The landscape of privacy-related class action litigation is undergoing significant transformation in 2025, with three key statutes taking center stage: 1. Video Privacy Protection Act (VPPA); 2. California Invasion of Privacy Act (CIPA); and 3. Telephone Consumer Protection Act (TCPA). This article breaks down recent decisions, new theories from the plaintiffs' bar, and regulatory developments changing the scope and application of these decades-old privacy laws.
Expanded VPPA Interpretation Signals Rising Litigation
The VPPA litigation landscape appears poised for potential expansion in 2025, primarily driven by recent decisions.
What is the VPPA? The VPPA is a 1988 federal law that prevents videotape service providers from disclosing consumers' viewing history and requests to third parties without consent. While the law was originally designed to protect video rental records, it has evolved to cover modern video streaming and digital platforms as well as websites with video content.
New Definitions of "Consumer" and "Video Tape Service Provider": The Second Circuit's October 2024 ruling in Salazar v. NBA is a significant shift in VPPA interpretation, expanding both the definition of a "consumer" and a "video tape service provider" in that jurisdiction.
There, the Court held that a "consumer" includes anyone who subscribes to any goods or services from a video tape service provider, regardless of whether those services involve audio-visual content. For example, newsletter subscribers and account holders may be considered "consumers" under the Second Circuit's reading of the VPPA. Though this interpretation marks a departure from other decisions that require a direct connection between a subscription and video content, given the lack of uniformity across all courts, defendants can still argue that a "nexus" between content and a subscription is required depending on the jurisdiction in which they are litigating.
The Court also held that a "video tape service provider" encompasses companies whose delivery of audio-visual materials is a part of their business, and not necessarily the business's sole or exclusive focus. This ruling (at least in the Second Circuit) lowers the barrier for bringing VPPA cases, potentially exposing a much broader range of businesses to liability.
Takeaway: With the Sixth and Seventh Circuits scheduled to address similar VPPA issues, we may see further evolution in how courts interpret the statute. The Second Circuit's expansive reading suggests that VPPA litigation will likely increase in 2025, as plaintiffs' attorneys look for opportunities to leverage the ruling at least at the pleading stage.
CIPA's Digital Evolution from Wiretapping to Website Tracking
What is CIPA? The California Invasion of Privacy Act, enacted in 1967 as an anti-wiretapping statute, has become a significant source of litigation in today's digital age. While the law was originally enacted to protect Californians from traditional wiretapping of telephone conversations, its application has evolved in the digital realm.
CIPA violations carry statutory penalties of $5,000 per occurrence, potentially escalating to millions in damages in class actions – when these cases gain traction, they can result in significant exposure.
New Novel Interpretations of CIPA: Over the last year, there has been a surge in CIPA lawsuits and pre-litigation demands, particularly targeting companies' public-facing websites. This increase in litigation has been driven in large part by novel interpretations of CIPA, where plaintiffs are arguing that commonplace technology on websites constitutes a form of illegal "eavesdropping" on user communications. Typically, these "eavesdropping" cases are premised on the use of pixels, cookies, beacons, software code, chatbots/chat boxes, and compliance-related technology (such as technology deployed to ensure compliance with statutes including the Telephone Consumer Protection Act).
In July 2024, the Central District of California issued a notable decision in Dino Moody v. C2 Educational Systems. The Plaintiff alleged that the Defendant's use of a marketing pixel on its website was comparable to installing a trap-and-trace device or a pen register, and therefore could violate California Penal Code Section 638.51(a), which prohibits a person from installing or using a pen register or trap-and-trace device without consent. The Defendant countered that CIPA's provisions on trap-and-trace devices and pen registers are limited to physical devices attached to telephone lines and are not intended to apply to pixels. However, the Court disagreed with the Defendant, instead holding that the Defendant's use of a marketing pixel on its website was comparable to installing a trap-and-trace device or a pen register.
Dueling Decisions & Key Takeaways: Though the Central District of California agreed with the Plaintiff broadly reading CIPA, in Licea v. Hickory Farms LLC, the Superior Court of California reached the opposite conclusion, holding that technology at issue there did not qualify as the use of a pen register or trap and trace device on a website. The dueling decisions highlight the uncertainty in this area of the law and why businesses should review and understand the technology used on their websites and by their marketing teams while staying abreast of developments in this space.
The Telephone Consumer Protection Act: New Administration, New Uncertainty
The TCPA litigation and compliance landscape is also poised for change.
What is the TCPA? The TCPA was enacted in 1991 to protect consumer privacy and reduce the number of unwanted telemarketing calls and faxes. TCPA litigation can be very costly, ranging from $500 - $1500 per violation, potentially leading to millions of dollars in exposure when mass communications are at issue in class actions.
One-To-One Consent Rule Knocked Out: The most anticipated change heading into 2025 was the FCC "one-to-one" consent rule, which was set to take effect in January 2025. This rule would have required (1) companies to obtain separate, explicit consent from consumers for each individual seller that wanted to contact them and (2) that calls be logically and topically associated with the interaction that prompted the consent.
However, in a surprising turn of events, on January 24, 2025, the Court of Appeals for the Eleventh Circuit in Insurance Marketing Coalition v. FCC vacated the rule, holding that the FCC exceeded its statutory authority by interpreting "prior express consent" under the TCPA to require separate consent for each seller and logical and topical association of calls to the interaction prompting consent. Ahead of that ruling, the FCC notably had also paused implementation of the rule. With a new administration in place, the FCC may abandon the rule altogether at least for the immediate future.
Consent Revocation Rules Remain: Though the one-to-one consent rule is dead for now, the FCC's new consent revocation rules remain set to take effect on April 11, 2025. The new rules will codify broader consent revocation mechanisms, allowing consumers to revoke consent "in any reasonable manner" using terms like stop, quit, end, revoke, opt-out, cancel, or unsubscribe (which are now listed in the regulations). These rules will potentially lead to increased TCPA litigation in 2025 and beyond, particularly class actions focusing on systematic compliance failures.
FCC's Authority Is Under Further Scrutiny: TCPA litigation may also be significantly impacted by the Supreme Court's ruling in McLaughlin Chiropractic Associates, Inc. v. McKesson Corporation et al. This case raises the issue of whether the Hobbs Act requires a court to accept the FCC's interpretation of the TCPA as it pertains to faxes received by email. At the center of the case is the FCC's 2019 Amerifactors Declaratory Ruling where the FCC offers their interpretation of the TCPA.
As we previously reported here, companies (particularly in the healthcare space where faxes are more commonplace than in other industries) face a potential uptick in TCPA fax cases premised on the use of online fax services. The Supreme Court's ruling in McLaughlin has the potential to lead to more TCPA litigation if it results in increased uncertainty over the application of the FCC's Amerifactors Declaratory Ruling while further eroding FCC authority.
Conclusion
As we enter 2025, companies need to monitor and respond to emerging developments in this space to minimize their exposure to consumer and privacy class actions. Companies should consider:
- Reviewing technology, such as pixels and chatbots, used on their websites and understanding what information that technology is capturing/transmitting as well as the triggers for data collection/transmission;
- Reviewing and revising, as necessary, privacy policies and terms and conditions;
- Thoroughly reviewing their calling/texting practices and internal procedures addressing those practices (or putting them in place if they have not already done so);
- Thoroughly reviewing consent mechanisms to comply with the VPPA, CIPA, and the TCPA, as appropriate;
- Updating consent revocation triggers ahead of the TCPA's new consent revocation rules
Originally published by Corporate Counsel, 21 February 2025
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
