By John M. Jackson and Shannon Wright
Claimants are reviving a 1960s-era wiretapping law to challenge common website tracking tools – including pixels, session replay, chat widgets, and more.
Data privacy and compliance professionals navigate an increasing number of U.S. and international regulations related to consumer data privacy and data security. Nearly 20 U.S. states now have comprehensive consumer data privacy laws,[i] with three more states’ laws set to take effect on January 1, 2026.[ii]
So, it may come as a surprise that the last three years have seen an explosion of data privacy claims related to a 1960s wiretapping statute.
The California Invasion of Privacy Act (CIPA) was enacted in 1967 “to protect the right of privacy of the people of this state” by focusing on “eavesdropping upon private communications,” i.e., wiretapping.[iii] Among other things, CIPA bans wiretapping, eavesdropping, or recording private communications, and the use of pen register or tap and trace devices.[iv]
CIPA also grants a private right of action with damages of $5,000 per violation, or three times the plaintiff’s actual damages, whichever is greater.[v] This feature distinguishes CIPA from the California Privacy Rights Act (CPRA),[vi] which only permits a private right of action for certain data breaches.[vii] Significantly, courts have determined that so long as the website user is in California, CIPA extends even to companies based entirely outside of California.[viii]
While it might seem like CIPA has no place in the modern world of wireless phones and communications, particularly when California has its own comprehensive consumer data privacy law in the CPRA, plaintiffs (and several courts) have viewed the matter differently. In particular, CIPA’s broad private right of action, and potential for class-based claims[ix] present the lure of a potentially substantial recovery for plaintiffs and their attorneys.
In the last few years, courts evaluating California law have generally been responsive to plaintiffs’ arguments to expand CIPA to cover technology far beyond its wiretapping origins.
Hundreds of cases have been filed over the past three years claiming statutory damages under CIPA. Recently, plaintiffs have successfully survived motions to dismiss complaints addressing widely used website technologies, including:
Software developer kits (SDK)[x]
Third-party tracking pixels and software[xi]
“Fingerprinting” software[xii]
Cookies and identity profiles[xiii]
Application programming interfaces (API)[xiv]
Website analytics[xv]
Conversation intelligence software-as-a-service (SaaS)[xvi]
While there have been many lawsuits filed alleging CIPA violations, it is likely that many more such claims have proceeded to arbitration, or settled before litigation commenced in response to a demand letter, neither of which would be matters of public record. In fact, there is hardly a week that goes by that we do not receive an inquiry from a business that has received a CIPA-complaint letter.
In its 2025–26 regular session, the California Legislature considered a bill that would have carved out from CIPA liability personal information processed for a commercial business purpose,[xvii] but that bill has stalled in committee,[xviii] and its future is unclear.
CIPA’s specific applicability to a website will, as always, be driven by state law and company-specific factors, including but not limited to the technology used and its implementation. But the caselaw highlights certain best practices that can help to mitigate this risk.
Audit Website Technologies. Websites are constantly evolving, particularly in response to new technologies that enhance the customer experience and improve business outcomes. As business needs change, technologies used to meet those needs change, too. So it is good business practice to undertake a regular review of those technologies with the twin goals of ensuring alignment with applicable data privacy laws and regulations and with business needs.
Coordinate with Third-Party Vendors. At least one of CIPA’s provisions permits aiding-and-abetting liability,[xix] and plaintiffs have not shied away from bringing claims against both website owners and their third-party vendors. As a result, it is important for companies to look critically not only at their own website technologies but also at those of any third-party vendors to ensure alignment with company goals, including any considerations of potential indemnity, and applicable laws and regulations.
Review and Revise Website Privacy Policies and Terms and Conditions. Given the constant evolution of website technology and data privacy regulations, privacy policies and terms and conditions must be frequently reviewed and updated as well, both to conform to the ever-changing legal landscape and to make sure that your company’s disclosures accurately reflect your business and data privacy practices.
Review and Enhance Consent Frameworks. Caselaw supports that consumer consent is the gold standard to defend against CIPA and similar claims.[xx]
Recent caselaw demonstrates that consent is typically established through some type of affirmative action by the user after receiving notice of the website’s terms or policies. For example, requiring a user to agree to the website’s terms or policies to create an account[xxi] or make a purchase,[xxii] even if those policies cannot be read within the time allotted by the website’s checkout timer. Even an explicit notice to each user that continuing past the current page meant they agreed with the site’s terms could establish consent if the user then continued past that page,[xxiii] though one court declined to enforce such terms when the text was smaller than, and generally blended in with, the rest of the site.[xxiv] In short, sufficient notice and affirmative action are critical.
Other common practices may not be enough to establish consent. For example, courts have rejected the following as establishing consent:
Mere existence of terms of service and privacy policies[xxv]
Policies that did not disclose the specific type of information collected, even if users were required to agree to those policies, which disclosed that “some data would be collected”[xxvi]
Policies “buried at the bottom of the page or tucked away in obscure corners of the website”[xxvii]
A “conspicuous hyperlink on every page” but otherwise “no notice to users nor prompt[]” to take any action to show consent[xxviii]
As always, the best offense is a good defense. As demonstrated by the caselaw, following the above practices of reviewing technology usage, coordinating with vendors, revising privacy policies and terms and conditions, and reviewing and enhancing consent practices may provide a company with a strong response to a CIPA demand letter or claim.
[i] Cal. Civ. Code § 1798.100 (California); Colo. Rev. Stat. § 6-1-1308(5) (Colorado); Conn. Gen. Stat. § 42-520(a)(3) (Connecticut); Del. Code tit. 6, § 12D-106(a)(3) (Delaware); Fla. Stat. § 501.71(1)(b) (Florida); Iowa Code § 715D.4(1) (Iowa); Md. Code Ann., Com. Law § 14-4707(B)(1)(II) (Maryland); Minn. Stat. § 325M.16 (Minnesota); Mont. Code § 30-14-2812(1)(b) (Montana); Neb. Rev. St. § 87-1112(1)(b) (Nebraska); N.H. Rev. Stat. § 507-H:6(I)(c) (New Hampshire); N.J. Stat. Ann. § 56:8-166.12(a)(3) (New Jersey); Or. Rev. Stat. § 646A.578 (Oregon); Tenn. Code Ann. § 47-18-3305(a)(3) (Tennessee); Tex. Bus. & Com. Code Ann. § 541.101(a)(2) (Texas); Utah Code § 13-61-302(2) (Utah); Va. Code Ann. § 59.1-578(A)(3) (Virginia).
[ii] Ind. Code § 24-15-4-1(3) (Indiana); Ky. Rev. Stat. § 367.3617(1)(c) (Kentucky); R.I. Gen. Laws § 6-48.1-4(b) (Rhode Island).
[iii] Cal. Penal Code § 630.
[iv] Id. §§ 631, 632, 638.51.
[v] Id. § 637.2.
[vi] Cal. Civ. Code § 1798.100.
[vii] Id. § 1798.150.
[viii] Zarif v. Hwareh.com, Inc., 789 F. Supp. 3d 880, 898 (S.D. Cal. 2025).
[ix] See, e.g., Frasco v. Flo Health, Inc., 349 F.R.D. 557, 588 (N.D. Cal. 2025) (certifying a California subclass for claims brought under CIPA section 632).
[x] Greenley v. Kochava, Inc., 684 F. Supp. 3d 1024, 1050 (S.D. Cal. 2023) (rejecting defendant’s argument than an SDK was not a pen register).
[xi] E.g., Camplisson v. Adidas Am., Inc., No. 25-CV-603-GPC-KSC, 2025 WL 3228949, at *1, 7 (S.D. Cal. Nov. 18, 2025) (“[M]ost cases in this and other districts have also recognized that website-based trackers can plausibly constitute a pen register.”); In re Meta Pixel Tax Filing Cases, 793 F. Supp. 3d 1147, 1151–55 (N.D. Cal. 2025); Shah v. Fandom, Inc., 754 F. Supp. 3d 924, 927, 930–31 (N.D. Cal. 2024); Rodriguez v. Autotrader.com, Inc., 762 F. Supp. 3d 921, 925, 929–30 (C.D. Cal. 2025); Lesh v. Cable News Network, Inc., 767 F. Supp. 3d 33, 40–42 (S.D.N.Y. 2025).
[xii] Moody v. C2 Educ. Sys. Inc., 742 F. Supp. 3d 1072, 1074–76 (C.D. Cal. 2024) (rejecting defendant’s argument that TikTok “fingerprinting” software was not a pen register).
[xiii] Riganian v. LiveRamp Holdings, Inc., 791 F. Supp. 3d 1075, 1080–81, 1090–94 (N.D. Cal. 2025).
[xiv] Doe v. Tenet Healthcare Corp., 789 F. Supp. 3d 814, 836–840 (E.D. Cal. 2025).
[xv] Smith v. Google, LLC, 735 F. Supp. 3d 1188, 1193, 1196–1200 (N.D. Cal. 2024).
[xvi] Tate v. VITAS Healthcare Corp., 762 F. Supp. 3d 949, 952–59 (E.D. Cal. 2025).
[xvii] S.B. 690, 2025–26 Leg., Reg. Sess. (Cal. 2025).
[xviii] SB-690 Crimes: Invasion of Privacy, Cal. Legis. Info., https://leginfo.legislature.ca.gov/faces/billHistoryClient.xhtml?bill_id=202520260SB690 (last visited Nov. 25, 2025).
[xix] Cal. Penal Code § 631(a).
[xx] E.g., Turner v. Nuance Commc’ns, Inc., 735 F. Supp. 3d 1169, 1177 (N.D. Cal. 2024).
[xxi] Lakes v. Ubisoft, Inc., 777 F. Supp. 3d 1047, 1054–55 (N.D. Cal. 2025); Fteja v. Facebook, Inc., 841 F. Supp. 2d 829, 835, 841 (S.D.N.Y. 2012).
[xxii] Washington v. Flixbus, Inc., No. 3:25-cv-00212, 2025 WL 159296, at *3–5 (S.D. Cal. June 5, 2025).
[xxiii] Lee v. Ticketmaster L.L.C., 817 F. App’x 393, 394–95 (9th Cir. 2020); Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1177 (9th Cir. 2014) (collecting cases).
[xxiv] India Price v. Carnival Corp., 712 F. Supp. 3d 1347, 1357–59 (S.D. Cal. 2024).
[xxv] Smith v. Google, LLC, 735 F. Supp. 3d 1188, 1196 (N.D. Cal. 2024).
[xxvi] In re Meta Pixel Tax Filing Cases, 724 F. Supp. 3d 987, 1003 (N.D. Cal. 2024); Calhoun v. Google LLC, 526 F. Supp. 3d 605, 619–23 (N.D. Cal. 2021); Zarif, 789 F. Supp. 3d at 892–93.
[xxvii] Nguyen, 763 F.3d at 1177 (collecting cases).
[xxviii] Id. at 1178–79.
The opinions expressed are those of the authors and do not necessarily reflect the views of the firm, its clients, or any of its or their respective affiliates. This article is for informational purposes only and does not constitute legal advice. For additional assistance please contact John M. Jackson, Shannon M. Wright, or a member of the Cybersecurity, Data Protection, & Privacy practice.
Meet John
John M. Jackson has represented clients in patent litigation and complex commercial litigation matters in federal and state courts throughout the country, and in the International Trade Commission (ITC). He has represented clients in patent infringement lawsuits involving software, internet applications, consumer electronics, oil drilling technology, mechanical devices, chemical compositions, and business methods. In addition to his intellectual property practice, John co-chairs the Firm’s Cybersecurity Litigation Group and counsels clients concerning data privacy issues. He has earned certification as a Certified Information Privacy Professional (CIPP/US) and a Certified Information Privacy Manager through the International Association of Privacy Professionals.
Meet Shannon
Shannon Wright is an attorney in the Houston Trial & Appellate Litigation practice. She assists businesses in resolving commercial disputes including breach of contract, breach of fiduciary duty, fraud, and negligence. During her time as a summer associate at the firm, Shannon handled research and analysis for various stages of commercial litigation in cases involving liability for injuries to independent contractors, UDJA, adverse possession, discrimination/retaliation, and service mark infringement. She also served as a judicial intern for federal judges Alfred H. Bennett (Southern District of Texas) and Gregg J. Costa (Fifth Circuit Court of Appeals) in 2020.