ConsentPixel – Privacy · Verified

CIPA & Legal Risk

FullStory and CIPA: Is Your Session Recording Tool Creating Legal Liability?

FullStory has been named as a defendant alongside Nike, Bloomingdale's, and Noom in CIPA wiretapping lawsuits. The Ninth Circuit's June 2025 rulings sent mixed but consequential signals about session replay liability. Here is what the case law actually says, why "we're a party to the conversation" is not a reliable defence for website operators, and the specific technical steps that meaningfully reduce exposure.

3,500+
Projected CIPA filings in 2026 — up from 675 in 2024
$5,000
Statutory damages per violation — no proof of harm required
SB-690
Proposed CIPA reform stalled — not law yet, no current safe harbour

If you use FullStory on your website — or any session replay tool — and your site receives visitors from California, you need to understand the current CIPA litigation landscape. Not because a lawsuit is certain, but because the case law is now clear enough to tell you exactly what creates exposure, what reduces it, and what the specific gap is between a site that gets a demand letter and one that does not.

FullStory is a digital experience analytics platform that records user sessions — capturing mouse movements, clicks, keystrokes, page interactions, and scroll behaviour — allowing product and UX teams to watch replays of how users navigate a site. It is a genuinely useful tool. It is also at the centre of more CIPA litigation than almost any other software vendor, having been named alongside Nike, Noom, Bloomingdale's, and others in multiple proposed class actions.

This article is written for website owners, not lawyers. We will explain what the courts have actually decided, what still is not settled, and what the practical risk picture looks like for a business running FullStory in 2026. This is not legal advice — if you have received a demand letter or are named in a lawsuit, consult a qualified privacy attorney.

What FullStory Does and Why CIPA Applies

FullStory's session replay technology works by embedding a JavaScript snippet on a website. When a visitor arrives, the snippet begins capturing their interactions in real time — every click, scroll, mouse movement, and keystroke — and transmits this data to FullStory's servers. FullStory then allows the site operator to replay these sessions as video-like recordings, enabling analysis of user behaviour, identification of friction points in a checkout flow, and debugging of UX issues.

The mechanism that creates CIPA exposure is specific: FullStory is a third-party company that receives the visitor's website interactions in real time, simultaneously with the visitor sending them. The visitor types in a search box — FullStory receives that keystroke. The visitor clicks through a checkout — FullStory records each step. This is the "interception while in transit" framing that CIPA Section 631(a) addresses.

CIPA was enacted in 1967 to prevent telephone wiretapping. It prohibits any person from intentionally intercepting, reading, or attempting to read the contents of any communication while it is in transit, without the consent of all parties. Beginning around 2020, plaintiffs' attorneys argued — with increasing success — that a third-party session replay vendor receiving website interaction data in real time is functionally analogous to a wiretapper listening to a phone call.

⚠️
CIPA's $5,000 statutory damages are available without proof of actual harm. Unlike most privacy claims where a plaintiff must show concrete injury, CIPA's statutory damages provision allows recovery of $5,000 per violation regardless of whether the plaintiff suffered any measurable harm. In the class action context, "violations" in complaints are typically framed as per session or per page visit — creating potential aggregate exposure that makes even small California traffic volumes significant.

Understanding the specific legal theories plaintiffs use — and which ones have succeeded — is important because the technical countermeasures map directly onto these theories.

Theory 1 — Section 631(a): Wiretapping (the "contents" theory)

CIPA Section 631(a) prohibits intercepting the contents of communications while in transit. The legal debate here centres on three questions: whether website interactions constitute "communications" under a 1967 statute written for telephone lines; whether FullStory's data capture constitutes "interception while in transit" rather than storage of already-received data; and whether the contents of those interactions are being "read" rather than merely recorded.

The most important legal distinction under Section 631 is the party exception — a party to a communication cannot be a wiretapper. The website operator is a party to the visitor's session. FullStory, as a third-party vendor receiving the data simultaneously, is the potential wiretapper. The key question for website operator liability is whether they "aided and abetted" FullStory's interception — and this is where the court decisions diverge.

Theory 2 — Section 638.51: Pen Register (the "addressing data" theory)

CIPA Section 638.51 prohibits installing or using a "pen register" — a device that captures addressing and routing information — without prior consent. The pen register theory requires a lower standard of proof than §631 because it does not require showing "contents" were intercepted. IP addresses, URLs visited, and navigation paths may qualify. Several courts have allowed pen register claims to proceed where §631 wiretapping claims were dismissed.

Theory: §631 Wiretapping
Legal standard: Interception of "contents" in transit by a third-party eavesdropper
Key question: Is FullStory a third party or a direct party? Did the operator aid and abet?
Recent trend: ⚠ Highly split — Bloomingdale's survived, Papa John's dismissed

Theory: §638.51 Pen Register
Legal standard: Recording of addressing/routing data; prior consent required
Key question: Does internet tracking qualify as a "pen register" device?
Recent trend: ⚠ Split — federal courts gaining vs. state courts limiting

The Case Law: What Courts Have Actually Decided

The case law on FullStory and session replay is genuinely split — a fact that favours neither side cleanly. Here are the most consequential decisions.

Graham v. Noom, Inc. (N.D. Cal. 2021)
Northern District of California · FullStory named as defendant · §631
✓ Dismissed — party exception

The foundational case establishing one side of the split. Noom used FullStory to record user sessions across its website, capturing keystrokes, mouse clicks, and user location information. The court found that FullStory was a direct party to the communication — functioning as an extension of Noom's own systems rather than as an independent third-party eavesdropper. Under the party exception, a party to a communication cannot be liable as a wiretapper. The court dismissed the §631 claims.

✦ Why it matters

Graham established the defence that session replay vendors are direct parties rather than eavesdroppers. However, subsequent courts — including the Ninth Circuit in Bloomingdale's — have disagreed with or distinguished this reasoning.

Saleh v. Nike, Inc. (C.D. Cal. 2021)
Central District of California · FullStory named as defendant · §631
✗ Survived — aiding and abetting theory

The opposite result from the same period. A California resident sued Nike and FullStory, alleging that FullStory's session replay tool intercepted personal communications — including potentially sensitive information like passwords and credit card numbers — without consent. Crucially, Nike's privacy policy contained no mention of FullStory or session recording.

The court found that FullStory, as a third-party vendor with simultaneous real-time access to user communications, could not avail itself of the party exception. More importantly for Nike: the court found that Nike had aided and abetted FullStory's interception by embedding the script and enabling the data capture. This is the theory that directly implicates website operators — not just vendors.

✦ Why it matters

Saleh v. Nike established that website operators who deploy FullStory (or any session replay tool) can be directly liable for aiding and abetting the vendor's interception, even if the vendor itself might claim party status. The absence of any disclosure in Nike's privacy policy strengthened the no-consent finding.

Torres v. Prudential Financial, Inc. (N.D. Cal. April 2025)
Northern District of California · Session replay · §631 · Summary judgment
✓ Dismissed — no real-time interception shown

A significant 2025 development that narrows the §631 wiretapping theory. The court granted summary judgment for Prudential, finding that CIPA §631 liability requires evidence that a party actually read or attempted to read communication contents while in transit. The court held that session replay software does not satisfy this standard because user click, keystroke, and mouse movement data becomes readable only after transmission when the software has stored and reassembled the information — not during transit itself.

This ruling provides a meaningful defence to §631 claims where the session replay vendor processes data after receipt rather than reading it in real time. However, it applies to §631 specifically — pen register claims under §638.51 were not dismissed on this basis.

✦ Why it matters

Torres narrows §631 exposure by requiring plaintiffs to show actual real-time reading of content, not just data capture. But it does not close the pen register door, and it does not help in the Ninth Circuit's jurisdiction after the Bloomingdale's decision.

The Ninth Circuit's June 2025 Decisions — What Changed

The most consequential recent session replay decisions came from the Ninth Circuit, which heard oral arguments on June 10, 2025, in three closely watched cases involving Converse, Bloomingdale's, and Papa John's. Within days, the court issued two decisions that delivered a mixed but significant outcome.

Thomas v. Papa John's International, Inc. (9th Cir. June 18, 2025)
Ninth Circuit · FullStory session replay · §631 · Affirmed dismissal
✓ Dismissed — party exception affirmed

The Ninth Circuit affirmed the dismissal of §631 claims against Papa John's for its use of FullStory session-replay software. The court's reasoning was straightforward: citing longstanding California precedent, it held that "a party to a conversation cannot be liable under Section 631 for eavesdropping on its own conversation." Because Papa John's was itself a party to the online interactions recorded by FullStory, the direct liability claim failed as a matter of law.

Importantly, the court noted that the plaintiff had not alleged that Papa John's aided or abetted a third party in eavesdropping — and explicitly declined to take a position on whether such an aiding-and-abetting theory would be viable. This creates a significant opening: the Papa John's dismissal was narrow. A complaint that properly pleads the aiding-and-abetting theory (as Saleh v. Nike and Mikulsky v. Bloomingdale's did) may survive where Thomas failed.

✦ Why it matters

Papa John's dismissal is good news for defendants — but only for claims that solely allege direct wiretapping. The court was careful not to endorse FullStory as liability-free. A properly pleaded aiding-and-abetting claim has not been resolved by this decision.

Mikulsky v. Bloomingdale's, LLC (9th Cir. June 20, 2025)
Ninth Circuit · Session replay (FullStory-type) · §631 · Reversed dismissal
✗ Reversed — §631 claim reinstated

Two days after Papa John's, the Ninth Circuit reversed the district court's dismissal of CIPA §631 claims against Bloomingdale's — the most significant session replay ruling of 2025. The plaintiff alleged that Bloomingdale's used session replay software that captured mouse movements, clicks, keystrokes, URLs visited, and other electronic interactions in real time, and that the vendor could "index and search all user sessions and create user fingerprints to track individuals across multiple websites."

The district court had dismissed the claim, finding that these details were "record data" rather than "contents." The Ninth Circuit reversed, finding the complaint adequately alleged that Bloomingdale's aided, agreed with, employed, or conspired with the session replay vendor to intercept the contents of communications in real time. The court accepted that the real-time capture of mouse movements, clicks, keystrokes, and URLs could constitute "contents" under §631(a).

The Ninth Circuit also affirmed California's jurisdiction over Bloomingdale's, specifically noting that companies operating websites accessible to California residents — which is virtually every company with a website — can be sued under CIPA even without a physical presence in California.

⚠ Why this matters for every site running session replay

Three findings from Mikulsky are critical for website operators. First, the aiding-and-abetting theory survived — embedding session replay code and enabling data capture is sufficient to allege this. Second, mouse movements, clicks, keystrokes, and URLs can constitute "contents" under §631, not just storage data. Third, any website accessible to California residents can face CIPA claims regardless of where the company is incorporated or located.

The two decisions together create a specific compliance picture: the party exception may protect against direct liability claims, but a properly pleaded aiding-and-abetting theory citing the company's active deployment of session replay can survive dismissal. The pleading threshold was lowered by Mikulsky. The consent question — whether the visitor was adequately notified and consented before recording began — remains the most reliable distinguishing factor between cases that survive and cases that do not.

🚨
The consent gap is the deciding variable. Compare the outcomes: In cases where prior, meaningful consent was obtained before session recording began — or where the recording was disclosed in terms the visitor actively accepted — defendants fare significantly better. In cases where session replay ran before any banner interaction, or where it was not disclosed at all (as in Nike's missing privacy policy mention), claims survive. The technical question — did the script fire before or after the visitor had any opportunity to consent — is what separates the dismissals from the survivals in the most recent case law.

Is FullStory or Hotjar firing before your consent banner renders?

ConsentPixel scans your site in a fresh session and shows exactly which scripts fire before any banner interaction — the specific technical gap that determines CIPA exposure under current case law.

Run Free Scan →
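The "did it fire before the banner" question above can be checked from your own capture. The following is an added example, not ConsentPixel's scanner or FullStory's code: given the requests observed during a fresh visit (constructed here; in practice exported from the DevTools Network panel or a headless-browser run) and the time of the visitor's first banner interaction, it lists every third-party host contacted before consent, with an allow list for the consent banner's own host, which legitimately loads first. All hostnames and timings are constructed placeholders.

```javascript
// Added example (not ConsentPixel's or FullStory's code): find third-party hosts
// contacted before the visitor's first consent-banner interaction.
const FIRST_PARTY_HOST = "shop.example"; // constructed site under test

// Constructed capture: startMs is milliseconds since navigation start.
// Hostnames are placeholders, not real vendor domains.
const SAMPLE_REQUESTS = [
  { url: "https://shop.example/", startMs: 0 },
  { url: "https://shop.example/assets/app.js", startMs: 120 },
  { url: "https://cmp.example/banner.js", startMs: 150 },          // consent banner itself
  { url: "https://replay-vendor.example/recorder.js", startMs: 310 }, // replay script
  { url: "https://cdn.shop.example/hero.jpg", startMs: 400 },       // first-party CDN
  { url: "https://replay-vendor.example/rec/abc123", startMs: 980 }, // replay data upload
  { url: "https://analytics-vendor.example/collect", startMs: 6200 },
];
const SAMPLE_CONSENT_AT_MS = 5400; // visitor clicked the banner 5.4 s after navigation

// Hostname of a URL, or null when the string is not a valid absolute URL.
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// First-party means the site host itself or one of its subdomains.
function isFirstParty(host, firstPartyHost) {
  return host === firstPartyHost || host.endsWith("." + firstPartyHost);
}

// Returns one finding per third-party host that was contacted before consentAtMs,
// sorted by first request time. consentAtMs === null models a visitor who never
// interacted with the banner: every third-party request is then pre-consent.
function thirdPartyBeforeConsent(requests, consentAtMs, firstPartyHost, allowedPreConsentHosts = []) {
  const byHost = new Map();
  for (const r of requests) {
    const host = hostOf(r.url);
    if (!host || isFirstParty(host, firstPartyHost)) continue;
    if (allowedPreConsentHosts.includes(host)) continue;
    if (consentAtMs !== null && r.startMs >= consentAtMs) continue;
    const cur = byHost.get(host) ?? { host, firstSeenMs: r.startMs, requests: 0 };
    cur.firstSeenMs = Math.min(cur.firstSeenMs, r.startMs);
    cur.requests += 1;
    byHost.set(host, cur);
  }
  return [...byHost.values()].sort((a, b) => a.firstSeenMs - b.firstSeenMs);
}

// Stand-alone run over the constructed capture.
const findings = thirdPartyBeforeConsent(SAMPLE_REQUESTS, SAMPLE_CONSENT_AT_MS, FIRST_PARTY_HOST, ["cmp.example"]);
for (const f of findings) {
  console.log(`${f.host}: first request at ${f.firstSeenMs} ms, ${f.requests} request(s) before consent`);
}
```

A host that appears in this list is one whose script or data upload ran while the visitor had not yet had an opportunity to consent; the number of requests matters because a recorder that has already uploaded session data before the click is a different fact pattern from a script tag that merely loaded.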

SB-690: The Proposed Reform That Has Not Passed

California Senate Bill 690 would have created a "commercial business purpose" exemption to CIPA, shielding companies that deploy tracking technologies in ways already regulated under CCPA. It would have resolved much of the current litigation uncertainty. It has not become law.

SB-690 passed the California Senate unanimously in June 2025. It then stalled in the Assembly — its sponsor paused the bill citing "outstanding concerns around consumer privacy" — and ended the 2025 legislative session as a two-year bill eligible for reconsideration in 2026. A key provision that would have made the exemption retroactive to pending cases was removed before the Senate vote following objections from the EFF, ACLU, and privacy advocacy groups.

As of June 2026, SB-690 has not been enacted. There is no current statutory safe harbour for companies using session replay tools on California visitors. The 2026 legislative session could still produce a version of this reform, but the timeline is uncertain, the retroactivity provision has been removed, and any eventual law would not apply to cases already filed.

⚠️
Do not wait for SB-690 before taking action. Even if SB-690 passes in 2026, it is not retroactive. Cases filed before any enactment date will be evaluated under the current CIPA framework. The litigation pace — projected at over 3,500 filings in 2026 — is not slowing while the reform progresses. Plaintiff scanners are running now.

Who Is Actually at Risk — And How Much

Not every site using FullStory faces the same risk profile. The relevant variables from the case law are specific enough to allow a reasonable risk assessment.

Highest risk: session replay on checkout or form pages, no prior consent

The Bloomingdale's and Saleh v. Nike cases specifically involved session replay on eCommerce sites where users entered billing information, addresses, and potentially payment data. Courts have been most receptive to content interception arguments when the captured data includes sensitive user-entered information. A site running FullStory on its checkout page with California traffic and no prior consent mechanism in place is the highest-risk configuration in current CIPA case law.

Elevated risk: session replay sitewide, no disclosure in privacy policy

The absence of any disclosure of session recording in Nike's privacy policy was specifically noted in Saleh v. Nike as strengthening the no-consent finding. Sites that run FullStory sitewide without disclosing it in their privacy policy — by name, with a description of what data it captures — face a weaker consent argument if challenged.

Moderate risk: session replay with a consent banner but no technical blocking

The Garcia v. AEG decision from May 2026 — covered in detail in our CIPA Case Watch Issue 01 — is directly relevant here. AEG had a consent banner, but its third-party cookies activated before the banner rendered on screen. The court found this was sufficient for the CIPA pen register claim to survive. A site with FullStory configured, a consent banner displayed, but technical pre-consent firing of the FullStory script is in this moderate-risk category.

Lower risk: session replay consent-gated, excluded from sensitive pages

Sites where FullStory is technically blocked until the visitor has explicitly consented (not just seen a banner — actually consented), excluded from checkout and form pages, and disclosed by name in the privacy policy represent the lowest risk configuration under current case law. This does not guarantee immunity, but it addresses every specific gap that has led to claims surviving dismissal in the cases above.

What to Do Right Now — Based on the Case Law

The following steps are derived directly from what has made the difference between claims surviving and being dismissed in the cases above. They are technical and operational, not legal — consult a qualified privacy attorney for advice specific to your situation.

1. Consent-gate FullStory so it does not fire before consent is given

The single most consequential step. FullStory must not fire on page load for a first-time visitor who has not yet consented. This requires a consent management platform that technically blocks the FullStory script until the visitor has actively consented — not one that displays a banner while FullStory loads in the background. Test this by opening your site in incognito with DevTools Network tab open: if FullStory appears in the network waterfall before you interact with the consent banner, your implementation does not close the CIPA gap.

2. Exclude checkout, login, and form pages from FullStory's recording scope

Regardless of consent status, session replay on pages where users enter billing details, passwords, account credentials, or other sensitive information represents the highest-risk configuration. Use FullStory's URL exclusion settings to permanently remove checkout (/checkout, /payment), account login pages, and any form pages from recording scope entirely.

3. Disclose FullStory by name in your privacy policy

Nike's failure to mention FullStory anywhere in its privacy policy was specifically cited in Saleh v. Nike as evidence supporting the no-consent finding. Your privacy policy must name FullStory, describe what data it captures (session recordings including mouse movements, clicks, and keystrokes), and explain how visitors can opt out or manage their preferences. Vague references to "analytics tools" are insufficient.

4. Add FullStory to your consent management platform as a "Session Recording" category

Create a dedicated "Session Recording" consent category in your CMP — distinct from general Analytics — that requires affirmative opt-in from visitors before FullStory activates. This gives visitors meaningful control, creates a consent record, and maps to the "prior consent of all parties" standard under CIPA. If you operate under the Ninth Circuit's jurisdiction, the Mikulsky ruling makes this more important than ever.

5. Maintain a consent log with timestamps

Every consent decision for the Session Recording category should be logged with the timestamp, the banner version shown, and the visitor's choice. This is the evidentiary foundation of a consent defence. The Sisti v. Bosley dismissal — covered in CIPA Case Watch Issue 01 — was partly based on the defendant's ability to demonstrate that consent was affirmatively obtained before tracking began, with documented evidence of that consent.

6. Enable FullStory's privacy controls — masking, exclusions, and field suppression

FullStory provides its own privacy features: input masking for sensitive fields, page exclusions, and element suppression. These do not replace consent requirements but they reduce the sensitivity of captured data, which matters for both the "contents" analysis under §631 and for the strength of any consent obtained. Bloomingdale's argued that masked text fields prevented the vendor from viewing sensitive data — though the Ninth Circuit found this argument insufficient at the pleading stage, the controls are still worth using as a risk reduction layer.
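Steps 1, 2, 4 and 5 above are one loading decision made in the page. The following is an added example of how that decision can be implemented; it is not FullStory's snippet, not ConsentPixel's code, and not any CMP's API. The recorder URL, the `sessionRecording` consent flag and the `onConsentChange` callback are placeholders for whatever your vendor and consent management platform actually provide. The logic takes the `document` as a parameter so it can be exercised outside a browser.

```javascript
// Added example (not FullStory's or ConsentPixel's code): a consent-gated loader for a
// session replay script, with URL exclusions and a consent log.
const RECORDER_SRC = "https://replay-vendor.example/recorder.js"; // placeholder, not a real vendor URL
const EXCLUDED_PATH_PREFIXES = ["/checkout", "/payment", "/login", "/account"];

// Prefix match on a path-segment boundary: "/checkout" and "/checkout/step-2" are
// excluded, "/checkouts-faq" is not.
function isExcludedPath(pathname, prefixes = EXCLUDED_PATH_PREFIXES) {
  return prefixes.some((p) => pathname === p || pathname.startsWith(p + "/"));
}

// Recording may start only with an affirmative opt-in to the dedicated "Session
// Recording" category, and only outside excluded pages. A banner that was merely
// displayed (consent still undefined) is treated as no consent.
function shouldStartRecording(consent, pathname, prefixes = EXCLUDED_PATH_PREFIXES) {
  return consent?.sessionRecording === true && !isExcludedPath(pathname, prefixes);
}

// Consent log entry: when, which banner version, which category, and the choice.
// consentId is the opaque record id the CMP already holds; nothing identifying is added.
function recordConsentDecision(log, { consentId, category, granted, bannerVersion, now = new Date() }) {
  const entry = {
    consentId,
    category,
    granted: granted === true,
    bannerVersion,
    timestamp: now.toISOString(),
  };
  log.push(entry);
  return entry;
}

// Inject the recorder <script> only when permitted; returns true if it was injected.
// `doc` is passed in so the logic is testable; in a page, pass `document`.
function loadRecorderIfPermitted(doc, consent, pathname, src = RECORDER_SRC) {
  if (!shouldStartRecording(consent, pathname)) return false;
  if (doc.querySelector(`script[src="${src}"]`)) return false; // already loaded once
  const script = doc.createElement("script");
  script.async = true;
  script.src = src;
  doc.head.appendChild(script);
  return true;
}

// Page wiring (runs only where a DOM exists). `onConsentChange` stands in for the
// callback your CMP exposes when the visitor makes or changes a choice.
if (typeof document !== "undefined") {
  const consentLog = [];
  window.onConsentChange = (consent, bannerVersion) => {
    recordConsentDecision(consentLog, {
      consentId: consent.id,
      category: "session_recording",
      granted: consent.sessionRecording,
      bannerVersion,
    });
    loadRecorderIfPermitted(document, consent, window.location.pathname);
  };
}
```

The point of the structure is that the script tag does not exist in the page at all until `shouldStartRecording` returns true, so a first-time visitor who has not interacted with the banner generates no request to the recorder host; this is the condition step 1 asks you to confirm in the Network panel. The consent log is kept as structured entries so it can be shipped to the CMP or a server-side store rather than reconstructed later.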

The bottom line on FullStory and CIPA in 2026

The case law is split, the legislative reform has not passed, and the plaintiff scanning operations are running at industrial scale. FullStory is a legitimate and valuable analytics tool. The CIPA exposure it creates is not inherent in the tool — it is created by the gap between when the script fires and when the visitor has had any opportunity to consent.

The Mikulsky v. Bloomingdale's Ninth Circuit decision lowered the pleading threshold for aiding-and-abetting claims. The Papa John's decision confirmed the party exception — but only for claims that do not properly allege aiding and abetting. SB-690 is not law. And the consent gap — specifically, whether FullStory fired before the visitor could consent — remains the single most consistent variable in the outcomes across all these cases.

Close the gap. Consent-gate FullStory. Exclude checkout pages. Name it in your privacy policy. Log every consent decision. Those four steps address the specific technical failures that have appeared in every case where a session replay claim survived to trial.

Check if FullStory fires before your banner — Free scan →
Legal disclaimer: This article is published for informational purposes only and does not constitute legal advice. Case summaries are based on publicly available court decisions and legal reporting. If you have received a CIPA demand letter or are named in a lawsuit, consult a qualified privacy attorney. ConsentPixel — Privacy · Verified is not a law firm.
ConsentPixel Research Team
CIPA Litigation Research & Case Analysis
The ConsentPixel — Privacy · Verified research team monitors CIPA case filings, Ninth Circuit decisions, and legislative developments to translate legal risk into practical guidance for website owners. All case summaries are sourced from public court records and legal reporting. This article does not constitute legal advice.