Ninth Circuit Reviews Website Tracking Class Actions and the Reach of California’s Privacy Law
Thursday, July 3, 2025
Print Mail Download info_icon_img/>i

Key Takeaways:

  • The Ninth Circuit court of appeals reviewed three separate proposed class actions against Papa John’s International Inc., Converse Inc., and Bloomingdale’s, all centered on whether certain website tracking activities violated the California Invasion of Privacy Act (CIPA).
  • The plaintiffs in these cases alleged that companies unlawfully used technologies like “session replay” software and chatbots to monitor website visitors’ interactions, intercepting their information and transmitting it to third parties without consent, thereby violating CIPA Section 631.
  • The court assessed how CIPA, an older wiretapping law, applies to modern website tracking like session replay and chatbots, focusing on definitions of “interception” and “contents.”

A Ninth Circuit court of appeals panel reviewed three separate proposed class actions against Papa John’s International Inc., Converse Inc., and Bloomingdale’s, all centered on whether certain website tracking activities violated the California Invasion of Privacy Act (CIPA).

The Core Issue: CIPA and Website Communications

At the core of these cases is the application of CIPA Section 631, a statute originally enacted to address traditional wiretapping and eavesdropping, to modern website tracking technologies. CIPA Section 631(a) imposes liability on an entity that “intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable or instrument of any internal telephonic communication system, or willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report or communication while the same is in transit . . . ” The same section also imposes liability on an entity that “aids, agrees with, employs, or conspires with any person or persons” to commit one or more of the aforesaid acts.” The recent surge in CIPA litigation has targeted companies employing these tracking technologies, seeking to recover statutory damages of $5,000 per violation.

The Allegations: Website Tracking and the California Invasion of Privacy Act

The plaintiffs in these cases allege that companies unlawfully used technologies like “session replay” software and chatbots to monitor website visitors’ interactions, intercepting their information and transmitting it to third parties without consent, thereby violating CIPA Section 631.

The Lower Court Decisions and the Ninth Circuit’s Considerations

  • Papa John’s: In Thomas v. Papa John’s International Inc., the plaintiff alleged that Papa John’s unlawfully eavesdropped and wiretapped by capturing customers’ website interactions using tracking software and sent the data to a third-party. The lower court dismissed the case, determining that the plaintiff failed to sufficiently allege that Papa John’s engaged in or aided and abetted wiretapping. On appeal, the Ninth Circuit found, “Thomas alleged that Papa John’s directly violated section 631(a) of the California Penal Code by ‘eavesdrop[ping] and learn[ing] the content of its users’ communications.’ But a party to a conversation cannot be liable under section 631 for ‘eavesdropping’ on its own conversation,” the panel said. “Thomas did not allege that Papa John’s violated section 631 by aiding another party in eavesdropping.” Ultimately, the Ninth Circuit affirmed the lower court’s dismissal, ruling that Papa John’s, as a party to the communications, can’t be liable for spying on its own conversation. Thomas v. Papa John’s International Inc.
  • Bloomingdale’s: In Mikulsky v. Bloomingdale’s LLC et al., the plaintiff alleged that Bloomingdale’s used session replay code to capture and disclose the “contents” of website communications to a third-party vendor without user consent, violating CIPA Section 631. The district court granted the motion of Bloomingdale motion to dismiss Mikulsky’s complaint for failure to state a claim under Rule 12(b)(6) of the Federal Rules of Civil Procedure. On appeal, Bloomingdale’s argued that masking text fields prevented the vendor from viewing this data, however, the Ninth Circuit panel reversed the lower court’s decision finding that the district court erred in dismissing Mikulsky’s claim under CIPA section 631(a), finding that the complaint stated sufficient facts to allege that Defendants aided, agreed with, employed, or conspired with Session Replay Code providers to enable the providers to read, attempt to read, or to learn “the contents or meaning of any message, report, or communication while the same [was] in transit or passing over any wire, line, or cable, or [was] being sent from, or received at any place within this state,” without the consent of all parties. The court further found that the complaint alleged real-time capture of the contents of Mikulsky’s communications on Defendants’ website without her consent, not merely the real-time capture of information regarding the characteristics of the communications. Mikulsky v. Bloomingdales, LLC, et al.
  • Converse: In Gutierrez v. Converse Inc. et al., the claims revolved around Converse’s use of online customer service chat features allowing users to interact with Converse customer service agents through text-based communication directly on its website and whether the communications through these features could be considered analogous to traditional telephone communications covered by CIPA. The district court granted Converse’s motion for summary judgment finding that the internet transmissions, specifically the online chat features, were not analogous to traditional telephone communications as covered by CIPA Section 631, finding this clause applies solely to “telephone communications”. The court also found that the chat provider did not engage in wiretapping, as the messages were encrypted in transit and password-protected on the provider’s servers, preventing the “willful and without consent” reading of communications as required for CIPA liability. On appeal, during the Ninth Circuit’s hearing of oral arguments, Judge Jay S. Bybee expressed concerns about applying a statute adopted in 1967 to modern internet technology, describing it as “very anachronistic”. Judge Baybee suggested that the plaintiff might be better served asserting her claims under a more recent California statute designed to protect consumers’ online privacy. The court has yet to rule on the appeal. Gutierrez v. Converse Inc. et al.

Key Takeaways: Implications for Businesses

The Ninth Circuit’s decisions in Thomas v. Papa John’s, Mikulsky v. Bloomingdale’s, and Gutierrez v. Converse represent a critical moment in the ongoing debate over how existing privacy laws, apply to modern website tracking technologies.

  • Balancing Old Law and New Technology: These cases highlight the ongoing challenge of interpreting and applying older privacy laws to rapidly evolving internet technology. The Ninth Circuit’s decisions offer insight into how courts are grappling with these complexities, focusing on the technical specifics of data capture and the specific requirements of CIPA’s various clauses. The Ninth Circuit’s review allowed it to address key questions about applying CIPA, a law originally focused on telephone wiretapping, to modern internet communications, and what level of consent is required for tracking technologies. The appeals aimed to clarify the scope of CIPA liability for businesses using tracking technologies and to guide courts on how to interpret and apply this older law in the context of rapidly evolving online privacy issues. 
  • Political Landscape: Legislation including Senate Bill 690 (SB 690), if passed, would exempt companies using tracking for legitimate business purposes from CIPA liability, provided they comply with existing privacy laws. This reflects a growing sentiment that the CCPA provides a more comprehensive and modern framework for regulating online privacy, making CIPA-based lawsuits duplicative.
  • Ruling: Despite the apparent skepticism, the Ninth Circuit did reverse the dismissal in Bloomingdales, indicating a willingness to apply CIPA to session replay under certain conditions, particularly where the “contents” of communications are plausibly alleged to have been disclosed to a third party without consent. If the court were to issue a broader ruling favoring consumers in other cases, it would validate the use of CIPA in this context and likely trigger an influx of similar lawsuits, signaling a green light for consumers. This could also influence other circuits, who often look to the Ninth Circuit for guidance on CIPA matters due to its proximity to California and the high volume of privacy cases originating there.
© 2025 Proskauer Rose LLP.

Current Public Notices

Post Your Public Notice Today!

PUBLIC NOTICE OF RECEIVERSHIP SALE: ENTEGRA CAPITAL LLC AND EC MASTER TRUST
Published: 23 July, 2025
PUBLIC NOTICE OF ASSET SALE: SERFACE CARE, INC. D/B/A MYRO
Published: 21 July, 2025
PUBLIC NOTICE OF UCC SALE: Harrisburg Hotel LLC
Published: 21 July, 2025
PUBLIC NOTICE OF UCC SALE: GLP 2206 LLC
Published: 18 July, 2025
PUBLIC NOTICE OF UCC SALE: Broad St Ventures Urban Renewal, LLC
Published: 10 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: CCP Mezzanine Nashville I, LLC
Published: 7 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chenango Flats LLC
Published: 7 July, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Integrated Endoscopy, Inc.
Published: 1 July, 2025
PUBLIC NOTICE OF ASSIGNMENT: Common Cents Distributors, LLC
Published: 26 June, 2025
PUBLIC NOTICE OF UCC SALE: Hudson 1702, LLC
Published: 24 June, 2025
PUBLIC NOTICE OF INTELLECTUAL PROPERTY SALE: American Energy Storage Innovations Inc.
Published: 24 June, 2025
PUBLIC NOTICE OF UCC ARTICLE 9 SALE: Chesterfield Faring, LTD
Published: 24 June, 2025
PUBLIC NOTICE OF ASSIGNEE SALE: Quadrata, Inc.
Published: 23 June, 2025
Discover more public notices

Current Legal Analysis

More from Proskauer Rose LLP

Defendant Bore Risk Of Loss Due To Fraud When It Wired Settlement Proceeds To Imposter
by: Anthony J Oncidi
“Headless” PAGA Action May Proceed In Court
by: Anthony J Oncidi
Decertification Of Class Action Upheld
by: Anthony J Oncidi
Arbitration Agreement Was Unconscionable
by: Anthony J Oncidi
Unsuccessful Whistleblower Was Not Entitled To Recover Attorney’s Fees
by: Anthony J Oncidi
Employee Who Refused To Return To Work After COVID Was Not Disabled
by: Anthony J Oncidi
Employee’s Indirect Exposure To Harassing Conduct Supported $4 Million Verdict
by: Anthony J Oncidi
Supreme Court Invalidates Heightened Evidentiary Standard For Majority-Group Plaintiffs
by: Anthony J Oncidi
Seven Questions for Legal and Compliance Before Adopting AI Transcription Services
by: Nathan Schuur , Robert Pommer
No Surprises Here! Payers Push Back on IDR Submissions, Opening New Front in NSA Implementation Landscape
by: Vinay Kohli , D. Austin Rettew
Oregon Strengthens Geolocation Data Privacy and Children’s Personal Data Protections, Adding to Compliance for Data Brokers and Others
by: Jonathan Mollod
President Trump Signs One Big Beautiful Bill Act into Law
by: Jean M. Bertrand , Richard M. Corn
IRS Clarifies that Failure to Cash Checks Does Not Affect Withholding or Reporting
by: Seth J Safra , Tyler Forni
DOJ Begins Enforcement of New Data Security Program
by: Emma K. Baker
President Trump Taps Two GOP Nominees for NLRB, But Uncertainty Remains
by: Joshua S. Fox , Austin McLeod

Upcoming Events

 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up for any (or all) of our 25+ Newsletters.

 

Sign Up for any (or all) of our 25+ Newsletters