July was a busy month in the Ninth Circuit Court of Appeals for decisions related to the California Invasion of Privacy Act ("CIPA").  One case was particularly notable – the Ninth Circuit restored a consumer's proposed class action alleging that a department store's website session-replay technology collected consumers' personal information in violation of CIPA.  CIPA prohibits the unauthorized interception, eavesdropping, and recording of private communications without consent and has been interpreted to prohibit website owners from sharing the recorded contents of communications with online service providers. 

Companies that incorporate “session replay” technology on their websites have been hit with a swath of lawsuits related to the content that is collected by these technologies.  Session replay technology provides a video-like reconstruction of consumer's website interactions, capturing each click, scroll, keyboard input, and mouse movement.  The tracking technology allows website owners to gain an understanding of how users interact with their websites and identify places for improvement technically.  This technology has become a focus of CIPA claims, as plaintiffs’ attorneys argue that session replay allows for the recording of “contents of communications” and the transfer of such communications to third parties.

The case involving the department store is notable because the Ninth Circuit revived a portion of the plaintiff’s claim and therefore provided some guidance on how the courts may evaluate the scope of CIPA’s protections.  In the case, the consumer had alleged that the business violated CIPA by using tracking software to wiretap the plaintiff’s communications while she visited the store's website.  The claim was that the retailer utilized, without her consent, third party pixel tracking and "session replay" software to collect information such as mouse movements, clicks, keystrokes, URLs of web pages visited, and other electronic communications in real-time.  She claimed this was a recording of the contents of her communication, in violation of CIPA.

The district court disagreed, dismissing the plaintiff’s suit and finding that the intercepted data was not “communications” under CIPA.  The retailer's counsel argued that the CIPA claim could not be sustained because the third party vendor represented it had a way to “mask” text fields so it could not have viewed the contents of the transmitted data.  The Ninth Circuit rejected these arguments and found that the complaint provided sufficient facts to allege that the retailer “aided, agreed with, employed, or conspired with” the service providers to enable them to read or to learn “the contents or meaning” of any communication without the consent of all parties.  Cal. Penal Code § 631(a).  Thus, the Ninth Circuit found the evidence sufficient to sustain the claim of “aiding and abetting” and stated that the complaint alleged “real-time capture of the contents of communications” rather than mere information about “the characteristics of the communications.” 

As mentioned initially, July has been a busy month in the Ninth Circuit for CIPA claims.  This suit is one of three CIPA claims against retailers decided by the Ninth Circuit related to the retailers’ use of various tracking technology on their websites. In the other two cases, the Ninth Circuit upheld the lower courts’ dismissal of the CIPA claims, finding that the plaintiffs failed to sufficiently plead that the retailers aided a third party to eavesdrop on the plaintiffs’ communications without consent. Specifically, the Ninth Circuit found that although one plaintiff had facts to support a viable CIPA claim, the plaintiff “alleged a direct liability claim not an aiding and abetting theory,” and the retailer could not eavesdrop on communications if it was a party to those communications. In the second claim, the Ninth Circuit found that although CIPA could be interpreted to apply to modern tracking technology, the plaintiff failed to allege a “scintilla of evidence” that the communications tracked were actually read or accessed by the third party provider of the technology. 

To help minimize the risk of CIPA claims, businesses should carefully evaluate their use of session replay and other pixels on their platform, the nature of the data that is being collected (and why), and the data flows, and confirm that appropriate notice and consent is provided and collected.