• There has been a recent surge of privacy class action lawsuits under the Arizona Telephone, Utility, and Communication Service Records Act targeting the use of common email marketing analytics technologies.
  • Defendants are asserting standard defenses including lack of Article III standing as well as challenging the 2007 Arizona law’s applicability to email tracking pixels.

Class action lawsuits targeting pixels and other tracking technologies are showing no signs of slowing, and while most of these cases have focused on website tracking tech and California’s wiretapping law, there has been a more recent surge of cases in Arizona alleging violations of Arizona Telephone, Utility, and Communication Service Records Act A.R.S. § 44-1376 et seq. (the “Arizona Law”) based on email pixel tracking. As we previously reported, a few cases focused on tracking pixels in emails popped up late last year, based both on the California Invasion of Privacy Act (CIPA) and the Arizona Law, and a new group of these cases has recently been filed accusing several companies, including Target (Smith v. Target Corporation.), Gap (Carbajal v. Gap Incorporated et al.), Lowe’s and Salesforce (Dominguez v. Lowe’s Companies Incorporated et al.) of embedding “spy pixels” in marketing emails in violation of the Arizona Law.

Arizona Telephone, Utility, and Communication Service Records Act

The Arizona Law is modeled on the federal Telephone Records and Privacy Protection Act of 2006, which prohibits “knowingly and intentionally obtain[ing], or attempting[ing] to obtain, confidential phone records information … by making false or fraudulent statements or representations” (18 U.S.C. §1039(a)(1)). Arizona enacted a state version of this law which it later amended to expand the prohibition to “communication service records” and “public utility records” (A.R.S. § 44-1376.01).The law defines “communication service records” as “subscriber information, including name, billing or installation address, length of service, payment method, telephone number, electronic account identification and associated screen names, toll bills or access logs, records of the path of an electronic communication between the point of origin and the point of delivery and the nature of the communication service provided, such as caller identification, automatic number identification, voice mail, electronic mail, paging or other service features” (A.R.S. § 44-1376). Notably, the Arizona law, unlike the federal law, includes a private right of action (A.R.S. § 44-1376.04).

Recent Arizona Law Class Actions

The recent slate of privacy class actions are very similar to the suits we saw against Saks Fifth Avenue (Mills v. Saks.com LLC.) and Nordstrom (McGee v. Nordstrom Inc.) in 2023. The complaints allege that the defendant companies violate the Arizona Law by embedding common analytics technologies (characterized as “spy pixels” in the complaints) within emails without first obtaining consumers’ consent. Plaintiffs assert that the data collected by email analytics pixels – such as when and where the email was opened, the number of times an email is opened, whether the email was forwarded/printed and what kind of email server the recipient uses – constitutes a “communication service record” under the Arizona Law.  As noted below, this is a novel argument that has not yet been tested by an Arizona court.

The Defendant Companies’ Responses

The defendant companies that have responded to date have generally argued in motions to dismiss that the plaintiffs lack Article III standing because they suffered no injury in fact in that plaintiffs failed to allege how the data collection at issue, if true, harmed them.  The defendant companies have also argued that the Arizona Law does not apply to email marketing analytics technologies. Specifically, some defendants have asserted that the Arizona Law was enacted to prohibit the unauthorized sale and/or disclosure of telephone records by telecommunications carriers and does not apply because they are not a telecommunications carrier nor a communications service provider. Defendants have also argued that the information collected by analytics pixels does not constitute “communication service records” under the Arizona Law, noting that there is no case law interpreting the meaning of “communication service record” in Arizona’s law, and the Arizona legislature has taken no steps to amend the statute to encompass the types of data captured by the technologies at issue.

Takeaway

This latest wave of litigation follows the well-trodden playbook for privacy class actions: applying old but expansively drafted laws with private rights of action to modern technologies not contemplated when the laws were enacted. Many of these cases are at the motion to dismiss stage, but organizations using similar tracking technologies should be aware of the possibility of lawsuits brought on behalf of Arizona email recipients. As with all of the evolving risks around the use of tracking technologies, companies should ensure they have a sound governance program in place and are continuing to balance commercial benefit against risk and available risk mitigation strategies. If your organization needs assistance assessing its risk posture with respect to these technologies and guidance on risk mitigation, please reach out to our Privacy & Cybersecurity Practice Group lead Leslie Shanklin. Organizations may also reach out to our litigation partners Baldassare VintiDavid Fioccola and Jeff Warshafsky for class action litigation defense strategies.

Photo of Leslie Shanklin Leslie Shanklin

Leslie Shanklin is a partner in the Corporate Department, co-head of the Privacy & Cybersecurity Group and a member of the of the Technology, Media & Telecommunications group.

Leslie’s practice focuses on privacy and data security, delivering comprehensive expertise around data-related risk and…

Leslie Shanklin is a partner in the Corporate Department, co-head of the Privacy & Cybersecurity Group and a member of the of the Technology, Media & Telecommunications group.

Leslie’s practice focuses on privacy and data security, delivering comprehensive expertise around data-related risk and compliance. Leslie provides pragmatic, strategic and tech-savvy legal counsel to clients seeking to realize the essential value of data to their businesses while effectively managing risk and preserving trust. Leslie draws from deep legal, practical and technical expertise gained from leading global privacy teams and operations for multinational companies.

Leslie’s experience includes advising on the legal and risk aspects of data strategy, building and operationalizing data protection compliance programs in all regions of the world, providing strategic legal counsel around data privacy and security issues in commercial transactions, advising on legal aspects of information security risk, compliance and incident response, and advising on federal, state and international regulatory enforcement actions.

Leslie advises clients with a global lens, helping clients craft nimble, risk-based, forward-looking approaches to data management in the rapidly-evolving US and international privacy and information security legal landscape, including:

  • Federal laws such as Section 5 of the FTC Act and FTC rules and guidance, COPPA, VPPA, TCPA, and HIPAA
  • State laws such as the California Consumer Privacy Act (CCPA including CPRA amendments) and the California Medical Information Act (CMIA), as well as various existing and evolving laws in other US states such as Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), Montana (MCDPA) and Washington (My Health My Data Act)
  • International law and guidance such as the EU General Data Protection Regulation (GDPR), the ePrivacy Directive, the UK Data Protection Act, Brazil’s General Data Protection Law (LGPD), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)

Leslie is a Certified Information Privacy Professional in the United States (CIPP/US) and Europe (CIPP/E) with the International Association of Privacy Professionals (IAPP). She previously served as Co-Chair of the international Hybrid Broadcast Broadband Television (HbbTV) Association Privacy Task Force.

Prior to joining Proskauer, Leslie led global privacy teams for media and entertainment companies for over a decade and most recently served on the Privacy leadership team for Warner Bros. Discovery.

Photo of Jeffrey Warshafsky Jeffrey Warshafsky

Jeff Warshafsky is a partner in the Litigation Department. A versatile commercial litigator and strategic advisor, Jeff specializes in consumer class actions, sports litigation, false advertising, trademark, and other intellectual property disputes.

Jeff defends companies in connection with consumer class actions involving advertising…

Jeff Warshafsky is a partner in the Litigation Department. A versatile commercial litigator and strategic advisor, Jeff specializes in consumer class actions, sports litigation, false advertising, trademark, and other intellectual property disputes.

Jeff defends companies in connection with consumer class actions involving advertising and privacy issues. He has handled dozens of class actions around the country for multinational companies across diverse sectors including consumer product companies, retailers, and sports leagues. Jeff also counsels clients to avoid being targeted in such actions, helps them respond to demand letters from plaintiffs’ counsel, and negotiates resolutions.

Additionally, Jeff represents clients in competitor versus competitor advertising disputes, including in Lanham Act cases and advertising self-regulation disputes before the National Advertising Division and the National Advertising Review Board. He also counsels companies on advertising substantiation issues, with an emphasis on complex scientific testing, such as clinical trials and sensory testing. Jeff regularly advises major sports leagues on complex business disputes.

Jeff maintains a robust pro bono immigration practice, assisting clients with asylum and U-Visa applications and in connection with removal proceedings. In addition to his active practice, Jeff is an editor of and contributor to the Firm’s false advertising blog, Watch This Space: Proskauer on Advertising Law.

Photo of Aaron Francis Aaron Francis

Aaron Francis is an associate in the Litigation Department and a member of the Data Privacy and Cybersecurity Litigation Group.

Aaron’s practice focuses on complex civil litigations, internal and regulatory investigations, and arbitrations, covering a range of types of disputes, including cybersecurity, commercial…

Aaron Francis is an associate in the Litigation Department and a member of the Data Privacy and Cybersecurity Litigation Group.

Aaron’s practice focuses on complex civil litigations, internal and regulatory investigations, and arbitrations, covering a range of types of disputes, including cybersecurity, commercial contracts, and securities.  He also advises, counsels, and represents various pro bono clients, including non-profit organizations on issues related to harassment and discrimination, incarcerated survivors of domestic violence in criminal appeals, and multiple other entities in civil rights litigation.

Aaron is a member of Proskauer’s Black Lawyers Affinity Group.