Corporate Compliance Insights

Cold War-Era California Law Snags Companies That Use Common Website Tracking

Lawmakers considering CIPA update for the internet age

by Erin Doyle and Jackie Cooney
August 18, 2025
in Data Privacy

Courts have reached inconsistent conclusions about whether a Cold War-era California law applies to modern website technology tracking like cookies and chatbots. Erin Doyle and Jackie Cooney of Arnall Golden Gregory break down the rulings and the steps California lawmakers are taking to clarify the California Invasion of Privacy Act. 

From pizza chains to fashion retailers, companies are being targeted in a recent surge of lawsuits alleging that third-party tracking technologies on their websites, such as cookies, pixels, session-replay tools, search bars, chatbots and more, violate the California Invasion of Privacy Act (CIPA). Enacted during the Cold War to stop unauthorized wiretapping of telephone calls, CIPA is being repurposed to argue that tracking scripts intercept the online “conversations” between a visitor and a site.

Courts have reached inconsistent conclusions on whether the law applies to modern website technologies. 

In the courts

Recently, the US Court of Appeals for the Ninth Circuit reviewed three proposed class actions alleging CIPA violations. The court heard oral arguments in early June and has issued unpublished opinions in each case.

Thomas v. Papa John’s 

In Thomas v. Papa John’s International, Inc., the plaintiff alleged the company used session-replay technology to capture her website interactions as she placed an order (e.g., keystrokes, clicks, information input into text fields, etc.) without her knowledge and then shared the information with its software provider. The lower court dismissed the case, determining that the plaintiff did not sufficiently allege that Papa John’s engaged in wiretapping, nor did she allege that the pizza chain aided and abetted its software provider in doing the same. Affirming the lower court’s dismissal of the case, the Ninth Circuit held that Papa John’s, as a party to the communications on its website, cannot be liable for eavesdropping on its own conversation.

Mikulsky v. Bloomingdale’s

In Mikulsky v. Bloomingdale’s, LLC, the plaintiff alleged that Bloomingdale’s used third-party pixel tracking and session-replay software to capture and disclose the content of website visitors’ communications (e.g., name, address, credit card information, product selections, etc.) to a third-party software vendor without the website visitor’s consent. The Ninth Circuit reversed the lower court’s dismissal of the CIPA allegation, finding that the complaint sufficiently alleged real-time capture by the third-party vendor of the contents of the website visitor’s communications and that Bloomingdale’s aided and abetted the third-party vendor to enable such capture.

Gutierrez v. Converse

In Gutierrez v. Converse Inc., the plaintiff alleged that Converse’s use of an online customer service chat feature resulted in illegal wiretapping of the conversations by the chat vendor and that Converse aided and abetted the chat vendor. In a relatively brief opinion, the Ninth Circuit upheld the lower court’s grant of summary judgment in favor of Converse, finding that no evidence exists from which a reasonable jury could conclude that the chat provider read or attempted to read the contents of the plaintiff’s messages.

Based on Thomas, it appears that the Ninth Circuit is unwilling to find that a website operator illegally intercepts communications on its own website (as it is a party to the communication). However, based on Mikulsky, the Ninth Circuit seems open to hearing arguments that interception of communication content by third-party vendors gives rise to aiding and abetting liability under CIPA on the part of the website operator.

In the legislature

In June, the California Senate unanimously passed Senate Bill 690, which would amend CIPA in a way that would likely curb the current slew of litigation. The bill would provide a “commercial business purpose” exception to CIPA such that website technologies that have a valid commercial business purpose would be expressly excluded from CIPA. The bill defines “commercial business purpose” as the processing of personal information either (1) to further a “business purpose,” as that term is defined in the California Consumer Privacy Act (CCPA); or (2) in a manner that is subject to a consumer’s opt-out rights under the CCPA. The bill reflects a growing sentiment that the CCPA provides a more comprehensive and modern framework for regulating online privacy than CIPA.

The bill is under consideration in the California Assembly. On July 2, the California Assembly’s Committee on Public Safety voted to advance SB 690 but as a two-year bill, which would allow it to carry over into the 2026 legislative session for further consideration, potentially delaying its effective date. Additionally, the current version of the bill would only apply prospectively, not retroactively, meaning it would not affect any lawsuits filed before its effective date. Furthermore, passage of the bill may not definitively foreclose these types of suits as it may lead plaintiffs’ counsel to increase their focus on bringing similar lawsuits in other states with their own two-party consent wiretapping laws like CIPA.

In practice

For businesses that continue to use website tools, transparent notice and express consent remain the most effective risk mitigation measures. Moreover, privacy legislation in several jurisdictions, including several US states and Europe, requires that businesses allow website visitors to opt in to, or at least have the ability to opt out of, all nonessential cookies and tracking technologies. Furthermore, certain regulated entities may need to consider whether it is appropriate to utilize tracking technologies at all given the nature of their website (e.g., behind the login page on a healthcare provider website). Companies must balance both the litigation and regulatory considerations that surround the use of these tools. To the extent that a company operates in several jurisdictions, it may wish to adopt different approaches across jurisdictions to allow for maximum data collection while adhering to legal requirements.

Once a company establishes the approach it wants to take, it is prudent to ensure the approach is operating as intended. This may mean conducting a tracking technologies audit to ensure no legacy cookies are lingering on the website or testing third-party consent management tools to ensure they are implementing consumer preferences accurately. Companies should also ensure that their privacy notices are up to date and accurately reflect the tracking that occurs on their websites, in addition to the company’s other data processing activities. 

Companies using third-party consent management tools on their websites should ensure they have adequate contractual terms in place to protect personal data and restrict the third party’s access to and use of the data. Finally, companies should keep an eye on ever-evolving legal developments in this area and be prepared to adjust their practices as needed to mitigate litigation and regulatory risk to their organizations.


Tags: California Consumer Privacy Act (CCPA)
Erin Doyle and Jackie Cooney

Erin Doyle is an associate at Arnall Golden Gregory, where she provides regulatory counsel on data privacy and cybersecurity matters to clients across industry sectors.
Jackie Cooney co-chairs Arnall Golden Gregory’s privacy & cybersecurity practice. She has 30 years of experience handling privacy, governance, risk, compliance and public policy matters for clients in a variety of industries.

© 2025 Corporate Compliance Insights
