Table of Contents
- What Is “Session Replay” (and Why Do People Call It a Wiretap)?
- The Headline Case: Popa v. Microsoft and “Clarity” Session Replay
- Why the Ninth Circuit Said “No”: Article III Standing and Concrete Harm
- What This Means for Session Replay “Wiretap” Lawsuits Going Forward
- How This Decision Fits with Other Ninth Circuit Website-Tracking Cases
- Practical Compliance Playbook for Businesses Using Session Replay
- What Consumers Should Know (Without Needing a Law Degree)
- Experiences From the Trenches: Real-World Session Replay Reality
- Conclusion: The Takeaway in Plain English
If you’ve ever shopped online and felt like the website “understood you” a little too well (why, hello, pop-up that knew I hovered over the deluxe dog bed for 3.7 seconds), you’ve brushed up against the modern data stack. One tool in that stack, session replay, has become a repeat customer in privacy lawsuits. Plaintiffs call it “wiretapping.” Businesses call it “UX analytics.” Courts call it “please, everyone sit down, we’re starting with standing.”
In a key decision, the Ninth Circuit rejected a proposed session replay wiretap class action, not because session replay is automatically harmless, but because the plaintiff didn’t allege a concrete injury that qualifies for federal court under Article III standing. In other words: even if you think a statute was violated, you still need to show a real-world harm that looks like something courts have traditionally recognized.
Let’s unpack what the Ninth Circuit did, why it matters for website tracking litigation, and what businesses (and consumers) can realistically do next. (And yes, we’ll keep the legal jargon on a short leash. Unlike some cookie banners.)
What Is “Session Replay” (and Why Do People Call It a Wiretap)?
Session replay technology is software that records how users interact with a website (think clicks, scrolls, mouse movements, and sometimes text input) so a company can “replay” the session and see where users get stuck or bail out. The pitch is usually innocent: improve checkout flow, find broken buttons, reduce rage-clicking, and help users get what they came for.
The lawsuit pitch is… less innocent. Plaintiffs often argue that session replay captures the “contents” of communications between a user and a website and transmits those contents to a third-party vendor in real time, without consent. That gets framed as illegal interception under various laws that were originally designed to prevent actual wiretaps (like the “listen to phone calls” kind).
Here’s the tension: session replay sits in a gray zone between analytics and eavesdropping. Some cases focus on whether the data is “content” (what you typed) or “metadata” (device type, timestamps). Others focus on whether the vendor is a third party or a tool acting as an extension of the website operator. And increasingly, federal courts focus on the “gatekeeping” question: even if the statute creates a right, did the plaintiff suffer a concrete harm that belongs in federal court?
The Headline Case: Popa v. Microsoft and “Clarity” Session Replay
What the plaintiff alleged
The Ninth Circuit’s rejection of the class action came in Popa v. Microsoft Corp., involving Microsoft’s session replay tool Clarity. The plaintiff alleged she encountered session replay on a pet-supply website and that the technology captured and organized her browsing interactions into many categories: things like device and browser details, mouse movements, scrolling, and text input. The complaint also raised concerns about what might be captured when users enter information into website fields.
The claims sounded like “wiretapping,” but the court started elsewhere
The plaintiff brought claims under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (WESCA) and also asserted intrusion upon seclusion (a common-law privacy tort). But the Ninth Circuit didn’t reach a grand verdict on whether session replay is categorically a “wiretap.” Instead, it affirmed dismissal because the plaintiff didn’t allege a concrete injury, meaning the case couldn’t stay in federal court at all.
Why the Ninth Circuit Said “No”: Article III Standing and Concrete Harm
Federal courts don’t exist to referee every “you technically broke a rule” dispute. To sue in federal court, a plaintiff must show standing, including an injury in fact that is concrete and particularized. The Supreme Court has been especially firm about this in privacy and statutory-damages cases.
The TransUnion framework: “Traditionally actionable” harm
The Supreme Court’s decision in TransUnion LLC v. Ramirez emphasized that “Article III standing requires a concrete injury even in the context of a statutory violation.” The practical test asks whether the plaintiff’s alleged harm has a “close relationship” to a harm that has traditionally been actionable in American courts.
Translation: you can’t just say “the statute says this is illegal.” You need to show the kind of injury courts recognize, like an invasion of privacy that looks like classic intrusion or disclosure, or a financial loss, or an actual misuse of personal data. “It could have been bad” often isn’t enough.
Why “intrusion upon seclusion” didn’t fit
The plaintiff tried to analogize session replay tracking to intrusion upon seclusion. That tort typically requires an intentional intrusion into a private place or private affairs that would be highly offensive to a reasonable person.
The Ninth Circuit found the analogy didn’t land because the alleged collection (based on what was pleaded) looked more like routine observation of shopping behavior than a “highly offensive” privacy invasion. The opinion compared the monitoring to something closer to a store clerk observing which aisles are popular, rather than a scenario involving intensely private facts or truly invasive spying.
Importantly, the court signaled that context matters. Session replay that captures especially sensitive information (medical details, financial account data, passwords, or other intimate content) could look different. But this plaintiff didn’t plausibly allege that level of privacy invasion based on her own experience.
Why “public disclosure of private facts” didn’t fit either
The plaintiff also pointed to public disclosure of private facts, which generally involves giving publicity to private information in a way that’s highly offensive and not of legitimate public concern.
That analogy struggled too. Session replay, as alleged here, wasn’t pleaded as “publicity” to the public at large. And the plaintiff didn’t identify the sort of embarrassing, intimate facts traditionally protected by that tort. The court’s message was blunt: don’t bring a “nuclear” privacy tort to a “mild analytics” fact pattern and expect the standing requirement to blink first.
“The statute was violated” is not a free pass
The Ninth Circuit also rejected the idea that a legislature can automatically make any statutory violation “concrete” for Article III purposes. Even when a statute protects privacy interests, federal courts still look at the plaintiff’s actual circumstances and whether her alleged injury resembles a traditionally actionable harm.
Bottom line: without allegations tying session replay to a concrete, personal harm (rather than generalized concerns), the courthouse door stays closed.
What This Means for Session Replay “Wiretap” Lawsuits Going Forward
Standing is the new bouncer at the door
For businesses, Popa is a powerful reminder that a complaint needs more than “a tool existed and it collected stuff.” Plaintiffs may increasingly try to plead facts showing:
- Capture of sensitive content (medical, financial, passwords, SSNs, full addresses, payment details)
- Actual misuse of information (identity theft, fraud, targeted harassment)
- A privacy invasion that resembles classic “highly offensive” intrusion
- Disclosure that is meaningfully “public” or otherwise widely disseminated
If a plaintiff can plausibly allege those specifics, the standing analysis may look very different. But where the allegations describe ordinary shopping interactions without meaningful sensitivity or misuse, standing can be a major hurdle.
Federal vs. state court: the strategy split
Standing is a federal constitutional requirement. Some session replay cases get filed in or moved to federal court; others stay in state court depending on claims, parties, and procedural posture. A standing loss in federal court doesn’t necessarily answer every question about whether a practice violates a state wiretap statute; it just means the plaintiff didn’t establish the kind of injury needed for federal jurisdiction.
Practically, that creates a chessboard: defendants may push toward federal court where standing scrutiny is intense, while plaintiffs may look for paths that keep claims alive under state procedures and state-law theories.
How This Decision Fits with Other Ninth Circuit Website-Tracking Cases
It’s tempting to read one opinion and declare “session replay lawsuits are over.” They’re not. The Ninth Circuit’s recent decisions show a more nuanced landscape: some tracking-related claims get trimmed; others survive, especially when pleadings focus on real-time interception and third-party access.
Mikulsky v. Bloomingdale’s: CIPA claim revived (but not intrusion)
In Mikulsky v. Bloomingdale’s, the Ninth Circuit held the complaint plausibly alleged a violation of California’s CIPA Section 631(a) based on real-time capture of the contents of communications and involvement of session replay code providers. Notably, the court still affirmed dismissal of an intrusion upon seclusion claim for failure to plead a “highly offensive” violation. That’s a theme: statutory claims may survive while common-law tort claims face a high bar.
Thomas v. Papa John’s: “direct party” exception mattered
In Thomas v. Papa John’s, the Ninth Circuit rejected a CIPA Section 631 theory where the plaintiff primarily alleged the company itself “eavesdropped” on its own conversation. Under California law, a party generally can’t be liable for eavesdropping on its own communications unless the claim is framed as aiding a third party’s interception. The court also rejected the intrusion claim for not being “highly offensive.”
Put those decisions next to Popa, and you get a practical map: (1) standing matters in federal court; (2) the identity and role of the “third party” matters under wiretap-style statutes; and (3) common-law intrusion claims demand allegations that are truly “highly offensive,” not merely “I dislike being tracked.”
Practical Compliance Playbook for Businesses Using Session Replay
If you run a website and your analytics stack includes session replay (or you’re not sure and now you’re sweating), here’s how to reduce risk without turning your website into a pop-up carnival. (This is general information, not legal advice.)
1) Inventory your tracking tools like it’s tax season
Many organizations have tracking creep: marketing tags, A/B testing scripts, customer support widgets, and replay tools added over time. Start with a real inventory:
- Which pages run session replay?
- Which vendor(s) provide it?
- What events are captured (clicks, keystrokes, form fields)?
- Is any data routed to third parties beyond the vendor?
2) Use masking and data minimization: on purpose, not by accident
One of the most litigation-sensitive issues is whether session replay captures typed text in forms, especially if users enter sensitive data. Many tools offer masking modes (for example, default settings that mask certain fields). But “available” is not the same as “enabled,” and “enabled” is not the same as “correctly configured.”
- Mask password, payment, and account fields by default.
- Mask address fields where full addresses aren’t necessary for replay analysis.
- Consider disabling keystroke capture entirely on high-risk pages (checkout, login, health-related forms).
- Audit with test submissions: confirm what the vendor actually receives.
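As an added example (not code from the article, from Microsoft Clarity, or from any replay vendor), here is a small client-side masking policy and audit helper in JavaScript that applies the rules above to captured input events before they leave the browser. The field descriptors and events are constructed sample data, and the sensitivity heuristics are assumptions a site would tune to its own forms.

```javascript
// Added example: pre-send masking for session-replay input events, plus an
// audit helper for the "test submission" check. Heuristics and sample data
// are constructed for illustration, not taken from any vendor's SDK.

const SENSITIVE_TYPES = new Set(["password", "tel", "email"]);
const SENSITIVE_NAME_RE = /(pass|card|cvc|cvv|ssn|social|account|routing|address|street|zip|postal|health|diagnos)/i;
const SENSITIVE_AUTOCOMPLETE_RE = /^(cc-|street-address|address-line|postal-code|one-time-code|current-password|new-password)/;

// Classify a field as sensitive from its type, autocomplete hint, name and id.
function isSensitiveField(field) {
  if (SENSITIVE_TYPES.has((field.type || "").toLowerCase())) return true;
  if (SENSITIVE_AUTOCOMPLETE_RE.test(field.autocomplete || "")) return true;
  return SENSITIVE_NAME_RE.test(field.name || "") || SENSITIVE_NAME_RE.test(field.id || "");
}

// Replace a captured value with same-length bullets: the replay still shows
// that typing happened (useful for UX analysis) without carrying the text.
function maskValue(value) {
  return "•".repeat(value.length);
}

// Sanitize a batch of captured events before transmission to the vendor.
// On high-risk pages, free-text areas are masked wholesale too, because
// users type personal details into "comments" boxes that no field list names.
function sanitizeEvents(events, { highRiskPage = false } = {}) {
  return events.map((ev) => {
    if (ev.type !== "input") return ev;
    const mustMask = isSensitiveField(ev.field) || (highRiskPage && ev.field.tag === "textarea");
    return mustMask ? { ...ev, value: maskValue(ev.value), masked: true } : ev;
  });
}

// Audit: count input events that still carry a sensitive value in the clear.
// Run it over the batch the replay script is about to send (or a captured
// request body) during a test submission; the expected result is zero.
function countUnmaskedSensitive(events) {
  return events.filter((ev) => ev.type === "input" && !ev.masked && isSensitiveField(ev.field)).length;
}

// Constructed sample: a checkout-page capture before sanitization.
const SAMPLE_EVENTS = [
  { type: "click", target: "#submit" },
  { type: "input", field: { tag: "input", type: "text", name: "promo_code" }, value: "SPRING10" },
  { type: "input", field: { tag: "input", type: "text", name: "card_number", autocomplete: "cc-number" }, value: "4111111111111111" },
  { type: "input", field: { tag: "input", type: "password", name: "pw" }, value: "hunter2" },
  { type: "input", field: { tag: "textarea", name: "order_notes" }, value: "deliver after my chemo appointment" },
];

const cleaned = sanitizeEvents(SAMPLE_EVENTS, { highRiskPage: true });
console.log("unmasked sensitive before:", countUnmaskedSensitive(SAMPLE_EVENTS)); // 2
console.log("unmasked sensitive after:", countUnmaskedSensitive(cleaned)); // 0
```

The audit deliberately checks the outgoing event batch rather than the masking configuration, since the page's point is that "enabled" and "correctly configured" are not the same thing.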
3) Align consent and disclosures with what the tool truly does
“By using this website you agree to our terms” is not a magic spell. Plaintiffs often argue they never meaningfully consented to interception or third-party access. Stronger approaches include:
- Clear privacy notice language that describes session replay and similar analytics tools in plain English.
- Consent mechanisms where required (especially if you operate in jurisdictions with stricter rules).
- Just-in-time disclosure on pages where users enter sensitive info (short, clear, not a novel).
4) Vendor contracts should match your privacy posture
If session replay is being attacked as “third-party interception,” your vendor relationship matters. Work with counsel to evaluate:
- Data processing terms and restrictions on vendor use of captured data
- Security controls and retention limits
- Whether the vendor acts as a service provider/processor vs. independent third party
- Audit rights and incident notification obligations
5) Prepare your “litigation reality” file now
If a demand letter arrives, you’ll want to quickly answer: what ran, when, where, what data was captured, and under what settings. Maintain:
- Tag management logs and change history
- Configuration documentation (masking rules, exclusions)
- Data maps and retention schedules
- Records of consent flows and notice versions
What Consumers Should Know (Without Needing a Law Degree)
Session replay is not automatically sinister, but it can feel creepy when it’s invisible. If you’re privacy-conscious:
- Use browser privacy controls and tracker protections where available.
- Be cautious about entering sensitive information into unfamiliar sites.
- Look for privacy notices that explain analytics practices clearly (vague = not great).
- Remember: “data collected” doesn’t always mean “data publicly shared,” but it can still move across vendors.
Experiences From the Trenches: Real-World Session Replay Reality
Talk to people who build and run websites, and you’ll hear the same story in different accents: session replay started as a helpful flashlight and quickly became a lawsuit-shaped shadow. Product teams love it because it turns abstract metrics into something you can actually see. “Why are users dropping off?” becomes “Oh, the ‘Submit’ button is hiding under the sticky chat widget on mobile.” That’s not a philosophical privacy debate; that’s a bug with a name tag.
But in practice, session replay can also expose how messy real websites are. Engineers discover that a form field wasn’t flagged as sensitive, so text input gets captured when it never should. Marketing teams add a new script through a tag manager on Friday afternoon (an act of bravery and/or chaos), and nobody updates the privacy notice until someone in compliance notices it three quarters later. And sometimes, teams assume the tool masks everything, until a replay shows a user typing something personal into a “comments” box that wasn’t on the sensitive-field list. The tool didn’t “hack” anything; it faithfully did what it was told. The problem was the instructions.
On the legal side, companies describe a familiar cycle: a demand letter arrives alleging “wiretapping,” the business scrambles to figure out exactly what data was captured, and the internal debate begins. One camp says, “It’s just analytics.” Another says, “It records keystrokes; how is that not content?” Then someone asks the question that matters most: “What did it capture on our site, for our users, under our settings?” That’s where many disputes live or die. Courts don’t want a category-level panic; they want specifics.
Meanwhile, consumers’ experiences are equally mixed. Most people never notice session replay exists, until they see hyper-relevant remarketing, or they learn through a news story that “web tracking” can include detailed behavior. Some users feel violated by the idea of being watched, even if the data is pseudonymous. Others shrug and say, “As long as you’re not recording my password, fine.” That difference in expectations is a big reason why transparent disclosure matters: what feels “normal” to a UX team can feel like a hidden camera to a shopper.
The most effective organizations respond in a very unglamorous way: they build guardrails. They disable replay on sensitive flows, tighten masking, shorten retention, and treat tracking like a system that needs governance, because it is. The irony is that these changes often improve the product, too. When you minimize captured data, you reduce risk and reduce noise. And in a world where lawsuits love ambiguity, “we know exactly what we collect and why” is a surprisingly strong superpower.
Conclusion: The Takeaway in Plain English
The Ninth Circuit’s rejection of the session replay wiretap class action is a wake-up call for both sides. Plaintiffs can’t rely on broad “this feels like wiretapping” allegations and expect to clear the Article III standing bar in federal court. Defendants, however, shouldn’t treat the decision as a universal shield. The more a session replay implementation captures sensitive content, or the more it looks like a third party is reading the “contents” of communications in real time, the riskier the fact pattern becomes.
The practical middle path is simple (and yes, a little boring): know your tools, minimize what you capture, configure masking correctly, and be honest with users about what’s happening. Because in 2026, “we didn’t know the script was doing that” is not a defense; it’s an audition for the next complaint.
