The Ninth Circuit heard oral arguments on June 10, 2025, in three closely watched appeals—Gutierrez v. Converse Inc., Mikulsky v. Bloomingdale’s, LLC, and Thomas v. Papa John’s International, Inc.—that could shape the future of privacy litigation for businesses with websites accessible to California consumers. Central to these cases is whether California’s Invasion of Privacy Act (“CIPA”), and in particular Section 631(a), extends to modern internet-based technologies such as session replay software and online customer chat features. These lawsuits reflect a recent wave of litigation targeting companies that deploy digital tools to improve customer experience and analyze website interactions, with plaintiffs seeking statutory damages of $5,000 per alleged violation.
Within just days of oral argument, the Ninth Circuit issued decisions in two of the three cases, delivering a mixed outcome for businesses. In this article, we examine those rulings and preview the key issues that remain unresolved.
Key Issues Before the Court
The Ninth Circuit panel (Hon. Jay S. Bybee, Hon. Sandra Segal Ikuta, and Hon. Danielle J. Forrest) focused on the extent to which CIPA, which was enacted in 1967 to address telephone and telegraph communications, can be extended to cover internet-based communications. Plaintiffs in these cases allege that companies unlawfully tracked or allowed third parties to track website visitors’ interactions with a website without proper consent. The parties’ briefs and the Court’s questioning centered on several critical issues, including: the applicability of the first clause of CIPA Section 631(a) to the Internet;[1] whether website operators can be directly liable for “intercepting” communications to which they are a party, or only for aiding and abetting a third-party in doing so; the sufficiency of plaintiffs’ pleadings and evidence regarding real-time interception by third-party vendors; and whether California courts have personal jurisdiction over out-of-state defendants based on the operation of interactive websites.
In Gutierrez v. Converse Inc., the panel expressed doubt about applying CIPA’s first clause to Internet communications, repeatedly noting the statute’s text and its focus on telephone and telegraph technologies. The judges questioned whether the California legislature intended for the first clause of Section 631(a) to cover modern digital communications, especially given its text and the existence of more recent statutes specifically addressing online privacy, such as the California Consumer Privacy Act. Converse’s counsel emphasized that the plain text of the first clause of Section 631(a) does not apply to the Internet, and that the record contained no evidence concerning the first clause of Section 631, or that Salesforce, the third-party chat provider, read, attempted to read, or accessed any of plaintiff’s chat communications while they were in transmission to their intended recipient.
In Mikulsky v. Bloomingdale’s, LLC, the focus shifted to whether plaintiffs adequately pled that the session replay software (FullStory) had intercepted the “contents” of communications, such as names, addresses, and credit card information, or merely collected non-content “record data” like mouse movements and clicks. The panel explored the technical configuration of session replay tools and the plausibility of plaintiffs’ allegations at the pleading stage, raising concerns about how a consumer could know what data is actually collected without discovery.
In Thomas v. Papa John’s International, Inc., the panel pressed the plaintiffs on whether their complaint sufficiently alleged that the third-party vendor, FullStory, was an “eavesdropper” and whether Papa John’s had aided and abetted any such eavesdropping. The judges appeared skeptical that the facts, as pled, supported a direct liability claim against Papa John’s, and discussed whether the plaintiffs should be allowed to amend their complaint to clarify an aiding and abetting theory. The Court also questioned whether it was possible for Papa John’s to be liable for intercepting communications when it is a direct party to the conversation with the website visitor.
In both Bloomingdale's and Papa John's, the panel also addressed the respective cross-appeals challenging the lower court's rejection of the argument that the court lacked jurisdiction over the CIPA claims because Papa John’s and Bloomingdale’s lacked sufficient connections to California. However, the panel appeared skeptical that websites that allowed orders to be placed for pick-up in California were not sufficiently connected to California for purposes of their CIPA claims, with Judge Forrest at one point noting, “[i]f you had a website that was just informational, maybe your argument would work.”
Ninth Circuit Affirms Dismissal of Papa John’s Session Replay Case: Direct Party Exception Bars CIPA Claim
Quickly, on June 18, 2025, the Ninth Circuit issued its first decision, an unpublished memorandum affirming the dismissal of the session replay lawsuit against Papa John’s.
Citing longstanding California precedent, the Ninth Circuit panel explained that “a party to a conversation cannot be liable under section 631 for ‘eavesdropping’ on its own conversation.” Because Papa John’s was itself a party to the online interactions at issue—i.e., the users’ communications through session replay—the court found that the direct liability claim failed as a matter of law. The court further noted that the plaintiff did not allege that Papa John’s aided or abetted a third party in eavesdropping, though the court took no position on whether such a claim would be viable. As a result, the Ninth Circuit affirmed the district court’s dismissal of the CIPA claim.
In addition to the CIPA issue, the Ninth Circuit addressed Papa John’s cross-appeal challenging personal jurisdiction. The court rejected Papa John’s argument that it was not subject to suit in California, holding that its interactive website “appeals to, and profits from, an audience in” California. Applying the standard from Briskin v. Shopify, Inc., the panel found that the plaintiff’s allegations concerning Papa John’s purposeful direction of its website activities toward California consumers, and the alleged collection of user information from those consumers, was sufficient to establish personal jurisdiction.
Ninth Circuit Revives CIPA Claim Against Bloomingdale’s: Pleading Standard Clarified, Exposure for Website Tracking Expanded
On June 20, 2025, the Ninth Circuit issued another unpublished decision in Mikulsky, reversing the district court’s dismissal of a proposed class action alleging violations of CIPA based on Bloomingdale’s use of session replay technology. The court held that the plaintiff had sufficiently alleged that the defendant aided, agreed with, employed, or conspired with at least one third-party session replay provider to enable the third parties to read, attempt to read, or learn “the contents or meaning of any message, report, or communication while the same [was] in transit or passing over any wire, line, or cable, or [was] being sent from, or received at any place within this state,” without the consent of all parties.
Rejecting Bloomingdale’s argument that the complaint failed to allege the “contents” of communications were intercepted, the panel found that the complaint alleged the real-time capture of the contents of her communications on Bloomingdale’s website—including names, addresses, credit card information, and product selections—by a third-party vendor, not merely the collection of non-content “record data” such as mouse movements or clicks. The court emphasized that the complaint plausibly alleged that these contents were disclosed to FullStory without the plaintiff’s consent, and that masking of text fields by default did not defeat the plausibility of the claim at the pleading stage.
The court also affirmed that Bloomingdale’s is subject to personal jurisdiction in California. The panel found that the plaintiff’s allegation that the website “appeals to, and profits from, an audience in” California and is used to collect information intentionally from users, knowing that privacy harms will be suffered in the state, was sufficient. This holding aligns with the Ninth Circuit’s recent application of Briskin in the Thomas case.
Implications from Thomas and Mikulsky
The Ninth Circuit’s decision in Thomas offers important guidance for businesses facing CIPA claims related to their use of website chat, analytics, or session replay technologies. The court held that, under current law, a website operator cannot be held directly liable for “eavesdropping” on communications in which it is itself a participant. This outcome is consistent with the prevailing view among district courts and longstanding California precedent, providing a measure of certainty for companies that operate interactive websites and use such tools to engage with consumers.
Notably, however, the Thomas ruling did not foreclose all potential CIPA liability for website operators who deploy such technologies. The court expressly left open the possibility that a website operator could be liable under an “aiding and abetting” theory—specifically, where the operator is alleged to have enabled or assisted a third party in the unauthorized interception of user communications.
Just two days later, the Ninth Circuit’s decision in Mikulsky further clarified the landscape, signaling a more plaintiff-friendly standard at the pleading stage for CIPA website tracking cases. The court held that it may be enough, at least for purposes of surviving a motion to dismiss, for a plaintiff to allege that a session replay provider had the technical ability to intercept the contents of communications and that such interception plausibly occurred—even if the consumer cannot know the precise configuration of the tracking tool before discovery. The court rejected arguments that plaintiffs must plead detailed technical facts about how the tool was set up on a particular website, recognizing the practical difficulty for consumers to access such information pre-litigation.
The Mikulsky decision may therefore expand potential CIPA exposure for companies that use tracking technologies without providing clear, advance notice and obtaining user consent. By lowering the bar for what plaintiffs must allege to move forward, the Ninth Circuit may have increased litigation risk for businesses that deploy third-party analytics or customer service tools capable of capturing the contents of user communications. Companies should carefully review their use of such technologies and ensure that privacy disclosures and consent mechanisms are robust and transparent.
Unresolved Questions
With the Ninth Circuit’s decisions in Thomasand Mikulskyin the rearview, all eyes turn to the remaining appeal: Gutierrez.
In amicus briefs in the three appeals and in other litigations in both federal and state court in California, the business community has urged courts to clarify that CIPA’s first clause does not apply to Internet-based communications. Businesses emphasize that the first clause of Section 631(a) was enacted to address wiretapping of telegraph and telephone systems, not Internet communications, and that the California legislature has since enacted specific statutes to regulate online privacy. In essence, while both clauses aim to protect communication privacy, the first targets the illicit physical or technical act of making a connection with a telephone or telegraph wire, which is arguably easier to prove because, unlike the second clause, it does not require proving that the “contents or meaning” of communications were captured “in transit”.. Although requiring plaintiffs to prove more, the second clause has proven more versatile and has been frequently invoked in the digital age due to the fact that its text does not limit its application to telegraph or telephone wires and communications systems, like the first clause does. One amicus brief highlighted the practical consequences of an expansive interpretation of CIPA, noting that hundreds of lawsuits and demand letters have been filed based on the theory that routine website features violate the statute. This litigation surge exposes businesses to massive potential liability for standard analytics tools, and if courts interpret the first clause of CIPA Section 631(a) to cover internet-based tools, potential liability would be expanded and businesses may be forced to curtail or abandon widely used chat and analytics features altogether, undermining customer service and innovation.
Conclusion
The Ninth Circuit’s recent decisions in Thomas and Mikulsky could reshape the contours of online privacy law in California. While the court has confirmed that website operators cannot be held directly liable for eavesdropping on their own conversations, it has also stated that companies may face liability for aiding third-party vendors in intercepting the contents of user communications—especially where consent is lacking and the technical capability for interception exists. The forthcoming decision in Gutierrez may be pivotal in determining the reach of CIPA and the future of privacy litigation for internet-based business practices. The panel’s questioning suggests a reluctance to extend CIPA’s first clause to Internet communications, but the legal landscape remains unsettled. Businesses should review their website tracking and consent practices in light of these developments and remain vigilant as the Ninth Circuit continues to define the boundaries of digital privacy protections.
The Ninth Circuit’s decisions in these cases may have far-reaching consequences for online businesses operating in California and beyond. Companies should stay informed and consult counsel regarding compliance with evolving privacy laws and best practices for website communications and data collection.
[1] Although the Ninth Circuit has found that the second clause of Section 631 applies to the internet, because the first clause of Section 631 is limited only to wiretapping of “any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system,” lower courts have generally found that it is limited to telephony, and does not apply to the internet. If the first clause of Section 631 were to apply to the internet, the risk of liability under Section 631 would be expanded because, unlike the second clause, the first clause of section 631 is not limited to communications that a third party has “read or attempted to read” or to communications that were intercepted while they were in transmission to their intended recipient.