Skip to main content

Legal Insights

The Bar Keeps Dropping: How California Courts Are Expanding Digital Privacy Standing — And Why Your Business Should Care

By James Chung, Managing Partner, Pro Veritas Law LLP  ·  April 4, 2026  ·  5 minutes read

Over the last two years, California courts have steadily lowered the bar for plaintiffs bringing digital privacy claims under laws like the California Invasion of Privacy Act (CIPA). What used to require clear concrete injury such as economic harm now often needs little more than proof that someone visited your site.

This shift isn't accidental. Courts are treating digital privacy as fundamental — a protection for your identity, your data, and what we might call your digital soul in an AI-connected world. Here's how the law evolved through three key cases.

The Evolution of Concrete Injury for Plaintiff Standing in Digital Privacy Cases

  1. Concrete (Economic) Injury Required — Early cases demanded plaintiffs show out-of-pocket losses or concrete financial harm. Many claims were dismissed at the pleading stage.

  2. Salazar v. National Basketball Association (2d Cir. 2024) — The watershed moment. Signing up for a free NBA email newsletter was enough to establish standing under the Video Privacy Protection Act (VPPA). The Second Circuit held that providing personal information in exchange for any service qualified the plaintiff as a "subscriber." No payment, no economic damage needed — just that basic exchange.

  3. Gardner v. MeTV National Limited Partnership (7th Cir. 2025) — This reaffirmed and expanded the trend. Creating a free account for personalized features — without even tying it directly to video content — was sufficient. The court made clear that any subscription or account creation with a provider could support a claim.

  4. Camplisson v. Adidas America, Inc. (S.D. Cal. Nov. 2025) — The bar dropped even further. The court found that confirmation of visiting the website, combined with tracking via pixels, was enough to show injury. No need to prove economic damage, engagement, or even specific account creation — the privacy violation itself counted as concrete harm.

We've gone from needing to prove you lost money, to proving you signed up, to proving you engaged, to simply proving you were there. That's a dramatic shift in just two years.

Why This Matters — Protecting Democracy in the AI Age

These rulings reflect a deeper recognition: in today's world, your digital privacy isn't a luxury — it's the foundation that lets you exercise your First Amendment rights without fear of being doxxed, manipulated, or silenced.

When platforms and tracking tools can connect every click to your identity, they threaten the open exchange of ideas that democracy depends on. Strong privacy enforcement creates space for honest conversation, accountability, and real community voice — especially as AI amplifies both truth and misinformation.

That's why these statutes carry serious statutory damages — up to $5,000 per violation under CIPA. The law treats each unauthorized tracking event as a real harm worth deterring.

The Smart Move for Businesses

If you've received a compliance demand notice, don't panic. Most of these issues can be fixed quickly and in good faith. At Pro Veritas Law, our approach has always been remediation first — no blame, no gotchas, just practical solutions.

Getting compliant now protects your business, respects your users' rights, and keeps you on the right side of a legal landscape that's only getting stricter.

To discuss a potential matter or learn more about our practice, contact us.

This article reflects the views of the author and is intended for informational purposes only. It does not constitute legal advice or create an attorney-client relationship. For specific legal guidance, please consult directly with qualified counsel.

← Back to Legal Insights