Wiretapping claims based on session replay software and tracking pixels are on the rise. Most claims are brought under the California Invasion of Privacy Act (CIPA). A required element under CIPA is that a third party must have “read[ ], or attempt[ed] to read, or to learn the contents or meaning of any message, report, or communication.” The theory advanced by plaintiffs’ lawyers is that session replay software—i.e., software that reconstructs a user’s journey through a website by recording keystrokes, mouse clicks and movements, the pages and content viewed, etc.—allows the software provider to intercept communications between a company and its website visitors in violation of CIPA.
But do keystrokes and mouse clicks really constitute “communications” between website users and companies that are protected under CIPA? Not according to the Southern District of California, which recently dismissed a CIPA claim on this basis. See Augustine v. Great Wolf Resorts, Inc., 2024 WL 3450967 (S.D. Cal. July 18, 2024). This is consistent with the Central District of California’s 2021 decision in Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1082–83 (C.D. Cal. 2021), which similarly held that users’ keystrokes, mouse clicks, pages viewed, IP addresses, shipping and billing information, browser type, etc. are not “message content in the same way that [are] the words of a text message or an email.”
These decisions signal that courts are becoming less receptive to claims that session replay software violates CIPA. If faced with this type of claim, companies should consider moving to dismiss on the ground that the data alleged to have been intercepted is not a protected “communication” under CIPA.