In 2022 there was a wave of class action litigation brought under state wiretapping laws, including the California Invasion of Privacy Act (CIPA), against website operators that use chat features and session replay software. See, e.g., Claburn, Thomas, Intel accused of wiretapping because it uses analytics to track keystrokes, mouse movements on its website, The Register (available at Intel accused of wiretapping because it uses analytics to track keystrokes, mouse movements on its website • The Register). This type of litigation is also present in other states, including Florida and Pennsylvania. A number of plaintiffs’ attorneys who specialize in class action litigation have seized on CIPA section 631 claims. The number of such cases, with virtually identical “cookie cutter” complaints, has exploded.
These actions have been spurred in part by a recent unpublished Ninth Circuit decision in Javier v. Assurance IQ, LLC. In Javier, the Ninth Circuit reversed a district court’s dismissal of a CIPA claim and held that retroactive consent is not a viable defense. However, Javier did not hold there was a violation of CIPA based on the allegations, nor did the court touch on any of the defendant’s other defenses.
Website operators that utilize chat features and session replay technology face increased litigation exposure. Nonetheless, they have a number of defenses and options available to them. This article will explore the legal landscape concerning CIPA claims in the context of session replay software and chatbot technology, and strategies to reduce risk and to respond to such claims.
What is CIPA and what is the basis for the claims? The CIPA, section 630 et seq., was enacted in 1967 and prohibits recording and eavesdropping on private communications. Its purpose is “to protect the right of privacy by, among other things, requiring that all parties consent to a recording of their conversation.” Flanagan v. Flanagan, 27 Cal. 4th 766, 769 (2002). Section 631(a) of California’s Penal Code provides for civil in addition to criminal liability for “wiretapping,” and states as follows:
(a) Any person  who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or  who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or  who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or  who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section . . . .
The Supreme Court of California has distilled this down to “three distinct and mutually independent patterns of conduct: intentional wiretapping, wilfully attempting to learn the contents or meaning of a communication in transit over a wire, and attempting to use or communicate information obtained as a result of engaging in either of the previous two activities.” Tavernetti v. Superior Court of San Diego Cty., 583 P.2d 737, 741 (Cal. 1978). Under section 631(a), if a person secretly listens to another’s conversation, the person is liable. Ribas v. Clark, 38 Cal. 3d 355, 359 (1985). A prevailing plaintiff is entitled to recover the greater of the following: five thousand dollars per violation or three times the amount of actual damages, if any. Cal. Penal Code § 637.2(a). Courts have held the statute does not require proof of actual damages.
In In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020), the Ninth Circuit addressed a CIPA section 631(a) action in which the plaintiffs alleged Facebook improperly used plug-ins to track logged-out users’ browsing histories when they visited third-party websites and then compiled those browsing histories for sale to advertisers. The Ninth Circuit held that in the context of forwarding and duplication of “GET requests” to Facebook’s servers, Facebook did not qualify for the “party exemption”—i.e., an exemption from CIPA liability for a person who is a party to the communication. Id. (citing Warden v. Kahn, 99 Cal. App. 3d 805 (1979)). The Ninth Circuit emphasized that only third parties can wiretap communications (not the actual parties to the communication), but concluded that where an entity surreptitiously duplicates transmissions between two parties, it does not qualify for the exemption.
What technology is at issue? The new wave of wiretapping cases center around technology that is commonly-used across websites. Session-replay technology collects data concerning on-website keystrokes and mouse movements such as clicking, scrolling, swiping, and typing. A video is then created of the website visitor’s interactions with the website. The visitor’s data, including date and time of visit, IP address, browser and operating system, and geographic location may be recorded. If a visitor enters personally identifiable information—for example, to purchase a product using a credit card—that information may also be recorded. Typically, a website operator uses a software vendor’s code to capture the website interactions, which can then be reviewed by viewing the “video” of the website interactions.
The more recent wave of actions further allege violations based on a website’s use of a virtual chatbot, which permits a website visitor to engage in a text conversation with a virtual assistant or customer service representative. The plaintiffs in these actions allege the website operator defendants have “covertly” embedded code to record “transcripts” of conversations and allow a third-party vendor to obtain and store these chat communications. This, plaintiffs contend, constitutes a violation of state wiretapping laws based on the involvement of the third-party vendor in providing the underlying chat service or video recording. In turn, the plaintiffs allege the website operators have aided and abetted the violation through use of the third-party technology vendor. The first prong of section 631(a) has been considered to apply only to telegraph or telephone allegations, see Mastel v. Miniclip SA, 549 F. Supp. 3d 1129, 1135 (E.D. Cal. 2021) (noting “overwhelming weight of authority” adopting interpretation that clause applies only to wiretapping of a “telegraph or telephone”), and the third prong applies only if a plaintiff alleges an attempt to use or communicate the information.
The application of the wiretapping act might be considered an odd fit in this context. At the threshold, plaintiffs are attempting to apply the act to a person’s interaction with a public website. Compare this to the secretive listening-in to a private telephone conversation which the wiretap act was designed to prohibit. See, e.g., Ribas, 38 Cal. 3d at 359 (“the legislature could reasonably have contemplated that section 631, subdivision (a), would prohibit the type of surreptitious monitoring of private conversations,” where a third party monitored a husband’s private conversation with his former wife). It is also questionable whether the typical user of a modern website would be surprised the website uses analytics provided by a third party.
The Ninth Circuit first held that although “written in terms of wiretapping,” section 631 applies broadly “to Internet communications;” it “makes liable anyone who ‘reads, or attempts to read, or to learn the contents’ of a communication ‘without the consent of all parties to the communication.’” Javier, 2022 WL 1744107, at *1 (citation omitted). The court then held that CIPA requires “the prior consent of all parties to a communication,” and retroactive consent does not suffice. Because the plaintiff had alleged that he did not provide consent prior to the alleged recording, the Ninth Circuit reversed the district court’s order dismissing the case. However, the Ninth Circuit expressly stated that its holding narrowly applied to the issue of consent and did “not reach [d]efendants’ other arguments, including whether Javier impliedly consented to the data collection, whether ActiveProspect is a third party under Section 631(a), and whether the statute of limitations has run.”
Litigation risks. Section 631(a) presents a litigation risk for any company that uses chatbot or session reply technology on its website. Even where meritorious defenses exist, there is still the threat of litigation, with its attendant costs and fees, including those required to respond to any complaint and any discovery that plaintiffs seek pending any motion to dismiss. But see Zarnesky v. Adidas Am., Inc., No. 6:21-CV-540-PGB-GJK, 2021 WL 3729230, at *1 (M.D. Fla. June 10, 2021) (in session replay case, granting defendant’s motion to stay discovery until the court rules on defendant’s motion to dismiss, although recognizing that the situation is “rare”).
For defendants facing such wiretapping lawsuits, aside from obtaining express prior consent, a number of defenses may be available.
Implied consent. The Ninth Circuit in Javier explicitly left open whether implied consent could serve as a potential defense on remand. The contours of this argument have not yet been litigated, including what might qualify as sufficient implied consent. Section 631(a) prohibits conduct “without . . . consent.” At least one court in the Ninth Circuit has opined that consent may be “express or implied.” Calhoun v. Google LLC, 526 F. Supp. 3d 605, 620 (N.D. Cal. 2021); see Cal. Prac. Guide Civ. Pro. Trial Claims and Def. Ch. 4(VII)-B (in context of misappropriation claim, “[c]onsent may be implied from plaintiff’s action or inaction”); Jones v. Corbis Corp., 815 F. Supp. 2d 1108, 1113-1114 (C.D. Cal. 2011) (actress impliedly consented to posting of “red carpet” photographs on defendant’s website for sale where she knew photos would be taken and that custom and practice in entertainment industry was to widely use and disseminate such photos”) (applying California law); Hill v. Nat’l Collegiate Athletic Assn., 7 Cal. 4th 1, 26 (1994) (“[T]he plaintiff in an invasion of privacy case must have conducted himself or herself in a manner consistent with an actual expectation of privacy, i.e., he or she must not have manifested by his or her conduct a voluntary consent to the invasive actions of defendant.”); Adler v. Community.com, Inc., No. 2:21-CV-02416-SB-JPR, 2021 WL 4805435, at *5 (C.D. Cal. Aug. 2, 2021) (in CIPA context the “‘critical question’ for determining consent is whether the party in question ‘had adequate notice’ it was being surveilled.”); but see Javier v. Assurance IQ, LLC, No. 20-CV-02860-CRB, 2023 WL 114225, at *3 (N.D. Cal. Jan. 5, 2023) (on remand, concluding defendant had not demonstrated that plaintiff continued to use the website after having constructive notice that his communications may be intercepted). Accordingly, and based on the specific allegations, if a user visits a website and is made aware that the information the user enters is being collected, recorded or processed by a third party vendor, but continues to use the website, that might be sufficient to constitute implied consent to the collecting, recording or processing of interaction information. As in other contexts, whether a consent defense will be available will likely depend on the specific facts, such as the notice provided, the content of that notice, and whether any notice is conspicuous.
Party exception. To plead a CIPA violation, a plaintiff must allege the person intercepting the communication was a third party, not a party to the communication. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d at 607 (explaining CIPA “contain[s] an exemption from liability for a person who is a ‘party’ to the communication”); Ribas, 38 Cal. 3d at 359 (“Section 631 was aimed at … eavesdropping, or the secret monitoring of conversations by third parties.”). A number of federal district courts in California considering session replay software CIPA claims have dismissed the claims based on the party exemption. Instead, courts have concluded that these software vendors provide a service for the website operator to analyze its own data. See Graham v. Noom, Inc., 533 F. Supp. 3d 823, 833 (N.D. Cal. 2021) (the vendor “provide[d] a tool … that allows [the website operator] to record and analyze its own data.”); Yale v. Clicktale, Inc., No. 20-CV-07575-LB, 2021 WL 1428400, at *3 (N.D. Cal. Apr. 15, 2021) (“Clicktale is not a third-party eavesdropper. It is a vendor that provides a software service that allows its clients to monitor their website traffic.”); Johnson v. Blue Nile, Inc., No. 20-CV-08183-LB, 2021 WL 1312771, at *2 (N.D. Cal. Apr. 8, 2021) (same); Williams v. What if Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275, at *3 (N.D. Cal. Dec. 22, 2022) (same). Other courts, however, have reached the opposite conclusion. See Revitch v. New Moosejaw, LLC, No. 18-cv-06827-VC, 2019 WL 5485330, at *1 (N.D. Cal. Oct. 23, 2019) (involving a marketing company that partnered with e-commerce sites to intercept visitor data and create marketing databases of consumer information); Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 521 (C.D. Cal. 2021) (where third party vendor had simultaneous access to website communications, no party exemption was applicable); Yoon v. Lululemon United States, 549 F. Supp. 3d 1073, 1077 (C.D. Cal. 2021) (claim “survives [a] participant exception challenge because [plaintiff] alleges that [third party] captures, stores, and interprets her real-time data—which extends beyond the ordinary function of a tape recorder.”); Javier, 2023 WL 114225, at *5 (third party exemption did not apply because the plaintiff “pleads that ActiveProspect monitors, analyzes, and stores information about visits to Assurance's websites, and that Active Prospect can use that information for other purposes, even if Javier has not alleged that they have done so in this case . . . [which is] beyond the ordinary function of a tape recorder,” but claim dismissed on statute of limitations grounds) (citation and quotation marks omitted). As one court has phrased the question, it “boils down to whether [the vendor] was an independent third party hired to eavesdrop on [the website operator]’s communications, or whether [the vendor]’s software was merely a tool that [the website operator] used to record its own communications with plaintiff.” Williams v. What if Holdings, LLC, No. C 22-03780 WHA, 2022 WL 17869275, at *3 (N.D. Cal. Dec. 22, 2022); see also Yoon, 549 F. Supp. 3d at 1081 (“The question thus becomes, in analogue terms: is Quantum Metric a tape recorder held by Lululemon, or is it an eavesdropper standing outside the door?”).
In the session replay software context, courts that have found there was not a violation of CIPA have concluded that the allegations amounted to the latter: the vendors provide a product that “function[s] as a recorder, not an eavesdropper,” for the website operator itself to collect information. See Williams, 2022 WL 17869275, at *3. However, complaints that include chatbot allegations may seek to avoid this argument by alleging the third party vendor is itself collecting and recording the communications that are being made to the website operator. Whether a “party” argument will be successful in defending against such claims may depend on the allegations of the complaint and the particular technology—for instance, whether the vendor provides software for chatbot functionality that is embedded code on a website, or whether a vendor itself collects, stores, and uses data, e.g., Revitch, 2019 WL 5485330 at *1-*2. Some complaints appear aimed at getting around this argument by alleging real-time, simultaneous access to chat communications by third party vendors. Further, this area of law is still evolving. See Javier, 2023 WL 114225, at *5 (summarizing split).
Content. Some courts considering motions to dismiss cases premised on the use of session replay software have dismissed claims, or parts of claims, to the extent they are predicated on non-content information. Section 631(a) prohibits the unauthorized access of the contents of any communications. In analyzing the federal Wiretap Act, the Ninth Circuit has explained that the “content” does not include “record information regarding the characteristics of the message that is generated in the course of the communication,” such as “the name, address and subscriber number or identity of a subscriber or customer.” In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). Some courts have held that, in the session replay context, CIPA claims may be subject to dismissal where the only information allegedly captured is the characteristics of a message, such as origin, date, and time information. See, e.g., Graham, 533 F. Supp. 3d at 833; Yale, 2021 WL 1428400, at *3; Johnson, 2021 WL 1312771, at *2. At least one district court considering a section 631(a) claim based on the use of chatbot technology concluded, in contrast, that where the plaintiff alleged she shared “sensitive personal information,” this was sufficient to allege that the conversations contained “more than mere record information,” and thus sufficed to state a claim under section 631(a). Byars v. The Goodyear Tire and Rubber Co., Case No. 5:22-cv-01358-SSS-KK, Dkt. 175 (C.D. Cal. February 3, 2023). The court concluded that a plaintiff need not “allege the exact contents of her communications” at the pleading stage. Id.
In transit. The second clause of section 631(a) requires that a defendant attempt to learn the contents of a communication while the communication is “in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within [California].” In other words, this requires both that the conduct occur while a communication is “in transit” or while a communication is “being sent” or “received,” and that the conduct occur within California. One district court case considering an application on an iPhone that copied content from another application held this conduct did not satisfy the “in transit” requirement because the content was obtained from “previously-sent or previously-received communications”—in other words, there was no allegation that the application “ever read or learned the contents of a communication while the communication was in transit, or in the process of being sent or received.” Mastel, 549 F. Supp. 3d at 1132 (emphasis added); see also Adler v. Community.com, Inc., No. 2:21-CV-02416-SB-JPR, 2021 WL 4805435, at *4 (C.D. Cal. Aug. 2, 2021); Quigley v. Yelp, Inc., No. 17-CV-03771-RS, 2018 WL 7204066, at *4 (N.D. Cal. Jan. 22, 2018) (“An ‘interception’ only occurs if communications are “acquired during transmission, not while [ ] in electronic storage.”). Whether this defense would apply to chatbot technology depends on the precise functioning of the technology and the allegations of any complaint. One district court recently concluded a plaintiff sufficiently stated a section 631(a) claim at the pleading stage by alleging the third-party service “‘intercepts in real time’ a website visitors’ chat conversation.” Byars v. The Goodyear Tire and Rubber Co., Case No. 5:22-cv-01358-SSS-KK, Dkt. 175 (C.D. Cal. February 3, 2023).
Article III injury. Where the plaintiffs had not alleged they entered any personal information on a website utilizing session replay software, at least one court has held that simply recording browsing activities does not suffice for a concrete injury as required for Article III standing in federal court. See Massie v. Gen. Motors LLC, 2022 WL 534468, at *2 (D. Del. Feb. 17, 2022) (“Plaintiffs do not have a reasonable expectation of privacy over the anonymized data captured by the Session Replay software at issue here,” and rejecting argument that there was a concrete injury to plaintiffs’ “interest in controlling their personal information” in these circumstances); but see In re Facebook, Inc. Internet Tracking Litig., 956 F.3d at 597-98 (standing for CIPA claim established where plaintiffs alleged privacy harms). The applicability of this particular argument to other cases will depend on the precise allegations regarding the content of the information at issue and, of course, the venue for the action.
Other potential defenses. Other defenses may also be available depending on the case, such as any statute of limitations defense. See Javier, 2022 WL 1744107, at *2.
Summary. Companies should ensure they comply with wiretapping laws and get ahead of this litigation—including by fully understanding the technologies used on their websites—and should consider implementing procedures to obtain express consent.