“Session replay” software is one of many website analytics tools targeted in wiretapping suits under the California Invasion of Privacy Act (“CIPA”). Last month, a California federal court confirmed one of the many reasons why the use of this software does not violate CIPA section 631: A defendant cannot “read” (or attempt to read) session replay data “in transit,” as CIPA requires, because “events recorded by” this software “do not become readable content until after they are stored and reassembled into a session replay.” Torres v. Prudential Financial, Inc., 2025 WL 1135088 (N.D. Cal. Apr. 17, 2025).
CIPA
Another California Court Rejects Privacy Claims Targeting Online Chat Feature
Plaintiffs’ lawyers have continued to bring privacy claims targeting businesses that use vendors to help provide beneficial chat features on their website, as we last reported here. Late last year, a Southern District of California judge dismissed another set of privacy claims challenging the routine use of these vendor services by Tonal, a popular smart home gym company named as the sole defendant in the lawsuit. Jones v. Tonal Systems, Inc., 751 F. Supp. 3d 1025 (S.D. Cal. 2024).
Plaintiff Julie Jones, a California resident, claimed that she had visited Tonal’s website and used its chat feature to communicate with a Tonal customer service representative. This chat feature allegedly incorporated an API run by another company to create and store transcripts of website visitors’ chats with Tonal’s customer service representatives. According to the complaint, this alleged conduct constituted wiretapping, which Tonal purportedly aided and abetted in violation of Sections 631 and 632.7 of the California Invasion of Privacy Act (“CIPA”). Plaintiff also asserted other privacy claims based on the same alleged conduct, including the California Unfair Competition Law (“UCL”) and the California Constitution’s right to privacy provision.
The Court granted Tonal’s motion to dismiss each of plaintiff’s claims on multiple grounds.
2021 Trends in Privacy Regulatory Enforcement and Litigation
2021 was another busy year for data privacy regulatory enforcement and litigation. With some distance to reflect on last year, we have prepared this post identifying and describing important trends from 2021 that can help provide insight into what to expect in the data privacy landscape in 2022.
Data Privacy Regulatory Enforcement Trends
Federal Trade Commission (FTC) and state enforcement action in 2021 centered on several key areas, including protecting children.
An FTC enforcement action last year alleged that the maker of an online coloring book application violated the Children’s Online Privacy Protection Act (COPPA) by collecting personal information about children who used the app without notifying their parents and obtaining their consent. The allegations note that the app included a “Kids” category that was targeted to children. The FTC further claimed that the app’s social media features collected personal information from users and that some parents, lacking knowledge of these features, may have inadvertently permitted their young children to use the app.
California Federal Court Examines Consent, Wiretap Claims, and Privacy Laws on Motion to Dismiss
A recent decision from the Northern District of California on a motion to dismiss examined consent and other key privacy issues. The putative class action claimed that payment processing company Stripe Inc. collected and used personal information from visitors to merchant partners’ websites in violation of various privacy laws, including the California Invasion of Privacy Act, Florida Security of Communications Act, and Washington’s wiretap law.
Humana’s Quality Assurance Calls Not Exempted From CIPA
On Wednesday, a federal judge in the Central District of California denied Humana Pharmacy Inc.’s motion to dismiss a putative class action suit alleging the company illegally recorded telephone calls with customers, finding that the California Invasion of Privacy Act (“CIPA”) does not exempt quality assurance recordings.
In its motion to dismiss, Humana argued that CIPA exempts “service observing,” or a business’s recording of calls between its employees and customers for quality assurance purposes. Judge Josephine Staton Tucker rejected Humana’s interpretation of the statute and further found that plaintiff’s complaint did not allege that Humana recorded the call for service observing purposes, refusing to read such purpose into the allegations.
The court also rejected Humana’s contention that plaintiff’s complaint failed to allege that the company did not provide proper notice to him at the outset that the call was being recorded. The court held that plaintiff’s allegation that he was not warned “at any point during the telephone conversation” was sufficient at the pleadings stage, but acknowledged that the issue could be raised again in a motion for summary judgment.
New Holding That CIPA Not Preempted By Federal Wiretap Act
Adding to a growing body of decisions considering federal preemption of the California Invasion of Privacy Act (“CIPA”), Judge Chen of the Northern District of California held yesterday that there is no complete preemption, either express or implied, by the federal Wiretap Act. As a result, Judge Chen granted plaintiff’s…
California Privacy Claims Survive Motion to Dismiss In NebuAd Lawsuit
In a recent order, Judge Henderson of the District Court for the Northern District of California denied NebuAd Inc.’s motion to dismiss in Valentine v. NebuAd Inc., No. C08-05113 TEH, finding that plaintiffs had sufficient statutory standing to assert claims under the California Invasion of Privacy Act (“CIPA”) and the California Computer Crime Law (“CCCL”) and that these claims were not preempted by the federal Electronic Communications Privacy Act (“ECPA”).
With respect to standing, the Court found that the California Legislature did not intend to limit the right of action under CIPA and CCCL to in-state plaintiffs, and, thus, the out-of-state plaintiffs in this action could bring suit against a California defendant (NebuAd). (Notably, this analysis pertained to standing under these specific California statutes, not the Article III constitutional standing that was at issue in the recent RockYou decision, which we wrote about here). On the preemption issue, the Court rejected the Central District of California’s holding in Bunnell v. Motion Picture Ass’n of Am. that ECPA preempted a CIPA claim. Instead, the Court said it was more persuaded by the California Supreme Court’s contrary holdings that ECPA does not preempt CIPA in People v. Conklin and Kearney v. Salomon Smith Barney.