The Ninth Circuit’s reversal marks a significant pushback to the idea that session replay is noncontent communication that is basically the equivalent of watching a customer as they browse a brick-and-mortar store
On June 20, 2025, the United States Court of Appeals for Ninth Circuit issued an unpublished decision in Mikulsky v. Bloomingdale’s, LLC, reversing a district court’s dismissal of a claim brought under Section 631(a) of the California Invasion of Privacy Act (CIPA) and arguably expanding the potential liability for companies using session-replay and tracking technologies, while lowering the pleading threshold. The case is a putative class action involving session-replay software used on Bloomingdale’s website. The plaintiff in the case, Erica Mikulsky, is a California resident who alleged that Bloomingdale’s deployment of session replay recorded and transmitted her interactions with the website—including mouse movements, keystrokes and page views—to a third-party vendor without her consent.
In the Southern District of California, Judge James Lorenz had dismissed the CIPA claim for failure to state a claim, holding that the session replay software captures “record data” as opposed to actual “confidential communications” under Section 631 and that the complaint lacked sufficient detail regarding the claimed privacy harms.
The Ninth Circuit’s reversal marks a significant pushback to the idea that session replay is noncontent communication that is basically the equivalent of watching a customer as they browse a brick-and-mortar store. The court held that the complaint plausibly alleged that Bloomingdale’s didn’t just capture metadata, but also intercepted and recorded the “contents” of the plaintiff’s communications by using session-replay software that can reconstruct a website user’s exact interactions with the site. The court held that this satisfied CIPA’s requirement that the contents of a communication be obtained during the transmission and without the user’s consent. The court also affirmed the district court’s exercise of jurisdiction, holding that there was personal jurisdiction since Bloomingdale’s intentionally operated a website that targets and profits from California users. Put another way, companies doing business online with California users—which is virtually every company with a website—can be sued under CIPA even without a physical presence in the state.
The decision arguably broadens the scope of CIPA by accepting the claim that session replay software’s ability to record and reconstruct a user’s interactions with a website can meet the definition of “contents” under Section 631(a). As such, companies that utilize session replay may now need to treat this technology as a potential “wiretap” under CIPA. The court also noted that the complaint alleged the capture of the contents of Mikulsky’s communications “without her consent,” which reinforces the importance of businesses obtaining prior, informed user consent before recording any user interactions with a website. Broad privacy policy notices may provide limited protection from session-replay-related liability.
The decision is certain to be used by plaintiffs’ attorneys to frame claims regarding session replay, pixels, data broker software and other tracking technologies under Section 631(a). However, defendants in these cases can still challenge the adequacy of the consent or argue that the data that is at issue is not actually intercepted “in transit.”
Notably, the court left intact the district court’s dismissal of the plaintiff’s claim for intrusion upon seclusion, holding that the plaintiff failed to plead a “highly offensive” violation under applicable California common law. While not the main crux of the decision, the court’s ruling on this issue may prove important should SB 690, which seeks to curb the wave CIPA data privacy lawsuits, be passed into law. If that happens, plaintiffs and their lawyers may have been thinking they could still rely on common law claims.
Looking ahead, companies may want to take a closer look at the tracking technologies that are deployed on their websites and ensure that they have obtained explicit consent prior to any of these tools being enabled. It also never hurts to reassess privacy policies and provide users with specific disclosure about the content that is captured.
For More Information
If you have any questions about this Alert, please contact J. Colin Knisely, Michael S. Zullo, any of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.