Key Takeaways:

  • The Ninth Circuit court of appeals reviewed three separate proposed class actions against Papa John’s International Inc., Converse Inc., and Bloomingdale’s, all centered on whether certain website tracking activities violated the California Invasion of Privacy Act (CIPA).
  • The plaintiffs in these cases alleged that companies unlawfully used technologies like “session replay” software and chatbots to monitor website visitors’ interactions, intercepting their information and transmitting it to third parties without consent, thereby violating CIPA Section 631.
  • The court assessed how CIPA, an older wiretapping law, applies to modern website tracking like session replay and chatbots, focusing on definitions of “interception” and “contents.”

A Ninth Circuit court of appeals panel reviewed three separate proposed class actions against Papa John’s International Inc., Converse Inc., and Bloomingdale’s, all centered on whether certain website tracking activities violated the California Invasion of Privacy Act (CIPA).

The Core Issue: CIPA and Website Communications

At the core of these cases is the application of CIPA Section 631, a statute originally enacted to address traditional wiretapping and eavesdropping, to modern website tracking technologies. CIPA Section 631(a) imposes liability on an entity that “intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable or instrument of any internal telephonic communication system, or willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report or communication while the same is in transit . . . ”  The same section also imposes liability on an entity that “aids, agrees with, employs, or conspires with any person or persons” to commit one or more of the aforesaid acts.” The recent surge in CIPA litigation has targeted companies employing these tracking technologies, seeking to recover statutory damages of $5,000 per violation.

The Allegations: Website Tracking and the California Invasion of Privacy Act

The plaintiffs in these cases allege that companies unlawfully used technologies like “session replay” software and chatbots to monitor website visitors’ interactions, intercepting their information and transmitting it to third parties without consent, thereby violating CIPA Section 631.

The Lower Court Decisions and the Ninth Circuit’s Considerations

  • Papa John’s: In Thomas v. Papa John’s International Inc., the plaintiff alleged that Papa John’s unlawfully eavesdropped and wiretapped by capturing customers’ website interactions using tracking software and sent the data to a third-party. The lower court dismissed the case, determining that the plaintiff failed to sufficiently allege that Papa John’s engaged in or aided and abetted wiretapping. On appeal, the Ninth Circuit found, “Thomas alleged that Papa John’s directly violated section 631(a) of the California Penal Code by ‘eavesdrop[ping] and learn[ing] the content of its users’ communications.’ But a party to a conversation cannot be liable under section 631 for ‘eavesdropping’ on its own conversation,” the panel said. “Thomas did not allege that Papa John’s violated section 631 by aiding another party in eavesdropping.” Ultimately, the Ninth Circuit affirmed the lower court’s dismissal, ruling that Papa John’s, as a party to the communications, can’t be liable for spying on its own conversation.  Thomas v. Papa John’s International Inc.
  • Bloomingdale’s: In Mikulsky v. Bloomingdale’s LLC et al., the plaintiff alleged that Bloomingdale’s used session replay code to capture and disclose the “contents” of website communications to a third-party vendor without user consent, violating CIPA Section 631. The district court granted the motion of Bloomingdale motion to dismiss Mikulsky’s complaint for failure to state a claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure.  On appeal, Bloomingdale’s argued that masking text fields prevented the vendor from viewing this data, however, the Ninth Circuit panel reversed the lower court’s decision finding that the district court erred in dismissing Mikulsky’s claim under CIPA section 631(a), finding that the complaint stated sufficient facts to allege that Defendants aided, agreed with, employed, or conspired with Session Replay Code providers to enable the providers to read, attempt to read, or to learn “the contents or meaning of any message, report, or communication while the same [was] in transit or passing over any wire, line, or cable, or [was] being sent from, or received at any place within this state,” without the consent of all parties. The court further found that the complaint alleged real-time capture of the contents of Mikulsky’s communications on Defendants’ website without her consent, not merely the real-time capture of information regarding the characteristics of the communications. Mikulsky v. Bloomingdales, LLC, et al.
  • Converse: In Gutierrez v. Converse Inc. et al., the claims revolved around Converse’s use of online customer service chat features allowing users to interact with Converse customer service agents through text-based communication directly on its website and whether the communications through these features could be considered analogous to traditional telephone communications covered by CIPA. The district court granted Converse’s motion for summary judgment finding that the internet transmissions, specifically the online chat features, were not analogous to traditional telephone communications as covered by CIPA Section 631, finding this clause applies solely to “telephone communications”. The court also found that the chat provider did not engage in wiretapping, as the messages were encrypted in transit and password-protected on the provider’s servers, preventing the “willful and without consent” reading of communications as required for CIPA liability. On appeal, during the Ninth Circuit’s hearing of oral arguments, Judge Jay S. Bybee expressed concerns about applying a statute adopted in 1967 to modern internet technology, describing it as “very anachronistic”. Judge Baybee suggested that the plaintiff might be better served asserting her claims under a more recent California statute designed to protect consumers’ online privacy. The court has yet to rule on the appeal. Gutierrez v. Converse Inc. et al.

Key Takeaways: Implications for Businesses

The Ninth Circuit’s decisions in Thomas v. Papa John’s, Mikulsky v. Bloomingdale’s, and Gutierrez v. Converse represent a critical moment in the ongoing debate over how existing privacy laws, apply to modern website tracking technologies.

  • Balancing Old Law and New Technology: These cases highlight the ongoing challenge of interpreting and applying older privacy laws to rapidly evolving internet technology. The Ninth Circuit’s decisions offer insight into how courts are grappling with these complexities, focusing on the technical specifics of data capture and the specific requirements of CIPA’s various clauses. The Ninth Circuit’s review allowed it to address key questions about applying CIPA, a law originally focused on telephone wiretapping, to modern internet communications, and what level of consent is required for tracking technologies. The appeals aimed to clarify the scope of CIPA liability for businesses using tracking technologies and to guide courts on how to interpret and apply this older law in the context of rapidly evolving online privacy issues. 
  • Political Landscape: Legislation including Senate Bill 690 (SB 690), if passed, would exempt companies using tracking for legitimate business purposes from CIPA liability, provided they comply with existing privacy laws. This reflects a growing sentiment that the CCPA provides a more comprehensive and modern framework for regulating online privacy, making CIPA-based lawsuits duplicative.
  • Ruling: Despite the apparent skepticism, the Ninth Circuit did reverse the dismissal in Bloomingdales, indicating a willingness to apply CIPA to session replay under certain conditions, particularly where the “contents” of communications are plausibly alleged to have been disclosed to a third party without consent. If the court were to issue a broader ruling favoring consumers in other cases, it would validate the use of CIPA in this context and likely trigger an influx of similar lawsuits, signaling a green light for consumers. This could also influence other circuits, who often look to the Ninth Circuit for guidance on CIPA matters due to its proximity to California and the high volume of privacy cases originating there.

Posted in California, Online Privacy, Privacy Law, Privacy Litigation
Tags: California Invasion of Privacy Act (CIPA), California privacy laws, Ninth Circuit, privacy law, privacy litigation, website privacy
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Fioccola David Fioccola

A seasoned litigator and trial lawyer, David Fioccola specializes in the defense of complex commercial disputes and consumer class actions. With more than 20 years of experience, David has tried cases in federal and state courts and before arbitral tribunals throughout the U.S.

A seasoned litigator and trial lawyer, David Fioccola specializes in the defense of complex commercial disputes and consumer class actions. With more than 20 years of experience, David has tried cases in federal and state courts and before arbitral tribunals throughout the U.S. He regularly defends Fortune 500 companies in bet-the-company litigation as well as financial institutions against claims involving federal and state law violations, including antitrust laws, trust claims, and breach of contract.

David has extensive experience handling large-scale internal investigations and represents clients before U.S. federal and state agencies, including the Department of Justice, the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency, the Federal Trade Commission, and the Securities and Exchange Commission, and state agencies, such as the New York Department of Financial Services and state attorneys general. Moreover, he has significant experience counseling clients in various U.S. federal laws and statutes, including:

  • The Consumer Financial Protection Act
  • The Unfair, Deceptive, or Abusive Acts and Practices (UDAAP)
  • The Federal Antitrust laws
  • Americans with Disabilities Act (ADA)
  • The Fair Credit Reporting Act (FCRA)
  • The Fair Debt Collection Practices Act (FDCPA)
  • The Servicemembers Civil Relief Act (SCRA)
  • The RICO Act
  • The Truth in Lending Act (TILA)
  • The Telephone Consumer Protection Act (TCPA)
  • California’s Business and Professions Code § 17200

Prior to joining Proskauer, David was the co-chair of the Class Actions and Mass Torts Practice Group at Morrison & Foerster, and the Trial Practice Group.

Read more about David Fioccola
Show more Show less
Photo of Baldassare Vinti Baldassare Vinti

Baldassare (“Baldo”) Vinti heads Proskauer’s Intellectual Property Litigation Group.

Baldo’s practice focuses on litigating patent, false advertising, trade secret, life sciences, trademark and contractual matters in federal and state courts and before the International Trade Commission. He is a seasoned trial attorney responsible…

Baldassare (“Baldo”) Vinti heads Proskauer’s Intellectual Property Litigation Group.

Baldo’s practice focuses on litigating patent, false advertising, trade secret, life sciences, trademark and contractual matters in federal and state courts and before the International Trade Commission. He is a seasoned trial attorney responsible for all aspects of litigation, including Markman hearings, appeals before the Federal Circuit, case preparation and strategy, depositions, motion practice, and settlement negotiations. He has represented clients in high-stakes matters involving a broad range of technologies, including medical devices, diagnostics, immunoassays, prosthetics, pharmaceuticals, dental implants, electronic medical records systems, encryption technology, wound dressings, digital video compression, electronic book delivery and security systems, mobile media technologies, navigation and location-based services, bandwidth management, bar code scanning, lasers , and other technologies. Baldo has represented numerous major corporations, including Arkema S.A., British Telecommunications PLC, Church & Dwight Co., Inc., Henry Schein, Inc., Maidenform Brands Inc., Mitsubishi Electric Corp., Ossur North America Inc., Panasonic Corp., Sony Corp., Welch Foods, Inc., and Zenith Electronics LLC.

In addition, Baldo regularly handles transactional work, including intellectual property due diligence, licensing, intellectual property structural transactions, patentability studies, infringement/non-infringement opinions, and client counseling in intellectual property matters.

Baldo is an author and frequent commentator on patent issues pertaining to medical devices and a host of other intellectual property topics, and has been quoted in the National Law Journal, Bloomberg BNA, Law360, Westlaw Journal and Inside Counsel magazine. He is also a regular contributor of articles published in Medical Product Outsourcing magazine that deal with the medical device industry.

Baldo served as a judicial intern for Hon. John E. Sprizzo of the United States District Court for the Southern District of New York and for Hon. Charles A. LaTorella of the New York Supreme Court.

Read more about Baldassare Vinti
Show more Show less
Photo of Aaron Francis Aaron Francis

Aaron Francis is an associate in the Litigation Department and a member of the Data Privacy and Cybersecurity Litigation Group.

Aaron’s practice focuses on complex civil litigations, internal and regulatory investigations, and arbitrations, covering a range of types of disputes, including cybersecurity, commercial…

Aaron Francis is an associate in the Litigation Department and a member of the Data Privacy and Cybersecurity Litigation Group.

Aaron’s practice focuses on complex civil litigations, internal and regulatory investigations, and arbitrations, covering a range of types of disputes, including cybersecurity, commercial contracts, and securities.  He also advises, counsels, and represents various pro bono clients, including non-profit organizations on issues related to harassment and discrimination, incarcerated survivors of domestic violence in criminal appeals, and multiple other entities in civil rights litigation.

Aaron is a member of Proskauer’s Black Lawyers Affinity Group.

Read more about Aaron Francis
Show more Show less
Related Posts
Ninth Circuit Reshapes Personal Jurisdiction Standards for E-Commerce Platforms in Briskin v. Shopify
May 6, 2025
Now Trending: The TikTok Dox
December 10, 2024
Privacy Class Action Spotlight: Surge of Privacy Class Actions in Arizona Targeting Email Pixel Tracking
September 4, 2024