Vault Door

Wiretap Litigation Update

By Scott Hall and Phillip Wiese

Plaintiffs have continued to file privacy litigation at a furious pace, asserting claims under the California Invasion of Privacy Act (CIPA), the federal Video Privacy Protection Act (VPPA), and, increasingly, the federal Electronic Communications Privacy Act (ECPA). Plaintiffs have paid particular attention to the healthcare and financial services spaces, focusing on purported collection of sensitive personal information, but suits against other consumer retailers and service providers have not slowed either. These suits remain centered on modern tracking technologies like pixels, session replay tools, cookies, and embedded analytics software.

Case law on these issues remains in flux, although suits are beginning to trickle up to the appellate level for review. With respect to the VPPA, the Supreme Court is set to hear a case about how broadly the definition of “consumer” should be interpreted. Additionally, the Ninth Circuit attempted to clarify Article III standing in CIPA and ECPA claims, but lower courts have split when applying its holding. And the California federal court/state court divide continues to deepen when determining if cookies and pixels are covered by the CIPA pen register and trap and trace law. Against this backdrop of uncertainty, the California legislature is weighing whether to amend CIPA through SB 690, but there has been no movement at this point in the legislative cycle.

Supreme Court Grants Certiorari in VPPA Case

In January 2026, the Supreme Court agreed to hear Salazar v. Paramount Global, arising from the Sixth Circuit, to settle a circuit split about whether the VPPA requires that a “consumer” subscribe to audiovisual goods or services from a video tape service provider.

The VPPA prohibits a “video tape service provider” from disclosing any personally identifiable information about a “consumer.” A “video tape service provider” is someone that rents, sells, or delivers “prerecorded video cassette tapes or similar audio visual materials.” A “consumer” is “any renter, purchaser, or subscriber of goods or services from a video tape service provider.”

The plaintiff alleged that he watched video content on a college sports news site, 247Sports.com, and that his Facebook ID and video-viewing history were disclosed to Facebook by Paramount Global, the sports news site’s parent company. This disclosure, he claimed, violated the VPPA because 247Sports.com was a video tape service provider and improperly disclosed to Facebook the videos he watched on the website.[1]

The Sixth Circuit disagreed, holding that the plaintiff was not a “consumer” under the statute because while he subscribed to the 247Sports.com newsletter, that was separate from the subscription of audiovisual materials on the website. The Sixth Circuit split from the Second Circuit, which held the opposite, that newsletter subscriptions were sufficient to be a “consumer” under the VPPA, even if the newsletter had no audiovisual content.[2]

The case is likely to be heard during the Court’s 2026/2027 term and if the Court adopts the narrow definition of consumer, the result could significantly slow future VPPA litigation.

Ninth Circuit Clarifies Standing Issues with Respect to Statutory Wiretap Claims

The Ninth Circuit limited Article III standing in privacy cases in its August 2025 decision Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025). In that case, the plaintiff alleged that while browsing for pet food on a pet supply website, her browsing activity was captured by Microsoft’s session replay technology. Her claims for violation of Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) and intrusion upon seclusion were dismissed by the trial court for lack of Article III standing.

The Ninth Circuit affirmed the trial court, concluding that the plaintiff failed to allege a “concrete” injury to support her claim and that a bare statutory violation of WESCA did not satisfy the tests set forth in Spokeo and TransUnion.[3] Drawing upon TransUnion, the Ninth Circuit analyzed whether the plaintiff alleged an injury bearing “a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts.”[4] The Ninth Circuit analogized the plaintiff’s claim to the common law torts of intrusion upon seclusion and public disclosure of private facts, both of which require that any intrusion or disclosure be “highly offensive to a reasonable person,” and found plaintiff’s claims to be lacking.[5] Notably, the plaintiff did not identify any “embarrassing, invasive, or otherwise private information collected by” Microsoft’s software.[6] Plaintiff instead pleaded that the technology gathered her pet-store preferences and her street name, none of which was protected or highly offensive. Rather, the interactions were more similar to “a store clerk’s observing shoppers in order to identify aisles that are particularly popular or to spot problems that disrupt potential sales.”[7] The court noted that the result may differ in other circumstances if a greater volume of data is collected from across the internet and used to create user profiles.

Companies were quick to invoke Popa to dismiss claims, but the district courts continue to be split on the issue. Some courts have applied Popa broadly, finding that the disclosure of website browsing data was not highly offensive:

  • Garcia v. Blackhawk Network, Inc., 2026 WL 925028 (C.D. Cal. Apr. 1, 2026) (Staton, J.), holding that “informing a third party about Plaintiff’s interactions with [a] website” was not embarrassing, invasive, or otherwise private;
  • Maghoney v. Dotdash Meredith, Inc., 2026 WL 497402 (S.D. Cal. Feb. 23, 2026) (Battaglia, J.), holding that searches for allegedly sensitive health-related terms on a public-facing website were not highly offensive; and
  • Khamooshi v. Politico LLC, 2025 WL 2822879 (N.D. Cal. Oct. 2, 2025) (Kim, M.J.), holding that browsing activity, geolocation data, and “device fingerprints” were not sufficiently embarrassing, invasive, or otherwise private to support Article III standing.

Other courts distinguish Popa by finding the type of data and sheer volume of data allegedly collected cross the “highly offensive” line:

  • Harris v. iHeartMedia, Inc., 2026 WL 247875 (N.D. Cal. Jan. 29, 2026) (Lee, J.), holding that the plaintiff had standing because the data was allegedly used to create a “cradle-to-grave profile” of his web browsing activities across the internet;
  • Shah v. MyFitnessPal, Inc., 2026 WL 216334 (N.D. Cal. Jan. 27, 2026) (Pitts, J.), holding that plaintiffs had standing because they were allegedly told that sensitive information would not be shared with third parties even though it later was shared; and
  • Semien v. PubMatic Inc., 2026 WL 216333 (N.D. Cal. Jan. 27, 2026) (Illston, J.), holding that plaintiffs’ allegations that the defendant compiled detailed user profiles by tracking interactions across numerous websites and collected sensitive personal information without consent was sufficient to confer standing.

This decision may not be the panacea companies hoped for, but it, at minimum, increases the burden for plaintiffs at the pleading stage and provides a new line of attack in these challenging CIPA cases.

Divide Grows Between California State and Federal Courts in Pen Register, Trap and Trace Suits

There also appears to be a growing split between state and federal courts in California over whether tracking technology, including cookies and pixels, are pen registers or trap and trace devices that can form the basis of a CIPA section 638.51 claim. Interestingly, both state and federal courts ground their analysis in the statutory text and the legislative history yet reach conflicting results.

Section 638.51 prohibits using a pen register or trap and trace device without a court order. The state court decisions interpreting this section typically draw on the language from section 638.52 to limit the definition of pen register and trap and trace to telephone lines.[8] This cross-referenced language demonstrates that pen registers and trap and trace devices are separate from software or technology that operates on a computer or other device.[9] State courts also refer to the legislative history of section 638.51 that described the purposes as allowing law enforcement officers to monitor telephonic communications after obtaining a court order.[10]

While federal courts are obligated to interpret California laws like CIPA the same way the California Supreme Court would, there are no California Supreme Court or Court of Appeals decisions interpreting section 638.51, leaving the federal courts to apply their own standard. The federal courts have, by and large, found that sections 638.50 and 638.51 lack any limitation to telephone, and thus the legislature intended the law to apply broadly to include “evolving privacy threats.”[11] This broad statutory language, these courts hold, “is consistent with the California Legislature’s stated intent to protect privacy interests.”[12]

These conflicting decisions have led to confusion and uncertainty for companies trying to comply with CIPA. For now, section 638.51 liability may depend on the forum in which a suit is filed and the preferences of the individual judge.

No Update on California Wiretap Law Amendment

Meanwhile, plaintiffs and defendants alike continue to watch the California legislature to see whether it will pass legislation to amend CIPA. SB 690, which was introduced in February 2025 but advanced to the 2026 legislative session, would significantly curb the ongoing deluge of CIPA litigation. Specifically, the bill would exempt from CIPA liability the use of recording or tracking technologies that serve a “commercial business purpose,” targeting the near-ubiquitous pixels, cookies, and other website tracking technology.

SB 690 garnered strong support in 2025, but there has been no action thus far in the legislative cycle.

Until either the legislature or appellate courts provide clearer guidance, companies should continue to treat website tracking litigation as an active and evolving risk area. Regular review of tracking technologies, consent flows, vendor contracts, and privacy disclosures remains important, especially for businesses operating in sensitive sectors or using tools that collect data across multiple websites or services.

If your company needs assistance with any privacy issues, Coblentz Data Privacy & Cybersecurity attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com or Phillip Wiese at pwiese@coblentzlaw.com for further information or assistance.

 

 

[1] Salazar v. Paramount Global, 133 F.4th 642 (6th Cir. 2025).
[2] Salazar v. National Basketball Ass’n, 118 F.4th 533 (2d Cir. 2024).
[3] Spokeo, Inc. v. Robins, 578 U.S. 330 (2016); TransUnion LLC v. Ramirez, 594 U.S. 413 (2021).
[4] Popa, 153 F.4th at 789.
[5] Id. at 791.
[6] Id.
[7] Id.
[8] An order authorizing installation of a pen register or trap and trace device must specify: “(1) The identity, if known, of the person to whom is leased or in whose name is listed the telephone line to which the pen register or trap and trace device is to be attached. . . . [and] (3) The number and, if known, physical location of the telephone line to which the pen register or trap and trace device is to be attached . . . .” Cal. Pen. Code § 638.52(d) (emphasis added).
[9] See Schallert v. Orkin LLC, 2025 WL 4332757, at *4 (L.A.S.C. Dec. 15, 2025).
[10] Id.; see also Rodriguez v. Ink America Int’l Grp. LLC, 2025 WL 4034985, at *4 (L.A.S.C. Dec. 10, 2025) (holding that the lack of reference to website tracking technology when the law was amended in 2016 and 2022 confirms that the legislature made a “deliberate choice not to sweep ordinary website analytics” into the law’s provisions); Schallert v. Palo Alto Networks, Inc., 2026 WL 54028, at *2 (L.A.S.C. Mar. 6, 2026) (same).
[11] See Fregosa v. Mashable, Inc., 2025 WL 2886399, at *5 (N.D. Cal. Oct. 9, 2025).
[12] Walsh v. Dollar Tree Stores, Inc., 2025 WL 2939229, at *18 (N.D. Cal. Oct. 16, 2025) (quoting Shah v. Fandom, Inc., 754 F. Supp. 3d 924, 930 (N.D. Cal. 2024)).