Does a plaintiff’s use of a website constitute consent to a privacy policy linked in the website’s footer? A Pennsylvania federal court answered yes in Popa v. Harriet Carter Gifts, Inc., 2025 WL 896938 (W.D. Pa. Mar. 24, 2025), granting summary judgment in favor of an online retailer (Harriet Carter Gifts) and its marketing partner (NaviStone) accused of collecting data about plaintiff’s website visit in violation of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”).Continue Reading Implied Consent to Privacy Policy in Webpage Footer Forecloses Website Wiretapping Claim
Data Privacy
Another California Court Rejects Privacy Claims Targeting Online Chat Feature
By Erin Moore & Matthew Verdin on
Plaintiffs’ lawyers have continued to bring privacy claims targeting businesses that use vendors to help provide beneficial chat features on their website, as we last reported here. Late last year, a Southern District of California judge dismissed another set of privacy claims challenging the routine use of these vendor services by Tonal, a popular smart home gym company named as the sole defendant in the lawsuit. Jones v. Tonal Systems, Inc., 751 F. Supp. 3d 1025 (S.D. Cal. 2024).
Plaintiff Julie Jones, a California resident, claimed that she had visited Tonal’s website and used its chat feature to communicate with a Tonal customer service representative. This chat feature allegedly incorporated an API run by another company to create and store transcripts of website visitors’ chats with Tonal’s customer service representatives. According to the complaint, this alleged conduct constituted wiretapping, which Tonal purportedly aided and abetted in violation of Sections 631 and 632.7 of the California Invasion of Privacy Act (“CIPA”). Plaintiff also asserted other privacy claims based on the same alleged conduct, including the California Unfair Competition Law (“UCL”) and the California Constitution’s right to privacy provision.
The Court granted Tonal’s motion to dismiss each of plaintiff’s claims on multiple grounds. Continue Reading Another California Court Rejects Privacy Claims Targeting Online Chat Feature
French CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles
By Kristof Van Quathem & Alix Bertrand on
On March 25, 2025, the French data protection authority (“CNIL”) published a draft recommendation on the use of location data from connected vehicles (the “Recommendation” – see here in French). The Recommendation is open for public consultation until May 20, 2025.Continue Reading French CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles
South Africa Introduces Mandatory e-Portal Reporting for Data Breaches
By Dan Cooper, Benjamin Haley, Deon Govender, Ahmed Mokdad & Mosa Mkhize on
On April 7, 2025, South Africa’s Information Regulator announced a new requirement for organizations to report data breaches—referred to under local law as “security compromises”—via an online eServices Portal. The announcement marks a significant procedural shift in how companies must comply with the Protection of Personal Information Act, 2013…
Continue Reading South Africa Introduces Mandatory e-Portal Reporting for Data BreachesCJEU Clarifies GDPR Rights on Automated Decision-Making and Trade Secrets
On February 27, 2025, the Court of Justice of the European Union (“CJEU”) issued a significant decision on the right of data subjects to request access to their personal data under Article 15 GDPR, specifically as it relates to automated decision-making and striking an appropriate balance between informing data subjects and protecting trade secrets (Case C‑203/22).Continue Reading CJEU Clarifies GDPR Rights on Automated Decision-Making and Trade Secrets
Website Wiretapping Litigation: Recent Decisions and Developments
By Matthew Verdin, Kathryn Cahoy & Libbie Canter on
Website analytics and advertising tools, such as pixels, are regularly targeted in lawsuits brought under various wiretap laws, including the federal Wiretap Act and the California Invasion of Privacy Act (“CIPA”). We cover significant developments and trends in website wiretapping lawsuits on Inside Class Actions. Over the last several months, we have featured posts discussing an important decision from Massachusetts’ highest court about the availability of website wiretap suits under Massachusetts law, an opinion from a California court about a new “pen register” theory under CIPA, and more. These posts, and other highlights, include the following:Continue Reading Website Wiretapping Litigation: Recent Decisions and Developments
New Jersey Court Applies CIPA’s Party Exception to Pixel Wiretap Complaint
By Rachel Bercovitz & Matthew Verdin on
Last month, a New Jersey federal judge applied Third Circuit precedent to hold that the California Invasion of Privacy Act (“CIPA”) does not impose liability for commonplace use of website marketing/analytics pixels under the well-established party exception. Cole v. Quest Diagnostics, Inc., 2025 WL 88703 (D.N.J. Jan. 14, 2025).Continue Reading New Jersey Court Applies CIPA’s Party Exception to Pixel Wiretap Complaint
ICO announces its online tracking strategy for 2025
By Mark Young, Paul Maynard & Shona O'Donovan on
The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”
Online advertising is one of the ICO’s current areas of strategic focus (others areas of focus include AI and children’s privacy). The ICO has identified four key areas of concern—all of which the ICO states mean that individuals do not have sufficient control over their personal data:
- “deceptive or absent choice” regarding non-essential cookies and tracking technologies;
- “uninformed choice,” which refers to organizations not providing appropriate information to individuals;
- “undermined choice,” where individuals’ choices are not respected and they are surprised about how their data is used; and
- “irrevocable choice,” meaning that individuals cannot effectively change their minds after they have made a choice over how their personal data is processed.
Having identified these areas of concern, the ICO states that it will take the following actions in 2025:Continue Reading ICO announces its online tracking strategy for 2025
CJEU Advocate General Supports Pragmatic Definition of Personal Data
By Dan Cooper & Kristof Van Quathem on
On February 6, 2025, Advocate General Spielmann released his opinion in the EDPS vs. SRB case (Case C‑413/23 P). In this case, the European Data Protection Supervisor appealed a decision from the General Court (see our blog post here).
In essence, the case turns on the question of whether…
Continue Reading CJEU Advocate General Supports Pragmatic Definition of Personal DataCJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket
By Kristof Van Quathem & Alix Bertrand on
On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision on the GDPR’s lawfulness and data minimization principles.
The case arose after a French association (“Mousse”) complained to the French Supervisory Authority (“CNIL”) about the fact that France’s main train company SNCF requires customers to indicate their title and gender identity by ticking either “Sir” or “Madam” when purchasing a train ticket online. Mousse considered that such a mandatory requirement could not be justified under the “contractual performance” or “legitimate interests” legal bases set out in Article 6 GDPR, and infringed the GDPR’s principles of lawfulness, data minimization and transparency.
The CNIL dismissed the complaint, and Mousse appealed the CNIL’s decision before the French Administrative Supreme Court (“Conseil d’Etat”), which stayed the proceedings to refer some questions to the CJEU.Continue Reading CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket