Is Your Website a Lawsuit Target? Emerging Trends in Chat, Pixel and VPPA Cases

It has been over three years since the first wave of class action complaints and private arbitration demands emerged, alleging that technology on websites invades consumers' privacy. Numerous legal theories have since developed, with each plaintiff's counsel crafting their own unique blend of facts and arguments to support these claims. However, the key takeaway remains consistent: common tools like web pixels, beacons, cookies, chatbots, advertising software, analytics, and tracking software used on your (or your clients’) websites now put website owners at risk.

This article is the first in a series that explores the growing landscape of website privacy claims and how companies can prepare for 2025. Below, we focus on cases involving chat and pixel technologies.

Recent Developments in CIPA Section 631(a) Chat Cases

In earlier posts, we discussed the initial surge of website wiretapping litigation, primarily involving allegations of violations of the California Invasion of Privacy Act (CIPA) or similar laws in “two-party consent” states, such as Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) and Florida’s Security of Communications Act (FSCA). Most of these early cases centered on the use of a third party to facilitate website chat functions or session replay software for website analytics. Many complaints were subjected to a motion to dismiss for failure to state a claim or lack of personal jurisdiction. The outcomes have been mixed; plaintiffs are almost always granted leave to amend, and often, the cases end in voluntary dismissal, indicating settlements. Because very few of these cases have proceeded to discovery, there are only a few judicial decisions providing substantive analysis or guidance on how courts view the merits of these claims.

A significant development occurred when the United States District Court for the Central District of California issued its summary judgment decision in Gutierrez v. Converse Inc.¹ This case involved a third-party chat feature on a business website, where the plaintiff claimed that her communications with the defendant’s live agents were stored by the chat provider, alleging this constituted aiding and abetting a violation of CIPA Section 631(a). The court disagreed, ruling that the chat provider did not engage in any wiretapping as a matter of law.

First, the court clarified that Section 631(a) pertains only to “telephone communications,” which excludes the use of a smartphone to access the chat feature. Second, the court found that the chat provider did not access or attempt to access the content of plaintiff’s messages during transmission, noting that messages sent through the chat feature are encrypted while in transit and are only accessible through a password-protected dashboard after reaching the provider’s servers. Plaintiff’s argument that the provider could potentially read the messages was deemed insufficient to establish an issue of material fact. With no evidence of a CIPA violation by the chat provider, the court determined that the defendant website owner could not be held liable for aiding and abetting a non-existent violation of CIPA.

Meta Pixel Cases Gain Momentum

The surge of Meta Pixel cases, on the other hand, continues to gain momentum. Plaintiff’s attorneys have successfully argued that third-party cookies and pixels on websites from social media advertising platforms, such as Facebook (Meta) and TikTok, not only collect and share consumers’ browsing data but also share that data with the social media platform for its own purposes like targeted advertising. Doing so without prior consent, they argued, violates CIPA.

It's important to note that any "communication" on a website occurs between the user and the website owner. Users send their communications—such as clickstreams and searches—directly to the website owner, meaning the owner is not a wiretapper under CIPA. To circumvent this legal roadblock, plaintiffs have shifted their claims to assert that the website owner has “aided and abetted” Meta in Meta’s violation of CIPA. Of course, to receive targeted ads from or have a Meta user profile, users must have a Meta account and consent to Meta Terms and Conditions. This raises the question: how can there be an underlying violation by Meta? While this argument has traction, it is difficult to make at the pleading stage when constrained to the “four corners” of the complaint.

Some complaints previously claimed that the use of third-party pixels without consent violated state statutory larceny statutes. However, at least one California court has now held that browsing data is not “‘property’ capable of theft under California Penal Code Section 496,”² stating that “‘property’ must be ‘capable of exclusive possession or control’…. By its nature, browsing data is shared with a variety of service providers that facilitate access to the website at issue… [and] data is not capable of exclusive possession or control.” Defendants can also assert the defense of “user consent” to try to beat allegations of theft, although courts continue to grapple with whether or not pop-up notices adequately inform users about third-party access to their data to support a defense of informed consent.

Revival of Video Privacy Protection Act (VPPA) cases

In 2023, there was an uptick of Meta Pixel cases under what had previously been a sleeper statute, the federal Video Privacy Protection Act (VPPA). In these cases, plaintiffs alleged that a website owner’s use of the Meta Pixel resulted in disclosing users’ video-watching history to Meta, thereby violating the VPPA. Under the VPPA, “video tape service providers” are generally prohibited from disclosing certain information about consumers derived from specific video materials or services without their consent.

Originally enacted by Congress in 1988 after the disclosure of Supreme Court nominee Robert Bork’s Blockbuster rental history, the VPPA was designed to prevent the wrongful disclosure of video tape rental, sales records or “similar audio-visual materials.” However, the question arises: Do typical retail or marketing websites qualify as a “video tape service provider”? Many of these cases were dismissed in 2023 on the grounds that website owners do not meet the definition.

But VPPA “wiretapping” cases are far from over. Recently, BuzzFeed settled a class-action lawsuit for $9 million in response to accusations of violating the VPPA for sharing its user information through Meta Pixel without consent. According to the class action lawsuit, plaintiff alleges that BuzzFeed, which owns multiple websites including Huff Post, Tasty and Complex, tracks and shares its subscribers’ “personal viewing information” – specifically, Facebook IDs (FID) and video content viewed – together as one data point to Meta without consent. Since the FID uniquely identifies an individual’s Meta user account, Meta can quickly and easily locate, access and view the corresponding BuzzFeed subscriber profiles. In other words, the Meta Pixel enables BuzzFeed to share with Meta what video media its subscribers have viewed on its websites.

Another development in VPPA cases is the Second Circuit’s decision in Salazar v. National Basketball Association.³ There, as a threshold matter, the court held that plaintiff had Article III standing to bring a VPPA claim based on a breach of common law privacy. The breach involved giving “publicity to a matter concerning the private life of another, . . . if the matter publicized is of a kind that would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public” (quoting Restatement (Second) Torts§ 652D), also known as public disclosure of private facts. The disclosure at issue in this case involved a Facebook pixel on the NBA website, which allegedly collected viewers’ “personal viewing information,” including their Facebook ID, when viewing videos available on the website.

Additionally, the court also found that by subscribing to the NBA’s online newsletter, plaintiff qualified as a subscriber under the VPPA, even though the newsletter itself was not the means by which plaintiff accessed the online videos. The videos were available to anyone visiting the website. Even so, the court held that the newsletter subscription conveyed standing under the VPPA and that the pixel constituted unauthorized disclosure in violation of the VPPA. This ruling may revive what had been a slowing trend of VPPA cases.

The Evolving Landscape of Privacy Law and Litigation

As data privacy concerns continue to grow, new litigation and evolving laws are reshaping the landscape for both businesses and consumers. Companies must stay vigilant and proactive in understanding and complying with these regulations to mitigate risks associated with potential lawsuits. The emergence of new legal precedents, like those seen in recent VPPA cases, underscores the importance of really understanding how an organization collects and uses consumer data to be confident that it is respecting privacy rights and expectations.

The Cybersecurity and Data Privacy team at Buchanan delivers comprehensive strategies for managing data privacy and cybersecurity challenges. We specialize in both compliance and litigation, with extensive experience in handling website wiretapping issues, including tracking and tracing. Our team has defended clients in a variety of contexts, from mass arbitrations to class actions, in courts nationwide. Our approach focuses on understanding our clients' business and marketing objectives, working collaboratively to achieve those goals while mitigating data privacy risks. Additionally, we offer a flat fee website auditing service designed to identify potential areas of risk and exposure. For more information about our flat-fee auditing service, click here to view our brochure, and reach us at cyber@bipc.com.