[co-author: Juliette West]
- Dismissing a putative nationwide class action against Samba TV, Inc., a California federal court recently held that CIPA and CDAFA do not apply extraterritorially, preventing nonresidents from invoking these laws to challenge conduct occurring outside California.
- The court also rejected the three nonresident Plaintiffs’ other common law and statutory privacy claims as implausible.
- The decision is welcome news for businesses operating in (and outside) California and establishes clear boundaries in a hotly contested area of the law.
On October 30, 2025, the U.S. District Court for the Northern District of California dismissed a putative nationwide class action filed by three residents of North Carolina and Oklahoma against California-based Samba TV, Inc. DellaSala v. Samba TV, Inc. was one of dozens of such putative class actions pending in California federal courts asserting broad and novel “privacy” claims and seeking crippling amounts of statutory damages.
Samba TV provides content personalization software deployed in TVs, smartphones and tablets, using information collected from users’ onscreen viewing habits to inform future content recommendations. Plaintiffs alleged that Samba TV’s technology was installed on their smart TVs, and that it allowed Samba TV to “intercept unique identifiers,” such as their IP addresses, without their consent in violation of (1) the California Invasion of Privacy Act (CIPA), Cal. Penal Code §§ 631, 632, 638.50, 638.51; (2) the Comprehensive Computer Data Access and Fraud Act (CDAFA), Cal. Penal Code § 502; and (3) the federal Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710.
In an opinion from Judge Jacqueline Scott Corley, the court dismissed the case on jurisdictional (and other) grounds, never reaching the merits of Plaintiffs’ claims. At the heart of the court’s dismissal was its finding that protection under both CIPA and CDAFA was intentionally restricted to California residents and directed at conduct within the state. Emphasizing that both laws reflected “express legislative intent” to limit their application to Californians, the court rejected Plaintiffs’ argument that the statutes’ inclusive language, including phrases such as “any person” or “any owner or lessee,” permitted nonresidents to bring claims thereunder. Thus, the court explained that to invoke CIPA’s and CDAFA’s protections, nonresidents like Plaintiffs “must allege conduct in” California. Crucially, because Plaintiffs’ own allegations contradicted any notion that the alleged interceptions or uses of data took place in-state, their claims were not permitted by CIPA or CDAFA.
The court also dismissed Plaintiffs’ common law intrusion upon seclusion claim premised on vague assertions that Samba TV’s interception of personal information from their smart TVs—including IP addresses and other unspecified data associated with a unique “SambaID” for each household and device—constituted an invasion of privacy. The disclosure of information like Plaintiffs’ IP addresses, “without more,” did not amount to the “highly offensive” private disclosures required under common law. Relying on the Ninth Circuit’s recent decision in Popa v. Microsoft Corp., 153 F.4th 784 (9th Cir. 2025), the court concluded that Plaintiffs failed to identify the disclosure of any “embarrassing, invasive, or otherwise private information” such as “sensitive medical or financial” data.
Finally, Judge Corley agreed with Samba TV that it was not a “video tape service provider” under the VPPA given its limited role as an alleged data collector. In dismissing Plaintiffs’ VPPA claim, the court explained that, by Plaintiffs’ own allegations, Samba TV did not directly connect users to any video content or even facilitate access to video content but instead solely collected data.
Key Takeaways
CIPA, a statute that permits uncapped statutory damages of $5,000 per violation, has become one of the most litigated privacy laws across the country in recent years, with hundreds of consumer class actions alleging CIPA violations filed in the past three years alone. Some courts have expressed doubts about the ability of out-of-state residents to sue under CIPA, but Samba TV finally provides a clear roadmap for dismissal on this ground (and others).
At the same time, we fully expect that courts will continue grappling over when and how to apply this 60-year-old statute drafted and intended to prevent unauthorized wiretapping before the Internet age. Recent legislative attempts to stem the tide of claims brought under this statute have stalled in committee, with the recent fizzling of Senate Bill 690, which would have given businesses the right to conduct routine website business practices without fear of misdirected CIPA claims.
