HB Ad Slot
HB Mobile Ad Slot
Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
Thursday, July 3, 2025

Key Takeaways:

  • The Ninth Circuit court of appeals reviewed three separate proposed class actions against Papa John’s International Inc., Converse Inc., and Bloomingdale’s, all centered on whether certain website tracking activities violated the California Invasion of Privacy Act (CIPA).
  • The plaintiffs in these cases alleged that companies unlawfully used technologies like “session replay” software and chatbots to monitor website visitors’ interactions, intercepting their information and transmitting it to third parties without consent, thereby violating CIPA Section 631.
  • The court assessed how CIPA, an older wiretapping law, applies to modern website tracking like session replay and chatbots, focusing on definitions of “interception” and “contents.”

A Ninth Circuit court of appeals panel reviewed three separate proposed class actions against Papa John’s International Inc., Converse Inc., and Bloomingdale’s, all centered on whether certain website tracking activities violated the California Invasion of Privacy Act (CIPA).

The Core Issue: CIPA and Website Communications

At the core of these cases is the application of CIPA Section 631, a statute originally enacted to address traditional wiretapping and eavesdropping, to modern website tracking technologies. CIPA Section 631(a) imposes liability on an entity that “intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable or instrument of any internal telephonic communication system, or willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report or communication while the same is in transit . . . ” The same section also imposes liability on an entity that “aids, agrees with, employs, or conspires with any person or persons” to commit one or more of the aforesaid acts.” The recent surge in CIPA litigation has targeted companies employing these tracking technologies, seeking to recover statutory damages of $5,000 per violation.

The Allegations: Website Tracking and the California Invasion of Privacy Act

The plaintiffs in these cases allege that companies unlawfully used technologies like “session replay” software and chatbots to monitor website visitors’ interactions, intercepting their information and transmitting it to third parties without consent, thereby violating CIPA Section 631.

The Lower Court Decisions and the Ninth Circuit’s Considerations

  • Papa John’s: In Thomas v. Papa John’s International Inc., the plaintiff alleged that Papa John’s unlawfully eavesdropped and wiretapped by capturing customers’ website interactions using tracking software and sent the data to a third-party. The lower court dismissed the case, determining that the plaintiff failed to sufficiently allege that Papa John’s engaged in or aided and abetted wiretapping. On appeal, the Ninth Circuit found, “Thomas alleged that Papa John’s directly violated section 631(a) of the California Penal Code by ‘eavesdrop[ping] and learn[ing] the content of its users’ communications.’ But a party to a conversation cannot be liable under section 631 for ‘eavesdropping’ on its own conversation,” the panel said. “Thomas did not allege that Papa John’s violated section 631 by aiding another party in eavesdropping.” Ultimately, the Ninth Circuit affirmed the lower court’s dismissal, ruling that Papa John’s, as a party to the communications, can’t be liable for spying on its own conversation. Thomas v. Papa John’s International Inc.
  • Bloomingdale’s: In Mikulsky v. Bloomingdale’s LLC et al., the plaintiff alleged that Bloomingdale’s used session replay code to capture and disclose the “contents” of website communications to a third-party vendor without user consent, violating CIPA Section 631. The district court granted the motion of Bloomingdale motion to dismiss Mikulsky’s complaint for failure to state a claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure. On appeal, Bloomingdale’s argued that masking text fields prevented the vendor from viewing this data, however, the Ninth Circuit panel reversed the lower court’s decision finding that the district court erred in dismissing Mikulsky’s claim under CIPA section 631(a), finding that the complaint stated sufficient facts to allege that Defendants aided, agreed with, employed, or conspired with Session Replay Code providers to enable the providers to read, attempt to read, or to learn “the contents or meaning of any message, report, or communication while the same [was] in transit or passing over any wire, line, or cable, or [was] being sent from, or received at any place within this state,” without the consent of all parties. The court further found that the complaint alleged real-time capture of the contents of Mikulsky’s communications on Defendants’ website without her consent, not merely the real-time capture of information regarding the characteristics of the communications. Mikulsky v. Bloomingdales, LLC, et al.
  • Converse: In Gutierrez v. Converse Inc. et al., the claims revolved around Converse’s use of online customer service chat features allowing users to interact with Converse customer service agents through text-based communication directly on its website and whether the communications through these features could be considered analogous to traditional telephone communications covered by CIPA. The district court granted Converse’s motion for summary judgment finding that the internet transmissions, specifically the online chat features, were not analogous to traditional telephone communications as covered by CIPA Section 631, finding this clause applies solely to “telephone communications”. The court also found that the chat provider did not engage in wiretapping, as the messages were encrypted in transit and password-protected on the provider’s servers, preventing the “willful and without consent” reading of communications as required for CIPA liability. On appeal, during the Ninth Circuit’s hearing of oral arguments, Judge Jay S. Bybee expressed concerns about applying a statute adopted in 1967 to modern internet technology, describing it as “very anachronistic”. Judge Baybee suggested that the plaintiff might be better served asserting her claims under a more recent California statute designed to protect consumers’ online privacy. The court has yet to rule on the appeal. Gutierrez v. Converse Inc. et al.

Key Takeaways: Implications for Businesses

The Ninth Circuit’s decisions in Thomas v. Papa John’s, Mikulsky v. Bloomingdale’s, and Gutierrez v. Converse represent a critical moment in the ongoing debate over how existing privacy laws, apply to modern website tracking technologies.

  • Balancing Old Law and New Technology: These cases highlight the ongoing challenge of interpreting and applying older privacy laws to rapidly evolving internet technology. The Ninth Circuit’s decisions offer insight into how courts are grappling with these complexities, focusing on the technical specifics of data capture and the specific requirements of CIPA’s various clauses. The Ninth Circuit’s review allowed it to address key questions about applying CIPA, a law originally focused on telephone wiretapping, to modern internet communications, and what level of consent is required for tracking technologies. The appeals aimed to clarify the scope of CIPA liability for businesses using tracking technologies and to guide courts on how to interpret and apply this older law in the context of rapidly evolving online privacy issues. 
  • Political Landscape: Legislation including Senate Bill 690 (SB 690), if passed, would exempt companies using tracking for legitimate business purposes from CIPA liability, provided they comply with existing privacy laws. This reflects a growing sentiment that the CCPA provides a more comprehensive and modern framework for regulating online privacy, making CIPA-based lawsuits duplicative.
  • Ruling: Despite the apparent skepticism, the Ninth Circuit did reverse the dismissal in Bloomingdales, indicating a willingness to apply CIPA to session replay under certain conditions, particularly where the “contents” of communications are plausibly alleged to have been disclosed to a third party without consent. If the court were to issue a broader ruling favoring consumers in other cases, it would validate the use of CIPA in this context and likely trigger an influx of similar lawsuits, signaling a green light for consumers. This could also influence other circuits, who often look to the Ninth Circuit for guidance on CIPA matters due to its proximity to California and the high volume of privacy cases originating there.
HTML Embed Code
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot

More from Proskauer Rose LLP

HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters