Expect Focus Life, Annuity, and Retirement Solutions, January 2023

New Year, New Privacy Shakedowns: Six Resolutions for Keeping Warm

Life, Annuity, and Retirement Solutions   |   Cybersecurity and Privacy   |   Financial Services Regulatory   |   Life, Annuity, and Retirement Solutions   |   February 16, 2023

Class action privacy litigation’s icy grip tightened around financial services providers in late 2022, and the forecast shows no signs of melting. The plaintiffs’ creeping application of old law to new technologies is extending the wall of ice.


  • In September 2022, five large financial institutions were sued in California federal court by plaintiffs asserting that prior express written consent was required under California Penal Code § 637.3 before the institutions could record phone calls to create voiceprints. Some institutions broke the icy grip with quick settlements, while others battled longer winters. The plaintiffs, however, suffered a major defeat in a recent motion to dismiss ruling that voiceprints used only for identity verification were not a violation of California Penal Code § 637.3. The decision, while a welcome relief, may not shelter users of other voice-based analytics, and plaintiffs may use their opportunity at an amended complaint to raise other bases to support their claims. The litigations are just one more example of the frosty risks associated with biometrics, even for an industry that has largely (though not entirely) avoided litigation under Illinois’s Biometric Information Privacy Act.

Website Technologies

  • These cold fronts began outside the financial service industry, but the industry is now feeling their blusters. Hard-freeze areas include:
    • Session Replay Technology.
    • Plaintiffs are using a variety of theories (e.g., wiretapping statutes, unfair trade practices, invasion of privacy claims (both common law and statutory, such as pursuant to California’s Invasion of Privacy Act)) to allege insufficient notice and consent related to website technologies. When it comes to session replay technology, plaintiffs have claimed that they are owed:
      • Pre-recording website pop-up messages alerting them to the session recording; and
      • Specific disclosures in companies’ website privacy policies.
    • Website Video Viewing Data.
    • The latest winter bomb cyclone involves the Video Privacy Protection Act of 1988 (VPPA) and educational and marketing videos appearing on websites. The VPPA was intended to protect individuals’ video rental and sale history, but its chill has expanded over the years. The atmospheric pressure significantly dropped in September 2022, when one such claim survived a motion to dismiss, triggering a blizzard of putative class actions.
    • Plaintiffs allege that any sharing of information reflecting their viewing of a video on a website (e.g., sharing information that a particular user viewed a video so that that individual can be targeted for further advertising) requires informed, written consent. Although the VPPA has several exceptions (most obviously, sharing “for the exclusive use of marketing goods and services directly to the consumer,” which only requires opt-out consent, and “incident to the ordinary course of business”), these exceptions have not yet been applied in relation to current technologies. Shakedown communications are blanketing entities with websites that include videos. The communications commonly allege that the website has been sharing video viewing data with companies, such as through the use of Facebook pixels, and demand compensation.
  • Such litigations frequently include substantial claims for statutory damages and attorneys’ fees and are based on allegations that the defendants have not: (1) provided the requisite notice; and (2) secured necessary consent. Below are six New Year resolutions to fight the frost.
  1. Take an inventory of the technologies being employed on your websites, the data flows involved, and the optional settings available.
  2. Sensitize your team to the associated requirements and risks involved in different technologies, settings, and data practices.
  3. Review your existing privacy notices and processes for documenting consent, and if appropriate, bolster them, even if not legally required.
  4. Negotiate vendor contracts to favorably allocate risk.
  5. Revise website terms of use to maximize the enforceability of arbitration and class action waiver provisions.
  6. If you receive a shakedown communication, be wary of the thin ice.

Bundle up; it’s going to be a long winter.


©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.