What Is CIPA? The California Invasion of Privacy Act and Website Tracking, Explained

CIPA is a 1967 California wiretapping law now used to sue websites over pixels and trackers. Learn what it prohibits, what it costs, and how to protect your site.


by Riad Us Salehin • 5 July 2026


CIPA (the California Invasion of Privacy Act) is a 1967 state wiretapping law, Penal Code Sections 630 to 638. It requires every party's consent before a communication is recorded or intercepted. Plaintiffs now apply it to websites running pixels, chatbots, cookies, or session replay tools without prior consent, exposing site owners to $5,000-per-violation lawsuits.

Below: what CIPA actually bans, why a decades-old wiretapping law is suddenly a website liability, what it costs, and how to protect your site.

What Is the California Invasion of Privacy Act (CIPA)?

CIPA is a California statute enacted in 1967, codified at Penal Code Sections 630 to 638, that makes California an all-party consent state. It prohibits intercepting, recording, or eavesdropping on a confidential communication unless every party involved consents first.

All-party consent means a website visitor counts as a party to the communication. A third-party script, such as an ad pixel or a session replay tool, can capture that visitor's activity without consent. When that happens, the website itself can be treated as the eavesdropper's accomplice. That reframing is the entire basis of the modern CIPA lawsuit wave.

Why Is a 1967 Wiretapping Law Suddenly Suing Websites?

Plaintiffs' firms have repurposed CIPA's wiretapping language to challenge routine web tracking. They argue that a pixel, cookie, or session replay script firing before consent is an unauthorized interception. That is the same legal theory CIPA was written to stop for telephone calls.

CIPA filings have climbed sharply since 2022 as this tracking-technology theory spread through California and federal courts. The pattern is consistent: a single serial plaintiff and firm send mass demand letters to any site running a pixel, then escalate to class-action complaints.

One e-commerce owner described a plaintiff demanding $25,000 over "a couple pixels" that fired before their cookie banner loaded. The same plaintiff had 20 other suits pending against brands including JC Penney and New Balance.

The technical trigger is often a tag a site owner does not actively manage. In the same case, the owner traced one flagged pixel to an app deactivated for at least three years. It still fired through Google Tag Manager without anyone noticing. Old, abandoned trackers are as legally dangerous as active ones.

A reform bill, SB 690, would exempt routine commercial tracking from CIPA's private right of action. It passed the California Senate unanimously in 2025 but stalled in the Assembly, and was designated a two-year bill.

Its own sponsor paused it over "outstanding concerns around consumer privacy," and the Electronic Frontier Foundation and ACLU oppose it. SB 690 is not law as of mid-2026, so CIPA exposure for website trackers remains fully in force.

CIPA is one of several website tracking lawsuits reshaping how sites handle consent. The wave of the Meta Pixel lawsuits is the single most common CIPA fact pattern plaintiffs cite.

What Does CIPA Actually Prohibit? The Key Sections

CIPA's website-tracking exposure comes from three Penal Code sections, each targeting a different mechanism.

SectionWhat it prohibitsWhy it matters to websites
631Intentional wiretapping or unauthorized interception of a communicationPlaintiffs argue a site "aids and abets" a third-party vendor that intercepts visitor data
632Eavesdropping on or recording a confidential communication without all-party consentApplied to chat transcripts, form inputs, and session recordings a visitor expects to stay private
638.51Installing or using a pen register or trap-and-trace device without consent or a court orderPlaintiffs argue tracking scripts and fingerprinting tools function as a pen register

Section 631: Wiretapping and the "Aiding and Abetting" Theory

Section 631 bars intentionally tapping or intercepting a communication without authorization. Its text reaches four acts. These are tapping a line, reading a message in transit without consent, using information so obtained, and aiding anyone who does. That fourth prong is the website theory's hook. Plaintiffs argue the site aids and abets a third-party vendor, such as a pixel operator. That vendor intercepts the visitor's data as it passes through the page. Courts remain split on how far this theory reaches ordinary marketing tags.

Section 632: Eavesdropping on Confidential Communications

Section 632 prohibits recording a confidential communication without every party's consent. Plaintiffs apply it to chatbots, live chat transcripts, and session replay tools that capture keystrokes or form entries. A visitor reasonably expects that data to stay private between them and the site.

Section 638.51: The "Pen Register" Theory for Trackers

Section 638.51 bars installing or using a pen register or trap-and-trace device without consent or a court order. That technology captures routing or addressing data rather than message content.

In Greenley v. Kochava (S.D. Cal. 2023), a federal court let a Section 638.51 claim proceed. It held that software identifying and fingerprinting visitors could plausibly qualify as a pen register.

Courts have since split hard on how far that ruling reaches. In Licea v. Hickory Farms (2024), a California court distinguished Greenley. It ruled that a plain IP address is not the "unique fingerprinting" that made Greenley's tracker a pen register. Near-identical claims now win in one court and lose in the next.

The split runs by court, by data type, and by how the injury is pled. A New York federal court let a CIPA claim against CNN proceed. A California federal court dismissed a nearly identical claim against USA Today. Some judges found IP, device, and browser data too generic to be private; others let claims over credit-card or medical data advance.

Other courts have dismissed session-replay claims outright, reasoning the pen-register provisions were built for telephone surveillance, not commercial websites. Treat the theory as active and genuinely contested, not a guaranteed loss for either side.

Which Website Technologies Trigger CIPA Lawsuits?

Any script that sends a visitor's activity to a third party before consent can trigger a CIPA claim. The technologies named most often in filings are:

  • Tracking pixels, including the Meta Pixel, TikTok Pixel, Microsoft Bing tag, and LinkedIn Insight Tag
  • Third-party advertising and analytics cookies that share visitor data across domains
  • Session replay tools, such as Hotjar, FullStory, Microsoft Clarity, and LogRocket, that record clicks, scrolls, and form input
  • Chatbots and live chat widgets that log visitor messages
  • Browser fingerprinting scripts that identify a device without a cookie
  • Keystroke monitoring scripts that capture what a visitor types before form submission
  • Google Analytics (GA4) configured to share data with Google Ads

Named cases track this list closely. A session replay lawsuit accused Papa John's of violating both the federal Wiretap Act and CIPA over session-recording software. In Camplisson v. Adidas (S.D. Cal. 2025), the plaintiff based a Section 638.51 claim on two specific tags: the TikTok Pixel and a Microsoft Bing tracker.

Related questions about whether Google Analytics is legal under GDPR overlap heavily with this CIPA exposure. The same tag that raises GDPR questions in the EU raises CIPA questions in California.

How Much Can a CIPA Violation Cost? Statutory Damages and the Private Right of Action

CIPA carries a private right of action under Section 637.2: statutory damages of $5,000 per violation, or three times actual damages, whichever is greater. No proof of financial harm is required. That per-violation math is what makes CIPA class actions and demand letters financially attractive to file.

CIPA also carries criminal exposure, with fines up to $10,000 and potential jail time. The civil private right of action is what drives the current website lawsuit wave, since any visitor can sue without government involvement.

The danger is the multiplication. At $5,000 per violation, a class of a few thousand California visitors implies tens of millions in theoretical exposure. That leverage is what pushes defendants to settle.

Settlement amounts still vary widely by case size and defendant leverage. One small merchant reported settling a single CIPA claim for $1,500, while large-media class settlements have been reported in the eight-figure range. Treat any single settlement figure as a data point, not a benchmark for your own exposure.

Who Does CIPA Apply To? (Even If You Are Not in California)

CIPA reaches any business whose website is used by California residents, regardless of where the business itself is based. If your site runs trackers and California visitors can reach it, you carry CIPA exposure even as an out-of-state or international company.

This scope hits e-commerce stores, lead-generation sites, healthcare portals, and any site running a pixel or chat widget particularly hard. None of those categories require a California office to draw a claim.

Agencies managing several client sites face compounding exposure: one analytics consultant reported that four separate clients received CIPA demand letters within a single stretch. That pace shows how fast this risk multiplies across a multi-site book of business.

How Is CIPA Different from the CCPA?

CIPA and the CCPA are separate California laws that address different moments in the data lifecycle. CIPA governs interception at the point of collection; the CCPA governs what happens to data after it is collected.

DimensionCIPACCPA
Origin and focus1967 wiretapping law; protects confidentiality of communications in transit2018/2020 consumer-data-rights law; governs access, deletion, and opt-out
Consent modelRequires prior, affirmative, all-party consent before tracking beginsOpt-out model; tracking is allowed until the visitor says stop
EnforcementBroad private right of action, $5,000 per violation, any California visitor can suePrimarily enforced by the California Attorney General and the California Privacy Protection Agency; private right limited to specific data breaches, $100 to $750 per consumer

Fixing one does not fix the other. A compliant CCPA opt-out banner does not satisfy CIPA's prior-consent requirement. That gap is why sites with a working cookie banner still receive CIPA demand letters over pixels that fired before a visitor clicked it.

How Do You Protect Your Website from a CIPA Claim?

A cookie banner alone does not satisfy CIPA. Trackers must be blocked until the visitor gives prior, explicit consent, since the Ninth Circuit held in Javier v. Assurance IQ that consent must come before tracking starts, not after. Retroactive consent does not cure a violation that already happened.

To reduce CIPA exposure:

  1. Inventory every pixel, cookie, chat tool, and session-replay script running on the site, including ones added through a tag manager
  2. Block non-essential cookies, scripts, and iframes until the visitor gives consent, not just display a banner alongside active trackers
  3. Get explicit, prior opt-in consent from California visitors before any non-essential tracker fires
  4. Make consent specific and logged, so you can prove the timing and scope of what a visitor agreed to
  5. Disclose any chat or session-recording tool clearly before it captures input, and play a "this call may be recorded" warning before any recorded phone call, since Section 632 covers telephone recording too
  6. Review vendor contracts, limiting data retention and allocating liability for any interception a marketing or analytics vendor performs on your behalf
  7. Keep a current cookie policy and privacy policy that matches what actually runs on the site
  8. Re-scan the site regularly, since a script added months ago by a developer or a now-deactivated app can still fire and still count as a violation

This is general compliance information, not legal advice; a lawyer should review any active demand letter or claim.

How Consently Helps You Get Consent Before Tracking Fires

Consently closes the exact gap that produces most CIPA exposure: having a banner is not the same as blocking trackers until a visitor consents. Consently's cookie auto-blocking stops non-essential cookies, scripts, and iframes from loading until that consent exists, so a pixel cannot fire a moment early.

The platform pairs that blocking with a prior-consent, GDPR-style opt-in banner. Consent logs timestamp exactly what each visitor agreed to and when, giving you an audit trail if a claim ever surfaces.

Consently also scans your site on a recurring schedule. That catches the same kind of stray, forgotten pixel that turns an otherwise-compliant site into a CIPA target.

This is general information, not legal advice; pair it with counsel if you receive an actual demand letter. Start free and get consent in place before trackers fire.

FAQs

What is CIPA in simple terms?

CIPA is California's 1967 wiretapping law, Penal Code Sections 630 to 638. It bans recording or intercepting communications without everyone's consent, and courts now apply it to websites that track visitors without prior consent.

What are the elements of a CIPA claim in California?

A plaintiff must show a confidential communication was intercepted, recorded, or eavesdropped on without all-party consent. Under Section 631, that includes tapping a line, reading a message in transit, using what was obtained, or aiding anyone who does.

Can you sue someone in California for invading your privacy under CIPA?

Yes. CIPA gives any affected person a private right of action under Section 637.2, with no government involvement required. A California visitor can sue a website directly over trackers that fired before they consented.

What are the statutory damages for a CIPA violation?

CIPA's private right of action allows $5,000 per violation, or three times actual damages, whichever is greater. Section 637.2 requires no proof of harm.

Does CIPA apply to my business if I am not in California?

Yes, if California residents can reach your site and you run trackers. Courts have allowed CIPA claims against businesses based entirely outside California when their websites serve California visitors.

Is a cookie banner enough to be CIPA compliant?

No. A banner that still lets pixels and scripts fire before a visitor consents does not satisfy CIPA. The Ninth Circuit's Javier ruling requires prior consent, so trackers must stay blocked until the visitor consents, not just display alongside a banner.

What is a CIPA demand letter and should I be worried?

A CIPA demand letter is a pre-suit letter, often from a serial-plaintiff firm, demanding payment over tracking technology on your site. It is common and not a verdict, but ignoring it is a mistake; fix your consent setup and consult counsel.

What is the statute of limitations for a CIPA claim?

A civil CIPA claim generally must be brought within one year of discovering the alleged violation.

Does CIPA only apply to the Meta Pixel?

No. Cookies, the TikTok Pixel and other ad pixels, session replay tools, chatbots, keystroke monitoring scripts, and fingerprinting tools have all drawn CIPA claims.

Is the California Invasion of Privacy Act the same as the Children's Internet Protection Act?

No. Both abbreviate to CIPA, but the Children's Internet Protection Act is a separate federal law requiring internet filters in schools and libraries. This page covers the California privacy statute that affects any commercial website.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.