Last week, the Ninth Circuit issued unpublished rulings in the Papa John’s and Bloomingdale’s cases, both addressing session-replay technology under California’s Invasion of Privacy Act (§631). While not precedential, they offer insight into how courts will evaluate digital wiretap claims.

Thomas v. Papa John’s The Ninth Circuit affirmed dismissal, finding that Papa John’s, as a party to the communication, cannot “eavesdrop” under §631. But the panel emphasized that aiding-and-abetting liability remains viable when a third-party vendor does the intercepting. Theories involving shared control, direction, or benefit are still in play.

Mikulsky v. Bloomingdale’s Here, the Ninth Circuit reversed dismissal, holding the plaintiff plausibly alleged that session-replay software captured the content of her interactions—keystrokes, clicks, and page data—and transmitted it to a vendor without consent. The court focused on the substance of the user’s input, not just metadata.

What This Means These rulings confirm where plaintiffs are headed: Focusing on what data is captured and how it is shared Advancing aiding-and-abetting theories tied to vendor behavior Refining claims to emphasize unauthorized interception of communication content

This is a maturing litigation space. Plaintiffs will move beyond boilerplate filings alleging “session-replay is illegal.” Going forward, we expect to see more sophisticated, content-driven theories—especially against well-resourced vendors that use data for their own purposes.