CIPA Compliance: California Invasion of Privacy Act and Website Eavesdropping Risks
If your website has a live chat widget, a session replay tool, a Meta Pixel, or Google Analytics, you may already be a target.
Since 2022, plaintiffs’ firms have filed an estimated 50,000 to 100,000 or more claims under the California Invasion of Privacy Act, a 1967 wiretapping statute that has been repurposed to attack the routine tracking technologies that most marketing and product teams deploy without a second thought. The statutory damages of $5,000 per violation, available without proof of actual harm, make CIPA an attractive vehicle for mass litigation. SB 690, the California bill that would have curbed the most opportunistic filings, stalled in 2025 and will not take effect before 2027 at the earliest. No statutory safe harbour currently exists. This guide explains what CIPA is, why websites are in the crosshairs, which technologies create exposure, and the practical steps that materially reduce legal risk.
What Is the California Invasion of Privacy Act (CIPA)?
CIPA was enacted in 1967 in response to advances in surveillance technology. The California Legislature designed it to protect residents from eavesdropping on private communications, modelled on federal wiretapping prohibitions. For most of its history, CIPA governed telephone interception and recording: it was the law that required businesses to announce “This call may be recorded for quality assurance” before capturing a phone conversation.
The statute’s modern relevance to websites stems from two provisions, and from a series of court decisions beginning around 2020 that extended both to digital communications. The plaintiffs’ theory is straightforward: when a user types a search query, enters a live chat message, or navigates a page while a tracking script is running, that user is engaged in a “communication.” Any third party that intercepts or captures that communication in real time without the user’s consent is, on this reading, committing the same offence that CIPA was originally designed to prohibit. The theory has had mixed success in court, but it has survived dismissal in enough cases to sustain an enormous volume of claims.
Why Websites Are Being Sued Under CIPA
The litigation surge is traceable to a single inflection point. In 2022, the Ninth Circuit held in Javier v. Assurance IQ that session replay technology can constitute an “interception” under CIPA, significantly expanding the statute’s scope. That decision made CIPA claims against website operators legally viable rather than easily dismissible, and plaintiff firms rapidly developed playbooks for targeting entire industries.
The economics of CIPA litigation are asymmetric. A single website that serves California consumers—and most consumer-facing US websites do—can face $5,000 per violation, with each user session potentially counted separately. Even businesses with defensible positions frequently choose to settle because the cost of early resolution is lower than the cost of discovery and trial. Settling with one claimant, however, does not shield the business from subsequent similar claims and can attract further attention from plaintiffs’ firms monitoring settlement patterns. Businesses of all sizes and industries have been targeted; so have websites operated by companies headquartered outside California and outside the United States.
The latest claims focus specifically on search queries shared with third parties via tracking pixels—arguing that when a user searches a website, those query strings are transmitted in real time to advertising and analytics vendors in violation of CIPA’s wiretap provision. In parallel, claims under CIPA’s pen register provisions (Sections 638.50–638.51) target tracking technologies that record device identifiers, routing information, and browsing behaviour. Understanding CCPA and CPRA consent requirements is the starting point for California website compliance, but CIPA creates distinct and broader exposure that consent management must address specifically.
Key CIPA Provisions Affecting Websites
Section 631 – Wiretapping
Section 631 is the most frequently invoked provision in website tracking litigation. It prohibits three categories of conduct: wilfully intercepting or attempting to intercept any telegraph or telephone wire, or other wire or cable communication; using or attempting to use any machine to intercept a communication; and wilfully aiding, agreeing with, or employing any person to do the above.
The third prong—aiding and abetting—is the one most relevant to website operators. Courts have held that a website owner cannot “eavesdrop” on its own communications, since it is a party to the conversation. The more viable theory is that the website operator aids and abets a third-party vendor (the session replay company, analytics provider, or chat platform) that itself intercepts the communication. This is the framing that survived dismissal in Heerde v. Learfield Communications (C.D. Cal. 2024), where search terms were transmitted in real time to third parties.
A key 2025 development narrows this theory substantially. In Torres v. Prudential Financial (N.D. Cal. April 2025), the court held at summary judgment that CIPA liability requires evidence that a party actually read or attempted to read communication contents while in transit—mere data capture during a session is insufficient. This ruling provides a meaningful defence for businesses using analytics tools configured for post-transmission processing rather than real-time interception.
Section 632 – Recording Confidential Communications
Section 632 prohibits recording a “confidential communication” without the consent of all parties. For websites, this provision has primarily been tested against live chat and customer support tools. The key question courts have examined is whether a chat interaction is a “confidential communication” and whether the service provider recording or transcribing it qualifies as an unauthorised third party. Courts have generally dismissed Section 632 claims where the chat tool is an extension of the website operator itself — as in Byars v. Hot Topic — finding no impermissible third-party involvement. Claims have proceeded where the chat tool transmits conversation content to a genuinely independent vendor platform.
Sections 638.50–51 – Pen Register Provisions
The pen register provisions, added to CIPA in 2015, prohibit installing or using a device that records or decodes electronic or other impulses used to identify the source or destination of communications, without a court order or consent. Plaintiffs have argued that tracking pixels, web beacons, and fingerprinting tools are “pen registers” because they record users’ outgoing communications to a website (the IP address, browsing path, device identifiers). Courts have increasingly pushed back on this framing: two California courts in 2024 and 2025 dismissed pen register claims after finding that IP addresses alone are not “outgoing communications” and that CIPA’s pen register provision does not extend to internet communications as currently written.
Website Technologies Targeted by CIPA Lawsuits
Session Replay Tools
Session replay software (Hotjar, FullStory, LogRocket, and similar tools) records users’ keystrokes, mouse movements, clicks, and page interactions to allow developers and UX teams to replay user sessions. CIPA plaintiffs argue that this recording constitutes interception of communications in real time. The Torres v. Prudential summary judgment ruling provides meaningful relief for businesses where the replay vendor processes data after transmission, but the litigation risk has not disappeared. Any tool that captures search terms, form inputs, or chat content and transmits them to a third-party platform in real time remains more exposed than tools that capture only post-transmission behavioural data.
Chat Widgets and Support Tools
Live chat tools and AI-powered support widgets have been the subject of sustained CIPA litigation. The central question is whether the chat provider is a third party that intercepts communications, or an agent of the website operator. Courts have split on this: where the chat tool operates entirely on behalf of the website with no independent data rights, courts have tended to dismiss claims. Where the chat vendor retains conversation data for its own purposes — to train models, build audience profiles, or share with advertising partners — the third-party interception argument has more traction. Understanding how your chat vendor contractually and technically handles conversation data is an essential step in assessing CIPA exposure from these tools.
Analytics and Marketing Pixels
Google Analytics, Meta Pixel, TikTok Pixel, and similar tools are the current frontline of CIPA pen register litigation. The theory is that these pixels capture users’ outgoing queries and browsing behaviour and transmit that data to third-party servers in real time, functioning as tracking devices on the third party’s behalf. The scope of information collected matters: pixels that capture only page-load events and device metadata have fared better in court than those that capture search terms, form content, or purchase histories. First-party data collection compliance distinguishes clearly between first-party analytics (data flowing to systems you control) and third-party interception (data flowing in real time to external vendors), which is precisely the distinction courts apply under CIPA.
What Counts as “Digital Eavesdropping” Under CIPA
The legal argument in CIPA website litigation rests on characterising a user’s interaction with a website as a “communication” being intercepted by a third party. When a user types a search query into a website’s search bar, the plaintiffs’ theory holds that this is a communication from the user to the website. If a pixel simultaneously transmits that query string to a third-party advertising server before the website itself has received and processed it, the third party has intercepted the communication mid-stream.
Courts applying CIPA to websites have focused on the real-time element as the critical threshold. The statute prohibits interception during transmission — not after. This is why the Torres ruling narrowed session replay liability: data that becomes readable only after storage and reassembly is processed post-transmission, not intercepted during it. The distinction that matters operationally is between tools that fire synchronously with user input (receiving data at the moment of entry) and tools that receive data asynchronously, after the primary server has processed the communication. First-party analytics tools that receive data through your own server — rather than directly from the browser to a third-party endpoint — present meaningfully lower CIPA exposure.
How Consent Affects CIPA Liability
CIPA does not require opt-in consent as an absolute prerequisite for tracking in all circumstances, but consent can defeat CIPA claims as a defence. Courts have dismissed CIPA claims where plaintiffs interacted with a cookie banner, created an account, and made purchases on a site whose privacy policy disclosed the use of tracking technologies, finding that this conduct constituted consent to the data collection at issue.
The key word is “clear.” Generic privacy policy language buried in a footer link, or a cookie banner that accepts all tracking by default without a genuine decline option, has not been treated as obtaining meaningful consent in CIPA litigation. Two patterns that consistently appear in successful CIPA claims are: privacy policies that describe a narrower set of practices than what actually occurs on the site, and cookie banners where some tracking technologies fire before the banner loads or continue firing after the user declines. These facts are specifically used to argue that any nominal consent was uninformed or technically ineffective. Well-designed privacy notices and disclosures that accurately describe all tracking technologies in use, in plain language and at the moment of arrival, are part of a CIPA consent defence — not only a CCPA obligation.
The consent defence has limits. It requires affirmative action by the user, not mere continued use of the site. Courts have been unwilling to find consent through implied acquiescence. And consent obtained through a privacy policy that misrepresents the actual data practices — the “leaky consent” pattern where the disclosure and the technical reality diverge — provides no defence at all.
CIPA Compliance Strategies for Websites
Implement Consent Management That Actually Controls Script Loading
The most common CIPA exposure pattern is not the absence of a cookie banner — it is a banner that appears to offer choice while tracking scripts fire before the user responds, or continue firing after the user declines. A technically compliant consent implementation blocks all non-essential scripts until affirmative user action. Cookie consent automation platforms enforce this by injecting scripts conditionally based on real-time consent state, ensuring that analytics pixels, session replay tools, and advertising trackers only initialise after the user has accepted the relevant category. This is the single control most directly relevant to CIPA exposure.
Audit Your Tracking Technologies
Most organisations do not have a complete, current inventory of the tracking technologies running on their websites. Tag managers, third-party scripts, and plugins added by marketing teams can introduce new trackers without privacy team awareness. A website scanner that identifies all cookies and scripts on a periodic basis, combined with a review of when each fires relative to consent interactions, provides the visibility needed to identify CIPA exposure. Pay particular attention to any tool that captures text input — search queries, form fields, or chat messages — and transmits that content to a third-party endpoint in real time. Understanding cookie compliance includes the distinction between essential and non-essential cookies that determines which technologies require consent before loading.
Control Tag Firing Through Your Tag Manager
Google Tag Manager and similar platforms can be configured to fire tags only after a consent trigger, using consent mode variables that check user preference state before executing any tag. Configuring Google Tag Manager for California compliance ensures that the tags managing your analytics, advertising pixels, and conversion tracking do not fire before the user has responded to the consent banner. This configuration, combined with a correctly implemented consent platform, closes the most common technical gap that CIPA plaintiffs identify.
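The consent-gated loading described in the two sections above, together with the “when did each tag fire relative to consent” check from the audit section, as an added example that is not code from the original page or from any consent platform or tag manager. It assumes a banner that calls `decide()` only on an affirmative click, a `load` callback per tag that would append the `<script>` element in a real browser, and an `observe()` hook fed by a script or network observer; the tag names and the scenario are constructed.

```javascript
// Added example (not code from the original page or any vendor): a minimal consent
// gate that holds non-essential tags until their category is affirmatively accepted,
// plus an audit that flags any tag seen firing before or against that choice.
const CATEGORIES = ["analytics", "advertising", "session_replay", "chat"];

class ConsentGate {
  constructor(now = () => Date.now()) {
    this.now = now;        // injectable clock so audit logs are deterministic in tests
    this.state = null;     // null until the banner is answered; then {category: bool}
    this.pending = [];     // tags registered before a decision
    this.log = [];         // timestamped audit trail of every queue/fire/block event
  }
  // Register a tag with the function that actually loads it (in a browser: create and
  // append the <script> element). Fires at once only if its category was already accepted.
  register(name, category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    const tag = { name, category, load };
    if (this.state && this.state[category]) return this.fire(tag);
    this.pending.push(tag);
    this.record("queued", tag);
    return false;
  }
  // Banner callback: `accepted` lists the categories the visitor affirmatively chose.
  // Continued browsing never calls this, so nothing non-essential runs by default.
  decide(accepted) {
    this.state = Object.fromEntries(CATEGORIES.map((c) => [c, accepted.includes(c)]));
    this.record("decision", { name: "banner", category: accepted.join(",") || "none" });
    const stillPending = [];
    for (const tag of this.pending) {
      if (this.state[tag.category]) this.fire(tag);
      else { this.record("blocked", tag); stillPending.push(tag); }
    }
    this.pending = stillPending;
  }
  fire(tag) {
    tag.load();
    this.record("fired", tag);
    return true;
  }
  // Hook for a script/network observer: a tag that loaded outside the gate (e.g. a
  // snippet pasted into the page head, or a tag-manager trigger with no consent check).
  observe(name, category) {
    this.record("observed", { name, category });
  }
  record(event, tag) {
    this.log.push({ t: this.now(), event, tag: tag.name, category: tag.category });
  }
  // Audit: every fire recorded before the decision, or in a category the visitor declined.
  findings() {
    const idx = this.log.findIndex((e) => e.event === "decision");
    return this.log
      .map((e, i) => ({ ...e, i }))
      .filter((e) => e.event === "fired" || e.event === "observed")
      .filter((e) => idx === -1 || e.i < idx || !this.state[e.category])
      .map((e) => `${e.tag} (${e.category}) fired at t=${e.t} without consent`);
  }
}

// Constructed scenario: two gated tags, one legacy replay snippet that bypasses the
// gate, and a visitor who accepts analytics only.
function runScenario() {
  let tick = 0;
  const gate = new ConsentGate(() => ++tick);
  const loaded = [];
  gate.register("google-analytics", "analytics", () => loaded.push("google-analytics"));
  gate.register("meta-pixel", "advertising", () => loaded.push("meta-pixel"));
  gate.observe("legacy-replay-snippet", "session_replay"); // fires before any decision
  gate.decide(["analytics"]);
  gate.register("chat-widget", "chat", () => loaded.push("chat-widget")); // declined: held
  return { loaded, findings: gate.findings(), log: gate.log };
}
```

In the scenario only the analytics tag loads, the pixel is blocked and the chat widget stays held, and the audit reports the one snippet that fired before the banner was answered, which is exactly the pattern plaintiffs look for in a site's network traffic.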
Review Chat and Session Replay Vendor Contracts
For each chat widget, session replay tool, and embedded analytics product, review the vendor’s data processing terms to determine whether the vendor uses data it receives from your users for its own purposes — model training, audience building, or advertising. Where the vendor has independent data rights to user interaction data, the third-party interception theory has more traction under CIPA. Negotiate contractual limitations on vendor data use, and document that the tool operates purely as your agent with no independent data processing rights. Retain this documentation: it supports the “extension of the website” defence that has succeeded in cases like Byars v. Hot Topic.
Align Privacy Notices With Technical Reality
Privacy policy language that fails to disclose the use of specific third-party tracking vendors, or that describes data practices that are narrower than what the technical implementation actually does, creates a specific litigation risk: it makes the consent defence unavailable because consent to undisclosed practices is not informed consent. Conduct a technical audit of all tracking tools before updating your privacy policy, ensure that the disclosure accurately lists each vendor and its purpose, and update the policy each time a new tracking technology is added. CCPA privacy policy requirements specify the categorical disclosures required under California law, which also inform the baseline of what a court will expect to see in a consent defence.
CIPA vs. Other California Privacy Laws
CIPA and CCPA/CPRA address overlapping but distinct concerns, and compliance with one does not confer compliance with the other. CCPA focuses primarily on transparency and consumer control over the sale and sharing of personal information, requiring businesses to honour opt-out signals and provide Do Not Sell links. It does not generally require opt-in consent for website cookies, and it does not create a private right of action for most tracking activities.
CIPA imposes a stricter standard in the specific context it covers: it prohibits real-time interception of communications without consent, carries a private right of action available to any California resident, and imposes statutory damages per violation without requiring proof of harm. A business can be fully CCPA-compliant and still face CIPA exposure if its tracking technologies fire before consent and transmit user input in real time to third parties. The California privacy law compliance landscape has grown to include both regulatory enforcement under CCPA and private litigation under CIPA, and the two require coordinated compliance programmes that address both simultaneously.
Common Mistakes That Increase CIPA Risk
Loading tracking scripts before the consent banner has rendered is the most prevalent technical failure. In sites with slow-loading consent platforms or scripts injected through tag managers that fire ahead of the consent check, users can generate multiple tracked events before they have seen or interacted with any consent interface. Each of those events is a potential CIPA violation.
Deploying session replay tools that capture form inputs, search queries, or chat content without reviewing whether that content constitutes intercepted communications under CIPA’s real-time standard is another common gap. Not all session replay tools operate the same way: those that capture keystroke data synchronously as users type and transmit it to third-party servers in real time are more exposed than those that capture rendered page states post-interaction.
Relying on a privacy policy alone without a functional consent mechanism is a documented failure pattern in CIPA litigation. Courts have been explicit that a privacy policy accessible through a footer link, without a consent banner that requires the user to acknowledge it before tracking begins, does not establish the clear and affirmative consent that defeats CIPA claims.
Failing to monitor third-party scripts added by marketing platforms, A/B testing tools, or CMS plugins for new tracking behaviour is an operational failure that regularly exposes businesses to claims arising from tools they did not intentionally deploy. Automated website scanning that continuously monitors what scripts are running and when they fire relative to consent events is the operational control that catches these gaps before plaintiffs do.
What Businesses Should Expect From CIPA Litigation
Most CIPA matters begin with a demand letter from a plaintiffs’ firm asserting violations and demanding settlement. Demand amounts are typically calibrated to be attractive relative to the cost of litigation rather than to any realistic assessment of per-violation damages. Ignoring demand letters is not a viable strategy: non-response can result in an actual lawsuit being filed and may compromise procedural rights.
CIPA claims that proceed to litigation expose businesses to statutory damages of $5,000 per violation, without proof of harm. In class action contexts, damages can quickly reach extraordinary amounts when multiplied across website visitors. The majority of claims settle before litigation, but settlement does not preclude additional claims from other plaintiffs or law firms, and early settlements at favourable terms can attract follow-on demand letters from other firms.
The best current risk reduction strategy is technical remediation before claims arrive. Businesses that can demonstrate — through consent logs, tag manager configuration records, and vendor contracts — that their tracking technologies fire only after affirmative consent and that third-party vendors have no independent data rights are positioned to defend claims successfully and to resist settlement pressure.
FAQ
What is the California Invasion of Privacy Act?
CIPA is a 1967 California statute originally designed to prohibit telephone wiretapping. It has been applied by courts to digital tracking technologies, making it one of the most heavily litigated privacy statutes in the United States. It provides for private lawsuits and statutory damages of $5,000 per violation without proof of actual harm.
Why are websites being sued under CIPA?
Because most commercial websites deploy third-party tracking tools — analytics, advertising pixels, session replay, chat widgets — that arguably intercept user communications in real time and transmit them to third-party servers. Plaintiffs’ firms have developed mass-claim strategies that target this routine practice across industries, relying on CIPA’s private right of action and per-violation statutory damages to create settlement pressure.
Does CIPA apply to websites outside California?
CIPA applies to communications involving California residents, regardless of where the website operator is located. Any website that serves California consumers is a potential CIPA target. Non-US companies operating websites accessible to California residents have also received CIPA demand letters.
Can session replay tools violate CIPA?
Potentially, if they capture user input — keystrokes, search queries, form content — and transmit it to third-party servers in real time while the user is typing. A 2025 federal court ruling in Torres v. Prudential held that session replay software that processes data only after transmission does not satisfy CIPA’s real-time interception element, narrowing liability for at least some implementations. Tools that capture data synchronously during input remain more exposed.
How can websites reduce CIPA risk?
The primary technical control is ensuring that all non-essential tracking scripts — analytics, advertising, session replay, chat tools — are blocked from loading until affirmative user consent is obtained. Supporting controls include accurate privacy policy disclosures that list all tracking vendors, vendor contracts that limit third-party data use, and ongoing website scanning to monitor script firing relative to consent events. These are the practices that support both a consent defence and an “extension of the website” defence to third-party interception claims. CCPA and CPRA consent requirements provide the California-law baseline for what disclosures and consent mechanisms are expected.
Secure Privacy’s consent management platform blocks non-essential tracking scripts until consent is obtained, logs consent decisions with timestamps for audit defence, and scans your website for cookies and trackers automatically.