Category: Class Action

In In re U.S. Vision Data Breach Litigation, the District of New Jersey recently dismissed a putative class action related to a 2021 ransomware attack because the plaintiffs failed to adequately allege a direct relationship with the defendant, which was fatal to their claims. The plaintiffs were patients of Nationwide Optometry, a wholly owned subsidiary of defendants U.S. Vision, Inc. and USV Optical, Inc. (collectively, “USV”) until USV sold Nationwide in 2019. The plaintiffs alleged that after the sale, USV retained personally identifiable information (PII) and protected health information (PHI) of Nationwide’s patients and that Nationwide functioned as USV’s alter ego. Between April 20, 2021, and May 17, 2021, USV experienced a data breach compromising PII and PHI of more than 711,000 individuals. The plaintiffs claimed the data breach caused them to suffer identity theft risks, financial damages, and loss of privacy. The lawsuit asserted claims for negligence, breach of fiduciary duty, breach of contract, unjust enrichment, and violations of consumer protection laws. The defendants moved to dismiss, arguing that (1) merely storing the plaintiffs’ data does not create the direct relationship with them required for their fiduciary-duty, implied-contract, unjust-enrichment, consumer-fraud, and negligence claims; and (2) the plaintiffs failed to allege sufficient facts to plausibly suggest that USV and Nationwide are alter egos. The district...

In Rodriguez v. Autotrader.com, Inc., the District Court for the Central District of California dismissed, with prejudice, a class action lawsuit claiming that Autotrader.com violated the California Invasion of Privacy Act (CIPA) by allowing third-party tracking software to be installed on a website visitor’s browser before the visitor had any opportunity to consent to or decline the website’s privacy policy. The plaintiff’s complaint alleged that she was a “tester” – i.e., someone who seeks out legal violations and files lawsuits to ensure compliance – who visited the Autotrader.com website and made a search query purportedly containing confidential and private information. The complaint alleged that once a query is entered in the search bar, it is routed to unknown third parties and shared with other third parties like Google, Facebook, Pinterest, and various other advertising services. The complaint asserted that the use of the tracking technology violated California’s wiretapping and eavesdropping statute, CIPA § 631(a), as well as CIPA § 638.51, which prohibits the use of pen registers and trace devices. In January 2025, the district court dismissed the plaintiff’s CIPA § 631 claims without prejudice for lack of standing because the complaint merely alleged that the plaintiff made a search query containing confidential and private information but “fail[ed] to describe the contents of her query.”...

As we have blogged about in the past, federal district courts have seen a tidal wave of putative class actions by website users claiming violations of the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630, et seq.  These lawsuits focus on the alleged unlawful use of website tracking technologies, such as cookies, pixels, tags, and beacons, to collect and use personal information of people who visit these websites without their consent. The deluge of lawsuits has prompted courts to scrutinize CIPA claims more rigorously. As a recent example, in Smith v. Yeti Coolers, LLC, the Northern District of California dismissed with prejudice a putative class action challenging Yeti’s use of technology supplied by third-party payment processor, Adyen, to process customer purchases on its website. The lawsuit claimed that Adyen incorporated Yeti customers’ financial information into its fraud-prevention system, which it then marketed to merchants without customers’ consent. The plaintiff brought claims for violations of CIPA § 631 (anti-wiretapping) and § 632 (anti-eavesdropping) and for invasion of privacy under California’s Constitution. The court initially dismissed the complaint without prejudice because it did not “‘sufficiently allege [Yeti’s] knowledge of Adyen’s allegedly wrongful conduct or Defendant’s intent to assist Adyen in that conduct.’” The plaintiff’s Second Amended Complaint (SAC) fared no better. First, the court...

In Valenzuela v. The Kroger Co., the District Court for the Central District of California granted, for the third and last time, defendant’s motion to dismiss a class action lawsuit claiming that The Kroger Co. violated  section 631(a) of the California Invasion of Privacy Act (CIPA) by allowing third-party software (provided by Emplifi) to be embedded on its website to record consumers’ communications with the website’s chat function. The only issue before the court was whether the amended complaint plausibly alleged liability under prong four of CIPA 631(a)—“that Kroger aided and abetted Emplifi’s eavesdropping on Kroger’s website users’ chats.” In its previous ruling, the court held that merely using embedded software to archive communications, like with a tape recorder, would not give rise to a statutory violation.  Instead, to state a claim under prong four of CIPA 631(a) there must be plausible allegations explaining how Kroger knew that Emplifi engaged in conduct constituting a breach of duty, e.g. by sharing users’ data with third parties, or how Kroger itself engaged in conduct that constituted a breach of duty. Because prong four of CIPA 631(a) does not contain an explicit scienter requirement, the court applied California common law of aiding and abetting, under which aiding and abetting liability for an intentional tort can be imposed only...

In Lee v. Springer Nature America, Inc., Judge Lewis J. Liman in the Southern District of New York held that a longtime subscriber to Scientific American plausibly alleged, on behalf of a putative class, that the website violated the Video Privacy Protection Act of 1988 (VPPA) based on its use of website tracking technology. The plaintiff, a 10-year subscriber, filed a complaint alleging that Scientific American unlawfully installed a code known as “Meta Pixel” on its website. The Meta Pixel supposedly transmitted information to Meta (formerly known as Facebook) about the subscriber’s use of the site (including Facebook ID, URLs accessed, and titles of videos viewed) in exchange for Meta providing advertising capabilities to Scientific American. Scientific American moved to dismiss the complaint on two grounds: first, that the plaintiff lacked standing because he had not suffered an injury, and second, that the plaintiff did not plead the elements required to state a claim under the VPPA. Judge Liman rejected both arguments. Citing the Second Circuit’s recent decision in Salazar v. National Basketball Association, Judge Liman held that the plaintiff’s allegations that he was a subscriber to Scientific American, that Scientific American disclosed to Meta the plaintiff’s personal information (Facebook ID, URLs accessed, and titles of videos viewed), and that Meta used this information without...