The Ninth Circuit recently heard oral arguments in two critical appeals examining the application of the California Invasion of Privacy Act (“CIPA”) to website tracking technologies, issuing a ruling in one case shortly after. Both cases arose from class action lawsuits against retailers, with plaintiffs alleging that the defendant companies deployed tools like session replay software and chatbots to monitor website visitor interactions and transmit data to third parties without consent, violating CIPA Section 631.
Mikulsky v. Bloomingdale’s, LLC: A Win for Plaintiffs
In Mikulsky, the plaintiff alleged that Bloomingdale’s employed third-party session replay software that captured users’ mouse movements, clicks, keystrokes, URLs, and other electronic interactions. The amended complaint argued that the session replay vendor’s technology could index and search all user sessions and create user “fingerprints” to track individuals across multiple websites. The district court initially dismissed the claims, finding these details did not constitute the “contents” of a communication under CIPA. See 713 F. Supp. 3d 833, 845 (S.D. Cal. 2024).
However, the Ninth Circuit reversed, holding that the plaintiff plausibly alleged that Bloomingdale’s “aided, agreed with, employed, or conspired with” the vendor to intercept the contents of her communications in real time. Rejecting Bloomingdale’s argument, the Ninth Circuit panel found that the complaint alleged the real-time capture of the contents of the plaintiff’s communications on Bloomingdale’s website — including names, addresses, credit card information, and product selections — and not merely the collection of non-content “record data” such as mouse movements or clicks. The Ninth Circuit also upheld jurisdiction over Bloomingdale’s, noting its website targets and profits from California consumers. See 2025 WL 1718225 (9th Cir. June 20, 2025).
Gutierrez v. Converse Inc., et al.: A Narrower View of CIPA
In Gutierrez, plaintiffs challenged Converse’s use of online chat features that allowed customers to communicate with service agents via text. They argued that these communications should fall under CIPA’s protections, drawing analogies to traditional telephone calls.
The district court granted Converse’s motion for summary judgment, holding that CIPA Section 631’s first clause applies exclusively to “telephone communications,” not internet-based chats. The court further held that the chat provider did not “willfully and without consent” intercept communications because transmissions were encrypted in transit and stored securely on password-protected servers. See No. CV 23-6547-KK-MARX, 2024 WL 3511648, at *8 (C.D. Cal. July 12, 2024).
During oral arguments, the Ninth Circuit’s Judge Bybee raised concerns about applying a statute drafted in 1967 to modern technologies, describing it as “very anachronistic.” The panel questioned whether the California legislature intended CIPA to apply to digital communications, especially when newer statutes like the California Consumer Privacy Act (CCPA) specifically address online privacy. See Gutierrez v. Converse Inc., et al., Case No. 24-4797.
A decision in Gutierrez is still pending.
Together, these cases signal a split approach from the Ninth Circuit — uncertainty remains about the CIPA’s scope in the digital age.