A California federal district court recently ruled that session-replay software doesn't violate the CIPA if the vendor didn’t “read” communications while in transit.
What is the CIPA?
The California Invasion of Privacy Act (CIPA) is intended to protect people from unauthorized surveillance and recording of confidential communications. The law makes it illegal to record or intercept conversations (including phone calls) without the consent of all of the parties involved. Specifically, the CIPA imposes liability on any entity that reads, attempts to read, or otherwise learns the contents of any communication made over any “wire, line, or cable” without full consent from all parties. Violations can result in both criminal charges and civil lawsuits, along with potential damages.
A 2022 Ninth Circuit decision extended the parameters of the Act to website usage.
Liability under section 631 attaches "only to eavesdropping by a third party and not to recording by a participant to a conversation." A third-party eavesdropper under section 631 is one who secretly listens to conversations between two other parties or who receives "simultaneous dissemination" of the "contents of a conversation." In a 1985 California Supreme Court case, the defendant was a friend of the plaintiff's wife who eavesdropped on a phone conversation between the plaintiff and his wife and later testified to what she heard during an arbitration hearing. The Court held that the complaint properly charged the defendant under section 631 because the legislature intended to prevent "eavesdropping, or the secret monitoring of conversations by third parties." However, a person can’t "eavesdrop" on their own conversation, and "it is never a secret to one party to a conversation that the other party is listening to the conversation." As a result, a participant to a conversation who uses a tape recorder to record the communication, even surreptitiously, isn’t liable under section 631.
To determine if a software service provider like ActiveProspect constitutes a third-party listener as opposed to a participant in the conversation, courts assess whether the software service "extends beyond the ordinary function of a tape recorder." This requires looking at the software vendor's independent capability to use its record of the interaction for another purpose. If software functions only as a tool that allows the participants to record and analyze the contents of their own communications, the software vendor isn’t a third party, and there is no violation of the Act.
What is the Recent Decision About?
Torres v. Prudential Financial, Inc. is the latest in a string of cases challenging the use of third-party software to record website visitor activity without their knowledge. In Torres, the plaintiffs sued ActiveProspect, Prudential Financial, and Assurance IQ, alleging that ActiveProspect violated the California Invasion of Privacy Act by intercepting, recording, and storing real-time interactions with a webform on Prudential's website without consent. The plaintiffs also claimed that Prudential and Assurance violated CIPA by employing ActiveProspect and embedding its software services on the Prudential website without proper disclosure to the website’s users.
The defendants moved for summary judgment, asserting that there was no genuine dispute of material fact as to whether ActiveProspect read or attempted to read the contents of the plaintiffs' communications while they were in transit, as is required to establish a section 631 CIPA violation.
Prudential’s website allowed users to get a life insurance quote by using ActiveProspect’s TrustedForm script as part of the website’s source code. Users were required to enter information about their demographics, family, situation, and medical history. The plaintiffs alleged this allowed ActiveProspect to intercept and record visitors’ real-time interaction with the form. ActiveProspect allegedly used the data it collected to create a “session replay,” which is a recreated video recording of the user’s real-time interaction with TrustedForm. The plaintiffs said that they didn’t consent to the recording of their interaction with a third party when they completed the form.
The defendants argued that ActiveProspect isn’t a third-party eavesdropper because it can’t use TrustedForm Certificates for any independent purpose. They provided two reasons why:
- (i) ActiveProspect doesn’t have the ability to locate particular TrustedForm Certificates or link them with specific website users without the associated TrustedForm Certificate URL, which is held by the website owner—not ActiveProspect; and
- (ii) Even with the associated TrustedForm Certificate URLs, ActiveProspect can’t retrieve large numbers of stored TrustedForm Certificates at one time.
The defendants contended that these limitations make it impossible for ActiveProspect to use TrustedForm Certificates "for any purpose beyond providing the TrustedForm software service to accountholders.”
However, ActiveProspect can access, and potentially use, the data collected by the TrustedForm software. Certain ActiveProspect employees with "superuser access" can independently view TrustedForm Certificates for customer support purposes. These select employees can log into the accounts of accountholders, such as Assurance, and view TrustedForm certificates and the session replays that contain user-submitted data.
The District Court’s Decision
United States District Judge Charles R. Breyer agreed with the defendants, who also argued that there was no genuine dispute about whether ActiveProspect read, attempted to read, or to learn the contents of the plaintiffs' communications while they were in transit, which is a requirement under section 631. The judge noted that while section 631 doesn’t define "read" or "attempt to read," courts generally conclude that liability under prong two of section 631 "requires some effort at understanding the substantive meaning of the message, report or communication." A party to a communication recording a conversation with a device and later sharing the recording with others isn’t a section 631 violation, the judge concluded.
Because the plaintiffs failed to demonstrate that ActiveProspect attempted to understand or decipher the contents of their communications on its webform while the communications were in transit, there was no genuine dispute as to whether it read or attempted to read those communications under section 631. Further, because there was no predicate violation of section 631 on the part of ActiveProspect, there was no genuine dispute as to whether Prudential and Assurance aided and abetted ActiveProspect in violation of section 631. The defendants’ motion for summary judgment was granted. Torres v. Prudential Fin., Inc., (N.D. Cal. 4/17/25).
What Should Businesses Do?
The Torres decision reminds California businesses to assess their session-replay tools under the CIPA and to bolster their documentation to demonstrate that they are not monitoring in-transit data. In addition, businesses should update their vendor agreements with clear definitions and liability protections.
Contact Eanet, PC to discuss any questions about CIPA and to determine if your present policies and agreements should be updated.