Greetings CIPAWorld!

As we head into New Year’s, when millions of us make those last-minute holiday purchases or finally buy the gifts you promised in those IOUs handed out during the holidays and plan New Year’s celebrations, a California federal court delivered a lesson about digital privacy. In Posadas v. Goodyear Tire & Rubber Co., No. 23-cv-0402-L-DDL, 2024 U.S. Dist. LEXIS 228992 (S.D. Cal. Dec. 13, 2024), what started as a case about website tracking evolved into a deeper look at the challenges of proving privacy harm.

Think of it as complaining someone could have read your diary without proving they actually did—or that reading it caused real harm. Not exactly a winning argument, right? That’s essentially what Judge Lorenz found when examining Plaintiff’s claims about Goodyear’s session replay software, which recorded everything from mouse movements to keystrokes. In TransUnion L.L.C. v. Ramirez, 594 U.S. 413, 424 (2021), the Court explained that feeling watched isn’t enough; privacy injuries must mirror harms traditionally recognized as providing a basis for lawsuits in American courts.

Here, Plaintiff’s challenge was simple but insurmountable: they couldn’t say what specific private information Goodyear actually captured. Relying on Friends of the Earth, Inc. v. Laidlaw Env’t Servs., Inc., 528 U.S. 167, 180-81 (2000) and Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016), the Court emphasized that claims of injury can’t be “conjectural or hypothetical”—they must be concrete and real. Why? Because if courts allowed vague “what if” arguments to proceed, privacy lawsuits would spin out of control. It’s not enough to say a company could track everything. You need to show what they actually tracked and how it hurt you. This makes sense.

So, for my privacy law gurus, this is where privacy law gets spicy. Even if Goodyear captured sensitive data like credit card numbers, the Court, following In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014) considered this mere “record information” rather than protected communication. In essence, it’s like saying the fact that you wrote in your diary isn’t as protected as what you actually wrote. This distinction might seem technical, but it fundamentally shapes how courts continue to view online privacy.

With this in mind, the Court acknowledged that session replay technology could enable serious privacy violations. However, relying on Hernandez v. Hillsides, Inc., 47 Cal. 4th 272, 286 (2009) and In re Vizio, Inc., 238 F. Supp. 3d 1204, 1233 (C.D. Cal. 2017), the Court explained that routine website analytics don’t typically qualify as “highly offensive” privacy invasions. So, the key question now becomes: When does normal website tracking cross the line into true privacy violations?

Let me break this down to a practical example. Every time you shop online, websites track countless details about your visit. But which of those details, if captured, would actually violate your privacy in a legally recognizable way? As Judge Lorenz’s analysis shows, Davis v. Facebook, Inc. (In re Facebook Inc. Internet Tracking Litig.), 956 F.3d 589, 598 (9th Cir. 2020), privacy rights include the individual’s control of information concerning his or her person—but proving you’ve lost that control requires more than just showing someone could have accessed your information.

This decision doesn’t say privacy doesn’t matter. Instead, it teaches us something crucial about proving privacy violations. The gap between feeling watched and legally proving harm is wider than most people realize. Understanding this distinction becomes increasingly important as we continue shopping, clicking, and sharing online.

Ultimately, Judge Lorenz dismissed the case with prejudice, finding Plaintiff lacked standing to sue and failed to state viable claims under both CIPA and intrusion upon seclusion. The Court concluded that after the original Complaint and two amendments, Plaintiff still couldn’t identify specific personal information captured by Goodyear or demonstrate concrete harm from its collection. In turn, this sends a clear message that privacy claims need more than general assertions of tracking to survive in federal court.

All in all, privacy claims aren’t about what could happen—they’re about what did happen and how it hurt you. Tomorrow, I’ll wrap up 2024 with a breakdown of the Court’s decision on Zillow.com, tackling online real estate and privacy. You won’t want to miss it!

As always,

Keep it legal, keep it smart, and stay ahead of the game.

Talk soon!