AI Voice Products Subject to California Invasion of Privacy Claims

As the debate simmers about the proper application of the wiretapping provisions of the California Invasion of Privacy Act (CIPA), courts continue to weigh in on what technologies may constitute improper third-party wiretaps. On February 10, 2025, the Northern District of California denied a motion to dismiss in Ambriz v. Google, LLC and held that the definition of a third-party wiretap under CIPA extends to AI voice products that have the “capability” to use data for the benefit of the software provider. The court adopted the expansive reasoning in a prior decision from the Northern District of California in Javier v. Assurance IQ, LLC. Businesses that use or are considering using third-party AI voice and similar AI products to aid in customer service interactions should be aware of Ambriz’s potential implications.

The Alleged Invasion of Privacy & Google’s Motion to Dismiss

The plaintiffs in Ambriz alleged that Google eavesdropped on conversations that they had with customer service contact centers of other companies (such as a large home improvement retail chain and nationwide cellular telephone service provider) that were using the Google Cloud Contact Center AI (GCCCAI) service. According to the complaint, the GCCCAI service is a “virtual agent for callers to interact with” that “can also support a human agent” through (a) recording and sending a real-time transcript of the callers’ conversations with the GCCCAI, and (b) managing the customer service session by providing guidance, suggestions, and “smart replies” to the human agent based on the call transcript. The plaintiffs contended that Google used the GCCCAI service to intercept and record their communications with other businesses without proper consent, thereby violating CIPA’s prohibition against third-party wiretaps.

Google moved to dismiss the complaint on several grounds. Among other arguments, Google asserted that: (i) it is not a participant in any calls and simply provided a tool (like a tape recorder) to its business customers and thus should not be considered a third-party interceptor under CIPA; (ii) it did not use any collected data to train its AI model, which it could only do with permission of its business customers; (iii) the complaint alleges that the software (and not Google) engaged in the underlying wiretap, and the software is not a “person” within the meaning of CIPA; (iv) the complaint did not allege that Google read any communication “in transit”; and (v) plaintiffs failed to allege the use of a telephone or wire line.

The Court’s Decision

On February 10, 2025, the court denied Google’s motion to dismiss on all grounds. The court held that plaintiffs sufficiently alleged that (i) Google, through its GCCCAI service, engaged in the wiretap and was a “person” under CIPA Section 631(a); (ii) Google learned of the content of the communications either before or simultaneously with the business customer and thus read the contents while “in transit”; and (iii) smartphones satisfy CIPA’s wire line component because they are a telephone instrument. The court also rejected Google’s arguments that it merely provided a third-party tool to its customers, was not a party to the communication, and did not train its AI model on any data collected. In so holding, the court discussed the split of authority on the extension versus the capability test under CIPA.

The “Extension Test” Versus the “Capability Test”

In holding that Google was a party to the communication, the court reasoned that the use of the GCCCAI without the plaintiffs’ consent violated CIPA because GCCCAI had the “capability” to record that information on behalf of a third party, Google. The court discussed the differences between the two predominant tests that courts have applied when interpreting whether a third-party service is a wiretap under CIPA.

The court first considered the “extension test” based on the holding in Graham v. Noom, Inc., 533 F. Supp. 3d 823 (N.D. Cal. 2021), which held that a third-party technology service is not a wiretap in instances where the third-party software provider does not actually receive the data from the communication. Under the test articulated in Graham, the software provider is “simply acting as an extension” of the website or service itself and not as a separate party.

The court next discussed what it called the “capability test,” as described in Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891 (N.D. Cal. 2023), which held that a third-party software provider violates CIPA whenever its technology has the “capability to use the user data to its benefit, regardless of whether or not it actually did so.” The Ambriz court followed the reasoning in Javier, emphasizing that the mere potential for a service provider to exploit intercepted data for its own benefit is sufficient to classify it as a third party under CIPA.

Applying the “capability test” to the GCCCAI service, the court held that, at the pleadings stage, the plaintiffs had sufficiently alleged that Google was a third-party wiretapper. The court found that the plaintiffs plausibly alleged that Google’s GCCCAI service had the “capability” to use “the wiretapped data it collects…to improve its AI/[machine learning] models.” In so holding, the court rejected Google’s contention that it did not use the data to train its model absent consent from its business customers and that the complaint did not allege that it did use the data to train its model. The court reasoned that the allegation that Google had the “capability” to do so was enough to plead a violation of the statute, regardless of whether Google actually used the data the GCCCAI was recording for its own benefit.

Looking Ahead

Ambriz adds to the uncertainty over the permissible use of certain technologies with respect to CIPA and whether actual use of customer data is required for a violation. Overall, this ruling has significant implications for technology companies that provide AI support and similar AI products to communication services. The decision serves as a reminder that possessing the technical “capability” to intercept communications may be enough to subject companies to legal scrutiny, even if they merely function as service providers for other businesses and do not access the recorded data for their own benefit. Technology providers should carefully assess their roles and capabilities in handling user communications to ensure compliance with CIPA, including by disclosing the use of the technology and obtaining the consent of both parties to the communication.

 

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.