Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
Thursday, July 3, 2025
Print Mail Download info_icon_img/>i

Key Takeaways:

  • The Ninth Circuit court of appeals reviewed three separate proposed class actions against Papa John’s International Inc., Converse Inc., and Bloomingdale’s, all centered on whether certain website tracking activities violated the California Invasion of Privacy Act (CIPA).
  • The plaintiffs in these cases alleged that companies unlawfully used technologies like “session replay” software and chatbots to monitor website visitors’ interactions, intercepting their information and transmitting it to third parties without consent, thereby violating CIPA Section 631.
  • The court assessed how CIPA, an older wiretapping law, applies to modern website tracking like session replay and chatbots, focusing on definitions of “interception” and “contents.”

A Ninth Circuit court of appeals panel reviewed three separate proposed class actions against Papa John’s International Inc., Converse Inc., and Bloomingdale’s, all centered on whether certain website tracking activities violated the California Invasion of Privacy Act (CIPA).

The Core Issue: CIPA and Website Communications

At the core of these cases is the application of CIPA Section 631, a statute originally enacted to address traditional wiretapping and eavesdropping, to modern website tracking technologies. CIPA Section 631(a) imposes liability on an entity that “intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable or instrument of any internal telephonic communication system, or willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report or communication while the same is in transit . . . ” The same section also imposes liability on an entity that “aids, agrees with, employs, or conspires with any person or persons” to commit one or more of the aforesaid acts.” The recent surge in CIPA litigation has targeted companies employing these tracking technologies, seeking to recover statutory damages of $5,000 per violation.

The Allegations: Website Tracking and the California Invasion of Privacy Act

The plaintiffs in these cases allege that companies unlawfully used technologies like “session replay” software and chatbots to monitor website visitors’ interactions, intercepting their information and transmitting it to third parties without consent, thereby violating CIPA Section 631.

The Lower Court Decisions and the Ninth Circuit’s Considerations

  • Papa John’s: In Thomas v. Papa John’s International Inc., the plaintiff alleged that Papa John’s unlawfully eavesdropped and wiretapped by capturing customers’ website interactions using tracking software and sent the data to a third-party. The lower court dismissed the case, determining that the plaintiff failed to sufficiently allege that Papa John’s engaged in or aided and abetted wiretapping. On appeal, the Ninth Circuit found, “Thomas alleged that Papa John’s directly violated section 631(a) of the California Penal Code by ‘eavesdrop[ping] and learn[ing] the content of its users’ communications.’ But a party to a conversation cannot be liable under section 631 for ‘eavesdropping’ on its own conversation,” the panel said. “Thomas did not allege that Papa John’s violated section 631 by aiding another party in eavesdropping.” Ultimately, the Ninth Circuit affirmed the lower court’s dismissal, ruling that Papa John’s, as a party to the communications, can’t be liable for spying on its own conversation. Thomas v. Papa John’s International Inc.
  • Bloomingdale’s: In Mikulsky v. Bloomingdale’s LLC et al., the plaintiff alleged that Bloomingdale’s used session replay code to capture and disclose the “contents” of website communications to a third-party vendor without user consent, violating CIPA Section 631. The district court granted the motion of Bloomingdale motion to dismiss Mikulsky’s complaint for failure to state a claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure. On appeal, Bloomingdale’s argued that masking text fields prevented the vendor from viewing this data, however, the Ninth Circuit panel reversed the lower court’s decision finding that the district court erred in dismissing Mikulsky’s claim under CIPA section 631(a), finding that the complaint stated sufficient facts to allege that Defendants aided, agreed with, employed, or conspired with Session Replay Code providers to enable the providers to read, attempt to read, or to learn “the contents or meaning of any message, report, or communication while the same [was] in transit or passing over any wire, line, or cable, or [was] being sent from, or received at any place within this state,” without the consent of all parties. The court further found that the complaint alleged real-time capture of the contents of Mikulsky’s communications on Defendants’ website without her consent, not merely the real-time capture of information regarding the characteristics of the communications. Mikulsky v. Bloomingdales, LLC, et al.
  • Converse: In Gutierrez v. Converse Inc. et al., the claims revolved around Converse’s use of online customer service chat features allowing users to interact with Converse customer service agents through text-based communication directly on its website and whether the communications through these features could be considered analogous to traditional telephone communications covered by CIPA. The district court granted Converse’s motion for summary judgment finding that the internet transmissions, specifically the online chat features, were not analogous to traditional telephone communications as covered by CIPA Section 631, finding this clause applies solely to “telephone communications”. The court also found that the chat provider did not engage in wiretapping, as the messages were encrypted in transit and password-protected on the provider’s servers, preventing the “willful and without consent” reading of communications as required for CIPA liability. On appeal, during the Ninth Circuit’s hearing of oral arguments, Judge Jay S. Bybee expressed concerns about applying a statute adopted in 1967 to modern internet technology, describing it as “very anachronistic”. Judge Baybee suggested that the plaintiff might be better served asserting her claims under a more recent California statute designed to protect consumers’ online privacy. The court has yet to rule on the appeal. Gutierrez v. Converse Inc. et al.

Key Takeaways: Implications for Businesses

The Ninth Circuit’s decisions in Thomas v. Papa John’s, Mikulsky v. Bloomingdale’s, and Gutierrez v. Converse represent a critical moment in the ongoing debate over how existing privacy laws, apply to modern website tracking technologies.

  • Balancing Old Law and New Technology: These cases highlight the ongoing challenge of interpreting and applying older privacy laws to rapidly evolving internet technology. The Ninth Circuit’s decisions offer insight into how courts are grappling with these complexities, focusing on the technical specifics of data capture and the specific requirements of CIPA’s various clauses. The Ninth Circuit’s review allowed it to address key questions about applying CIPA, a law originally focused on telephone wiretapping, to modern internet communications, and what level of consent is required for tracking technologies. The appeals aimed to clarify the scope of CIPA liability for businesses using tracking technologies and to guide courts on how to interpret and apply this older law in the context of rapidly evolving online privacy issues. 
  • Political Landscape: Legislation including Senate Bill 690 (SB 690), if passed, would exempt companies using tracking for legitimate business purposes from CIPA liability, provided they comply with existing privacy laws. This reflects a growing sentiment that the CCPA provides a more comprehensive and modern framework for regulating online privacy, making CIPA-based lawsuits duplicative.
  • Ruling: Despite the apparent skepticism, the Ninth Circuit did reverse the dismissal in Bloomingdales, indicating a willingness to apply CIPA to session replay under certain conditions, particularly where the “contents” of communications are plausibly alleged to have been disclosed to a third party without consent. If the court were to issue a broader ruling favoring consumers in other cases, it would validate the use of CIPA in this context and likely trigger an influx of similar lawsuits, signaling a green light for consumers. This could also influence other circuits, who often look to the Ninth Circuit for guidance on CIPA matters due to its proximity to California and the high volume of privacy cases originating there.
© 2025 Proskauer Rose LLP.

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF UCC SALE: GLP 2206 LLC
Published: 18 July, 2025
PUBLIC NOTICE OF UCC SALE: Broad St Ventures Urban Renewal, LLC
Published: 10 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: CCP Mezzanine Nashville I, LLC
Published: 7 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chenango Flats LLC
Published: 7 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Integrated Endoscopy, Inc.
Published: 1 July, 2025
PUBLIC NOTICE OF ASSIGNMENT: Common Cents Distributors, LLC
Published: 26 June, 2025
PUBLIC NOTICE OF UCC SALE: Hudson 1702, LLC
Published: 24 June, 2025
PUBLIC NOTICE OF INTELLECTUAL PROPERTY SALE: American Energy Storage Innovations Inc.
Published: 24 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chesterfield Faring, LTD
Published: 24 June, 2025
PUBLIC NOTICE OF ASSIGNEE SALE: Quadrata, Inc.
Published: 23 June, 2025
Discover more public notices

Current Legal Analysis

More from Proskauer Rose LLP

UK Green Taxonomy Shelved as Transition Plans Take Centre Stage
by: John Verwey , Rachel E. Lowe
Private Market Talks: Navigating Policy, Private Markets and AI with Barings’ David Mihalick [Podcast]
by: Peter J. Antoszyk
iCloud Coverage: Antitrust Storm Brews Against Apple
by: Peter C. Angelica
DOJ Targets Gender‑Affirming Care under FDCA and FCA: Scrutinizes Off‑Label Drug Use and False Diagnosis Codes
by: Matthew J. Westbrook , Jonian Rafti
Rhode Island Adds New Protections for Menopause and Mandatory Wage Payment Notice to New Hires
by: Evandro C Gigante , Arielle E. Kobetz
New York State COVID-19 Sick Time Requirement to Sunset on July 31, 2025
by: Evandro C Gigante , Laura M. Fant
Mastering Deposition Designations in California: Best Practices for Trial Success
by: Christina M. Assi
Canceled Before It Clicked: Eighth Circuit Strikes Down FTC’s Click-to-Cancel Rule
by: Baldassare Vinti , Jennifer Yang
Bullying, Harassment and Violence Set to Be Conduct Issues Under New FCA Rule
by: John Verwey , Rachel E. Lowe
New Notice Requirement for California Employers: Surviving Violent Crimes
by: Anthony J Oncidi , Dixie M. Morrison
House of Lords Launches Inquiry into Growth of UK Private Markets
by: John Verwey , Rachel E. Lowe
$30 Million Message: Jury Awards Substantial Punitive Damages for Trade Secret Theft
by: Steven J Pearlman , Nicole O. Swanson
A Leaner Regime for the EU Taxonomy Regulation
by: John Verwey , Rachel E. Lowe
Regulation Round Up July 2025
by: John Verwey , Andrew Wingfield
District Court Vacates HIPAA Reproductive Health Care Rule
by: Roberta K Chevlowe , Jennifer Rigterink

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters