff read TJX’s emails presented a closer question, the Court still found this distinguishable from the idea of covert surveillance. Specifically, it explained that “a glimpse into Plaintiff’s email inbox is a far cry from peeking into her upstairs window, particularly where she voluntarily subscribed to Defendant’s emails and where there is no allegation that the spy pixels intruded into any other private area of her email inbox or computer.” Id. (emphasis added).

In a footnote, the Court noted that “Plaintiff’s allegation that the spy pixel tracked whether the email was forwarded gives the Court some pause, as it comes the closes to tracking ‘unrelated personal messages.’” Id. at *6, n.3 (emphasis added). However, it dismissed this issue because Plaintiff did not allege that the pixels could track the recipient or the content of the forwarded message. Indeed, “the simple act of forwarding, without more, does not rise to the level of substantial intrusion into Plaintiff’s private affairs.” Id.

Plaintiff also attempted to liken her harm to other privacy statutes which give rise to standing, but to no avail. First, she analogized her harm to cases under the TCPA. The Court rejected this argument on the basis that plaintiffs in TCPA cases received unconsented to and unsolicited communication, whereas Plaintiff subscribed to TJX’s messages and frequently opened them. Second, it found that Plaintiff’s reliance on the Video Privacy Protection Act, which prohibits disclosure of an individual’s rental and sale records, was misplaced because Plaintiff did not allege any such disclosure. And finally, it found that the information protected by the Illinois Biometric Information Privacy Act—a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry—to be decidedly more personal than the information at issue in Plaintiff’s Complaint.

Accordingly, the Court dismissed Plaintiff’s complaint for lack of standing. Plaintiff’s allegations just didn’t cut it—without a concrete injury, there’s no standing, and without standing, there’s no case. This ruling reinforces that not every data collection claim fits within traditional privacy harms, especially when the user voluntarily engages with the service. It’s a significant win for defendants facing similar claims and one to keep an eye on moving forward.