Greetings CIPAWorld!

We are bringing back CIPA Sundays! And what better day to do it than Super Bowl Sunday—where the only replay we should be analyzing is on the field. But off the field, a different kind of replay is making headlines—one that allegedly tracks every move you make online, even the ones you think are erased. While millions tune in for the big game, another play-by-play happens behind the scenes. Imagine filling out an online life insurance quote form. You type in your age, financial details, and perhaps even information about your medical history. Then you delete something, perhaps reconsidering how much you want to share. But what if that erased data was never truly gone? What if every keystroke, every backspace, every moment of hesitation was silently recorded? That’s exactly what Prudential Financial allegedly did, and a federal court gave thousands of California residents the green light to challenge the practice together.

In a significant ruling for digital privacy, Judge Charles Breyer of the Northern District of California refused to let Prudential and its partners sidestep liability, certifying a class action that could reshape the boundaries of online data collection. See Torres v. Prudential Fin., Inc., No. 22-CV-7465-CRB, 2024 WL 4894289 (N.D. Cal. Nov. 26, 2024). Does this case sound familiar? It should. The one and only Baroness blogged about it here: The ActiveProspect Saga: Privacy Challenges Continue Post-Javier. This case illustrates how courts deal with modern surveillance technologies, the boundaries of implied consent, and whether companies can justify real-time user tracking under the pretext of “data collection.”

So, let’s get a little technical for a moment for those unfamiliar with this tech. The technology at issue here is TrustedForm, a session replay tool that does more than just log user submissions. In turn, it generates a second-by-second reconstruction of a user’s entire interaction with Prudential’s quote form, capturing information even if it is deleted before submission. Here’s how it works: the moment a visitor lands on the form, TrustedForm assigns them a unique tracking ID and begins recording. Think of it like a surveillance camera for your browser—monitoring every keystroke, every backspace, every time you hover over a field but hesitate to fill it out. By the time users hit “Get an instant quote,” Prudential and its partners already have a fully mapped-out replay of their entire thought process. But here’s the twist—users never agreed to this level of tracking. At no point were they explicitly told that their interactions were being recorded in real time.

With this in mind, let’s now switch gears and break down the Court’s reasoning so we can work through the Court’s analysis to fully understand it. Before deciding whether a class could be certified, the Court tackled standing—a threshold issue in privacy litigation. In Campbell v. Facebook, Inc., 951 F.3d 1106, 1117 (9th Cir. 2020), Judge Breyer reaffirmed that CIPA violations inherently confer standing because they protect substantive privacy rights, not just procedural ones. Unlike some privacy claims that require proof of harm beyond statutory violations, Plaintiff didn’t need to show her data was misused—the unconsented recording itself was enough to constitute concrete injury under TransUnion L.L.C. v. Ramirez, 594 U.S. 413, 423 (2021).

Prudential’s primary defense hinged on implied consent—arguing that website visitors were sufficiently “on notice” of session replay tracking through privacy policies, industry norms, and even news articles discussing online monitoring. However, the Court wasn’t convinced. Relying on Calhoun v. Google, L.L.C., 113 F.4th 1141, 1147 (9th Cir. 2024), the Court emphasized that for consent to be valid, it must be to “the particular conduct, or substantially the same conduct” at issue. Generic disclosures about data collection won’t cut it.

Prudential then pointed to its privacy policy, but the Court found this argument lacking, distinguishing Torres from its own prior decision in Javier v. Assur. IQ L.L.C., 649 F. Supp. 3d 891, 896-97 (N.D. Cal. 2023). While Javier held that a privacy policy might put users on “inquiry notice” for statute of limitations purposes, it didn’t establish actual consent. Here, no reasonable user clicking through Prudential’s quote form would expect that their keystrokes and deleted inputs were being recorded in real time.

Another hurdle Prudential tried to establish was the identification of class members—arguing that individual inquiries would dominate. The Court disagreed. Under Briseno v. ConAgra Foods, Inc., 844 F.3d 1121, 1125 (9th Cir. 2017), the Ninth Circuit doesn’t require plaintiffs to demonstrate administrative feasibility at the certification stage. It found that Prudential’s own database, combined with user affidavits, would be sufficient to identify affected consumers.

Next, one of Prudential’s more technical arguments was that some class members may have used VPNs, making it difficult to verify whether they were in California. However, the Court found this issue insufficient to defeat predominance. The Court suggested that ZIP code cross-referencing and affidavits could establish California residency. See Zaklit v. Nationstar Mortg. L.L.C., No. 5:15-cv-2190-CAS(KKx), 2017 WL 3174901, at *9 (C.D. Cal. July 24, 2017). It also pointed out that CIPA’s protections extend to communications “in transit” through California, meaning that even non-residents could potentially qualify if their data was intercepted while in the state.

With class certification granted, the battle over Prudential’s use of TrustedForm is far from over. The defendants—Prudential, ActiveProspect, and Assurance IQ—aren’t waiting for the trial to try to shut this case down. They’ve filed an early motion for summary judgment, arguing that their use of TrustedForm doesn’t violate California’s wiretapping law, CIPA § 631(a). The motion is set for a hearing on March 28, 2025, with briefing continuing through February and March.

The core of this motion revolves around whether ActiveProspect qualifies as a “third-party eavesdropper” under CIPA or if it was merely a service provider acting on Prudential’s behalf. The defense insists that TrustedForm is just a compliance tool, incapable of independent use, while Plaintiffs argue that recording user interactions without explicit consent is exactly the kind of digital surveillance CIPA was meant to prevent. Defendants might also move to exclude the expert testimony of Plaintiffs’ software expert, adding another layer of complexity. If they do, that motion will be fully briefed by March 13, 2025.

Meanwhile, the Court has scheduled a case management conference for March 28, 2025, immediately following the summary judgment hearing. Depending on how Judge Breyer rules, this case could either be heading toward trial—or be over before it ever gets there.

Bottom line? This fight is far from over, and Torres could still set a significant precedent for online tracking and consumer privacy rights. The next few months will be one to watch, and we’ll be sure to keep you updated.

As always,

Keep it legal, keep it smart, and stay ahead of the game.

Talk soon!