Plaintiffs’ Lawyers Dust Off Legacy Privacy Statutes to Challenge Digital Tracking Technologies

In recent months, plaintiffs’ lawyers have successfully argued that software development kits, tracking pixels, and other embedded analytics tools can amount to “interception” or “knowing disclosure” under California’s Invasion of Privacy Act and the federal Video Privacy Protection Act, both of which were drafted long before mobile ecosystems or behavioral advertising. The results include a rare privacy jury verdict and the first certified VPPA class action in more than three decades.

At the center of the trend is an aggressive repurposing of CIPA Section 632, which prohibits intentional, nonconsensual eavesdropping on confidential communications. Plaintiffs in Frasco v. Flo Health alleged that Flo’s reproductive-health app transmitted intimate user information, including menstrual-cycle data and sexual-activity details, to Meta and Google via embedded SDKs. Although Flo and Google ultimately settled, Meta proceeded to trial. A Northern District of California jury unanimously found Meta liable for intentionally intercepting user communications in real time.

The court’s post-trial rulings offer a detailed roadmap for future CIPA actions. It rejected Meta’s argument that SDK-enabled data capture represented mere “secondhand repetitions,” concluding instead that Meta collected communications contemporaneously with users’ interactions with the Flo Health app. It also held that a physical “listening device” was unnecessary under the statute; but even if it were, a smartphone used to enable SDK operations would qualify.

The court emphasized that Meta “actively encouraged” integration of its SDK tools and only restricted the collection of health information after receiving negative publicity.

A similar theory underpinned Rodriguez v. Google, in which a jury awarded $425 million to plaintiffs alleging that Google continued collecting location and activity data via SDK relationships with Uber and Instagram, even after users disabled tracking settings. The claims were brought under CIPA, the Electronic Communications Privacy Act, and California’s constitutional privacy doctrines. Google has signaled it will appeal, arguing its disclosures sufficiently explained the collection practices at issue.

While CIPA litigation has surged in recent years, the VPPA has emerged as an unexpected vehicle for challenging pixel-based tracking. In Jancik v. WebMD, the court allowed VPPA claims to proceed where a health-information website allegedly disclosed users’ Facebook IDs, email addresses, and video-viewing details to Meta through the Facebook Tracking Pixel. The court adopted the Eleventh Circuit’s multifactor test for determining whether a user qualifies as a “subscriber.” It held that the exchange of an email address for a free WebMD newsletter,  including video content supported by advertising, satisfied the VPPA’s “goods or services” requirement.

Most notably, the court certified a class, reversing would-be VPPA plaintiffs’ long struggle with ascertainability and numerosity concerns. The court concluded that identifying class members was administratively feasible since WebMD maintained subscriber email lists and Facebook held corresponding event data. With more than 500,000 unique emails associated with video-viewing activity, numerosity was presumed.

Together, the decisions signal a maturing litigation theory: real-time digital tracking can meet statutory standards for interception, and information exchanges once viewed as mundane, like providing an email in return for free video content, can satisfy federal privacy-law triggers. Legacy privacy statutes, long perceived as technologically obsolete, are now proving adaptable to the modern data-collection ecosystem.