• There has been a recent surge of privacy class action lawsuits under the Arizona Telephone, Utility, and Communication Service Records Act targeting the use of common email marketing analytics technologies.
• Defendants are asserting standard defenses including lack of Article III standing as well as challenging the 2007 Arizona law’s applicability to email tracking pixels.

Class action lawsuits targeting pixels and other tracking technologies are showing no signs of slowing, and while most of these cases have focused on website tracking tech and California’s wiretapping law, there has been a more recent surge of cases in Arizona alleging violations of Arizona Telephone, Utility, and Communication Service Records Act A.R.S. § 44-1376 et seq. (the “Arizona Law”) based on email pixel tracking. As we previously reported, a few cases focused on tracking pixels in emails popped up late last year, based both on the California Invasion of Privacy Act (CIPA) and the Arizona Law, and a new group of these cases has recently been filed accusing several companies, including Target (Smith v. Target Corporation.), Gap (Carbajal v. Gap Incorporated et al.), Lowe’s and Salesforce (Dominguez v. Lowe’s Companies Incorporated et al.) of embedding “spy pixels” in marketing emails in violation of the Arizona Law.

Arizona Telephone, Utility, and Communication Service Records Act

The Arizona Law is modeled on the federal Telephone Records and Privacy Protection Act of 2006, which prohibits “knowingly and intentionally obtain[ing], or attempting[ing] to obtain, confidential phone records information … by making false or fraudulent statements or representations” (18 U.S.C. §1039(a)(1)). Arizona enacted a state version of this law which it later amended to expand the prohibition to “communication service records” and “public utility records” (A.R.S. § 44-1376.01).The law defines “communication service records” as “subscriber information, including name, billing or installation address, length of service, payment method, telephone number, electronic account identification and associated screen names, toll bills or access logs, records of the path of an electronic communication between the point of origin and the point of delivery and the nature of the communication service provided, such as caller identification, automatic number identification, voice mail, electronic mail, paging or other service features” (A.R.S. § 44-1376). Notably, the Arizona law, unlike the federal law, includes a private right of action (A.R.S. § 44-1376.04).

Recent Arizona Law Class Actions

The recent slate of privacy class actions are very similar to the suits we saw against Saks Fifth Avenue (Mills v. Saks.com LLC.) and Nordstrom (McGee v. Nordstrom Inc.) in 2023. The complaints allege that the defendant companies violate the Arizona Law by embedding common analytics technologies (characterized as “spy pixels” in the complaints) within emails without first obtaining consumers’ consent. Plaintiffs assert that the data collected by email analytics pixels – such as when and where the email was opened, the number of times an email is opened, whether the email was forwarded/printed and what kind of email server the recipient uses – constitutes a “communication service record” under the Arizona Law.  As noted below, this is a novel argument that has not yet been tested by an Arizona court.

The Defendant Companies’ Responses

The defendant companies that have responded to date have generally argued in motions to dismiss that the plaintiffs lack Article III standing because they suffered no injury in fact in that plaintiffs failed to allege how the data collection at issue, if true, harmed them.  The defendant companies have also argued that the Arizona Law does not apply to email marketing analytics technologies. Specifically, some defendants have asserted that the Arizona Law was enacted to prohibit the unauthorized sale and/or disclosure of telephone records by telecommunications carriers and does not apply because they are not a telecommunications carrier nor a communications service provider. Defendants have also argued that the information collected by analytics pixels does not constitute “communication service records” under the Arizona Law, noting that there is no case law interpreting the meaning of “communication service record” in Arizona’s law, and the Arizona legislature has taken no steps to amend the statute to encompass the types of data captured by the technologies at issue.

Takeaway

This latest wave of litigation follows the well-trodden playbook for privacy class actions: applying old but expansively drafted laws with private rights of action to modern technologies not contemplated when the laws were enacted. Many of these cases are at the motion to dismiss stage, but organizations using similar tracking technologies should be aware of the possibility of lawsuits brought on behalf of Arizona email recipients. As with all of the evolving risks around the use of tracking technologies, companies should ensure they have a sound governance program in place and are continuing to balance commercial benefit against risk and available risk mitigation strategies. If your organization needs assistance assessing its risk posture with respect to these technologies and guidance on risk mitigation, please reach out to our Privacy & Cybersecurity Practice Group lead Leslie Shanklin. Organizations may also reach out to our litigation partners Baldassare Vinti, David Fioccola and Jeff Warshafsky for class action litigation defense strategies.