A recent ruling from the U.S. District Court for the Northern District of California underscores the limits of state privacy statutes, particularly when plaintiffs reside outside the state and the alleged misconduct lacks a clear connection to California. The decision by Judge Jacqueline Scott Corley dismissed a proposed class action against California-based analytics company Samba TV Inc., clarifying the reach of both state and federal privacy protections. Steve Dellasala, et al., v. Samba TV, Inc., No. 3:25-CV-03470-JSC, 2025 WL 3034069 (N.D. Cal. Oct. 30, 2025).
Plaintiffs from North Carolina and Oklahoma claimed that Samba TV, whose technology is installed on certain Sony televisions, intercepted their private video-viewing data in real time and without consent. The data allegedly included unique device identifiers such as IP addresses.
These individuals brought their suit in federal court in California, asserting claims under:
- The Comprehensive Computer Data Access and Fraud Act (CCDAFA)
- The California Invasion of Privacy Act (CIPA)
- The federal Video Privacy Protection Act (VPPA)
- Intrusion upon seclusion under general privacy law
Judge Corley found that both the CCDAFA and CIPA specifically indicate the California legislature’s intent for the statutes not to apply extraterritorially; that is, they do not reach conduct occurring wholly outside California. Since the alleged collection and interception of data took place from televisions in North Carolina and Oklahoma and the complaint did not sufficiently allege that the conduct occurred within California, the court held that the California statutes are inapplicable.
The plaintiffs also invoked the federal VPPA, a law designed to protect video rental records from unauthorized disclosure. Judge Corley ruled these claims failed as well, holding that Samba TV does not qualify as a “video tape service provider” under the statute. Instead, Samba was deemed an analytics provider using information about video product usage, rather than distributing, renting, or selling video materials.
Lastly, the court evaluated whether the invasion of privacy was sufficiently “highly offensive” to sustain a claim for intrusion upon seclusion. Collecting an IP address alone, without more, the court held, does not meet the legal threshold for such a claim, especially without allegations showing exactly how the data was used or disclosed.
This decision provides a few key takeaways:
- Geographic Limitations of State Laws: California’s privacy statutes are meant to protect California residents and activities occurring within the state’s borders. Out-of-state plaintiffs cannot easily reach for these statutes in California federal court if the alleged misconduct occurred elsewhere.
- VPPA’s Narrow Scope: Plaintiffs should be cautious in applying the VPPA to technology or analytics firms unless those entities directly provide video rental, sale, or similar services.
- Heightened Requirements for Privacy Claims: Simply collecting identifiers like IP addresses, without more “highly offensive” conduct or misuse, may not clear the hurdle for intrusion upon seclusion or comparable claims under tort law.
This decision highlights the continued challenges in holding technology and analytics companies accountable under a patchwork of state and federal privacy laws, especially for consumers outside states with robust data privacy protections. Plaintiffs seeking redress for alleged privacy violations must pay close attention to jurisdictional limits and the scope of relevant statutes, as courts may remain vigilant in enforcing these boundaries. As data privacy concerns continue to grow, both legislatures and courts will likely face ongoing pressure to clarify and expand the reach of these protections.