CIPA Claims Stumble at Summary Judgment
Like a zombie apocalypse, hordes of California Invasion of Privacy Act (“CIPA”) claims have chased corporate defendants to court where they were held off for a time, until, clawing at the courthouse doors, CIPA claims broke through en masse in recent years. But now defendants have a new place of retreat: summary judgment.
CIPA Section 631(a), once a tool for targeting traditional eavesdropping—a practice long dead in the 21st century—has in recent years come back to life in the Internet age to threaten the ubiquitous use of website tracking technologies and chat features. Two recent decisions, Torres v. Prudential Financial, Inc. and Gutierrez v. Converse Inc., both decided at summary judgment, provide defendants with some hope of refuge where courts will decline to stretch CIPA’s outdated language to fit modern internet communications. These rulings not only underscore the evidentiary hurdles plaintiffs face at summary judgment, but also reflect a deeper judicial skepticism about applying 20th-century privacy laws to 21st-century technologies.
On April 17, 2025, a federal judge in the Northern District of California granted summary judgment to the defendants in Torres v. Prudential Fin., Inc.,1 concluding that a third party’s accessing of internet communications did not violate Section 631(a) because the access did not occur while the communications were “in transit.” This significant decision considered—and rejected—the theory that third-party website cookies can support a Section 631(a) claim.
Then, on July 9, 2025, the Ninth Circuit affirmed summary judgment against a plaintiff’s Section 631(a) claim in Gutierrez v. Converse Inc.2 In Gutierrez, the Ninth Circuit agreed with the district court that the plaintiff’s evidence,at most, only demonstrated that the defendant’s third-party vendor could read the plaintiff’s messages that were sent through the defendant’s chat feature, not that the messages were actually accessed in transit. Judge Jay Bybee’s concurring opinion was particularly helpful because it outlined CIPA’s legislative history and confirmed what many defendants have explained to district courts in these actions: Section 631(a)’s first clause—which prohibits wiretapping—simply does not apply to internet communications.
Overview of CIPA Section 631(a)
As discussed in our June Legal Update, California Penal Code § 631(a) prohibits the interception of communications while in transit, as well as attempts to read or learn the contents of such communications without consent. Some courts in California have interpreted Section 631(a) as “covering ‘three distinct and mutually independent patterns of action: (1) intentional wiretapping [of any telegraph or telephone wire, line, cable, or instrument]; (2) willfully attempting to learn the contents or meaning of a communication in transit over a wire; and (3) attempting to use or communicate information obtained as a result of engaging in either of the previous two activities.’”3 Courts have also interpreted Section 631(a) as having an additional fourth clause that holds parties to a communication liable when they “aid[], agree[] with, employ[], or conspire[] with any person or persons to unlawfully do, or permit, or cause to be done any of” the acts covered under Section 631(a)’s three clauses.4
Torres v. Prudential Financial, Inc.
The Torres plaintiffs alleged that after visiting the defendant-website operator’s website and entering their information on a webform to obtain a life insurance quote, the defendant used a third-party vendor’s “event listener” and “session replay” software to record their “clicks, mouse movements, and keyboard inputs” and recreate “the events that took place on the webform including” their “user-submitted data.”5 The plaintiffs brought a cause of action under the second clause of Section 631(a) on behalf of a putative class of website users.
According to the evidence at summary judgment, the defendants engaged a third-party vendor for incorporation of its software product “TrustedForm” into the defendants’ online webform.6 TrustedForm functions as follows: when “a user interact[s] with [a] webform, TrustedForm” collects and records user data “using a software tool called ‘event listeners.’” These “[e]vent listeners detect button clicks, mouse movements, and keyboard inputs.” TrustedForm then “generates a ‘TrustedForm Certificate’” with “the event data and sends a corresponding ‘TrustedForm Certificate URL’ to the website owner.” The TrustedForm Certificates are encrypted and have a “session replay,” which is “a recreation of the events that took place on the webform including, but not limited to, any user-submitted data.” Website owners can “retrieve a TrustedForm Certificate,” using the “the associated TrustedForm Certificate URL.” Further, certain third-party vendor employees can “view TrustedForm Certificates and session replays,” but “only for troubleshooting purposes.”
The Torres defendants moved for summary judgment on two grounds: (1) the third-party vendor was not a third-party eavesdropper for purposes of CIPA, and (2) even if it did eavesdrop, the third-party vendor did not “read[], or attempt[] to read, or to learn the contents or meaning of” the content of plaintiffs’ communications while they were “in transit.”7
The court granted the defendants’ motion for summary judgment because there was no evidence plausibly indicating “that [the third-party vendor] reads or attempts to read the contents of the communication while they are in transit.” (emphasis added). While certain third-party vendor employees have access to the TrustedForm Certificates, the court concluded that this fact “has no bearing on whether Defendants read the communications while they were in transit.” The court explained that reading a communication under CIPA “requires an attempt to understand or interpret the substantive meaning of a communication,” but “the events recorded by TrustedForm do not become readable content until after they are stored and reassembled into a TrustedForm session replay.” (emphasis added). At most, the plaintiffs “demonstrate[d] that [the third-party vendor] could have learned the substantive meaning of TrustedForm Certificates by accessing client accounts or viewing event log files.” But the plaintiffs “fail[ed] to provide any evidence indicating that [the third-party vendor] did so” while the data remained in transit.
In reaching this conclusion, the court also rejected plaintiffs’ argument that “a strict interpretation of” the in-transit requirement “would mean that CIPA could never apply in the context of the [I]nternet,” noting that plaintiffs’ interpretation of that requirement “would stretch CIPA’s statutory language too far” and would “encompass any hypothetical future attempt to read or understand the meaning of a communication.”8
Gutierrez v. Converse Inc.
District Court Proceedings: The Gutierrez plaintiff alleged that after visiting the defendant’s website and using its customer service chat feature, the defendant used a third-party vendor to record and “surveil” her conversations in the chat.9 The plaintiff alleged violations of the first second, and fourth clauses of Section 631(a).
According to the evidence at summary judgment, the defendant utilized a third-party vendor’s “Service Cloud” application feature. Through this feature, a user that uses the website chat feature is given an individualized Service Cloud application and a unique third-party vendor-owned URL.10 The user’s messages are encrypted and sent from the user’s device to the application and stored on the third-party vendor’s servers.11 Because the user’s communications are sent “in different packets,” the context required to interpret them is unavailable until after the defendant receives them. The defendant’s chat data is password protected, and according to the defendant’s expert, the only time the third-party vendor might have access to the chat data is if the defendant requests technical assistance.
The district court held that the first clause of Section 631(a) did not apply to internet communications.12 In doing so, the court distinguished other cases holding to the contrary as unpersuasive. The court also held there was no violation of the second clause of Section 631(a) because the plaintiff failed to present evidence that the third-party vendor intercepted her messages while in transit.13 Although the plaintiff’s messages were rerouted to a third-party vendor-owned URL, the court explained that this does not establish that the messages were sent directly to the third-party vendor or that the vendor read those messages. Moreover, although the defendant permitted vendor access to the Service Cloud dashboard, the plaintiff presented no evidence that this access enabled the third-party vendor to read hermessages while in transit. And because the court held that the third-party vendor did not violate Section 631(a), the defendant did not violate the fourth clause—i.e., it did not aid and abet the third-party vendor in violation of CIPA.14
Ninth Circuit’s Memorandum of Disposition: In an unpublished decision, the Ninth Circuit affirmed the district court’s order granting summary judgment against the plaintiff’s Section 631(a) claim.15 First, the Ninth Circuit determined that there was no evidence establishing that the third-party vendor violated Section 631(a)’s first clause—i.e., that it made an unauthorized connection through “a telephone wire, line, cable, or instrument with the messages sent by Gutierrez.” Next, the Ninth Circuit concluded that the third-party vendor likewise did not violate Section 631(a)’s second clause because the plaintiff’s evidence merely showed, at best, that the third-party vendor “could read messages sent through the [defendant’s] chat feature”—not that it actually read the plaintiff’s messages.
Judge Bybee concurred in a separate opinion to emphasize his view that “[Section] 631(a)’s first clause does not apply to internet communications.” Judge Bybee pointed out that, contrary to telephones in 1967 (which was when the legislature enacted CIPA), “[t]oday, our smartphones not only lack wires, but they also are cameras, atlases, phone directories, music players, weather stations, newspapers, clocks, and more. Most important, smartphones are mini-computers capable of accessing the internet, something the California legislature had never heard of (or could have imagined) in 1967.”16 For this reason, according to Judge Bybee, “simply sending a message on an iPhone (and through an internet browser) does not automatically implicate § 631(a).” CIPA’s primary purpose was “the wiretapping of a telephone call.” It is therefore up to the California legislature to amend CIPA and include language that encompasses new technology created after 1967—as Judge Bybee put it, “[i]t is not our job to do it for them.”1
What Does This Mean For My Business?
Gutierrez—although an unpublished case and therefore non-binding—and Torres both provide some hope of defense to meritless Section 631(a) actions. In particular, these cases explain that, at the very least, Section 631(a) claims premised on post-transit data access are not viable. And Judge Bybee’s concurrence is particularly helpful for wiretapping claims, suggesting that Section 631(a)’s first clause categorically does not apply to internet communications.
1 2025 WL 1135088, at *5 (N.D. Cal. Apr. 17, 2025).
2 Gutierrez v. Converse Inc., 2025 WL 1895315, at *1 (9th Cir. July 9, 2025).
3 Garcia v. Build.com, Inc., 2023 WL 4535531, at *4 (S.D. Cal. July 13, 2023).
4 See, e.g., R.C. et al. v. Sussex Publishers, LLC, 2025 WL 1735994, at *5 (N.D. Cal. June 23, 2025) (holding that the plaintiff plausibly alleged a Section 631(a) claim against the defendant for aiding and abetting a third-party vendor to surreptitiously collect their information without their knowledge and consent); Rodriguez v. Ford Motor Co., 2024 WL 4957566, at *10 (S.D. Cal. Dec. 3, 2024) (same); Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1083 (C.D. Cal. 2021) (same).
9 Gutierrez v. Converse Inc., 2023 WL 8939221, at *1 (C.D. Cal. Oct. 27, 2023) (denying the defendant’s motion to dismiss).
10 Gutierrez v. Converse Inc., 2024 WL 3511648, at *2 (C.D. Cal. July 12, 2024) (granting summary judgment).
12 Gutierrez, 2024 WL 3511648, at *6.
