In this post: (1) California courts split on personal jurisdiction post-Briskin; (2) District courts dismiss VPPA claims against movie theaters & online platforms; (3) ND Cal courts find “crime-tort” exception met in non-healthcare cases (4) Jury returns verdict against Flo Health in privacy case; and (5) Privacy Plaintiffs find new theory in Colorado law.
This is our twenty-sixth installment in our data privacy litigation report covering decisions from the previous month.
There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive.
Finally, for an overview of current U.S. data privacy litigation trends and issues, click here.
Five Privacy Litigation Takeaways from July 2025 Decisions.
- California courts continue to reach opposite decisions regarding personal jurisdiction post-Briskin.
Three recent California federal court decisions underscore the ongoing uncertainty and divergence among district courts when applying the Ninth Circuit’s landmark en banc decision in Briskin v. Shopify to questions of personal jurisdiction over out-of-state defendants in privacy litigation.
In one decision, a court in the Northern District of California denied a motion to dismiss for lack of personal jurisdiction brought by a telecommunications company. The court found the company’s operation of a nationwide website, along with its alleged targeting of California consumers through privacy disclosures and geolocation tracking, was sufficient to establish personal jurisdiction under Briskin. In reaching its decision, the court found persuasive that the defendant’s website privacy policy specifically referenced compliance with California law and the company allegedly collected data from California users with knowledge of their location. The court concluded that these allegations demonstrated “purposeful direction” and “express aiming” at California, even in the absence of “differential targeting.” Citing Briskin, the court reasoned that a nationwide business model that knowingly collects data from California residents can establish the requisite minimum contacts, particularly where the privacy policy singles out California law for compliance.
A decision from a Central District of California court also dismissed a complaint for lack of personal jurisdiction. The defendant produces advanced aviation, defense, and industrial products. It also offers visitors to its website access to information related to the defendant’s global network of businesses, financial information to interested investors, and career opportunities. The website includes a search bar. The plaintiff alleged he visited the website and searched “Do employee benefits cover Diabetics like me?” The plaintiff alleged his search terms were transmitted as part of a URL to two third parties who are part of Google’s advertising network. The court, however, dismissed for lack of personal jurisdiction after rejecting the plaintiff’s argument that the defendant knew the plaintiff was accessing the website from California. The court initially found the FAC did not allege facts that the defendant knew the plaintiff was located in California. The court then continued and found such an allegation would be inconsistent with other allegations in the FAC, such that the data was intercepted in part for the purpose of identifying where a visitor was located. The court “question[ed] how Defendant could have expressly aimed its conduct at the forum state through its embedded software if one of the purposes is to identify where a visitor is located.”
By contrast, another decision from a different court in the Central District of California reached the opposite result on a similar set of facts. There, the court dismissed a privacy claim under California’s pen register statute against an out-of-state retailer for lack of personal jurisdiction, even though the plaintiff alleged the company sold and shipped products to California and installed third-party tracking software on its website. While the court acknowledged Briskin, the district court found that case distinguishable, emphasizing that the defendant was not alleged to be a nationwide or global platform and that there were no allegations it “cultivated or exploited a nationwide audience for commercial gain.” The court held that merely selling and shipping products to California residents did not constitute “express aiming” or purposeful direction under the effects test. The court also rejected the argument that the presence of a third-party technology provider in California could provide a basis for jurisdiction, reiterating that jurisdiction must arise from the defendant’s own contacts with the forum, not those of a third party.
These decisions illustrate the unsettled landscape following Briskin. While some courts interpret Briskin as expanding the scope of specific jurisdiction over companies operating interactive websites with California-facing privacy disclosures or user tracking, others continue to require a closer nexus between the defendant’s business model and the forum, particularly where the defendant is not a large, nationwide platform.
2. Two district courts dismiss claims under the Video Privacy Protection Act (VPPA) in the wake of recent circuit court decisions.
July was relatively quiet for VPPA rulings after a slew of circuit court decisions in recent months, which we addressed in prior postings found here. Two notable decisions from July, however, come from the District of Kansas and Southern District of Ohio. Both decisions granted motions to dismiss VPPA class claims and illustrate how lower courts are navigating those recent circuit court decisions at the pleading stage.
In the District of Kansas, two plaintiffs alleged that the defendant, a national movie theater operator, violated the VPPA by disclosing the plaintiffs’ personally identifiable information when they purchased movie tickets from the defendant’s website. The defendant moved to dismiss the complaint on the grounds that it was not a “video tape service provider” under the VPPA. As a refresher, the VPPA defines a “video tape service provider” as “any person, engaged in the business . . . of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials[.]”
The district court agreed with defendant that it did not meet the VPPA’s definition of “video tape service provider.” It reached this conclusion, first, based on the “overwhelming weight of authority” that “[a] movie theater who shows movies doesn’t ‘deliver’ movies within the meaning of the VPPA” to be subject to the Act. For such authority, the court cited six district courts across the county and the Ninth Circuit’s recent decision in Osheske v. Silver Cinemas Acquisition Co. from May 2025, which we wrote about here. Notably, the District of Kansas sits within the Tenth Circuit, which has not published a substantive VPPA decision recently.
Relying on the Ninth Circuit’s Osheske decision, the district court went on to analyze the VPPA’s text to conclude that although movie theaters show movies (or “audio visual materials” in VPPA parlance), they do not rent, sale, or deliver movies to fall within the ambit of the Act’s “video tape service provider” definition. The district court therefore “join[ed] the growing chorus of courts to reject plaintiffs’ theory that movie theaters are video tape service providers under the VPPA.” The court granted the defendant’s motion to dismiss and dismissed the plaintiffs’ complaint with prejudice.
Turning to the Southern District of Ohio, that case involved a defendant operating a platform of websites that provide continuing education courses through videos and other materials. The plaintiff alleged she was a subscriber to one of defendant’s websites and that her personally identifiable information was disclosed without her consent via the Meta Pixel. Defendant moved to dismiss the complaint on several grounds. The district court granted the motion, however, based on one issue: plaintiff’s failure to adequately allege the disclosure of her “personally identifiable information” (PII) as that term is defined by the VPPA.
The district court acknowledged the VPPA does not explain the scope of PII and that the Sixth Circuit has not yet weighed in on the term’s limits. The court therefore looked to the two divergent approaches taken by other circuits: (1) the First Circuit’s approach defining PII as information that is “reasonably and foreseeably likely to reveal which … videos a person has obtained”; and (2) the Third and Ninth Circuits’ more narrow approach limiting PII to “the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” Notably, however, the district court did not address the Second Circuit’s most recent application of the “ordinary person” approach which, relevant to this case, excludes from PII the lines of code transmitted by the Meta Pixel.
Nevertheless, the district court found that the plaintiff had failed to satisfy either standard under the approaches established by the First or Third and Ninth Circuits. According to the court, the complaint failed to allege that the defendant disclosed plaintiff’s Facebook ID and a URL or name of the videos she accessed, or anything else that would allow Meta to determine which particular video she watched. The court found this deficiency fatal to her claim and dismissed the lawsuit. It did so without prejudice, however, allowing the plaintiff to replead her claim in the future.
3. Two Northern California District Courts find “crime-tort exception” met in non-healthcare cases.
Two recent decisions from Northern California district courts have found the “crime-tort” exemption to the one-party exception for wiretapping liability under the Federal wiretapping act satisfied outside the healthcare sector. In both cases, the courts denied motions to dismiss and held the plaintiffs plausibly alleged that the defendant’s use of intercepted communications for targeted advertising or commercial profiling could constitute an independent tortious purpose, thus meeting the crime-tort exception to the Wiretap Act’s party consent rule.
In one decision, the court addressed allegations that a retailer embedded third-party tracking code on its website, enabling the interception of personally identifiable user data which was then used for targeted marketing campaigns. The court found that the retailer’s alleged use of this data, in direct contradiction to its own privacy policy, could amount to an invasion of privacy sufficient to trigger the crime-tort exception. The court expressly rejected the argument that a primary financial motivation—such as profiting from advertising—precludes application of the exception at the pleading stage, joining a growing number of courts holding that commercial gain does not insulate a defendant from liability where the alleged conduct independently violates state privacy laws.
Another court in the same district considered claims against a shoe retail company accused of permitting data brokers to aggregate and sell detailed user profiles derived from both online and offline activity. The court found that the plaintiffs’ allegations—that their communications were intercepted, associated with persistent identity profiles, and then monetized through a data marketplace—were sufficient to invoke the crime-tort exception. The court reasoned that commercially exploiting unlawfully obtained information for profit does not render the defendant’s purpose “licit” for purposes of the Wiretap Act, and that the exception is not limited to cases involving malicious or injurious intent.
These rulings signal a willingness among Northern California courts to allow Federal Wiretap Act claims to proceed in commercial surveillance and data monetization contexts so long as plaintiffs can plausibly allege that the use of intercepted information serves an independent tortious purpose—regardless of whether the underlying motivation is financial. This approach lowers the bar for privacy plaintiffs seeking to overcome the party exception defense and may lead to increased scrutiny of commercial data practices in the digital advertising and data brokering industries.
4. A Northern District of California jury finds Meta liable for wiretapping violations related to Flo Health App.
Although not technically a July decision (in that it was not either in July or a judicial decision), on August 1 a Northern District of California jury returned a verdict in favor of plaintiffs and against defendant Meta. The plaintiffs alleged the Facebook SDK was incorporated into the Flo Health app to use information plaintiffs and others entered regarding the sensitive health information—including their sexual health, menstruation cycles, and more—to target users with advertisements.
We have previously covered the plaintiffs’ claims against Meta and former-defendants Flo Health and Google in previous posts, including the court’s May 19 rejections of the defendants’ arguments that the privacy policies established the plaintiffs consented to the alleged recording and that the plaintiffs waived their right to participate in a class action proceeding. Our September 2024 post also provided exclusive coverage to Byte Back + members regarding the court’s award of summary judgment to Google on the “aiding and abetting” claims. Google and Flo Health both settled before the jury’s verdict, with Flo Health settling only days before the jury’s verdict.
The verdict found the plaintiffs had proven by a preponderance of the evidence that Meta intentionally eavesdropped on and/or recorded plaintiffs’ conversations with Flo Health, that the plaintiffs had a reasonable expectations that their conversation was not being overheard and/or recorded, and that Meta did not have the consent of all parties to eavesdrop on and/or record plaintiffs’ conversations. Damages have not yet been determined.
Unfortunately, transcripts from the seven-day trial will not be publicly available until later this year. Look out for future takeaways once we are able to obtain and digest that information.
5. Privacy-Plaintiffs find new theory in Colorado’s Prevention of Telemarketing Fraud Act.
Plaintiffs’ firm who commonly file wiretapping, pen registry, and similar claims have begun filing new lawsuits under the Colorado Prevention of Telemarketing Fraud Act (“PFTA”), which prohibits knowingly listing “a cellular telephone number in a director for a commercial purpose unless the person whose number has been listed has given affirmative consent . . . .” There are only three published decisions interpreting the law, with the most recent being issued in 2010. The previous two decisions were issued in 2007 and 2002. The PFTA provides statutory of damages of $300 to $500 per violation and also allows the recovery of attorneys’ fees and costs. The complaints filed to date allege the defendants violate the PFTA by listing consumers’ cell phone numbers on the defendant’s website as a “teaser” of what information could be available for purchase. We will be monitoring these cases and how courts interpret the PFTA closely.
[View source.]
