On February 10, 2025, the Northern District of California denied Google’s motion to dismiss in Ambriz et al. v. Google LLC, a putative class action alleging that Google Cloud Contact Center AI (“GCCCAI”) violated the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 631(a) and 637.5. Businesses that provide AI customer service software should be aware that mere capability to use collected communications (regardless of actual use) may be enough for plaintiffs to withstand motions to dismiss.
Background
GCCCAI provides AI customer service support to other businesses through a “virtual agent,” which can directly interact with callers or support human agents through call transcripts, suggestions, and “smart replies.” Plaintiffs alleged that they spoke with both a virtual agent and human agent when making customer service calls to businesses that used GCCCAI, and didn’t consent to Google transcribing or analyzing the call.
Cal. Penal Code § 631(a) Claims
Plaintiffs first alleged that Google violated Section 631(a) of CIPA by intentionally wiretapping and willfully attempting to learn the contents of a communication in transit.1 Google argued four defenses, each of which the Court rejected.
Defense One: Google is not an “unauthorized” third party.
Courts within the Ninth Circuit have used two tests for applying Section 631(a) to software services that allegedly wiretapped conversations—the “extension test” and the “capability test.” The “extension test” is a higher standard: plaintiffs must allege that the software vendor used the acquired data for its own independent purpose.2 On the other hand, the “capability test” is more permissive and only requires a plaintiff to show that the vendor has the ability to use intercepted data for its own purposes.3
The Ambriz court decided that the capability test is the proper application of Section 631(a) because there is already a use requirement in one of Section 631(a)’s discrete clauses, and it wouldn’t be proper to impute that requirement to the rest of the section. Applying the test, the court held that the complaint created a “plausible inference” that Google has the capability to use the data it collects – Google’s Terms disclose that it may use data collected on customer service calls for its own purposes with permission from the business client.
Defense Two: The alleged conduct was not taken by a “person.”
Google asserted that Plaintiffs failed to state a claim because their allegations stated that GCCCAI, not Google, committed the acts at issue, and GCCCAI is not a “person.” The Court summarily rejected the argument, concluding that as a corporation, Google is legally a “person” that acted through its technology.
Defense Three: Plaintiffs failed to allege the interception was in transit.
The second clause of Section 631(a) prohibits “read[ing], or attempt[ing] to read, or to learn the contents or meaning of any message . . . while the same is in transit” without consent. The Court concluded that Plaintiffs satisfied this requirement through allegations that Google “monitors the state of the conversation, identifies caller intent in real-time, transcribes calls in real time, and grabs context of the conversation to suggest real-time . . . guidance.”
Defense Four: Cellphone calls are different from wire, line, or cable.
Google focused on language in the statute that prohibits a connection “with any telegraph or telephone wire, line, cable, or instrument,” arguing that it wasn’t clear how Plaintiff made the calls at issue. However, the Court pointed out that Section 631(a) also covers “unauthorized connection[s]” with “telephone . . . instrument[s].” The Court explained: “[a]ll smartphones have a telephonic component,” and “other courts analyzing” the section “have focused on whether the conduct at issue uses the ‘internet capabilities’ or ‘telephonic capabilities’ of a device.” Opinion at 8.4 According to the Court, eavesdropping necessarily implicates telephonic capabilities.
The Court further held that reading Section 631(a) to apply narrowly to landline calls would be inconsistent with the legislature’s intent to protect privacy interests and California courts’ approach to apply statutes to new technologies. 5
Cal. Penal Code § 637.5 Claims
Section 637.5 of CIPA prohibits “any person receiving subscriber information from a satellite or cable television corporation” from observing or recording events or conversations that take place inside a subscriber’s residence without consent. Section 637.5(a)(1), (h). Plaintiff Ambriz alleged that Google used GCCCAI to eavesdrop on his calls with his cell service provider in violation of this section. Google raised three arguments for why the complaint failed to allege a § 637.5 claim, each of which the court rejected.
First, the Court rejected Google’s defense that the provider is not a “satellite or cable television corporation” based on other courts’ conclusion that it is such a provider under CIPA.
Second, the Court rejected Google’s assertion that “subscriber information” means the same thing as “individually identifiable information,” and that Plaintiff did not allege what information was communicated during his calls. The Court disagreed because Section 637.5(a)(2), which defines “individually identifiable information,” is a separate provision from the one Ambriz alleged Google violated. Further, the Court explained that “[i]t is more reasonable to assume that the legislature intended ‘subscriber information’ to be a more general term than the more specific defined term ‘individually identifiable information.’” Because customer service calls “generally require an individual to share some form of information to identify their account, such as name, phone number, or account number,” the Court concluded that Ambriz plausibly alleged Google shared his subscriber information by disclosing information about those calls to a third party.
Third, the Court dismissed Google’s defense that the call did not take place “inside a subscriber’s residence” because Ambriz alleged he called his cell service provider from his home.
Implications
The more permissive capability standard for CIPA claims endorsed by this Court makes it more likely that companies providing or using AI for customer service purposes may find themselves in a challenging litigation position. Companies should therefore make sure they understand exactly when and how such technology is being deployed, including what type of consent is obtained from consumers.
- Tavernetti v. Superior Ct., 22 Cal. 3d 187, 191, 583 P.2d 737 (1978). ↩︎
- See Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal. 2021) (holding that Fullstory acted as an extension of Noom and not as a third party where FullStory did not receive an independent benefit). ↩︎
- See Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023) (holding that ActiveProspect was a third party where it had the capability to use user data for its own benefit). ↩︎
- See Cody v. Ring LLC, 718 F. Supp. 3d 993, 999 (N.D. Cal. 2024); Mastel v. Miniclip SA, 549 F. Supp. 3d 1129, 1134 (E.D. Cal. 2021). ↩︎
- See Cal. Penal Code § 630; Matera v. Google Inc., No. 15-cv-04062LHK, 2016 WL 8200619 (N.D. Cal. Aug. 12, 2016). ↩︎
