The Ninth Circuit Briefly Speaks on CIPA Section 631

The Ninth Circuit recently issued two back-to-back memoranda of dispositions addressing claims under the California Invasion of Privacy Act (“CIPA”) Section 631 and the common law tort of intrusion upon seclusion. First, on June 18, 2025, the Court affirmed the dismissal of both the intrusion upon seclusion and Section 631 claims against Papa John’s International, Inc.¹ Two days later, the Court again affirmed dismissal of the intrusion upon seclusion claim, but reversed the dismissal of the Section 631 claim against Bloomingdale’s, LLC, holding that the plaintiff had adequately pleaded a violation of Section 631.²

Overview of CIPA Section 631 and Intrusion Upon Seclusion

California Penal Code § 631(a) prohibits the interception of communications while in transit, as well as attempts to read or learn the contents of such communications without consent. Some courts in California have interpreted Section 631(a) as “covering ‘three distinct and mutually independent patterns of action: [1] intentional wiretapping, [2] willfully attempting to learn the contents or meaning of a communication in transit over a wire, and [3] attempting to use or communicate information obtained as a result of engaging in either of the previous two activities.’”³ Further, many California courts, both federal and state, agree that a party to a communication cannot be directly liable under these three clauses “because parties to a conversation cannot eavesdrop on their own conversations.”⁴ “Contents . . . includes any information concerning the substance, purport, or meaning of that communication.” However, some courts have interpreted Section 631’s fourth clause as holding parties to a communication liable when they “aid[], agree[] with, employ[], or conspire[] with any person or persons to unlawfully do, or permit, or cause to be done any of” the acts covered under Section 631’s three clauses.⁵

As relevant to the recent Ninth Circuit decisions, the second clause prohibits a person from “willfully and without consent of all parties to the communication, or in any unauthorized manner,” reading or attempting to read “the contents or meaning of any message, report, or communication while the same is in transit.”⁶ The fourth clause prohibits a person from “acting with the third party in order to have the third party perform acts that violate the statute” and “[a]t the very least, [] requires both knowledge of the conduct that will violate the statute and a purpose of aiding, agreeing with, or employing the third party to commit those acts.”⁷

Under California common law,⁸ a claim for intrusion upon seclusion requires:

1. An intentional intrusion into a place, conversation, or matter in which the plaintiff has a reasonable expectation of privacy; and
2. That the intrusion be highly offensive to a reasonable person.

Thomas v. Papa Johns International, Inc.

In Thomas, the plaintiff alleged that after placing an order on Papa John’s website, the company used session replay technology to capture her interactions—including payment information—without her knowledge.⁹ The district court previously dismissed the plaintiff’s Section 631 claim without leave to amend, holding that the allegations focused on the defendant’s conduct rather than that of a third party.¹⁰ The court did allow plaintiff to amend her intrusion upon seclusion claim. In the second amended complaint, she alleged that Papa John’s used a third-party vendor’s session replay code to collect her mouse movements, clicks, keystrokes, and personal information (e.g., her name, address, credit card details), which was shared with third-party providers.¹¹

Notwithstanding the new allegations, the district court again dismissed the intrusion because the allegations still did not support the reasonable expectation of privacy nor the highly offensive to a reasonable person elements.¹²

To assess whether the plaintiff had a reasonable expectation of privacy, the court considered factors such as “[i] the customs, practices, and physical setting’ surrounding the activity, [ii] whether there was advance notice of any impending action, [iii] whether there was an opportunity to give voluntary consent, . . . [iv] the identity of the intruder, and the nature of the intrusion[,] . . . [v] ‘the amount of data collected, the sensitivity of data collected, [vi] the manner of data collection, and [vii] the defendant’s representations to its customers.’”¹³ The court determined that, while plaintiff’s new complaint described the general functionality of the session replay code, there still were no allegations “about the customs and practices related to Defendant’s activities.”¹⁴ Next, the court looked at the sensitivity of the data collected.¹⁵ Following other courts, the district court determined that the “mouse movements, clicks, keystrokes . . . , [and] URLs of web pages visited” that the defendant allegedly collected are “not something over which a consumer has an objectively reasonable expectation of privacy.”¹⁶ The court also determined that the plaintiff had no reasonable expectation of privacy in information she voluntarily provided to the defendant.¹⁷ Finally, the court determined that the defendant’s failure to give notice of its use of session replay, in and of itself, did not give rise to a reasonable expectation of privacy in a user’s website communications.¹⁸

On the highly offensive element, the court rejected plaintiff’s argument that it could not resolve this element at the pleading stage because the California Supreme Court “provided some clear and objective guidance as to the trial courts’ role in applying [the term ‘highly offensive’] at the pleading stage.”¹⁹ Addressing the merits, the court held that plaintiff’s allegations were too conclusory.²⁰ Specifically, while plaintiff alleged that defendant could use session replay to create “fingerprint” profiles (i.e., information “collected across all sites that the Session Replay Provider monitors”), she did not allege that Papa John’s actually used it in this manner.²¹

Mikulsky v. Bloomingdale’s LLC

In Mikulsky, the plaintiff similarly alleged that Bloomingdale’s embedded session replay technology on its website to collect detailed user information—such as mouse movements, clicks, keystrokes, URLs visited, and other electronic communications in real time— as well as other allegedly sensitive information. The court had previously dismissed the plaintiff’s Section 631 claim, holding that she failed to allege that the defendant intercepted the “contents” of her communication.²² It also dismissed the plaintiff’s intrusion upon seclusion claim, concluding that she had not established a reasonable expectation of privacy in her interactions with the defendant’s website.²³

In her second amended complaint, plaintiff alleged that Bloomingdale’s third-party session replay vendor “indexes all user sessions and can be searched for events, users, date & time constraints, clicked elements, URLs, time, location, CSS selectors, and countless other web elements.” She also claimed that the session replay vendor created fingerprints “to identify individual users by tracking their movements across multiple websites, including www.bloomingdales.com.”²⁴ To supplement her intrusion upon seclusion claim, plaintiff emphasized that the vendor was an uninvited third party that used session replay to intercept and record her website communications as the moment she visited the website.²⁵

Despite these new allegations, the court again dismissed both claims. It held that the session replay technology still only captured “record” information—not the “contents” of communications as required under Section 631.²⁶ As for the intrusion claim, the court held that the plaintiff’s allegations described the same conduct it had previously deemed non-offensive. 

The Ninth Circuit’s Thomas and Mikulsky Memoranda Dispositions

Thomas

The Ninth Circuit affirmed the district court’s dismissal of both the Section 631 and intrusion claims. It determined that the plaintiff failed to allege that the defendant aided a third party in eavesdropping—a necessary element to hold a party to the communication liable under Section 631. The court reiterated a party cannot eavesdrop on its own communications. It also agreed, without explanation, that the plaintiff had not sufficiently alleged the “highly offensive” element of her intrusion upon seclusion claim.

Mikulsky

The Ninth Circuit affirmed the district court’s dismissal of the plaintiff’s intrusion upon seclusion claim, but reversed the dismissal of the Section 631 claim. It determined that that the plaintiff had sufficiently alleged that Bloomingdale’s “aided, agreed with, employed, or conspired with” the vendor to intercept the contents of her communications with the website while in transit.²⁷

What Does This Mean For Your Business?

The Thomas and Mikulsky decisions provide important guidance for businesses facing CIPA Section 631 claims. While courts continue to scrutinize what constitutes the “contents” of a communication, the Ninth Circuit’s ruling in Mikulsky signals that allegations of the sharing of data with a third-party analytics vendor may survive dismissal. Because CIPA mandates statutory damages of $5,000 per violation, businesses should remain aware of the ongoing risks of private litigation under this statute. Businesses should carefully evaluate their use of session replay tools and ensure transparency in data collection practices. Further, both Thomas and Mikulsky provide some comfort to businesses that the Ninth Circuit does not believe users not have a reasonable expectation of privacy regarding the types of information shared with defendants in these two cases, such as names, mouse movements, clicks, keywords, URLs of webpages, product preferences, interactions on a website, and search words typed into a search bar—information that commercial websites regularly collect for analytics purposes.

---

¹ See Thomas v. Papa John's Int’l, Inc., 2025 WL 1704437, at *1 (9th Cir. June 18, 2025).

² Mikulsky v. Bloomingdale’s, LLC, 2025 WL 1718225, at *1 (9th Cir. June 20, 2025).

³ Garcia v. Build.com, Inc., 2023 WL 4535531, at *4 (S.D. Cal. July 13, 2023).

⁴ Id. (citing Warden v. Kahn, 99 Cal. App. 3d 805, 811 (1979) (distinguishing “eavesdropping by a third party” from “recording by a participant to a conversation”); Rogers v. Ulrich, 52 Cal. App. 3d 894, 899 (1975) (“It is never a secret to one party to a conversation that the other party is listening to the conversation . . . .”)). 18 U.S.C. § 2510 (federal Wiretap Act); see Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 517 (N.D. Cal. 2021) (definition of “contents” under CIPA mirrors Wiretap Act’s definition).

⁵ See, e.g., R.C. et al. v. Sussex Publishers, LLC, 2025 WL 1735994, at *5 (N.D. Cal. June 23, 2025) (holding that the plaintiff plausibly alleged a Section 631 claim against the defendant for aiding and abetting a third-party vendor to surreptitiously collect their information without their knowledge and consent); Rodriguez v. Ford Motor Co., 2024 WL 4957566, at *10 (S.D. Cal. Dec. 3, 2024) (same); Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1083 (C.D. Cal. 2021) (same).

⁶ Heiting v. Taro Pharms. USA, Inc., 709 F. Supp. 3d 1007, 1013 (C.D. Cal. 2023).

⁷ Smith v. YETI Coolers, LLC, 754 F. Supp. 3d 933, 942 (N.D. Cal. 2024).

⁸ See Mikulsky v. Bloomingdale’s LLC, 2024 WL 3091395, at *4 (S.D. Cal. May 14, 2024).

⁹ Session reply vendors typically “provide[] software to [their] clients . . . [that] records visitor data such as keystrokes, mouse clicks, and page scrolling[,]” and, “[t]hrough a function called Session Replay, [the vendor]’s clients can see a ‘playback’ of any visitor’s session.” Graham v. Noom, Inc., 533 F. Supp. 3d 823, 828 (N.D. Cal. 2021). “If the visitor is still on the site, the clients can see the session live.” Id. This software “provides online marketers, advertisers, and website designers with specific insights into website visitor behavior which they can use to target website visitors with marketing and advertising content.” In re BPS Direct, LLC, 705 F. Supp. 3d 333, 341 (E.D. Pa. 2023).

¹⁰ See Thomas v. Papa John’s Int’l, Inc., 2023 WL 6370641, at *1 (S.D. Cal. Aug. 14, 2023).

¹¹ See Thomas v. Papa John’s Int’l, Inc., 2024 WL 2060140, at *3, *5 (S.D. Cal. May 8, 2024).

¹² Id. at *4.

¹³ Id. at *1.

¹⁴ Id.

¹⁵ Id.

¹⁶ Id.

¹⁷ Id. at *5.

¹⁸ Id.

¹⁹ Id. at *6 (citing Mastel v. Miniclip SA, 549 F.Supp.3d 1129, 1140 (E.D. Cal. 2021)).

²⁰ Id. at *7.

²¹ Id.

²² Mikulsky v. Bloomingdale’s LLC, 713 F. Supp. 3d 833, 845 (S.D. Cal. 2024).

²³ Id. at 846.

²⁴ Mikulsky v. Bloomingdale’s LLC, 2024 WL 3091395, at *3 (S.D. Cal. May 14, 2024).

²⁵ Id.

²⁶ Id.

²⁷ 2025 WL 1718225, at *2.