Looking back on 2023, the trend of privacy-based class actions has only increased, and it doesn’t seem poised to halt or even slow down in the new year. Businesses are acutely feeling the threat of future litigation. At the end of 2022, the hundreds of cross-industry respondents to the Annual Litigation Trends Survey cited cybersecurity, data protection, and data privacy as the second-highest ranked area of future concern for class actions, and their concerns turned out to be justified. From peeved Pixel plaintiffs to data breach defendants, class actions abounded this year.
Tracking Technology Litigation
Pixels and similar website tracking and analytics technologies are nothing new or nefarious. These technologies have become ubiquitous, appearing on more than 90% of popular websites. They allow website owners to get an aggregated picture of their website visitors to help ensure they are reaching their target audience. Even so, these technologies have been the subject of scrutiny for many years—due to fears that they could be used to reveal personal information in certain circumstances. In 1999, articles described emerging privacy concerns surrounding tracking technologies—at that time often called “web bugs” or simply “clear GIFs.” The following year, the FTC mentioned these trackers in a footnote within a report that the agency provided to Congress.
In 2023, we continued to see privacy-related investigations and lawsuits focused on these technologies. The past two years saw an explosion of cases challenging the use of tracking pixels and similar technologies. Many such cases were dismissed but others drew headlines for their high-dollar settlements, which could spur even more cases in 2024.
Lawsuits over the use of trackers, cookies, and website analytics tools against hospital systems, telehealth companies, and other health care providers have exploded this year, with such claims filed against Cedars-Sinai Health System, the University of California Health System, IMB, Johnson & Johnson, Kroger, Costco, and Rite Aid to name just a few. Plaintiffs in these class actions allege that these tools violate HIPAA and other privacy standards by allowing third parties to collect information about patients’ interactions with their websites, including patients’ prescriptions, medical appointments, procedures, treatment options, and health care providers and facilities. While HIPAA has no private right of action, plaintiffs targeted these websites due to the alleged sensitivity of the data they handle.
Health information isn’t the only category of data that has received the attention of plaintiffs. Last November, a class action complaint against the Philadelphia Inquirer alleging violations of federal privacy and Pennsylvania wiretapping laws made it past the motion to dismiss, following a trend of federal Video Privacy Protection Act (“VPPA”) lawsuits alleging that Facebook IDs and similar online identifiers fall within the category of “personal information” protected by the statute. Courts, however, have not taken a uniform approach to such identifiers, with some requiring that the Facebook ID actually lead to a Facebook page itself disclosing personally identifiable information (“PII”) to be considered protected personal information. As plaintiffs attempt to wield the 1988-era statute against an ever-widening class of businesses in the context of 2023 technologies, companies’ best chance of surviving these suits has been to argue successfully that they are not “video tape service providers,” because providing video content is not a substantial portion of their business and is merely incidental to their central business, and/or that the plaintiffs bringing these suits are not “consumers” within the meaning of the statute. Because consent to sharing data under the VPPA is not practical to obtain in the internet era, the surest way to avoid litigation altogether is for companies to remove tracking pixels from webpages that host video content.
As this wave of tracking litigation continues, we have seen plaintiffs continue to cast an increasingly wide net, targeting all types of consumer-facing websites. State wiretapping laws have also been used as the basis for numerous claims related to the alleged sharing of data—including online chat conversations, button clicks, or other website activity—with third parties. Similarly, use of session replay, software that monitors and records web-user activity such as keystrokes, clicks, and scrolling, can also underlie a wiretapping claim. While we haven’t seen many lawsuits based on such claims make it to the discovery stage—due to the lack of damages—companies can help avoid the legal fight by confirming that they have appropriate consent mechanisms in place for such data use and appropriate agreements in place with any third-party service providers with whom data is shared.
Data Breach Litigation
Class actions following on the heels of massive data breaches have also permeated the courts this year. Each day seems to bring with it a new proposed class action in the same vein. For instance, a May cyberattack on Progress Software Corp. led not just to a swath of lawsuits against the company itself, but also to a proposed federal class action against Sutter Health and WellTok, Inc. for exposing patient data to the risk of data theft and for delay in notifying affected patients once the breach had been detected. Similarly, a late summer breach of an online pharmacy delivery service inspired numerous class action proposals from plaintiffs who had their information exposed. These represent just a sliver of such post-breach claims being heard in courts across the country. Even the ABA is currently battling it out over a post-breach proposed class action. These suits often allege defendants were negligent in failing to properly secure employee, customer, or user data entrusted to them and failed to implement adequate procedures to protect PII, often invoking HIPAA and/or the FTC Act. Many courts have dismissed such claims, finding that plaintiffs have not met the threshold requirement for standing to bring suit due to the lack of concrete injuries resulting from the exposure of information, but this position is hardly consistent across courts and continues to be fought in many cases.
Looking Forward to 2024
While private class actions have been the headline story all year and we expect this trend to continue, the SEC has signaled it may be ready to move against businesses not sufficiently protecting customer data in the upcoming year. New SEC rules on cybersecurity risk management strategy, governance, and incident disclosure go into effect December 18. Once the rules take effect, companies will have to comply with more burdensome incident reporting requirements, requiring disclosure within four business days of a company’s determination that a “material” “cybersecurity incident” has occurred. The new rule also requires annual disclosure of certain information regarding cybersecurity risk management, strategy, and governance.
Additionally, the expected proliferation of generative AI in the coming year could set the stage for a wave of privacy lawsuits relying on state privacy laws such as, but not limited to, BIPA and California’s CCPA as well as the Electronic Communications Privacy Act. Because generative AI tools often rely on web-scraping, companies behind their development can run the risk of harvesting vast amounts of sensitive data, including biometric or other sensitive information, without providing notice to those whose information is being aggregated. Though there is some legal precedent upholding the lawfulness of scraping publicly available data in certain circumstances, the arguments for and against have not faced widespread testing across courts. Finding an appropriate balance between protecting individual privacy and supporting rapid technological innovation will surely keep the courts busy next year.