In In re U.S. Vision Data Breach Litigation, the District of New Jersey recently dismissed a putative class action related to a 2021 ransomware attack because the plaintiffs failed to adequately allege a direct relationship with the defendant, which was fatal to their claims. The plaintiffs were patients of Nationwide Optometry, a wholly owned subsidiary of defendants U.S. Vision, Inc. and USV Optical, Inc. (collectively, “USV”) until USV sold Nationwide in 2019. The plaintiffs alleged that after the sale, USV retained personally identifiable information (PII) and protected health information (PHI) of Nationwide’s patients and that Nationwide functioned as USV’s alter ego. Between April 20, 2021, and May 17, 2021, USV experienced a data breach compromising PII and PHI of more than 711,000 individuals. The plaintiffs claimed the data breach caused them to suffer identity theft risks, financial damages, and loss of privacy. The lawsuit asserted claims for negligence, breach of fiduciary duty, breach of contract, unjust enrichment, and violations of consumer protection laws. The defendants moved to dismiss, arguing that (1) merely storing the plaintiffs’ data does not create the direct relationship with them required for their fiduciary-duty, implied-contract, unjust-enrichment, consumer-fraud, and negligence claims; and (2) the plaintiffs failed to allege sufficient facts to plausibly suggest that USV and Nationwide are alter egos. The district...

In Rodriguez v. Autotrader.com, Inc., the District Court for the Central District of California dismissed, with prejudice, a class action lawsuit claiming that Autotrader.com violated the California Invasion of Privacy Act (CIPA) by allowing third-party tracking software to be installed on a website visitor’s browser before the visitor had any opportunity to consent to or decline the website’s privacy policy. The plaintiff’s complaint alleged that she was a “tester” – i.e., someone who seeks out legal violations and files lawsuits to ensure compliance – who visited the Autotrader.com website and made a search query purportedly containing confidential and private information. The complaint alleged that once a query is entered in the search bar, it is routed to unknown third parties and shared with other third parties like Google, Facebook, Pinterest, and various other advertising services. The complaint asserted that the use of the tracking technology violated California’s wiretapping and eavesdropping statute, CIPA § 631(a), as well as CIPA § 638.51, which prohibits the use of pen registers and trace devices. In January 2025, the district court dismissed the plaintiff’s CIPA § 631 claims without prejudice for lack of standing because the complaint merely alleged that the plaintiff made a search query containing confidential and private information but “fail[ed] to describe the contents of her query.”...

As we have blogged about in the past, federal district courts have seen a tidal wave of putative class actions by website users claiming violations of the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630, et seq.  These lawsuits focus on the alleged unlawful use of website tracking technologies, such as cookies, pixels, tags, and beacons, to collect and use personal information of people who visit these websites without their consent. The deluge of lawsuits has prompted courts to scrutinize CIPA claims more rigorously. As a recent example, in Smith v. Yeti Coolers, LLC, the Northern District of California dismissed with prejudice a putative class action challenging Yeti’s use of technology supplied by third-party payment processor, Adyen, to process customer purchases on its website. The lawsuit claimed that Adyen incorporated Yeti customers’ financial information into its fraud-prevention system, which it then marketed to merchants without customers’ consent. The plaintiff brought claims for violations of CIPA § 631 (anti-wiretapping) and § 632 (anti-eavesdropping) and for invasion of privacy under California’s Constitution. The court initially dismissed the complaint without prejudice because it did not “‘sufficiently allege [Yeti’s] knowledge of Adyen’s allegedly wrongful conduct or Defendant’s intent to assist Adyen in that conduct.’” The plaintiff’s Second Amended Complaint (SAC) fared no better. First, the court...