Mullen Coughlin, Cybersecurity & Data Privacy

Mullen Coughlin Partner Jim Monagle was recently interview by Mark Greisiger, President at NetDiligence, about the increase of data privacy lawsuits, including the surge of litigation around Meta Pixel and other website tracking technologies. This Q&A-style interview originally appeared on NetDiligence’s Junto Blog on March 20, 2023.

After the 2022 $18.4 million Mass General settlement in 2022 and some plaintiff-friendly appellate decisions (California and Pennsylvania), website tracking lawsuits exploded. This increased the legal and public scrutiny of widely-used Meta Pixel technology in healthcare and other industries.

On this matter, we spoke with Jim Monagle, an equity partner and member of the 14-person privacy litigation team at Mullen Coughlin LLC. The firm has over 100 attorneys solely dedicated to counseling organizations in data privacy and security matters. Their expertise includes: incident response (thousands per year); advisory compliance (hundreds per year); privacy litigation (hundreds per year) and regulatory investigations (thousands per year) primarily under the umbrella of cyber insurance. Mullen Coughlin is also a NetDiligence-authorized Breach Coach® firm.

In this interview, Jim shares his perspective regarding emerging issues and breaks down the technologies and legal arguments used in related data privacy/security cases.

Mark Greisiger: What is Meta Pixel and what technologies are at issue in these cases?

Jim Monagle: Meta Pixel is tracking code that website owners embed in their website to gather and share information with Meta (Facebook) in order to leverage Meta’s marketing prowess. Meta Pixel and similar tracking code allows data regarding website visitors’ behavior to be shared with third parties. For example, if you clicked on a video on the homepage, Meta Pixel can share data regarding the fact you clicked on it, what the video was, the URL you visited, and possibly embedded metadata regarding the webpage.

It’s not just Meta Pixel igniting litigation. Some other technologies we’re seeing litigated include session replay and chatbot functionality. Session replay effectively enables a video version of a screenshot, which captures a user’s interaction with the website. A video is not actually created, but the data that would allow recreation of the user visit is recorded.

With chatbot functionality, users typically chat with a website feature to obtain customer service. They make statements, ask questions, and receive automated responses which can be recorded.

While session replay and chatbot functionality may be designed for internal use, in some cases, website owners allow the information to be shared with the service provider behind the functionality.

MG: What types of claims are involved in these cases regarding Meta Pixel, session replay, or chatbot technologies?

JM: The claims being asserted are either content dependent or content agnostic. An example of a content dependent claim would be a person visits a healthcare provider website for information about a private malady. A couple of days later, that person receives targeted advertising about that malady, perhaps from a competitor of the healthcare provider. Facebook has been sued for this, as well as the website owners that have allowed the Meta Pixel to be embedded.

Those claims are content dependent insofar as they involve sensitive data being shared with Meta or other third parties without authorization. In the healthcare example, plaintiffs bring claims under consumer protection statutes which often allow for liability based on “unlawful activity.” Plaintiffs allege that standard is satisfied if the data sharing is deemed to be a HIPAA violation. There could also be common law torts or breach of contract claims asserted based on an alleged duty or promise not to share such information, but these claims are all based on the sensitive nature of data shared.

The content agnostic claims typically allege a violation of state or federal wiretapping laws because the website’s technology captures user interactions that could arguably be considered recording of communications without consent. These claims tend to draw on older, and in many cases pre-internet laws, that are attractive to plaintiffs based on the availability of statutory damages. The plaintiffs’ bar gravitates to these high-stakes claims because in a class action, thousands of website visitors may theoretically have a claim for thousands of dollars each. Although these types of claims can also target Meta Pixel use, they do not necessarily depend upon whether sensitive data is shared, so these claims are often based on technologies such as session replay and chatbot technologies that aren’t primarily designed to share data.

The plaintiffs’ bar often targets retailer defendants for these claims. Some of these cases also invoke the Video Privacy Protection Act, a once-rarely used law from the 1980s which is now used when websites share data regarding users’ interactions with embedded videos. It’s getting increasingly complicated.

MG: What are the defenses in these cases?

JM: For the Meta Pixel cases, one of Meta’s defenses has been that they disclose to website owners that Meta configures its pixel to share a lot of information with Meta, and if website owners don’t want to share as much information with Meta, they are free to configure the Meta Pixel to share less.

For chatbot functionality and session replay cases, liability could turn on whether or not the recorded information was accessible to or shared with a third party. If you’re recording it yourself as the recipient entity of a communication, an exception may apply to you. But if you share that information with a third party, that might eliminate that exception. In California, we’ve also seen liability potentially turn on whether a cell phone was used or not.

Most defendants seek to challenge the applicability of the wording in the statutes involved. Consent is also often litigated in these matters, and various jurisdictions are currently exploring whether implied consent is a viable defense, as defendants often assert their privacy policy discloses the use of technology to collect and share information. We’ve seen cases where courts have scrutinized the wording of pop-up banners, and whether they implicate the privacy policy disclosures as opposed to an affirmative acknowledgment by the user regarding cookie consent.

MG: Where do you see this litigation headed?

JM: Other than one Massachusetts case, these cases really haven’t been settling on a class-wide basis. One of the challenges is determining who even has a claim because when dealing with disembodied IP addresses, it makes it difficult to identify actual members of the class that interacted with the website. However, increasing evidence shows that some of these wiretapping cases are being settled on an individual basis.

On top of that, a recent Ninth Circuit decision concluded certain statutory damages should not be aggregated on such a large scale in a class action context as that would create such staggering liability that it would be an existential threat to the defendant—the argument is that if an individual really has a problem with the defendant’s information collection and sharing practices, they can try to bring their own individual claim based on statutory damages.

Ultimately, I think that if enough high-profile defendants face liability or maybe some lobbyists get involved, there might be legislation to clarify what these statutes do and don’t cover in today’s technology environment, and give organizations the ability to use these technologies as they have been without facing a huge potential liability.

Partner Carolyn Purwin Ryan participates at CLM’s Annual Conference on the panel “Cyber, Confidentiality, and Compliance…Oh My!” on March 30 in Tampa, FL.

Joined by professionals from cyber insurance carriers and brokers, this panel takes a look at the ethical and societal challenges that the proliferation of state and federal privacy laws creates related to cyber insurance, including underwriting and policy issuance. The panel also delves into proactive risk management solutions regarding an organizations private and sensitive data, as well as strategies for the next frontier of privacy litigation for both in-house and outside counsel.

CLM’s Annual Conference brings together thought leaders from the claims and litigation management professions. The conference runs from March 29-31.

At the Spring session of the Professional Liability Underwriting Society’s (PLUS) Cyber University on March 30, Partner Chris DiIenno presents the session, “Breach Scenario: Surviving a Cybersecurity Incident.”

As the final session of Cyber University, Chris runs participants through a mock data privacy and security incident where “students” use the knowledge gained throughout the program to respond appropriately to the mock exercise. Chris focuses on the challenges of identifying and discovering a cyber breach; the role of the incident response team, including the Beach Coach; the critical steps involved in the response and investigation into a data privacy and security incident; and the common resolutions of an incident response and what type of follow-up is necessary.

PLUS Cyber University is designed as an entry-level program for PLUS members who are new to cyber insurance or for those who want to learn more about cyber risk. The Spring session runs from March 28-30, 2023.