In this post: (1) Website tracking litigation risk remains as SB 690 is designated “two-year bill”; (2) Second Circuit reinforces narrower interpretation of PII to “shut the door for Pixel-based VPPA claims”; (3) Courts require individualized harm to establish standing; (4) Dismissals increase where plaintiffs fail to provide detailed allegations; and (5) Courts split on whether commercial intent can defeat application of “crime-tort exception” under federal ECPA.
There are many courts currently handling data privacy cases across the nation. Although illustrative, this update is not intended to be exhaustive. If there is another area of data privacy litigation about which you would like to know more, please reach out. The contents provided below are time-sensitive and subject to change.
Five Privacy Litigation Takeaways from May 2025
1. SB 690 advances but faces delay; website tracking litigation risk remains.
On July 2, 2025, the California Assembly designated SB 690 a “two-year bill,” pushing any potential enactment to 2026 at the earliest. As we previously covered, SB 690 would modify several sections of California’s CIPA that have been favored by plaintiffs to allege violations by ad-tech on websites. The modification would expressly negate application of the laws to activity done for “a commercial business purpose.” The bill passed the California Senate unanimously in June but was first amended to remove a provision that allowed the bill to apply retroactively to any case pending as of January 1, 2026. Proponents of the bill believe SB 690 merely clarifies the scope of the existing laws, which proponents believe were intended to apply to telephones and not ad-tech on websites. Courts, however, have repeatedly applied the laws to websites.
At the Assembly hearing, opponents of the bill raised concerns that the bill could have unintended consequences on marginalized communities by, for example, permitting companies to collect and share sensitive information such as immigration status and reproductive health information with both private entities and governmental agencies. To allow more time to study and consider these issues, SB 690 was designated a two-year bill.
As a result, the litigation environment for website tracking technologies remains unchanged for the remainder of 2025, with businesses and privacy advocates continuing to watch the bill’s progress closely.
2. The Second Circuit Reemphasizes its Narrower Interpretation of “Personally Identifiable Information” under the Video Privacy Protection Act (VPPA)
Last month, we wrote about the Second Circuit’s decision in Solomon v. Flipps Media, Inc., which adopted the Third and Ninth Circuits’ narrower definition of “personally identifiable information” under the VPPA. A little over a month later, the Second Circuit issued another decision in June solidifying its Solomon decision and providing even stronger defenses to businesses facing VPPA claims premised on the Meta Pixel.
The June decision involved VPPA class claims against a professional sports league for allegedly using the Meta Pixel on its website and app to disclose plaintiff’s “personally identifiable information” to Facebook. Like the claims in Solomon, the plaintiff alleged that the disclosure occurred via lines of code that included video titles the plaintiff had watched and plaintiff’s Facebook ID. The plaintiff included an example of this code in his complaint.
As a reminder, the VPPA defines “personally identifiable information” to include “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” In Solomon, the Second Circuit adopted an “ordinary person standard” to apply this definition, which looks to whether the disclosed information would readily permit an ordinary person to identify a plaintiff’s video-watching behavior.
In September 2024, a district court granted the defendant’s motion to dismiss. After plaintiff appealed, the Second Circuit issued its Solomon decision in May 2025 and an earlier decision in Salazar v. National Basketball Association in October 2024, which expanded the VPPA’s application. In such scenarios—where relevant appellate decisions are issued after a district court’s ruling—the Second Circuit will usually remand a case for the district court to review and incorporate those newer decisions. Here, however, the Second Circuit panel found that remand was unnecessary because Solomon was dispositive of the present case and could lead to “one result only.”
The panel affirmed the district court’s dismissal by reiterating Solomon’s holding that “personally identifiable information” only includes “information that would allow an ordinary person to identify a consumer’s video-watching habits,” and not information that “a sophisticated technology company could use to do so.” Applying Solomon to the present case, the panel found that an ordinary person, without technical assistance or annotation, could not plausibly identify the plaintiff’s personally identifiable information from the lines of code transmitted to Facebook via the Meta Pixel.
The panel went one step further by stating that “Solomon effectively shut the door for Pixel-based VPPA claims.” The panel therefore also denied the plaintiff an opportunity to amend his complaint, noting that it would not make a difference (post-Solomon) if the complaint added allegations that (i) Facebook had the capacity to translate the lines of code into a readable format, (ii) ChatGPT and other common tools could be used to translate the code, or (iii) 75% of Americans have a Facebook account. On the final point, the panel found that Facebook’s ubiquity would have no bearing on the ability of ordinary people to interpret the Pixel communication depicted in the plaintiff’s complaint.
3. Courts continue to demand individualized harm to establish Article III standing.
Federal courts remain skeptical of privacy lawsuits that rely on generalized allegations about website tracking or data collection. Recent decisions reinforce that to survive a motion to dismiss, plaintiffs must allege specific facts showing that their own sensitive or protectable information was collected or disclosed—mere speculation about what tracking technologies could do, or general claims about privacy violations, are not enough.
In a June 27 decision from the Northern District of California, the court dismissed a CIPA trap and trace claim against a transportation company, holding the plaintiff did not allege any concrete, individualized harm or that any of his own protectable personal information was collected. The court reiterated that general allegations about privacy invasions or data tracking are insufficient for standing; plaintiffs must show a particularized injury affecting them personally.
Three days later, a Central District of California court issued a decision that dismissed a CIPA “trap and trace” claim for lack of Article III standing after finding the plaintiff failed to allege any concrete or particularized injury. The complaint relied on generic, hypothetical allegations about the TikTok Cookie’s capabilities, but did not identify any actual personal information collected from the plaintiff or any harm suffered. The court emphasized that standing requires specific allegations about the plaintiff’s own experience, not just what the technology could theoretically do.
These two decisions contrast with a June 13 decision from a Southern District of California court, which found standing was adequately alleged where the plaintiff specified that she entered sensitive personal and health information while seeking telehealth services and plausibly claimed that this information was intercepted by third parties. The court focused on the plaintiff’s allegations that she actually had a condition for which she was seeking medical treatment.
4. Courts demand specific, fact-based allegations to survive dismissal under Rule 12(b)(6).
Consistent with our third takeaway above, our fourth takeaway also emphasizes the level of factual detail courts are increasingly requiring plaintiffs to provide to avoid dismissal. Whereas the third takeaway focused on the detail supporting the harm the plaintiff allegedly suffered, the fourth takeaway focuses on what level of detail a plaintiff must provide to avoid dismissal for failing to state a claim. Plaintiffs must go beyond generic descriptions or hypothetical examples and must clearly allege what information they personally provided, what was actually intercepted or disclosed, and how the data relates to protected interests.
In our first of three examples, the court dismissed claims against a hospital and health system for allegedly sharing protected health information with Meta via Pixel, finding the plaintiff’s allegations too vague and generalized. The complaint failed to specify what information the plaintiff actually searched for or provided on the website, what was transmitted to Meta, or whether any of the information related to her personal health or patient status. The court emphasized that hypothetical examples and descriptions of what could have happened are insufficient; plaintiffs must detail the actual data involved. Even if the plaintiff had provided this information, however, the court found the disclosure of browsing history was not a disclosure of PHI. The court noted the plaintiff did not allege she accessed a patient portal, scheduled an appointment, or did anything not accessible to a member of the general public.
Similarly, in our second decision, the court dismissed CIPA claims against a well-known restaurant, holding the complaint lacked sufficient detail about the plaintiff’s own interactions with the website. The complaint provided only a brief, generic description of browsing and booking activity, without identifying what specific information was entered, which pages or buttons were used, or what data was intercepted by Meta. As with our first example, the court continued and found even with additional information the plaintiff would likely be unable to state a claim because “Plaintiff’s FAC falls short of alleging that the ‘contents’ of communications, as opposed to ‘record information,’ were intercepted.” The court found “button clicks” were more akin to record information and outside the scope of Section 631.
In contrast, in our third decision, the court allowed a Section 631 claim to proceed where the plaintiffs offered detailed, fact-specific allegations—supported by screenshots and a video demonstration—showing Google Analytics intercepted sensitive mental health information in real time as users interacted with the website. The court noted Google itself promoted the “real time” capabilities of the software. The court found that these well-pleaded allegations plausibly established both the “in transit” and “reading” requirements under the statute and rejected the defendant’s attempts to introduce competing technical evidence at the pleading stage.
5. Courts split on whether crime-tort exception has been met when the primary purpose is commercial.
Two June decisions highlight a growing split among courts evaluating the “crime-tort” exception to the federal wiretapping act’s (the “ECPA”) one-party consent rule. Whether a privacy plaintiff can proceed often turns on whether the complaint plausibly alleges that the defendant’s primary motivation for intercepting or disclosing communications was to commit a criminal or tortious act—such as a knowing HIPAA violation—rather than merely for commercial gain or analytics.
A District of Massachusetts court dismissed ECPA claims against a healthcare company, holding the crime-tort exception did not apply. The court found the plaintiffs failed to allege facts showing that the defendant’s primary motivation for installing tracking technology was to commit a crime or tort, as opposed to pursuing commercial gain or marketing benefits. The court made clear that commercial purposes—even if they result in unauthorized data sharing—are not enough to invoke the exception; specific, non-conclusory allegations of intent to commit a crime or tort at the time of interception are required.
The next day, a Southern District of New York court allowed the ECPA claims to proceed against a remote health company, finding the plaintiffs plausibly alleged the crime-tort exception applied. The complaint included detailed factual allegations that the defendant intentionally used tracking pixels and APIs to disclose users’ PHI to Facebook for marketing purposes, in violation of HIPAA. The court emphasized the plaintiffs specifically pled the secondary act of unauthorized dissemination—not just the interception itself—as the criminal or tortious act, and cited similar recent decisions sustaining ECPA claims where HIPAA violations were the alleged objective.