By Leeza Arbatman and Scott C. Hall
In the wake of an explosion in digital privacy litigation, courts and legislatures are redrawing some of the boundaries of what qualifies as unlawful data collection under decades-old statutes. Claims brought under California’s Invasion of Privacy Act (CIPA) and the federal Video Privacy Protection Act (VPPA) have tested how far traditional wiretap and video privacy laws can stretch to cover modern tracking technologies like pixels, session replay tools, and embedded analytics software. As these suits proliferate, courts are being asked to decide whether routine digital tracking amounts to interception, surveillance, or unauthorized disclosure of personal information.
Recent developments reflect both the tightening and expansion of privacy liability. In California, courts remain split on whether modern tracking tools qualify as “pen registers” or violate CIPA’s wiretap provisions, while a pending bill—SB 690—aims to sharply curtail such claims going forward. At the federal level, VPPA decisions have moved in divergent directions, with a growing Circuit split on what makes someone a “consumer” and what counts as “personally identifiable information.” Together, these trends show a legal landscape in flux, shaped as much by statutory interpretation as by shifting expectations around digital privacy and surveillance.
Recent decisions illustrate the divergent paths CIPA claims are taking in California and beyond. While some courts continue to reject CIPA suits targeting ordinary website tracking, others are permitting such claims to proceed—especially where plaintiffs allege unauthorized use of third-party tracking software or more invasive data collection. The result is a patchwork of outcomes that often turn on the specific tracking technologies and legal theories alleged.
Courts are divided on whether modern web-tracking tools fall within the scope of California Penal Code § 638.51, which prohibits unauthorized use of devices that capture dialing or routing information, but not communication content.
In some recent decisions, courts have permitted claims to proceed where plaintiffs plausibly alleged that tools like TikTok scripts or IP trackers functioned like pen registers or trap-and-trace devices:
Others have rejected such claims, holding that § 638.51 targets telephone surveillance and doesn’t extend to routine online tracking:
Courts assessing CIPA § 631(a) claims based on session replay tools have focused on whether the software “reads” communications during transmission. The statute prohibits unauthorized interception, but not all data capture qualifies— liability generally requires real-time comprehension or decoding.
Several decisions highlight this distinction between passive recording and active interception:
Defendants continue to win dismissal where courts find no reasonable expectation of privacy in IP addresses or where plaintiffs fail to allege a concrete injury.
Amidst these varying district court cases, the Ninth Circuit weighed in on three CIPA cases, affirming dismissal of CIPA claims in two cases, but reversing dismissal in a third case. These decisions will likely be used by both plaintiffs and defendants going forward in bringing and defending against CIPA claims:
The VPPA prohibits video service providers from knowingly disclosing a consumer’s personally identifiable information (PII) related to video viewing without consent. Congress enacted the statute in 1988 after Judge Robert Bork’s video rental history was disclosed during his Supreme Court confirmation process. Although the titles—such as Hitchcock thrillers and family films—were unremarkable, the episode sparked public concern over the ease with which viewing habits could be exposed. Following what became known as the “Bork Tapes” episode, Congress passed the VPPA to protect disclosure of consumers’ video viewing information without their consent.
In Salazar v. National Basketball Association, 118 F.4th 533 (2d Cir. 2024), the plaintiff subscribed to the NBA’s email newsletter and later viewed videos on NBA.com while logged into Facebook. He alleged that the NBA used Meta’s tracking pixel to share his personal information and viewing history and Facebook ID with Meta for targeted advertising. The Second Circuit held that the email newsletter constituted a “good or service” under the VPPA even though it was non-video content. This holding significantly expanded the definition of a “subscriber” under the statute and led to a surge in VPPA claims.
More recently, however, in Solomon v. Flipps Media, Inc., 2025 WL 1234567 (2d Cir. May 1, 2025), the Second Circuit held that sending a Facebook user’s ID and a URL containing a video title to Meta does not trigger VPPA liability. Applying an “ordinary person” standard, the court ruled that this data combination does not constitute PII because it doesn’t, on its own, reveal an individual’s viewing history without additional tools or expertise. Solomon is a major victory for defendants and is expected to significantly curb pixel-based VPPA claims in the Second Circuit. The decision aligns the Second Circuit with the Third and Ninth Circuits, reinforcing a narrower interpretation of the statute.
In Salazar v. Paramount Global, 133 F.4th 642 (6th Cir. 2025), the Sixth Circuit rejected a VPPA claim based on Meta Pixel use, narrowing the definition of “consumer” under the statute. The plaintiff alleged that 247Sports.com disclosed his video viewing history to Facebook while he was logged into his account and subscribed to the site’s newsletter. The court held that unauthorized disclosure of viewing history to Facebook constituted a concrete injury, analogizing it to common-law privacy harms. However, it concluded that Salazar did not have a “consumer” relationship with the defendant, as required under the VPPA—Salazar’s newsletter subscription didn’t qualify as a subscription to goods or services in the nature of audiovisual materials.
In Gardner v. Me-TV National Limited Partnership, 132 F.4th 1022 (7th Cir. 2025), the Seventh Circuit expanded the scope of VPPA liability by holding that plaintiffs who created free MeTV accounts to access personalized video features qualified as “subscribers” under the statute. The plaintiffs alleged that MeTV embedded Meta’s tracking pixel in its videos, transmitting their viewing history and personal data to Facebook for targeted advertising. The court found that exchanging email addresses and zip codes for personalized video access made the plaintiffs “subscribers,” emphasizing that “data can be worth more than money” in the digital economy. It adopted a broad reading of “consumer,” holding that the VPPA covers anyone who subscribes to any service from a video tape service provider, regardless of whether thesubscription is tied directly to video content. The court rejected MeTV’s argument that the plaintiffs merely subscribed to an “information service,” explaining that the statute focuses on who provides the subscription—not the specific type of content accessed. Gardner marks a significant expansion of VPPA exposure, particularly for ad-supported platforms that collect user data in exchange for personalized video features.
Together, Solomon v. Flipps Media, Salazar v. Paramount Global, and Gardner v. Me-TV illustrate the deepening Circuit split over how broadly the VPPA applies in the context of modern digital tracking. The Circuits have taken different positions on who qualifies as a “consumer” and what constitutes “personally identifiable information” traceable to a person. These cases underscore the uncertainty that remains around the VPPA’s reach in the age of ad-supported streaming and pixel-based analytics, with the permissibility of such claims now hinging heavily on jurisdiction.
Amidst the wave of CIPA litigation, the California legislature has introduced a bill to curb increasingly abusive litigation practices over website data collection that have surged over the past few years.
SB 690 amends CIPA to exempt from liability the use of recording or tracking technologies that serve a “commercial business purpose.” The exemption applies to Penal Code Sections 631, 632, 637.2, and 638.51, provisions that have been the focus of extensive litigation and have generated significant uncertainty for businesses attempting to navigate compliance. The bill aims to clarify the permissible use of common and now universally used web technologies that assist with analytics, advertising, and personalization of digital experiences. If passed, the bill will rein in what many see as an increasingly unmanageable and unpredictable wiretapping litigation landscape.
SB 690 passed the California Senate unanimously and also found strong support in the Assembly. As amended, the bill applies prospectively only—it will not affect pending cases filed before the effective date. However, the Assembly voted to advance the bill as a two-year bill, meaning that it can carry over into the 2026 legislative session and will likely delay enactment of the bill. This may prompt a further surge of CIPA filings over the next few months as plaintiffs race to file before the new limitations take effect.
As courts and lawmakers confront the realities of digital tracking and data analytics, the legal contours of privacy litigation are rapidly evolving. The mixed rulings under CIPA reveal a judiciary still grappling with how to apply legacy statutes to modern technologies, while the VPPA decisions reflect growing disagreement over the statute’s scope in a data-driven economy. At the same time, SB 690 signals a legislative push to restore predictability and limit liability for businesses engaging in routine online practices. For companies operating in the digital space, this moment represents both risk and opportunity: a chance to reassess compliance strategies as privacy law realigns, and a need to stay alert as courts and legislatures continue to reshape the rules of engagement.
If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Mari Clifford at mclifford@coblentzlaw.com for further information or assistance.