Notably, the court reinforced a key principle from other recent cases: Metadata, standing alone, is not enough to support a CIPA wiretap claim.
In some positive news for companies facing privacy claims over marketing and tracking technologies, Judge Haywood S. Gilliam Jr. of the Northern District of California has dismissed a putative class action brought under the California Invasion of Privacy Act (CIPA) against the Gap Inc. The case, Ramos v. The Gap, Inc., No. 4:23-cv-04715-HSG, challenged Gap’s use of Bluecore Inc.'s email marketing technology, which tracks whether a customer opens a marketing email, clicks a link and later interacts with the website. The court's ruling, issued on July 29, 2025, adds to the growing body of federal precedent pushing back on expansive interpretations of Section 631(a) of CIPA in the digital context.
The plaintiff, Efren Ramos, alleged that Gap embedded unique URLs and tracking pixels in its promotional emails through its vendor, Bluecore. When users clicked a link in the email, they were momentarily routed through Bluecore’s servers before landing on Gap’s website—a process Ramos claimed enabled unlawful “interception” of communications. He also alleged that Bluecore captured metadata such as device type, IP address and user behavior on the Gap website, including clickstream activity.
The court rejected these claims on multiple grounds. Judge Gilliam emphasized that the portion of Section 631(a) prohibiting wiretaps over “telegraph or telephone wire” does not apply to internet-based communications like those at issue here. Applying that clause to digital technologies, the court explained, would stretch the statute far beyond its original scope and intent.
The court also found that the data allegedly collected—such as URLs and device information—did not constitute the “contents” of a communication under CIPA. Instead, this type of metadata falls outside the statute’s protections. Notably, the court reinforced a key principle from other recent cases: Metadata, standing alone, is not enough to support a CIPA wiretap claim.
Gap also prevailed on another core issue: It was a party to the communication. Because Section 631(a) targets unauthorized third-party eavesdropping, a company that initiates the communication (like Gap sending its own marketing emails) cannot be held liable under this provision. Plaintiffs often try to get around this rule by alleging that the vendor—in this case, Bluecore—acted as an independent “third-party interceptor.” But here, the court found those allegations conclusory and unsupported. It rejected the claim that Bluecore was a separate eavesdropper rather than a vendor acting on Gap’s behalf.
Judge Gilliam dismissed the complaint without leave to amend, signaling that the deficiencies were not curable. That’s significant. It reflects judicial skepticism toward applying Cold War-era wiretap laws to modern online marketing tools—and it’s a reminder that plaintiffs face an uphill battle when their CIPA claims rest on vague or speculative allegations.
This decision offers a helpful roadmap for companies facing similar claims involving email marketing platforms, session replay tools, pixels or analytics tags. It confirms that metadata is not protected content and that vendors acting on behalf of a company are unlikely to be considered third-party eavesdroppers under CIPA. In a crowded landscape of privacy litigation, Ramos is another step toward clearer boundaries.
For More Information
If you have any questions about this Alert, please contact J. Colin Knisely, Michael S. Zullo, any of the attorneys in our Website Accessibility and Privacy Compliance Litigation Group, any of the attorneys in our Technology, Media and Telecom Industry Group or the attorney in the firm with whom you are regularly in contact.
Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.