A Domino’s customer may proceed in her putative class action for violations of the California Invasion of Privacy Act (CIPA) against ConverseNow for its provision of an AI virtual assistant that processes restaurant telephone orders. In Taylor v. ConverseNow Technologies, Inc., Case No. 25-cv-00990-SI, 2025 WL 2308483 (N.D. Cal. Aug. 11, 2025), the Court held that a communication software provider that could potentially improve its software with collection of communications was plausibly violating CIPA even though it had an agreement with the business receiving the communications. This ruling serves as a cautionary note to both software companies and – because of potential aiding and abetting liability – companies that use those technologies.

Case Background

According to the complaint, ConverseNow provides AI voice assistants to clients like Domino’s to answer calls and process orders. Plaintiff Eliza Taylor alleged she called Domino’s to place a delivery order, was routed to ConverseNow’s virtual assistant without notice, and then provided personally identifiable information (including her payment information and delivery address). Taylor alleged “ConverseNow has the capability to use caller communications” to improve its products and develop new ones. Taylor brought claims under CIPA, seeking statutory damages for herself and a putative class.

CIPA is an anti-wiretapping statute that imposes criminal and civil penalties. Cal. Penal Code §§ 631(a), 632(a).  Section 631(a) prohibits, among other things, (1) unauthorized wiretapping, (2) intercepting the contents of any wireline communication, or (3) using or attempting to use any information so obtained. Section 637.2 authorizes a private right of action and imposes statutory damages of at least $5,000 per violation without requiring proof of actual damages.

Court Adopts Capability Test To Uphold CIPA Claims Against Software Provider

Critically, CIPA exempts parties to a conversation from liability. In other words, both Taylor and Domino’s could “intercept” communications with each other or use a tape recorder to record communications. ConverseNow moved to dismiss on this basis, arguing that its AI voice assistant was simply an extension of its client, Domino’s, who was a party to the conversation.

The Taylor Court disagreed and held that ConverseNow was an intercepting third party and not covered by the exemption for Domino’s. The Court discussed two different approaches adopted by California federal courts: the “extension” test and the “capability” test. 

Under the extension test, a software provider is not liable under CIPA where it is a tool used by a party to the communication (akin to a tape recorder) and does not use communication for the software provider’s own purposes. 

Under the capability test, whether the software provider did use the communication for the software provider’s own purposes is irrelevant; the inquiry is whether the software provider had the capability to use the communication for its own purposes. 

Citing “[a] growing number of district courts,” the Taylor Court adopted the capability test as the better interpretation of CIPA. Applying the capability test, the Court held that Taylor sufficiently alleged ConverseNow is a third party based on its capability and actual use of data from customers’ calls “to improve its own product.”

After concluding that ConverseNow was a third party to the conversation, the Court quickly disposed of the defendant’s other CIPA arguments. The Court found that there were sufficient allegations of “interception” because Taylor did not realize her phone call was connected to a party other than Domino’s. Taylor’s complaint also satisfied the intent element of CIPA because it alleged that ConverseNow’s business model depended on recording conversations. Finally, the Court held that plaintiff alleged a “confidential” conversation for purposes of a Section 632 claim by alleging disclosure of her personally identifiable information and personal financial information.

Conclusion

Not all decisions addressing CIPA claims have reached similar outcomes – many in fact have been dismissed. However, as this decision demonstrates, CIPA poses significant risk for software providers and website operators, particularly when it comes to training AI models using real human interactions. Moreover, all businesses using or developing AI-powered platforms to provide services to customers should also take this ruling under consideration. Although AI software providers may primarily offer tools for their customers to use, state wiretapping laws like CIPA can extend liability to providers themselves based on the software’s capabilities. Given the proliferation of AI across industries – and state efforts to regulate its use – additional litigation activity is anticipated going into 2026. Privacy World will keep you in the loop on further developments in this space. Stay tuned.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.


This fall, a federal court in California granted summary judgment in favor of a website operator for alleged violations of the California Invasion of Privacy Act (CIPA). In its decision, the Court emphasized that it was “virtually impossible” to apply CIPA to internet communications and urged the California legislature to “step up” and “speak clearly” about how internet activity should be treated under the statute in light of a deluge of claims that have been filed recently against website operators.


Over the past year, there has been an explosion of lawsuits targeting website analytics and tracking tools. One recent decision brought businesses another victory in challenging lawsuits alleging violations of the California Invasion of Privacy Act’s (CIPA) prohibition against use of “pen registers” and “trap and trace devices.” Cal. Penal Code § 638.51. In that ruling, a federal judge in the Central District of California dismissed one such lawsuit, holding that the claim could not be asserted in federal court.


In early October, a federal court in the Northern District of Illinois refused to dismiss privacy litigation brought against a healthcare website operator for claims under the Electronic Communications Privacy Act (ECPA). The court held that the plaintiff plausibly alleged that Defendant violated the Health Insurance Portability and Accountability Act (HIPAA) by revealing to a third party that she clicked on the login button to the healthcare provider’s patient portal, and, as a result, disclosed her individually identifiable healthcare information—even though no third-party data collection tools were installed on the patient portal itself. Hartley v. Univ. of Chi. Med. Ctr., Case No. 22-cv-5891, 2025 WL 2802317 (N.D. Ill. Oct. 1, 2025). However, at the same time, the court dismissed certain claims arising out of Plaintiff’s use of a “find-a-physician feature,” rejecting the full scope of Plaintiff’s theories. On balance, this decision unfortunately broadens the scope of potential liability under the ECPA and will likely result in ECPA suits being brought against website operators in the healthcare sector.


Earlier this fall, the United States Court of Appeals for the Second Circuit undermined a strategy often used by the plaintiff’s bar in privacy claims: the threat of mass arbitration fees. In a decision reversing the district court, the Second Circuit held that the petitioners cannot use the Federal Arbitration Act (FAA) to compel arbitration on the basis that a business failed to pay arbitration fees. This decision adds to a growing body of precedent that courts cannot compel a business to pay arbitration fees, which, as discussed previously here on Privacy World, can total in the thousands or millions of dollars in the event of mass arbitration.

Case Background

The case arose out of large-scale layoffs that took place at Twitter (now X Corp.) after its acquisition by Elon Musk in 2022.  Thousands of terminated employees who had signed arbitration agreements as part of their contracts brought arbitration actions against Twitter.

The employees argued that, under the applicable JAMS guidelines, a respondent business like Twitter must pay all arbitration fees other than the initial filing fees. Twitter argued that the arbitration fees should be split pro rata under the terms of the employment contracts. JAMS sided with the employees and refused to appoint an arbitrator until the fees were paid. The employees then filed a petition in the Southern District of New York under section 4 of the FAA seeking “an order compelling Twitter to pay all ongoing fees for their arbitrations.” The district court sided with the employees and ordered Twitter to pay all of the disputed fees. Twitter appealed.

Second Circuit Reverses Lower Court’s Ruling on Fees, Finding That a Contrary Holding Would Undermine Purpose, Goals of Arbitration

The Second Circuit reversed the district court’s ruling. The Court started by recognizing that the FAA only allows a court to compel arbitration where there has been a “failure, neglect, or refusal” to arbitrate. 9 U.S.C. § 4. The Court then cited a body of caselaw holding that procedural issues beyond arbitrability—including waiver, delay, and forum-specific defenses—“are presumptively not for the judge, but for an arbitrator, to decide.” Putting these threads together, the Court reasoned that the payment of fees is merely a procedural issue that must be decided and enforced by an arbitration panel and not a “failure, neglect, or refusal” to arbitrate. In reaching this result, the court cited the Third, Fifth, Ninth, and Eleventh Circuits, which have reached similar conclusions.

Supporting its reasoning, the Second Circuit stated that the employees’ position would undermine “the twin goals of arbitration, namely, settling disputes efficiently and avoiding long and expensive litigation.” Without the FAA, the employees’ remedy for non-payment is “to [ask] JAMS to use the tools available to it to resolve the procedural [issue] as it sees fit – even if that ultimately means terminating the arbitrations.”

This case gives businesses in the Second Circuit an extra line of defense when facing large fees from mass arbitration—and offers persuasive authority for defendants litigating in other forums.  

Even so, companies should stay vigilant and carefully review the language in existing arbitration agreements to make sure their potential exposure to mass arbitrations in the first place is minimized. This is particularly so given the recent abuse of mass arbitration as a procedural mechanism by the plaintiff’s bar to bring frivolous or unsupported claims, particularly in the area of consumer privacy.

Privacy World will keep you in the loop on further developments in mass arbitration.  Stay tuned.


Did we miss you on November 20th for our Navigating the App Store Age Verification Laws webinar? Not to worry! A recording is available.

Watch Kyle Fath, Partner (Los Angeles), in a webinar discussion with Hailun Ying (Head of PrivSec Legal, Roblox) and Amy Lawrence (Head of Legal, Chief Privacy Officer, SuperAwesome), where we dove into the burning topics that are (or should be) top of mind for app stores and companies that own or operate mobile apps.

December 3, 2025, at 10:00 am – 5:00 pm ET

National Business Institute is holding a live webinar “Business Data Privacy and Cybersecurity Tool Kit” on December 3rd. Join Julia Jacobson, Partner (New York) and Matthew Flora, Managing Director for the Ankura Consulting Group, LLC, for the following sessions:

II. Identifying Vulnerabilities: Business Data Audits 11:00 am ET

VI. Breach Response and Incident Reporting: What to Do First and Next 2:45 pm ET


December 8, 2025, at 1:00 pm ET

Join Alan Friel, Partner (Los Angeles) and Lydia de la Torre, Of Counsel (Palo Alto) on the panel for “Essential Elements of a Privacy Notice for Connected Devices” at PLI California (455 Market Street, San Francisco) as part of PLI’s Advanced Internet of Things 2025: Deeper Dive, Practical Wisdom program.

January 7, 2026, at 1:00 pm ET

Join Alan Friel, Partner (Los Angeles), Kyle Fath, Partner (Los Angeles), and Jennifer Oliver, Shareholder with Buchanan Ingersoll & Rooney PC, for “New California Cybersecurity and Data Privacy Laws,” a Strafford Live CLE Webinar.

February 20, 2026 at 10:00 am – 1:15 pm ET

Join Julia Jacobson, Partner (New York) and the National Business Institute for a live webinar discussion on “Data Security: A Business Attorney’s Guide.” Julie will be speaking at the following sessions:

I. “Core Data Security Concepts and Current Laws” 10:00 am ET

IV. “Breach Response and Litigation” 12:30 pm ET


On November 13, 2025, the Government of India formally brought into effect the much-awaited Digital Personal Data Protection Rules, 2025 (Rules). The Rules enforce the Digital Personal Data Protection Act, 2023 (DPDP Act) and provide practical guidance on how to comply with certain provisions of the DPDP Act. Together, they implement binding legislation that regulates the management of digital personal data[1] in and from India.


We have previously covered the recent changes to the California Consumer Privacy Act (CCPA) regulations, and summarized the changes companies need to make to be 2026-ready under them and other state consumer privacy laws that have recently or will soon become effective.  In a recent guidance document, CalPrivacy highlights “seven things businesses should know and prepare for,” which are:


On January 1, 2026, the first of four state app store age verification laws – which are relevant regardless of your target audience – will come into effect. Join us for a webinar discussion on Thursday, November 20 at 1PM ET/10AM PT with Hailun Ying (Head of PrivSec Legal, Roblox), Amy Lawrence (Head of Legal, Chief Privacy Officer,  SuperAwesome), and Kyle Fath (Partner, Squire Patton Boggs) where we’ll dive into the burning topics that are (or should be) top of mind for app stores and companies that own or operate mobile apps.  Among other things, we plan to cover:

  1. Age assurance requirements and parental consent obligations for app downloads, purchases, and in-app purchases
  2. Requirements to refresh parental consent upon making privacy, monetization, and other “significant changes” to your apps
  3. Restricting minors from downloading apps
  4. Privacy compliance and other regulatory impacts of receiving age information from app stores
  5. Liability and safe harbors (including Utah’s private right of action with statutory damages)
  6. App store technical documentation and implementation requirements for developers
  7. Legal challenges to Texas’ law


CLE credit available in AZ, CA, NJ, NY, OH, PA, and TX.

In the meantime, for more information on these laws, see the detailed FAQ we recently published on Privacy World.