
California Invasion of Privacy Act (CIPA): Lawsuits + Penalties

Osman Husain 5/15/26 4:52 PM

What is the California Invasion of Privacy Act (CIPA)?

The California Invasion of Privacy Act (CIPA) is a wiretapping statute dating back to 1967 that now applies to website tracking technologies. Under CIPA, websites must obtain prior, explicit consent before any third-party tool captures or transmits user data. Violations carry statutory damages of $5,000 per violation, or 3x actual damages, whichever is greater.

Lawsuits filed under the California Invasion of Privacy Act have sharply increased since a landmark 2022 ruling that opened the floodgates. Plaintiff law firms have aggressively targeted routine marketing tools that most businesses install without a second thought. The $5,000 statutory penalty per violation, available without any proof of actual harm, makes CIPA one of the most powerful privacy statutes in the United States.

California Senate Bill 690, which would have created a safe harbour for websites, stalled in 2025 and will not take effect before 2027 at the earliest. No statutory protection against CIPA lawsuits currently exists.

This guide explains what CIPA is, which sections apply to websites, which technologies create legal exposure, how CIPA differs from the CCPA, and the practical steps you can take today to reduce your risk.

 

What is the California Invasion of Privacy Act?

The California Invasion of Privacy Act (CIPA) is a 1967 California state wiretapping statute, codified at Cal. Penal Code §§ 630 to 638.55, which prohibits intercepting or recording any communication without the consent of all parties. 

 

When was CIPA passed?

The California Invasion of Privacy Act was passed in 1967 and codified at California Penal Code §§ 630 to 638.55. It was originally designed to address telephone wiretapping and electronic eavesdropping. Amendments in 1992 expanded the law to cover cellular and cordless communications, and 2017 amendments added §§ 638.50 and 638.51 covering pen-register devices, which plaintiff firms now use to target modern website tracking technologies.

For most of its history, the law governed phone call recording; it is the statute that requires businesses to announce "this call may be recorded for quality assurance purposes."

Its application to websites is more recent, stemming from a series of court rulings beginning around 2020 that extended CIPA's language to digital communications.

The legal theory behind modern CIPA website claims is straightforward. When a user types a search query, enters information into a form, or interacts with a live chat widget, they are engaged in "communication."

If a third-party tool captures or transmits that interaction in real time before the user has given explicit consent, plaintiff firms argue it constitutes illegal interception under a wiretapping statute.

Critically, CIPA is not limited to companies in California. It applies to any website that California residents can visit, which is effectively every website on the internet.

 

Key CIPA sections that apply to websites

 

Section 631: the wiretapping provision

California Penal Code Section 631 is the most frequently cited provision in website tracking litigation. It prohibits willfully intercepting or reading the contents of any electronic communication without the consent of all parties. The third prong, aiding and abetting a third-party interceptor, is the one most relevant to website operators. Courts have generally held that a website cannot eavesdrop on its own communications, since it is a party to the exchange. The viable theory is that the website aids and abets a third-party vendor that itself intercepts the communication.

The 2022 Ninth Circuit ruling in Javier v. Assurance IQ was the inflection point. The court held that Section 631 applies to internet communications and that consent under CIPA must be prior; a user agreeing to a privacy policy after their data has already been captured does not constitute valid consent. That ruling opened the door to the wave of pixel and session replay lawsuits that followed.

Section 632: confidential communications

Section 632 prohibits recording a "confidential communication" without the consent of all parties. For websites, this provision applies most directly to live chat tools and customer support widgets. Courts have generally dismissed Section 632 claims where the chat tool operates entirely on behalf of the website operator.

Claims have proceeded where the vendor retains independent rights to the conversation data, including for model training, audience building, or advertising. Reviewing your chat vendor's data processing terms is a practical step in assessing exposure here.

Sections 638.50 and 638.51: pen register provisions

The pen register provisions, added to CIPA in 2015, prohibit installing or using a device that records routing or signalling information from electronic communications without a court order or consent. Plaintiffs have argued that tracking pixels and web beacons are "pen registers" because they record device identifiers and browsing paths.

Courts have increasingly dismissed these claims: two California courts in 2024 and 2025 ruled that IP addresses alone are not "outgoing communications" and that CIPA's pen register provisions do not extend to internet communications as currently written. Pen register claims remain in play, but their legal footing is weaker than Section 631 claims.

 

Enzuzo is a Google-certified consent management platform that provides ironclad proof of consent to prevent CIPA claims. We'll guard you against any future demand letters or lawsuits.


 

CIPA at a glance

Enacted: 1967
Statutory damages: $5,000 per violation, no proof of harm required
Who can file: Any California resident (private right of action; no regulator required)
Who is covered: Any website accessible to California residents
Key sections: Section 631 (wiretapping), Section 632 (confidential communications), Sections 638.50-51 (pen registers)
Consent standard: Prior, explicit consent; retroactive consent does not qualify
Legislative safe harbour: None (SB 690 stalled in 2025)

 

Why CIPA lawsuits exploded after 2022

CIPA was a sleepy statute for fifty-five years. From 1967 to 2022, most cases involved phone-call recording disputes that resolved quietly. The wave of website tracking litigation that defines CIPA today did not exist before May 2022.

The Ninth Circuit's ruling in Javier v. Assurance IQ held that consent under § 631 must be obtained before tracking begins, not after. It implied that a user's agreement to a privacy policy post-collection does not constitute valid consent. The decision rewired the economics of CIPA litigation overnight.

Plaintiff firms recognized that any site running Meta Pixel, TikTok Pixel, Google Ads tags, or session replay tools without a true consent gate was exposed. The compliance bar moved from "post-collection disclosure" to "pre-collection opt-in." Most websites had no defensible posture under the new standard.

A small number of firms now drive most CIPA filings: Swigart Law Group, Tauler Smith LLP, Pacific Trial Attorneys, Bursor & Fisher, and Almeida Law Group. Each runs a volume strategy with templated complaints calibrated to settle below litigation defense costs.

Healthcare sites face high exposure. Patient portals, appointment booking flows, and symptom-checker pages combine CIPA risk with HIPAA risk and state-specific health privacy law, producing a triple-statute stack that plaintiff firms target preferentially. Meta Pixel deployments on hospital websites drove several of the largest 2023 to 2024 class action settlements.

 

The CIPA case timeline: 2014 to 2026

CIPA's modern application to websites was not a single ruling. It was twelve years of incremental court decisions that took a 1967 phone-wiretapping statute and stretched it across the modern ad-tech stack.

The arc below shows what changed when, which cases plaintiff firms cite in 2026 demand letters, and where federal and state courts have split on the strongest defense theories.

2014: Before web tracking (Montemayor, Campbell)

Before CIPA was a website problem, it was a call-center and messaging problem. Montemayor v. GC Services LP (S.D. Cal. 2014, 302 F.R.D. 581) applied § 632 to call-center recording, establishing that statutory damages flow from any unconsented interception.

Campbell v. Facebook Inc. (N.D. Cal. 2014, 77 F. Supp. 3d 836) extended the same logic to electronic messaging. Together the two rulings put the building blocks in place for the web-tracking wave to come.

2020: Gruber v. Yelp and In re Facebook open the floodgates

Gruber v. Yelp (Cal. App. 2020, 55 Cal. App. 5th 591) and In re Facebook, Inc. Internet Tracking Litigation (9th Cir. 2020, 956 F.3d 589) marked the turning point. Both held that web-based communications, not just phone calls, could be intercepted or recorded under CIPA.

Plaintiff firms read the rulings as a green light to apply the 1967 wiretap statute to modern ad tech. The volume of CIPA filings against websites began climbing immediately after.

2022: Javier v. Assurance IQ, the prior-consent inflection

The Ninth Circuit's ruling in Javier v. Assurance IQ (No. 4:20-cv-02860-JSW, 2022 WL 1744107, 9th Cir. May 31, 2022) supercharged the theory. Javier held that consent under § 631 must be obtained before tracking begins.

The ruling implied that a user's agreement to a privacy policy after data had already been captured does not constitute valid consent. Every modern CIPA demand letter cites Javier in its opening paragraphs.

2023: Greenley v. Kochava, pen-register theory survives

In Greenley v. Kochava (S.D. Cal. 2023), a federal district court denied the defendant's motion to dismiss. The court ruled that surreptitiously embedded software fits the pen-register definition under §§ 638.50-51 when it identifies consumers, gathers data, and correlates that data through fingerprinting.

Greenley is the plaintiff bar's strongest pen-register precedent. It is the case demand letters cite most aggressively in 2026 when targeting analytics, ad tech, and identity-resolution vendors.

2024: The federal split (Byars, Valenzuela)

Federal district courts began producing conflicting decisions on nearly identical fact patterns. Byars v. Goodyear Tire & Rubber Co. read CIPA broadly to cover smartphone web chats and allowed claims to proceed against websites using third-party chat tools.

In contrast, Byars v. Hot Topic and Valenzuela v. Keurig held that CIPA's wiretap provisions are limited to telephonic interception and do not extend to internet communications. Similar cases, including Martin v. Sephora USA and Yoon v. Lululemon USA, continued to test the limits across districts.

2024: The state-court split (Licea, Levings)

State courts split, too. In Licea v. Hickory Farms (LA County Superior Court 2024), the court found that even if a tracking tool qualified as a pen register, the implied-consent argument was persuasive: visitors voluntarily disclose IP addresses when they visit a website. The court relied on older Ninth Circuit precedent, including U.S. v. Forrester (2007) and Heeger v. Facebook, for the implied-consent doctrine.

Levings v. Choice Hotels (LA County Superior Court 2024), filed by the same plaintiff firm with nearly identical claims, reached a divergent outcome on initial rulings. Same statute, same facts, two judges, two outcomes.

2025: Torres v. Prudential, the session-replay defense

Torres v. Prudential Financial (federal 2025) gave defendants their strongest precedent yet. The court granted summary judgment for the defendant, ruling that session replay software does not violate § 631 because captured data only becomes readable after it has been stored and reassembled, not while it is in transit.

 

California Invasion of Privacy Act penalties: criminal, civil, and class-action math

CIPA penalties stack across three layers: statutory damages, criminal fines, and class-action multipliers.

 

Civil statutory damages ($5,000 per violation)

California Penal Code § 637.2 authorizes any person whose communication has been intercepted in violation of CIPA to claim $5,000 per violation or three times their actual damages, whichever is higher. The $5,000 figure requires no proof of harm: each unconsented interception is its own statutory violation.

In class action contexts where every site visitor during the class period is a class member, the math escalates quickly. A site with 10,000 California visitors during a one-year class period faces $50 million in theoretical statutory exposure before any settlement discount.

 

Criminal penalties under § 631

§ 631 violations are punishable as misdemeanors with fines up to $2,500 per violation, up to one year in county jail, or both. Repeat offenders face fines up to $10,000 and up to one year imprisonment. Felony charges are theoretically available but rare in practice for civil-litigation-style CIPA cases.

In practice, criminal prosecution under CIPA is uncommon. The California Attorney General has not pursued criminal CIPA cases against website operators in recent years, and plaintiff firms drive enforcement through the private right of action under § 637.2.

 

How class actions compound the math

Class actions multiply statutory damages across every member of the class. Standard class definitions in CIPA pixel cases include "all California residents who visited [defendant's website] during the [12 to 24 month] class period." For sites with meaningful California traffic, this produces nine-figure theoretical exposure.

In practice, courts rarely award full statutory damages on this multiplier basis. Settlements typically resolve at 1 to 5 percent of theoretical maximum, but the ceiling drives plaintiff bargaining power. The combination of mandatory attorney's fees and the multiplier is what makes CIPA cases lucrative for plaintiff firms.

 

What is the maximum CIPA settlement?

CIPA settlements run on two distinct tracks. Pre-suit demand letters, the most common form of CIPA action, typically range from $10,000 to $200,000 based on Enzuzo's review of customer-shared letters. The number scales with California traffic, tracker count, and whether session replay or form-field capture is in play.

Class action settlements operate at a different magnitude. Federal class actions in the pixel-tracking wave have settled between $1 million and $15 million for mid-market defendants. Healthcare and financial services class actions have occasionally exceeded $25 million, with the Meta Pixel healthcare cases of 2023 to 2024 producing multiple eight-figure settlements.

 

Will insurance cover a CIPA claim?

Sometimes. Cyber liability policies and commercial general liability (CGL) policies occasionally cover CIPA claims, but coverage depends on policy language and carrier interpretation. Most insurance policies written between 2023 and 2025 contain specific carve-outs for statutory privacy violations, or biometric and wiretap exclusions.

Keep in mind that notice deadlines are aggressive. Most carriers require written notice within 30 days of receipt of a demand letter, and missing the notice window almost always voids coverage. Document the date of any letter the moment it arrives and notify your broker before responding to the plaintiff firm.

 

Worried your pixel setup is creating CIPA exposure?

Enzuzo blocks all non-essential tracking scripts until a user consents and logs every consent event with a timestamp as legal documentation. Rated 4.6/5 on G2.


 

Website technologies that create CIPA exposure

These are the tool categories most commonly cited in CIPA demand letters and lawsuits.

Session replay and heatmap tools: Hotjar, FullStory, Microsoft Clarity, LogRocket. These tools record user keystrokes, mouse movements, and clicks. If they transmit search queries or form field content to a third-party server in real time as the user types, they create the strongest CIPA exposure. Tools that process data only after transmission are better positioned following Torres, but the risk has not disappeared.

Live chat and support widgets: Intercom, Drift, HubSpot Chat, and Zendesk have been named explicitly. The key question is whether the chat vendor has independent data rights to the conversation content. 

Advertising pixels: Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, Pinterest Tag, Snap Pixel. These are explicitly named in a significant share of CIPA filings. Meta Pixel fires on page load by default and transmits full page URLs, referrer data, and user actions to Meta's servers immediately. If it fires before a user has consented, every transmission is a potential violation. For a detailed breakdown of Meta Pixel lawsuits, see our full coverage of that litigation wave.

Analytics tags configured for ads or audience building: Google's Consent Mode documentation explains how consent state affects tag behaviour, but Consent Mode alone does not stop all third-party scripts from loading. Google Analytics (GA4) and Google Ads conversion tracking can create exposure when tags fire before consent is established.

Call tracking, form enrichment, and A/B testing scripts: Dynamic phone number scripts, autofill enrichment tools, and testing platforms often load early, sometimes before the consent banner renders, and transmit interaction data to external vendors.

 

CIPA vs. CCPA: What's the difference?

Being compliant with the California Consumer Privacy Act (CCPA) does not mean you are compliant with CIPA. They address overlapping but distinct legal concerns, and many businesses that are fully CCPA-compliant still face CIPA exposure.

Focus
  CIPA: Real-time interception of communications without consent
  CCPA/CPRA: Transparency, consumer control over data sale and sharing
Consent standard
  CIPA: Prior, explicit opt-in before tracking begins
  CCPA/CPRA: Opt-out for most tracking (opt-in for sensitive data and minors)
Private right of action
  CIPA: Yes, any California resident can file directly
  CCPA/CPRA: Limited: only for data breaches, not general tracking violations
Regulatory enforcement
  CIPA: No (private plaintiff bar enforces)
  CCPA/CPRA: Yes, enforced by the California Privacy Protection Agency
Damages
  CIPA: $5,000 per violation, no proof of harm required
  CCPA/CPRA: $100-$750 per consumer per incident for data breaches
Cookie banner
  CIPA: Implied: consent must be obtained before any interception
  CCPA/CPRA: Requires opt-out mechanism ("Do Not Sell or Share" link)

 

The practical gap: a CCPA-compliant website often uses opt-out consent, meaning tracking begins by default and users can turn it off. Under CIPA, that model is the problem. If a pixel fires before a user has actively consented and it transmits data to a third party in real time, CCPA compliance provides no shield.

 

California Invasion of Privacy Act compliance checklist

The following steps address the core technical gaps that plaintiff firms identify when scanning websites.

1. Run your consent platform in opt-in mode for California visitors.

All non-essential tracking scripts must be blocked by default until a user actively accepts. Opt-out mode, where tracking fires on page load and users can decline later, does not satisfy CIPA's prior consent requirement. Geofencing to California is a practical starting point for companies that cannot immediately roll out opt-in consent globally.

2. Ensure consent is initialized before your tag manager loads marketing tags.

The most common technical failure is a consent banner that appears compliant but loads too slowly, allowing pixels to fire before the user has seen or interacted with it. Your consent management platform tag should fire on Consent Initialization in Google Tag Manager, not on Page View. For a step-by-step guide, see our CIPA enforcement and defense guide.

3. Remove hard-coded pixels from your site header.

A pixel embedded directly in your site's HTML or theme loads before any GTM rules apply. Consent gating in GTM cannot block it. Audit your site header, theme files, WordPress plugins, and Shopify apps for any tracking code that loads outside your tag manager.

4. Align your privacy policy with your actual tech stack.

Privacy policy language that does not name specific tracking vendors, or that describes narrower data practices than what actually runs on your site, eliminates the consent defence. Audit your tag manager, then update your privacy policy to list every third-party tool and what it does.

5. Review your chat vendor contracts.

For each live chat tool and session replay product, check whether the vendor has independent rights to use the data it collects from your users. Where the vendor has those rights, the third-party interception theory has more legal support. Document that each tool operates as your agent with no independent data processing rights.

6. Build and retain a consent log.

Consent logs document when each user granted or denied consent, with timestamps. These records are the primary evidence in a CIPA defence, demonstrating that your site honoured consent choices before any tracking began. Enzuzo logs every consent event automatically and retains records for up to seven years.

7. Test with a fresh incognito session.

Google Tag Manager's Preview Mode is a supported tool for verifying your consent implementation. Open your website in an incognito window, open your browser's network inspector, and watch what fires before you interact with the consent banner. Any third-party request that appears before you click "Accept" is a potential CIPA violation.
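The checklist above boils down to two mechanisms: a gate that keeps non-essential tags from loading until an explicit opt-in is recorded with a timestamp (steps 1, 2 and 6), and a check that flags any third-party request observed before that opt-in (step 7). The block below is an added illustration of both, not Enzuzo's product code or Google Tag Manager's consent API; it models tag loaders as plain callbacks (in a browser they would inject the vendor script), and the request log it audits is a constructed sample shaped like Network-tab entries, with example-shop.test and replay.example-vendor.test as hypothetical hosts.

```javascript
// Added example (not Enzuzo's code): an opt-in consent gate plus a
// pre-consent request audit, written as pure functions so it runs under Node.

class ConsentGate {
  constructor(now = () => new Date()) {
    this.now = now;              // injectable clock so log timestamps are testable
    this.state = "pending";      // pending | granted | denied
    this.granted = new Set();    // categories the visitor has accepted
    this.queued = [];            // non-essential tags waiting for consent
    this.log = [];               // timestamped consent events (checklist step 6)
    this.fired = [];             // names of tags that actually loaded
  }

  // Register a tag. "essential" loads immediately; anything else is held
  // until the visitor explicitly accepts its category (opt-in, step 1).
  queueTag(name, category, loader) {
    const tag = { name, category, loader };
    if (category === "essential" || this.granted.has(category)) this._fire(tag);
    else if (this.state !== "denied") this.queued.push(tag);
  }

  grant(categories) {
    this.state = "granted";
    categories.forEach((c) => this.granted.add(c));
    this._record("granted", categories);
    // Release only the tags whose category was accepted; keep the rest held.
    const stillHeld = [];
    for (const tag of this.queued) {
      if (this.granted.has(tag.category)) this._fire(tag);
      else stillHeld.push(tag);
    }
    this.queued = stillHeld;
  }

  deny() {
    this.state = "denied";
    this._record("denied", []);
    this.queued = [];            // nothing non-essential loads this session
  }

  _fire(tag) { tag.loader(); this.fired.push(tag.name); }
  _record(decision, categories) {
    this.log.push({ at: this.now().toISOString(), decision, categories: [...categories] });
  }
}

// Step 7 as code: given a request log and the moment consent was granted,
// return every third-party host contacted before consent. Each one is a
// request the gate failed to hold back (a hard-coded pixel, a tag firing on
// Page View instead of Consent Initialization, a plugin loading early).
function auditPreConsent(requests, consentAt, siteDomain) {
  const leaks = new Set();
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    const firstParty = host === siteDomain || host.endsWith("." + siteDomain);
    if (!firstParty && new Date(r.startedAt) < new Date(consentAt)) leaks.add(host);
  }
  return [...leaks].sort();
}

// Constructed sample request log (not real traffic): what a fresh incognito
// session might show before and after the visitor clicks "Accept".
const SAMPLE_REQUESTS = [
  { url: "https://www.example-shop.test/", startedAt: "2026-05-15T16:52:00.000Z" },
  { url: "https://cdn.example-shop.test/app.js", startedAt: "2026-05-15T16:52:00.100Z" },
  { url: "https://connect.facebook.net/en_US/fbevents.js", startedAt: "2026-05-15T16:52:00.200Z" },
  { url: "https://replay.example-vendor.test/record.js", startedAt: "2026-05-15T16:52:00.400Z" },
  { url: "https://www.google-analytics.com/g/collect", startedAt: "2026-05-15T16:52:06.000Z" },
];
const CONSENT_AT = "2026-05-15T16:52:05.000Z"; // constructed "Accept" click time
```

Run the audit against an export of your own Network tab and an empty result is the state the checklist is asking for; any host it returns loaded outside the consent gate and needs to be moved behind it.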

 

What to do if you receive a CIPA demand letter

Demand letters are not the same as a lawsuit, but they cannot be ignored since a refusal to respond will typically result in an actual filing. The claims range from $10,000 to $200,000 per demand based on Enzuzo's review of letters shared by affected companies, depending on the number of non-compliant tools and the volume of Californian traffic.

Enzuzo has a detailed technical guide for California Invasion of Privacy Act compliance and how to respond if you receive a demand letter.

Immediate next steps: preserve your current site configuration before making any changes, document the state of your tag manager and pixel setup, pull any existing consent logs, and engage legal counsel with privacy litigation experience before responding. Technical remediation, specifically fixing the underlying consent timing issue, is the most important long-term step, since settling one claim without changing the implementation leaves you exposed to the next letter.

Get CIPA-compliant today

Enzuzo is a Google-certified consent management platform that blocks tracking scripts until consent is granted, logs every consent event for legal documentation, and integrates with Google Tag Manager in an afternoon. Rated 4.6/5 on G2 from verified reviews.


 

Frequently asked questions about CIPA

What does CIPA stand for?

The California Invasion of Privacy Act (CIPA) is a 1967 state wiretapping statute that courts have applied to digital tracking technologies. It is not to be confused with the Children's Internet Protection Act, a federal law governing internet filtering in schools and libraries.

What is CIPA compliance for a website?

CIPA compliance means no third-party tracking tool, including pixels, session replay software, or live chat widgets, captures or transmits user data before the user has explicitly consented. Your consent banner must run in opt-in mode for California visitors, your tag manager must block all marketing scripts until consent is granted, and your privacy policy must accurately name every tool in use.

Does CIPA apply to companies outside California?

Yes. CIPA applies to any website that California residents can visit, regardless of where the website operator is located. Non-US companies operating websites accessible to California residents have received CIPA demand letters. If your site has any California traffic, you have potential CIPA exposure.

What is the penalty for a CIPA violation?

CIPA provides for statutory damages of $5,000 per violation, with no requirement to prove actual harm. In class action contexts, where each user session may count as a separate violation, damages can escalate quickly. Most cases settle before trial, with demand letters typically calibrated to be cheaper to resolve than to litigate.

Is CIPA the same as CCPA?

No. CCPA is a data privacy law focused on transparency and consumer rights around data sale and sharing, enforced by the California Privacy Protection Agency using an opt-out model. CIPA is a wiretapping statute enforced by private plaintiffs, requires prior opt-in consent before tracking begins, and carries $5,000 per-violation damages without proof of harm. A CCPA-compliant site can still violate CIPA.

Does a cookie banner protect me from CIPA?

Only if it works correctly. A banner that displays a preference interface while tracking scripts fire before the user interacts with it does not establish prior consent. The banner must technically gate all non-essential scripts, not just show a consent dialog, before any tracking data is transmitted.

What is a CIPA demand letter?

A CIPA demand letter is a formal notice from a plaintiff law firm asserting that your website violated CIPA by running tracking tools without prior user consent. Based on Enzuzo's review of customer-shared letters, settlements have ranged from $10,000 to $200,000 depending on the number of violations and California traffic volume.

Which websites are most targeted under CIPA?

Any consumer-facing website with California traffic that runs Meta Pixel, TikTok Pixel, session replay tools, or live chat widgets without a technically enforced consent mechanism. Media and news sites, ecommerce brands, healthcare and wellness platforms, and SaaS companies with marketing-heavy tech stacks have been the most common targets.

Osman Husain


Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.