Michael Foulkes voluntarily dismissed without prejudice his Video Privacy Protection Act class action claims against Chegg, said his notice Thursday (docket 1:23-cv-23993) in U.S. District Court for Southern Florida in Miami. Foulkes alleged in his Oct. 19 complaint that the educational services company tracked his video viewing history while he was on its website and then shared that history with Facebook (see 2310200013).

Clearesult Consulting opposes conditional transfer order 24 (CTO-24) as it relates to Dauch v. Clearesult Consulting, said its Dec. 26 notice (docket 3083) before the U.S. Judicial Panel on Multidistrict Litigation related to the May Progress Software Corp. (PSC) data breach MDL. Dauch’s case was one of three tagalong actions in CTO-24, transferred to U.S. District Court for Massachusetts in Boston and assigned to U.S. District Judge Allison Burroughs. In the Sept. 29 breach of contract case in U.S. District Court for Western Texas in Austin (docket 1:23-cv-01182), plaintiff Jason Dauch sued the energy consulting company for failure to properly secure his personally identifiable information (PII) in the late May data breach at Progress Software, one of Clearesult’s IT vendors. Also Tuesday, plaintiff Sophie Jani withdrew her November notice of opposition (see 2311220007) to CTO-17 and a December motion to vacate conditional transfer order with brief in support of the CTO related to Jani v. Patelco Credit Union (docket 3:23-cv-05054), in a notice before the panel. Jani sued Patelco for failing to protect her PII in the PSC MOVEit file transfer software data breach. Jani's case was transferred to U.S. District Court for Massachusetts from U.S. District Court for Northern California as part of conditional transfer order CTO-17 Nov. 27.

U.S. District Judge Susan Paradise Baxter dismissed a privacy class action for lack of subject-matter jurisdiction, said her order Friday (docket 1:23-cv-00330) in U.S. District Court for Western Pennsylvania in Erie. Plaintiff Robert Marrone and defendant Warren General Hospital requested an order dismissing Marrone’s Nov. 22 data breach class action against the hospital because more than 80% of proposed class members -- roughly 115,000 out of 142,000 -- live in Pennsylvania, said their joint motion Thursday (see 2312220037). Marrone intends to refile his case to Warren County Court, said the judge's order.

Alyssa Gary and Marla Defoort’s first amended complaint against Dynatrace should be dismissed in its entirety with prejudice because they can't state a claim against Dynatrace, said the defendant's motion to dismiss Friday (docket 3:23-cv-11673) in U.S. District Court for Massachusetts in Springfield. The plaintiffs also lack Article III standing, and Defoort fails to plausibly allege facts to support a claim under a theory of liability under the California Invasion of Privacy Act, said Dynatrace. The plaintiffs allege that Dynatrace “wiretaps” electronic communications of “thousands” of website visitors, secretly observing and recording their “keystrokes, mouse clicks, data entry, and other electronic communications, in real time” (see 2307270025). Plaintiff Gary visited Ulta Beauty’s website last year to buy cosmetics, and her keystrokes, mouse clicks and other electronic communications “were intercepted in real time and disclosed” to Dynatrace, along with her IP address, geolocation and information about her device, it said. The “capturing, recording, and redirection” of her website interactions began when she accessed the Ulta site, “before any purported disclosures were made,” the complaint alleged. Defoort, too, was unaware her website interactions on Ulta Beauty were being disclosed to Dynatrace, the complaint said. When the plaintiffs voluntarily browsed Ulta Beauty’s website, their online activity “was purportedly captured by Dynatrace’s ‘session replay’ technology, which Ulta used on its website “to understand and improve its online consumer experience,” said the motion. The technology enables website owners to identify ways to improve website design “to be more consumer-friendly, resolve problems consumers may encounter, and protect against fraud,” the motion said. Plaintiffs’ unidentified activities on the website are the “online equivalent of browsing in a brick-and-mortar store” and “not protected private activity or communications that Dynatrace somehow eavesdropped,” it said. Courts have rejected similar claims on grounds that this type of online activity isn’t protected and not the type of conduct the “decades-old laws were intended to prohibit,” it said. Also, the use of session replay technology to improve a website “does not constitute unlawful eavesdropping,” it said. The Massachusetts court “should do the same here and dismiss this misdirected lawsuit,” it said.

The Electronic Privacy Information Center supports the appeal of six Chrome users to reverse the district court’s dismissal of their complaint alleging that Chrome secretly sent their personal information to Google when Google said it wouldn’t (see 2312130029), said its amicus brief Thursday (docket 22-16993) in the 9th U.S. Circuit Appeals Court. For more than two decades, Google and other internet companies have presented privacy as an issue of “user choice” and argued that their legal obligations “should only extend so far as the promises they have explicitly made,” it said. That “notice and choice” framework “has led to a massive expansion in commercial surveillance that has fueled harmful discrimination, enabled invasive profiling, and degraded user privacy across the internet ecosystem,” it said. In response to the recent trend of users demanding greater privacy protection, companies like Google “have made new privacy promises and offered new services that they claim protect user privacy,” it said. “This case is about what happens when a company purports to offer its users new privacy-protective settings on the one hand, but then continues to invade their privacy on the other,” it said. Google contends that even when it has explicitly promised its users that it will protect their data, “it doesn’t have to abide by that promise so long as it points to contrary terms in its general user agreement and statements posted in a sprawling web of disclosure pages,” said the brief. The U.S. District Court for Northern California’s ruling in Google’s favor “is a fundamental rejection of the reasonable consumer standard and would eliminate even the modicum of privacy that the common law currently provides to internet users,” it said. When Google makes specific privacy promises to Chrome users, the company shouldn’t be allowed “to override those promises with blanket disclaimers in its general user agreement,” it said. Internet users want strong privacy protections online, and companies like Google shouldn’t be “insulated from liability when they expand the scope of their disclosures beyond what users reasonably expect,” it said.

Plaintiff Melanie Newman gave her Social Security number and other personal information to AMC Theatres when she began working for the company, but the theater chain incurred a data breach “well after” her employment ended, said Newman’s response Thursday (docket 2:23-cv-02358) in U.S. District Court for Kansas in Kansas City to AMC's Nov. 21 motion to compel her claims to arbitration. Newman’s Aug. 17 complaint alleges AMC failed to properly secure and safeguard her personally identifiable information that was compromised in Progress Software’s MOVEit May file transfer software data breach. The theater chain “now seeks to avoid” answering to Newman’s claims arising out of the MOVEit data breach “by attempting to tie its failure to implement reasonable data security to Plaintiff’s role as an employee of the company,” said the response. AMC’s motion doesn’t mention that any agreement it had with Newman “unambiguously excludes Plaintiff’s ability to seek equitable relief before this Court from the agreement itself,” it said. The court should deny AMC’s motion as her claim is “unrelated to her role as an employee,” or, in the alternative, sever Newman’s claims from her claims for damages and allow her to seek equitable relief on behalf of all others similarly situated before the court, it said. The U.S. Judicial Panel on Multidistrict Litigation added Newman’s case as the single tagalong action in conditional transfer order 20 last month (see 2312010048) in In Re: MoveIt Customer Data Security Breach Litigation, transferring it to the U.S. District Court for Massachusetts in Boston. AMC's motion to compel arbitration should be denied, said the response.

U.S. Magistrate Judge Adam Abelson for Maryland in Baltimore ordered plaintiff Abigail Collins to appear in court for a Jan. 26 hearing to show cause why she hasn’t filed the required consent or declination to have her negligence case against Washington College tried by a magistrate judge, said Abelson’s signed order Wednesday (docket 1:23-cv-03258). Abelson will vacate the order if Collins files the consent or declination by the hearing date, it said. Collins alleges that the school where she’s a student failed to secure her personally identifiable information (PII) in a March data breach (see 2312040021). Though Collins was aware a cybersecurity incident occurred in March, she didn't know her PII might have been exposed until the college notified her in a Nov. 15 letter.

U.S. District Judge for Southern New York Nelson Stephen Roman granted plaintiffs’ motion for consolidation of class actions against IBM and Johnson & Johnson involving a data breach defendants were alerted to on Aug. 2 (see 2311060062), said his order Tuesday (docket 7:23-cv-09725) in U.S. District Court for Southern New York in White Plains. Seven cases will be consolidated into Malinowski v. IBM Corp. (docket 7:23-CV-08421), filed Sept. 22. Plaintiff Elaine Malinowski asserts claims of negligence and negligence per se; unjust enrichment; and breach of confidence, implied contract, covenant of good faith and fair dealing, and fiduciary duty against the defendants for failing to protect her personally identifiable information in the data breach. The other six class actions were brought by Michelle Pettiford; Anthony Hanna; Vanessa Hays; Michael Wright; Joseph Haley, Rowdy Alldridge and Mary Lea Kirby; and Kristal Mize.

Seven plaintiffs filed notices of opposition Tuesday and Wednesday before the U.S. Judicial Panel on Multidistrict Litigation (docket 3083) to conditional transfer order 23 (CTO-23) in In Re: MOVEit Customer Data Security Breach Litigation. The cases involve the May Progress Software MOVEit data breach. Plaintiff Brad Yourglich opposes CTO-23 as it relates to Yourglich v. Pension Benefit Information (PBI) (docket 3:23-cv-02034), said his filing Tuesday. Yourglich sued PBI and Does 1-10 Oct. 2 in California Superior Court in San Diego, claiming violations of the California Customer Records and Consumer Privacy acts, plus negligence. PBI removed the case to the U.S. District Court for Southern California in San Diego Nov. 3. PBI on Nov. 27 also removed an Oct. 23 negligence suit (docket 3:23-cv-02167) filed by plaintiff Sean Carlblom, with the same claims, from state court to district court. Carlblom opposes the transfer to the multidistrict litigation in U.S. District Court for Massachusetts in Boston under U.S. District Judge Allison Burroughs. Counsel Jennifer Simil of Jibrael Hindi filed a notice of opposition Wednesday on behalf of four of her clients who are suing PBI for negligence related to the MOVEit data breach. Defendant PBI removed the four cases brought by plaintiffs Andrew Kantack (docket 3:23-cv-01406), Sharon Oliver (docket 3:23-cv-01420), Brian Huey (docket 5:23-cv-00700) and Stacey Lockett (docket 0:23-cv-62321) from Florida state court to U.S. district courts in Florida. Columbia University, a defendant in a negligence suit brought by plaintiff Alexandra Lardis (docket 1:23-cv-10241) in U.S. District Court for Southern New York, also opposes CTO-23 in the MDL, said its notice Wednesday.

U.S. District Judge John Coughenour granted in part and denied in part motions to dismiss a May privacy case against Microsoft and Qualtrics, said his Tuesday order (docket 2:23-cv-00718) in U.S. District Court for Western Washington in Seattle. Plaintiff “Jane Doe” alleged Microsoft and analytics company Qualtrics “repeatedly and systematically” violated patients’ healthcare privacy rights on the Kaiser Permanente website by intercepting and collecting data on medical conditions, prescriptions, immunizations and more (see 2305160051). Coughenour granted defendants’ requests for judicial notice with respect to certain exhibits that are public webpages. In the case of Qualtrics’ seeking judicial notice for “of the truth of its contents, not merely its existence” with respect to an assertion that the “Site Intercept function does not ‘intercept’ anything,” Coughenour said that request isn’t appropriate under Federal Rule of Evidence 201. Qualtrics contends Doe lacks standing, but Coughenour said she adequately pleads an entitlement to Qualtrics’ profits from users’ personal data. She alleges that her personal data carries financial value and cites numerous articles and studies describing the “growing market for personal data, including personal health data,” said the order. She also alleges that Qualtrics profited from the data and used it for targeted advertising, generating revenue and profit, the order said. The defendants challenged the complaint’s factual allegations with Qualtrics arguing Doe fails to plead when she used the Kaiser website and thus was exposed to alleged data collection. Microsoft argues Doe fails to allege facts plausibly showing she was personally affected by Microsoft’s alleged conduct, including the dates she used the Kaiser website and facts showing Kaiser disclosed her data in a manner that allowed Microsoft to identify her personally. But Doe alleges she has been a Kaiser member for 10 years and that while logged into her account accessing her medical information, “Defendants unlawfully intercepted and collected such data along with her personal identifiers.” That is sufficient to allege facts, said the order. Qualtrics argues that Doe’s claims must be dismissed because she consented to its collection of her data when accepting the website’s terms, but Doe’s claims don’t hinge on her being logged in, said the order. Doe alleges Qualtrics collects data “regardless of whether the user is logged in to her Kaiser Account.” Coughenour denied that motion to dismiss, but he dismissed Doe’s California Invasion of Privacy Act claims to the extent she bases them on intentional wiretapping, the order said.