Duane Morris Takeaways: On July 9, 2025, in Gutierrez, et al. v. Converse, Inc., No. 24-4797, 2025 WL 1895315 (9th Cir. July 9, 2025), the Ninth Circuit affirmed that a plaintiff had no evidence from which a reasonable jury could conclude that an online retailer's use of third-party software to enable a chat feature on its website aided and abetted the third-party vendor in reading or attempting to read the contents of the plaintiff's chat messages in real time, in alleged violation of the California Invasion of Privacy Act (CIPA). The ruling is significant because, in rejecting this theory, it shows that CIPA claims involving alleged disclosures of website activities to third-party software providers cannot survive unless the plaintiff can show that the website owner enabled the third party to read unencrypted, real-time communications.
Background
This case is one of a legion of class actions that plaintiffs have filed nationwide alleging that third-party software embedded in defendants' websites secretly captured plaintiffs' web-browsing activity and sent it to the third-party provider of the software. Third-party software is a common feature on many websites today and comes in many forms including website advertising technologies ("adtech"), customer relationship management ("CRM") software, enterprise resource management ("ERP") software, and, as in this case, communications platforms.
In Gutierrez, Plaintiff brought suit against an online retailer. According to Plaintiff, the retailer installed a chat feature on its public-facing website and thereby transmitted chat communications entered on the website to Salesforce, a third-party provider of the chat feature to the online retailer in the form of "software as a service" ("SaaS"). 2024 WL 3511648, at *2 (C.D. Cal. July 12, 2024).
As usual since the Snowden disclosures in 2013, all of these transmissions between the web user, website, and third-party software provider "were encrypted while in transit." Id. at *3. Moreover, as is true for all internet communications, the chats were transmitted "in different network packets." Id. Thus, the uncontroverted expert evidence showed that "it is 'virtually impossible' to learn the contents of an internet communication while it is in transit." Id.
The online retailer's chat data, including chat transcripts, were stored on Salesforce's servers. Id. However, this information was accessible in unencrypted format only through the retailer's password-protected dashboard. Id. Plaintiff offered no evidence to show that Salesforce had access to the retailer's dashboard or that the retailer ever provided Salesforce access to it. Id.
Based on these facts, Plaintiff argued that the retailer violated the CIPA by aiding and abetting Salesforce's wiretapping or attempts to learn her chat communications on the retailer's website.
The District Court granted the retailer's motion for summary judgment for multiple reasons. First, the District Court found as a matter of law that Salesforce did not violate CIPA's first clause prohibiting intentional wiretapping or making any unauthorized connection "with any telegraph or telephone wire, line, cable, or instrument" because "Courts have consistently interpreted this clause as applying only to communications over telephones and not through the internet." Id. at *6-7.
Second, the District Court found no genuine dispute of material fact existed as to whether Salesforce had violated the second clause of CIPA, Section 631(a), "because Plaintiff has presented no evidence from which a reasonable jury could conclude Salesforce intercepts messages sent through [the retailer]'s chat feature 'while ... in transit' or reads or attempts to read or learn the contents of such messages." Id. at *7. As the District Court explained, "uncontroverted evidence establishes messages sent through [the retailer]'s chat feature are encrypted while in transit and, moreover, it is 'virtually impossible' to learn the contents of an internet communication while it is in transit because internet communications are transmitted 'in different network packets[.]'" Further, the District Court stated that "the fact that a user is redirected to a Salesforce-owned URL upon opening the chat feature on [the retailer]'s website does not establish the user's messages are sent to Salesforce or Salesforce reads or attempts to read or learn the contents of such messages. Rather, this fact simply establishes . . . the user's messages are transmitted to [the retailer]'s Service Cloud application." Id. In addition, the District Court explained that "the existence of UUID [Universally Unique Identifier] values attached to chat messages and the mere possibility Salesforce 'can' use these values to 'connect the dots' between data are insufficient to establish a genuine issue of material fact as to whether Salesforce reads or attempts to read users' messages while they are in transit." Id.
Finally, the District Court found that "because Plaintiff has not established an underlying violation of Section 631(a)'s first or second clause by Salesforce, [the retailer] cannot be liable for aiding and abetting Salesforce."
The Ninth Circuit's Opinion
The Ninth Circuit agreed with the retailer. It found that summary judgment for the retailer was warranted and affirmed the order below.
In a short opinion, the Ninth Circuit affirmed the District Court's opinion by finding that "no evidence exists from which a reasonable jury could conclude" that Salesforce engaged in wiretapping or attempted to learn Plaintiff's chat communications on the retailer's website and that, absent an underlying violation by Salesforce, the retailer therefore had no aiding and abetting liability. Id. at *1.
Circuit Judge Jay Bybee agreed, filing a separate concurring opinion stating that the wiretapping claim should be affirmed because "the statute, as passed in 1967, focuses on the wiretapping of telegraph or telephone wires—it criminalizes, as relevant here, the wiretapping of a telephone call" and, thus, CIPA's clause prohibiting wiretapping "does not apply to the internet." Id. at *2-3. Further, Judge Bybee opined: "Until and unless the California appellate courts tell us otherwise, or the California legislature amends § 631(a), I refuse to apply § 631(a)'s first clause to the internet." Id. at *3.
Implications For Companies
The District Court's holding and Ninth Circuit's affirmance in Gutierrez are a win for CIPA class action defendants and should be instructive for courts around the country. In the hundreds of CIPA class actions alleging a defendant's disclosure of web-browsing activities to an adtech provider, for example, the plaintiff typically does not allege that the adtech provider has any ability to read any unencrypted version of the information disclosed. This is not surprising, since the largest adtech providers often alleged in CIPA adtech class actions typically encrypt, anonymize, aggregate, and otherwise prevent their own ability to access web users' browsing activities in any unencrypted format.
Gutierrez shows, however, that to prove their CIPA claims, adtech plaintiffs will need to show that the owner of the website they visited enabled the third-party adtech provider to read unencrypted, real-time communications.