Is Your Website Violating California Wiretapping Law? | Bryan Cave Leighton Paisner

Retailers, financial services companies, and many other companies use third-party session replay software to keep a record of interactions with visitors to their websites for a variety of useful purposes, including documenting consent, preventing fraud, general compliance and for marketing purposes. However, a number of lawsuits have been filed alleging that the use of session replay software constitutes a surreptitious interception of consumer communications with the website in violation of California Penal Code § 631, a provision of California law. on the invasion of privacy often referred to as the Wiretapping Act.

Section 631(a) provides a private right of action against any person who “by means of any machine, instrument or device, … intentionally strikes, … or who willfully and without the consent of all the parties to the communication, or in any unauthorized manner, reads or attempts to read, or learn the content or meaning of any message, report or communication while it is in transit…”.[1] The law also holds responsible anyone who aids or abets unlawful interception. Courts have clarified, however, that section 631(a) includes an “intended recipient” or “party” exception, such that a party to a communication cannot be held liable under law for “intercepting a message that was intended for that person. to party. “Only a third party can eavesdrop on a conversation in secret.”[2]

In a series of recent decisions, federal courts in California have struggled to apply wiretapping law to the use of third-party web session recording software, diverging primarily on whether the software provider is an intruding third party, subject to the law or, by virtue of putting itself in the place of the operator of the website, is a party to the communication who cannot be held responsible.

In Revitch vs. New Moosejaw, LLC,[3] Saleh vs. Nike, Inc.,[4] and Yoon vs. Lululemon USA, Inc., the courts held not only that the third-party seller could, in fact, be liable under Section 631, but that the website operator who engaged the service provider could be liable as an accomplice to the third-party seller. surreptitious interception. This seems to be a misreading of the law.

In contrast, Graham v. Nom, Inc.,[5] Johnson vs. Blue Nile, Inc..,[6] and Yale vs. Clicktale, Inc.[7] determined, consistent with the spirit and intent of the Third-Party Intrusion of Private Communications Act, that the third-party service provider “is an extension” of the website operator, and therefore neither an illegal trespasser, nor the principle of illegal aid and abetting scheme.

The Ninth Circuit has yet to resolve the lower court split. A recent Ninth Circuit ruling in Javier v Insurance IQ, LLC reversed a trial court ruling that the consumer’s after-the-fact consent to the website’s privacy policy precluded a claim under section 631(a), but expressly did not address the issue of whether whether the requester had implied consent to the data collection, whether the third-party vendor is an extension of the website operator, or whether the website operator could be held liable for aiding and abetting the collection of communications from its users.[8]


[1] Pen. Code, § 631(a).

[2] Graham v. Noom, Inc.. (ND Cal. 2021) 533 F.Supp.3d 823, 831.

[3] (ND Cal., October 23, 2019, # 18-CV-06827-VC) 2019 WL 5485330, at *2.

[4] (CD Cal. 2021) 562 F.Supp.3d 503, 516.

[5] (ND Cal. 2021) 533 F.Supp.3d 823, 832–833.

[6] (ND Cal., April 8, 2021, # 20-CV-08183-LB) 2021 WL 1312771, at *2.

[7] (ND Cal., April 15, 2021, # 20-CV-07575-LB) 2021 WL 1428400, at *3.

[8] Javier v Insurance IQ, LLC (9th Cir., May 31, 2022, no. 21-16351) 2022 WL 1744107, at *1.

[View source.]

Sherry J. Basler