On October 27, 2025, the Ninth Circuit affirmed in a memorandum opinion the dismissal of a proposed class action asserting that the owner of a cybersecurity browser extension violated the California Invasion of Privacy Act (“CIPA”) and the Electronic Communications Privacy Act (“ECPA”) by intercepting communications between extension-users and search engines. Karwowski v. Gen Digital, Inc., No. 24-7213, 2025 WL 3002610 (9th Cir. Oct. 27, 2025) (mem.).  The Court held that the Plaintiffs failed to allege that the Defendant was not a party to the communications.

Plaintiffs Grace Lau and Christopher Karwowski asserted that Gen Digital, Inc., the creator and owner of the browser extension Avast Online Security & Privacy (“AOSP”), intercepted their communications with internet search engines. Plaintiffs, who claimed that they installed the AOSP extension to protect against third-party tracking of their browsing activity, argued that the AOSP extension was a “known party to their browsing activity,” but that Gen Digital was not.

In affirming dismissal of Plaintiffs’ CIPA and ECPA claims, the Ninth Circuit concluded that Plaintiffs “not only fail to allege that Gen Digital is not a party to the communication but also explicitly acknowledge that Gen Digital is potentially a necessary party for website verification.” The Court explained that Plaintiffs described themselves as “Gen Digital and Avast’s users,” which was inconsistent with their argument that Gen Digital was “an unannounced second auditor” to the alleged communications. Furthermore, the Court observed that Plaintiffs failed to convincingly explain how AOSP could function without Gen Digital receiving at least some of AOSP users’ browsing data.

The Ninth Circuit’s opinion reinforces the vitality of the party exception to wiretapping claims under both state and federal laws, particularly where the defendant owns or operates the technology at issue.