Privacy: Plaintiffs’ Attorneys Test Theories To Bring Claims Against Companies Using Customer Data

Publication | 01.15.25

After a surge in privacy class action lawsuits in 2024, San Francisco-based Crowell & Moring partner Kristin Madigan says she expects to see more of the same in the year ahead, as plaintiffs’ lawyers continue testing out new legal theories to bring claims against any company that collects, uses, or sells customer data.

A record number of data breaches has fueled much of the rise in privacy litigation and government scrutiny, as it has become all but inevitable that a company that has been a victim of a data breach involving customer data will also get hit with a class action lawsuit and government investigation, says Madigan, who is a member of the firm’s Litigation and Privacy and Cybersecurity groups.

But less conventional suits targeting how companies handle personal customer information and the role of consumer notice and choice—even in the absence of a data breach—are increasingly common as well, says Madigan, most notably under California’s Invasion of Privacy Act (CIPA), a Cold War-era wiretapping statute passed to protect citizens from eavesdropping on private conversations. Unlike the California Consumer Privacy Act (CCPA/CPRA), CIPA provides for a broad private right of action and statutory damages.

CIPA was enacted with telephone communications in mind in 1967, decades before the internet would become commonly used by businesses to interact with customers. Then in 2021, the plaintiff in Javier v. Assurance IQ claimed an insurance company and its software provider violated CIPA when it used session replay software to record his interactions with the company’s website as he sought an insurance quote.

A California district court quickly granted a motion to dismiss for failure to state a claim on the basis that the plaintiff had retroactively consented to the recording by agreeing to the company’s privacy policy. But the 9th Circuit reversed in an unpublished opinion on the grounds that the defendant started recording the plaintiff as soon as he began inputting his personal information and that prior consent was not obtained.

The suit was dismissed in 2023 after a court ruled that CIPA’s one-year statute of limitations had lapsed before the plaintiff filed suit. But by that time, the number of CIPA claims was already on the rise, and in 2024 there were hundreds of such cases filed in California, with plaintiffs targeting not just tech companies or firms that collect sensitive personal information but also defendants in every sector, from apparel retailers to fast-food chains.

Targeting Data Analytics and Tracking Tools

The range of website technology targeted in CIPA suits has expanded well beyond session replay software. Plaintiffs have argued that widely used third-party data analytics and tracking tools and even search bars on websites violate CIPA’s prohibition on the use of pen registers, which record outgoing phone numbers, including the date, time, and length of calls, and trap and trace devices, which record incoming phone numbers.

In Greenley v. Kochava, for example, the defendant offered a software development kit to application developers that allowed the defendant to obtain geolocation data of app users, which it then sold to clients for advertising purposes. The U.S. District Court for the Southern District of California rejected the defendant’s argument that app users consented to the information sharing when they downloaded the apps but never opted out of the location sharing, and it denied the motion to dismiss, saying the software could in fact qualify as a pen register. (The court granted a joint motion to voluntarily dismiss the case in mid-October 2024, as both parties said they were near a settlement.)

In another case that survived a defendant’s motion to dismiss, the U.S. District Court for the Central District of California found that the transmission to third parties of search terms entered by plaintiffs into the search bar of a website could violate CIPA.

Most recently, a plaintiff filed suit in the Northern District of California claiming that a customer service software company violated CIPA when it surreptitiously recorded consumers’ telephone conversations with its satellite TV-provider clients, then analyzed those conversations by using artificial intelligence to identify patterns and classify the data so their clients could “optimize the [consumers’] buying journey to drive more revenue.”

What we’re seeing now is laying the groundwork for the next wave of privacy litigation, which we expect will continue to grow once AI really takes off

— Kristin Madigan

“I think what we’re seeing now is just laying the groundwork for the next wave of privacy litigation, which we expect will continue to grow once AI really takes off,” says Madigan.

Still Early Days

So far, the majority of recent CIPA complaints are still in the early stages of litigation, and court rulings have been mixed, with many not surviving defendants’ motions to dismiss.

For example, in 2024, a California Superior Court dismissed a claim on the grounds that the plaintiff failed to allege a “concrete injury in fact,” as the CIPA statute requires.

None of the recent CIPA complaints has yet been brought to trial, and one of the largest publicly disclosed settlements came in September, when Oracle agreed to pay $115 million in a case in which it was accused of tracking consumer activity without consent, in violation of CIPA.

Madigan points out that Oracle, as a data analytics company, is on the front lines of the privacy debate, but that all businesses that collect and process customer data and work with third-party providers need to pay attention.

“What’s happening with CIPA is really just an example of a larger trend,” Madigan says. “Many of the firms filing these suits are sophisticated. They are scraping your websites; they are employing technologists. They are looking for ways to at least make a prima facie evidentiary case that will survive a motion to dismiss. That theoretically raises the risk of class-wide statutory damages.”

Moreover, Madigan says, they are searching for old laws with statutory damages provisions, like CIPA, that could be dusted off and applied to new technology. Given that privacy law in the U.S. is a patchwork of federal statutes and regulations, as well as the laws of 50 states, it would not be surprising if they found more.

In fact, complaints have been filed using old CIPAlike wiretapping laws in Pennsylvania, Maryland, and Massachusetts, though not nearly in the same numbers as seen in California and without as much success so far.

Madigan says companies should take a close look at their data-sharing practices with third parties to make sure they are consistent with disclosures on their websites and that agreements are in place governing data sharing and use. Companies need to assess when to provide a data-gathering opt-out option for consumers, and in some instances, even consider adopting an explicit opt-in approach.

“It’s so important to understand your risk factors,” says Madigan. “What are the steps you are taking to mitigate that risk, and how much cover is that really giving you?”

To read more from Litigation Forecast 2025: What Corporate Counsel Need to Know for the Coming Year, visit here.

Contacts

Kristin J. Madigan
Partner
- San Francisco
  - D | +1.415.365.7233
a21hZGlnYW5AY3Jvd2VsbC5jb20=

Insights

Publication | 01.24.25

DOD Changes To List Of Chinese Military Companies May Impact Suppliers, Contractors

Publication | 01.16.25
Proactively Managing Tariff Impacts On Megaprojects
Publication | 01.16.25
The European Commission’s Draft Guidelines on Exclusionary Abuses: Toward Stricter Enforcement?
Publication | 01.15.25
Administrative Law: Big Shifts in Administrative Law

View All Insights