Courts Reject Theoretical Privacy Violations Due to Lack of Standing
Companies Facing Similar Litigation or Demand Letters From Plaintiffs Should Take Note
At a Glance
- Courts are increasingly dismissing data breach and web tracking class actions due to a lack of standing. The case law emphasizes that plaintiffs must demonstrate a concrete and particularized injury directly linked to a defendant’s actions to state a claim for relief.
- Mere allegations of data exposure or potential misuse are insufficient. Instead, courts have held that plaintiffs must show actual misuse and a connection to the data exposure (traceability) to establish standing.
- California has become a focal point for web tracking cases under the California Invasion of Privacy Act (CIPA), but courts have varied in their interpretations of the statute, particularly as applied to collecting IP addresses and other technical data.
Courts across the country are becoming skeptical of data breach and web tracking claims that assert theoretical privacy violations without alleging any actual injury to the plaintiffs. Recent decisions underscore that courts are sharpening their focus on the type of data involved, whether that data has been used in furtherance of a malicious act, and traceability issues to determine if a plaintiff has alleged a plausible injury. This article discusses several recent data breach and web tracking decisions that demonstrate how courts have addressed standing issues in this context.
Standing in Data Breach and Privacy Lawsuits
Two Supreme Court cases establish the foundation for analyzing standing in data breach and privacy class actions — Spokeo, Inc. v. Robins, 578 U.S. 330 (2016) and TransUnion LLC v. Ramirez, 594 U.S. 413, 423 (2021). Specifically, to plead standing, plaintiffs must allege: (1) “an injury in fact,” (2) that is “fairly traceable” to the defendant’s alleged actions, and (3) “likely to be redressed” by a positive judicial outcome for the plaintiff. Spokeo, 578 U.S. at 338. Further, when plaintiffs assert intangible harm, courts must consider whether the plaintiff has “identified a close historical or common-law analog for their asserted injury,” such as “reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion, 594 U.S. at 424-25. Finally, the injury must be “concrete and particularized” and “actual or imminent.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992). In data breach and web tracking cases, plaintiffs typically endeavor to meet the standing requirements by alleging a substantial risk of future fraud or identity theft. While this tactic has worked for plaintiffs in the past, recent court decisions express considerable skepticism regarding whether such allegations meet the standing requirements.
Recent Data Breach Decisions
Anyone who follows the news should know that there has been a sharp increase in data breach litigation. In several recent cases, courts have dismissed claims arising from data breaches due to a lack of standing.
For example, in Stuart v. Kyocera AVX Components Corp., a federal district court in South Carolina dismissed a putative class action because the plaintiff failed to allege an injury in fact, traceable to the plaintiff’s allegation that his personally identifiable information (PII) may have been sold on the dark web following a data breach. ___ F. Supp. 3d ___, No. 6:23-cv-06087-JDA, 2025 WL 745903 (D.S.C. Mar. 6, 2025). Applying Fourth Circuit precedent that “the mere theft of [personal information], without more, cannot confer Article III standing,” the district court held that the plaintiffs lacked standing because they did not allege any facts to support the misuse of PII “such as a sale of PII to third parties” or any “unauthorized charges on their credit cards.” Id. at *5, 10 (internal citation omitted). Additionally, the court highlighted that, unlike other data breach incidents, the malicious actor was not intentionally targeting the plaintiffs’ PII. A malicious actor targeting specific PII moves the “threatened injury of future identity theft beyond the speculative to the sufficiently imminent.” Id. at *5 (quoting Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017)). Because the plaintiffs’ claims were “limited to the alleged disclosure of their PII,” they failed to allege a concrete injury sufficient to establish standing. Id. at *10.
Likewise, in Maser v. CommonSpirit Health, a federal district court in Colorado found that a plaintiff in a putative class action failed to allege an injury in fact that was traceable to the data breach. No. 1:23-cv-01073-RM-SBP, 2024 WL 5484079 (D. Colo. Dec. 4, 2024). The plaintiff alleged that an unauthorized actor acquired her PII, including medical and health insurance information. The plaintiff claimed that she experienced fraudulent transactions on her bank account and a decreased credit score. However, because the plaintiff’s bank information was not accessed, the court determined that the acquired PII did not allow the malicious actor to perform the fraudulent activities. Id. at *7-9. Therefore, the court held that the alleged injuries were not fairly traceable to the breach. Id.
These cases highlight a growing national trend of courts dismissing data breach claims due to a lack of standing because plaintiffs, despite alleging fraud or misuse, fail to allege a connection between the data incident and the alleged harm. See, e.g., Stern v. Acad. Mortg. Corp., No. 2:24-CV-00015-DBB-DAO, 2025 WL 239036, at *6 (D. Utah Jan. 17, 2025) (dismissed for lack of standing despite allegations of a fraudulent loan made using plaintiff’s PII because plaintiff neglected to show traceability between the data incident and the injury); McGowan v. Core Cashless, LLC, No. 2:23-CV-00524-MJH, 2024 WL 488318, at *3 (W.D. Pa. Feb. 8, 2024) (dismissed for lack of standing even though plaintiff alleged that “cybercriminals” misused certain stolen payment card information from the defendant because plaintiff failed to “plausibly show that her payment card information was misused by the unknown hackers”).
The Illinois Supreme Court also recently affirmed dismissal of a data breach case due to a lack of standing in Petta v. Christie Business Holding Co. because the plaintiff alleged only an increased risk of future harm. 2025 IL 130337. The plaintiff alleged that she was a Christie Clinic patient. Id. ¶ 4. When using the clinic’s services, she provided her personal information, including her name, address, date of birth, social security number and medical history / insurance information. Id. After the data breach, the plaintiff claimed that her “phone number, city and state were used in connection with a loan application . . . [that] she did not initiate.” Id. ¶ 9. However, the plaintiff’s complaint “[did] not allege that any of her private, personally identifiable information, such as her Social Security number, was used in the loan application.” Id. ¶ 24. Instead, the plaintiff alleged only that her “publicly available phone number and city were used in an application that was made ‘in someone else’s name.’ ” Id. ¶ 24 (emphasis in original). Thus, the court concluded that “the primary factual allegation of the complaint [was] that Petta and the other members of the putative class faced only an increased risk that their private personal data was accessed by an unauthorized third party.” Id. ¶ 21 (emphasis in original). The court held that “[i]n a complaint seeking monetary damages, such an allegation of an increased risk of harm is insufficient to confer standing.” Id. ¶ 21. The court also cast doubt on whether a successful unauthorized loan application in Petta’s name, if it existed, would even confer standing on the class. The plaintiff’s complaint failed to allege that any other putative class member had a similar experience regarding creating an unauthorized loan application. Id. ¶ 23.
Recent Web Tracking Decisions
In recent years, consumer-facing companies have also been inundated with a torrent of web-tracking class actions. Claims of wiretapping, rooted in defendants’ use of cookies, pixels and other website scripts, have become all the rage. California has emerged as a hotspot for these cases, mainly due to the distinctive provisions of the California Invasion of Privacy Act (CIPA).
Like other state wiretapping laws, CIPA allows for private actions against those who intercept the “contents” of a person’s “communications” while in transit. Cal. Penal Code § 631. However, CIPA stands out for two reasons. First, CIPA is among just a handful of wiretapping laws requiring two-party consent, increasing website operators’ liability risk. Id. Second, the plaintiffs’ bar has been pushing the boundaries of lesser-known CIPA sections that regulate the use of “pen registers” and “trap-and-trace” devices. Cal. Penal Code § 638.51. Unlike the wiretapping provision, these claims are especially pernicious because plaintiffs have argued that they only need to prove that “dialing, routing, addressing, or signaling information” was collected without consent, without showing that the contents of communications were intercepted. Id. One court went so far as to hold that “software that identifies consumers, gathers data, and correlates that data through unique ‘fingerprinting’ ” can constitute a “pen register.” Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024, 1050 (S.D. Cal. 2023) (denying defendant’s motion to dismiss). Other courts have unilaterally rejected the extreme position outlined in Greenley and have held that such an interpretation of CIPA violates public policy due to its potential impact on internet commerce. See, e.g., Licea v. Hickory Farms LLC, No. 23STCV26148 (Cal. Super. Ct. Mar. 13, 2024) (“The court also finds public policy strongly disputes Plaintiff’s potential interpretation of privacy laws as one rendering every single entity voluntarily visited by a potential plaintiff, thereby providing an IP address for purposes of connecting the website, as a violator. Such a broad-based interpretation would potentially disrupt a large swath of internet commerce.”).
Recent decisions have also held that the mere interception of a website user’s IP address does not confer Article III standing. For instance, in Gabrielle v. Insider, Inc., No. 24-cv-01566 (ER), 2025 WL 522515 (S.D.N.Y. Feb. 18, 2025), the plaintiff alleged that the defendant installed a “third-party tracker” on its website which sent his IP address to a third party in violation of CIPA’s pen register provision. Id. at *1. But the court concluded that collection and disclosure of an IP address “does not implicate a legally protected privacy interest,” because an IP address “cannot identify an individual user and at most conveys general geographic information.” Id. at *5, 7. Therefore, the plaintiff failed “to allege a harm that bears a close relationship to the well-established common-law analog of public disclosure of private facts.” Id. at *6.
California state courts have reached essentially the same conclusions in other recent decisions. For example, in Palacios v. Office Depot, LLC, No. 24-ST-CV-11977 (Cal. Super. Ct. Dec. 4, 2024), another pen register and trap-and-trace case premised on the collection of a website visitor’s IP address without consent, the California Superior Court relied on federal case law to hold “that there is no protected privacy interest in Plaintiff’s IP address.” Id. (citing United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008)). The court determined that “[a]n IP address standing alone, . . . is nothing more than a string of four sets of numbers separated by periods [that] cannot be identified without corresponding information from the Internet Service Provider.” Id. (quotations and citations omitted). Similarly, the Superior Court in Rodriguez v. Fountain9, Inc., No. 24STCV04504 (Cal. Super. Ct. July 9, 2024) held that another plaintiff lacked standing to maintain an IP-predicated CIPA claim because the plaintiff’s “alleged injury” was “abstract and hypothetical” since it was “solely premised on statutory damages under CIPA.”
Another case to watch is In re BPS, 705 F. Supp. 3d 333, 367 (E.D. Pa. 2003), in which a Pennsylvania wiretapping claim was dismissed against a sporting goods retailer based on its use of website tracking technologies because “the website users must be able to plead facts of sharing highly sensitive personal information such as a medical diagnosis or financial data from banks or credit cards to enjoy Article III standing.” That case is now on appeal at the Third Circuit and its implications for non–health care and non–financial services industry website operators could be significant to the future of standing in web tracking litigation.
Practical Considerations
Despite the favorable case law, defendants facing privacy claims should be aware of the practical impact of a dismissal on standing grounds. For instance, if a federal complaint fails to establish Article III standing, the court will typically dismiss the federal action with leave to amend and/or without prejudice due to a lack of jurisdiction. Such a ruling could provide a plaintiff with an opportunity to refile in state court. Thus, defendants should carefully consider whether to assert a standing challenge in a federal case. As an alternative for claims that require damages as an element, defendants should consider arguing that the plaintiff cannot state a claim for relief due to a failure to plead damages.
Conclusion
Courts across the country are dismissing data breach and web tracking class actions due to lack of standing. These rulings emphasize that vague allegations of data exposure or potential misuse are not sufficient to state a claim for relief. Instead, plaintiffs must prove that they suffered a real, concrete injury directly linked to the defendant’s actions. Companies facing similar litigation or demand letters from plaintiffs should take note of these decisions when crafting their defenses.