A Turning Tide in Privacy Litigation? Notable Recent Appellate Wins for Defendants in Web Tracking Litigation
September 15, 2025
Publications
Recent appellate rulings in the U.S. Courts of Appeal for the Ninth and Third Circuits have curtailed session replay and web tracking class actions, holding that plaintiffs failed to establish concrete harms sufficient for Article III standing. In Popa v. Microsoft and Cook v. GameStop, the courts emphasized that alleged injuries must align with recognized common-law privacy torts. District court decisions, including Heaven v. Prime Hydration and Delong v. PHE, reinforce these trends, illustrating how courts assess potential harms and the challenges plaintiffs face when pleading claims. These developments may signal a narrowing path for plaintiffs in web tracking litigation while highlighting continued compliance risks for website operators.
Last month, defendants in highly anticipated web tracking class action lawsuits received procedural wins at the appellate level.
Ninth Circuit Upholds Dismissal in ‘Popa v. Microsoft’
The plaintiff in Popa v. Microsoft sued PSP Group and Microsoft, alleging that both the website operator and the software developer violated the Pennsylvania Wiretap and Electronic Surveillance Control Act (WESCA) by using the tracking software to monitor her browsing history on the website. The lower court granted the defendants’ motion to dismiss, holding that the plaintiff failed to demonstrate that the alleged conduct caused her concrete harm rather than alleging only a statutory violation. The plaintiff appealed, but after PSP Group filed for bankruptcy in December of last year, the appellate court stayed the appeal against it. The plaintiff and PSP Group filed a joint stipulation to dismiss PSP Group from the appeal at the beginning of August, and the action proceeded against Microsoft.
The Ninth Circuit looked to TransUnion v. Ramirez to determine whether the plaintiff had shown she suffered a particularized injury closely related to a harm traditionally recognized at common law. Although acknowledging that other circuit courts employ different approaches for determining whether an injury is concrete, all approaches require federal courts to closely examine “the specific underlying harm experienced by the plaintiff, and compare it, in detail, to a specific common-law tort.”
The court rejected the plaintiff’s argument that her claims were analogous to intrusion upon seclusion and public disclosure of private facts. For intrusion upon seclusion, the court emphasized that the tort requires conduct that would be highly offensive to a reasonable person. The plaintiff alleged no facts showing that the information collected was embarrassing, highly personal, offensive, or humiliating. For public disclosure of private facts, the plaintiff failed to allege that the defendants collected any private information.
The court further acknowledged that the plaintiff included allegations that the software could collect private information and potentially cause an injury, such as identity theft, but she failed to link this speculative harm to the specific information collected from her website visit, making the claim far too generalized. The court also quickly disposed of the plaintiff’s trespass argument, as she failed to identify what possessory interest was invaded by the defendant’s software or that the session replay software was placed on her personal device.
Notably, the Ninth Circuit emphasized that there is no traditionally recognized “free-roaming privacy right at common law but rather four discrete torts that protected specific kinds of privacy-related harms.” Therefore, plaintiffs must connect alleged privacy injuries to the torts of intrusion upon seclusion, public disclosure of private fact, appropriation of their name, image, or likeness, or publicity in false light to establish Article III standing. This requirement may be particularly challenging in web tracking claims, because plaintiffs often lack specific knowledge at the pleading stage of the exact information that was collected or how it will be used if it is not properly disclosed in privacy policies.
Conversely, this requirement may help defendants because they no longer must wait until after discovery to show that their data collection practices and use of third-party analytic software do not create the type of harm or rise to the level of conduct alleged in plaintiffs’ complaints.
This decision is likely to have a ripple effect, as lower district courts have stayed motions raising similar standing challenges pending the Ninth Circuit’s decision, such as In re Zillow Group Session Replay Litigation, a class action under Washington’s state wiretap law.
Third Circuit Affirms Dismissal in ‘Cook v. GameStop’
In early August, the Third Circuit sided with the defendant video game retailer in Cook v. GameStop, finding that the named plaintiff lacked Article III standing because she failed to articulate concrete harm.
The plaintiff alleged that GameStop deployed a third-party session replay software that recorded her movements during her visit to the site in violation of WESCA. The court rejected her argument that the tracking software exposed her to the type of public humiliation and embarrassment that is required for a claim under the tort of public disclosure of private information. The court noted that her pleadings only alleged that her IP address and browsing history were collected and included no private or sensitive information.
Similarly, the federal appellate court rejected the argument that the tracking software resembled someone looking over her shoulder and constituted an intrusion upon seclusion. Considering the nature of the internet, the court found that collecting users’ movements on a webpage is not highly offensive, a necessary element for the common-law tort.
District Court Consistency: ‘Heaven v. Prime Hydration’ and ‘Delong v. PHE’
The GameStop decision reflects reasoning applied in prior Third Circuit and district court web tracking cases challenging the use of session replay software. In Heaven v. Prime Hydration, the U.S. District Court for the Eastern District of Pennsylvania similarly found that the plaintiff failed to show how the defendant beverage producer’s collection and subsequent disclosure of her browsing history was closely related to a harm found at common law, as this only disclosed her preferred drink flavors. The court compared this disclosure to the level of exposure a customer would experience in a brick-and-mortar store and remanded the claim to state court.
Similarly, in Delong v. PHE, the court found that the plaintiff lacked Article III standing despite his allegations that his browsing history and IP address did contain highly sensitive and personal information. In Delong, the plaintiff sued an adult product retailer, alleging that the defendant collected and shared his product search history, purchase information, and IP address, which disclosed his sexual preferences and activities to a third party.
The court disagreed, holding that if the information collected on the website is the same information that would be disclosed by a customer if he were shopping in a brick-and-mortar store, such information is similarly not private or highly personalized. The court argued that while browsing and purchasing adult products may be more intimate than the purchase of other products, such as energy and sports beverages, this alone does not raise the reasonable expectations of a website visitor. The court further elaborated that because the defendant did not make any explicit promises not to share the users’ browsing history or provide any other factors that would raise the users’ expectations for privacy, the conduct was not highly offensive and was customary to normal internet use. The claim was dismissed without prejudice.
Implications for Web Tracking Litigation
While some defendants have experienced procedural wins against web tracking lawsuits, it is unlikely that plaintiffs will cease their litigation efforts soon. Website operators should continue to take meaningful steps to avoid these costly lawsuits, such as:
- Adequately displaying their privacy notices
- Accurately disclosing their data collection policies and use of analytic software
- Considering ways to obtain affirmative consent from website users
By implementing these measures, website operators can help mitigate the risk of costly litigation and better comply with evolving privacy requirements.
Reprinted with permission from the September 9, 2025, edition of The Legal Intelligencer © 2025 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.
