Plaintiff law firms have embarked on numerous class action lawsuits related to online “surveillance” or “web tracking.” Fueled by media reports1 and stepped-up regulatory enforcement activity,2 this new wave of privacy litigation challenges the leading forms of apps and tools related to consumer experiences online. Targeted defendants range from manufacturing to healthcare to retail to media to financial services. The new lawsuits rely on novel and often strained interpretations of existing laws and legal doctrines, even though many of the tools at issue have been used for commercial purposes for years.
Targeted Tools
At a high level, and unlike more traditional data breach litigation, these class action lawsuits arise out of voluntary relationships between consumers and the various entities whose website domains support the services they provide to such consumers. These entities collect information about the interaction of such consumers with those websites to improve such services and to offer additional and related services. The tools targeted in these lawsuits include:
-
Meta Pixel, which captures and shares, including with Meta, certain types of information about consumers’ interaction with specific websites.
-
Session replay software, which monitors specific consumer interactions with certain websites; specifically, such tools record mouse clicks, keyboard strokes, video activity, or cursor movements.
-
Chatbots, which use artificial intelligence tools to assist and guide consumers who interact with certain websites.
Types of Claims
The lawsuits rely on a variety of federal statutes, state laws, and principles of tort and contract law, including:
-
federal and state anti-wiretapping laws;
-
negligent misrepresentation;
-
“intrusion upon seclusion;”
-
invasion of privacy;
-
breach of contract; and
-
breach of fiduciary duty.
While plaintiffs’ attorneys have filed novel pleadings and are making interesting legal arguments about these issues, the success of such efforts remains to be seen.
Recurring Issues
Several pivotal issues consistently arise in these lawsuits.3 First, often at issue in these cases is whether entities obtained proper consent from consumers for data collection and other activities related to these tools. Specifically, courts are considering whether prior consent from consumers for such activities is necessary and what format such consent must take.
Second, courts are debating whether electronic communications are involved in these activities and whether website analytics providers are “parties” to communications between a tracking tool operator and a consumer. This is of particular concern in cases involving one-party consent statutes.
Finally, courts are revisiting what constitutes “content” for purposes of electronic communications, given the implications for consumer consent to such activities.
Litigation Avoidance
Website owners and supporting vendors can take the following practical steps to address some of the key issues that can arise in litigation:
-
Website owners should identify the information their website collects, how it is collected, for what purpose it is collected, and with whom such information is shared. Such companies should ensure their contracts with third-parties’ services used to improve the website and user experience or commercialize the collected data address data ownership, data privacy, and data security concerns.
-
Website owners should consider whether consent and what format of consent, is necessary for these activities.
-
Website owners should ensure that their website privacy policies provide clear and accurate disclosures and include resources required for state-specific compliance, such as the California Privacy Rights Act (“CPRA”).
Polsinelli’s Assessment
-
Class Certification – Undoubtedly, the largest driver of valuation of these cases will be the prospect of class certification. The wide variability of knowledge, consent, and acceptance by consumers of data-sharing in general and commercialized web tracking, in particular, will present a large hurdle for certification.
-
Laches/Statute of Limitations – Plaintiffs will need a colorable basis on an individual and class-wide basis to explain when and how their causes of action accrued and why they are still timely today.
-
Injury and Causation Issues – Given the pervasiveness of some of the challenged practices in recent years, plaintiffs may have difficulty establishing injury-in-fact and proximate cause linking an alleged injury to the defendants.
-
Business-to-Business (“B2B”) Issues – Privacy compliance is generally viewed as non-delegable absent unusual circumstances. Thus, the participants here may have litigation exposure and will need to preserve their B2B remedies.
-
Statutory Damages – It remains to be seen whether plaintiffs will be able to sidestep the traditional common law and class certification defenses with claims for statutory damages under such state laws as CPRA, CIPA, and CMIA.
Please contact us for assistance on these issues, specifically with regard to our analysis of ongoing litigation developments and the litigation avoidance measures noted above.
Contributors to this client alert include Polsinelli Shareholder Elizabeth Harding and Associates Colin Black and Adam Garcia.
1 Anson Chan, Pixel Hunt – Facebook is Receiving Sensitive Medical Information from Hospital Website, The MarkUp (June 16, 2022).
2 See Office for Civil Rights, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, U.S. Dept. of Health & Human Servs. (Dec. 1, 2022).
3 Last month’s ruling in the closely watched In re Meta Pixel Healthcare Litigation, Case No. 22-cv-03580 (N.D. Cal.) extensively analyzes the merits issues of these cases. While the court ultimately denied preliminary injunctive relief against Meta, and thus did not need to reach the merits in a definitive way, the opinion clearly signals that these will be complex, fact-intensive cases to litigate.