Late last year, our colleagues highlighted a wave of class action litigation asserting novel claims under state wiretap laws against website operators that use session replay software and chatbots on consumer websites.  Federal district courts in California have now ruled on the first round of chatbot cases, most brought by a handful of “tester” plaintiffs under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630 et seq., and have nearly uniformly rejected the claims.  These initial favorable rulings should be helpful for defendants facing similar claims.

Plaintiffs Allege Recording Website Chats Is a Wiretap in Violation of CIPA §§ 631, 632.7

Plaintiffs alleged that defendants’ websites used third-party software to automatically record and create transcripts of all conversations conducted via the websites’ chat features without users’ consent.  Plaintiffs primarily asserted claims under CIPA § 631, which bars wiretapping or attempting to learn the contents of a communication in transit, and § 632.7, which prohibits “intercept[ing] or receiv[ing] and intentionally record[ing]” a communication between various combinations of a “cellular radio telephone,” a “landline telephone,” and a “cordless telephone.”  At least one case brought federal Wiretap Act claims as well.

Courts So Far Largely Skeptical of Chatbot-based CIPA Theories

The vast majority of decisions reported by Westlaw so far in 2023 have dismissed CIPA chatbot claims.  These decisions focus on several key grounds:

  • The “Party Exception”: The most common basis for dismissing CIPA § 631 claims has been the party exception, which provides that the intended recipient of a communication cannot be liable for wiretapping its own communications.  Because website operators are the intended recipients of communications entered into chat windows on their websites, courts have held that the party exception precludes chatbot-based § 631 claims against website operators.[1]
  • Aiding and Abetting Liability Not Adequately Alleged: Courts so far have generally rejected theories attempting to hold the website operator liable for alleged violations committed by third-party software providers.  To the extent third-party software enables the recording of chat communications with the website operator, courts have either held the role of the third-party was inadequately alleged, see, e.g., Pena, 2023 WL 3170047, at *5, or that the third-party software “operate[s] like an extension of the defendant,” Licea II, 2023 WL 2469630, at *8.  Some decisions have suggested that a key factor in this analysis will be whether the third-party provides “routine” data recordation or storage, which weighs in favor of treating the third-party provider as an extension of the defendant, or whether it aggregates the data with other data sources and resells it, which may weigh in favor of treating it like an eavesdropper.  See Byars I, 2023 WL 2026994, at *10.
  • Communication Not “In Transit”: As an alternative ground for dismissing CIPA § 631 claims, courts also have ruled that plaintiffs did not adequately allege that the communication was “in transit” when it was allegedly intercepted, as required to state a claim.[2]
  • First Clause of § 631 Does Not Apply to Internet Communications: A judge in the Central District of California also ruled that the first clause of § 631, which prohibits making unauthorized connection “with any telegraph or telephone wire, line, cable, or instrument,” does not apply to internet-based communications, even if one party to the communication accesses the internet through a smartphone.  Licea I, 2023 WL 2415592, at *4-6; Licea II, 2023 WL 2469630, at *4-6.  Because the allegedly intercepted communications in chatbot cases are web-based, the first clause of § 631 does not apply.
  • Section 632.7 Does Not Apply to Website Chats: Similarly, most courts to have considered the issue have found that CIPA § 632.7, which addresses communications between various types of telephones, does not apply to web-based communications.[3]  As one court explained, “[t]he unambiguous meaning of the statute is . . . that it only applies to communications involving two telephones,” and plaintiffs cannot plausibly allege that defendants use a telephone to respond to website chats.  See Byars I, 2023 WL 2026994, at *10-11.  These courts have rejected plaintiffs’ arguments that the statutory language should be ready broadly, such as to include “computer equipment” within the meaning of “landline telephone.”  See Licea I, 2023 WL 2415592, at *11-12; Martin, 2023 WL 2717636, at *16.
  • Lack of Article III Standing: Finally, one court dismissed chatbot claims for lack of Article III standing.  First, the defendant offered evidence that it had no record of plaintiff engaging with its website’s chat feature.  Second, the plaintiff did not allege that she disclosed any sensitive information, much less any “any specific personal information . . . that implicates a protectable privacy interest.”  Byars v. Sterling Jewelers, Inc., No. 5:22-CV-01456-SB-SP, 2023 WL 2996686, at *3 (C.D. Cal. Apr. 5, 2023).  As a result, the court held the plaintiff had not established that she had suffered a concrete harm.

In sum, most courts to have considered CIPA’s application to website chat functions have rejected the claims, but many other cases remain pending.  It remains to be seen whether plaintiffs will attempt to plead around the deficiencies courts have identified so far.


[1] See Martin v. Sephora USA, Inc., No. 122CV01355JLTSAB, 2023 WL 2717636, at *7-10 (E.D. Cal. Mar. 30, 2023), report and recommendation adopted, No. 122CV01355JLTSAB, 2023 WL 3061957 (E.D. Cal. Apr. 24, 2023); Esparza v. Lenox Corp., No. C 22-09004 WHA, 2023 WL 2541352, at *2-3 (N.D. Cal. Mar. 16, 2023); Licea v. Cinmar, LLC, No. CV 22-6454-MWF (JEM), 2023 WL 2415592, at *7-9 (C.D. Cal. Mar. 7, 2023) (“Licea I”); Licea v. Am. Eagle Outfitters, Inc., No. EDCV221702MWFJPR, 2023 WL 2469630, at *6-8 (C.D. Cal. Mar. 7, 2023) (“Licea II”); Cody v. Boscov’s, Inc., No. 822CV01434SSSKKX, 2023 WL 2338302, at *2 (C.D. Cal. Mar. 2, 2023); Byars v. Hot Topic, Inc., No. EDCV221652JGBKKX, 2023 WL 2026994, at *7-10 (C.D. Cal. Feb. 14, 2023) (“Byars I”); see also Pena v. GameStop, Inc., No. 22-CV-1635 JLS, 2023 WL 3170047, at *3-5 (S.D. Cal. Apr. 27, 2023) (rejecting arguments that “unseen auditor” or “criminal or tortious act” exemptions to party exception applied).

[2] Martin, 2023 WL 2717636, at *10-11; Licea I, 2023 WL 2415592, at *9-10; Licea II, 2023 WL 2469630, at *8-10.

[3] Byars I, 2023 WL 2026994, at *10-11; Licea I, 2023 WL 2415592, at *11-13; Martin, 2023 WL 2717636, at *13-17.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Amy Heath Amy Heath

Amy Heath focuses on complex commercial litigation and class actions. She has handled matters involving contract, privacy, consumer protection, fraud, unfair competition, and intellectual property claims. She also has experience with internal investigations. Before practicing law, Amy served as an intelligence analyst.

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She specializes in defending clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.