Courts Remain Conflicted on Tracking Tech as Cases Increase
As lawsuits over tracking technologies increase rapidly, some courts have managed to narrow the scope of older statutes, countering the litigation wave, said panelists during an Interactive Advertising Bureau (IAB) webinar Wednesday. But other courts remain split on the reach of these laws, they added.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Since 2022, more than "3000 plus class actions litigation" were filed "involving pixels, cookies, session replay and chat widgets,” said Eva Yang, a Norton Rose attorney. And that figure is "just publicly filed lawsuits ... the tip of the iceberg,” and doesn’t include demand letters or arbitration.
But outside of those filed in the health care context, there “are not high exposure claims,” she added. It’s just plaintiffs’ counsel seeking damages, and once “you pay them, they'll go away” and “won't come back.”
Yang said the California Privacy Protection Agency’s (CalPrivacy) largest settlement, $1.55 million against Healthline, exemplifies this (see 2507010069). A retailer collecting your data after you shop is “not the same as going to a health care provider and providing confidential information about your health conditions.”
She discussed two California Invasion of Privacy Act (CIPA) cases that ruled in the opposite direction on standing.
In Price v. Converse (docket 2:24-cv-08091), Yang said the U.S. District Court for Central California asked, “What right of privacy do you have in your device information?” (see 2510270015). It ruled that claims “alleging that all the software is doing is gathering data involving your device and browser information and geographic information" are insufficient.
But in a similar case, the more recent Camplisson v. Adidas (docket 3:25-cv-00603), the U.S. District Court for Southern California let the proceedings continue (see 2512010012). “There's no uniform guidance from the appellate courts,” Yang said, and a district court ruling “depends on the judge you get.”
Concerning federal statutes, like the Video Privacy Protection Act (VPPA) of 1988, “there's been a lot of narrowing in this context” as well.
Though Adam Eisler, legal counsel at IAB, agreed, he cited the U.S. Supreme Court's refusal to review NBA v. Salazar recently (see 2512080052) as “less than favorable news.” A high court ruling on that VPPA case could have clarified a circuit split on the meaning of consumer under the law (see 2508190026). “It is a complete mess,” he added.
Yang noted that the lawsuits are targeting "any type of tracking technology.” Eisler agreed, and said it’s “increasingly clear” that the suits are less an attack "on any one particular piece of technology," and more a challenge against "the general practices of maintaining a website … and, of course, digital advertising.”
Combating the Claims
When a company receives a claim, the first thing it should do is a forensic analysis of its website, said Elizaveta Egorova, senior director at FTI Consulting. Determining what technologies fired and when, as well as understanding data flows and vendor involvement, is very important.
Courts “consistently dismiss” cases “involving metadata only or benign analytics events” where plaintiffs fail to “show the concrete harm or meaningful disclosure” of data, Egorova said. “Forensic steps that allow us to replace these assumptions and screenshots with actual evidence” are helpful defenses.
Sometimes, performance cookies are "alleged as tracking technologies,” she said, because many attorneys lack a “good understanding” of what "tracking technologies do.” So, having a technical understanding of what each technology does is important as well.
Additionally, a “privacy notice should say exactly what the website is doing,” Egorova said.
Yang agreed. “Definitely disclose as much as you can in the privacy policy,” as it is “a huge focus” in litigation. When a company has a privacy policy that's "clear and conspicuous, and [users] consented to it, and it discloses everything," it's generally a "strong defense.”
Other defenses include the party defense, or the idea that “a company cannot eavesdrop on its own conversation;” ensuring that no pixels fire before consent to do so is given; and contractual defenses using a company’s terms of use, Yang said.
Egorova said adtech governance programs can also help reduce litigation exposure. “Proactive analysis and remediation” help align company technology and behavior with user expectations, and the last step is constant monitoring and testing.
The takeaway is that "ethical governance" is vital, not only as a reaction to charges, "but companies [also] need to think about how to protect themselves going forward," Egorova said.
But, as Yang noted, a company “can do all of this" and have "the best protocol[s] in place” and “still get a demand letter.” There's "no 100% risk mitigation strategy."
Eisler said plaintiffs’ counsel isn't alone in seeking retribution. The FTC is "very much interested in third-party trackers,” but mitigating risk for litigation can also “ward off some regulatory investigation.”