On July 9, 2025, in an unpublished decision, the Ninth Circuit Court of Appeals affirmed the dismissal of a class action lawsuit alleging violations of the California Invasion of Privacy Act (CIPA).
CIPA’s First Clause Does Not Apply to Internet Communications
The central issue on appeal was whether CIPA section 631(a)’s first clause—which prohibits unauthorized wiretapping of telegraph or telephone wires—applies to internet communications. The Ninth Circuit held that it does not. The court reasoned that the statutory language, enacted in 1967, was intended to address traditional telephonic wiretapping and does not extend to modern internet-based messaging. The court noted that while California has updated other privacy statutes to address new technologies, section 631(a) remains focused on telephone communications.
Judge Bybee wrote a concurrence:
Even assuming that Salesforce wiretapped or made an “unauthorized connection” with Gutierrez’s chat message, does the phrase “any telegraph or telephone wire, line, cable, or instrument” contemplate an online chat message sent on a smartphone?1
Today’s smartphones do not send messages over a “telephone wire” as that phrase was understood in 1967 when the California legislature passed CIPA. In 1967, telephones were connected to wires on both ends of a phone call and had one use—you picked up the phone to dial and call another phone. Today, our smartphones not only lack wires, but they also are cameras, atlases, phone directories, music players, weather stations, newspapers, clocks, and more. Most important, smartphones are mini-computers capable of accessing the internet, something the California legislature had never heard of (or could have imagined) in 1967. For this reason, simply sending a message on an iPhone (and through an internet browser) does not automatically implicate § 631(a). Instead, the statute, as passed in 1967, focuses on the wiretapping of telegraph or telephone wires—it criminalizes, as relevant here, the wiretapping of a telephone call. See Flanagan v. Flanagan, 41 P.3d 575, 577 (Cal. 2002) (CIPA “was enacted in 1967, replacing prior laws that permitted the recording of telephone conversations with the consent of one party to the conversation. The purpose of the act was to protect the right of privacy by, among other things, requiring that all parties consent to a recording of their conversation.”) (emphasis added).2
If the California legislature wanted to apply § 631(a) to the internet, it could do so by amending that provision or adding to CIPA’s statutory scheme. Indeed, it “augmented the statutory scheme in 1985, 1990, and 1992 ‘to take account of privacy issues raised by the increased use of cellular and cordless telephones.’ ” See Smith v. LoanMe, Inc., 483 P.3d 869, 873 (Cal. 2021) (quoting Flanagan, 41 P.3d at 580 (compiling amendments)). For example, the California legislature added § 632.7 in 1992. That provision criminalizes nonconsensual interception and recording of “a communication transmitted between,” among other things, “two cordless telephones.” Cal. Penal Code § 632.7. The California legislature also added § 632.01 in 2017. That provision punishes anyone who violates § 632(a) (a section that penalizes eavesdropping) and then “intentionally discloses or distributes, in any manner, in any forum, including, but not limited to, Internet Web sites and social media … the contents of a confidential communication with a health care provider ….” See Cal. Penal Code § 632.01. California has failed to update § 631(a) to account for advances in technology since 1967. It is not our job to do it for them.
Unless and until then, plaintiffs like Gutierrez are not without recourse, thanks to the California Consumer Privacy Act of 2018 (CCPA). CCPA requires that businesses inform consumers of the “categories of personal information to be collected and the purposes” for that collection, “the categories of sensitive personal information to be collected,” and “the length of time the business intends to retain each category of personal information.” Cal. Civ. Code § 1798.100. Section 1798.150 creates a private cause of action for “[a]ny consumer whose nonencrypted and nonredacted personal information … or whose email address … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information ….”3 Cal. Civ. Code § 1798.150.
This statute likely covers the allegations here, so why do plaintiffs (like Gutierrez) prefer to contort § 631(a) to apply to internet communications? It may be about the money—CIPA allows plaintiffs to recover $5,000 per violation compared to just $750 per violation under the CCPA. Compare Cal. Penal Code § 637.2 with Cal. Civ. Code § 1798.150. In a class action like this one, the difference in total recovery (and attorneys’ fees) could be millions of dollars.
In my view, § 631(a)’s text, legislative history, subsequent augmentation, and relative ambiguity compared to the CCPA (which explicitly provides recourse for internet privacy violations like this one) compel the conclusion that § 631(a)’s first clause does not apply to the internet. Until and unless the California appellate courts tell us otherwise, or the California legislature amends § 631(a), I refuse to apply § 631(a)’s first clause to the internet.
One final note. Gutierrez asserted that our unpublished memorandum disposition in Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022), held that the entirety of § 631(a) applies to internet communications. This is misleading. Javier is not precedential, as it is an unpublished disposition. And Javier only considered § 631(a)’s second clause, which prohibits nonconsensual reading of a communication in transit over a wire. Id. at *1. It is far from clear whether Javier‘s alleged “holding”—that “[t]hough written in terms of wiretapping, Section 631(a) applies to Internet communications”—even applies to § 631(a)’s first clause.4
No Evidence of Unauthorized Access or Reading of Messages
The plaintiff alleged that a third-party service provider, Salesforce, unlawfully accessed and read chat messages sent through Converse’s website. The court found no evidence that Salesforce made an unauthorized connection to a telephone wire or read the contents of any messages, as required under CIPA’s first and second clauses. The mere technical ability to access messages was deemed insufficient to establish liability without proof of actual unauthorized access or reading.
emerging legal requirements.
NORA GUTIERREZ, on behalf of herself & all others similarly situated, Plaintiff – Appellant, v. CONVERSE INC., a Massachusetts Corp., Defendant – Appellee, & DOES, 1 through 25, inclusive, Defendant., No. 24-4797, 2025 WL 1895315 (9th Cir. July 9, 2025).
