Skip to site navigation Skip to main content Skip to footer content Skip to Site Search page Skip to People Search page

Bylined Articles

Recent Precedent May Aid In Defending Ad Tech Class Actions

By Gerald L. Maatman, Jr., Jennifer Riley and Justin Donoho
September 22, 2025

Recent Precedent May Aid In Defending Ad Tech Class Actions

By Gerald L. Maatman, Jr., Jennifer Riley and Justin Donoho
September 22, 2025

Read below

Plaintiffs are increasingly filing multitudes of high-stakes lawsuits against businesses of all types, alleging that common website advertising technologies embedded in their websites secretly captured plaintiffs' web-browsing activity and breached their privacy interests by sending information regarding such activity to online advertising agencies.

Many doubt the viability of these claims.

As U.S. District Judge Paul A. Engelmayer of the U.S. District Court for the Southern District of New York explained on Sept. 3 in Golden v. NBCUniversal Media LLC, there is an emergent line of appellate court precedent regarding the indecipherability of encrypted, inaccessible anonymized advertising technology transmissions. 

This article analyzes this precedent and suggests that it can be used to support moving to eliminate class allegations and/or moving to disqualify plaintiffs counsel if they are among the many plaintiffs attorneys who use advertising technology on the attorney-client communications pages of their own websites.

The article further explains that this powerful tool is one of several that can be used to counteract the explosion of advertising technology class actions across the nation seeking millions or billions of dollars in statutory damages under myriad statutory theories.

Background on the Advertising Technology Class Action Landscape

Advertising technology is a common feature on millions of websites in operation today.

In advertising technology class actions, the key issue is often a statutory claim, such as a claim asserting violation of the Electronic Communications Privacy Act, a state wiretap act such as the California Invasion of Privacy Act, the Video Privacy Protection Act, the Illinois Genetic Information Privacy Act, a consumer fraud statute, or another statute that provides for statutory penalties.

Plaintiffs invoke such statutes in order to seek millions — and sometimes even billions — of dollars, even from midsize companies, on the theory that hundreds of thousands of website visitors, multiplied by $10,000 per claimant in statutory damages under the Electronic Communications Privacy Act, or ECPA, for example, equals a crushing, settlement-inspiring number.

Plaintiffs have filed the bulk of these types of lawsuits to date against healthcare providers, but they are increasingly filing advertising technology class actions against companies that span nearly every industry. Several of these cases have resulted in multimillion-dollar settlements, several have been dismissed, and the vast majority remain undecided.

Some courts consistently have taken a more permissive approach than others in allowing advertising technology class actions to proceed beyond the motion to dismiss stage; Therefore, the plaintiffs' bar continues to file advertising technology class actions at a precipitous rate.[1] Over the past 18 months, for example, trial lawyers have sued more than 1,500 businesses, raising advertising technology claims under the California Invasion of Privacy Act, or CIPA.[2]

On Aug. 28, 2024, in T.D. v. Piedmont Healthcare Inc., in the U.S. District Court for the Northern District of Georgia, U.S. District Judge Thomas W. Thrash Jr., deciding an advertising technology class action brought under the ECPA, lamented "[c]ases like this have sprouted like weeds in recent years." 

Some plaintiffs attorneys bringing advertising technology cases use repeat "tester" plaintiffs,[3] and some even use so many tester plaintiffs to bring so many advertising technology cases that U.S. District Judge Noel Wise recognized on Aug. 6 in Mitchener v. CuriosityStream Inc. in the U.S. District Court for the Northern District of California: "This case is one in a rash of similar actions brought by Plaintiff's counsel." 

On March 12, while the Northern District of California dismissed this "rash" case on the merits, the defendant noted in its motion to dismiss that the plaintiff's counsel "itself also uses [adtech] to track visitors on its own website."

In fact, this argument bears noting. Many plaintiffs counsel bringing advertising technology class actions have advertising technology on the attorney-client communication pages of their own websites.

Emergent Line of Precedent Regarding Indecipherability of Advertising Technology Transmissions

In Golden v. NBCUniversal Media LLC, the plaintiff sued a media company. According to the plaintiff, she signed up for an online newsletter offered by the media company and, thereafter, visited the media company's website, where she watched videos.[4]

The plaintiff further alleged that, after she watched those videos, her video-watching history was sent to an online advertising agency without her permission via the media company's undisclosed use of advertising technology on its website.[5]

Like plaintiffs in most advertising technology class action complaints, the plaintiff: (1) alleged that, before the company sent the web-browsing data to the advertising agency, the company encrypted the data via the secure "https" protocol;[6] and (2) did not allege that any human had her encrypted web-browsing data or could retrieve it from the ad agency's algorithms or that even the ad agency, or any other entity or person, has her web-browsing data stored or could retrieve it from the ad agency's algorithms in a decrypted (readable) format.

Based on the allegations, the plaintiff alleged a violation of the Video Privacy Protection Act, or VPPA.

The media company moved to dismiss under Rule 12(b)(6) of the Federal Rules of Civil Procedure, arguing that the plaintiff did not adequately allege that the media company disclosed the plaintiff's personally identifiable information, defined under the VPPA as "information which identifies a person as having requested or obtained specific video materials or services."[7]

The court agreed with the media company and dismissed the plaintiff's VPPA claim with prejudice, holding that, "[i]n short, because the alleged disclosure could not be appreciated — decoded to reveal the actual identity of the user, and his or her video selections — by an ordinary person ... it did not amount to PII."[8]

In so holding, the Southern District of New York cited an "emergent line of authority" shutting the door on VPPA claims not only in the U.S. Court of Appeals for the Second Circuit but also in other U.S. courts of appeal.[9]

The court's holding in Golden is a win for advertising technology class action defendants and should be instructive for courts around the country addressing advertising technology class actions brought under the VPPA as well as other statutes prohibiting disclosures and the like. These statutes should be interpreted similarly to require proof that an ordinary person could access and decipher the web-browsing data, identify the person and link the person to the data.

Consider a few examples: An Illinois Genetic Information Privacy Act, or GIPA, claim requires proof of a disclosure or a breach of confidentiality and privilege.[10] An eavesdropping claim under Section 632 of the CIPA requires proof of eavesdropping.[11] A trap-and-trace claim under Section 638.51 of the CIPA requires proof that the data captured is reasonably likely to identify the source of the data.[12]

A claim under the ECPA requires proof of an interception.[13]

When advertising technology sends encrypted, inaccessible, anonymized transmissions to the advertising agency's algorithms, has there been any disclosure or breach of confidentiality and privilege (GIPA), eavesdropping (Section 632 of the CIPA), data capture reasonably likely to identify the source (Section 638.51 of the CIPA), or interception (ECPA)?

Just as advertising technology transmissions are insufficient to amount to a disclosure under the VPPA, Golden shows that neither should advertising technology transmissions trigger these similarly worded statutes because no ordinary person could access and decipher the data transmitted.

Conflicts of Interest

Counsel for many plaintiffs bringing advertising tech class actions have advertising technology on their own websites, including advertising technology on the webpage where clients and potential clients can enter attorney-client communications into form fields.

While typically the advertising technology on such pages does not transmit any data entered into the form fields (unless counsel has reconfigured the advertising technology defaults to allow such transmission), it transmits, cryptographically, other information such as a browser-IP address combination of the web user, a date and time stamp, and the URL of the law firm's attorney-client communication page when web users visit that page.

According to a typical advertising technology plaintiff's theory — that a company with advertising technology on its webpage facilitates sufficient disclosures and the like to trigger the myriad statutes identified above — these plaintiffs counsel with advertising technology on their attorney-client communication pages could be violating their ethical duty to "not reveal information relating to the representation," as noted in Rule 1.6 of the American Bar Association's Rule of Professional Conduct.[14]

The typical advertising technology plaintiff's theory is incorrect, because there is no actual disclosure, etc. — i.e., no reasonable likelihood of identification by any human, as Golden illustrates.

However, counsel with advertising technology on their attorney-client communication pages may need to embrace reality, and not plaintiffs' litigation theories, to avoid taking a position that would show they are violating their own ethical duty of confidentiality.

Hence, such counsel may have a conflict of interest that warrants an early motion under Rule 23(d)(1)(D) to eliminate the typical class allegation that a plaintiff is represented by unconflicted counsel and/or, in the non-class-action lawsuit setting, a motion for disqualification.[15]

Conclusion

This article asserts that statutes like the VPPA, GIPA, ECPA and CIPA are ill-suited vehicles under which to allege liability for advertising technology transmissions — as even plaintiff-champion scholars have concluded.[16]

Some legislatures are working to remedy the overuse of these statutes in advertising technology lawsuits.

For example, California S.B. 690, introduced March 24, passed in the Senate, and is currently being considered by the Assembly Committee on Privacy and Consumer Protection, may halt advertising technology lawsuits brought under the CIPA.[17]

Meanwhile, companies using advertising technology on their websites have several tools at their disposal to mitigate advertising technology litigation risk.

One is to fight fire with fire, if an aggressive plaintiffs firm is using advertising technology on its own website. Others include adding or updating arbitration agreements to mitigate the risks of mass arbitration; collaborating with IT, cybersecurity, risk/compliance departments and outside advisers to identify and manage AI risks; and updating notices to third parties and vendor agreements.[18]

References

[1] Compare, e.g., Hannant v. Sarah D. Culbertson Memorial Hospital , 2025 WL 2413894, at *3-5 (C.D. Ill. Aug. 20, 2025) (denying motion to dismiss ECPA claim based on N.D. Ill. precedent), with Goulart v. Cape Cod Healthcare, Inc. , 2025 WL 1745732, at *3 (D. Mass. June 24, 2025) (dismissing ECPA claim with prejudice); T.D. v. Piedmont Healthcare, Inc. , 2024 WL 3972984, at *5 (N.D. Ga. Aug. 28, 2024) (same).

[2] California Senate Bill 690, Report to the Committee on Public Safety at 10-11 (April 25, 2025).

[3] See, e.g., Casillas v. Transitions Optical, Inc., 2024 WL 4873370, at *2 (Cal. Super. Sep. 09, 2024) ("The [complaint] here is one of many nearly identical complaints filed by a self-described tester plaintiff").

[4] Id. at *2-4.

[5] Id.

[6] Id., No. 22-CV-9858, ECF No. 56 ¶ 45.

[7] Id., 2025 WL 2530689, at *5-6.

[8] Id. at *6-7.

[9] Id. at *7, citing Hughes v. National Football League , 2025 WL 1720295 (2d Cir. June 20, 2025); In Re Nickelodeon Consumer Priv. Litig. , 827 F.3d 262, 283 (3d Cir. 2016) (affirming dismissal of VPPA case involving the use of adtech, stating, "To an average person, an IP address or a digital code in a cookie file would likely be of little help in trying to identify an actual person"); Eichenberger v. ESPN, Inc. , 876 F.3d 979, 986 (9th Cir. 2017) (affirming dismissal of VPPA case because "an ordinary person could not use the information that Defendant allegedly disclosed [a device serial number] to identify an individual").

[10] 410 ILCS 513/15 & 410 ILCS 513/30.

[11] Cal. Penal Code. § 632.

[12] Cal. Penal Code. §§ 638.50 & 638.51.

[13] 18 U.S.C. §§ 2510-11.

[14] ABA Rule of Professional Conduct 1.6.

[15] See, e.g., id., Rule 1.7(a)(2) (prohibiting a lawyer from representing a client if "there is a significant risk that the representation of one or more clients will be materially limited ... by a personal interest of the lawyer").

[16] See, e.g., Daniel J. Solove, On Privacy and Technology 94-95 (Oxford 2025) ("Fitting new technologies into antiquated laws becomes a major challenge.  For example ... [n]early forty years later, not having been substantially updated, ECPA has become ill-suited to its task ... Its application now seems to rely on contingencies and arbitrary distinctions rather than coherent policy").

[17] See Justin Donoho, "CIPA May Not Be Necessary to Protect Ad Tech Plaintiffs,"Law360, June 6, 2025.

[18] See Justin Donoho, "Three Best Practices to Mitigate High-Stakes AI Litigation Risk," Journal of Robotics, Artificial Intelligence & Law, Volume 7, No. 6, November/December 2024 (discussing these risk mitigation techniques).