introduction

In today’s digital landscape, the line between marketing analytics and data breaches is increasingly blurred with regard to state privacy laws. At the heart of this debate is the use of tracking pixels—and recent lawsuits arise from analytics software embedded in emails to track user behavior. This note examines the recent surge in class action lawsuits centered around this very issue, with plaintiffs suing retailers and others, citing a violation of the State of Arizona’s Telephone, Utility, and Communications Service Records Act (ARS § 44-1376). This litigation, which focuses primarily on two of the plaintiffs’ companies, serves as a litmus test for a potential new liability theory that pits the evolving technology against existing state laws. As explained below, the laws in Spokeo, Inc. v. Robins578 US 330 (2016) and TransUnion LLC v. Ramirez594 US 413 (2021), Third Party Doctrines Formulated in State v. Mixton250 Ariz. 282 (2021) and other statutory interpretations could provide a defense as courts seek to balance consumers’ privacy interests and avoid unintended consequences resulting from applying outdated state laws to modern practices.

background

Citing the federal Telephone Records Protection and Privacy Act of 2006 and Arizona’s own strict Sanctity of Communications Records Act, the plaintiffs argue that the use of tracking and analytics pixels in conjunction with marketing emails – also known as deliverability metrics software – is an invasion of privacy that is both non-consensual and misleading in nature. The litigation so far has focused on Arizona law, but email pixel lawsuits have also been filed based on the federal Telephone Records Protection and Privacy Act of 2006 and California’s Invasion of Privacy Act (“CIPA”).

The new liability theory

The crux of the lawsuits is that the alleged, undisclosed insertion of pixels in marketing emails to track when, where and whether they are opened – without the express consent of recipients – qualifies as “intentional procurement of communications data.” The litigation offers an innovative perspective in interpreting the existing law, potentially expanding its scope to include modern tracking technologies that were not yet widely considered at the time the law was passed amid growing concerns about unauthorized disclosure of phone data by telecommunications providers.

The current perspective of the defense

At least two retail defendants affected by these lawsuits have challenged the plaintiffs’ claims and moved to dismiss the lawsuits, raising two key arguments: the plaintiff’s lack of specific harm and thus Article III standing, and the claim that the scope of the Arizona law does not include email pixels. The defendants have asserted that the law is a measure directed at telecommunications providers and does not provide for seamless application to digital marketing strategies. By basing their defense on the consent that users allegedly gave by accepting the marketer’s privacy policy and terms and conditions when providing or signing up for emails, the defendants seek to dissociate the text of the law from the digital measures used in their marketing strategies. In doing so, the defendants challenge both the plausibility of the lawsuit’s new liability theory and the legality of its legal basis.

Legal analysis

The defence’s arguments require a familiar examination of the requirements for standing and are based on the argument that, if the statutory interest amounts to an invasion of privacy, the infringement must constitute an “extremely offensive” injury to a reasonable person. Six v IQ Data International Inc.673 F. Supp. 3d 1040, 1045 (D. Ariz. 2023) (citing Restatement (Second) of Torts § 652B). Defendants contend that a customer’s browsing history, viewing activities, or purchasing habits may not constitute personal information or private facts to a sufficient degree to demonstrate tangible harm. The pivotal cases of Spokeo And TransUnion underline the need for tangible harm beyond statutory injury to establish standing. Hartley v. Urb. Outfitters, Inc.— F.Supp.3d —-, 2024 WL 3445004 (ED Pa. July 17, 2024), a federal district court recently dismissed plaintiff’s complaint for lack of standing.

In addition, it is important to analyze the definition of a “communications services record,” assuming that the information acquired does not match the statutory language and its history. Moreover, Arizona law only prohibits companies from “acquiring” communications services records. If, as plaintiffs allege, a defendant uses the pixel to create a record while a plaintiff is reviewing an email, is a record actually “acquired” under the statute?

Another possible defense is the application of the “third-party doctrine.” Courts in Arizona have held that the Fourth Amendment does not protect IP addresses and ISP subscriber information because this information falls under the exception created by the “third-party doctrine.” Mixton, 250 Ariz. at 294. The third-party doctrine is based on the concept of privacy and assumes that an individual cannot have a reasonable expectation of privacy with respect to information that he or she voluntarily discloses to a third party (in this case, the marketer, specifically when signing up for an email newsletter).

Defendants may also argue that plaintiffs’ civil action is time-barred. Section 44-1376.04 of the Arizona Revised Statutes states that a civil action under the Telephone, Utility, and Communication Service Records Act cannot be filed more than two years after the date the plaintiff first discovered the violation or had a reasonable opportunity to discover it. Unless plaintiffs can specify what date they opened emails, how they discovered the tracking, or how the company was using a particular pixel at the time of those emails, a statute of limitations argument may apply.

Impact on data protection and digital marketing

These cases go well beyond legal skirmishes and are creating a broader dialogue about individual privacy at a time when digital marketing software and the customer experience depend on important bytes of data. This intersectional friction is requiring a necessary reassessment of both marketing practices and state-level protection laws. Courts must now grapple with ever-growing consumer privacy concerns as well as the potential harms posed by expanding the application of state laws passed without considering modern tracking technologies. To date, most “pixel” tracking cases prior to the recent wave of email pixel cases—whether they arose from analytics technology, targeted advertising tools, or customer service features—have presented challenges for plaintiffs because the evidence typically requires expert analysis and testimony to link the software to the individual, which must then be translated into enough related facts to convince courts that class certification under privacy invasion theories is warranted. That’s a tall order. Regardless, retailers and others who use tracking and analytics pixels in their marketing strategies should take additional steps to ensure all the boxes are checked as these litigations move forward.