Most plaintiff firms pick a home jurisdiction and work it. Siri & Glimstad LLP operates differently. The firm files privacy class actions in California federal court, New York federal court, and wherever else the combination of statute, precedent, and judicial temperament produces the most favorable terrain for a given set of facts. That flexibility — the ability to match a legal theory to the jurisdiction where it is most likely to survive a motion to dismiss — is a structural advantage that defendants across every industry need to understand before they receive a demand letter.
The firm is perhaps best known nationally for its work in vaccine injury litigation and complex personal injury matters. Its expansion into consumer privacy class actions is more recent, but the strategic infrastructure that makes a firm effective in multi-jurisdictional personal injury litigation — co-counsel networks, forum analysis, willingness to file in multiple venues simultaneously — transfers directly to the digital privacy litigation context. Siri & Glimstad has brought both to bear on companies using tracking pixels, session replay software, and behavioral advertising tools without adequate consent mechanisms.
The Firm’s Jurisdictional Strategy
The defining characteristic of Siri & Glimstad’s privacy practice is its deliberate approach to forum selection. Privacy statutes vary significantly by state — California’s CIPA carries a wiretapping theory that has survived more motions to dismiss than most equivalents; Illinois BIPA carries uncapped per-violation damages; the federal VPPA carries $2,500 in liquidated damages per violation with fee-shifting. A firm that can credibly threaten to file under any of these frameworks in any jurisdiction where the plaintiff has a colorable nexus creates settlement pressure that no single-jurisdiction boutique can replicate.
Siri & Glimstad’s offices in California and New York — the two most active federal venues for consumer privacy class actions — give the firm home-court familiarity in the jurisdictions where the law has developed furthest in the plaintiff’s favor. California federal courts have processed enough CIPA and ECPA pixel tracking cases to produce substantial precedent on standing, the “party to the communication” defense, and the scope of “contents” versus “envelope” data. New York federal courts have become a preferred venue for VPPA claims given the statute’s favorable damages structure and the density of media and retail defendants headquartered there.
The practical consequence for defendants is that a Siri & Glimstad complaint cannot be evaluated solely by asking whether the named plaintiff has a good claim in the filed jurisdiction. The question is whether the firm can maintain pressure across multiple theories and venues long enough to make settlement more economical than defense. The firm’s track record suggests the answer is frequently yes.
Primary Legal Theories
California Invasion of Privacy Act
Siri & Glimstad pursues CIPA claims under two distinct provisions. Section 631 prohibits the unauthorized wiretapping or interception of communications and has been applied by plaintiff firms to third-party tracking scripts that capture user interactions — keystrokes, mouse movements, form entries — in real time as they occur on a website. The firm’s Section 631 theory holds that these scripts, because they are operated by companies that are not party to the communication between the user and the website, constitute unauthorized interceptions regardless of whether the website operator consented to their deployment.
Section 638.51, added to CIPA in 2016, prohibits the installation or use of a pen register or trap and trace device without prior consent. Plaintiff firms have applied this provision to third-party scripts that capture IP addresses, device identifiers, and URL paths — arguing that these tools function as pen registers under the statute’s definition. Courts have divided on whether this theory survives dismissal, but enough complaints have proceeded past the motion to dismiss stage to make Section 638.51 a viable litigation vehicle in the right factual circumstances.
The geographic reach of CIPA claims extends beyond California-headquartered companies. Any business whose website is accessible to and used by California residents can face CIPA liability for tracking practices that affect those users, regardless of where the company is incorporated or where its servers are located. This extraterritorial application is a feature of the statute that Siri & Glimstad, like other plaintiff firms, exploits deliberately in identifying defendants.
Video Privacy Protection Act
The VPPA is a 1988 federal statute originally enacted to prevent video rental stores from disclosing customer rental histories without consent — a response to the release of Supreme Court nominee Robert Bork’s video rental records during his confirmation proceedings. Plaintiff firms have spent the last several years arguing successfully that the statute applies to modern streaming and video-on-demand services, and more recently to any website that embeds video content alongside advertising pixels that transmit viewing data to third parties.
The theory works as follows: when an authenticated user — someone who has created an account and logged in — watches a video on a website that also runs Meta Pixel, Google Analytics, or similar advertising tools, the pixel may transmit data about what the user watched, along with a persistent identifier tied to the user’s advertising profile, to the third-party platform. Under the VPPA, disclosing a consumer’s video viewing history to a third party without informed written consent constitutes a violation. The liquidated damages are $2,500 per violation, and the statute provides for attorney fee recovery.
Siri & Glimstad’s VPPA strategy targets companies in healthcare, retail, and media that offer video content — including embedded YouTube or Vimeo players — on pages that also run advertising pixels. The firm does not require that the video content be the company’s primary product. A healthcare system with patient education videos on its website, a retailer with product demonstration clips on its product pages, a financial services company with explanatory videos in its resource center — all of these can generate VPPA exposure if authenticated users’ viewing data is transmitted to advertising platforms without consent.
The $2,500 per-violation liquidated damages provision is what makes the VPPA financially significant at class scale. A media company with one million authenticated subscribers whose viewing data was transmitted to Meta Pixel without VPPA-compliant consent is not facing a $2,500 exposure. It is facing a potential $2.5 billion exposure before attorney fees. Courts have not uniformly allowed VPPA class actions to proceed to that scale, and the circuit courts have divided on important threshold questions including what constitutes a “subscriber” under the statute and what level of data transmission constitutes a disclosure of video viewing history. But the statute’s liquidated damages structure is sufficient to produce substantial settlements even at a fraction of the theoretical maximum, which is precisely why firms like Siri & Glimstad continue to file these cases.
Electronic Communications Privacy Act
Federal ECPA claims under Title I — the Wiretap Act — and Title II — the Stored Communications Act — provide a jurisdiction-independent federal theory that can be combined with state law claims or pursued independently where state statute claims face unfavorable circuit precedent. Siri & Glimstad’s multi-statute approach means that even when a CIPA claim is dismissed on “party to the communication” grounds, or a VPPA claim fails to survive class certification, a companion ECPA theory may remain viable. This redundancy is deliberate: it keeps cases alive longer and increases the cost calculus that pushes defendants toward settlement.
Industries in the Crosshairs
Healthcare. The combination of sensitive underlying data, heavy video content use for patient education and telehealth, and large authenticated user bases makes healthcare one of Siri & Glimstad’s highest-priority target sectors. Healthcare organizations that have deployed Meta Pixel or Google Analytics on authenticated patient portal pages — a practice that generated significant federal enforcement attention after 2022 — face both regulatory exposure and civil VPPA and ECPA claims from plaintiff firms operating in this space.
Media and publishing. Media companies with subscription models have authenticated user bases whose video viewing histories are precisely the data VPPA was written to protect. A news organization with video journalism, a streaming service with documentary content, or a publisher with video-enhanced articles that also runs advertising pixels faces VPPA exposure that scales directly with its subscriber count.
Retail and e-commerce. Retailers that use product demonstration videos, customer testimonial clips, or embedded brand content alongside standard advertising infrastructure face VPPA exposure that most legal teams have not fully assessed. The statute does not require that video be the company’s primary product — it requires only that authenticated subscribers’ viewing histories be disclosed to third parties without consent.
Financial services. Banks, insurance companies, and fintech platforms that deploy explanatory or marketing video content alongside behavioral analytics tools face both CIPA and VPPA exposure. The sensitivity of the underlying financial account relationship strengthens arguments for intentional violation treatment in damages calculations.
The Multi-Statute Approach and What It Means for Defense Strategy
Plaintiff firms that file single-theory complaints are easier to defend against. A successful motion to dismiss on the core theory resolves the case. Siri & Glimstad’s practice of layering CIPA, VPPA, and ECPA claims — and pursuing them in jurisdictions selected for their favorable treatment of each theory — means that early motion practice rarely produces complete resolution. Defendants who defeat a VPPA claim on the “subscriber” definition still face the CIPA wiretapping theory. Defendants who defeat the Section 631 interception claim on “party to the communication” grounds may still face the Section 638.51 pen register theory. Defendants who succeed on both still face ECPA claims that have not been resolved by the same motion.
This structural persistence is not accidental. It is the litigation model. The cost of defeating all theories across multiple motions — with discovery running in parallel on surviving claims — frequently exceeds the cost of settlement even when defendants believe, correctly, that many of the claims would ultimately fail at trial. The economics of complex class action defense produce settlements that have nothing to do with liability and everything to do with the cost of litigation relative to the risk of an adverse class certification ruling.
For companies assessing their exposure to Siri & Glimstad specifically, the practical implication is that the question is not “can we win a motion to dismiss on the VPPA theory.” It is “can we win all the motions on all the theories in all the jurisdictions the firm is filing in, and if not, what is our exposure on the theories we cannot defeat early.”
Compliance Implications: Closing the Gaps This Firm Exploits
Video plus pixel is a VPPA trigger, not a VPPA defense. The most common mistake companies make in assessing VPPA exposure is concluding that because their primary business is not video, they are not a “video tape service provider” under the statute. Courts have not uniformly accepted that limitation. Any company with authenticated users who watch video content on a platform that also transmits data to third-party advertising tools should conduct a VPPA analysis before relying on that defense.
Authenticated users require separate consent analysis. The VPPA’s protections apply specifically to subscribers — people who have created accounts and authenticated. A company that has implemented a general cookie consent banner has not obtained VPPA-compliant consent for authenticated users whose video viewing histories are being transmitted. The consent required under VPPA is specific to the disclosure of video viewing records to third parties, must be informed, and must be in writing or electronic form.
CIPA reaches every company with California website traffic. A company headquartered in Texas, incorporated in Delaware, and operating primarily in the Southeast can face CIPA liability if California residents use its website and tracking scripts capture their interactions in real time. Geographic distance from California does not create geographic distance from CIPA.
The pen register theory requires separate remediation from the wiretapping theory. CIPA Section 638.51 pen register claims target IP address and device identifier collection by third-party scripts — a practice so universal in digital marketing that most companies have never considered it requires consent. Prior consent is required before the collection occurs. Retroactive consent mechanisms do not cure violations that have already accrued.
Co-counsel coordination amplifies the firm’s capacity. Siri & Glimstad’s willingness to coordinate with co-counsel means that a case the firm originates may be supplemented by the resources and discovery capacity of additional firms as it matures. Defendants should not assume that a boutique-sized opposing counsel means boutique-level litigation pressure.
The Longer View
Siri & Glimstad’s expansion into digital privacy class actions is part of a broader pattern: complex litigation firms with established infrastructure for multi-jurisdictional practice recognizing that consumer privacy law has become one of the most active and financially significant areas of plaintiff-side class action work in the country. The firm brings forum flexibility, co-counsel networks, and a multi-statute approach to a litigation space that rewards exactly those capabilities.
For companies that operate websites with video content, authenticated user bases, or standard advertising infrastructure — which describes the majority of consumer-facing businesses — the exposure profile that Siri & Glimstad targets is not theoretical. It is the operational status quo for most digital businesses, assessed against statutes that were written to prohibit exactly the data practices that status quo relies on.
The compliance gap is real. The question is whether it gets addressed before or after a complaint is filed.
5 Compliance Steps to Reduce Your Exposure
- Audit every page with video content for simultaneous pixel activity. Any page where authenticated users watch video content and advertising or analytics pixels are also running requires immediate VPPA analysis. The combination is the exposure — identify every instance of it before opposing counsel does.
- Build a separate consent mechanism for authenticated users viewing video content. General cookie consent does not satisfy VPPA’s written consent requirement for disclosure of video viewing histories. Authenticated users need a specific, informed consent flow that addresses video viewing data and third-party disclosure before any such disclosure occurs.
- Implement CIPA-compliant disclosures and consent for California traffic. This includes both Section 631 wiretapping disclosures for real-time script interception and Section 638.51 pen register disclosures for IP address and device identifier collection. California users must consent to both categories before the relevant scripts load.
- Categorize and document every tracking technology on your website. Each tool must be documented with its vendor, the data it collects, the third parties it transmits to, the legal basis for collection, and the consent obtained. This documentation is your primary evidence in any demand letter response and your first line of defense in early motion practice.
- Conduct VPPA and CIPA risk assessments with privacy counsel before your next website update. Website updates that add video content, new advertising pixels, or new analytics tools reset the exposure analysis. Any company that has made material changes to its website in the last two years without a corresponding privacy assessment is operating with an unreviewed liability profile.
How Captain Compliance Can Help
The gaps that Siri & Glimstad targets — video plus pixel combinations, unauthenticated consent flows, CIPA-noncompliant tracking on California-accessible websites — are identifiable and fixable before a complaint is filed. Captain Compliance specializes in VPPA and CIPA risk assessments, cookie consent architecture, authenticated user consent flows, and litigation-readiness reviews that find what plaintiff firms find, before they find it.
