Wednesday, March 25, 2026
Executive Summary
In a Berkeley Center for Law & Technology companion webcast to his Internet Law Year in Review, Ian Ballon (Greenberg Traurig) drew on his own trial and appellate experience across cybersecurity breach, BIPA, CCPA, wiretap troll, VPPA, and TCPA class action litigation to conclude that CCPA remains exceptionally difficult for plaintiffs to win without trial, that BIPA and wiretap pixel claims remain the highest-risk privacy liabilities for most companies, and that the Ninth Circuit’s online contract formation doctrine has drifted so far from every other circuit that even a checked checkbox agreeing to terms is insufficient to form an enforceable contract in that jurisdiction.
Instructor(s)
Ian Ballon, Greenberg Traurig
Wayne Stacy, BCLT
Keywords
CCPA private cause of action — security breach — 30-day cure notice — causation and reasonable security • Illinois Biometric Information Privacy Act (BIPA) — $1,000 / $5,000 statutory damages — class certification • Ninth Circuit online contract formation — Berman v. Freedom Financial Network — inquiry notice standard • Video Privacy Protection Act (VPPA) — Salazar v. NBA — circuit split — Supreme Court cert 2026 • TCPA — McLaughlin Chiropractic v. McKesson — Hobbs Act — FCC ruling deference overruled • Wiretap troll claims — CIPA pen register — Meta pixel — replay software — Article III standing • Mass arbitration — Heckman v. Live Nation — delegation clause — unconscionability • Cybersecurity breach class action litigation strategy — MDL panel — 23andMe consolidation • Article III standing data breach — circuit split — risk of future harm standard • VPPA subscriber definition circuit split — audio visual goods or services — newsletter recipient • “what do plaintiffs need to prove to win a CCPA class action lawsuit” • “why is it harder to enforce an online contract in the Ninth Circuit than other circuits”
Legal Analysis
CCPA’s Trial-Only Path to Substantial Damages, BIPA’s Existential Statutory Exposure, and the Strategic Logic of Cybersecurity Breach Litigation
The California Consumer Privacy Act’s private cause of action is narrower and more plaintiff-hostile than many companies’ compliance departments recognise. Ballon’s synthesis of the CCPA’s private cause of action requirement, drawn from his litigation experience rather than any single case, distilled its operational elements into five cumulative hurdles: the plaintiff must be a California consumer; the personal information at issue must be non-encrypted or non-redacted within the security breach notification statute’s narrower definition; the information must have been subject to an unauthorised access and exfiltration, theft, or disclosure; causation must be established, meaning the breach must have occurred “because of” the defendant’s violation of a duty to implement and maintain reasonable security procedures and practices — a question requiring affirmative expert opinion on the applicable standard of care; and the plaintiff must provide 30 days’ notice with an opportunity to cure before any damages claim accrues. The cure notice requirement is, in Ballon’s assessment, the most tactically underutilised defensive tool in CCPA litigation: “there’s almost always a reason to respond to those letters and to say that you are curing and explain what you’re doing,” because a credible cure letter introduces a third factual question — whether the defendant actually cured — that cannot be resolved on summary judgment and must go to the jury. Since “the business model of the typical class action lawyer is to not go to trial,” converting a CCPA case into a trial-necessary matter is often dispositive. His two representative settlements — Atkinson v. Minted (the first federal class action settlement under CCPA, for approximately $1 per class member) and Couto v. Dickey’s Barbecue Restaurants (for $1 and change) — illustrate that CCPA cases regularly resolve at fractions of the $750 per-violation statutory maximum.
The Illinois Biometric Information Privacy Act, 740 Ill. Comp. Stat. 14/1 et seq., presents an entirely different risk profile: it creates a private cause of action for any aggrieved person under a broad standing standard that makes it difficult to dismiss on pleading grounds alone, and its statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, when applied to a class of employees or users whose biometric data was collected without compliant notice and consent, can yield aggregate exposure in the hundreds of millions of dollars. Ballon’s instruction to startup clients is direct: “if you can only afford to comply with one privacy law, it should be the Illinois Biometric Information Privacy Act because of the availability of statutory damages.” The Seventh Circuit’s 2025 decision in Svoboda v. [defendant] affirmed class certification in a BIPA case, reinforcing the pattern of large certified classes. Ballon also identified the Illinois Genetic Information Privacy Act as an emerging parallel risk, with Bridges and Courtney as early decisions establishing the statute’s basic framework. More broadly, he observed that no security breach class action case has ever gone to trial, meaning the critical strategic objective on the defense side is getting past the motion-to-dismiss stage into discovery without having exposed critical documents — “I had one case that resolved after four years, and after four years, plaintiffs still never really understood what happened and why, and that was because we had no documents that could help them.”
Ballon’s practitioner framework for cybersecurity breach class action litigation emphasises early-stage strategic decisions that most compliance-focused counsel underweight. The decision whether to bring a motion to dismiss requires anticipating whether plaintiffs will be given leave to amend: “if the plaintiffs are going to be given leave to amend, and the motion is only going to highlight for them a weakness in their case that they may not appreciate, maybe you don’t point it out, because then they can amend and make a better complaint.” The decision whether to seek MDL consolidation is similarly context-sensitive: in the 23andMe breach litigation, Ballon moved successfully for consolidation and transfer to the Northern District of California, where 23andMe’s principal place of business was located; in the Dickey’s Barbecue litigation, he successfully argued against MDL coordination over seven cases across California and Texas, then methodically transferred or dismissed the California cases and resolved the Texas cases individually. The sophistication of the plaintiff’s counsel is a primary diagnostic variable: more sophisticated plaintiffs’ attorneys have shifted toward narrower, more carefully tailored initial complaints, anchoring their claims on statutes providing statutory damages and attorney’s fees and on negligence theories framed around industry standard-of-care duties rather than statutory violations that lack private rights of action.
Wiretap Pixel Troll Claims, VPPA’s Circuit Split on the Subscriber Definition, and the TCPA’s Post-McKesson Landscape
The proliferation of wiretap troll claims premised on pixel tracking, replay software, chat banners, and session-recording tools — brought primarily under the California Invasion of Privacy Act’s two-party consent provisions and similar state statutes — represents what Ballon characterised as a scourge requiring a distinct strategic framework from ordinary class action defense. The exposure is real: district courts in California and New York have accepted pen register claims under CIPA despite Ballon’s assessment that they are wrongly decided, and extended CCPA claims to information transmitted via pixel in Shah and M.G., which he also characterised as incorrectly decided. The defensive assets in this space include Popa v. Microsoft [2025], holding that a statutory violation alone is insufficient for Article III standing and that clicks and keystrokes used to recreate a website visit do not implicate embarrassing, invasive, or sensitive information; a Third Circuit decision in the GameStop proceedings; and a 2024 Massachusetts decision holding that the Massachusetts wiretap statute — a literal product of the era of physical wire-tapping — does not extend to electronic tracking software such as the Meta Pixel and Google Analytics. Ballon’s tactical counsel for handling these claims emphasises knowing the plaintiff’s counsel’s settlement range and precedent-setting risks: some firms price cases below the cost of a motion to dismiss and represent little strategic risk; others ask “about 10 times what I usually settle these cases for” and require litigation on the merits. A key ethical constraint Ballon identified: defense counsel cannot ethically condition an individual settlement on an agreement never to sue the defendant on behalf of any other client, but can obtain representations about the absence of current clients with claims and current intentions to sue.
The Video Privacy Protection Act, 18 U.S.C. § 2710, has been the subject of recurrent waves of litigation, and a definitive circuit split on the definition of “consumer” — specifically, whether a consumer must subscribe to audio-visual goods or services specifically, or merely to any goods or services of the provider — will be resolved by the Supreme Court following the grant of certiorari to Salazar v. National Basketball Ass’n [S. Ct., cert. granted 2026]. The Second Circuit in Salazar v. NBA [2d Cir.] and the Seventh Circuit in Gardner v. [defendant, 7th Cir. 2025] held that consumer encompasses any subscriber to the provider’s goods or services, not just audio-visual ones, with the limit on disclosures running to the definition of personally identifiable information rather than the definition of consumer. The DC Circuit in the Washington Post case took a narrower view, holding that a plaintiff who visited the Washington Examiner’s website but did not subscribe to a video or similar audio-visual good or service was not a VPPA consumer. The Sixth Circuit in a separate Salazar case disagreed with the Second Circuit, holding that the goods or services language relates to audio-visual materials. And in the Solomon case, courts have addressed the threshold question of what constitutes personally identifiable information under the VPPA, holding it encompasses information an ordinary person could use to identify viewing habits but not information only a sophisticated technology company could decode. Ballon assessed the circuit split as a significant compliance and litigation risk for any company that shares user data with advertising platforms where the company also offers any subscription-based services.
The TCPA landscape entering 2026 has been reshaped in two directions: the scope of what an automatic telephone dialing system covers has been substantially narrowed toward the statutory text by the Supreme Court in Facebook, Inc. v. Duguid, 592 U.S. 395 (2021), and the FCC’s authority to issue interpretations of the statute binding on district courts has been eliminated by McLaughlin Chiropractic Associates, Inc. v. McKesson Corp. [U.S. 2025], which held that the Hobbs Act does not preclude a district court from departing from the FCC’s statutory interpretation. The practical implications of McKesson are broad: many TCPA claims premised on FCC-defined consent requirements, the scope of permitted calls, and what constitutes an ATDS are now open to fresh judicial construction without deference to the regulatory record. Ballon cited three additional 2025 developments: Howard v. Republican National Committee [2026], holding that a text message containing a video file constitutes a “call” even where the recipient must affirmatively act to watch the video; Hulce v. Zipongo [7th Cir. 2025], holding that calls promoting a third-party-paid service are not telephone solicitations for Do Not Call purposes because the recipient does not make the purchasing decision; and Insurance Marketing Coalition v. FCC, which pre-McKesson struck down FCC regulations requiring that consent be obtained one entity at a time and be logically connected to the interaction that prompted it. Ballon predicted that the combined effect of Loper Bright Enterprises v. Raimondo, 603 U.S. 369 (2024), and McKesson is that so much of the troll TCPA litigation that was based on broad FCC determinations and rulings will effectively go out the window.
Why the Ninth Circuit’s Online Contract Doctrine Has Drifted Beyond Any Other US Circuit, and the Mass Arbitration Framework After Heckman v. Live Nation
The Ninth Circuit’s online and mobile contract formation doctrine has become, in Ballon’s assessment, an outlier so extreme that it creates materially different legal regimes for the same transaction depending on whether the defendant is sued in that circuit. The operative Ninth Circuit standard, articulated in Berman v. Freedom Financial Network, LLC, 30 F.4th 849 (9th Cir. 2022), requires that to bind a user to contract terms, the notice of those terms must be conspicuous, the user must be given an affirmative means to manifest assent, and the page must clearly communicate what action constitutes acceptance. Two 2025 Ninth Circuit cases — Godun v. JustAnswer, finding that advisals on payment pages were insufficiently conspicuous to put consumers on inquiry notice, and Chabolla v. ClassPass, finding no contract even where a page stated “By continuing … you agree to Terms of Use and Privacy Policy” adjacent to a “Next” button — demonstrate that even formulations that would clearly establish a contract in other circuits do not satisfy the Ninth Circuit’s standard. The ClassPass case went further: even a Facebook single-sign-on flow stating “By clicking Sign up with Facebook … I Agree to Terms of Use and Privacy Policy” was held insufficient. A fourth 2025 Ninth Circuit case found that a checked checkbox — “I agree to Terms of Service, Privacy Policy, I’m over 13. Connect” — did not form a contract. “You cannot state a claim even if there’s a link on the bottom of every single page on a website,” Ballon observed, unless there is click-to-accept. By contrast, Austin v. Experian Information Solutions, 148 F.4th 194 (4th Cir. 2025), found a user enrollment page sufficient to form a contract under a presentation that Ballon predicted would not pass the Berman test in the Ninth Circuit.
The divergence between circuits is not merely academic: it materially affects whether arbitration provisions and class action waivers are enforceable, which in turn governs whether a data privacy or cybersecurity breach case proceeds as a class action or as individual arbitrations. Ballon’s recommendation is that companies review their online and mobile contract formation — terms, presentation, and user flow — at least annually, and their arbitration provisions at least every six months, because the case law and the major arbitration providers’ fee schedules are both evolving rapidly. Mass arbitration, which several years ago threatened companies with existential non-refundable filing fee exposure running into hundreds of millions of dollars under JAMS, AAA, and other providers, has become substantially less acute as those providers have dramatically reduced their non-refundable fee schedules. Ballon cautioned, however, that the capability to conduct mass arbitration can be quickly imported by plaintiffs’ firms through co-counsel arrangements: “just because we’re dealing with a law firm or lawyer that doesn’t have that capability, it’s pretty easy for them to associate in other counsel that do have that ability.” The 2024 Ninth Circuit decision in Heckman v. Live Nation Entertainment [9th Cir. 2024], invalidating as unconscionable several provisions commonly seen in mass arbitration clauses — including batch arbitration procedures and certain test-case mechanisms — requires practitioners to audit their arbitration provisions for compliance; Ballon described the decision as going further than he believed the doctrine required, but noted its practical effect on any company with Ninth Circuit exposure.
The delegation clause — a contractual provision assigning to the arbitrator rather than the court the threshold question of whether the arbitration agreement itself is valid and enforceable — is identified by Ballon as a particularly valuable tool in the mass arbitration context. Wassmund v. Red Bull [Greenberg Traurig, 2025] enforced a delegation clause in circumstances where the plaintiff argued the arbitration provision was unconscionable, with the court accepting the defendant’s argument that because the delegation clause existed, the arbitrator, not the court, must decide the unconscionability question. This mechanism can insulate an arbitration provision from judicial invalidation by removing the validity question from the court that would otherwise be most likely to apply the Ninth Circuit’s demanding unconscionability standard. Ballon also identified a broader compliance lesson from the interplay between regulatory enforcement and class action litigation: companies frequently segregate their litigation and regulatory response teams, but doing so creates the risk of documentary inconsistency between what is produced to regulators and what is produced in litigation. He described a client who inadvertently made a regulatory enforcement action public by referring to it in a securities filing, noting that regulatory enforcement actions “typically are confidential unless and until an enforcement action is brought or a settlement is reached.” Ballon’s overarching strategic framing — that every case is “like a chess game. It requires a great deal of strategy. We need to always be thinking two to three moves ahead” — is the unifying principle across the privacy breach, wiretap troll, BIPA, and contract formation contexts that his practice covers.
Generated by AI based on the Interview/Transcript below.
Key Takeaways
- CCPA Requires Trial to Win Substantial Damages: Ballon confirmed that the CCPA’s dual causation requirement (expert-supported breach of reasonable security standard of care plus causation), 30-day cure notice obligation, and class action lawyers’ trial aversion combine to make CCPA “a case where I at least think this can be managed” — illustrated by two of his own settlements at approximately $1 per class member.
- BIPA Compliance Is Non-Negotiable for Startups: At $1,000 per negligent violation and $5,000 per intentional or reckless violation, with broad statutory standing, BIPA creates aggregate class exposure that Ballon described as so severe that “if you can only afford to comply with one privacy law, it should be the Illinois Biometric Information Privacy Act.”
- The Cure Letter Is CCPA’s Most Under-Used Defense: Ballon argued that CCPA defendants who ignore the 30-day cure notice are “making a mistake” because a credible cure response introduces a third jury question — whether the defendant actually cured — that prevents summary judgment and forces plaintiffs to either proceed to trial or accept a nominal settlement.
- Ninth Circuit Contract Doctrine Has Left Every Other Circuit: Four 2025 Ninth Circuit decisions found no enforceable contract in scenarios including a checked checkbox, a Facebook SSO flow with explicit agreement language, and a clearly worded “By continuing … you agree” click flow; Ballon confirmed that absent click-to-accept, “you cannot state a claim even if there’s a link on the bottom of every single page on a website.”
- VPPA Circuit Split Goes to the Supreme Court: The Supreme Court has granted certiorari in Salazar v. National Basketball Ass’n, which will resolve whether the VPPA’s “consumer” definition extends to any subscriber of the provider’s goods or services or only to subscribers of audio-visual services specifically — a ruling with wide implications for media companies, newsletter publishers, and any company that both sells products and shares user data with ad platforms.
- McKesson Frees Courts From FCC Rulings on TCPA: McLaughlin Chiropractic v. McKesson’s holding that courts are not bound by FCC TCPA interpretations, combined with Loper Bright’s anti-deference logic, eliminates much of the legal foundation for troll TCPA claims premised on FCC-mandated consent and ATDS definitions; Ballon predicted that so much of the troll TCPA litigation … based on broad FCC determinations will effectively go out the window.
- Mass Arbitration Fees Are Lower, But Capability Risk Persists: JAMS, AAA, and other major providers have substantially reduced their non-refundable fee schedules, materially reducing the mass arbitration fee extortion risk that threatened existential exposure in earlier years; Ballon cautioned that capability to conduct mass arbitration can be quickly imported through co-counsel association.
- Delegation Clauses Shield Arbitration From Unconscionability Review: Wassmund v. Red Bull demonstrates that a well-drafted delegation clause can remove the validity challenge from the court and route it to the arbitrator, insulating mass arbitration provisions from judicial unconscionability review under the Ninth Circuit’s demanding Heckman v. Live Nation standard.
- Regulatory and Litigation Responses Must Be Coordinated: Ballon warned that companies that segregate regulatory and litigation response teams risk creating inconsistent document production and inadvertent public disclosure of confidential enforcement actions, potentially converting confidential regulatory matters into public knowledge that plaintiffs’ counsel can then exploit.
Interview/Transcript
This transcript is part two of a two-part program series, “Internet & Computer Law Year in Review,” held on March 25, 2026. In this engaging discussion moderated by Wayne Stacy, BCLT, Ian Ballon, Greenberg Traurig, dives into the rapidly evolving world of digital law. This program offers a unique look into the high-stakes intersection of technology, litigation, and privacy, providing a “litigator’s perspective” on how the legal framework is being reshaped by AI. This session also provides an essential roadmap for any law student eager to navigate the complexities of modern tech law and explore careers in Internet Law, E-commerce, and AI litigation.
Wayne Stacy 00:30
Welcome everyone to the Berkeley Center for Law and Technology’s expert series webcast. We have another great program from Ian Ballon. Again, if you heard my introductions for Ian, if you don’t know Ian, you’ve probably come to the wrong webcast. Ian has one of the biggest names in this space, mainly because he’s published. He’s been around it since, well, since it really wasn’t a popular area. Ian started with this, but has grown with this practice of law through the last 20-25 years, and really helped pioneer the area. From his, you’ll find his treatise out there, to all the cases he’s been involved in, really helped form kind of what I consider the modern internet and computer law thought process. And with that, I’m always happy for Ian to come back and spend some time with us. With this particular program, it complements another program you’ll see with Ian out there, so I’ll let him introduce that, but formally, we have Ian Ballon. He’s the co-chair of Global IP and Technology Practice group at Greenberg Traurig, and one of the people I’ve had a great fortune of working with for little over 20 years now in this education space. So with that, Ian, I’m going to turn it over to you to do our next program.
Ian Ballon 01:52
Thank you, Wayne. I appreciate that. It’s always a pleasure to present to the Berkeley Center of Law and Technology. This is part of a two part program that Wayne talked me into doing. So this part of the presentation is going to focus on data privacy AI and cyber security breach, class action litigation and mitigation, as well as online and mobile contract formation. And there’s a lot to talk about in the privacy, cyber security and contract space. And then, in addition, for 2026, I have a Year in the Review program on Internet and AI law that focuses on intellectual property, the CDA, intermediate liability, and in particular, the use of third party content and data to train models for AI. So we’ve got two different programs, and without further ado, I’ll jump into this one. I have included excerpts from my treatise, including excerpts on cybersecurity breach, CCPA, litigation and data privacy, and those are available for download here that is a couple of years old, but the excerpts that I’ve included are fairly current, even if they don’t have the latest cases. The latest cases are in the slides. But the reason for that is I’m transitioning to a new series coming out later this year, ‘Internet law, e-commerce and litigation in the era of artificial intelligence’ and so as a consequence, some of the excerpts have not been fully updated, but the slides are very current, including cases decided as recently as just the last couple of weeks. In terms of this presentation, let me give you an overview of the area and what I’m going to cover, and then we’ll drill down. 
I’m going to be talking about cyber security breach, data privacy, AI, the claims that are brought, the risk mitigation strategies and things that compliance lawyers maybe don’t think about quite as much because they’re coming from the perspective of a litigator, as opposed to, let’s say, a state code or other guideline, and then also online and mobile contract formation and the interplay between class action litigation and mass arbitration, as well as the persistent problem of troll cases, and how best to address those. So in looking at 2025, I don’t have a current data point on the number of security breach lawsuits filed in 2025 but I can tell you that there were over 1500 data breach cases filed in 2024 and I can tell you that in 2025 healthcare accounted for about a quarter of the data breaches, and that there was a significant increase in ransomware attacks. So we are seeing more of the same, and hackers are increasingly looking at sensitive data. We are seeing a lower volume of TCPA cases, or cases brought primarily involving text marketing, for example. And this has been a consistent trend as the Supreme Court scaled back the definition of what an ATDS is, and as we have seen, courts scale back the ability of plaintiffs to sue under FCC guidelines. And I’ll talk a little bit more about that, and that has general application, even beyond the TCPA area. But just by comparison, for example, there were 12 reported Circuit Court opinions in 2025, versus 16 in 2024, and 33 in 2023, so in smaller number of cases, but a very important Supreme Court case which we’ll talk about. I’m going to talk about privacy at tech security breach, class action litigation and mass arbitration claims, the trends, the court opinions, litigation strategy, settlements and compliance lessons. 
That includes CCPA-CPRA litigation where I am not as concerned as defense lawyer about CCPA claims, because there are a number of significant hurdles for plaintiffs, which I’ll talk about later in this program. We’ll talk about the Illinois Biometric Information Privacy Act. I joke with startup clients that if you can only afford to comply with one privacy law, it should be the Illinois Biometric Information Privacy Act because of the availability of statutory damages and the large dollar number of some of the awards in this area. We also increasingly are seeing litigation under the Genetic Information Privacy Act. I’ll talk about wiretap troll claims and how best to address that, and that is a scourge for all companies, as well as online contract formation and what should be in EULAs, Terms of Use, in terms of service, excuse me, and also managing simultaneously multiple class action suits and mass arbitrations, because I think that there’s a lot of strategy that really comes to bear when, when you’re dealing with that. We’ll talk about trends, some of the big picture trends, regulation of neural data, anything involving children. Of course, there are new there’s some new rules involving COPPA, but COPPA only applies to those 13 and over and sorry, 13 and under. And what we see is a lot of litigation and a lot of attempts at state regulation for people who are not, have not achieved the age of majority and are minors but are not subject to COPPA. Health data and other sensitive data continues to be real target of plaintiffs in this area, we see an increase of litigation involving state claims, as well as suits brought by non-users who have not provided consent and have not been subject to arbitration provisions, but maybe their information somehow got accessed, or they were subject to a breach, and as I mentioned, the interplay between class action litigation and mass arbitration. 
As we sit here today, in early 2026, we have state laws that either have just taken effect or have long been in effect. State privacy laws in California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, as of January 1, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island as of January 1, Tennessee, Texas, Utah and Virginia — most of these laws do not allow a private cause of action, other than California, which allows for a private cause of action. Some state laws preclude, affirmatively preclude, any litigation. But, what I think I would say that I see a lot from plaintiff’s counsel, is that plaintiff’s counsel in this area, who are not that sophisticated and don’t know what they’re doing, will file suit alleging a claim for violation of the Colorado or Delaware privacy code or a violation of California CCPA, but from the provisions that don’t allow private cause of action. CCPA only allows for private cause of action in narrow circumstances involving a security breach. So they might sue for some other part of the CCPA, or they’ll bring an unfair competition claim, alleging that the act of unfair competition is the failure to comply with this other provision of CCPA. In those instances, we on the defense side have a pretty easy time moving to dismiss and getting the case thrown out, because there is no private cause of action. Certainly in California, there is no CCPA claim. There cannot be a CCPA claim brought through the back door as an unfair competition claim, except in the narrow circumstance where there is a claim for a security breach. The more sophisticated plaintiff’s lawyers, though, will file suit for negligence, and they won’t cite the statute. They will, they will not say your client failed to comply with Section 1302 of the statute. Instead, they will say your client failed to do X. 
X is the standard of care in the industry by failing to adhere to this duty to consumers, to do X, the plaintiff was injured, and your client owes the money. And that’s a more sophisticated claim where they’re not really saying you violated a law that doesn’t allow a private cause of action, but they’re repackaging the requirements of a law as a prevalent duty of care in the industry, and the more sophisticated plaintiffs lawyers know how to do that in a way where they can get past the motion to dismiss and into discovery. And the reality is, when you’re dealing with data privacy, cyber security breach, other kinds of class action litigation, the overwhelming majority of these cases, very few cases ever go to trial in the security breach area. I don’t think there’s ever been a security breach class action suit that’s gone to trial. And so just getting past the motion to dismiss into discovery is hugely valuable for plaintiffs in terms of leveraging a settlement. I should also say that one thing that I’m seeing is that plaintiffs increasingly are bringing more narrowly focused claims. Obviously not all of plaintiffs, but the more sophisticated plaintiff’s counsel are bringing more narrowly tailored cases. Back several years ago, I represented a major Silicon Valley company in a series of security breach class action litigation cases, and there were 17 claims for plaintiffs, and through multiple rounds of motion practice, motions to dismiss, summary judgment, we eventually got it down to one claim, and it was a claim only for damages, not injunctive relief, making it harder for plaintiffs to ever recover, not recover, but making it harder for plaintiffs to ever obtain class certification. 
And even with that common law claim that remained, there was no proof of damage, so it was really not a very good case, but they had spent several years and a significant amount of time and money litigating this case, losing three of their plaintiffs and losing 16 of their 17 claims. And today, in 2026, we see plaintiffs’ counsel being more sophisticated. They don’t want to spend the time of having to spend years in litigation to find out too late in the game that they’ve got a terrible case. And so increasingly, they are bringing more narrowly tailored cases that focus on maybe the best claim, if they’ve got any kind of claim that will allow for statutory damage to attorney’s fees, that’s a good claim to bring. Negligence, because if they can allege a duty, a breach of that duty and damage, they’ve stated a claim, and that’s easy to get into discovery, where they can then start looking under the hood to see actually if there was any negligence and sometimes unfair competition. In my home state of California, there is a requirement that you show an actual injury or damage to bring an unfair competition claim. But some states have more liberal laws, and sometimes in a more amorphous way, a claim can be framed on that basis. So this is what I see in the trends. Let’s drill down more specifically on the different areas. Let’s start with AI and its impact on data privacy class action litigation. There’s a lot going on in AI and in the companion program for the Berkeley Center for Law and Technology, where I do another 2026 Year in Review program on general internet and AI law, I have a much larger section dealing with AI law, property rights and the like. But I want to mention some AI issues relevant in the privacy area. And let me start specifically by framing what I think is an important issue. I mentioned this in the other program as well, but it’s particularly important in the privacy area. 
First of all, a lot of the privacy statutes that I talked about have provisions that implicate AI. They have provisions that create opt-out rights, notice, access rights, things that may be complicated when companies are using huge amounts of data to train large language models, and this is something to be aware of. Most of these state laws are only enforced by regulators, the attorney general, not in litigation. But again, as I said earlier, plaintiffs increasingly are thinking of ways to frame things in terms of negligence, standard of care, duty, breach, damage, and so that’s something to be aware of. There are also AI-specific laws, the California Transparency and Frontier AI Act, which requires risk assessments and disclosures, public training, data summaries and also whistleblower provisions. The New York Responsible AI Safety and Education Act, which requires safety protocols, reporting obligations, oversight structures for AI systems. The Utah Artificial Intelligence Policy Act, which requires disclosure of high-risk AI interactions and also creates a safe harbor. And the Texas Responsible AI Safety and Education Act, which primarily applies to government use of AI and prohibited practices. But in December of 2025 President Trump signed an executive order, a national policy framework for AI, and that directs the Attorney General to prevent enforcement of state AI laws. And so I do want to mention briefly for a moment in this program, as I do in the other program, because I think it’s quite important, that this may have practical consequences on AI enforcement. As a general proposition, an executive order does not preempt state law, absent some delegation from Congress that would allow the President to act by executive authority. 
However, there is the argument that can be made for field preemption, that AI policy is so important from a national perspective that the field is preempted and that state regulation is not permissible. The existence of an executive order from the president can be cited as evidence in support of field preemption. Also, just as a practical matter, because the President has directed the Attorney General to prevent state enforcement of these laws, states may not be in a position to enforce these laws, or if they do, the federal government may come in to help a company that’s dealing with enforcement, or may even, in fact, affirmatively seek to enjoin enforcement, so something to be aware of. There are also substantial practice issues as well as property rights issues. I address those in the companion program for the Berkeley Center for Law and Technology, and I’m not going to cover them here, but if you’re interested, you should look at the other Year in Review program that I have.
Ian Ballon 20:07
So let’s jump into the subtopics, starting with the Telephone Consumer Protection Act. The TCPA allows for $500 per violation, trebled if a defendant violates the statute willfully or knowingly, and among other things, the TCPA makes it unlawful to make a call other than a call made for emergency purposes or made with the prior express consent of the called party using any automated telephone dialing system or an artificial or prerecorded voice to any emergency telephone line, or to any telephone number assigned to a paging service, cellular telephone service, or to initiate a telephone call to any residential telephone line. So this prohibits a lot of different things, and what we see particularly are cases involving calls to residential phone lines using artificial or prerecorded calls where there’s no prior express consent, and calls using an artificial or prerecorded voice or an automatic telephone dialing system, either audio calls or text messages to a cell phone, again absent prior express consent. The other kinds of claims that get brought are calls where a number is on the National Do Not Call list. Consent, obviously, is a big defense here, but otherwise, if there’s not consent, if a number is on the Do Not Call list, or if there’s use of an automatic telephone dialing system or an artificial or prerecorded voice call, then there is potentially a claim. Now, in litigation, over the years, those of us on the defense side have very much narrowed the scope of this. I prevailed in an important Third Circuit decision that ultimately was followed by the US Supreme Court in finding that an automatic telephone dialing system has to be given the statutory definition, which is much narrower than the broader FCC definition, which arguably was just calling numbers from a database or a list. That’s the Duguid case from a couple of years ago that narrowed the scope of what an ATDS is. 
An interesting question is whether a text message itself is even actionable. The TCPA was signed into law in the early 1990s, more than a year before the first text message was sent, and it addressed a particular concern that seems very antiquated today, which is unwanted calls to landline phones during the dinner hour. In 2026, most people don’t have landline phones anymore, and most families don’t have what’s called a dinner hour. But in those days that was a big concern, and so that’s what this statute was intended to do, and because of FCC regulations, it was extended by various circuits to cover text messages. But interestingly, the US Supreme Court decided a major case in 2025, McLaughlin Chiropractic v. McKesson, which deals with this question of whether and to what extent courts are required to adhere to FCC rulings. There is the narrow ruling in this case, which actually is not so narrow at all, it’s pretty broad. But then there’s also the broader implication. Narrowly, the Supreme Court held in McKesson that absent express statutory preclusion of judicial review, a district court enforcement proceeding is not bound by a federal agency’s pre-enforcement statutory interpretation, but must determine the meaning of the statute itself. And the Hobbs Act does not preclude a district court from disagreeing with the FCC’s statutory interpretation of the TCPA. This is actually quite important, because previously, many circuits held that the Hobbs Act prevented district courts from relitigating the meaning of a statute if a federal agency had issued a final rule interpreting what the statute means, and the current US Supreme Court has taken the exact opposite approach, and here they say a district court must construe the meaning of the statute and is not in any way bound by the agency determination. Maybe it’s influential, but it can be freely ignored. This really follows on the Supreme Court’s 2024 decision in Loper Bright Enterprises v. 
Raimondo, overturning Chevron and the general rule that federal courts should defer to agency determinations in many instances. A lot of the litigation in this area involves calls on the Do Not Call list. Whether a text message is a call after McKesson is an interesting question. What is an ATDS has largely been resolved by Facebook, although plaintiffs still address these issues, and then, of course, what constitutes consent? Because the FCC had issued a number of regulations requiring specific things to be done in order to get consent, and post-McKesson, those may no longer apply. So looking at some 2025 case law: is a text message a call? Well, we have one circuit court decision as I sit here in early March 2026 and that’s Howard v. Republican National Committee from January 2026, holding that text containing video files constitutes a call, even if a user must affirmatively act after receiving the message to choose to listen to the video. So that’s an interesting and significant decision, but it is an interesting decision. In that case, they followed an earlier Ninth Circuit case, holding that a text message is a call, but that case relied on FCC rulings. So in any case, an interesting decision, but still to be continued in other circuits. Under the Do Not Call list, Hulce v. Zipongo, a 2025 decision from the Seventh Circuit, holding that a telephonic solicitation means the initiation of a call or message for the purpose of persuading or urging someone to pay for a service from a caller. The case involved odd facts where you had calls promoting a service, but the service was paid for by someone else, and so they found that this was not a telephone solicitation and was not subject to the act. In that case, the Seventh Circuit affirmed summary judgment because Foodsmart did not initiate communications with the plaintiff consumer for the purpose of encouraging someone who makes the purchasing decision to purchase the service. 
In this case, Foodsmart contracted with CCHP, a healthcare provider which paid for services to members like plaintiff, which members themselves did not pay for. So sort of an odd kind of case, but in that instance, outside the scope of Do Not Call. The Insurance Marketing Coalition v. FCC case was a pre-McKesson case, but also invalidating regulations that required that consent must be obtained from one entity at a time and that the subject matter or message must be logically and topically associated with the interaction that prompted the consent. In other words, striking down much more burdensome FCC requirements that required consent to be obtained one at a time and subject matter at a time, in other words, a much harder way to do things. So this is very interesting. There’s also a question about what’s a legitimate government function, the Bradford case from the Third Circuit in 2025 holding that the TCPA prohibition on robocalls absent prior express consent does not restrict state legislators from making automated and prerecorded calls in connection with legitimate government functions. So those calls could be, for example, notice or warning about an earthquake or fire, things of that nature. Let’s turn from the TCPA to data privacy, cyber security breach and ad tech putative class action litigation, and let’s jump in. There are a lot of issues to cover and a lot of new cases. In terms of claims, there’s an interesting decision from the US Supreme Court on federal jurisdiction, holding that when a plaintiff amends following removal, federal jurisdiction depends on what the new complaint says. So for those of you who are not litigators, what this means is whether there is federal jurisdiction at a given point in time has to be determined at that given point in time, not when the complaint was originally filed. 
What used to happen is a plaintiff might file suit in state court, a defendant might remove from state court to federal court, because they prefer to be in federal court, and then the plaintiff might amend the complaint to try to defeat federal jurisdiction. And some courts had held that didn’t make a difference, because, you know, that was just a procedural maneuver. But actually the Supreme Court says whether federal jurisdiction exists depends at the point in time when it’s evaluated, and so this now makes it easier for plaintiffs to amend their complaints after removal, to destroy federal jurisdiction and go back to state court.
Ian Ballon 31:41
As a general rule in data privacy and cybersecurity breach class action litigation, you need to know who the plaintiffs are and who the lawyers are. Plaintiffs’ lawyers have different approaches, different MOs. Some are experts in mass arbitration and actually bring all those claims. Some don’t like going to court. They like early settlements. You need to know who your plaintiff’s lawyer is, and you need to know who the plaintiffs are as well. Some are repeat players, and that can raise very interesting questions in litigation. I had an interesting deposition of a plaintiff in a security breach case who complained bitterly about how companies like my client were monopolizing the canned tuna industry, and the only problem with that is my client wasn’t in the canned tuna industry. My client was an internet provider and social media company, and this plaintiff was the plaintiff in so many cases that he had confused this case with a canned tuna antitrust case where he also was a plaintiff. So sometimes these plaintiffs are interesting to depose. You need to think about what motions to bring and when. So, for example, do you bring a motion to dismiss? Oftentimes, yes, but if the plaintiffs are going to be given leave to amend, and the motion is only going to highlight for them a weakness in their case that they may not appreciate, maybe you don’t point it out, because then they can amend and make a better complaint. Maybe you’re better off going through discovery and filing for summary judgment, and they’ve never figured out that defect. Generally, in these kinds of cases, particularly with more sophisticated lawyers, we try to bring motions to dismiss, to get rid of the case or force a settlement. We bring motions for summary judgment. There are strategic questions. Do you bring it early in the case, late in the case, and then we typically defend motions for class certification. 
You need to think about all of those, and you also need to think about whether to settle, and if so, when to settle. Sometimes it’s helpful to have early settlement discussions or early mediations. Sometimes you need to go through litigation to get to that point, sometimes you can never settle. The way I tell clients to look at these cases is every case is like a chess game. It requires a great deal of strategy. We need to always be thinking two to three moves ahead. You cannot fully control what the other side will do. And by that, by the other side, I mean, not just the plaintiff’s counsel, but the judge, and what they’re going to do, but you can always try to think two and three moves ahead so that your goal is always to get the other side into checkmate. There are privilege and confidentiality issues to be aware of, particularly in the security breach area, and you know, not something to particularly discuss in a public forum. But I think there are things that one can do strategically to avoid helping plaintiffs when there’s a security breach by giving them a report that then is Exhibit A to the jury, and that also, frankly, helps them understand the case. I had one case that resolved after four years, and after four years, plaintiffs still never really understood what happened and why, and that was because we had no documents that could help them, and they couldn’t figure out the right questions to ask us in discovery.
Ian Ballon 35:30
Ways to mitigate risk, obviously, contract formation, and we’re going to talk about this at the end of the program. Online and mobile contract formation is incredibly important, not just from a transactional perspective or from a litigation avoidance perspective. What you put in your agreement is important, how you present it to users, so you determine whether it’s enforceable, and then what you do with respect to arbitration, whether you have arbitration, how you have arbitration, whether you treat mass arbitration differently from regular arbitration, these are all important things to think about. And then, of course, the next frontier. So there have been a number of AI privacy cases filed. We don’t have lots of decisions, but there are cases that have been filed. That is certainly the next frontier, and there are issues related to the use of consumer information to train algorithms. State privacy litigations, I talked about that earlier, and then any kind of claim involving sensitive data, so children, financial information, health privacy, neural data, all of that is hot and heavy and subject to potential litigation. So the type of claims that are brought — common law claims in cyber security breach, breach of contract, if there’s a contract, breach of the covenant of good faith and fair dealing, if the contract claim is non point, breach of implied contract, if there’s no express contract, breach of fiduciary duty, negligence, fraud. There are federal claims in both data privacy and cyber security breach, wiretap claims, Computer Fraud and Abuse Act, although that requires a $5,000 minimum injury, Video Privacy Protection Act, which I’m going to talk about in a little more detail in a moment. State laws, Illinois Biometric Information Privacy Act, that is one to be particularly aware of. Breach of contract. And then also one thing to consider is the interplay between regulatory enforcement and litigation. Sometimes companies segregate the two. 
They have different sets of lawyers involved. You really need to make sure that what you’re doing is consistent and that there is consistency and coherence in what you’re doing. You don’t want to produce documents in litigation and not to the FTC or state attorneys general, for example, or vice versa. Also, I will say that regulatory enforcement actions typically are confidential unless and until an enforcement action is brought or a settlement is reached, and that’s something to be aware of. I had a client that inadvertently raised the regulatory enforcement action in a securities filing, and well, that then makes it public knowledge, so something to be aware of and something to consider. Video Privacy Protection Act, this is an area — this is one of those statutes where litigation moves in waves and trends. There’s a statute, there’s a lot of litigation, there are efforts to scale back that litigation. Then after that time, it tends to go away. Video Privacy Protection Act is one of those statutes where we saw a lot of litigation, then it got scaled back. But then in recent years, we’ve seen a lot more litigation again, and we have a number of circuit court decisions. Just in the last year, we have Salazar v. the NBA holding that the newsletter recipient was a subscriber of goods and services under the VPPA. That’s a broad ruling, and I think that that is, you know, unduly broad. A consumer under VPPA, according to the Second Circuit, should be understood to encompass a renter, purchaser or subscriber of any of the provider’s goods or services, audiovisual or not. It’s the definition of personally identified information that limits what can be shared, not the definition of consumer. And in 2025, the Seventh Circuit in the Gardner case agreed with the Second Circuit. 
In 2025 in the Washington Post case, the DC Circuit held — they affirmed that plaintiff was not a consumer protected by the VPPA because in visiting the Washington Examiner’s website, she did not subscribe to a video or similar audiovisual good or service. Well, that’s, you know, that’s a narrower definition of what you’re looking at. Is it any product, or is it only the video product? Sixth Circuit in the Salazar case disagreed with the Second Circuit. The better reading remains that the goods or services relates to audiovisual materials and the definition of personally identifiable information merely provides an example of what information a videotape service provider can’t disclose to others. And then finally, the Solomon case, holding that PII under the VPPA encompasses information that would allow an ordinary person to identify a consumer’s video watching habits, but not information that only a sophisticated technology company could use. I should mention also that in early 2026, the US Supreme Court granted cert in the Salazar case. So we are going to see a ruling on that issue, and that is going to resolve the circuit split that exists currently. So that’s the VPPA. I mentioned a moment ago this issue of different kinds of motions and things to look at. And this is really one of them. Hold on for a second. Sorry, I talked about motions to dismiss. There’s, of course, the question, can you compel arbitration in the era of mass arbitration? Do you want to compel arbitration? If there are multiple laws, multiple class action lawsuits, do you want to invoke the jurisdiction of the MDL panel? The MDL panel is the multi-district litigation panel. It’s a panel of judges selected from around the country that meets periodically to determine whether to associate cases and transfer them all to one district. 
So in the 23andMe case, for example, I argued in that case, where there were 39 Federal Court lawsuits that were filed, that they should be coordinated for pretrial purposes, and transferred to the Northern District of California, where 23andMe had its principal place of business, and I prevailed on that motion over objections from plaintiffs’ counsel in some actions in Illinois that based on the unique kind of claims that Illinois residents wanted to make under the Illinois equivalent of the Genetic Information Privacy Act that the claims should remain in Illinois. What that means when you get an MDL ruling is that any follow-on actions, any additional lawsuits filed after that point in the federal system, automatically get transferred to this court where all of the actions are consolidated. On the other hand, in some cases, you don’t want that. So, for example, in Dickey’s Barbecue, I argued successfully against MDL consolidation. In that case, there were a total of seven lawsuits that had been filed in California and Texas, and some plaintiffs’ counsel moved for MDL coordination to transfer all the cases to California. I argued against that and was successful in defeating that motion, and then one by one, we were able to get the California cases either dismissed or transferred to Texas, and then we addressed the cases in Texas. Venue is also something to consider in these cases. Motions to dismiss, you can bring both a motion to dismiss based on the allegations of the complaint, or from a strategic standpoint, you may want to bring your own evidence if you’re arguing that there’s no standing. Standing can be decided based on the pleading standard, which is the allegations that plaintiffs make. 
And plaintiffs in this area are terrific, creative writers, and so they write beautiful complaints that can be embarrassing and problematic for companies, but at least with respect to standing, you can move not just on the 12(b)(6) standard, but based on your own affirmative evidence. And sometimes it’s really helpful, not only because you can win on that basis, but because it also tells your own story to the court and to the public, and that can be helpful as well. Summary judgment. We talked about class certification. There are an array of issues. And then, of course, settlement. Sometimes you want a settlement, sometimes you don’t. Sometimes a class action settlement cuts off the risk of further litigation. Sometimes, though, you just want a narrow individual settlement because you don’t want to pay enough for a class settlement. Class settlement requires approval by the judge. There’s a preliminary approval hearing, there’s a final approval hearing. There’s notice to the class. Typically, there’s an opt-out right on the part of class members. Sometimes, if a claim has been asserted, you may just want an individual settlement which can be confidential, as opposed to a class action settlement, which is public. So these are all things to think about. In the area of Article III standing, there is a circuit split. I’ve got a large excerpt from my treatise on that. I think it’s a circuit split. The Second Circuit talks about how you can harmonize these different rulings, and a lot depends on the type of breach, which, in turn, tells you the particular risk to the plaintiff that their information really is going to be exposed. But I think generally, it’s a pretty hard circuit split. If you are having trouble sleeping in these difficult times, I urge you to print it out. You can read it, and you will sleep well. If you are a civil procedure nerd, as I am, you may find it interesting. 
I do think at some point, the US Supreme Court is going to resolve this issue, and I think that based on recent Supreme Court decisions over the past couple of years that the narrower standard is going to be the one that would be applied, as opposed to the broader standard applied in the Ninth and Seventh Circuits. But I’m loath to predict what the US Supreme Court actually is going to do in any given case. I had a US Supreme Court case in 2020, sorry, 2010, the Muchnick case. We won nine to zero, but the court ruled on such narrow grounds that the Second Circuit found unrelated reasons to vacate our case, and the case remained in litigation for another nine years. So I’m out of the business of predicting what the US Supreme Court actually will do. So let’s jump into the particular claims. This is one of the major claims to be aware of: the Illinois Biometric Information Privacy Act. It creates a private cause of action for any person aggrieved by a violation of BIPA, very broad statutory standing provisions, and so it’s very easy to state a claim that is potentially problematic for defendants and why compliance is so important, because if there is a violation of statute, a plaintiff can recover actual damages or $1,000 in liquidated damages for negligent violation, up to $5,000 if intentional or reckless, and if a number of people have been impacted, a class can be certified. We see that in the 2025 decision from the Seventh Circuit, the Svoboda case, affirming certification of a class. You can see in the slides, very large settlement numbers, even large jury trial numbers. And so these are things to be aware of. You need to also be aware of suits under the Illinois Genetic Information Privacy Act. That’s a newer statute. 
And there are a couple of decisions, not from 2025, but I put them on the board because it’s a relatively newer claim, and we’re seeing an increasing number of those claims. Bridges and Courtney are relevant cases under that statute. Let’s talk about ad tech cases involving replay software, chat banners, cookies, pixels. These are troll cases. We’ve seen them over the last number of years. It’s a scourge for every company, and I think there’s a lot of strategy that should go into your decision about what to do. So we saw these starting a number of years ago. Massie v. General Motors is a case of mine from 2022. That case involved replay software. We first moved the case from California to Delaware, then we ended up prevailing based on no standing. Magistrate Judge Beeler in a trio of cases, sale of Graham and Yale, narrowly construed the scope of CIPA claims in this area and those cases continue to be relevant today. Florida also scaled things back, but we are seeing a lot of cases in this area, and I put on the screen some things to be aware of. So for example, in the area of Article III and statutory standing, there are a number of claims that can be made on the defense side. Popa v. Microsoft from 2025 is a helpful case holding that a statutory violation alone isn’t sufficient to confer Article III standing. There’s no standing where clicks and keystrokes are used to recreate plaintiff’s website visit because it didn’t implicate embarrassing, invasive or otherwise private, sensitive information.
Ian Ballon 51:38
You have the Third Circuit decision from GameStop. You also have some lower court decisions involving statutory standing under CIPA, and these are all helpful cases. On the other hand, you have some bad opinions out there, Third Circuit opinion from a couple of years ago holding that a company itself can intercept communications. That’s a big problem in the Third Circuit, unreported decision from a couple of years ago involving retroactive consent. We have a good decision from 2024 in Massachusetts, finding that their wiretap law doesn’t apply to these kinds of electronic communications. Wiretap laws literally involved a time when phones were wired. They were connected to a wall, and it was called wiretap because someone could shimmy up a telephone pole and literally tap into the wire to hear a phone conversation. That’s, of course, dramatically different to what we’re talking about with electronic signals. Massachusetts held that the use of tracking software like the Meta pixel and Google Analytics did not violate the Massachusetts Wiretap Act, but there are claims in a number of other states, including California, that have some provisions that allow or that require two-party consent, and that’s the basis for a lot of these troll claims. What I will say with these troll claims is it’s very important to know your plaintiff and your plaintiff’s counsel. Because plaintiff’s counsel, you know, we deal with dozens and dozens and dozens of these cases all the time. We know who the plaintiffs’ lawyers are. We know what their prices are. I mean, the prices don’t stay the same. You know, we’re in a period of tariffs and inflation, and plaintiffs’ lawyers like to up their price as well, but we generally know the range they’ll settle within. We know the arguments that are persuasive to one set of lawyers and not others. Some are very greedy. 
I had one case, currently in litigation in California, where plaintiffs’ lawyers are asking about 10 times what I usually settle these cases for. And so my client has decided we’re just going to litigate on the merits, and that’s what we’re doing. A lot of these plaintiffs’ lawyers, though, value price these cases to settle below the cost of a motion to dismiss. The kinds of things that I think you need to think about strategically: what precedent are you setting? If a lawsuit has been filed, and you pay the plaintiff to settle it, then the case disappears from the docket. Other plaintiffs’ lawyers may know and see that and may say, oh, this company is one that settles easily. Maybe I should sue them. And indeed, even these plaintiffs may come back and sue you. Now, when you do an individual settlement, ethically, we are not permitted to ask plaintiffs to agree to never sue our client on behalf of any other client. You can’t ethically do that, but you can ethically get certain representations that they have no other clients that currently have claims against your client and no current intention to sue your client in the future. That doesn’t stop them from suing in the future. But again, you’re dealing with certain kinds of business models. You’re dealing with plaintiffs that are trying to get settlements. They’re not necessarily going to target your client over and over again, the way some plaintiffs’ lawyers do with companies that they know are litigation averse and will quickly turn over big bags of money. On the other hand, if the only thing you’re looking at is a cease and desist letter or maybe a confidential arbitration demand, these may be the kind of situations where it’s confidential. No one knows about it, and so you don’t have the same concerns about precedent. 
If you pay a few dollars to get rid of the claim, you know, for an individual settlement, something to think about. Turning to, or actually, I’m sorry, we have also some other cases here that I omitted to mention, the pen register claims. That’s a big claim under CIPA and one to be aware of. I think they’re wrongly decided. I’ve been waiting for a client who wants to pay me to take these cases up on appeal. But right now, you do have some bad decisions from district courts in California, New York holding that CIPA pen register claims can be asserted. There’s a good decision from Judge chawry in the Northern District of California, which has some good language, basically saying browsing activity, third-party filtering of URLs and web pages visited by users did not amount to reading the communication while in transit. That’s a good decision, and that’s helpful. We also see efforts in the pixel area to extend claims under the CCPA. Again, this is an area where I would be delighted to take this up on appeal. You have the Shah case and the M.G. case. Shah’s 2025 decision. I think these cases are not rightly decided. The CCPA has a narrow cause of action for security breaches. I think treating information transmitted by pixel as a security breach is a wrong determination of the statute. Under the VPPA, you do have the Solomon case holding that the VPP, VPPA claim, excuse me, would not, would not apply. I talked about the strategies, but again, these are other claims to be aware of. Privacy policy claims: Ninth Circuit has held that you’ll need to look at the standard of a reasonable user; that’s consistent with what the FTC looks at. That’s what a lot of state unfair competition laws look at, such as in Texas, you’re looking at maybe someone with a ninth or 10th grade education. On the other hand, in a contract case from several years ago, the Second Circuit in Meyer v. 
Uber basically held that a reasonable mobile user should be assumed to be someone who enters into mobile contracts, not someone who’s never used this before. And I think that’s important. That’s a helpful case. I cite it all over the country, but I think it does represent sort of a nuanced difference of approach between circuits.
Ian Ballon 58:39
Let’s talk about the CCPA. CCPA, as I mentioned before, creates a private cause of action in narrow cases for a security breach, and it allows statutory damages of up to $750 per violation. I’ve had success in these cases, though, because every time I have a client who’s sued in a CCPA claim, I call a plaintiff and I say, “Thank you so much for bringing this claim. It’s so infrequent that I get to go to trial, particularly in a class action case. I really appreciate that opportunity.” And after I hear the phone drop, and hopefully the glass hasn’t shattered, they pick up their phone again. You know, we talk about why, and I say because you can’t, as a plaintiff, you typically cannot win a CCPA case and get substantial damages without going to trial. These are the elements of a CCPA claim from my treatise. There’s no case that writes it out this way. But this is my assessment. To bring a claim you have to be a consumer, which is a California resident for tax purposes, whose non-encrypted or non-redacted personal information, within the narrower definition of the security breach notification law, not the broader definition generally applicable under CCPA, is subject to an unauthorized access and exfiltration, theft or disclosure. Disclosure is kind of a big concept there. But here’s the kicker: as a result of a business’s (in other words, causation) violation of the duty to implement and maintain reasonable security procedures and practices, whatever those are. So a plaintiff has to present evidence that there was a duty of care to maintain reasonable security procedures and practices. That’s going to require expert opinion that may be controverted, which means it’s going to be a jury question, not subject to summary judgment, and then they need to show that the security breach here happened because, causation, because of what? Because of the defendants violating this duty. So that’s two things that are going to be fact-intensive jury questions. 
Plus, in order to get damages under the CCPA, a plaintiff must provide 30 days’ notice and a right to cure. Now, whether one can cure a security breach, to some extent, is philosophical. You know, unless you have a DeLorean, you may not be able to travel back to the future to change what happened, but there are often ways to cure in terms of mitigating the consequences. You can cancel a credit card. You can take other steps to ensure that there is no consequence of this breach. And remember, plaintiff can always sue for injunctive relief, but to get damages, they need to give 30 days’ notice to cure. Well, I’ve taken over lawsuits where lawyers at other fine firms have chosen to ignore those letters because they felt there was no way to cure. I think that’s a mistake. I think there’s almost always a reason to respond to those letters and to say that you are curing and explain what you’re doing. Now, under the CCPA, if you say you are curing, that can create a contractual claim if you say you’re doing it and, in fact, you don’t do it, so you have to. You can’t just promise to do something and not do it, but I think in most instances, there is a basis to provide some cure. And if you can send a letter doing that, then you’ve created a third factual question precluding summary judgment that would have to be decided by a jury, and that again, makes it much harder for plaintiffs to win without going to trial. And the business model of the typical class action lawyer is to not go to trial. That’s why, for example, in a number of cases, there’s been favorable settlements. Atkinson v. Minted was one of my cases, the first federal case to provide approval to a federal class action suit under the CCPA. It was for about $1 or under $1. That’s a low number in a statute where there’s up to $750 statutory damages. But it’s because of these complexities and difficulties that make it hard for a plaintiff to actually get a big damage award under the CCPA. 
There are also other reasons that would justify a lower damage award, including, for example, the availability of arbitration provisions. There’s not going to be a class action if the defendants move to compel arbitration. Similarly, Kostka v. Dickey’s, another case of mine, settlement for $1 and change. And I don’t mean to belittle the numbers here. It doesn’t mean that they’re not conferring the benefit of the class. They often are, but it is to say that CCPA is a case, is an area where I at least think this can be managed. Mitigating risk: obviously, your practices, your procedures, contracts, disclosures, all of these things are important. And also look at the CCPA website, because that will tell you a lot about the enforcement actions and give you a clue about the next wave of class action litigation. Again, class action lawyers can’t sue for violations of the CCPA other than the security breach. But the reality is, whatever regulatory enforcement actions are being taken, plaintiffs’ class action lawyers are thinking this may be a kind of claim to make, just like they’re looking at what happens in Europe or under the GDPR. All of these are things that smart class action lawyers look at. So that turns us to the final segment of this program, online and mobile contract formation. And there’s a lot new and there’s a lot the same, plus ça change, plus c’est la même chose. What is the same is that it remains extremely difficult in the Ninth Circuit to obtain enforcement of mobile and online contracts. It shouldn’t be, but it actually is, and it’s because the Ninth Circuit keeps on raising the bar. An older case that’s worth looking at if you want to understand Ninth Circuit law is the Berman case, 30 F.4th 849. It’s on the board, from 2022. It’s really like a law review exam of all of the reasons why a contract shouldn’t be enforceable, and it’s a problem. And we see that in 2025, more cases decided the wrong way. 
That isn’t to say that you can’t get a contract enforced in the Ninth Circuit, because you can, but it is to say that it’s often very difficult. Outside the Ninth Circuit, it’s much easier. The other trend, where I said much changes but much stays the same, is that if you don’t have click to accept, if you’ve just got posted terms in the Ninth Circuit, you can’t even state a claim as a matter of law. Now, I’ve figured out some ways in litigation to get around that. I had one case where, with leave of court, we got early discovery on the arbitration question, and the plaintiff may concede that they knew there was a contract, but absent that kind of agreement or admission, as a matter of law, you cannot state a claim even if there’s a link on the bottom of every single page on a website. So some recent cases: Godun v. JustAnswer, holding that advisals, which is an interesting term in and of itself, on payment pages, were insufficiently conspicuous to put consumers on inquiry notice of contractual terms, to explicitly advise users of what action would constitute assent, or to put consumers on inquiry notice of proposed terms. Similarly, Chabolla v. ClassPass, another 2025 case finding no contract. Now, you know there are cases where there is a contract formed, but in the Ninth Circuit, these 2025 cases are good examples, and I’ve got some screenshots to show you in a moment. On the other hand, you have cases from other circuits, like in 2025 Austin v. Experian Information Solutions, 148 F.4th 194, circuit 2025, holding a user enrollment page placed consumers on reasonable notice. And, you know, that’s the screenshot there, would not necessarily have passed the Berman test in the Ninth Circuit. It’s really a problem from a transactional perspective, but it’s also something to be aware of from both litigation and transaction. So let’s look quickly at some screenshots. This is an older case, but it’s a good example. 
Meyer, the Uber Second Circuit case that I mentioned a moment ago, in terms of who a reasonable consumer is, and in the Second Circuit, reasonable consumer is someone who has previously entered into online contracts. Next, register. Language is clear enough, Terms of Use and Privacy Policy, underlined in blue. Second Circuit says a reasonable consumer knows and understands that that’s where you can find the terms, and that will be sufficient. Another older case, Uber case from the First Circuit, huge block, Terms of Service, privacy policy. First Circuit says a reasonable consumer would not know that that’s a link to the agreement, because a reasonable consumer expects something underlined in blue. Terrible decision, and not just remanded in the First Circuit. No contract as a matter of law under Massachusetts law. Okay, here’s the Berman case. Here you’ve got a checkbox. Check the box, “I agree.” In most parts of America that would be enforceable, but not in the Ninth Circuit, because they say there’s too much going on. Not clear what you’re agreeing to. Too much happening here, too many colors, too many other things. The mobile presentation didn’t have that checkbox, but the online did. Here, we get to the ClassPass case, no contract, and that in the Ninth Circuit. Now look at this: “By continuing on this page, you agree to the Terms of Use and Privacy Policy,” and there’s a Next button. Again, compare that to the Second Circuit, Meyer Uber, but not clear here, second, Ninth Circuit says not clear what they were agreeing to or why. Here you had, you filled in lots of pages, and again, it says, “By continuing past this page and clicking place an order you agree to Terms of Use.” Not good enough. Here’s ClassPass. Now granted, with ClassPass, one way you could set up an account was sign in on Facebook. 
But even so, sign in on Facebook: “By clicking Sign up with Facebook or Continue, I agree to Terms of Use and Privacy Policy.” A lot of parts of America, that would be enough, but not in the Ninth Circuit. Apparently, again, more language, not enough in the Ninth Circuit. This is the other case from the Ninth Circuit in 2025. Check a box: “I agree to Terms of Service, privacy policy. I’m over 13.” Connect. Now you would think this would be sufficient, but, but, but not. And so, on the other hand, when you get to the Fourth Circuit, here you’ve got language, “create your account,” and it is sufficient. So it really underscores that getting a contract formed in the Ninth Circuit is much harder than elsewhere in America, and you really need to get your marketing people on the same page. Let me just say a quick word about mass arbitration and the interplay between class action litigation, mass arbitration and contracts. Couple of years ago, mass arbitration was almost an existential problem because of the amount of non-refundable fees, and if a mass arbitration could be brought, companies might have to pay tens of millions or hundreds of millions of dollars in non-refundable fees. It was a way for certain lawyers to shake down companies for huge settlements. Not all plaintiffs’ lawyers actually have the capability to engage in mass arbitration. There are a handful of firms that do, but I do warn clients, just because we’re dealing with a law firm or lawyer that doesn’t have that capability, it’s pretty easy for them to associate in other counsel that do have that ability, and that’s why I think you need to think very strategically about what you’re dealing with and whether mass arbitration is a problem for you. 
There are reasons to review contract formation, I say at least every year for online and mobile contract formation, because there’s so much law in this area, and sometimes it’s easier to just add a sentence to your Terms of Use, rather than have to hire someone like me to defend you and go up to the appellate court to prove that some district court decision is wrong. Arbitration, if that’s important to you, I would look at it maybe every six months. Again, mass arbitration, because JAMS, AAA, and others have revised their fee schedule, it’s not as much of a problem, but you need to have an enforceable arbitration provision. Some companies have provisions that say, if it’s regular arbitration, we do ‘A’; if it’s mass arbitration, we do ‘B’. And in that area, there’s potentially a problem. Heckman v. Live Nation, 2024 decision worth reviewing, invalidating as unconscionable a provision that required a lot of test cases and various other things that you actually will see in a lot of mass arbitration clauses online, and it’s a reason to really revise your terms, because it’s unconscionable. I think the Ninth Circuit went much further there than was required, and struck down a lot of provisions that I thought really were not unreasonable, but you need to be aware of it. On the other hand, there are ways to have these kinds of provisions upheld. Wassmund v. Red Bull, one of my colleagues at Greenberg Traurig, prevailed in enforcing a delegation clause there, where the plaintiff argued that under the contract, the provision was unconscionable, and because there was a delegation clause, the argument was the arbitrator, not the court, that decides this issue, and that’s an important issue as well to consider as you are navigating these things. 
And revising your Terms of Use and provisions. Delegation clause can be very important, and I do think it’s important to think about mass arbitration versus individual arbitration and litigation, not only in terms of litigation, where I’ve, for example, done early class action settlements to try to extinguish mass arbitration, but also in terms of drafting, and I think there’s a lot of creative things you can do to mitigate your risk.
Ian Ballon 1:15:32
So with that, I will end here. This is my Facebook profile. It’s a Meta AI version of myself. I will never look that good, so that’s what I use as my Facebook profile. If you have any questions, feel free to reach out to me by email or other modern means of communication, and beyond that, I would also encourage you to listen to the other Year in Review program that I did this year for the Berkeley Center for Law and Technology, which is a more general program on internet, AI and IP and privacy law Year in Review. Encourage you to listen to that as well. So with that, I will end here and Wayne, thank you so much for this opportunity. It’s always a great honor to present to Berkeley.
Wayne Stacy 1:16:23
Ian, as always, it’s fantastic to listen to the fountain of knowledge that you are. You’ve obviously distilled a lot of information and a lot more that’s available. So I do encourage people to look at the written material that you provide and reach out, take you up on that offer. So thank you again.