FAFO in federal court: Hacker who bragged on Hulu documentary slammed with liability under federal law

Plaintiff sued defendant for unlawfully accessing plaintiff’s email account and publishing more than sixty private emails on social media. Defendant had repeatedly claimed credit for the hack in a Hulu documentary, on social media, and in podcast appearances. Plaintiff brought several claims in federal court, including claims under the Stored Communications Act, the Computer Fraud and Abuse Act, and invasion of privacy under Tennessee common law.

Plaintiff asked the court to enter summary judgment on liability, arguing that defendant’s own public statements confirmed every essential element of the Stored Communications Act and invasion of privacy tort claims.

The court ruled that defendant was liable under the Stored Communications Act and for public disclosure of private facts. It denied summary judgment on the Computer Fraud and Abuse Act claim because plaintiff had not presented sufficient evidence of economic loss. But that issue remains open for trial.

The court ruled this way because it found that defendant gave repeated, detailed accounts of how he accessed plaintiff’s email account, changed the password, and took control. Plaintiff submitted additional evidence that it lost access to the account during the same period. The court held that this conduct met the elements of unauthorized access under the Stored Communications Act and that the publication of dozens of personal emails, including intimate messages and communications from family members, qualified as highly offensive under Tennessee law.

McKamey v. Yerace, No. 3:21-CV-00132, 2024 WL 7147987 (M.D. Tenn. January 15, 2026)

Facial recognition missteps lead to dismissal in New York criminal case

A criminal defendant sought dismissal of a criminal charge for aggravated harassment in the second degree. An issue arose after law enforcement identified defendant using facial recognition technology operated by the FDNY, rather than approved NYPD methods. The investigation included unauthorized use of Clearview AI software and unlawful access to DMV records, which led to a digitally altered photo being included in a lineup that resulted in defendant’s identification.

Defendant asked the court to dismiss the case, arguing that the government violated its discovery obligations and denied defendant a speedy trial. Defendant claimed that critical evidence, including AI-generated facial recognition materials and records showing how the DMV photo was altered, had not been disclosed in time and that the government had failed to act with due diligence in obtaining and producing them.

The court ruled that the criminal case must be dismissed. It found that the government failed to file a valid certificate of compliance and was not ready for trial within the time limits required by New York’s speedy trial statute.

The court ruled this because the government relied on investigative tools that violated both policy and law, including the use of unauthorized AI facial recognition and improper access to protected DMV data. The government also failed to adequately pursue and disclose relevant records from FDNY and NYPD sources. The court concluded that the government’s handling of the investigation and discovery process showed a lack of reasonable diligence. The cumulative failures deprived defendant of the timely and fair process guaranteed by law.

People v. Zuhdi A., 86 Misc.3d 1227(A), 2025 WL 1790657 (Crim Ct, NY County, June 17, 2025).

Recent case applies VHS-era law to modern digital privacy

Plaintiff sued the NBA, accusing it of violating the Video Privacy Protection Act, 18 U.S.C. 2701 (VPPA). Plaintiff claimed that after signing up for the NBA’s online newsletter and watching videos on NBA.com, the NBA shared his viewing history with Meta without his permission. The district court dismissed the case and plaintiff sought review with the Second Circuit. On review, the court vacated and remanded the case for further proceedings.

What is the VPPA?

The VPPA, enacted in 1988, aims to protect consumers’ privacy by restricting video tape service providers from sharing personally identifiable information without consent. The historical circumstances around its enactment, particularly involving Robert Bork, are worth taking a few minutes to read up on.

Key issue – what’s a consumer here?

Plaintiff argued that he qualified as a “consumer” under the VPPA’s definition, which includes any “renter, purchaser, or subscriber of goods or services.” He contended that by providing his email and other personal data in exchange for the NBA’s newsletter, he became a “subscriber,” thus entitling him to privacy protections. According to plaintiff, the NBA’s practice of embedding a “Facebook Pixel” on its website allowed Meta to track users’ video-watching behavior, which constituted a violation of the VPPA’s restrictions.

The NBA, however, argued that plaintiff did not meet the VPPA’s criteria for a “consumer” because the newsletter subscription did not involve any audiovisual services, as required under the law. The NBA further asserted that plaintiff did not suffer a “concrete” injury, a requirement for Article III standing under the standards set out by SCOTUS in TransUnion LLC v. Ramirez. The NBA maintained that merely signing up for a free newsletter did not establish a sufficient relationship to qualify as a “subscriber.”

Lower court proceedings

The United States District Court for the Southern District of New York ruled in favor of the NBA. While it determined that plaintiff had standing to sue, the court dismissed the case on the grounds that plaintiff failed to establish that he was a “consumer” as defined by the VPPA. The court ruled that the VPPA’s scope was limited to audiovisual goods or services, and an online newsletter did not fit this definition. It concluded that merely signing up for a newsletter did not create a relationship that would extend VPPA protections to plaintiff’s video-watching data.

But the appellate court said…

Plaintiff appealed the decision, and the Second Circuit found that plaintiff sufficiently alleged that he was a “subscriber of goods or services” because he provided personal information in exchange for the NBA’s online newsletter. The court emphasized that the VPPA’s language did not strictly limit “goods or services” to audiovisual content, thus broadening the potential scope of who could be considered a “consumer.” This meant that the case would proceed to further legal proceedings to address the other issues in the dispute.

Three reasons why this case matters:

  • It clarifies modern VPPA applications: The case explores how the VPPA, with its origins in a VHS-centric era, applies to modern digital interactions, like email newsletters and online video streaming.
  • It expands consumer privacy definitions: The court’s interpretation suggests that a “subscriber” could include individuals who exchange personal information for non-monetary services, influencing other privacy claims.
  • It influences digital business practices: It affects how businesses should collect and share user data, potentially increasing scrutiny over partnerships involving data tracking and disclosure to third parties such as Meta.

Salazar v. NBA, — F.4th —, 2024 WL 4487971 (2nd Cir., October 15, 2024)

See also: Casual website visitor who watched videos was not protected under the Video Privacy Protection Act

CCPA claim against Apple thrown out on Section 230 grounds

Plaintiffs sued Apple after downloading a malicious app from the App Store. The claims included violation of the Computer Fraud and Abuse Act (“CFAA”), the Electronic Communications Privacy Act (“ECPA”), and the California Consumer Privacy Act (“CCPA”). (Alphabet soup, anyone?)

The lower court granted Apple’s motion to dismiss these claims. Plaintiffs sought review with the Ninth Circuit Court of Appeals. On appeal, the court held that the lower court properly applied Section 230 immunity to dismiss these claims.

What Section 230 does

Section 230 (47 U.S.C. § 230) instructs that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” A defendant is not liable if it can show that (1) it is a provider of “interactive computer services” as defined by the statute, (2) the claim relates to “information provided by another content provider,” and (3) the claim seeks to hold defendant liable as the “publisher or speaker” of that information.

Why the CFAA and ECPA claims were dismissed

In this case, concerning the CFAA and ECPA claims, the court looked to Barnes v. Yahoo!, Inc., 570 F.3d 1096 (9th Cir. 2009) and concluded that the lower court properly found Section 230 immunity to apply. The duty that plaintiffs alleged Apple violated derived from Apple’s status or conduct as a “publisher or speaker.” It found that the claims referred, as the basis for culpability, to Apple’s authorization, monitoring, or failure to remove the offending app from the App Store. “Because these are quintessential “publication decisions” under Barnes, 570 F.3d at 1105, liability is barred by section 230(c)(1).”

Section 230 knocked out CCPA claim too

The data privacy count included allegations that Apple violated duties to “implement reasonable security procedures and practices” to protect the personal information of App Store users, in violation of Cal. Civ. Code § 1798.100(e). The court said that it need not decide whether violations of such duties can be boiled down to publication activities in every instance or whether implementation of reasonable security policies and practices would always necessarily require an internet company to monitor third-party content. Citing to Lemmon v. Snap, Inc., 995 F.3d 1085 (9th Cir. 2021), the court found that in this case, at least, plaintiffs failed to plead adequately a theory of injury under CCPA that was “fully independent of [Apple’s] role in monitoring or publishing third-party content.”

Diep v. Apple, Inc., 2024 WL 1299995 (9th Cir. March 27, 2024)

Website operator not liable under Wiretap Act for allowing Meta to intercept visitor communications

Plaintiffs asserted that defendant healthcare organization inadequately protected the personal and health information of visitors to defendant’s website. In particular, plaintiffs alleged that unauthorized third parties – including Meta – could intercept user interactions through the use of tracking technologies such as the Meta Pixel and Conversions API. According to plaintiffs, these tools collected sensitive health information and sent it to Meta. Despite defendant’s privacy policy claiming to protect user privacy and information, plaintiffs alleged that using defendant’s website caused plaintiffs to receive unsolicited advertisements on their Facebook accounts.

Plaintiffs sued, asserting a number of claims, including under the federal Electronic Communications Privacy Act (“ECPA”) and the California Invasion of Privacy Act (“CIPA”). Defendant moved to dismiss these claims. The court granted the motion.

To establish an ECPA claim, a plaintiff must demonstrate that defendant intentionally intercepted or attempted to intercept electronic communications using a device. CIPA similarly prohibits using electronic means to understand the contents of a communication without consent. Both laws have a “party exception” allowing a person who is a party to the communication to intercept it, provided the interception is not for a criminal or tortious purpose. In other words, there is an exception to the exception.

In this case, defendant argued it was a legitimate party to plaintiffs’ communications on a website, thus invoking the party exception. Plaintiffs countered that the exception should not apply due to defendant’s alleged tortious intent (making the information available to Facebook without disclosure to plaintiffs). But the court found that plaintiffs did not provide sufficient evidence that defendant’s actions were for an illegal or actionable purpose beyond the act of interception itself. Under the guidance of Pena v. GameStop, Inc., 2023 WL 3170047 (S.D. Cal. April 27, 2023) (a plaintiff must plead sufficient facts to support an inference that the offender intercepted the communication for the purpose of a tortious or criminal act that is independent of the intentional act of recording or interception itself), the court concluded there was no separate tortious conduct involved in the interception and dismissed the claims.

B.K. v. Eisenhower Medical Center, 2024 WL 878100 (February 29, 2024)

Website cookie banner was not enough for cruise line to sink federal wiretap lawsuit

Plaintiffs sued Carnival Cruise Line because they were upset about how much information carnival.com collected when they visited the site. “On carnival.com, no action goes unnoticed. Every click is counted, every keystroke is collected, and every cursor movement is catalogued.”

The claims centered around Carnival’s use of Clarity – a Microsoft session replay software that was deployed onto the user’s browser to collect a wide variety of information about the user’s system and browsing behavior. That collection was not limited to information from carnival.com. Clarity allegedly assigned each user a specific id that it used to associate and aggregate browsing behavior across all Clarity-enabled websites.

Plaintiffs asserted several claims, including one under the federal Electronic Communications Privacy Act (18 U.S.C. 2510 et seq.) (“ECPA”). They complained that Carnival intercepted Plaintiffs’ personal information, including their passport number, driver’s license number, date of birth, home address, phone number, email address and payment information, and used that information to trace users’ browsing history on other sites.

Carnival moved to dismiss for failure to state a claim under the ECPA. The court denied the motion.

No “party to the communication” exception

Carnival argued that the “party to the communication” exception of the ECPA absolved it of liability. 18 U.S.C. 2511(2)(d) provides that “[i]t shall not be unlawful … for a person … to intercept a[n] electronic communication where such person is a party to the communication.” But plaintiffs asserted that Microsoft, as the provider of the session replay code software, was a third party to the communication of the browsing information. Courts sometimes find third parties to be merely “extensions” of a website when such third parties’ services “merely function as a tape recorder.” But in this case, citing to Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023), the court declined to find that Clarity had such limited functionality. The main problem for Carnival was that Clarity did more than just serve as a “tape recorder” – it used data to generate analytics such as heatmaps of user engagement and profiles of browsing history on other sites.

No consent for third party interception

Carnival also argued that the ECPA claim should be dismissed because plaintiffs had consented to the interception of their information. The court rejected this argument.

Carnival first argued that by merely sending a communication over the internet, plaintiffs expressed their consent. It cited to a 2001 Pennsylvania decision called Commonwealth v. Proetto, a criminal case in which that court found that a defendant accused of improperly soliciting a 15-year-old girl online could not claim that the girl’s decision to print out the defendant’s chat communication violated defendant’s right of privacy. In other words, the Proetto case stands for the notion that when one sends something over the internet, he or she loses control, from a privacy standpoint, over what the recipient will do with that information. The court distinguished the Proetto case, however, noting that it did not cover third-party interception, focusing instead on direct communication between two parties, and emphasizing that consent is given specifically to the receiver, not any incidental third party. This distinction was crucial in the present case, as Carnival needed to demonstrate that plaintiffs consented not just to Carnival, but also to third-party session replay providers – such as Microsoft in providing Clarity – involved in data collection.

So Carnival cited to Farst v. AutoZone, Inc., 2023 WL 7179807 (M.D. Pa. 2023), wherein the court dismissed similar claims in the context of online shopping, deeming it a public activity with no expectation of privacy in browsing habits. The court distinguished the Farst case, however, by noting that it did not focus on the collection of sensitive information like this case did. In the current case, plaintiffs had made concrete allegations regarding the interception of sensitive information (e.g., driver’s license number, date of birth, home address).

Carnival’s second argument for plaintiffs’ consent to its recording policy hinged on a “Cookie Policy” banner on its website, suggesting that continued use of the site provided consent to the policy. Plaintiffs countered this by asserting that the website did not adequately notify users of this recording, and interaction with the site was possible without reviewing or agreeing to any privacy policy. The court observed that in assessing the validity of such “browsewrap” agreements, it should consider whether a website provides sufficient notice to a reasonably prudent user about the terms of the contract. In this case, the Cookie Policy banner was less noticeable due to its smaller text, inconspicuous color scheme, and placement away from key user interaction points, like large “SHOP NOW” or “SEARCH CRUISES” buttons. There was also no evidence that the banner appeared immediately or remained visible throughout a user’s visit. Consequently, the court found that – based on the facts alleged – a reasonably prudent user would not be adequately informed of the terms, siding with plaintiffs’ claim that they did not consent to the interception of their communications.

Rejection of Carnival’s other ECPA arguments

In denying the motion to dismiss the ECPA claims, the court rejected Carnival’s remaining arguments as well.

The court found that based on the facts alleged in the complaint, it was plausible to believe that the transmission of the information was contemporaneous, thereby qualifying as an “interception” under the statute.

It found that the information transmitted was not merely “record information” but that information such as an intent to travel, dates and locations were actual “contents” of the alleged communications.

And it rejected Carnival’s argument that the offending session replay code comprising Clarity was not a “device” prohibited by the statute. Carnival contended that it did not meet the definition of a “device” in the context of wiretapping laws, arguing that a “device” should be a physical object. The court held that the combination of software and hardware involved in this case fell under the ambit of “device” as contemplated by the statute.

Price v. Carnival Corporation, 2024 WL 221437 (S.D. Cal., January 19, 2024)

Beauty and the Biometrics: Federal court in Illinois tosses biometric data case brought against cosmetics giant

A federal judge recently dismissed a class action lawsuit against The Estée Lauder Companies and one of its affiliates. This case involved allegations that these entities violated the Illinois Biometric Information Privacy Act (BIPA).

Background of the Case

Plaintiffs represented a proposed class and accused defendants of three distinct violations of BIPA. The dispute centered on the use of a virtual try-on tool that one of defendants had licensed to Estée Lauder which enabled customers to virtually test cosmetic products on brand websites. Plaintiffs claimed that they were not adequately informed about the capture and use of their biometric data, including facial mapping and facial geometry. They argued that there was a failure to provide clear consent and privacy policies regarding biometric data.

What BIPA Says

The law governs private entities’ collection, use, and storage of biometric identifiers and information. Plaintiffs contended that defendants did not comply with these requirements, specifically in failing to obtain written consent and establishing proper retention and destruction policies for biometric data.

What the Court Said

The court’s decision to dismiss the case hinged on plaintiffs’ inability to demonstrate that defendants used the biometric data in a manner that could identify individuals. The court referenced similar cases where allegations were dismissed due to the lack of plausible claims connecting biometric data collection with the capability to identify individuals.

The court found that plaintiffs did not provide sufficient factual allegations to establish that defendants could identify individuals using the facial scans. It compared other cases where claims were either dismissed or upheld based on the presence or absence of plausible allegations of identification capability. The case was dismissed without prejudice, meaning plaintiffs were given the opportunity to file an amended complaint by a specified date.

What It Means

This decision highlights the importance of clear legal standards for biometric data usage and the challenges plaintiffs face in proving violations under BIPA. It also underscores the need for companies to be transparent and compliant with privacy laws when implementing innovative technologies.

Castelaz v. The Estee Lauder Companies, Inc. et al., 2024 WL 136872 (N.D. Illinois, January 10, 2024)

Microsoft Edge privacy case dismissed for lack of standing

A legal dispute involving Microsoft recently concluded with the dismissal of a class-action lawsuit. Plaintiffs had accused Microsoft of unauthorized data collection through its Edge browser, alleging violation of privacy laws. The court, however, ruled in favor of Microsoft, citing the plaintiffs’ lack of standing under Article III of the Constitution.

The Allegations Against Microsoft

The lawsuit centered on the claim that Microsoft Edge intercepted and sent private user data, including activities in “private” browsing mode, to Microsoft-controlled servers. This data, linked to unique user identifiers, allegedly allowed Microsoft to track users’ internet habits. Plaintiffs argued this was done without consent, breaching the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and various state laws, and claimed economic injury due to these practices.

Microsoft’s Challenge and the Court’s Decision

Microsoft moved to dismiss the lawsuit, arguing plaintiffs lacked the necessary standing under Article III of the U.S. Constitution. The court agreed, determining the plaintiffs did not meet the required standing criteria.

The core issue was whether the plaintiffs had standing, a fundamental requirement for a case to be heard in a federal court. The Constitution requires an actual “case or controversy” for federal courts’ involvement. The court examined whether plaintiffs demonstrated (1) an injury in fact, (2) a direct causation, and (3) a potential remedy through court action.

The 2021 Supreme Court ruling in TransUnion LLC v. Ramirez was key to the outcome in this case. This ruling stressed that not every violation of a statutory right leads to a concrete harm that warrants a federal lawsuit. This court, agreeing with Microsoft, found that the data identified in the complaint was not traditionally considered private. It determined that the collection of browsing data did not closely relate to a harm traditionally actionable in court. The court pointed out that data like browsing history and keystrokes do not carry a reasonable expectation of privacy.

Final Outcome

So the court found that the plaintiffs failed to allege a concrete privacy injury that would fulfill the requirements for Article III standing. The dismissal of this lawsuit highlights the complex challenges in digital privacy litigation and the difficulty plaintiffs face in proving standing in privacy-related legal actions.

Saeedy v. Microsoft Corporation, 2023 WL 8828852 (W.D. Washington, December 21, 2023)

See also: Reading a non-friend’s comment on Facebook wall was not a privacy invasion

Can a company snoop on its employee’s personal email account?

Plaintiff was an administrative assistant at defendant company. When her supervisor got word that plaintiff had been asked to join a competing company started by some other former company employees, the supervisor allegedly logged onto plaintiff’s work computer and without authorization accessed plaintiff’s Gmail account to get more information confirming plaintiff’s plans. Plaintiff was later terminated.

So she sued under the federal Stored Communications Act (“SCA”) and the Federal Wiretap Act (under a part of that act often called the Electronic Communications Privacy Act (“ECPA”)). Defendant moved to dismiss both the claims. The court denied the motion to dismiss the SCA claim but dismissed the ECPA claim.

The SCA prohibits, among other things, the intentional unauthorized access of a “facility through which an electronic communication service is provided”—thereby obtaining access to an electronic communication while in electronic storage. 18 U.S.C. § 2701(a). A court may award actual damages, statutory damages, and punitive damages for violation of the SCA. If a plaintiff seeks statutory damages under the SCA, it must prove actual damages. But one need not prove actual damages to recover punitive damages. The ECPA prohibits, among other things, the “interception” of electronic communication. 18 U.S.C. § 2511(a). Courts have generally held that such “interception” must be contemporaneous with transmission.

The court held plaintiff could move forward with her SCA claim even though she had not pled actual damages. She had sufficiently pled that she should be awarded punitive damages. And the court tossed the ECPA claim because the facts as alleged showed that the email messages the employer allegedly accessed had already been delivered and therefore were not intercepted as the statute requires for liability.

Benz v. PHB Realty Co., 2022 WL 3098579 (D. Kansas, August 4, 2022)

Is storing protected information on an unencrypted server a disclosure of that information?

Back in the 1990s, Congress recognized that stalkers were aided in their crimes by using victims’ driver’s license information, and states were selling driver’s license information to marketers. So Congress passed the Driver’s Privacy Protection Act, 18 U.S.C. § 2721, et seq. (the “DPPA”). This statute makes it unlawful for any person to knowingly disclose personal information from a motor vehicle record for any use other than certain uses that the statute permits.

Defendant had more than 27 million Texas driver’s license records that it stored on an external unencrypted server. In 2020, it announced that a third party had accessed the records without authorization. As expected, the class action lawyers jumped on board and sued under the DPPA.

The lower court dismissed the DPPA claim in response to defendant’s motion to dismiss for failure to state a claim. Plaintiffs sought review with the Fifth Circuit Court of Appeals. On appeal, the court affirmed the dismissal.

It held that plaintiffs failed to plausibly allege that storing the data on an unencrypted server amounted to a “disclosure”. More specifically, although plaintiffs argued that defendants had placed the information on a server that was readily accessible to the public, that assertion was nowhere in the complaint, nor was it supported by the facts alleged in the complaint.

In finding there to be no disclosure, the court observed that the storage of the data, as alleged, did not make it visible to a digital “passer-by”. This made the case different from Senne v. Village of Palatine, Ill., 695 F.3d 597 (7th Cir. 2012), in which a police officer disclosed information by putting a traffic ticket on a windshield, which any passer-by could see. The court also looked to Enslin v. Coca-Cola Co., 136 F. Supp. 3d 654 (E.D. Pa. 2015), in which that court held there to be no disclosure under the DPPA when someone stole an unencrypted laptop containing information protected under the statute.

Allen v. Vertafore, Inc., No. 21-20404 (5th Cir., March 11, 2022)
